unknowndevice64 v1.0 walkthrough
I started by scanning my network with nmap to find the VM. The -sn option is a host-discovery sweep only (no port scan), which is enough to pick out the VirtualBox NIC on the subnet.

$ nmap -sn 10.1.1.1/24
...
Nmap scan report for 10.1.1.60
Host is up (0.00035s latency).
MAC Address: 08:00:27:A9:EA:F9 (Oracle VirtualBox virtual NIC)
...
After finding the IP address of the machine, I ran nmap again with -p- to scan all 65535 TCP ports (the box deliberately runs its services on non-standard ports, so a default top-1000 scan would have missed both) and -sV to identify the services.

$ nmap -sV -p- 10.1.1.60
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-30 14:33 ACST
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 14:34 (0:00:06 remaining)
Nmap scan report for 10.1.1.60
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
1337/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
MAC Address: 08:00:27:A9:EA:F9 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.37 seconds
I opened http://10.1.1.60:31337 in the browser and found an interesting looking website with a glaringly obvious clue in red. Looking at the page source, I found an HTML comment referring to an image file, key_is_h1dd3n.jpg, which I then downloaded.

$ wget 10.1.1.60:31337/key_is_h1dd3n.jpg
--2019-04-30 15:42:47--  http://10.1.1.60:31337/key_is_h1dd3n.jpg
Connecting to 10.1.1.60:31337... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5386 (5.3K) [image/jpeg]
Saving to: 'key_is_h1dd3n.jpg'

key_is_h1dd3n.jpg   100%[==================>]   5.26K  --.-KB/s    in 0s

2019-04-30 15:42:47 (1.25 GB/s) - 'key_is_h1dd3n.jpg' saved [5386/5386]
Given the file name, I assumed some type of steganography had been applied to the image. After a bit of investigating with various tools, I extracted the hidden data with steghide using the passphrase "h1dd3n", taken straight from the file name. (steghide embeds data in the JPEG's DCT coefficients, so the file looks identical to the eye and has no suspicious trailing bytes; the only thing that gives it away is a correct passphrase.)

The extracted file contained a brainfuck program. I ran it, which gave me the username and password for the SSH login on port 1337. Since the program came off an unknown host, I ran it through an interpreter rather than compiling it to a native binary and executing that.
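A minimal brainfuck interpreter to run a program like the one recovered from the image is added below. This is example code written for this page, not code from the original walkthrough or from the VM; the real program's source is not reproduced, so the sample programs in the block are constructed ones (the real one would simply be passed in as the src argument). It keeps the two safety properties a practitioner wants when running a program pulled off a CTF box: bracket matching is checked before execution, and a step limit stops a non-terminating program.

```python
# Brainfuck interpreter (added example, not part of the original walkthrough).
# The program extracted from key_is_h1dd3n.jpg is not included here; the
# programs in __main__ are constructed samples.


def run_brainfuck(src: str, stdin: str = "", max_steps: int = 1_000_000) -> str:
    """Interpret brainfuck source and return everything it writes to stdout.

    Cells are unsigned 8-bit and the tape grows on demand to the right.
    max_steps bounds execution so an untrusted program cannot spin forever.
    Reading past the end of stdin yields 0.
    """
    # Pre-match brackets so jumps are O(1) and an unbalanced program is
    # rejected before a single instruction executes.
    jump = {}
    stack = []
    for i, ch in enumerate(src):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = [0]
    ptr = 0
    pc = 0
    inp = iter(stdin.encode("latin-1"))
    out = bytearray()
    steps = 0
    while pc < len(src):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = src[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved below cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]          # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]          # back to the matching '['
        # any other character is a comment
        pc += 1
    return out.decode("latin-1")


if __name__ == "__main__":
    # Constructed sample: 8 * 8 = 64, +1 = 'A', then 'B'.
    print(run_brainfuck("++++++++[>++++++++<-]>+.+."))
    # Constructed sample: echo stdin until EOF.
    print(run_brainfuck(",[.,]", stdin="xyz"))
```

For the real program, read the extracted file and pass its contents as src; anything the program prints (here, the SSH credentials) comes back as the return value instead of going straight to the terminal, which also makes it easy to log what an unknown program emitted.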
After logging in, I realised the default shell for the user ud64 was rbash (restricted bash), which blocks things like changing directory, running commands containing a "/", and modifying $PATH. However, I had access to the vi text editor, and vi can launch a shell; a child process started this way is not subject to rbash's restrictions (the usual trick is to point vi's shell option at /bin/bash first, since otherwise it inherits $SHELL and simply spawns another rbash). From the resulting bash shell I changed the $PATH variable so I had easy access to a few more programs. I then found that the ud64 user had sudo access to a single program: /usr/bin/sysud64.

/usr/bin/sysud64 turned out to be just a copy of strace. That is enough for privilege escalation: sudo runs sysud64 as root, and strace executes the program it is asked to trace as the same user it is running as, so whatever binary you hand it also runs as root. I uploaded a small bot I have been writing (it was a good opportunity to test it) and executed it under /usr/bin/sysud64 via sudo. This gave me root access.