CyberSecLabs - Shares

udpine
5 min read · Jun 24, 2020

CyberSecLabs is a great platform for anyone starting out in security who would like to begin with CTF challenges. A friend recommended it to me, and I started with a couple of free boxes; after a day of tackling them I decided it was worth the subscription.

One of the first boxes I started with was called Shares. After downloading my VPN pack from the CyberSecLabs website I was ready to get going. First things first: connect to the VPN using the connection pack via openvpn.

One of the first things I do every time I start a new box is run an nmap scan. Nmap is a network mapping tool that reports information such as open ports and the services that appear to be running on them. The command I run is as follows.

sudo nmap -sC -sV -T4 -O -v 172.31.1.7 -oN shares.txt

The options control what the scan does. “-sC” runs nmap's default scripts against the services it finds, “-sV” probes for service versions among other things, “-T4” sets the timing template (how aggressive/fast the scan runs), “-O” enables OS detection, and “-v” turns on verbose output so you can watch ports being discovered as the scan runs. Lastly, “-oN” writes the results of the scan to the file “shares.txt” for later viewing.

Here are the results of the nmap scan:

Shares nmap scan results

Because the nmap results included NFS export/access-control information, I ran a command to see what the NFS server would tell me about its exports.

showmount -e 172.31.1.7

...and got the result:

Boom! Some information on a first user. It looks like there is a directory named “amir” under the home directory being exported, which tells us we have a user named amir! Awesome... now what?

Now that I have an exported path on the network file system (NFS), I mounted it to see what it contains:

sudo mount -t nfs 172.31.1.7:/home/amir/ /mnt

I ran the mount command with the option “-t” to set the filesystem type to nfs, specified the target IP and the exported directory I want to pull (in this case amir's entire home directory), and the local mount point, “/mnt”.

From there, I navigated to the mnt directory and listed its contents, including hidden files, with the command:

ls -la

Look what we have here!

The hidden .ssh directory has read, write, and execute permissions set for us. Let's take a look inside, shall we?

Huh! An id_rsa backup file? I can use this as an SSH private key to log in to the box as amir. When I tried to SSH with this file, ssh refused it because the key file's permissions were too open, so I restricted them to what ssh expects for a private key.

chmod 600 id_rsa.bak

Still unable to SSH in: the key is encrypted, so it looks like I need its passphrase.

First I need to convert the id_rsa.bak file into a crackable hash with ssh2john, then crack the passphrase with john. Depending on which version of Kali you are using, the syntax to run ssh2john may differ.

In the directory of the id_rsa.bak file I ran:

python /usr/share/john/ssh2john.py id_rsa.bak > sharesSSH.txt

John the Ripper can then crack the hash using its default wordlist. All you need to do is run john and point it at the hash file. The command looks like this:

sudo john sharesSSH.txt

This gives me the key's passphrase in plain text so I can SSH in as amir successfully.

(The name of my hash file in the screenshot differs, but the command runs the same regardless of the file name.)

Now it's time to gain control of the server. Let's let ourselves in, shall we?

ssh -i id_rsa.bak amir@172.31.1.7 -p 27853

I used “-i” to specify the SSH key, then the user and host IP address to connect to, and “-p 27853” for the port, which, if you refer back to the nmap scan, is the port SSH is listening on for this machine.

I then used the passphrase I cracked with john to unlock the key and log in!

:)

Going back up to the home directory I can see we're not alone: there is another user named amy. I decided to check what sudo permissions amir has.

sudo -l

So, by the looks of my output, I can run python3 as amy without a password. Cool, let's take advantage of this and pivot to amy.

To elevate my privileges I will spawn a python3 shell as the higher privileged user.

sudo -u amy python3 -c 'import os; os.system("/bin/sh")'

“sudo -u amy” runs the rest of the command as amy. The python3 one-liner imports the “os” module and calls os.system to have the operating system run the shell “/bin/sh”, so the shell that appears is running as amy.

Now I have access to amy's home directory and can grab the access flag!

What access do we have as amy?

We can run ssh as root without a password; time for another pivot.

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

This is the “Spawn an interactive root shell through ProxyCommand option” entry for ssh on GTFOBins, a well-known curated list of Unix binaries that can be abused to bypass local security restrictions such as sudo rules. Because ssh runs as root under sudo, the shell it launches via ProxyCommand is a root shell.
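Both pivots on this box come from the same misconfiguration: a NOPASSWD sudo rule for a binary (python3, ssh) that can hand the caller a shell. As an added defensive check that is not part of the original writeup, this Python script parses `sudo -l` style output and flags such rules; the line format, the list of shell-capable binaries and the sample outputs (constructed to mirror the amir and amy rules above) are my own assumptions.

```python
import re

# Binaries that can hand the caller an interactive shell when run under sudo.
# python3 and ssh are the two abused in this writeup; the rest are other
# well-known GTFOBins-style escapes. (Assumed list, not exhaustive.)
SHELL_CAPABLE = {"python", "python3", "ssh", "perl", "vim", "bash", "sh", "find", "less"}

# One privilege line of `sudo -l` output, e.g. "(amy) NOPASSWD: /usr/bin/python3"
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def find_risky_sudo_entries(sudo_l_output):
    """Return (run-as user, binary) pairs for NOPASSWD rules whose target
    binary can spawn a shell, i.e. rules that give a free pivot to that user."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "User X may run..." headers and Defaults lines
        runas = m.group("runas").split(":")[0].strip() or "root"
        if "NOPASSWD" not in m.group("tags"):
            continue  # a password is still required; lower risk
        for cmd in m.group("cmds").split(","):
            binary = cmd.strip().split()[0].rsplit("/", 1)[-1]
            if binary == "ALL" or binary in SHELL_CAPABLE:
                findings.append((runas, binary))
    return findings


# Constructed samples modelled on the two rules found on the box.
SAMPLE_AMIR = """\
Matching Defaults entries for amir on shares:
    env_reset, mail_badpass

User amir may run the following commands on shares:
    (amy) NOPASSWD: /usr/bin/python3
    (root) /usr/bin/apt-get
"""

SAMPLE_AMY = """\
User amy may run the following commands on shares:
    (root) NOPASSWD: /usr/bin/ssh
"""

if __name__ == "__main__":
    for name, sample in (("amir", SAMPLE_AMIR), ("amy", SAMPLE_AMY)):
        for runas, binary in find_risky_sudo_entries(sample):
            print(f"{name}: passwordless {binary} as {runas} -> shell escape possible")
```

The fix on the defending side is to drop the NOPASSWD tag or, better, not to grant sudo on interpreters and network clients at all; a rule that needs a password still shows up in `sudo -l` but is skipped by this check.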

Root has been pwned; time to grab system.txt and get out of here!
