Tue Dec 6 07:46:51 2016 from 180.76.15.158

rochefort.de

root:e595aea6255b00f70777ca9418bd9596:0:0::/root:/bin/bash

bin:x:1:1:bin:/bin:/bin/false

daemon:x:2:2:daemon:/sbin:/bin/false

adm:x:3:4:adm:/var/log:/bin/false

lp:x:4:7:lp:/var/spool/lpd:/bin/false

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/:/bin/false

news:x:9:13:news:/usr/lib/news:/bin/false

uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false

operator:x:11:0:operator:/root:/bin/bash

ftp:x:14:50::/home/ftp:/bin/false

rpc:x:32:32:RPC portmap user:/:/bin/false

sshd:x:33:33:sshd:/:/bin/false

messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false

nobody:x:99:99:nobody:/:/bin/false

edr:d6cc59c46b0b3f2cf2fef9360d96776e:1000:1000:Enguerrand de Rochefort,,,:/home/edr:/bin/bash

guest:3858f62230ac3c915f300c664312c63f:1001:1001:Guest User,,,:/home/guest:/bin/bash

# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $

# This is the sshd server system-wide configuration file. See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented. Uncommented options override the

# default value.

Port 1042

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

# The default requires explicit activation of protocol 1

#Protocol 2

# HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

#HostKey /etc/ssh/ssh_host_ecdsa_key

#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h

#ServerKeyBits 1024

# Ciphers and keying

#RekeyLimit default none

# Logging

# obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

PermitRootLogin yes

#StrictModes yes

#MaxAuthTries 6

#MaxSessions 10

#RSAAuthentication yes

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

# but this is overridden so installations will only check .ssh/authorized_keys

AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none

#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version 2

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

PasswordAuthentication no

#PermitEmptyPasswords no

# Change to no to disable s/key passwords

ChallengeResponseAuthentication no

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication. Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

#UsePAM no

#AllowAgentForwarding yes

#AllowTcpForwarding yes

#GatewayPorts no

#X11Forwarding no

#X11DisplayOffset 10

#X11UseLocalhost yes

#PermitTTY yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

UsePrivilegeSeparation sandbox

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval 0

#ClientAliveCountMax 3

#UseDNS no

#PidFile /var/run/sshd.pid

#MaxStartups 10:30:100

#PermitTunnel no

#ChrootDirectory none

#VersionAddendum none

# no default banner path

#Banner none

# override default of no subsystems

Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis

#Match User anoncvs

# X11Forwarding no

# AllowTcpForwarding no

# PermitTTY no

# ForceCommand cvs server

## sudoers file.

##

## This file MUST be edited with the 'visudo' command as root.

## Failure to use 'visudo' may result in syntax or file permission errors

## that prevent sudo from running.

##

## See the sudoers man page for the details on how to write a sudoers file.

##

Defaults env_reset

Defaults mail_badpass

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

 

##

## Host alias specification

##

## Groups of machines. These may include host names (optionally with wildcards),

## IP addresses, network numbers or netgroups.

# Host_Alias WEBSERVERS = www1, www2, www3

 

##

## User alias specification

##

## Groups of users. These may consist of user names, uids, Unix groups,

## or netgroups.

# User_Alias ADMINS = millert, dowdy, mikef

 

##

## Cmnd alias specification

##

## Groups of commands. Often used to group related commands together.

# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \

/usr/bin/pkill, /usr/bin/top

 

##

## Defaults specification

##

## You may wish to keep some of the following environment variables

## when running commands via sudo.

##

## Locale settings

# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"

##

## Run X applications through sudo; HOME is used to find the

## .Xauthority file. Note that other programs use HOME to find

## configuration files and this may lead to privilege escalation!

# Defaults env_keep += "HOME"

##

## X11 resource path settings

# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"

##

## Desktop path settings

# Defaults env_keep += "QTDIR KDEDIR"

##

# Allow sudo-run commands to inherit the callers' ConsoleKit session

# Defaults env_keep += "XDG_SESSION_COOKIE"

##

## Uncomment to enable special input methods. Care should be taken as

## this may allow users to subvert the command being run via sudo.

# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"

##

## Uncomment to enable logging of a command's output, except for

## sudoreplay and reboot. Use sudoreplay to play back logged sessions.

# Defaults log_output

# Defaults!/usr/bin/sudoreplay !log_output

# Defaults!/usr/local/bin/sudoreplay !log_output

# Defaults!/sbin/reboot !log_output

 

##

## Runas alias specification

##

 

##

## User privilege specification

##

root ALL=(ALL:ALL) ALL

 

## Uncomment to allow members of group wheel to execute any command

# %wheel ALL=(ALL:ALL) ALL

 

## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL

 

## Convenient start, stop and status of the sshd daemon

edr ALL = NOPASSWD: /etc/rc.d/rc.sshd start

edr ALL = NOPASSWD: /etc/rc.d/rc.sshd stop

edr ALL = NOPASSWD: /etc/rc.d/rc.sshd status

 

## Uncomment to allow members of group sudo to execute any command

# %sudo ALL=(ALL) ALL

 

## Uncomment to allow any user to run sudo if they know the password

## of the user they are running the command as (root by default).

# Defaults targetpw # Ask for the password of the target user

# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'

 

## Read drop-in files from /etc/sudoers.d

## (the '#' here does not indicate a comment)

#includedir /etc/sudoers.d

 

-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEAwgnAAbpbeLnTFhMHrBHS2X/R+Wz8h1ubC7y0NrT8Y7OTpiMw

c7pYI974xHwffYYHcqjAiXEd36gqYqi+K9121JTyCTvnihltweRBv3+3xZ11fEdP

uIJovpg/faaIyecRvAPrFIMRMdpZfdqVTquH9U8OLdu6hjvK3QWdbSsdlhPp5ZyS

wIn33iFgKs11a1oGaULtuGSRpnhnm9aYf7bXLGW8kA0UYLXt/tpdVjSg2zkPZTza

O6xS2bGtmeeIajmgwtDSh/aMzIC8PqxsokKN8bTUO+UPppcQ1lKwaygIfuIQbRUj

4edo6iRDIc23d5FFWydqPfxw2bfcNRkUeQSbMwIDAQABAoIBAQC4wA/RlV8C0+vo

WLY1X8Mi1FFY7CyFtPMrecEdVbX6OEGdLmQzzHmfre2vJ3/URIlS4tpwAwQusC+r

QH/RxEwgnLDXmfIby5p1wp/XdgPEZOg4LK37QC/7SXsqaCZWF20LV6+9GA6HKR+M

dVM0VJ5fM6aMg2pV5RiC2ZXLHAJPoX3NjQlp7QgQ5BlbwIPJXp8bHfelIs6ESswu

yGWKIGrRCc7bJMiwmtwFP/vLjAqfxgMJ6vda1T1F5PObqsjzWqeP3EMrdsGEWQD8

0SbK0CIXSg8h1zCWhBS87Be56SiWUHKkKlGbi9HssSXF3VMQKZvynxmRetX94STG

sLGb5VIBAoGBAOO7bJaqTClultgu3wzaCcX3qZc6frB1D5xaP+9qTY2guEWwHWrI

xKJXqNOQE4b70+lyzWUwZyqIEXQOXgQu8tFq2szJ3+9BwmoFqhaDYInqdCw+LG9m

5rShn//VYBrzwpN1k8MEot2lzi7Jy5d5RM7eSC1maHzhk1gr1wxBjLDHAoGBANof

o/GfE5dORuD+c2Yp/BCuydXSmP/Aql4OTdjLWADgAeEPxgfEK4hvrXbScAq6CvIo

EoEZImZvavNwGxbhmJ6YRgbC1uPt4kVEfM7JD8e9SnncvlOntfWKByaVQJDcSKyJ

ooDfgpXM22LjJ5HCcp3BryNvyAqUZ5cKOFlMHe41AoGBAJHDeXHGdxFd87dT6Pj0

5qSMLUTa8BRKGT/elGXOCO3KHaidXXboItQ2f51K7vTLY4xdKxLFtIMIrQM33v2W

f12Do6DI5kjiMmpiTcgzNyuPoeRft1lm5+xeN2ctUGJv++8epwGAii6M3jgcee/u

cxhmNpS4o9CrIgChrvftTPwpAoGASRrjqp6jRUnh7ZS6fppBtiGu2fBMgSNEtmNa

6fc1Fo39cz4DJCU2ZfLwE2vyS1YRRxnxIb2Xzvc2xEJlgeS4bycgCTISLbBT7t1G

a1Pt6wbhSDiYvZbvIE1TmjXZvvNllBZJFaJTtPtE6D6zy2F9YqxAk8LqK8mTcobl

XeBqA6UCgYB1J1niviZEXE29dW5MnJ0VTFW4tQ8J1tpImzyMPp3NBjzRimN1SBj8

ih56Brsab6HGOvSkZajTRruGziqGJK7cxn7AEhOtmhzFldhZAsRwZM8Eo0vADCPr

Cv4GaMdKwFiBvYwhM0Kuimq0p7UQ6dKjS03WEVlRvEz6hyunbQP3Rg==

-----END RSA PRIVATE KEY-----

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCCcABult4udMWEwesEdLZf9H5bPyHW5sLvLQ2tPxjs5OmIzBzulgj3vjEfB99hgdyqMCJcR3fqCpiqL4r3XbUlPIJO+eKGW3B5EG/f7fFnXV8R0+4gmi+mD99pojJ5xG8A+sUgxEx2ll92pVOq4f1Tw4t27qGO8rdBZ1tKx2WE+nlnJLAiffeIWAqzXVrWgZpQu24ZJGmeGeb1ph/ttcsZbyQDRRgte3+2l1WNKDbOQ9lPNo7rFLZsa2Z54hqOaDC0NKH9ozMgLw+rGyiQo3xtNQ75Q+mlxDWUrBrKAh+4hBtFSPh52jqJEMhzbd3kUVbJ2o9/HDZt9w1GRR5BJsz edr

No further detours. Gain root access now!

The password is also hashed in md5. But it's a way more complex one. I am not saying it can't be cracked, but I doubt that you'll find a rainbow table out there that contains it, so do not spend too much time on trying. There are other ways.

edr is one lazy bastard. Laziness and security usually don't work well together.

Look for custom scripts. Where are these typically located?

Take a look at /usr/local/bin

Ok. So you found that edr made some convenience scripts to control the ssh server. How about checking out the server config?

It is located at /etc/ssh/sshd_config

PermitRootLogin = yes !!!

Maybe edr was stupid enough to not put a password on his ssh key?

And to add his public key to the authorized keys in the root account?

So in case it did not become clear by now: You obviously want to ssh into localhost. (Or rochefort.de, which is the same host)

Getting public key error messages? Are you specifying the target user? Type man ssh for help.

Connection refused? Although the ssh server is running? Check the config again.

Still connection refused? What port are you connecting to? Check the config again and type man ssh to see how to specify a non-default ssh port.

Great you made it this far!

Feel free to poke around for more...

-----BEGIN GEEK CODE BLOCK-----

Version: 3.12

GCS d-(++) s: a C++ UL P+ L+++ E--- W++ N o? K? w--- O- M-- V? PS+ PE Y+ PGP>+++ t+ 5 X- R- tv- b+ DI+++ D G e+++ h---- r+++ y+++

------END GEEK CODE BLOCK------

Click the below links to download stuff.

Granin_Man.pdf - Rules (in German) for a simple but tough drinking game some friends and I invented back in our university days

My github repo: https://github.com/enguerrand

Project homepage of XDAT, an x-dimensional data analysis tool: http://www.xdat.org

My wiki, with information mainly about Linux-related stuff: http://wiki.rochefort.de

My wife's website (she's a Make-Up Artist): http://www.simonegatzen.de

Don't try to get root access right away. There are other accounts on this system.

So the target at this point is the edr account. Go right through the front door.

What do I mean by "front door"? Crack the password!

Rainbow tables will help you to do so.

For rainbow tables to be useful, you need the hashed password. With modern systems it would be impossible for you to get access to it from a non-superuser account.

But in the present setup passwords are stored in a very old-fashioned way. We are talking about the 80s here...

Ok. Take a look at /etc/passwd. For more information, see the passwd wikipedia article

So now you have a password hash. The hash type is md5.

Come on, you can do it! Search the web for cracking md5 sums and / or rainbow tables. Plenty of sites out there!

Seriously? Still can't do it? Try harder!

Hi there!

Take a look around by browsing the file system hierarchy using the cd command.

View the content of files using the cat command.

And just in case you are wondering: yes - this place can be hacked! Can you gain root privileges?

Have fun!

Enguerrand

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCCcABult4udMWEwesEdLZf9H5bPyHW5sLvLQ2tPxjs5OmIzBzulgj3vjEfB99hgdyqMCJcR3fqCpiqL4r3XbUlPIJO+eKGW3B5EG/f7fFnXV8R0+4gmi+mD99pojJ5xG8A+sUgxEx2ll92pVOq4f1Tw4t27qGO8rdBZ1tKx2WE+nlnJLAiffeIWAqzXVrWgZpQu24ZJGmeGeb1ph/ttcsZbyQDRRgte3+2l1WNKDbOQ9lPNo7rFLZsa2Z54hqOaDC0NKH9ozMgLw+rGyiQo3xtNQ75Q+mlxDWUrBrKAh+4hBtFSPh52jqJEMhzbd3kUVbJ2o9/HDZt9w1GRR5BJsz edr

Congratulations. You made it. Not all that difficult was it?

If you have ideas for further challenges please send them right over!

#!/bin/bash
# Convenience wrapper: report the status of the sshd service.
#
# The command line is deliberately fixed and forwards no arguments: the
# sudoers rule for edr grants NOPASSWD only for this exact
# "/etc/rc.d/rc.sshd status" invocation, so the wrapper must not widen
# what that rule permits by passing "$@" through.
# exec hands the process over to sudo, so the caller sees the rc
# script's exit status directly.
exec sudo /etc/rc.d/rc.sshd status

#!/bin/bash
# Convenience wrapper: start the sshd service.
#
# Only the exact "/etc/rc.d/rc.sshd start" command line is covered by
# the NOPASSWD sudoers entry for edr, which is why this script takes no
# parameters and never interpolates caller-supplied input into the
# command. exec replaces this shell with sudo so no extra process is
# left behind and the exit status is passed straight to the caller.
exec sudo /etc/rc.d/rc.sshd start

#!/bin/bash
# Convenience wrapper: stop the sshd service.
#
# Kept as a single fixed command with no argument pass-through: the
# sudoers rule for edr matches "/etc/rc.d/rc.sshd stop" literally, so
# this wrapper grants nothing beyond that one action. Using exec means
# the sudo exit status is the script's exit status.
exec sudo /etc/rc.d/rc.sshd stop