Compromised Comms
https://tryhackme.com/jr/compromisedcomms
By Jacvbtaylor
"You will take on the role of a top-level agent tasked with uncovering a mole within your organization. The stakes are high, as a recent report has revealed that Agent Brian was found dead with a mysterious note reading "921645" in his jacket. To make matters worse, it has been leaked that he has been communicating with his Agent Handler through a seemingly innocent website, MACHINE_IP. Your mission, should you choose to accept it, is to use your skills in forensic analysis, cryptography, and penetration testing to track down the mole who is responsible for taking down our Agents and how he potentially gained full server access. Good luck, agents!"
From the report it is clear which website is involved and that it is a cover for communication between the Assets, the Agent, and the Agent Handler. Before viewing the website, it is worth running a scan to see what other services are open. nmap shows a web server and Secure Shell (SSH) access. An open SSH port implies that remote command-line access is possible with valid user credentials.
Viewing the website running on the server shows nothing out of the ordinary. Most, if not all, of the buttons do not seem to work, but the site functions smoothly and does not appear to have a CMS login, at least not one that stands out. Further investigation with a directory enumeration scanner, dirsearch, reveals some directories and files worth noting.
The robots.txt file names a file that crawlers are told not to index, but that does not stop it from being viewed manually. There is a good chance that a secret.html file exists.
As suspected, secret.html exists and contains some interesting information. Why is this here, and whose flight receipt is this?
It will be useful to take note of this PII (personally identifiable information).
Next, the images directory has directory listing enabled, and it contains an oddly named directory, DGI.
Navigating into that directory lists more files, in particular a random image.
This image has nothing to do with the website and seems very out of place. That is reason enough to investigate, so it is downloaded to the local machine using wget.
Inspecting the file confirms that it really is an image. Was it placed here for a reason? Is it hiding crucial information? There is only one way to find out.
A common tactic used on images is steganography: embedding text in an image by writing it into the least significant bits of the pixel data. Viewing the photo gives no hint that a message is present, because changing those bits does not alter the image's appearance to the human eye, but there are tools that can extract the hidden data, assuming it exists.
Using stegseek with rockyou.txt, the passphrase was recovered and the image gave up a message.
This text looks like complete gibberish, though. Was this a waste of time, or is it an encoded message?
Using CyberChef, it becomes clear that this is in fact a hidden message that had been encoded twice, once with Base85 and once with Base64. Decoded, it reveals a file path. Appending that path to the URL brings up a login page. There is no clear indication of what the username and password are, but Agent Brian was using this channel and was found with a note, so his name and the number from that note are worth trying as the login.
Sure enough, it worked. There is now an old chat log, with another possibly encoded message.
Viewing the page source in the browser makes the encoded message easier to copy out.
Putting this message through CyberChef once more, Base32 decoding reveals more critical information: a password list and a username for SSH.
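The layer peeling that CyberChef did by hand, for both the Base85-then-Base64 message above and the Base32 message here, can be scripted. This is an added Python example, not code from the writeup, and the blobs it decodes are constructed samples rather than the room's actual messages. At each layer it tries Base32, Base64 and both common Base85 alphabets and accepts a decoding only if the output is printable text, which is the same stopping rule an analyst applies by eye.

```python
import base64
import binascii
import string
from typing import Callable, List, Tuple

PRINTABLE = frozenset(string.printable)

# Decoders are tried in this order at every layer.  Base32 goes first because its
# alphabet (A-Z, 2-7, '=') is also valid Base64, so a Base32 blob would otherwise
# be mis-decoded as Base64 garbage.
DECODERS: List[Tuple[str, Callable[[bytes], bytes]]] = [
    ("base32", base64.b32decode),
    ("base64", lambda s: base64.b64decode(s, validate=True)),
    ("base85/ascii85", base64.a85decode),      # CyberChef's default Base85 alphabet
    ("base85/rfc1924", base64.b85decode),      # the other common Base85 alphabet
]

def looks_like_text(data: bytes) -> bool:
    """Accept a decoding only if it is non-empty printable ASCII."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch in PRINTABLE for ch in text)

def peel_layers(blob: str, max_layers: int = 6) -> Tuple[str, List[str]]:
    """Strip nested text encodings until no decoder yields printable text.

    Returns the innermost text and the list of layers removed, outermost first.
    """
    current = blob.strip()
    layers: List[str] = []
    for _ in range(max_layers):
        for name, decode in DECODERS:
            try:
                decoded = decode(current.encode("ascii"))
            except (binascii.Error, ValueError):
                continue               # not valid in this encoding, try the next
            if looks_like_text(decoded):
                layers.append(name)
                current = decoded.decode("ascii")
                break
        else:
            break                      # nothing decoded to text: this is the plaintext
    return current, layers

# Constructed sample 1: a path wrapped in Ascii85, then Base64 (the shape of the
# first message).  Constructed sample 2: a credential hint wrapped in Base32
# (the shape of the chat-log message).  Neither is the room's real content.
SAMPLE_PATH = "/secret/agent-login-v2.html"
SAMPLE_BLOB = base64.b64encode(base64.a85encode(SAMPLE_PATH.encode())).decode()
SAMPLE_CREDS = "ssh user: agentwhiskey\nwinter-list.txt\n"
SAMPLE_B32 = base64.b32encode(SAMPLE_CREDS.encode()).decode()

if __name__ == "__main__":
    for blob in (SAMPLE_BLOB, SAMPLE_B32):
        text, layers = peel_layers(blob)
        print(layers, "->", repr(text))
```

The printable-text test is a heuristic: a blob that happens to decode to printable junk under one alphabet will be accepted, so when the output looks wrong, force a specific decoder order rather than trusting the automatic result.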
Saving the password list and using Hydra to brute-force SSH, the password is discovered.
To rule out a false positive, the login is attempted, and it works.
Inside the user's home directory, a zip file is found: Music.zip.
It is password protected as well, but its file listing is still displayed after a wrong password is entered. This looks like information needed for the investigation.
Since this low-privilege user has to live off the land in this Linux environment, the only way to brute-force the zip file is to write a script:
After creating the script and making it executable, it is run and the password is found almost instantly.
The contents are now accessible but cannot be displayed with cat. The less command does work, though.
Going through these files turns up more important information that will help track down the Agency's mole.
Nothing more can be done as this user, and it becomes clear that sudo will not help.
Using the following command, this user can list programs (executables) that run with root's privileges because the setuid bit is set:
find / -user root -perm -4000 -exec ls -l {} \; 2>/dev/null | awk '{print $9}'
One program stands out, as it is not a standard Linux program.
The SUID binary sets the user and group ID of the running process to 0 (root) and then executes '/bin/bash'.
Once it is executed, the low-privilege user becomes root without a password or sudo privileges. This is the vulnerability the mole would have used to gain full server access.
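For the defender's side of this finding, here is an added Python example, not from the writeup, that reproduces the logic of the find command above and reports every setuid binary that is not on a known-good baseline; a non-standard root-owned SUID wrapper around /bin/bash like the one found here would show up in its output. The baseline set, the scan root and the demo tree are constructed assumptions; the test runs over a temporary directory rather than the real filesystem.

```python
import os
import stat
import tempfile
from typing import List, Optional, Set

def find_setuid_files(scan_root: str, owner_uid: Optional[int] = 0) -> List[str]:
    """Walk scan_root and return regular files that carry the setuid bit.

    owner_uid=0 mirrors `find / -user root -perm -4000`; pass None to list
    setuid files regardless of owner.
    """
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(scan_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry, like 2>/dev/null
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)

def unexpected_setuid(scan_root: str, baseline: Set[str],
                      owner_uid: Optional[int] = 0) -> List[str]:
    """Setuid files present on disk but absent from the known-good baseline."""
    return [p for p in find_setuid_files(scan_root, owner_uid) if p not in baseline]

# Example baseline of setuid binaries a distribution commonly ships.  Build the
# real one from a freshly installed, trusted host or from package metadata.
EXAMPLE_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
}

def build_demo_tree() -> str:
    """Constructed sample tree: one baseline-style setuid file, one rogue, one normal."""
    root = tempfile.mkdtemp(prefix="suid_demo_")
    bin_dir = os.path.join(root, "usr", "bin")
    os.makedirs(bin_dir)
    for name, mode in (("passwd", 0o4755), ("rogue", 0o4755), ("ls", 0o755)):
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")       # placeholder content, not a real binary
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    demo_baseline = {os.path.join(demo, "usr", "bin", "passwd")}
    # owner_uid=None because the demo files are owned by whoever runs this.
    for path in unexpected_setuid(demo, demo_baseline, owner_uid=None):
        print("unexpected setuid binary:", path)
    # On a real host: unexpected_setuid("/", EXAMPLE_BASELINE)
```

Run periodically (or from a file-integrity monitor), a new entry in this list is a high-signal alert: legitimate setuid-root binaries change rarely, so anything outside the baseline deserves immediate review.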