Let's have a nice gentle start to the New Year!
Can you hack into the Year of the Rabbit box without falling down a hole?
Enumeration
Alright, FTP, SSH and an Apache web server. Looks like FTP doesn't have anonymous login... let's hit that website.
Unconfigured Apache page. Okay, let's gobuster - looks like there's an /assets folder. Inside there we have a RickRolled.mp4 and a style.css file. I decided to look at the stylesheet and saw this:
Visiting that page I see this.
When you click on through, you get Rick Rolled. Going to the site without javascript you see... fuck. I don't want to get rick rolled.
<html>
<head>
<title>sup3r_s3cr3t_fl4g</title>
</head>
<body>
<noscript>Love it when people block Javascript...<br></noscript>
<noscript>This is happening whether you like it or not... The hint is in the video. If you're stuck here then you're just going to have to bite the bullet!<br>Make sure your audio is turned up!<br></noscript>
<script>
alert("Word of advice... Turn off your javascript...");
window.location = "https://www.youtube.com/watch?v=dQw4w9WgXcQ?autoplay=1";
</script>
<video controls>
<source src="/assets/RickRolled.mp4" type="video/mp4">
</video>
</body>
</html>
Ok.. ok. So the clue says it's "IN" the video... before I watch this stupid thing, let's download that RickRolled.mp4 file and poke around in it. We'll try exiftool, binwalk, steghide... nothing... or invalid file type. OK Ok... I watched the video - I hate you. Luckily there was some nice audio shortly after a minute that told me I was looking in the wrong place... so I got RickRolled for nothing.
So I started taking some of the web requests apart and saw a call to a "hidden directory" so I went there.
We get a picture of a hot babe - let's download that for later.... steg later not fap later... come on man!
We run strings on this bad boy, using 6 digits as the minimum (-n 6) and get some info!
K, so we'll just copy all the data from the remainder of the file, pop it into a file called 'passwords' and then run hydra on it.
OK so we're in and we see a file.
Let's download that and check it out. We can't traverse any other folders so this is what we got to work with. Looks like a cipher...
OK, so I used two sites here. One to figure out the cipher: https://www.dcode.fr/cipher-identifier and then the other to actually decode it: https://www.dcode.fr/brainfuck-language that gave me this:
User: eli
Password: DSpDiM1wAEwid
Alright, let's try it on our SSH port. Hooray! We're in!
I think we'll have to find this place 'cause Gwen has that user.txt file in her profile but we can't view it.
There's a file called core in Eli's home directory, and running file on it says it's an ELF 64-bit LSB core file x86-64 ...but I'm not sure what that is... I thought maybe I'd search for the hiding spot called s3cr3t or leet... but couldn't find anything. I did a full search for any hidden folders on the system and nothing popped out.
Okay let's run linpeas on this bitch. You can download it here: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS - I had to download it on my attack box, then create a web server to download it onto the local SSH connection. After running it, I saw this:
Absolutely should be 60 characters long. AND if you have it with that type of security you only need to change it at LEAST once a year.
OK then, let's go take care of this first flag. We'll su into gwen and then pop it.
What is the user flag? THM{1107174691af9ff3681d2b5bdb5740b1589bae53}
Well I won't lie... I had to play for a few days just to get that flag. Good job on this room. I imagine the root flag will take me another few days!
Ok so Gwen has access to run vi as root... let's see if I can remember how to escape out of that
That's weird... when I try and run it, it asks for a password and then says I can't run that... Well, let's run linpeas on it again - this time as gwen. We see some CVEs we might be able to use.
Okay well none of those worked so I peeked at the writeup. Looks like a sudo exploit for the version.
Checking out the version I see it's 1.8.10p - by googling 'sudo 1.8.10 exploit' I see there's a known CVE here: https://www.exploit-db.com/exploits/47502 and a bit of information here: https://blog.aquasec.com/cve-2019-14287-sudo-linux-vulnerability That says:
The function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, like 0, which is always the user ID of root user.
So we're going to use the command listed on the CVE page and call that like this
That pops our root flag! THM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161}
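The sudo bug quoted above is easiest to reason about from the defender's side. As an added example (not part of this writeup or the room), here is a small POSIX shell audit that flags a sudo build older than the 1.8.28 fix and any sudoers rule that grants ALL while excluding root, which is the configuration CVE-2019-14287 abuses; the version threshold, the rule shape and the sample sudoers lines are my assumptions and constructions, not taken from the box.

```shell
#!/bin/sh
# Added audit helpers for CVE-2019-14287 (sudo treating runas uid -1 / 4294967295 as root).
# Not part of the original writeup. Assumes the upstream fix shipped in sudo 1.8.28 and
# that the affected configuration is a sudoers runas list like "(ALL, !root)".

# Returns 0 (true) when a sudo version string such as "1.8.10p3" is older than 1.8.28.
sudo_version_vulnerable() {
    printf '%s\n' "$1" | sed 's/p[0-9]*$//' | awk -F. '{
        v = $1 * 1000000 + $2 * 1000 + $3
        exit !(v < 1008028)   # 1.8.28 encoded as 1*1000000 + 8*1000 + 28
    }'
}

# Returns 0 when a sudoers line grants a runas list of ALL with root excluded,
# e.g. "gwen ALL=(ALL, !root) /usr/bin/vi", the precondition the CVE needs.
sudoers_rule_exposed() {
    printf '%s\n' "$1" | grep -Eq '\([^)]*ALL[^)]*,[^)]*![[:space:]]*root[^)]*\)'
}

# Reads sudoers content on stdin, reports exposed rules on stderr and prints the count.
# Comments and blank lines are skipped.
count_exposed_rules() {
    n=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if sudoers_rule_exposed "$line"; then
            printf 'exposed rule: %s\n' "$line" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample sudoers content (hypothetical, not from the target box).
SAMPLE_SUDOERS='# /etc/sudoers sample
root    ALL=(ALL:ALL) ALL
gwen    ALL=(ALL, !root) /usr/bin/vi
ops     ALL=(ALL:ALL) NOPASSWD: /bin/systemctl'

# Demo: the version string the room shows, checked against the constructed file.
if sudo_version_vulnerable "1.8.10p"; then
    echo "sudo 1.8.10p predates 1.8.28: CVE-2019-14287 applies if any rule is exposed"
fi
printf '%s\n' "$SAMPLE_SUDOERS" | count_exposed_rules
```

On a real host, feed `sudo -V | head -1 | awk '{print $NF}'` to the version check and `/etc/sudoers` plus `/etc/sudoers.d/*` (as root) to `count_exposed_rules`; the remediation is to upgrade sudo and to drop `!root` exclusions in favour of an explicit allowed-user list.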