NMAP
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 09:38 PKT
Nmap scan report for 192.168.1.66
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA)
| 256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA)
|_ 256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519)
MAC Address: 08:00:27:72:46:36 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds
PORT 80
On the web page we see two images and one hinting being different so this means there is some stegnography involved
I ran stegcracker on both of the image files and got two messages
Then with the message from those files I was able to login in through ssh
In markus
directory we see a note which tells about bonita's ssh private key.
But we couldn’t read the file because of some permissions.Going to web directory we find a gogo.wav
file so let's download it to our machine and analyze it !
I uploaded this file as it was a morse code so analyzed it through online morese code analyzer and it was a rabbithole
So only option left for me was to run linpeas.
I found that there was a capaiblity set on tail
which is like a SUID.So id_rsa that we found for bonita
we cannot read it but we can read it through tail command. Tail will print the last ten lines of a file so we need to specify to print last 30 or 40 lines so we can get the whole id_rsa key
Using id_rsa I logged in as bonita
There is a SUID binary but when running it says WRONG CODE so let’s transfer it to our machine and analyze the binary
So using ghidra I saw that it is comparing variable with a hex value 0x16f8
Convert the hex value to decimal value