OffSec PG - Inclusiveness

Posted Dec 19, 2021

PG Artwork

By Tanishq Rupaal 2 min read

Enumeration

Machine IP → 192.168.80.14

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.80.14

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Port	Service	Other details (if any)
21	FTP	vsftpd 3.0.3 → Anonymous FTP allowed
22	SSH	OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80	HTTP	Apache httpd 2.4.38 ((Debian))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.80.14 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

index.html
robots.txt
seo.html
javascript/
manual/

Looking at the robots.txt, it says only search engines are allowed to access it. Therefore, changing the User-Agent to GoogleBot in burp allows bypassing this restriction. This gives the directory /secret_information/.

Exploitation

LFI

The /secret_information/ directory consists of an introduction to DNS Zone transfer attacks and links to display it in English or Spanish. The links are of the form ..?lang=language.php. Therefore, attempting LFI here allows to print contents of the /etc/passwd file. This gives enumeration of the users → tom and root.

The anonymous ftp login shows that the pub directory of the FTP service is world writeable. Therefore, it is a good place for landing payloads. To get the exact path of the location, the configuration file must be read. From the service enumeration, the version is known to be vsftpd 3.0.3. The default config for this is at /etc/vsftpd.conf.

Using LFI to print this shows the following →

anon_root=/var/ftp/
write_enable=YES

Reverse shell from Anonymous write-enabled FTP and LFI

Using the FTP to upload a reverse shell in PHP and then using LFI to navigate to the payload using the path found in the config file grants the shell as user www-data. The payload used is pentest monkey’s PHP reverse shell.

Enumerating the setuid binaries, an interesting find was the presence of /home/tom/rootshell, which indicates getting privilege of user tom is the step required to get root on the machine.

Privilege Escalation

User

The home directory of the user tom is readable by www-data. Therefore, visiting it grants access to the code of the rootshell binary found above. This also gives the user flag.

The code of the rootshell binary uses FILE* f = popen("whoami", "r");. This does not use an exact path, therefore, the PATH variable can be abused to trick the program into evaluating the username as tom. Therefore, creating a new directory in /tmp and an executable whoami under it that prints tom allows adding this to the current PATH.

echo '#!/bin/bash' > whoami
echo 'echo tom' >> whoami
chmod +x whoami
export PATH=/tmp/testdirectory

This allows for execution of the rootshell binary, which evaluates all checks to true and grants the root shell, thereby the root flag.

Lab Practice Notes, OffSec Proving Grounds

This post is licensed under CC BY 4.0 by the author.