Guard Walkthrough

After the Markup walkthrough, here I am with Guard, so... let's hack and grab the flags.


As I mentioned before, the Starting Point machines are a series of 9 machines rated as "Very Easy" that should be rooted in sequence. So if you want to go through this box, you must first have completed the Markup machine.

Enough talk, 🥱 Let’s Get It Started 🐱‍💻

⚠ Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱‍👤

00. Start Machine …

To start the machine, just click on "Spawn Machine".

Then you can see the IP address of that machine. 🤠

Before going to the enumeration steps we can simply ping the IP address to check whether the VPN is connected and the machine is alive. Sometimes a machine's firewall drops ping requests, but in most cases ping will succeed! 🙂

The ping reply has TTL=63. Linux starts with an initial TTL of 64, and there is only one hop between the machine and us (the VPN), which decrements it by one. So it will almost certainly be a Linux machine.
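As an added example (not part of the original walkthrough), here is a small shell snippet that does the TTL reasoning above on a ping reply line. The reply line is constructed, and the starting values 64/128/255 are the usual Linux-Unix, Windows and network-device defaults.

```shell
# Added example, not part of the original walkthrough: read the TTL out of a
# ping reply and infer the OS family and hop count the way the text does.
# Assumed default initial TTLs: 64 (Linux/Unix), 128 (Windows), 255 (network
# devices and some other Unix). SAMPLE_PING is a constructed reply line.
SAMPLE_PING='64 bytes from 10.10.10.50: icmp_seq=1 ttl=63 time=41.2 ms'

# Print the ttl=N value from the first ping reply line on stdin.
ttl_from_ping() {
  sed -n 's/.*[[:space:]]ttl=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Pick the smallest common initial TTL that is >= the observed value; the
# difference is how many routers decremented it on the way back to us.
guess_os_from_ttl() {
  ttl=$1
  if [ "$ttl" -le 64 ]; then
    base=64; family="Linux/Unix"
  elif [ "$ttl" -le 128 ]; then
    base=128; family="Windows"
  else
    base=255; family="network device/other"
  fi
  echo "$family hops=$((base - ttl))"
}

# Usage: TTL 63 seen from one VPN hop away gives "Linux/Unix hops=1".
ttl=$(printf '%s\n' "$SAMPLE_PING" | ttl_from_ping)
guess_os_from_ttl "$ttl"
```

Treat the result as a hint rather than proof: the initial TTL is a kernel setting and an administrator can change it, so a reply of 63 is consistent with Linux one hop away but does not rule out other systems.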


01. Enumeration First …

01.1 Fast ports scan

As usual, run an Nmap fast scan over all TCP ports to identify which ports are open.

nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.50

-n      : Never do DNS resolution
-vv     : Extra verbosity
--open  : Show only open (or possibly open) ports
-p-     : Full TCP port range (1-65535)
-T4     : Aggressive timing template (4); assumes you are on a reasonably fast and reliable network
-oN     : Save normal output to the named file

Here is the output 👇

What the heck! Only SSH?? Did anything go wrong?? 🤷‍♂️🤷‍♂️

01.2 Run Nmap Scripting Engine

To get the best results, we can run the Nmap Scripting Engine against the open ports. Since we already know which ports are open, we can point the script and version scan at just those ports, which is much faster than scanning everything.

nmap -sV -sC -oN DetailPorts.nmap -p 22 10.10.10.50
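Here is an added example (my own glue, not part of the original walkthrough) that joins the two steps: it pulls the open ports out of the fast scan's -oN file and fills them into the targeted -sC -sV command. The scan output below is a constructed sample in the shape of nmap -oN output; on this box the real result only had 22/tcp, a second port is there just to show the joining.

```shell
# Added example, not part of the original walkthrough: feed the open ports from
# the fast scan's -oN file into the targeted -sC -sV scan. SAMPLE_ALLPORTS is
# constructed text in the shape of nmap -oN output (the real run on this box
# only showed 22/tcp; a second port is included to show the joining).
SAMPLE_ALLPORTS='# Nmap scan initiated (constructed sample)
Nmap scan report for 10.10.10.50
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
# Nmap done (constructed sample)'

# Print the TCP ports in state "open" (not open|filtered) as a comma list.
open_ports_from_nmap() {
  awk -F/ '/^[0-9]+\/tcp[ \t]+open[ \t]/ { print $1 }' | paste -s -d , -
}

# Build the second-phase command used on the page, with the ports filled in.
script_scan_cmd() {
  ports=$1; target=$2
  echo "nmap -sV -sC -oN DetailPorts.nmap -p $ports $target"
}

# Usage: on a real engagement replace the printf with: open_ports_from_nmap < AllPorts.nmap
ports=$(printf '%s\n' "$SAMPLE_ALLPORTS" | open_ports_from_nmap)
script_scan_cmd "$ports" 10.10.10.50
```

With the constructed sample this prints the DetailPorts command with -p 22,80; with the real AllPorts.nmap from this box it would print exactly the command above.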

It's only the SSH port here. By looking at the SSH version string in the Nmap results, we can say that the OS is "Ubuntu Bionic".

Now our attack surface is pretty small, right? So let's search for exploits for "OpenSSH 7.6p1".

Nothing found. The "OpenSSH < 7.7 - User Enumeration (2)" is holy crap!! It runs on python2. I got so many dependency errors, and after fixing all the module errors, what I got was nothing. 😫😫

Since all the machines are in sequence, what if we try to use the SSH key we found on the previous machine (Markup) to log in as daniel?

I copied the previous SSH key to my current directory and changed the permissions as well. So let's try to log in. Remember to log in as daniel, not Daniel, because this is a Linux box and Linux usernames are case-sensitive: the account is daniel, all lower case.

ssh -i id_rsa daniel@10.10.10.50

And we successfully logged in to the system.

But we can't view the user.txt.


02. Foothold

While you enumerate this box you will notice that we cannot run some commands such as python, cat and find. It means some commands are restricted. 🔴🔴

After some enumeration and by going through the box I found a pretty cool trick, and here it is. 💡

Do you trust me if I say we can use man to read the user flag?? 🤔🤔 Fortunately, the man command can be used to spawn a bash shell. Follow me to grab user.txt.

Open the man page for any tool, for example man ls. Then press shift + 1, which types the '!' mark, and type bash, so the full command reads !bash; then hit enter. 😎😎 You think nothing happened? But now try to view the user flag again using cat. This time you will succeed!!
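For the defender's side of this trick, here is an added example (my own, not part of the original walkthrough). What actually happens above is that man hands the page to a pager (less by default), and the pager's "!" key runs a shell command; less refuses "!" when LESSSECURE=1 is set in its environment. The snippet audits a restricted account for exactly that gap. The allowed command list and the environment lines are constructed stand-ins, not data taken from the box.

```shell
# Added example, not part of the original walkthrough: a small audit for the
# pager escape used above. man displays pages through a pager (less by
# default), and the pager's "!" key runs a shell command, which is what !bash
# does; less refuses "!" when LESSSECURE=1 is set in its environment.
# ALLOWED_CMDS and USER_ENV are constructed stand-ins for a restricted
# account's permitted command list and its login environment.
ALLOWED_CMDS='ls
man
id'
USER_ENV='PATH=/home/daniel/bin
SHELL=/bin/rbash'

# Print a verdict: is the pager reachable, and is its shell escape disabled?
audit_pager_escape() {
  cmds=$1; env=$2
  pager_allowed=0
  for c in $cmds; do
    case $c in
      man|less) pager_allowed=1 ;;
    esac
  done
  if [ "$pager_allowed" -eq 0 ]; then
    echo "OK: no pager in the allowed command list"
    return 0
  fi
  case $env in
    *LESSSECURE=1*) echo "OK: pager allowed, LESSSECURE=1 blocks the ! escape" ;;
    *) echo "FINDING: pager allowed without LESSSECURE=1; ! can spawn a shell" ;;
  esac
}

# Usage: the constructed inputs mirror the box's state and yield a finding;
# the second call shows the same account with the mitigation in place.
audit_pager_escape "$ALLOWED_CMDS" "$USER_ENV"
audit_pager_escape "$ALLOWED_CMDS" "$USER_ENV
LESSSECURE=1"
```

LESSSECURE only constrains less itself, so the restricted environment also has to stop the user from pointing man at a different pager (PAGER/MANPAGER); otherwise the check above passes while the escape is still reachable.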

Cool!! It's time to be the root!!


03. Privilege Escalation

For privilege escalation, linPEAS usually helps a lot. But if you try to use it here you will run into a lot of issues, so I will enumerate manually again. Doing so, we find a readable shadow backup in /var/backups.

Let's open that file.

Here we only need the root hash, so copy it to our host machine. Then we can hand over the rest of the work to my pet Hashcat 😻😻

echo '$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31' > hash

Single quotes matter here: inside double quotes the shell would expand $6, $KIP2PX8O and $7 to empty strings and write a mangled hash that Hashcat can never crack.

hashcat -m 1800 --force hash /usr/share/wordlists/rockyou.txt

While it's running, Hashcat will prompt you like below; press s to show the status.

After it has finished, you will see the cracked password, and it is password#1
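As an added example (not from the original walkthrough), the steps above as a script: pull the root entry out of a shadow-format backup, write it to a file without the shell eating the "$" fields, pick the hashcat mode from the hash prefix, and check whether the backup is readable by everyone, which is the exposure this box relies on. The shadow content below is constructed; the root hash is the one quoted on the page, the other lines and the date fields are made up.

```shell
# Added example, not part of the original walkthrough: extract the root entry
# from a readable shadow backup, write it to a file without letting the shell
# expand the "$" fields, choose the hashcat mode from the hash prefix, and
# check whether the backup is world-readable. SAMPLE_SHADOW is a constructed
# shadow-format file; the root hash is the one quoted on the page, the other
# lines and the date fields are made up.
SAMPLE_SHADOW='daemon:*:18113:0:99999:7:::
root:$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:18113:0:99999:7:::
daniel:!:18113:0:99999:7:::'

# Print the password field (second column) of the named user from stdin.
hash_for_user() {
  awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# hashcat -m value for a crypt(3) hash, chosen by its "$id$" prefix.
hashcat_mode_for() {
  case $1 in
    '$6$'*) echo 1800 ;;    # sha512crypt, as used on this box
    '$5$'*) echo 7400 ;;    # sha256crypt
    '$1$'*) echo 500 ;;     # md5crypt
    *)      echo unknown ;;
  esac
}

# Write the hash to a file. The value must arrive unexpanded: inside double
# quotes the shell turns $6, $KIP2PX8O and $7 into empty strings.
write_hash_file() {
  printf '%s\n' "$1" > "$2"
}

# True when "other" has read permission on the file (the exposure on this box).
world_readable() {
  [ -n "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# Usage with the constructed sample (a real run would read the backup in /var/backups).
root_hash=$(printf '%s\n' "$SAMPLE_SHADOW" | hash_for_user root)
tmp=$(mktemp)
write_hash_file "$root_hash" "$tmp"
echo "hashcat -m $(hashcat_mode_for "$root_hash") --force $tmp /usr/share/wordlists/rockyou.txt"
rm -f "$tmp"
```

The world_readable check is the one a defender wants to run over /var/backups: a shadow backup should carry the same 0640 root:shadow permissions as /etc/shadow itself, and the whole privilege escalation here disappears once it does.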

Then we can use this password to su to root, or you can use SSH like this. 👇👇

We got root flag.

Now we have only one box left on the starting point path.

So... I’ll see you in the next box, Base! 🙋‍♂️🙋‍♂️

Find me on @twitter