Skip to main content

Cracker

export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP
PortStateService
22/tcpopenSSH
80/tcpopenHTTP

Identifying the Hostname

Inference: The website's footer reveals the copyright information:

<footer>
    <p>&copy; 2024 cracker.dl | Todos los derechos reservados</p>
</footer>

This suggests that cracker.dl is the associated domain name. To facilitate access through the domain name, we added an entry to the /etc/hosts file:

echo "$TARGET_IP   cracker.dl" | sudo tee -a /etc/hosts

Subdomain Discovery

wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hh 4029 -H "Host: FUZZ.cracker.dl" -u http://cracker.dl:80/ -t 100
  • --hh 4029: Hides responses with a length of 4029 characters. This helps filter out common error pages or responses that are not relevant. Why 4029? Try executing the command without this flag and see the Chars column and the amount of spam by the way.
  • -H "Host: FUZZ.cracker.dl": Sets the Host HTTP header, which is essential for virtual host discovery. FUZZ will be replaced with each subdomain from the wordlist.
  • -t 100: Sets the number of concurrent threads to 100. Adjust the -t value based on your network and the target's capabilities. Too many threads can cause problems. Start with a lower value like 50 and increase gradually.

Subdomain Discovery Results

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://cracker.dl:80/
Total requests: 114441
=====================================================================
ID           Response   Lines    Word       Chars    Payload                                                                                                                                                                    
=====================================================================
000002128:   200        91 L     224 W      3199 Ch     "japan"
  • The subdomain "japan" returned an HTTP 200 response with a distinct content length (3199 characters) compared to the default "not found" page (4029 characters).

Action:

We added an entry to the /etc/hosts file to map japan.cracker.dl to the target IP address:

echo "$TARGET_IP   japan.cracker.dl" | sudo tee -a /etc/hosts

Further Exploration:

Navigating to http://japan.cracker.dl in a web browser revealed a webpage offering software for download. Upon downloading and running the software, it prompted for a serial key, indicating a potential software license or authentication mechanism.

Reverse Engineering the Software

Objective:

To obtain a valid serial key to unlock the software's functionality.

Tool:

Ghidra, a powerful open-source software reverse engineering suite developed by the National Security Agency (NSA).

Analysis of validate_serial Function:

After loading the software into Ghidra, we located the validate_serial function, which appears to be responsible for verifying the entered serial key. The decompiled C code is as follows:

bool validate_serial(char *param_1)

{
  int iVar1;
  char local_a8 [112];
  char *local_38;
  char *local_30;
  char *local_28;
  char *local_20;
  char *local_18;
  char *local_10;
  
  local_10 = "47378";
  local_18 = "10239";
  local_20 = "84236";
  local_28 = "54367";
  local_30 = "83291";
  local_38 = "78354";
  snprintf(local_a8,100,"%s-%s-%s-%s-%s-%s","47378","10239","84236","54367","83291","78354");
  iVar1 = strcmp(param_1,local_a8);
  return iVar1 == 0;
}

Functionality Breakdown:

  1. Variable Initialization: The function initializes several local variables, local_10 to local_38, with string values representing numeric sequences.
  2. Serial Key Construction: It then utilizes snprintf to format a string stored in local_a8. This string is constructed by concatenating the values of the previously initialized variables, separated by hyphens. Specifically, it concatenates the strings "47378", "10239", "84236", "54367", "83291", and "78354" in that order.
  3. Comparison: The function compares the user-supplied serial key (passed as param_1) with the constructed serial key in local_a8 using strcmp.
  4. Return Value: strcmp returns 0 if the strings are identical. Therefore, validate_serial returns true (indicating a valid serial) only if the input serial matches the constructed one, and false otherwise.

Serial Key Derivation:

Based on the snprintf statement, the correct serial key is formed by concatenating the numeric strings with hyphens:

47378-10239-84236-54367-83291-78354

Verification:

Entering this serial key into the software successfully unlocked it, granting access to a "secret password."

#P@$$w0rd!%#S€c7T

SSH Access

The SSH protocol requires both a username and a password. While we have the password (#P@$$w0rd!%#S€c7T), the corresponding username is still unknown.

Methodology:

  1. Username Guessing: A common and often effective approach is to try common or contextually relevant usernames.
  2. Keyword Extraction: Another method would be to extract potential keywords from the website's content, source code, or other gathered information that might hint at valid usernames. However, this can be time-consuming and may not always yield results.

Attempt:

Given the website and the machine's theme, a reasonable assumption was to test the username "cracker."

ssh cracker@$TARGET_IP

The login attempt was successful. We were able to establish an SSH connection to the target machine as the user "cracker."

Privilege Escalation

Objective:

Elevate privileges from the standard user "cracker" to the root user, gaining complete control over the system.

Initial Exploration:

After gaining SSH access as "cracker," we began exploring the system for potential privilege escalation vectors. This typically involves checking for:

  • Misconfigured services
  • Vulnerable software versions
  • Files with weak permissions
  • Stored credentials

However, initial reconnaissance did not immediately reveal any obvious vulnerabilities or misconfigurations that could be exploited to gain root access.

Unexpected Revelation:

Due to the lack of immediate leads, we consulted an external resource, a write-up from another individual who had previously analyzed the same target. This revealed a highly unconventional and unexpected privilege escalation method: the root password was identical to the software serial key we discovered earlier.

Confirmation:

To test this, we used the su command to switch to the root user:

su root

Password:

47378-10239-84236-54367-83291-78354

Result:

To our astonishment, the serial key worked as the root password.

Final Conclusion

While this scenario is highly contrived, it serves as a valuable learning experience by emphasizing the following points:

  • Think Outside the Box: Sometimes, the most unexpected solutions might be the correct ones, even if they defy conventional security wisdom.
  • Question Assumptions: Never assume a system is secure, even if initial reconnaissance doesn't reveal obvious vulnerabilities.
  • Thoroughness is Key: Exhaust all possible avenues, even unlikely ones, during a security assessment.