immune hacking group writeup

This is a quick writeup of the challenge https://immersivelabs.online/labs/cyber-warrior-immune-hacking-group which was funny 🙂

In this warrior challenge you’ll need to follow the breadcrumbs to infiltrate an underground hacking community. You can find the community at their website, immunehackinggroup.tk – from here it’s all on you.

I found the first flag in the source code of their web page:

<!--Tm90ZSB0byBhZG1pbnM6IHVzZSB0aGUgdXN1YWwgcm90YXRpb24gY2lwaGVyIHRvIGFjY2VzcyBvdXIgZGFyayBuZXQgc2l0ZTogYm5uajovLzdjcjR0cGdobXdxNmcybXguaWhjaWgv RkxBRzogMWI1MDRkMzMyOGUxNmZkZjI4MWQxZmI5NTE2ZGQ5MGI=--><br/> <!--FLAG: f447b20a7fcbf53a5d5be013ea0b15af--></p>

I decoded the base64-encoded text, getting:

Note to admins: use the usual rotation cipher to access our dark net site: bnnj://7cr4tpghmwxxxxxxxxx
FLAG: 1b504d3328e16fdf281d1fb9516dd90b

With the help of https://www.dcode.fr/rot-cipher I decoded the rotation cipher, getting:

http://7ix4zvmnsxxxxxx.onion
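The two decoding steps above (base64, then the "usual rotation cipher"), as an added Python example that is not part of the original writeup. It takes the comment text quoted from the page, decodes it, and recovers the rotation automatically by using the URL scheme as a crib (whatever shift turns the ciphertext scheme into http is the right one), instead of trying shifts by hand on dcode.fr. The layout regex and the function names are my assumptions; the script prints only the start of the hidden-service address, matching the redaction in the writeup. The security point it illustrates is the one the challenge is built on: a base64 blob plus a Caesar shift in an HTML comment is obfuscation, not protection, and is recovered in milliseconds without any key.

```python
import base64
import re
import string
from typing import Tuple

# The base64 body of the HTML comment quoted on the page, copied as sample
# input. It contains a stray space; b64decode() drops characters outside the
# base64 alphabet by default (validate=False), so it decodes cleanly anyway.
COMMENT_B64 = (
    "Tm90ZSB0byBhZG1pbnM6IHVzZSB0aGUgdXN1YWwgcm90YXRpb24gY2lwaGVyIHRvIGFjY2Vz"
    "cyBvdXIgZGFyayBuZXQgc2l0ZTogYm5uajovLzdjcjR0cGdobXdxNmcybXguaWhjaWgv "
    "RkxBRzogMWI1MDRkMzMyOGUxNmZkZjI4MWQxZmI5NTE2ZGQ5MGI="
)


def decode_comment(b64_text: str) -> str:
    """Base64-decode the comment body into the admins' note."""
    return base64.b64decode(b64_text).decode("utf-8")


def rot(text: str, shift: int) -> str:
    """Caesar / ROT-n: shift letters by `shift` positions, leave digits,
    punctuation and the '://' alone (which is why the scheme is a usable crib)."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(ord(ch) - ord("a") + shift) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[(ord(ch) - ord("A") + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def find_shift(ciphertext: str, known_plaintext: str = "http") -> int:
    """Crib attack on a rotation cipher: there are only 26 candidates, so try
    each and keep the one that makes the text start with the known prefix."""
    for shift in range(26):
        if rot(ciphertext, shift).startswith(known_plaintext):
            return shift
    raise ValueError(f"no rotation maps the text to {known_plaintext!r}")


def recover(b64_text: str) -> Tuple[int, str, str]:
    """Return (shift, decoded URL, flag) from the encoded comment.
    The 'site: <url>FLAG: <hex>' layout is assumed from the decoded note."""
    note = decode_comment(b64_text)
    m = re.search(r"site:\s*(\S+?)\s*FLAG:\s*([0-9a-f]{32})", note)
    if not m:
        raise ValueError("comment does not have the expected layout")
    cipher_url, flag = m.group(1), m.group(2)
    shift = find_shift(cipher_url)
    return shift, rot(cipher_url, shift), flag


if __name__ == "__main__":
    shift, url, flag = recover(COMMENT_B64)
    print(f"rotation needed: {shift}")
    # Only the prefix is shown, as in the writeup.
    print(f"hidden service: {url[:16]}... ")
    print(f"flag: {flag}")
```

The crib approach generalises: any rotation-obfuscated URL can be undone the same way because the scheme is fixed and the punctuation survives the shift unchanged.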

On their darknet page I found another flag and an SSH key:

FAO Admins: We’ve not included the servername required for the full connection.

FQDN                             User   Password
<secret>.immunehackinggroup.tk   xx     password

FLAG: 827ccb0eea8a706c4c34a16891f84e7b

-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PRIVATE KEY-----

They sent me a lion, but he was too FIERCE. So they sent me a TXT record, it was perfect!

So I looked at the DNS entries of their domain and found a flag:

dnsrecon -d immunehackinggroup.tk

[*] A immunehackinggroup.tk 52.19.78.250
[*] A immunehackinggroup.tk 52.48.133.28
[*] TXT immunehackinggroup.tk FLAG:25d55ad283aa400af464c76d713c07ad
[*] Enumerating SRV Records
[-] No SRV Records Found for immunehackinggroup.tk
[+] 0 Records Found

With robtex.com I found the FQDN of the SSH server:

https://www.robtex.com/dns-lookup/hidden.immunehackinggroup.tk

FQDN         hidden.immunehackinggroup.tk
Host Name    hidden
Domain Name  immunehackinggroup.tk
Registry     tk
TLD          tk
DNS
IP numbers   34.248.217.230

With the SSH key and credentials found on the onion site I logged in via SSH and found a flag:

ubuntu@ip-172-31-45-227:~$ cat /home/ubuntu/flag.txt
202cb962ac59075b964b07152d234b70

which was the final flag for the objective. But I decided to go further and enumerate the system. There is a lot of evidence that other people tried to elevate privileges with exploits. Luckily I was able to wget LinEnum.sh and found a lot, so I didn’t need to use exploits at all.

ubuntu@ip-172-31-45-227:~$ sudo cat /root/flag.txt
aec8023d578dd1da237f553052990b9c

sudo was enabled for user ubuntu without a password ^^ enumeration is the key 😛 So I found another flag in /root and another in /root/contacts/membership:

ubuntu@ip-172-31-45-227:~$ sudo cat /root/contacts/membership
name|email
Flag|e7df7cd2ca07f4f1ab415d457a6e1c13

NOW it gets funny:

ubuntu@ip-172-31-45-227:~$ sudo cat /home/ubuntu/README
We recently had some issues with accounts, and we had to reset the root password of Your account to a randomly generated one It’s recommended to change the password for security reasons Current root password: xxxxx Sorry for the incovenience, the Amazon Team
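The two findings from the enumeration above, passwordless sudo for the ubuntu user and a root password left in a README in the home directory, are exactly what a host-hardening check should catch before an attacker's enumeration script does. The following Python is an added example, not code from the writeup or from LinEnum: it parses a sudoers file and reports NOPASSWD rules (rating a blanket NOPASSWD:ALL higher than a scoped command list), and scans a text file for lines that look like a written-down credential. The sudoers content and README are constructed samples modelled on the writeup; the password value is a placeholder, and the parser deliberately does not follow #include directives.

```python
import re
from typing import Dict, List

# Constructed sample sudoers content (not taken from the lab machine). The
# "ubuntu" rule models the passwordless sudo the writeup found; the others are
# there to show that the check distinguishes scoped rules from blanket ones.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL) NOPASSWD:ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/journalctl
backup  ALL=(root) PASSWD: /usr/bin/rsync
#includedir /etc/sudoers.d
"""

# Constructed sample README modelled on the note in the writeup; the password
# itself is a placeholder, not a real value.
SAMPLE_README = """\
We recently had some issues with accounts, and we had to reset the root
password of your account to a randomly generated one.
Current root password: <placeholder-not-a-real-password>
Sorry for the inconvenience, the Amazon Team
"""

# user  host=(runas) [TAG:] command, command ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)

# A credential keyword directly followed by a separator, e.g. "password: ..."
CRED_HINT_RE = re.compile(
    r"(?i)\b(passw(?:or)?d|passphrase|secret|api[_-]?key|token)\b\s*[:=]"
)


def parse_sudoers(text: str) -> List[Dict[str, str]]:
    """Parse user-specification lines. Comments, Defaults and #include
    directives are skipped; included files are not followed here."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def find_nopasswd(text: str) -> List[Dict[str, object]]:
    """Report every rule that grants sudo without a password. NOPASSWD on ALL
    is rated high: whoever can run a command as that user (leaked key, web
    shell) is effectively root. When no runas is given, sudo defaults to root."""
    findings = []
    for rule in parse_sudoers(text):
        spec = rule["spec"]
        if "NOPASSWD:" not in spec:
            continue
        cmds = [c.strip() for c in spec.split("NOPASSWD:", 1)[1].split(",")]
        findings.append({
            "user": rule["user"],
            "runas": rule["runas"] or "root",
            "commands": cmds,
            "severity": "high" if "ALL" in cmds else "medium",
        })
    return findings


def find_credential_hints(text: str) -> List[str]:
    """Return lines that look like a plaintext credential, the kind of thing
    a README in a home directory should never contain."""
    return [line for line in text.splitlines() if CRED_HINT_RE.search(line)]


if __name__ == "__main__":
    for f in find_nopasswd(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']} may run as {f['runas']} "
              f"without a password: {', '.join(f['commands'])}")
    for line in find_credential_hints(SAMPLE_README):
        print(f"[credential hint] {line}")
```

On a real host the same two functions would be run over /etc/sudoers plus the files under /etc/sudoers.d and over world-readable files in home directories; a high finding from the first or any hit from the second is a fix-now item, which is the lesson of this box.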


root@ip-172-31-45-227:/home/ubuntu# whoami
root

lol?

root@ip-172-31-45-227:/home/ubuntu# echo „hi, send me some extra points i got way more flags 🙂 btw i love your virtual labs, but i dunno if i meant to get root on this machine, for security reasons i change the root passwd 😉 contact me at xxx@unordnung.net if thats not part of the challenge immunehackinggroup.“ | mail -s „hi. might be an incident“ enquiries@immersivelabs.com
root@ip-172-31-45-227:/home/ubuntu# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

xxxxx

you got mail immersivelabs, thx for the fun 🙂
root@ip-172-31-45-227:/home/ubuntu# exit

So… what now? Breaking out of KVM? (Is that still the CTF, or am I hacking AWS then? 🙂) Installing miners?

I’m a newbie, as you might’ve already guessed.
