Posts Madness
Post
Cancel

Madness

Description

Will you be consumed by Madness?

RoomMadness
OSLinux
DifficultyEasy
Creatoroptional

Starting off with deploying the machine and quickly scanning the open ports with rustscan,

1
rustscan -a 10.10.73.19 --ulimit 5000

image

We got the open ports and now we can scan them in detail using nmap,

1
nmap -sC -sV -p22,80 10.10.73.19 -oN nmap.txt

image

Result scan shows that port 22 is running ssh service, port 80 is running apache webserver. Let’s start enumerating port 80.

Visit http://10.10.73.19 and we land on a default apache default webpage which has nothing much on the webpage unless we see clearly that there is an image which is not loaded properly on webpage,

image

Checking the source code and there is a comment of They will never find me,

image

Download the image,

1
wget http://10.10.73.19/thm.jpg

image

Checking the head of the image of what type of data it shows, and it seems like this image is corrupted as it has been tempered,

1
head thm.jpg

image

The image header for this JPG is that of a PNG. We can change this using hexedit.

Hexedit is an editor which can be use to edit hex values. To install hexedit,

1
sudo apt install hexedit

Now, we can open this image file in hexedit,

1
hexedit thm.jpg

image

we can see the first three blocks of hex values which are not correct as depicted in List of Signatures.

So, we can make changes on first three blocks and then save the file,

image

Now, after opening the image, we will get the hidden directory,

image

Visiting the hidden directory on website,

image

we get the webpage displaying that someone is waiting for us and to obtain that somebody’s identity, we need to guess their secret.

Looking at the source code in hope to find something interesting and hopefully, I found a comment phrasing that we need to enter a secret b/w 0-99,

image

Entering secret=1 and we got message that this secret is wrong,

image

so we need to correctly guess the secret in order to move forward.

We can use burpsuite to automate this process of guessing the secret correctly. To achieve this, open burpsuite, make request by entering any number guess and let burp intercept our request and send the request to intruder, add the $ mark around the secret value and set the payload from 0-99 number,

image

After firing the attack and waiting for sometime, we will finally get the correct guessed number,

image

Alternatively, we can try wfuzz tool to automate this number guessing,

1
wfuzz -z range,0-99 --hl 97 http://10.10.73.19/th1s_1s_h1dd3n/?secret=FUZZ

image

here we are running wfuzz tool providing it with range from 0-99, using --hl flag to hide responses with specified lines and providing the url link with parameter to fuzz and we will get our secret number.

Now, that we get the phrase (which doesn’t makes sense), we can use it to extract hidden data from image,

1
steghide extract -sf thm.jpg

image

Reading the hidden.txt file which got extracted using steghide tool,

image

we got the username which doesn’t make any sense.

We can paste this username we found on cyberchef and using ROT13, we can decode it,

image

So, now we know who was that somebody, which is joker.

Now, let’s try to login as joker user,

1
ssh joker@10.10.73.19

image

but we got “Permission denied”. After trying some username and password combinations, I failed to login miserably.

Thinking for a while, I remembered that there’s also an image on the room tasks,

image

Download this image and using the passphrase we got, we can extract the hidden data from this image and we get password.txt file.

Reading the password.txt file and there we got another password,

image

Logging in as joker user via ssh,

1
ssh joker@10.10.73.19

image

we got in!

Enumerating joker user directory and we got our user flag,

image

Now comes the privilege escalation. We can list all those binaries which we can run using sudo,

1
sudo -l

image

user joker can’t run any commands as sudo.

Now, let’s find those binaries which has SUID bit set on them,

1
find / -perm -04000 -type f 2>/dev/null

image

there is a binary /bin/screen-4.5.0 which has SUID bit set on it.

Let’s run this binary and we get into another screen. After enumerating, we need to find a suitable exploit so that it can escalate our privileges, and, the exploit can be found at GNU Screen 4.5.0 - Local Privilege Escalation,

1
2
3
4
nano exploit.sh
chmod +x exploit.sh
./exploit.sh
id

image

after performing these commands and firing the exploit, we will get root.

This post is licensed under CC BY 4.0 by the author.