CTF-Writeups/Ignite-Hackathon/Hackathon-OS.md
2021-09-26 23:38:36 +05:00


Hackathon-OS

NMAP

PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 8.4p1 Ubuntu 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.4.46 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
| http-robots.txt: 6 disallowed entries
|_/test/ /t3$t@123/ /includes/ /external/ /api/ /hashes/
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 1s
| nbstat: NetBIOS name: FILESERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   FILESERVER<00>       Flags: <unique><active>
|   FILESERVER<03>       Flags: <unique><active>
|   FILESERVER<20>       Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>

The nmap scan shows four open ports, of which the HTTP (80) and SMB (139/445) services look the most interesting. Note the robots.txt entries already leaked by the http-robots.txt script: /test/ and /t3$t@123/ are unusual names worth remembering.

PORT 139/445 (SMB)

Listing the SMB shares over a null session shows three shares, of which the one named "shares" looks interesting.

However, anonymous access gives us no read permission on any of them, so we move on for now and come back once we have credentials.

PORT 80 (HTTP)

On the web server we only see the default Apache page.

Since the nmap scan already told us about robots.txt, we visit that file directly and look at its entries.

None of these directories lead anywhere, so we fuzz for files and directories with gobuster.

That only returned robots.txt again, so there is nothing else on the web server. We take a step back and run enum4linux-ng to enumerate users through SMB.

This gave us the username test. Recalling robots.txt, there was an entry named test right next to one named t3$t@123, so t3$t@123 is very likely the test user's password.

Foothold

With test:t3$t@123 we can log into the "shares" share over SMB, where we find a few files.

The HINT file contains a username and a hash:

clark:46a8047d5f9178c75aa6bf1090592427

pass.txt contains a list of potential passwords, so we need to crack clark's hash against the provided wordlist. Either hashcat or john works; I used hashcat, since the 32 hex characters point to a plain unsalted MD5 hash (hashcat mode 0).

With clark's password recovered, we SSH into the machine.

clark is not in the sudo group and cannot run any commands as another user via sudo, so we enumerate the machine for other users' home directories.

Privilege Escalation (maker)

In another user's home we see Deep.zip. It is not related to rooting the box: it only contains a flag, which can be obtained by cracking the archive's password with the same password list as before. More important is the .bash_history file next to it, which records the commands that user ran and is always worth reading on a box like this.

Rooting the box

After switching to maker we notice that this user is a member of the villan group, so we look for files owned by that group.

/etc/passwd is group-owned by villan. Group ownership alone does not guarantee write access, so we verify that the file really is group-writable before relying on it.

All that is left is to put a password hash into root's entry: the second field of a passwd line is normally "x", which tells login and su to look in /etc/shadow, but if it holds a crypt(3) hash that hash is used directly. You can generate one with openssl passwd, but I just copied my own hash from /etc/shadow and pasted it there.

And with this we rooted this fun, amazing, challenging, hard, OP, hackathon, definitely-not-copied-from-VulnHub box.