Box info:
Name: Grotesque: 2
OS: Linux
Rated Difficulty: 🟩🟩🟨🟨(medium)
====================================================================
Using nmap we've found a bunch of open ports, 555 ports to be more exact.
$ nmap -sC -sV 192.168.0.85 Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 09:58 EEST Nmap scan report for 192.168.0.85 Host is up (0.00072s latency). Not shown: 921 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |_auth-owners: ERROR: Script execution failed (use -d to debug) | ssh-hostkey: | 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA) | 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA) |_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519) 32/tcp open http PHP cli server 5.5 or later |_auth-owners: ERROR: Script execution failed (use -d to debug) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 33/tcp open http PHP cli server 5.5 or later |_auth-owners: ERROR: Script execution failed (use -d to debug) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 37/tcp open http PHP cli server 5.5 or later |_auth-owners: ERROR: Script execution failed (use -d to debug) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 42/tcp open http PHP cli server 5.5 or later |_auth-owners: ERROR: Script execution failed (use -d to debug) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 43/tcp open http PHP cli server 5.5 or later |_auth-owners: ERROR: Script execution failed (use -d to debug) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 49/tcp open http PHP cli server 5.5 or later |_auth-owners: ERROR: Script execution failed (use -d to debug) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 53/tcp open http PHP cli server 5.5 or later ... 555/tcp open http PHP cli server 5.5 or later |_auth-owners: ERROR: Script execution failed (use -d to debug) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Visiting the usual port 80 which most of the times is hosting a website:
Every port from port 32 to port 555 will show the same image (I only randomly checked some of them one by one).
Automate the port scraping:
1. I used python to generate a file with numbers from 1 to 555:
for i in range(555): print (i)
2. Then I used ffuf to automate the port fuzzing:
ffuf -c -w numbers -u http://<MACHINE IP>/FUZZ -fw 39 258 [Status: 200, Size: 762, Words: 67, Lines: 36]
Looks like port 258 is the different one:
The next thing that came in to my mind is to use an online tool to analyze the image, and I did that using this website: https://stegonline.georgeom.net/upload.
Now if we upload the 'ok' emoji image to that website and press the LSB Half, something interesting will appear:
We know from port 258 that the username might be: satan, raphael, angel, distress, greed or lust. So I used hydra to find which is the correct username:
$ hydra -L users -p solomon1 192.168.0.106 ssh [22][ssh] host: 192.168.0.106 login: angel password: s[redacted]
Now we we can login to the box as user angel. Here is a directory named quiet which has a bunch of files that contains the word 'quiet'. I tried to read them using a loop function maybe one of them has a different message, but I had no luck.
Next I used pspy64 to checking any running processes:
Looks like there is a check.sh file inside /root that runs every 1-2 minutes, but I don't know what it does. If we check the files inside the quiet directory we see that those files are owned by root:
So I deleted every file inside the quiet directory to see if they'll get created again. But after some time none of the files were created. But the interesting thing here is that if we check the '/' directory, a new file is created -- rootcreds.txt:
That file contains the password for root:
root creds root s[redacted] root creds root s[redacted]
Shell as root:
Comments
Post a Comment