Brooklyn Nine Nine: Try Hack Me Writeup

Tasi Sua
5 min read · Feb 29, 2024

Before beginning, shout outs to Amaryah (Ama) Halo for initiating the 30 day THM Challenge and to Pasifika Tech Network for providing the platform for those of us from Moana-nui-a-kiwa in the tech/cyber space to engage with and tautoko each other!

Brooklyn Nine Nine

Now, onto the writeup. I opted for an easy box after taking a bit of a hiatus from hacking.

Please note: Spoilers ahead.

TryHackMe Box Brooklyn Nine Nine

Task 1

For this box we are required to get 2 flags:

  1. User Flag
  2. Root Flag

Enumeration

To get started, once we are given the target IP address we run a quick nmap scan using the command: nmap <target_ip>

Nmap scan

Scanning the target IP address with nmap shows us which services are running and on which ports. From the nmap results we can see 3 open ports:

  1. Port 21: FTP
  2. Port 22: SSH
  3. Port 80: HTTP

Since FTP and SSH typically require user credentials before granting access (unless anonymous login is enabled), I begin by browsing to the HTTP web server on port 80 to see if I can find any information or user credentials.

HTTP webserver

We are greeted with a large image and a sentence below it describing how the image is scaled. There seems to be quite an emphasis on the image here. The page doesn’t appear to have any functionality or anything else helpful, so next I check the source code.

Checking the Source Code

We can check the source code by right-clicking anywhere on the page and choosing ‘View Page Source’. This leads to a fairly bold comment which gives us a big clue as to what we do next. The comment can be seen highlighted below.

<!-- Have you ever heard of steganography? -->

Steganography password cracking using stegseek

Steganography is the act of hiding a secret, whether a txt file or another type of file containing a message, inside another file that is (typically) publicly accessible.
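To make the definition concrete, here is an added example (not from the writeup, and not how steghide itself works internally) of the simplest form of the technique: hiding a payload in the least-significant bit of each sample of a cover file, which changes every sample by at most 1 so the cover looks unchanged. The cover here is a constructed byte array standing in for raw pixel data; a tool such as steghide works on real image samples and additionally encrypts the payload under the password that the writeup goes on to crack.

```python
# Added example: least-significant-bit (LSB) steganography on a constructed
# byte array that stands in for raw image samples. Not the writeup's code and
# not steghide's algorithm; it only illustrates what "a file hidden inside
# another file" looks like at the byte level.

def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSB of each cover byte, preceded by a 32-bit length header."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} samples, have {len(cover)}")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the LSB, then write one payload bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the 32-bit length header from the LSBs, then that many payload bytes."""

    def read_bytes(bit_offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def visible_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference between cover and stego; LSB hiding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed inputs: a pseudo-random "image" and a short secret to hide in it.
COVER = bytes((i * 37) % 256 for i in range(4096))
SECRET = b"constructed secret message"

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("recovered:", extract(stego))
    print("max sample change:", visible_change(COVER, stego))
```

The payload occupies only the low bit of each sample, which is why a visual check of the image reveals nothing and why the writeup has to ask steghide directly whether something is embedded.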

Now that we know steganography is involved, I navigate back to the home page where we were greeted with the large image and use ‘Save Image As’ to save it onto our machine.

Now that we have the image, we can check whether there is in fact a file embedded in it using the following command: steghide info <image_name>

Steghide info showing the image is password protected

It shows us that there is an embedded file and that it is password protected.

Knowing this, we use the tool Stegseek to attempt to crack the password using the commonly used rockyou password list. The command looks as follows: stegseek --crack <image_name> <password_list> <output_file>

Stegseek password cracking

SSH access and flag 1!

We successfully discover the password and access the hidden data as shown below. It looks to be user credentials.

Hidden data

I first try to log in via SSH using the credentials (after trying and failing due to a few typos) and it works. We acquire our first flag!

FTP anonymous access

Now that we’ve found the user flag, we need to get root!

After logging in as holt via SSH, we search around the directories to see if we can find anything useful. Unfortunately, nothing comes up. Since we’ve explored the web server and SSH, our next step is to check whether we can do anything with FTP. This means checking whether anonymous access is enabled.

We do this using the command: ftp anonymous@<target_ip>

Successfully logged in to FTP as anonymous

We list the contents of the server and see that there is a text file named ‘note_to_jake.txt’. We proceed to download the text file onto our machine.

Downloading the text file onto our machine with the ftp get command

On reading the txt file, it gives us our next big clue: the user ‘jake’ has a weak password.

Note from Amy revealing that jake has a weak password

Password cracking with Hydra

With Hydra, we’re able to brute-force the SSH login. We know the username, ‘jake’, but we need to find the password, so we give Hydra a list of passwords. It will then go through each password and try it in combination with the given username or username list. In our case it will try each password from the rockyou password list with the username ‘jake’. The hydra command looks like the following:

hydra -l <username> -P <password_list> <target_ip> <protocol> -t <num_of_threads> -v

Luckily, we get a hit on the password fairly quickly!

Hydra results for jake’s SSH credentials
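The other side of this step is what the attempt looks like to the box itself: every wrong guess Hydra makes leaves a "Failed password" line in the SSH server's auth log, and the eventual hit leaves an "Accepted password" line from the same source. As an added example (not part of the writeup), the following detector walks a constructed set of OpenSSH auth.log lines and raises an alert when one source address racks up a threshold of failures against one account inside a short window, and a higher-priority alert when a success follows that burst. The log lines, hostnames and 192.0.2.x addresses are all made up for the example.

```python
# Added example: detecting an SSH password brute-force from auth.log lines.
# Not from the writeup; the sample log below is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Feb 29 10:00:01 bnn sshd[1201]: Failed password for jake from 192.0.2.10 port 41122 ssh2
Feb 29 10:00:02 bnn sshd[1203]: Failed password for jake from 192.0.2.10 port 41124 ssh2
Feb 29 10:00:03 bnn sshd[1205]: Failed password for jake from 192.0.2.10 port 41126 ssh2
Feb 29 10:00:04 bnn sshd[1207]: Failed password for jake from 192.0.2.10 port 41128 ssh2
Feb 29 10:00:05 bnn sshd[1209]: Failed password for jake from 192.0.2.10 port 41130 ssh2
Feb 29 10:00:06 bnn sshd[1211]: Failed password for jake from 192.0.2.10 port 41132 ssh2
Feb 29 10:00:09 bnn sshd[1220]: Accepted password for jake from 192.0.2.10 port 41140 ssh2
Feb 29 10:05:00 bnn sshd[1300]: Failed password for amy from 192.0.2.20 port 50000 ssh2
Feb 29 10:30:00 bnn sshd[1400]: Accepted publickey for holt from 192.0.2.30 port 50100 ssh2: ED25519 SHA256:constructed
"""

# Syslog timestamp, host, sshd[pid], then the result line OpenSSH writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Alerts as (ip, user, kind); kind is 'bruteforce' or 'bruteforce-success'."""
    recent = defaultdict(deque)  # (ip, user) -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        key = (ip, user)
        window = recent[key]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that fell out of the sliding window
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append((ip, user, "bruteforce"))
        elif key in flagged:
            # A login succeeding right after a burst of failures is the case to page on.
            alerts.append((ip, user, "bruteforce-success"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately low so the constructed sample trips them; on a real host the same logic is what tools like fail2ban implement, and the cheaper fix for this box's weakness is to stop accepting passwords over SSH at all (PasswordAuthentication no in sshd_config) so the wordlist has nothing to guess against.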

Escalate privileges and flag 2!

We use the password to switch user to jake and list the contents of their home directory. At the bottom of the screenshot below we can see that ‘.sudo_as_admin_successful’ is present. This indicates that jake has been able to successfully issue a sudo command, which is interesting because we may be able to use that to escalate privileges.

.sudo_as_admin_successful

To check which commands jake can issue with sudo privileges we use the command: sudo -l

This shows that jake can execute the ‘less’ binary with sudo privileges. To see how we can exploit this, we check GTFOBins, which gives us our exploit.

We run the command: sudo less /etc/profile

And then type !/bin/sh to pop a shell.

Straight away our prompt changes from ‘$’ to ‘#’, indicating we have successfully escalated our privileges to root. We then navigate to /root where we find our last flag!
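The root of this last step is a sudoers rule that hands jake a pager which can spawn a child process. An administrator can catch that kind of rule before a player does, so here is an added example (not from the writeup, and not the box's real sudoers file) that audits sudoers-style user specifications: it flags entries granting ALL, and entries granting a binary known to offer a shell escape unless the rule carries sudo's NOEXEC tag, which blocks the program from executing anything else. The sudoers lines and the short list of binaries are constructed for the example.

```python
# Added example: auditing sudoers user specifications for shell-escape risk.
# Not from the writeup; the sudoers fragment below is constructed.
import re

SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
jake    ALL=(ALL) NOPASSWD: /usr/bin/less
amy     ALL=(ALL) NOEXEC: /usr/bin/less
holt    ALL=(ALL) /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
"""

# Short constructed subset of programs that can run a child shell when
# launched under sudo (GTFOBins documents many more).
SHELL_ESCAPE_BINS = {"less", "more", "vi", "vim", "man"}

# user  host=(runas) [TAG: ]command, [TAG: ]command ...  (runas part is optional)
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
OPPOSITE = {"NOEXEC": "EXEC", "EXEC": "NOEXEC", "NOPASSWD": "PASSWD",
            "PASSWD": "NOPASSWD", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}


def audit(text: str):
    """Return findings as (who, command, reason) for risky sudoers grants."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags = set()  # in sudoers a tag stays in force for later commands on the line
        for item in m["rest"].split(","):
            item = item.strip()
            while True:
                t = TAG_RE.match(item)
                if not t:
                    break
                tags.discard(OPPOSITE[t.group(1)])
                tags.add(t.group(1))
                item = item[t.end():]
            if item == "ALL":
                findings.append((m["who"], item, "grants every command"))
                continue
            binary = item.split()[0].rsplit("/", 1)[-1] if item else ""
            if binary in SHELL_ESCAPE_BINS and "NOEXEC" not in tags:
                findings.append((m["who"], item, "shell-escape capable binary without NOEXEC"))
    return findings


if __name__ == "__main__":
    for who, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{who:8} {cmd:40} {reason}")
```

In the constructed fragment jake's rule is reported while amy's identical grant with NOEXEC: is not; the script reads sudoers file syntax, so feed it the file (or visudo -c -f output) rather than the differently formatted text that sudo -l prints.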

Thanks for reading and see you at the next box!


Tasi Sua

CS Student. Noob Bug bounty hunter. Noob hacker. Aotearoa, NZ.