
Hack The Box: Shrek

Difficulty: HARD

Machine Creator: SirenCeol & Cowonaboat

Tools Used:

NMAP

Gobuster

Audacity

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.47


The Nmap scan shows two open ports in addition to SSH.

HTTP

When we open the website in a browser, we can see that there is a Shrek fansite. Also on this page, we can see an image gallery and an upload page.

Gobuster

gobuster -u http://10.10.10.47 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt -t 40 -x .html,.php


The Gobuster scan shows the upload page as well as an uploads directory and an images directory.


Browsing the uploads directory, we can see several files that may hint at possible exploits. One file called secret_ultimate.php looks interesting, so let’s check it out.


Looking at secret_ultimate.php, the PHP code appears to be broken, so the page does not render properly. Let’s download the file and see what it contains.

wget http://10.10.10.47/uploads/secret_ultimate.php


The PHP file shows us a new possible directory called secret_area_51.


Browsing the new directory, we see what appears to be an audio file. The first thing this makes me think of is steganography.

Steganography


Looking at the audio file in Audacity, we can see an unusual area at the end of the file.


If we switch to spectrogram view and zoom in, we notice something strange near the top. Let’s see if we can make it more visible.

Modifying the spectrogram settings, we can see a hidden message that appears to be FTP credentials, “donkey:d0nk3y1337!”.

FTP


Logging into this FTP site using FileZilla, we can see several text files.


Among the downloaded files there is a key file, which is an encrypted RSA private key.


The text files downloaded from the FTP site appear to be filled with random data.


The contents of the files are base64, but two of them contain errors.


The first file with errors has gaps, with a base64 string hidden inside it.

echo UHJpbmNlQ2hhcm1pbmc= | base64 -d


Decoding this string gives us “PrinceCharming”.

Viewing the second file the same way, we see another area with gaps and an embedded base64 encoded string. When we decode it, we get encrypted ciphertext.

Ciphertext


To decrypt the ciphertext, we use the secure Python library with the password found in the previous base64 file, “PrinceCharming”.


After running the decryption Python script, we are given the password “shr3k1sb3st!”.

Using the encrypted RSA key downloaded from the FTP server earlier together with the newly decrypted password, we can now SSH in as the user sec.

Privilege Escalation (fake)


For privilege escalation, we start by determining the Linux version of this machine. The version is Arch Linux, Shrek 4.12.6-1-ARCH.

sudo -l

sudo -u farquad /usr/bin/vi

We can list our sudo privileges with the command “sudo -l”. From there we can run vi as farquad. Once we are in vi, we run a shell with “:!/bin/bash” and hit enter.

 


In farquad’s home directory we see a file called mirror. If we execute the file, we are given a quote. (Hint: there is nothing special about this file; it is just a rabbit hole.)

Privilege Escalation (real)

find / -type f -newermt 2017-08-20 ! -newermt 2017-08-24 2>/dev/null


The user.txt file is dated Aug 22nd. Searching for files modified within a couple of days of that date shows what was changed during this time, and one text file stands out.


Looking at root’s cron jobs, we can see that one has the same modification date as thoughts.txt.

If we create a test file in the /usr/src/ directory, the cron job modifies it after a few minutes.

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt


For the final exploit, we create a reference file with the touch command and use GCC to compile a binary that elevates us to a root shell. After changing the permissions on this binary and waiting for the cron job to run, we execute the binary and get a root shell.
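The wildcard trick in the paper linked above works because a bare * on a command line is expanded by the shell before the tool sees it, so a file whose name looks like an option is treated as one. The audit below is an added example, not part of the original writeup or of the DefenseCode paper: it reads crontab text, finds commands to common file tools that receive an unanchored glob without a preceding --, and reports the safer form. The crontab entries are constructed for the example (the /usr/src directory is the one from this box; the tools and schedules are assumptions).

```python
"""Audit crontab lines for unanchored wildcards passed to file tools.

Added example for the Shrek writeup. SAMPLE_CRONTAB is constructed; the
tool list and schedules are assumptions, not the box's real crontab.
"""
import re
import shlex

# Tools whose options are commonly reached through glob expansion.
GLOB_SENSITIVE = {"tar", "chown", "chmod", "rsync", "cp", "mv", "rm", "find"}

# Constructed sample: three root cron entries, only the first is unsafe.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * cd /usr/src && /usr/bin/chmod -R 0644 *
*/5 * * * * cd /usr/src && /usr/bin/chown -R root:root -- *
0 2 * * * cd /var/backups && /usr/bin/tar -czf site.tgz ./*
"""

CRON_FIELDS = 5   # assumes the five-field form, not @reboot-style entries


def split_entry(line):
    """Return (schedule, command) for a crontab line, or None for comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, CRON_FIELDS)
    if len(parts) <= CRON_FIELDS:
        return None
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def unsafe_globs(command):
    """(tool, glob) pairs where a glob-sensitive tool gets an unanchored glob.

    A glob is considered safe when it follows a '--' (option parsing has
    stopped) or when it starts with './' or '/', because every expanded
    name then begins with a path prefix and can never look like '-x'.
    """
    findings = []
    # Examine each simple command separated by &&, ||, ; or |
    for segment in re.split(r"&&|\|\||;|\|", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            continue  # malformed quoting; nothing to expand reliably
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]
        if tool not in GLOB_SENSITIVE:
            continue
        protected = False
        for arg in argv[1:]:
            if arg == "--":
                protected = True      # everything after this is an operand
                continue
            if "*" in arg and not protected and not arg.startswith(("./", "/")):
                findings.append((tool, arg))
    return findings


def audit(crontab_text):
    """Return (line_number, tool, glob, safer_glob) for every unsafe glob."""
    report = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        _schedule, command = entry
        for tool, arg in unsafe_globs(command):
            report.append((lineno, tool, arg, "./" + arg))
    return report


if __name__ == "__main__":
    for lineno, tool, glob, fix in audit(SAMPLE_CRONTAB):
        print(f"line {lineno}: {tool} receives bare '{glob}', use '{fix}' or add '--'")
```

The two unflagged entries show the fixes: either terminate option parsing with -- before the glob, or anchor it as ./* so every expanded name begins with ./ and cannot be parsed as an option. Either change removes the trick this box relies on without touching what the cron job does.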

 

User.txt & Root.txt