# TryHackMe-Fortress

## NMAP

```bash
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9f:d0:bb:c7:e2:ee:7f:91:fe:c2:6a:a6:bb:b2:e1:91 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXx2nOQ7SVuA1liJqX+ZR2KK9Oipy+1cd4ZZ3iD+/xuAkvon338WPfjcGmNaBd0McHqunhvl1xJZZMsOsjVuMUSD0GUX3YF6BQ/RdVxQ00/gRvVW70nUk+kf+Umz/5HbI9IfBLoIcRGWxf3naUdl8Vfs7Fj38fnZB0A+8av3/VAthEhiOq58o9ssQJ7DD6ZJydt4R1G9WYa2C+8O76/rJ9EadLCaNAeKKUYmuGEdJit+vGsd4ggzYc0qJQ2QmRUrVK+FeIFZDIo4InaPIiI1VF0X+ooax1siytlF85f5956EfDsGgzNBZb/9I5tGz4QFnM/FH65fXEnvUrDoXO2+dj
|   256 06:4b:fe:c0:6e:e4:f4:7e:e1:db:1c:e7:79:9d:2b:1d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPBJBTN55zS77xduARAxZeA+xhJt04e3yVZpkmTObu2JMOjxTzFoK4mftWUdLsx1bs1mDIWWXLOKjXcnq3PcO84=
|   256 0d:0e:ce:57:00:1a:e2:8d:d2:1b:2e:6d:92:3e:65:c4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJezjvXtsHInz+XQ4hYfNBX5kjinTpiKRYaK5rF1og71
5581/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           305 Jul 25 20:06 marked.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.94.60
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
5752/tcp open  unknown syn-ack ttl 63
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, LANDesk-RC, LPDString, RTSPRequest, SIPOptions, X11Probe:
|     Chapter 1: A Call for help
|     Username: Password:
|   Kerberos, LDAPBindReq, LDAPSearchReq, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie:
|     Chapter 1: A Call for help
|_    Username:
7331/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
```

We can see port 5581, which is FTP, and `anonymous` login is enabled, so we can log in as the anonymous user. On port 7331 an Apache server is running, and port 5752 seems to give some kind of response, so we'll get to it too. The room description also tells us to add the two domain names `fortress` and `temple.fortress`, which we can add to the `/etc/hosts` file.

## PORT 5581 (FTP)

If we do `ls -la` we'll see a hidden file called `.file`

So we can download these files using `get`

We don't find much information in `marked.txt` other than it telling us the username `veekay`

The other file is a Python 2.7 compiled bytecode file

We decompile this file into human-readable form using `uncompyle2`; we can git clone its repository and install the binary using `python setup.py install`

Here we see a username and password which are hard-coded, converted from a string to a long integer with `bytes_to_long`. So let's convert a random string to see what the long format looks like; we can also convert it back to a byte string using `long_to_bytes`

```python
from Crypto.Util.number import bytes_to_long, long_to_bytes

test = bytes("abcbbc", "utf-8")  # can be written as b"abcbbc" as well
long_test = bytes_to_long(test)   # big-endian integer built from the bytes
print(long_test)
print(long_to_bytes(long_test))   # back to the original byte string
```

But we don't get an `L` at the end of the long integer (that `L` suffix is how Python 2 prints long integers), so let's try removing it from the username and password variables and converting them back to byte strings

These are already in long format, so we just need to use `long_to_bytes`

So we got the username and password in string format, but the question is: where do we send these credentials?
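The conversion above, as an added example that is not part of the original writeup: `bytes_to_long` and `long_to_bytes` are re-implemented here with the standard library (they match the big-endian behaviour of `Crypto.Util.number`, so it runs without PyCryptodome), and a helper strips the Python 2 `L` suffix from a literal copied out of the decompiled code. The sample value is constructed from the username `veekay`; the room's real credential literals are not reproduced here.

```python
# Added example (not from the writeup): recovering a byte string from a
# Python 2 long literal such as the hard-coded credentials uncompyle2 shows.
# bytes_to_long / long_to_bytes are stdlib re-implementations that mirror
# Crypto.Util.number: big-endian, unsigned, leading zero bytes not preserved.


def bytes_to_long(data: bytes) -> int:
    """Big-endian bytes -> unsigned integer (same result as Crypto.Util.number)."""
    return int.from_bytes(data, "big")


def long_to_bytes(value: int) -> bytes:
    """Unsigned integer -> shortest big-endian byte string (at least one byte)."""
    if value < 0:
        raise ValueError("negative values cannot be encoded")
    length = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(length, "big")


def decode_py2_long_literal(literal: str) -> bytes:
    """Turn a literal copied from decompiled Python 2 code (e.g. '12345L')
    back into the byte string it was built from. The trailing 'L' is the
    Python 2 long-integer suffix, which Python 3's int() does not accept."""
    text = literal.strip()
    if text.endswith(("L", "l")):
        text = text[:-1]
    # base 0 lets decimal and 0x... literals both work
    return long_to_bytes(int(text, 0))


def roundtrip(data: bytes) -> bool:
    """True when encoding then decoding gives the input back
    (fails only for inputs with leading NUL bytes, as with the library)."""
    return long_to_bytes(bytes_to_long(data)) == data


if __name__ == "__main__":
    # Constructed sample: a credential encoded the way the binary does it,
    # printed with the Python 2 suffix, then decoded again.
    sample = b"veekay"
    literal = str(bytes_to_long(sample)) + "L"
    print(literal, "->", decode_py2_long_literal(literal))
```

`int(text, 0)` is used so that a literal copied as hex (`0x...L`) decodes the same way as a decimal one; both forms appear in decompiled output depending on the tool.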
I tried making an HTTP request on port 5752, but the connection timed out, so it must be running some other protocol

## PORT 5752 (Telnet)

Eventually I figured out it was telnet by trying to connect to it

We get this text, `t3mple_0f_y0ur_51n5`, which comes from that `secrets.txt`, because the service was calling the function that returns the contents of that file when correct credentials are provided

## PORT 7331 (HTTP)

On the Apache web server we only get the default web page. I tried running `gobuster` with `big.txt` and `common.txt` but came up with nothing, so I then tried looking for the page we got from `secrets.txt`, but it didn't load until I added a `.php` extension to it

Again we don't see much on this page, but we can view the source code with Ctrl+U

The reason we see HTML code here is that the PHP code is executed on the server and only the rendered HTML reaches the browser, which is why we can see HTML tags here. Also, going to the CSS file we can get a "hint"

This looks like base64-encoded text, which on decoding gives us this

It's talking about "colliding" something, maybe a secret or a hash?
Judging from that commented HTML code we saw, let's try changing the extension to `.html`

And we got a different page with input fields; viewing the HTML source code we can see some PHP code here

What it's doing is taking two GET parameters, `user` and `pass`, doing a type check, and also checking whether their SHA-1 hashes are the same, which is what we call a hash collision. Back in 2017 someone discovered a collision in SHA-1 by producing two PDF files with the same hash

So what if we make a Python script that fetches those files' content into variables and then makes a GET request to `t3mple_0f_y0ur_51n5.php` with those parameters

```python
import requests

# Fetching the 2 PDF files which cause the SHA-1 collision
pdf1 = requests.get("https://shattered.it/static/shattered-1.pdf")
pdf2 = requests.get("https://shattered.it/static/shattered-2.pdf")

# Assigning the PDFs' content to the GET parameters
params = {'user': pdf1.content, 'pass': pdf2.content}

r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/", params=params)
print(r.text)
```

But this didn't work, as the PDF files' "length exceeds the capacity"

The maximum capacity of a URL request is 8 KB, while we exceed this limit because the combined size of those files is 825 KB

I found a way around it through a writeup from a 2017 CTF challenge which was based on the same concept of SHA-1 hash collision

We have a total of 1.6 KB, and if we check the SHA-1 hash of both these files they are the same, so here I am just going to host them on my own machine and fetch them

```python
import requests

# Fetching the 2 files which cause the SHA-1 collision, hosted locally
pdf1 = requests.get("http://localhost/1-pdf.192")
pdf2 = requests.get("http://localhost/2-pdf.192")

# Assigning the files' content to the GET parameters
params = {'user': pdf1.content, 'pass': pdf2.content}

r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/", params=params)
print(r.text)
```

Although we have succeeded in making the request smaller, the contents are identical, so according to the writeup we need to use the first 320 bytes of each PDF file

This makes a total of 640 bytes; also checking the SHA-1 hashes, these two files look different, but fingers crossed

```python
import requests

# Fetching the 320-byte PDF prefixes which cause the SHA-1 collision, hosted locally
pdf1 = requests.get("http://localhost/shattered-1.dat")
pdf2 = requests.get("http://localhost/shattered-2.dat")

# Assigning the files' content to the GET parameters
params = {'user': pdf1.content, 'pass': pdf2.content}

r = requests.get("http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/", params=params)
print(r.text)
```

But this didn't work

This is the reason why it didn't work: both values have a length of 320, and there's a condition that `user` must have a length greater than 600 and `pass` must have a length greater than 500

I found two other files whose SHA-1 hashes collide

Here we can see both are 640 bytes, which passes the condition, and the total size is 1.2 KB, so this request can be allowed

We get a hidden file, `m0td_f0r_j4x0n.txt`, so `j4x0n` must be a username; on visiting that file we'll get the private key

But the message here was kind of vague, as it stated "I am leaving a private key for you j4x0n", which was written by `h4rdy`

So this key was for h4rdy. If we try to do `sudo -l` it won't work; it seems that we are in a restricted bash

If we try to change the PATH variable it won't allow it, as it's set to read-only

I tried using autocomplete to see if I could see any files or directories

But if we log in using `-t`, which enables "pseudo-tty allocation", we can run `cd` and `export` commands, so let's set the `SHELL` variable to `/bin/bash` and also change the `PATH` variable

## Privilege Escalation (j4x0n)

We can now run commands, so doing `sudo -l` we can see that this user is allowed to run `cat` as the `j4x0n` user

We can read these two files

Let's just copy the id_rsa key (private key) and log in as `j4x0n`

But still we can't use `sudo -l`, as we don't know the password
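To see why the three attempts above failed in the order they did, here is an added example, written for this page and not the room's PHP: a Python model of the gate as the writeup describes it (type check, `user` longer than 600, `pass` longer than 500, equal SHA-1 digests) plus a pre-flight size check for the 8 KB request cap. Assumptions: the cap is 8192 bytes, identical values are rejected (the writeup's identical copies were not accepted), and the URL and parameter names are the ones used in the scripts above. The payloads are constructed stand-ins, not real colliding blocks, so every run ends in a named rejection; only genuine collision blocks like the ones the writeup hosted would pass the last check.

```python
import hashlib
from urllib.parse import urlencode

# Added example, not the room's PHP: a model of the gate described in the
# writeup and a pre-flight check for the request-size limit it ran into.
# Assumed: 8 KB cap == 8192 bytes, SHA-1 digests compared with ==, and
# identical values rejected (the writeup's identical copies did not pass).

BASE_URL = "http://temple.fortress:7331/t3mple_0f_y0ur_51n5.php/"  # from the writeup
URL_BUDGET = 8192


def temple_check(user, pwd):
    """Server-side gate as described: type check, length floors, distinct
    values, equal SHA-1. Returns (accepted, reason) so each failure is named."""
    if not isinstance(user, bytes) or not isinstance(pwd, bytes):
        return False, "type check failed: both values must be byte strings"
    if len(user) <= 600:
        return False, f"user length {len(user)} is not greater than 600"
    if len(pwd) <= 500:
        return False, f"pass length {len(pwd)} is not greater than 500"
    if user == pwd:
        return False, "values are identical, no collision"
    if hashlib.sha1(user).digest() != hashlib.sha1(pwd).digest():
        return False, "sha1 digests differ"
    return True, "sha1 collision accepted"


def request_size(user, pwd):
    """Length of the GET URL once the query is percent-encoded, which is what
    requests builds from params=... . Arbitrary binary bytes cost 3 chars each
    (%XX), so a 640-byte value becomes 1920 characters."""
    return len(BASE_URL) + 1 + len(urlencode({"user": user, "pass": pwd}))


def preflight(user, pwd):
    """Run every check the writeup hit, in the order they bite, before sending."""
    size = request_size(user, pwd)
    if size > URL_BUDGET:
        return False, f"url would be {size} bytes, over the {URL_BUDGET} byte cap"
    return temple_check(user, pwd)


if __name__ == "__main__":
    # Constructed stand-ins for the three attempts; none of these collide.
    attempts = {
        "full PDFs": (b"%PDF" + b"\xff" * 420_000, b"%PDF" + b"\xfe" * 420_000),
        "320-byte prefixes": (b"\xff" * 320, b"\xfe" * 320),
        "640-byte blocks": (b"\xff" * 640, b"\xfe" * 640),
    }
    for label, (u, p) in attempts.items():
        print(f"{label:18} -> {preflight(u, p)}")
```

The ordering in `preflight` matters: the URL cap is enforced by the web server before PHP ever sees the parameters, so a payload that is too large never reaches the length or hash checks, which is exactly the sequence of errors the writeup walked through. From the defender's side, the gate's weakness is comparing SHA-1 digests of attacker-controlled inputs with `==`; since the 2017 SHAttered result, distinct inputs with equal SHA-1 are a practical thing to hand a server.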
So we may need to find this user's password, as he is in the sudoers group

In the `/opt` directory we see a SUID binary named `bt`, which on running says it's spawning a root shell but instead keeps printing a bunch of gibberish on the terminal and forces us out of the SSH connection. I didn't find anything else; I manually tried looking into directories and checking local ports and cron jobs, but we were in the `adm` group, which can read log files, so I thought of visiting `/var/log/auth.log`

Let's give this password a try

With this we rooted this room.

## References

- https://reverseengineering.stackexchange.com/questions/1701/decompiling-pyc-files
- https://github.com/Mysterie/uncompyle2
- https://stackoverflow.com/questions/3475648/sha1-collision-demo-example
- https://github.com/fabacab/CTF/tree/master/2017/BKP/cloud/Prudentialv2
- https://sha-mbles.github.io/