Hackable 3

a writeup

20 avril 2024

Code : commands/tools | path | clues/progress

In short : #

• I got VM IP from Ubuntu rescue mode and netdiscover tool.

• With nmap I saw there is an SSH port and an HTTP port active but only the HTTP service is up.

• Inspecting the code of /index.html. Learning about port knocking and having a nickname : jubiscleudo. Having access to /login_page/login.html.

• I clicked on the login button in /login_page/login.html and it redirected me to /login.php.

• Inspecting the code of /login.php and it gave me the location /3.jpg. It is an image that contains a secret message that I extracted with the tool steghide : porta:65535.

• I used gobuster to get as many subpages as I can get.

• Found a wordlist in /backup/wordlist.txt.

• I found /robots.txt that exclude /config to get crawled by bots.

• On /config/1.txt I found MTAwMDA= that is a base64 code that gives me 10000 when decoded using dcode.fr.

• On /css page there is a 2.txt with a brainfuck language encoded message ++++++++++[>+>+++>+++++++>++++++++++««-]»>——————…. that gives me 4444 when decoded using dcode.fr.

• Using knockd with these three port numbers in the right order (10000 4444 65535) I was able to open the SSH service.

• Using hydra, the nickname jubiscleudo and the wordlist.txt i did a bruteforce attack.

• Login : jubiscleudo. Password : onlymy.

• cat /home/jubiscleudo/.user.txt to see ascii art.

• ls /home to see there is another user hackable_3.

• ls -la /var/www/html to see things I missed with Gobuster.

• cat /var/www/html/.backup_config.php and I got DB_USERNAME hackable_3 and DB_PASSWORD TrOLLED_3.

• su hackable_3 with this password and I’m in. Nothing relevant in its directory.

• Using groups hackable_3 I saw that this account is in the lxd group. I can use an exploit to grant root access.

• Using the lxc tool I created a storage, then configured it and launched a container named “test”.

• I used https://github.com/initstring/lxd_root script "ldx_rootv1.sh" to get this exploit done.

• Then I was finally able to use sudo since this account was a member of sudoers.

• I decided to sudo passwd root then to log into root account.

• I could read the /root/root.txt file that got me an Obama “not bad” meme in ascii art.

I. Discovery #

First, I started up the VM. I set my virtual network to bridge for this VM so my ParrotOS VM and my host machine are on the same subnetwork.

Then I started up with left maj pulled down so I can access ubuntu rescue mode to know the machine IP :

In the system-summary page :

Then I restart the machine to get all his services loaded up. I’ve now an IP and I’ve been able to confirmate it with netdiscover tool :

netdiscover -r 192.168.0.0/24

It is the same IP and MAC address, we couldn’t identify it more accurately :

Now it is time to know what services emit from it. We’re using nmap to do that :

nmap -p- -sV -Pn -T4 192.168.0.15
-p- to scan all ports
-sV to know versions to services that are up
-Pn to skip host discovery (ping)
-T4 to scan as fast as possible

Now we know that there are ssh and http protocols running on port 22 and port 80. SSH is in a filtered state that means I cannot log into it, maybe due to firewall protection.

A web service is up on port 80 with an Apache2. Let’s see :

If we zoom in we can see a hidden button on the top right that open a side menu on the left :

And we end on this login page :

/login_page/login.html

Now back to the main page and see what’s inside source code :

There’s few things I noticed :

A link to the login page that I just saw
A comment that gives me an username I believe : jubiscleudo and an indication to him to use port knocking and something to do with a .jpg file.

According to the Wikipedia page Port knocking is a method that can modify firewall rules in real time to permit a port to open for communications. It’s mainly used to protect SSH access because in order to get the port to open it needs to establish connections on distincts ports in the right order. So I believe that I need to know those ports to get to the machine through SSH.

II. Port Knocking

Now back to the /login_page/login.html. When we click on the “Login” button it redirect us to a blank /login.php page

Here is the source code of this page :

This is PHP code that I wouldn’t normally see. I notice ‘Location: 3.jpg’ on line 17.

/3.jpg directory gives us an image of Christ the Redeemer statue in Rio de Janeiro :

I downloaded this image and tried to open it in plain text but it gave me garbish. So I try to search how people hide things in images and it’s clear that I need to do steganography. There are many ways to hide something in an image so I decided to try some online tools which modify the colorimetrics settings of it but I didn’t find something relevant.

I found a tool named steghide that can hide and extract information from a file without changing its look by modifying bits that are not used to the file. With it I was able to discover porta:65535. There was no passphrase to give. It might be one of the ports needed with port knocking to gain access to SSH.

steghide extract -sf 3.jpg

Let’s continue to dig. Using Gobuster and a wordlist I found on internet I’m able to find pages :

gobuster dir -u <URL> -w <wordlist> -b <http code to exclude>

gobuster dir -u http://192.168.0.15 -w 'golist' -b 400,404

Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://192.168.0.15
[+] Method: GET
[+] Threads: 10
[+] Wordlist: golist
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s

Starting gobuster in directory enumeration mode

/robots.txt (Status: 200) [Size: 33]
/css (Status: 301) [Size: 310] [–> http://192.168.0.15/css/]
/js (Status: 301) [Size: 309] [–> http://192.168.0.15/js/]
/.htaccess (Status: 403) [Size: 277]
/config.php (Status: 200) [Size: 507]
/config (Status: 301) [Size: 313] [–> http://192.168.0.15/config/]
/login.php (Status: 200) [Size: 487]
/backup (Status: 301) [Size: 313] [–> http://192.168.0.15/backup/]
/.htpasswd (Status: 403) [Size: 277]
/.htpasswds (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/?wsdl (Status: 200) [Size: 1095]
/?view=log (Status: 200) [Size: 1095]
/backup (Status: 301) [Size: 313] [–> http://192.168.0.15/backup/]
/config (Status: 301) [Size: 313] [–> http://192.168.0.15/config/]
/config.php (Status: 200) [Size: 507]
/config/ (Status: 200) [Size: 929]
/home.html (Status: 200) [Size: 11327]
/index.html (Status: 200) [Size: 1095]
/imagens (Status: 200) [Size: 317]
/login.php (Status: 200) [Size: 487]
/robots.txt (Status: 200) [Size: 33]
/server-status (Status: 403) [Size: 277]
Progress: 3521 / 3522 (99.97%)

Finished

I noticed a wordlist on /backup page :

On the robots.txt page :

http://192.168.0.15/robots.txt

User-Agente: * Disallow: /config

It is used to give instructions to bots that crawl the web and get website information available to search engines. Using the wildcard gives the instruction to all crawlers bots. It means all of them. On the second line there is the instruction : unauthorized to get any information about /config.

We saw /config with Gobuster. Let’s take a look :