Cult Meeting

Target Information

  • IP: 46.101.82.173:30227

Exploitation

  • Enumerated the target with nmap:

    nmap 46.101.82.173 -sC -sV -T4 -Pn
    

    It only returned that ports 31038 and 31337 were open.

  • Attempted to SSH into the given port:

    ssh -p 30227 46.101.82.173
    

    Returned the message:

    Bad packet length 218766171.
    ssh_dispatch_run_fatal: Connection to 46.101.82.173 port 30227: message authentication code incorrect
    

    The same thing happened when using anonymous@46.101.82.173.

    Running in verbose mode returned the following:

    OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
    debug1: /etc/ssh/ssh_config line 21: Applying options for *
    debug1: Connecting to 46.101.82.173 [46.101.82.173] port 30227.
    debug1: Connection established.
    debug1: identity file /home/aaron/.ssh/id_rsa type -1
    debug1: identity file /home/aaron/.ssh/id_rsa-cert type -1
    debug1: identity file /home/aaron/.ssh/id_dsa type -1
    debug1: identity file /home/aaron/.ssh/id_dsa-cert type -1
    debug1: identity file /home/aaron/.ssh/id_ecdsa type -1
    debug1: identity file /home/aaron/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/aaron/.ssh/id_ecdsa_sk type -1
    debug1: identity file /home/aaron/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /home/aaron/.ssh/id_ed25519 type -1
    debug1: identity file /home/aaron/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/aaron/.ssh/id_ed25519_sk type -1
    debug1: identity file /home/aaron/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /home/aaron/.ssh/id_xmss type -1
    debug1: identity file /home/aaron/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
    debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.5 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to 46.101.82.173:30227 as 'anonymous'
    debug1: SSH2_MSG_KEXINIT sent
    Bad packet length 218766171.
    ssh_dispatch_run_fatal: Connection to 46.101.82.173 port 30227: message authentication code incorrect
    

    So we at least know that OpenSSH is running on the target.

    The logs did highlight that at least one of the problems was that my OpenSSH install was trying to authenticate with my local id_rsa file, which obviously won't work. After conducting some research, I determined that the issue could be solved by using a different command:

    ssh -p 30227 anonymous@46.101.82.173 -v -o PreferredAuthentications=password -o PubkeyAuthentication=no
    

    This yielded a much more promising set of logs:

    debug1: kex_exchange_identification: banner line 0: \033[3mYou knock on the door and a panel slides back\033[0m
    debug1: kex_exchange_identification: banner line 1: |/\360\237\221\201\357\270\217 \360\237\221\201\357\270\217 \\|\033[3m A hooded figure looks out at you\033[0m
    debug1: kex_exchange_identification: banner line 2: "What is the password for this week's meeting?" SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
    debug1: kex_exchange_identification: banner line 3:
    debug1: kex_exchange_identification: banner line 4:    \\/
    debug1: kex_exchange_identification: banner line 5: |/\360\237\221\201\357\270\217 \360\237\221\201\357\270\217 \\| "That's not our password - call the guards!"
    kex_exchange_identification: Connection closed by remote host
    
  • Attempted to brute force the password with msfconsole:

    msfconsole
    
    use auxiliary/scanner/ssh/ssh_login
    set RHOSTS 46.101.82.173
    set RPORT 30227
    set PASS_FILE /usr/share/wordlists/rockyou.txt
    set USERNAME anonymous
    set STOP_ON_SUCCESS true
    set VERBOSE true
    run
    

    Unfortunately this was sporadically interrupted by the target closing the connection, and there is no setting to force msfconsole to keep trying. I opened an issue here to request this feature, but it most certainly won't be implemented in time to help me with this challenge.

  • Attempted to brute force the password with hydra:

    hydra -l anonymous -P /usr/share/wordlists/rockyou.txt ssh://46.101.82.173 -s 30227 -t 4
    

    Gave this error message: [ERROR] could not connect to ssh://46.101.82.173:30227 - read_packet(): Packet len too high(218766171 d0a1b5b)

  • Running strings on the file provided by HTB gave the password sup3r_s3cr3t_p455w0rd_f0r_u! thanks to its proximity to the messages displayed by the SSH server. Unfortunately this just SSHes us into our current directory, since it isn't running on the server.

  • Attached edb-debugger to the SSH password verification binary to determine what the password is being compared to.

    edb --run ./meeting
    

    Running a search for the password string shows that /bin/sh is run if the input matches the string at that memory address.

  • Using telnet 46.101.82.173 30227 got me the same result as SSH, except this one was interactive and actually allowed me to enter the password.

    Once I did that, the password I uncovered in the local binary (sup3r_s3cr3t_p455w0rd_f0r_u!) worked, and I was able to get a shell on the server.

    Running cat flag.txt yielded the flag, HTB{1nf1ltr4t1ng_4_cul7_0f_str1ng5}.
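The ssh error "Bad packet length 218766171" and hydra's "Packet len too high(218766171 d0a1b5b)" have the same cause, and the number itself tells the story: 218766171 is 0x0d0a1b5b, the bytes CR LF ESC '[', i.e. a line break followed by the start of an ANSI colour sequence. Per RFC 4253 section 4.2 an SSH client skips any text lines sent before the server's "SSH-" identification (the "banner line N" entries in the verbose output), but the four bytes right after that identification must be a binary packet length, and OpenSSH refuses anything above PACKET_MAX_SIZE (256 KiB). The "remote software version" the client reported is byte-for-byte its own local version string, which is what a text service that echoes its input would produce; that reading is an inference from the logs, not something they prove. The Python below is an added example, not part of the writeup; it replays that parsing against a constructed byte stream modelled on the logged banner lines, alongside a constructed stream from a genuine server for contrast.

```python
"""Why a text service that imitates SSH produces "Bad packet length".

RFC 4253 section 4.2: a server may send CRLF-terminated text lines before
its identification string, and a client ignores every line that does not
start with "SSH-".  From the identification's CRLF onwards the stream is
the binary packet layer, whose first four bytes are a big-endian
packet_length.  OpenSSH rejects a packet_length above PACKET_MAX_SIZE.
"""
import struct

PACKET_MAX_SIZE = 256 * 1024  # OpenSSH packet.h

# Constructed stream (not a capture) modelled on the banner lines in the
# verbose ssh output above.  The eye glyphs are the UTF-8 bytes the client
# logged as octal escapes.  The "SSH-2.0-..." line is the client's own
# version string; that the service echoes it back is an assumption.
FAKE_SERVICE_STREAM = (
    b"\x1b[3mYou knock on the door and a panel slides back\x1b[0m\r\n"
    b"|/\xf0\x9f\x91\x81\xef\xb8\x8f \xf0\x9f\x91\x81\xef\xb8\x8f \\|"
    b"\x1b[3m A hooded figure looks out at you\x1b[0m\r\n"
    b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"
    b"\r\n\x1b[3m   \\/\x1b[0m\r\n"
)

# Constructed stream from a real server: identification, then a 1000-byte packet.
REAL_SERVER_STREAM = (
    b"SSH-2.0-OpenSSH_9.6\r\n"
    + struct.pack(">I", 1000) + bytes(1000)
)


def split_identification(stream: bytes):
    """Return (banner_lines, identification, remainder) as an RFC 4253 client would."""
    banner = []
    rest = stream
    while True:
        line, sep, rest = rest.partition(b"\r\n")
        if not sep:
            raise ValueError("connection ended before any SSH- identification line")
        if line.startswith(b"SSH-"):
            return banner, line.decode("ascii", "replace"), rest
        banner.append(line)


def read_packet_length(binary: bytes) -> int:
    """First four bytes after the identification, read as the binary packet protocol does."""
    if len(binary) < 4:
        raise ValueError("short read: fewer than 4 bytes after identification")
    return struct.unpack(">I", binary[:4])[0]


def diagnose(stream: bytes) -> dict:
    """Classify a server stream: real binary packet layer, or text dressed up as SSH."""
    banner, ident, rest = split_identification(stream)
    length = read_packet_length(rest)
    head = rest[:4]
    return {
        "banner_lines": len(banner),
        "identification": ident,
        "packet_length": length,
        "length_hex": head.hex(),
        # CR, LF, ESC, tab and printable ASCII: a length field built from these is text.
        "length_is_text": all(b in b"\r\n\t\x1b" or 0x20 <= b < 0x7f for b in head),
        "within_openssh_limit": length <= PACKET_MAX_SIZE,
    }


if __name__ == "__main__":
    for name, stream in (("fake", FAKE_SERVICE_STREAM), ("real", REAL_SERVER_STREAM)):
        print(name, diagnose(stream))
```

For the constructed fake stream, diagnose() reports two banner lines, a packet_length of 218766171 (hex 0d0a1b5b) made entirely of text bytes and far above the OpenSSH limit; the genuine stream reports no banner lines and a length of 1000 that passes. A length field that decodes to CR LF ESC is a quick way to tell a text prompt wearing an SSH banner from a real SSH server when a scanner or client misbehaves against a port.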
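The strings step above worked because the checker binary compares the input against a literal that the compiler places in the read-only data section next to the prompt text it guards; strings(1) prints every run of four or more printable bytes, so the secret comes out in reading order right after the question. The Python below is an added example, not the challenge binary or its source: it builds a constructed stand-in for such a section (the password literal is the one recovered in the writeup; the salt and layout are constructed), reimplements the strings rule and the proximity heuristic, and then shows the same section when the binary instead embeds a salt and a PBKDF2-HMAC-SHA256 digest and verifies with a constant-time compare. The hardened layout still gives an offline attacker something to guess against, which is why the key derivation is deliberately slow; the real fix for a binary that is handed to users is not to ship the secret in it at all.

```python
"""Why strings(1) recovers a hard-coded password, and what the same section
looks like when the binary stores a salted, stretched hash instead.

Constructed example: the byte blobs stand in for a .rodata section and are
not taken from the challenge binary.
"""
import hashlib
import hmac
import re

PASSWORD = b"sup3r_s3cr3t_p455w0rd_f0r_u!"                 # literal recovered in the writeup
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed 16-byte salt
KDF_ITERATIONS = 100_000

# Prompt literals as the service displays them (ANSI italics on the first one).
PROMPTS = [
    b"\x1b[3mYou knock on the door and a panel slides back\x1b[0m",
    b"\"What is the password for this week's meeting?\"",
    b"\"That's not our password - call the guards!\"",
    b"/bin/sh",
]


def derive(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: each offline guess costs KDF_ITERATIONS hashes, not one strcmp."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS)


def build_rodata(literals) -> bytes:
    """Lay NUL-terminated literals between opaque bytes, roughly like a compiler's .rodata."""
    opaque = b"\x7fELF\x02\x01\x01\x00" + bytes(8)
    return opaque + b"".join(lit + b"\x00" for lit in literals) + opaque[::-1]


# Vulnerable layout: the secret sits right after the prompt it guards.
VULNERABLE_RODATA = build_rodata(PROMPTS[:2] + [PASSWORD] + PROMPTS[2:])

# Hardened layout: only salt and digest are embedded; the password itself never is.
STORED_DIGEST = derive(PASSWORD, SALT)
HARDENED_RODATA = build_rodata(
    PROMPTS[:2] + [SALT.hex().encode(), STORED_DIGEST.hex().encode()] + PROMPTS[2:]
)


def strings(blob: bytes, min_len: int = 4) -> list:
    """GNU strings' default rule: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def near(items, anchor: str, window: int = 1) -> list:
    """The proximity heuristic from the writeup: strings adjacent to one containing anchor."""
    hits = []
    for i, s in enumerate(items):
        if anchor in s:
            hits.extend(items[max(0, i - window): i + window + 1])
    return hits


def check_password(candidate: bytes, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the derived key; replaces strcmp against a literal."""
    return hmac.compare_digest(derive(candidate, salt), digest)


if __name__ == "__main__":
    print("vulnerable:", near(strings(VULNERABLE_RODATA), "password"))
    print("hardened:  ", near(strings(HARDENED_RODATA), "password"))
    print("verify:", check_password(PASSWORD, SALT, STORED_DIGEST),
          check_password(b"wrong", SALT, STORED_DIGEST))
```

Against the vulnerable blob, near() returns the password between the two prompt strings, exactly the pattern the writeup exploited; against the hardened blob it returns a salt and a 64-character hex digest, and check_password() accepts the right input and rejects a wrong one without the plaintext ever appearing in the section.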


Tags

  1. hackthebox
  2. reversing
  3. reverse-engineering
  4. ssh