Quick enumeration of the machine with nmap revealed the following information:
We apparently have only two open ports: SSH on 22 and an HTTP server on port 8080. Browsing to 8080 reveals a few oddities:
Now that we have an idea of what we’re looking for, let’s see if we can find it. I start with wfuzz:
We appear to have found the script in the /develop/ directory, and confirm by browsing to http://10.10.10.168:8080/develop/SuperSecureServer.py:
Excellent. Now, I’m not the world’s best programmer, but this section stands out:
I created a Python3 script to leverage this:
And upon execution, was presented with a reverse shell as the www-data user:
I find the user “robert” is present on the system, and I’m able to view some of the files in their home directory:
There appears to be fruit here; we have out.txt, passwordreminder.txt, check.txt and SuperSecureCrypt.py.
Looking at the contents of this Python script:
I can read check.txt, but the other two give nothing useful:
My knowledge of Python, and of coding in general these days, is limited. But after reading up, it appears the encryption algorithm takes the encryption key and plaintext as arguments, loops through the characters in the plaintext, and adds the value of the corresponding key character (repeating the key as needed), modulo 255, to obtain the ciphertext.
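The scheme just described is a repeating-key additive cipher, and its weakness is that a stretch of known plaintext cancels out of the ciphertext and leaves the key behind. The block below is an added example written for this page, not SuperSecureCrypt.py from the box or the author's solver; the function names and sample text are my own, and it assumes ASCII input (every character value below the 255 modulus).

```python
# Added example: repeating-key additive cipher of the kind described above
# (cipher value = (plaintext value + key value) mod 255). Written from
# scratch for illustration; not the script from the machine.
MOD = 255  # the write-up describes a modulus of 255, not 256


def encrypt_additive(plaintext: str, key: str) -> list[int]:
    """Add the repeating key to each character, reducing modulo MOD."""
    return [(ord(p) + ord(key[i % len(key)])) % MOD
            for i, p in enumerate(plaintext)]


def decrypt_additive(ciphertext: list[int], key: str) -> str:
    """Subtract the repeating key; the exact inverse of encrypt_additive."""
    return "".join(chr((c - ord(key[i % len(key)])) % MOD)
                   for i, c in enumerate(ciphertext))


def recover_key_stream(ciphertext: list[int], known_plaintext: str) -> str:
    """Known plaintext cancels out: each position yields one key character.

    Only as many key characters as there are known plaintext characters
    can be recovered, so the known text must be at least as long as the key.
    """
    return "".join(chr((c - ord(p)) % MOD)
                   for c, p in zip(ciphertext, known_plaintext))


def shortest_period(stream: str) -> str:
    """Collapse a recovered key stream to its shortest repeating unit."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


if __name__ == "__main__":
    # Constructed sample: a made-up key and a sentence long enough to
    # cover the whole key once.
    key = "examplekey"
    message = "this sentence is longer than the key that hides it"
    ct = encrypt_additive(message, key)
    assert decrypt_additive(ct, key) == message
    # With the plaintext known, the key falls straight out of the ciphertext.
    print(shortest_period(recover_key_stream(ct, message)))  # examplekey
```

The same recovery works for any key length as long as the known plaintext is at least that long; a shorter known stretch yields only a prefix of the key.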
With outside help, I ended up using the below script to reverse the encryption of the two files and return the passphrase:
The key used was found to be alexandrovich. With this key, I could now decrypt the original file:
The original password was SecThruObsFTW. I checked what the new user could do with sudo:
Privilege escalation from here was trivial, though it seems I found a different way to most people on the platform. I have no write privileges to the BetterSSH.py script, nor to the directory in which it resides, but I was able to rename that directory and create a new one containing a new script.
I obviously have read and write privileges to the new BetterSSH directory. sudo doesn’t care for this modification, so I’m free to create a new script and run it:
Easy. Looking online now that I’m writing this up, well beyond the point of retirement for the machine, I’ve not seen anyone else take a similar approach.