Post

OffSec PG - BBS Cute, Born2Root, Cybersploit1, Deception

Posted
PG Artwork
PG Artwork
By Tanishq Rupaal
7 min read
OffSec PG - BBS Cute, Born2Root, Cybersploit1, Deception

BBS Cute

Enumeration

Machine IP → 192.168.192.128

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.192.128

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))
88KERBEROS-SECnginx 1.14.2
110POP3Courier pop3d
995POP3SCourier pop3d

Web Scan

GoBuster scan → gobuster dir -u http://192.168.192.128 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.php
  • index.html
  • search.php
  • rss.php
  • icons/ (403)
  • docs/
  • print.php
  • uploads/
  • skins/
  • core/
  • manual/
  • popup.php
  • captcha.php
  • example.php
  • libs/
  • snippet.php
  • show_news.php
  • cdata/
  • server-status

The webserver is also running Cute News Management System powered by CuteNews 2.1.2.

Exploitation

Using searchsploit to look at existing vulnerabilities, there are 4 results for the version of CuteNews being run on the system. looking at the RCE expoloit, the python code has easy to understand steps.

Basically, the vulnerability is the ability to upload a reverse shell in place of the avatar for a given user and then navigating to it. The exploit requires various steps. The first is to register a user. This was done at the /index.php?register page. This required a captcha value, which did not load inline on the page. Without eefort, the captcha.php file found in directory busting gives the captcha code directly. Therefore, a user was registered.

Next, the avatar for the user must be updated. This was done by navigating to /index.php?mod=main&opt=personal page. The php reverse shell from pentest monkey is used as the file for upload here. However, this file is rejected. This implies that the server does check for file names or file headers. By hit and trial, the headers are being checked and not the extensions.

Therefore, like the exploit-db version of the RCE, the php code must be prepended with the GIF8;\n header to trick the server to think it is an image file. Also, the Content-Type header is not checked for file type. The reverse shell uploads successfully and navigating to it at /uploads/avatar_<username>_php_rev.php executes the php code and gives the reverse shell. The user flag is also obtained via the www-data permissions.

Privilege Escalation

Enumerating sudo -l and setuid files, the interesting option is that of hping3. Even if the sudo -l says only --icmp mode is allowed, since it is a setuid binary, the interface of hping3 can be sirectly exposed. The direct invocation of hping3 allows for a application shell to execute. This does support usual bash commands.

whoami shows the permissions of root. Therefore, using the hping3 shell, the root flag can be obtained as well.

Born2Root

Enumeration

Machine IP → 192.168.225.49

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.225.49

OS Detection → os_info

PortServiceOther details (if any)
22SSHOpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80HTTPApache httpd 2.4.10 ((Debian))
111RPCBINDrpcbind 2-4 (RPC #100000)
44532--

Web Scan

GoBuster scan → gobuster dir -u http://192.168.225.49 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Robots txt file has two directories →

  • wordpress-blog/
  • files/

Directories/files listed →

  • index.html
  • robots.txt
  • icons/
  • files/
  • manual/

Exploitation

The /icons/ directory has a .txt file which seems out of place amongst all the other image files. Upon inspection, it contained an RSA private key. Used this to login to the ssh server running on the machine. For ther user, the most obvious one is martin given the clear mentions throughout the website. Upon loggin in, the shell asks for a secret password. Entering something random just drops into the shell and gives the user flag.

The program that asked for the secret password was located at the end of the .bashrc in martin’s home directory. This was /var/tmp/login.py. Upon close inspection, the script has an error to always allow access into the shell. The script is as follows →

1
2
3
4
5
6
7
8
9
10
11
12
13
14

#!/usr/bin/python

import os

print("")
print("READY TO ACCESS THE SECRET LAB ? ")
print("")
password = raw_input("secret password : ")

if (password) == "secretsec" or "secretlab" : ## --> Always true
	print("WELCOME ! ")
else:
	print("GET OUT ! ")
	os.system("pkill -u 'martin'")

Privilege Escalation

Looking at the /etc/passwd file, the users of interest are root, martin, hadi and jimmy.

User 1

Looking at the crontab, there is a job by jimmy that runs every 5 minutes as python /tmp/sekurity.py. This file does not exist, therefore, can be created and subsequently executed. This can be used to receive a shell as jimmy over netcat. The home directory consists of a networker binary, which doesn’t seem to do anything concrete.

User 2

Cracking the password for hadi was taking too long, therefore a hack was used to grep out all passwords related to “hadi” from the rockyou.txt list. This sublist was also set on the cracking task in parallel, which found the password surprisingly quick, resulting in credentials hadi:hadi123.

Root

As the hadi user, running su root directly gives the root shell and thus the root flag.

Cybersploit1

Enumeration

Machine IP → 192.168.124.92

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.124.92

OS Detection → os_info

PortServiceOther details (if any)
22SSHOpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.2.22 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.124.92 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed →

  • index/
  • index.html
  • robots/
  • hacker/

The hacker/ page consists of a base64 string which decodes to cybersploit{youtube.com/c/cybersploit}.

Exploitation

The source of the home page consists of <!-------------username:itsskv--------------------->. Therefore, this can be used for a password brute force on the ssh server. This did not reveal a password. Testing the previous base64 string as the password works and grants access to the user itsskv.

This gives the first flag.

Privilege Escalation

Enumerating the setuid binaries gives no info. Looking at the kernel version and os version using uname -a, it seems the kernel is indeed an outdated one → 3.13.0. Using searchsploit to look at exploits for this version using searchsploit 3.13.0, there is an overlay.fs exploit for local privilege escalation.

Compiling this binary for the 32 bit version and transferring to the machine via wget, enables getting root user shell after running it. This gives the root flag.

Deception

Enumeration

Machine IP → 192.168.225.34

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.225.34

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.225.34 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • icons/ (403)
  • wordpress/
  • javascript/ (403)
  • phpmyadmin/

Scanning the /wordpress/ directory again gives the following →

  • index.php (301)
  • wp-content/
  • wp-login.php
  • license.txt
  • wp-includes/
  • readme.html
  • robots.txt
  • robots.html
  • wp-trackback.php
  • wp-admin/ (302)

Running WPScan on the target shows the following result →

  • XMLRPC enabled at /wordpress/xmlrpc.php
  • Directory listing at /wordpress/wp-content/uploads/
  • WP-Cron enabled at /wordpress/wp-cron.php
  • Wordpress version 5.3.2
  • Enumerated users → yash and haclabs

Exploitation

Looking at the page /wordpress/robots.html, it has a click interface which shows a playful alert. Looking at the code, a new webpage /wordpress/admindelete.html was discovered. This page says LOL,A Noob is looking for a hint. Based on this, searching for /wordpress/hint.html was discovered, which says Please collect all the API tokens availabe on the home page. Therefore, the homepage was scoured for API tokens. The following were found →

1
2
3
4

API old0 : 5F4DCC3B5AA
API old1 : 765D61D8
API old2 : 327DEB
API new : 882CF99

When concatenated, this gives 5F4DCC3B5AA765D61D8327DEB882CF99. This is not any kind of hash, therefore, trying this out in credentials yash:5F4DCC3B5AA765D61D8327DEB882CF99 works. This gives the shell as user yash and the local flag.

Privilege Escalation

User

The uuser yash is not allowed to run sudo, therefore, looked at the setuid binaries. The interesting ones were /usr/bin/arping and /usr/bin/traceroute6.iputils. Looking at the files in the home directory, there is a file .systemlogs which contains a bunch of text. This does have the username haclabs within "". Grepping out " to accentuate them shows the following values →

1
2
3

haclabs
A=123456789
+A[::-1]

The following values make sense from the above → 987654321, 123456789987654321 and haclabs987654321. Trying these out for the user haclabs, the last one works and grants the shell.

Root

haclabs can execute sudo for all commands without a password. Using this to spawn a shell grants the shell as root and thus, the root flag.

Lab Practice Notes, OffSec Proving Grounds
oscp lab offsec-proving-grounds
This post is licensed under CC BY 4.0 by the author.