Can you help the NSF get a foothold in UNATCO’s system?
nmap -T5 -p- -sVC 10.10.20.94
There are 3 open ports:
80 – HTTP –
23023 – HTTP – UNATCO Liberty Island – Command/Control
In the robots.txt file, NMAP shows us the presence of the /datacubes directory. When we go there, the site redirects us to this new URLhttp://10.10.20.94/datacubes/0000/
According to the information displayed, these appear to be archived messages. Let’s see if there are others. To do this, with Gobuster, we will parse the archives by going to the /0001 page and then /0002.
I did this with Excel to save time from a Windows PC. In a text format cell, you have to put 0000 and pull (+) up to 1000.
Then you have to copy the column in the Notepad, then copy-paste its content in a file under Kali which will then be used with Gobuster.
gobuster dir -u http://10.10.20.94/datacubes/ -w num.txt
We have 6 results. I let you look on what is on the others. I’ll go straight to the last /0451…the most interesting…
It is explained that the VNC login on jacobson’s machine is composed of « smashthestate » with a hmac’ed key which is present in the « bad actor » list, all converted with the MD5 hashing algorithm.
The list can be found on the website at this URLhttp://10.10.20.94/badactors.html
The only indication for the username are the initials JL. In the “bad actor” list, the only name with his initials is jlebedev
The website https://www.freeformatter.com/hmac-generator.htmlallows us to calculate the hash of the password.
Only the first 8 characters should be taken.
Once connected, there is a badactor-list executable on the desktop.
We will run this application to see what happens.
The app does 2 things. It synchronizes at the address http://UNATCO on port 23023 and once the connection is established, it seems to retrieve the list of Bad Actors.
Setting up a web server with python
python3.8 -m http.server
Recovery on Kali
With the help of Wireshark, we will see what is happening at the network level. You must first modify the HOSTS file, so that the application connects to the right place and therefore retrieves the bad actors list.
Once the capture is finished, we will use the http filter to eliminate all frames linked to VNC.
To see the http request in detail, right-click on it and follow http stream.
In the window that is displayed, we retrieve the communication between Kali and the UNTACO server. We can see that there is a directive command that performs a cat on the file badactors.txt on the URL UNATCO:23023
We will retrieve this query and rerun it with BurpSuite
Access to URL 10.10.20.94 :23023
Renvoi de l’interception dans Repeater et y copier la requête vu dans Wireshark.
Return the intercept to BurpSuite and copy the request seen in Wireshark there.
We can see that we are recovering the list of bad actors.
By changing the cat command to the id command, we can see that we have root rights.
The rest then is simple. There are several methods to gain root access.
Directive : cp /bin/bash /tmp
Directive : cd /tmp
Directive : chmod 7777 /tmp/bash
Then you have to go back to the VNC console, and go to the /tmp folder via the file explorer and run bash through the terminal.
That’s all folks
Thank you for taking the trouble to come to the site to read this Write Up
I hope you found it useful and that it taught you some new things.
Feel free to leave a comment or share this article.