{"id":73,"date":"2019-03-09T04:03:22","date_gmt":"2019-03-09T04:03:22","guid":{"rendered":"http:\/\/www.unordnung.net\/?p=73"},"modified":"2019-03-09T04:03:22","modified_gmt":"2019-03-09T04:03:22","slug":"immune-hacking-group-writeup","status":"publish","type":"post","link":"https:\/\/unordnung.net\/misc\/2019\/03\/immune-hacking-group-writeup\/","title":{"rendered":"immune hacking group writeup"},"content":{"rendered":"\n

This is a quick writeup of the challenge https:\/\/immersivelabs.online\/labs\/cyber-warrior-immune-hacking-group<\/a> which was funny \ud83d\ude42<\/p>\n\n\n

In this warrior challenge you\u2019ll need to follow the breadcrumbs to infiltrate an underground hacking community. You can find the community at their website, immunehackinggroup.tk \u2013 from here its all on you.  <\/em><\/p>\n\n\n

i found the first flag in the source code of their webpage<\/p>\n\n\n

<!--Tm90ZSB0byBhZG1pbnM6IHVzZSB0aGUgdXN1YWwgcm90YXRpb24gY2lwaGVyIHRvIGFjY2VzcyBvdXIgZGFyayBuZXQgc2l0ZTogYm5uajovLzdjcjR0cGdobXdxNmcybXguaWhjaWgv RkxBRzogMWI1MDRkMzMyOGUxNmZkZjI4MWQxZmI5NTE2ZGQ5MGI=--><br\/> <!--FLAG: f447b20a7fcbf53a5d5be013ea0b15af--><\/p><\/em><\/pre>\n\n\n
i decoded the base64 encoded text getting:<\/p>\n\n\n
Note to admins: use the usual rotation cipher to access our dark net site: bnnj:\/\/7cr4tpghmwxxxxxxxxx
 \u0019\f\u030e\u0019LM\u0019\fY\fYMLM\u0019\u000eL\u0018<\/em><\/p>\n\n\n
with the help of https:\/\/www.dcode.fr\/rot-cipher i decoded the rotation cipher getting:<\/p>\n\n\n
http:\/\/7ix4zvmnsxxxxxx.onion<\/a><\/p>\n\n\n
on their darknet page i found another flag and a ssh key:<\/p>\n\n\n
FAO Admins: We’ve not included the servername required for the full connection.<\/p>\n\n\n
FQDN<\/td>User<\/td>Password<\/td><\/tr>
<secret>.immunehackinggroup.tk<\/td>xx<\/td> password<\/td><\/tr><\/tbody><\/table>\n\n\n
 FLAG: 827ccb0eea8a706c4c34a16891f84e7b<\/p>\n\n\n
—–BEGIN RSA PRIVATE KEY—–
MIIEowIBAAKCAQEA5tVR1RWtikbab7Zh\/O93Yi3GcT8fh+L0Ngva3ejCrN5OiL0A
h\/U5Yi1qLDdhcJqh8CUtohXh2nZNr9Mr3NHi5AezdNb7FffdeFPpX2v5EXJJdKWo
osxUJ7i9ca\/Ycq1tx70zxkX9i2WBf5awABUKF\/oNybLw+p53LjgnW5ZtnBbqxQT9
d2eSZJz4mHl3Wt8gudv9zUDgPTopZ8FyxfNld\/vOfP0CljadWScx2poQn7EJpRkS
jFKz6jHbH3PAWBU1o04XZ2Dud27dAUh9Z+1WkL\/2xJ0XPmbazIuMpunAz+kluyiF
k89jLhaMPL8HX4NNPUNP\/a5A1bIhdAATOXA7fQIDAQABAoIBAQDAQwknzCiBNcaW
qXgwLlxnX+0bQhJHIld59KHVlxse1QLgjVu14iBrj5wRPAdivMkItk6t5D\/7r\/HA
8shj4kVy3J8yQCVeBNdoc6u7mLkZOPHJwHkXL80gUJUp7ecAjUcUyJgpGv61blRQ
Kvho+R0xH0sAppRkijyGOKs\/c6nUCQVCauVgIJ8LccmGyadZidXqLqkzigd6QPK0
pol2BqJHjO5DrDRH0uMNVh96ZtPXlHkVyobU0wWCIRoweP2SlnKgDtyrAQsIpEDK
qixyRDjnOgjbx2Tff0GcdmJRQVo8FRW2PxYk9OsvEqpTEhtJxfDFXs1+RPMK75Sg
5aDoRywZAoGBAPxdyga48ktzP4RwMY7v3\/FxeaHsJo6eqGf8kPm\/qTZz+XdcYwud
v4NkyECjTaFDlovHLx+\/88gchEms7Tlh\/WXiMmFTfxk280QZ9WLqebe5I7fFP1m1
sbkhIuIxOKiQemm+\/TnPZNIltOO9u2yYWcZr7r25Wa4qo9MmrpPYPXAfAoGBAOoo
KRiz+yN8vlAzyMP2ftXk6OxCj7qkfGchs\/dWmSjElly2\/kV6fY9UveEz0TjhbzJS
UVQY0ORoJjof2OsQOYkFCdSD8VZkm3tE04ZpJp349csrJj8922LXS+UJoT7UQQTG
TDxRlcczVPEwpQvU\/dL3HR+59+oFlfUBTdmMEDDjAoGANmszCUgQV1y+sZxP03a+
X54MkHIPzmk\/\/0xjJrfBkVBo1uhBI1wc1ASDegy8zK16ZSHKc5o8w0YC8LAtZ1ZO
Ag5Ittv+aD2FL4Y5d97\/6DIwFYyfIIUhkb4ne4cJpK+i9fKNQE4Me5RN8V4UcFJZ
6YOUs6yoPfpL4VhSBOd4OBkCgYATX0s3HfzTDMj5\/a7Id6Y6r\/uNQFxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
—–END RSA PRIVATE KEY—–<\/p>\n\n\n
They sent me a lion, but he was too FIERCE. So they send me a TXT record, it was perfect!  <\/p>\n\n\n
so i looked at the dns entries of their domain and found a flag <\/p>\n\n\n
dnsrecon -d immunehackinggroup.tk

 []      A immunehackinggroup.tk 52.19.78.250 []      A immunehackinggroup.tk 52.48.133.28
 []      TXT immunehackinggroup.tk FLAG:25d55ad283aa400af464c76d713c07ad [] Enumerating SRV Records
 [-] No SRV Records Found for immunehackinggroup.tk
 [+] 0 Records Found<\/em><\/p>\n\n\n
with robtex.com i found the FQDN of the ssh server<\/p>\n\n\n
https:\/\/www.robtex.com\/dns-lookup\/hidden.immunehackinggroup.tk<\/a><\/p>\n\n\n
FQDN    hidden.immunehackinggroup.tk
 Host Name    hidden
 Domain Name    immunehackinggroup.tk
 Registry    tk
 TLD    tk
 DNS
 IP numbers    34.248.217.230<\/p>\n\n\n
with the ssh key and credentials found on the onion site i log into ssh and found a flag
 ubuntu@ip-172-31-45-227:~$ cat \/home\/ubuntu\/flag.txt
 202cb962ac59075b964b07152d234b70<\/em><\/p>\n\n\n
which was the final flag for the objective. but i decided to go further and enumerate the system. there is a lot of eveidence that other ppl tried to elevate privileges with exploits. luckily i was able to wget LinEnum.sh and found a lot, so i didnt need to use exploits at all<\/p>\n\n\n
ubuntu@ip-172-31-45-227:~$ sudo cat \/root\/flag.txt
 aec8023d578dd1da237f553052990b9c<\/em><\/p>\n\n\n
sudo was enabled for user ubuntu w\/o password ^^ enum is the key \ud83d\ude1b so i found another flag in \/root and another in \/root\/contacts\/membership<\/p>\n\n\n
ubuntu@ip-172-31-45-227:~$ sudo cat \/root\/contacts\/membership
 name|email
 Flag|e7df7cd2ca07f4f1ab415d457a6e1c13<\/em><\/p>\n\n\n
NOW it gets funny:<\/p>\n\n\n
ubuntu@ip-172-31-45-227:~$ sudo cat \/home\/ubuntu\/README
 We recently had some issues with accounts, and we had to reset the root password of Your account to a randomly generated one  It’s recommended to change the password for security reasons  Current root password: xxxxx  Sorry for the incovenience, the Amazon Team <\/p>\n\n\n

<\/p>\n\n\n
root@ip-172-31-45-227:\/home\/ubuntu# whoami
 root<\/em><\/p>\n\n\n
lol?<\/p>\n\n\n
root@ip-172-31-45-227:\/home\/ubuntu# echo “hi, send me some extra points i got way more flags \ud83d\ude42 btw i love your virtual labs, but i dunno if i meant to get root on this machine, for security reasons i change the root passwd \ud83d\ude09 contact me at xxx@unordnung.net if thats not part of the challenge immunehackinggroup.” | mail -s “hi. might be an incident” enquiries@immersivelabs.com
 root@ip-172-31-45-227:\/home\/ubuntu# passwd
 Enter new UNIX password:
 Retype new UNIX password:
 passwd: password updated successfully<\/p>\n\n\n
xxxxx
<\/p>\n\n\n
you got mail immersivelabs, thx for the fun \ud83d\ude42
root@ip-172-31-45-227:\/home\/ubuntu# exit<\/p>\n\n\n
so…what now? breaking out of kvm? (is that still the ctf or am i hacking aws then? \ud83d\ude42 installing miners?
<\/p>\n\n\n
im a newbie as you might’ve already guessed.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is a quick writeup of the challenge https:\/\/immersivelabs.online\/labs\/cyber-warrior-immune-hacking-group which was funny \ud83d\ude42 In this warrior challenge you\u2019ll need to follow the breadcrumbs to infiltrate an underground hacking community. You can find the community at their website, immunehackinggroup.tk \u2013 from here its all on you.  i found the first flag in the source code of … Read moreimmune hacking group writeup<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[15,34,80],"class_list":["post-73","post","type-post","status-publish","format-standard","hentry","category-ctf-writeup","tag-ctf","tag-immersivelabs","tag-writeup"],"_links":{"self":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/73","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/comments?post=73"}],"version-history":[{"count":0,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/73\/revisions"}],"wp:attachment":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/media?parent=73"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/categories?post=73"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/tags?post=73"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}