CTF-Writeups/Betava2j.md
2021-02-13 15:55:11 +05:00


TryHackMe-Betav2j

NMAP


```text
Nmap scan report for 10.10.220.63
Host is up (0.41s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2c:54:c1:d0:05:91:e1:c0:98:e1:41:f2:b3:21:d9:6b (RSA)
|   256 1e:ba:57:5f:29:8c:e4:7a:b4:e5:ac:ed:65:5d:8e:32 (ECDSA)
|_  256 7b:55:2f:23:68:08:1a:eb:90:72:43:66:e1:44:a1:9d (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open  mysql   MySQL 5.5.5-10.1.47-MariaDB-0ubuntu0.18.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.1.47-MariaDB-0ubuntu0.18.04.1
|   Thread ID: 69
|   Capabilities flags: 63487
|   Some Capabilities: SupportsTransactions, ConnectWithDatabase, DontAllowDatabaseTableColumn, LongPassword, ODBCClient, Speaks41ProtocolOld, Support41Auth, IgnoreSigpipes, Speaks41ProtocolNew, FoundRows, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, InteractiveClient, SupportsCompression, LongColumnFlag, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: :`Vl<)UProV?vX5?|vZ@
|_  Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.06 seconds
```

PORT 80

Running gobuster on the web server

These all turned out to be rabbit holes

Looking at the members on the forum, there is a member with a white rabbit avatar

This is a hint, since the room description had a "follow the rabbit" picture

We can see this user has some posts, but when we try to view them they are not shown

So let's try registering an account on the Linux-Bay forum. I had already registered on the forum before trying this, so I'll log in to the forum

Now when you visit his profile you can see his post

Here you can see a link to a page

Viewing the source code, we can find the link where the white rabbit leads us

Visiting /reportPanel.php, we can see a bunch of bugs that people have reported

A hint tells us that the vulnerability must be from the year 2021, and three vulnerabilities were reported in 2021.

I will be testing for weak credentials, so fire up Burp Suite and intercept the login request

Send the request to Intruder

Set the payloads for username and password

The first payload is for the usernames; I copied all the usernames found on the MyBB site

The second payload is for the passwords, which were the weak credentials reported as a vulnerability in 2021. Now let's start the attack.

Here we can see that the response length for the "logged in successfully" message is between 5982 and 6069, so we can use that range to sort out the moderators and admin from the credentials we got. We have the creds for the two moderators "ArnoldBagger" and "PalacerKing".

In the sent items we can see this interesting directory

Here modManagerv2.plugin and p.txt.gpg are interesting. We need to find the password for decrypting the p.txt.gpg file, so let's have a look at the plugin file

```php
$sql_p = file_get_contents('inc/tools/manage/SQL/p.txt'); //read SQL password from p.txt
```

This line reads the SQL password from that encrypted text file, so we really need to decrypt it in order to log in to MySQL, and if we scroll down a little we may be able to find the username

To summarize what we have done up to now: we brute-forced the passwords and got into a moderator account, from there we saw an email that led us to /devBuilds, and there we found an encrypted file that we need a password for, so let's go back and see if we missed something

Going back to /reportPanel.php we find hidden text which says "the keymaker's message"

I didn't really understand what the message meant, but that binary text was our directory

If we look closely at those Chinese characters we can see some English letters, ofqxvg, and with these letters we generate permutations

And we get a list of words from the permutations. Now we can convert this gpg file into a hash that John the Ripper understands and then crack it with the wordlist we generated

Run this command to see where gpg2john is stored

Save the hash in a file

Then run john against the file with the wordlist

Now we can connect to MySQL with this password

Here we can see the login_key of Ellie, but what is a login_key? I found the answer on the MyBB community forums

Also, if we look at the cookies

We can see that OoTfmlJyJhdJiqHXucrvRueHvGhE6LnBi5ih27KLQBKfigQLud is the login_key for ArnoldBagger, and the id for this user is 11

If we go back to Team, we can see the super moderator is BlackCat with user id 7 (we can work out the id by counting on the members page)

And now we are logged in as BlackCat

We can see a lot of stuff in the attachments: testing.zip, DevTools.zip and SSH-TOTP documentation.pdf. The documentation explains how the authentication for Linux Bay works, and digging through those archives I found a table

As we can see the username is architect, but the SSH login method is TOTP (Time-based One-Time Password). So in order to log in our time must be synced; type this in your terminal

`timedatectl set-timezone UTC`

Then run ntp_syncer.py

But before running timeSimulatorClient.py, check what the code is doing

We can see that sharedSecret isn't used anywhere in the code, so let's take a look at one of those diagrams

According to this diagram, the times from three different time zones are multiplied together and the result is XORed with the shared token, so we need to modify the code a little and figure out the correct token as well as the three time zones

```python
from datetime import datetime, timedelta
import time
import subprocess
from hashlib import sha256

# shared token recovered from the SSH-TOTP material
sharedSecret = 792513759492579


def compute_otp(now, secret=sharedSecret):
    """Return the 22-character SSH OTP for the given local time.

    The three offsets (Ukraine, Denmark, Nigeria) are the ones that produced
    a working code; Germany and England were tried but are not part of the
    final formula.
    """
    Ukraine = now + timedelta(hours=4, minutes=43)
    UkraineCurrentTime = int(Ukraine.strftime("%d%H%M"))

    Denmark = now + timedelta(hours=-5, minutes=18)
    DenmarkCurrentTime = int(Denmark.strftime("%d%H%M"))

    Nigeria = now + timedelta(hours=1, minutes=6)
    NigeriaCurrentTime = int(Nigeria.strftime("%d%H%M"))

    # offsets that were tried but are unused in the final formula:
    #   Germany = now + timedelta(hours=13, minutes=55)
    #   England = now + timedelta(hours=9, minutes=19)

    # multiply the three "day-hour-minute" values, XOR with the shared token,
    # hash the decimal string and keep the middle slice of the hex digest
    multipliedTime = UkraineCurrentTime * DenmarkCurrentTime * NigeriaCurrentTime
    nOTP = multipliedTime ^ secret
    sshpass = sha256(repr(nOTP).encode("utf-8")).hexdigest()
    return sshpass[22:44]


if __name__ == "__main__":
    while True:
        print('---------------------------------------')
        print(compute_otp(datetime.now()))
        print('---------------------------------------')
        # keep updating every second - the OTP changes on each new minute
        time.sleep(1)
        subprocess.call("clear")
```

This is the code that gave the right OTP

And we are logged in with the OTP

We can find the user.txt here

Running sudo -l we can see that this user is allowed to run awk as root

And we got root!

For the ACP pin I ran the find command to search for txt files

`101754^123435+689511`

Evaluating this with `^` as bitwise XOR (as Python and bash arithmetic do) gives 718008

In the /etc folder I found a file

But it was named using special characters, so if we try to read it bash gives an error

After googling a little on how to read files named with special characters I found this

And running the Python script gave the root flag

- mysql password: myS3CR3TPa55
- ssh user: architect
- Ellie: G9KY2siJp9OOymdCiQclQn9UhxL6rSpoA3MXHCDgvHCcrCOOuT
- Blackcat: JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB

`date --set="12 Feb 2021 08:44:35"`