Cracker
```bash
export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP
```
| Port | State | Service |
|---|---|---|
| 22/tcp | open | SSH |
| 80/tcp | open | HTTP |
Identifying the Hostname
Inference: The website's footer reveals the copyright information:
```html
<footer>
<p>© 2024 cracker.dl | Todos los derechos reservados</p>
</footer>
```
This suggests that cracker.dl is the associated domain name. To make the site reachable by name, we added an entry to the /etc/hosts file:
```bash
echo "$TARGET_IP cracker.dl" | sudo tee -a /etc/hosts
```
Subdomain Discovery
```bash
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hh 4029 -H "Host: FUZZ.cracker.dl" -u http://cracker.dl:80/ -t 100
```
- `--hh 4029`: hides responses whose body is 4029 characters long, which filters out the default page the server returns for unknown hosts. Why 4029? Run the command once without this flag and look at the Chars column: nearly every payload comes back with that same length, and that noise is what the filter removes.
- `-H "Host: FUZZ.cracker.dl"`: sets the Host HTTP header, which is essential for virtual host discovery. `FUZZ` is replaced with each subdomain from the wordlist.
- `-t 100`: sets the number of concurrent threads to 100. Adjust the `-t` value based on your network and the target's capacity; too many threads can cause problems. Start with a lower value like 50 and increase gradually.
Subdomain Discovery Results
```text
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://cracker.dl:80/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002128: 200 91 L 224 W 3199 Ch "japan"
```
- The subdomain "japan" returned an HTTP 200 response with a distinct content length (3199 characters) compared to the default "not found" page (4029 characters).
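The write-up's advice is to run wfuzz once without `--hh` and read the Chars column to find the baseline. The C program below, added here as an illustration and not part of the original write-up, automates that reading over a constructed sample of wfuzz rows (not real output from the target): it parses each result row, takes the most common length as the baseline (the value to pass as `--hh`) and reports the payloads whose length differs. The function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ROWS 64
#define PAYLOAD_LEN 64

/* One wfuzz result row: ID: Response Lines L Words W Chars Ch "payload" */
struct row {
    int status, lines, words, chars;
    char payload[PAYLOAD_LEN];
};

/* Parse a row such as
 *   000002128:   200        91 L     224 W    3199 Ch   "japan"
 * Returns 1 on success, 0 for banner, separator or blank lines. */
int parse_wfuzz_row(const char *line, struct row *out)
{
    int id;
    int n = sscanf(line, "%d: %d %d L %d W %d Ch \"%63[^\"]\"",
                   &id, &out->status, &out->lines, &out->words,
                   &out->chars, out->payload);
    return n == 6;
}

/* The most frequent Chars value is the "not found" page length: the number
 * the write-up passes as --hh after one unfiltered run. */
int baseline_chars(const struct row *rows, int count)
{
    int best = -1, best_n = 0;
    for (int i = 0; i < count; i++) {
        int n = 0;
        for (int j = 0; j < count; j++)
            if (rows[j].chars == rows[i].chars) n++;
        if (n > best_n) { best_n = n; best = rows[i].chars; }
    }
    return best;
}

/* Constructed sample of an unfiltered run (not real output from the target):
 * every guess gets the 4029-character default page except one. */
static const char *SAMPLE_OUTPUT[] = {
    "Target: http://cracker.dl:80/",
    "=====================================================================",
    "000000001:   200        95 L     310 W    4029 Ch   \"www\"",
    "000000002:   200        95 L     310 W    4029 Ch   \"mail\"",
    "000000003:   200        95 L     310 W    4029 Ch   \"ftp\"",
    "000002128:   200        91 L     224 W    3199 Ch   \"japan\"",
    "000002129:   200        95 L     310 W    4029 Ch   \"dev\"",
};

/* Parse the sample into rows; returns the number of result rows found. */
static int load_sample(struct row *rows)
{
    int count = 0, total = (int)(sizeof SAMPLE_OUTPUT / sizeof SAMPLE_OUTPUT[0]);
    for (int i = 0; i < total && count < MAX_ROWS; i++)
        if (parse_wfuzz_row(SAMPLE_OUTPUT[i], &rows[count])) count++;
    return count;
}

/* Baseline length derived from the sample (expected: 4029). */
int sample_baseline(void)
{
    struct row rows[MAX_ROWS];
    int count = load_sample(rows);
    return baseline_chars(rows, count);
}

/* Number of payloads whose length differs from the baseline (expected: 1). */
int sample_deviation_count(void)
{
    struct row rows[MAX_ROWS];
    int count = load_sample(rows);
    int base = baseline_chars(rows, count), n = 0;
    for (int i = 0; i < count; i++)
        if (rows[i].chars != base) n++;
    return n;
}

/* Payload of the first deviating row, or "" if none (expected: "japan"). */
const char *sample_first_hit(void)
{
    static char hit[PAYLOAD_LEN];
    struct row rows[MAX_ROWS];
    int count = load_sample(rows);
    int base = baseline_chars(rows, count);
    hit[0] = '\0';
    for (int i = 0; i < count; i++)
        if (rows[i].chars != base) { strcpy(hit, rows[i].payload); break; }
    return hit;
}

int main(void)
{
    printf("baseline: %d Ch (pass as --hh %d)\n", sample_baseline(), sample_baseline());
    printf("%d deviating payload(s), first: %s\n", sample_deviation_count(), sample_first_hit());
    return 0;
}
```

Picking the modal length rather than a fixed number is what makes the filter portable between targets; a server whose default page changes size (a timestamp in the footer, for instance) would need a range check instead of an exact match.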
Action:
We added an entry to the /etc/hosts file to map japan.cracker.dl to the target IP address:
```bash
echo "$TARGET_IP japan.cracker.dl" | sudo tee -a /etc/hosts
```
Further Exploration:
Navigating to http://japan.cracker.dl in a web browser revealed a webpage offering software for download. Upon downloading and running the software, it prompted for a serial key, indicating a potential software license or authentication mechanism.
Reverse Engineering the Software
Objective:
To obtain a valid serial key to unlock the software's functionality.
Tool:
Ghidra, a powerful open-source software reverse engineering suite developed by the National Security Agency (NSA).
Analysis of the validate_serial Function:
After loading the software into Ghidra, we located the `validate_serial` function, which appears to be responsible for verifying the entered serial key. The decompiled C code is as follows:
```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Ghidra decompilation of validate_serial; variable names are Ghidra's. */
bool validate_serial(char *param_1)
{
  int iVar1;
  char local_a8 [112];   /* receives the expected serial */
  char *local_38;
  char *local_30;
  char *local_28;
  char *local_20;
  char *local_18;
  char *local_10;
  /* The six fragments are assigned to locals, but the compiler already
     inlined the same literals into the snprintf call below. */
  local_10 = "47378";
  local_18 = "10239";
  local_20 = "84236";
  local_28 = "54367";
  local_30 = "83291";
  local_38 = "78354";
  /* Expected serial: the six fragments joined with hyphens */
  snprintf(local_a8,100,"%s-%s-%s-%s-%s-%s","47378","10239","84236","54367","83291","78354");
  iVar1 = strcmp(param_1,local_a8);   /* 0 only on an exact match */
  return iVar1 == 0;
}
```
Functionality Breakdown:
- Variable Initialization: The function initializes several local variables, `local_10` to `local_38`, with string values representing numeric sequences.
- Serial Key Construction: It then uses `snprintf` to format a string stored in `local_a8`. This string is constructed by concatenating the values of the previously initialized variables, separated by hyphens. Specifically, it concatenates the strings "47378", "10239", "84236", "54367", "83291", and "78354" in that order.
- Comparison: The function compares the user-supplied serial key (passed as `param_1`) with the constructed serial key in `local_a8` using `strcmp`.
- Return Value: `strcmp` returns 0 if the strings are identical. Therefore, `validate_serial` returns `true` (indicating a valid serial) only if the input serial matches the constructed one, and `false` otherwise.
Serial Key Derivation:
Based on the `snprintf` statement, the correct serial key is formed by concatenating the numeric strings with hyphens:
```text
47378-10239-84236-54367-83291-78354
```
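The weakness the breakdown exposes is that the binary carries the whole serial as literals, so a decompiler or even `strings` recovers it. As an added example (not the binary's own code), the program below places a compilable version of the check as decompiled next to a variant in which the shipped program holds only a digest of the serial and compares it without `strcmp`'s early exit. The functions `validate_serial_hashed`, `provision_digest` and `fnv1a64` are this example's own assumptions; FNV-1a is a dependency-free stand-in, not a cryptographic hash, and a real product would use a cryptographic hash or a signed license instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decompiled logic, made compilable: six literal fragments joined with '-'
 * and compared with strcmp. The plaintext serial is inside the binary. */
bool validate_serial(const char *input)
{
    char expected[112];
    snprintf(expected, 100, "%s-%s-%s-%s-%s-%s",
             "47378", "10239", "84236", "54367", "83291", "78354");
    return strcmp(input, expected) == 0;
}

/* FNV-1a 64-bit over a NUL-terminated string (illustrative stand-in only;
 * not a cryptographic hash). */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Provisioning side: runs where serials are generated. The digest it
 * returns is the only value the shipped program needs to embed, so the
 * serial itself never appears in the binary. */
uint64_t provision_digest(const char *serial)
{
    return fnv1a64(serial);
}

/* Hardened check: hash the input and compare against the stored digest.
 * A single-word XOR compare has no length-dependent early exit, unlike
 * strcmp, so a mismatch in the first byte costs the same as in the last. */
bool validate_serial_hashed(const char *input, uint64_t stored_digest)
{
    if (input == NULL)
        return false;
    return (fnv1a64(input) ^ stored_digest) == 0;
}

int main(void)
{
    /* Constructed inputs: the serial from the write-up and a near miss */
    const char *good = "47378-10239-84236-54367-83291-78354";
    const char *bad  = "47378-10239-84236-54367-83291-78355";
    uint64_t digest = provision_digest(good);

    printf("strcmp version: good=%d bad=%d\n",
           validate_serial(good), validate_serial(bad));
    printf("hashed version: good=%d bad=%d (stored digest 0x%016llx)\n",
           validate_serial_hashed(good, digest),
           validate_serial_hashed(bad, digest),
           (unsigned long long)digest);
    return 0;
}
```

Even the hashed variant only hides the serial; a patched binary can still skip the check, which is why licence schemes that matter verify a signature over the serial rather than the serial itself.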
Verification:
Entering this serial key into the software successfully unlocked it, granting access to a "secret password":
```text
#P@$$w0rd!%#S€c7T
```
SSH Access
The SSH protocol requires both a username and a password. While we have the password (`#P@$$w0rd!%#S€c7T`), the corresponding username is still unknown.
Methodology:
- Username Guessing: A common and often effective approach is to try common or contextually relevant usernames.
- Keyword Extraction: Another method would be to extract potential keywords from the website's content, source code, or other gathered information that might hint at valid usernames. However, this can be time-consuming and may not always yield results.
Attempt:
Given the website and the machine's theme, a reasonable assumption was to test the username "cracker."
```bash
ssh cracker@$TARGET_IP
```
The login attempt was successful. We were able to establish an SSH connection to the target machine as the user "cracker."
Privilege Escalation
Objective:
Elevate privileges from the standard user "cracker" to the root user, gaining complete control over the system.
Initial Exploration:
After gaining SSH access as "cracker," we began exploring the system for potential privilege escalation vectors. This typically involves checking for:
- Misconfigured services
- Vulnerable software versions
- Files with weak permissions
- Stored credentials
However, initial reconnaissance did not immediately reveal any obvious vulnerabilities or misconfigurations that could be exploited to gain root access.
Unexpected Revelation:
Due to the lack of immediate leads, we consulted an external resource, a write-up from another individual who had previously analyzed the same target. This revealed a highly unconventional and unexpected privilege escalation method: the root password was identical to the software serial key we discovered earlier.
Confirmation:
To test this, we used the `su` command to switch to the root user:
```text
su root
Password:
47378-10239-84236-54367-83291-78354
```
Result:
To our astonishment, the serial key worked as the root password.
Final Conclusion
While this scenario is highly contrived, it serves as a valuable learning experience by emphasizing the following points:
- Think Outside the Box: Sometimes, the most unexpected solutions might be the correct ones, even if they defy conventional security wisdom.
- Question Assumptions: Never assume a system is secure, even if initial reconnaissance doesn't reveal obvious vulnerabilities.
- Thoroughness is Key: Exhaust all possible avenues, even unlikely ones, during a security assessment.