From cfc9fa6abe1eae4aec08f72ab75dfad6e16402a8 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Thu, 9 Sep 2021 17:56:23 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/Fortress.md | 330 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 330 insertions(+)
create mode 100644 TryHackMe/Fortress.md
diff --git a/TryHackMe/Fortress.md b/TryHackMe/Fortress.md
new file mode 100644
index 0000000..a0467a3
--- /dev/null
+++ b/TryHackMe/Fortress.md
@@ -0,0 +1,330 @@
+# TryHackMe-Fortress
+
+## NMAP
+
+```bash
+PORT STATE SERVICE REASON VERSION
+22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 9f:d0:bb:c7:e2:ee:7f:91:fe:c2:6a:a6:bb:b2:e1:91 (RSA)
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXx2nOQ7SVuA1liJqX+ZR2KK9Oipy+1cd4ZZ3iD+/xuAkvon338WPfjcGmNaBd0McHqunhvl1xJZZMsOsjVuMUSD0GUX3YF6BQ/RdVxQ00/g
+RvVW70nUk+kf+Umz/5HbI9IfBLoIcRGWxf3naUdl8Vfs7Fj38fnZB0A+8av3/VAthEhiOq58o9ssQJ7DD6ZJydt4R1G9WYa2C+8O76/rJ9EadLCaNAeKKUYmuGEdJit+vGsd4ggzYc0qJQ2QmRUr
+VK+FeIFZDIo4InaPIiI1VF0X+ooax1siytlF85f5956EfDsGgzNBZb/9I5tGz4QFnM/FH65fXEnvUrDoXO2+dj
+| 256 06:4b:fe:c0:6e:e4:f4:7e:e1:db:1c:e7:79:9d:2b:1d (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPBJBTN55zS77xduARAxZeA+xhJt04e3yVZpkmTObu2JMOjxTzFoK4mftWUdLsx1bs1mDIWWXL
+OKjXcnq3PcO84=
+| 256 0d:0e:ce:57:00:1a:e2:8d:d2:1b:2e:6d:92:3e:65:c4 (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJezjvXtsHInz+XQ4hYfNBX5kjinTpiKRYaK5rF1og71
+5581/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)
+|_-rw-r--r-- 1 ftp ftp 305 Jul 25 20:06 marked.txt
+| ftp-syst:
+| STAT:
+| FTP server status:
+| Connected to ::ffff:10.8.94.60
+| Logged in as ftp
+| TYPE: ASCII
+| No session bandwidth limit
+| Session timeout in seconds is 300
+| Control connection is plain text
+| Data connections will be plain text
+| At session startup, client count was 2
+| vsFTPd 3.0.3 - secure, fast, stable
+|_End of status
+5752/tcp open unknown syn-ack ttl 63
+5752/tcp open unknown syn-ack ttl 63
+| fingerprint-strings:
+| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, LANDesk-RC, LPDString, RTSPRequest, S
+IPOptions, X11Probe:
+| Chapter 1: A Call for help
+| Username: Password:
+| Kerberos, LDAPBindReq, LDAPSearchReq, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie:
+| Chapter 1: A Call for help
+|_ Username:
+7331/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
+| http-methods:
+|_ Supported Methods: OPTIONS GET HEAD POST
+|_http-server-header: Apache/2.4.18 (Ubuntu)
+|_http-title: Apache2 Ubuntu Default Page: It works
+```
+
+We can see port 5581 which is ftp and `anonymous` login is enabled so we can login as anonymous user , on port 7331 , apache server is running and on 5752 seems like some response so we'll get too it also we are told to add these two domain names `fortress`, `temple.fortress` from the room description , we can add those to `/etc/hosts` file
+
+
+
+
+
+## PORT 5581 (FTP)
+
+
+
+If we do `ls -la` we'll see a hidden file called `.file`
+
+
+
+So we can download these files using `get`
+
+
+
+We don't find much information from `marked.txt` other than telling us the username `veekay`
+
+
+
+And the other file is python 2.7 compiled byte-file
+
+
+
+
+We decompile this file to human readable file using `uncompyle2` , we can git clone it's repoistory and install the binary using `python setup.py install`
+
+
+
+
+
+
+
+Here we see username and password which are hard coded converted from string to `byte_to_long` format , so let's try to convert a random string to see a long byte format also we can convert it back to a byte string using `long_to_bytes`
+
+```python3
+
+from Crypto.Util.number import bytes_to_long,long_to_bytes
+
+test = bytes("abcbbc","utf-8") # can be written as b"abcbbc" as well
+long_test = bytes_to_long(test)
+print (long_test)
+print (long_to_bytes(long_test))
+```
+
+
+
+But we don't get `L` at the end of long byte string , let's try removing it from username and password variables and try to convert it back to byte string format
+
+
+
+These are aleady in long byte format so we just need to use `long_to_bytes`
+
+
+
+So we got the username and password in a string format but the question is where do we send these credentials ? I tried making a http request on port 5752 but connection timed out so it must be running on some other protocol
+
+## PORT 5752 (Telnet)
+
+Eventually I figuired out it was telnet by trying connecting to it
+
+
+
+We get this text `t3mple_0f_y0ur_51n5` which is from that `secrets.txt` because it was calling the function which would return the contents of that file on providing correct credentials
+
+## PORT 7331 (HTTP)
+
+
+
+On the apache web server we only get the default web page , I tried running `gobuster` with `big.txt` , `common.txt` but came up with nothing , so then tried look for the page we got from secrets.txt but it didn't loaded until I added a php extension to it
+
+
+
+Again we don't see much on this page but after viewing the source code through ctrl+u
+
+
+
+The reason why we are seeing html code is becuase browser executes php code but renders html code that's why we can html tags here , also going to css file we can get a "hint"
+
+
+
+This looks like base64 encoded text which on decoding we get this
+
+
+
+It's talking about "colliding" something maybe a secret or a hash ? Judging from that html commented code we saw , let's try changing the extension to `.html`
+
+
+
+And we got a different page with input fields also viewing the html source code
+
+
+
+We can see some php code here
+
+
+
+What it's doing is that , taking two GET parameters `user` and `pass` doing a type check also checking it's SHA-1 hash if they are similar which is what we call hash collision and back in 2017 someone discovered a collision in SHA-1 by calculating the hash of two pdf files
+
+
+
+So what if we make a python script that will fetch those files content in variables and then we will make a GET request to `t3mple_0f_y0ur_51n5.php` with those parameters
+
+```python
+import requests
+
+# Fetching 2 pdf's file which cause SHA-1 collision
+
+pdf1 = requests.get("https://shattered.it/static/shattered-1.pdf")
+pdf2 = requests.get("https://shattered.it/static/shattered-2.pdf")
+
+# Assinging pdf's content into the GET parameters
+
+params = {'user': pdf1.content, 'pass': pdf2.content}
+
+r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/",params=params)
+print (r.text)
+```
+
+But this didn't worked as pdf file's "length exceeds the capacity"
+
+
+
+
+Maximum capacity of url request is 8 KB while we exceed this limit as combined size of those files is 825 KB
+
+
+
+
+
+I found the way around through a writeup from a 2017 CTF challenge which was based on the same concept of SHA-1 hash collision
+
+
+
+
+
+We have a total of 1.6 KB and if we check SHA1 hash of both these files
+
+
+
+They are similar , so here I am just going to host them on my own machine and fetch it
+
+```python
+import requests
+
+# Fetching 2 pdf's file which cause SHA-1 collision
+
+pdf1 = requests.get("http://localhost/1-pdf.192")
+pdf2 = requests.get("http://localhost/2-pdf.192")
+
+# Assinging pdf's content into the GET parameters
+
+params = {'user': pdf1.content, 'pass': pdf2.content}
+
+r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/",params=params)
+print (r.text)
+
+```
+
+Although we have succeded in making the request smaller but the contents are identical so we according the writeup we need to put first 320 bytes of the pdf file
+
+
+
+
+
+This makes a total of 640 bytes , also checking the SHA1 hashes
+
+
+
+These two files look different but fingers crossed
+
+
+
+```python3
+import requests
+
+# Fetching 2 pdf's file which cause SHA-1 collision
+
+pdf1 = requests.get("http://localhost/shattered-1.dat")
+pdf2 = requests.get("http://localhost/shattered-2.dat")
+
+# Assinging pdf's content into the GET parameters
+
+params = {'user': pdf1.content, 'pass': pdf2.content}
+
+r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/",params=params)
+print (r.text)
+
+```
+
+But this didn't work
+
+
+
+
+
+This is the reason why it didn't worked as both values are having a length of 320 and there's a condition that `user` must have a length greater than 600 and `pass` must have a lenght greater than 500
+
+I found two other files whose SHA1 hashes collide
+
+
+
+
+
+Here we can see both are of 640 bytes which passes the condition and total size is 1.2KB so this request can be allowed
+
+
+
+We get a hidden file `m0td_f0r_j4x0n.txt` , so this must be a username `j4x0n`, on visting that file we'll get the private key
+
+
+
+But the message here was kinda vauge as it stated that "I am leaving a private key for you j4x0n" which was written by `h4rdy`
+
+
+
+So this key was for h4rdy, if we try to do `sudo -l` it won't work it seems that we are in restricted bash
+
+
+
+If we try to change PATH variable it won't allow as it's set to read only
+
+
+
+I tried doing autocomplete to see if I can see any files or directories
+
+
+
+But if we try to login using `-t` which enables "pseudo-tty allocation"
+
+
+
+We can run `cd` and `export` commands so let's set the `SHELL` variable to `/bin/bash` and also change the `PATH` variable
+
+
+
+## Privilege Escalation (ja4xon)
+
+We can now run commands, so now doing `sudo -l` we can see that this user is allowed to run `cat` as `j4x0n` user
+
+
+
+We can read these two files
+
+
+
+
+
+Let's just copy the id_rsa key (private key) and login as `j4x0n`
+
+
+
+But still we can't use `sudo -l` as we don't know the password
+
+
+
+So we need to maybe find this user's password as he is in sudoers group
+
+
+
+In `/opt` directoy we see a SUID binary named `bt` on running tells that it's spawning a root shell but instead keeps printing buch of gibberish on the terminal and force us to exit out of ssh connection , I didn't find anything , manully tried looking into directories , checking local ports and cron jobs but we were in `adm` group which can read log files so I though of visiting `/var/logs/auth.log`
+
+
+
+Let's give this password a try
+
+
+
+With this we rooted this room.
+
+
+## References
+
+- https://reverseengineering.stackexchange.com/questions/1701/decompiling-pyc-files
+- https://github.com/Mysterie/uncompyle2
+- https://stackoverflow.com/questions/3475648/sha1-collision-demo-example
+- https://github.com/fabacab/CTF/tree/master/2017/BKP/cloud/Prudentialv2
+- https://sha-mbles.github.io/
\ No newline at end of file
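Review bot: the log path in the `/opt` paragraph near the end of the file reads `/var/logs/auth.log`, but on Ubuntu the authentication log lives at `/var/log/auth.log` (no `s`); readers following the write-up will hit a "No such file" error, so correct the path there, and consider stating in the same paragraph that `adm` group membership is what grants read access to that file, since that is the actual reason the password was recoverable. Two of the four Python fences are tagged ```python3 (the `bytes_to_long` snippet and the final `shattered-1.dat` script) while the other two are tagged ```python; most Markdown renderers do not recognise `python3` as a highlighter name, so use `python` throughout. The three `requests` scripts differ only in the two URLs, so one script with the file URLs as variables, plus a sentence per attempt, would be easier to follow than three near-copies; in each of them "Assinging" should be "Assigning". The nmap block repeats the line `5752/tcp open unknown syn-ack ttl 63` twice in a row; drop the duplicate. The heading `## Privilege Escalation (ja4xon)` misspells the user that the rest of the text calls `j4x0n`. The ~1.6 KB and ~1.2 KB figures for the two collision-file pairs, together with the later statement that `user` must be longer than 600 and `pass` longer than 500, are the crux of why the first two attempts fail, so stating those length checks when the PHP source is first introduced (rather than after the failed attempt) would make the reasoning linear. Finally, fix the remaining typos ("repoistory", "aleady", "figuired", "becuase", "vauge", "succeded", "lenght", "directoy", "buch", "manully", "didn't worked") and add a trailing newline, since the hunk ends with "No newline at end of file".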