Hack The Box: Shrek




Difficulty: HARD

Machine Creator: SirenCeol & Cowonaboat

Tools Used:

NMAP

Gobuster

Audacity

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.47

HTTP


Opening the website in a browser shows a Shrek fan site with an image gallery and an upload page.



Gobuster

gobuster -u http://10.10.10.47 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt -t 40 -x .html,.php



wget http://10.10.10.47/uploads/secret_ultimate.php


Steganography




After modifying the spectrogram settings, we can see a hidden message that appears to be FTP credentials: “donkey:d0nk3y1337!”.

FTP






echo UHJpbmNlQ2hhcm1pbmc= | base64 -d


Viewing the second file the same way, we see another area with gaps and an embedded base64-encoded string. When we decode this, we get ciphertext.

Ciphertext




Using the encrypted RSA key file that we downloaded from the FTP server earlier and the new password that we decrypted, we are now able to SSH in using the username sec.

Privilege Escalation (fake)


sudo -l

sudo -u farquad /usr/bin/vi


Privilege Escalation (real)

find / -type f -newermt 2017-08-20 ! -newermt 2017-08-24 2>/dev/null



If we create a test file in the /usr/src/ directory, after a few minutes the cron job modifies this file.

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
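From the defender's side, the wildcard issue the linked paper covers can be checked for in any directory a scheduled job expands with `*`. The script below is an added example, not part of the original write-up: its function names and the sample directory are constructed, and `count_option_args` is a simplified model of a GNU-style option parser.

```shell
#!/bin/sh
# Added example: audit a directory that a scheduled job expands with "*".
# All function names and the sample directory are constructed for illustration.

# List entries in directory $1 whose names begin with "-". When a job runs
# `cd "$1" && some_command *`, each of these reaches the command as an
# option rather than as a file operand.
option_like_names() (
    cd "$1" || exit 1
    for f in -*; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
)

# Simplified model of a GNU-style option parser: count the arguments that
# begin with "-", stopping at a literal "--" (end-of-options marker).
count_option_args() (
    n=0
    for a in "$@"; do
        if [ "$a" = "--" ]; then break; fi
        case "$a" in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
)

# For directory $1, print how many arguments would be parsed as options
# under three glob forms: bare "*", "./*", and "-- *".
audit_glob_forms() (
    cd "$1" || exit 1
    echo "$(count_option_args *) $(count_option_args ./*) $(count_option_args -- *)"
)

# Constructed demonstration directory; nothing here comes from the target.
demo() (
    d=$(mktemp -d) || exit 1
    touch "$d/notes.txt" "$d/-v" "$d/--verbose"
    echo "option-like names:"; option_like_names "$d"
    echo "options seen (bare, ./, --): $(audit_glob_forms "$d")"
    rm -rf "$d"
)

demo
```

A non-zero first number with zeros for the other two shows that writing the glob as `./*`, or placing `--` before it, keeps those names as file operands.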


User.txt & Root.txt