Machine Creator: SirenCeol & Cowonaboat
Task: To find User.txt and Root.txt
Let’s start with an NMAP scan.
nmap -sV -sC 10.10.10.47
When we open the website in a browser, we can see that there is a Shrek fansite. Also on this page, we can see an image gallery and an upload page.
gobuster -u http://10.10.10.47 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt -t 40 -x .html,.php
Modifying the spectrogram settings, we can see a hidden message that appears to be FTP credentials: “donkey:d0nk3y1337!”.
echo UHJpbmNlQ2hhcm1pbmc= | base64 -d
Viewing the second file the same way, we see another area with gaps and an embedded base64-encoded string. When we decode this, we get encrypted ciphertext.
Using the encrypted RSA key file that we downloaded from the FTP server earlier, together with the new password that we decrypted, we are now able to SSH in using the username sec.
sudo -u farquad /usr/bin/vi
find / -type f -newermt 2017-08-20 ! -newermt 2017-08-24 2>/dev/null
The user.txt file is dated Aug 22nd. If we search for files modified within a couple of days of that date, we can see which files were changed during that time. In this search, one text file stands out.
If we create a test file in the /usr/src/ directory, after a few minutes the cron job modifies this file.
For the final exploit, we need to create a reference file using the touch command and then compile a binary with GCC that elevates us to a root shell. After changing the permissions on the binary and waiting for the cron job to run, we can execute the binary, which gives us a root shell.
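A defensive counterpart to this last step, added here and not part of the original writeup: a POSIX shell audit that lists setuid/setgid executables under a directory that a privileged cron job rewrites (/usr/src on this box) and reports any that are not on a known-good baseline. The directory argument and the baseline file path are assumptions; supply your own.

```shell
#!/bin/sh
# Added detection example (not from the writeup). Audits a directory that a
# root cron job rewrites for setuid/setgid files that are not on a baseline.
# Assumed inputs: $1 = directory to audit (e.g. /usr/src), $2 = baseline file
# holding one known-good path per line (defaults to an empty baseline).

# Print every regular file under $1 carrying the setuid or setgid bit, sorted.
list_setuid_files() {
    dir="$1"
    [ -d "$dir" ] || return 1
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# Print setuid/setgid files under $1 that are absent from baseline file $2.
# Returns 0 when nothing new is found, 1 when new files are printed,
# 2 when the directory cannot be read.
audit_setuid_against_baseline() {
    dir="$1"; baseline="$2"
    [ -f "$baseline" ] || baseline=/dev/null   # empty baseline matches nothing
    current=$(list_setuid_files "$dir") || return 2
    # -x: whole-line match, -F: fixed strings, -v: keep lines NOT in baseline
    new=$(printf '%s\n' "$current" | grep -vxF -f "$baseline" | sed '/^$/d')
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Usage: ./audit_setuid.sh /usr/src /var/lib/setuid-baseline.txt
[ $# -ge 1 ] && audit_setuid_against_baseline "$1" "${2:-/dev/null}"
```

Run it from a root cron job of its own and alert on a non-zero exit; a setuid binary appearing under /usr/src between runs is exactly the artefact this privilege escalation leaves behind.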