Ascension

Challenge Lab (Easy) - by Ryan Yager

The following post by 0xb0b is licensed under CC BY 4.0


Scenario

You are a penetration tester on the Hack Smarter Red Team. You need to target a single, designated host within the client's internal network to assess its defensive posture against a persistent threat actor. This engagement is a black-box test and will focus on identifying and exploiting a complete chain of vulnerabilities and misconfigurations that facilitate lateral movement and privilege escalation.

The ultimate goal is to achieve full system compromise (root access).

Recon

The RustScan of 10.0.20.147 revealed several services, including FTP 21 with anonymous login enabled and a file pwlist.txt, SSH 22 running OpenSSH 9.6p1 on Ubuntu, and HTTP 80 serving the Apache 2.4.58 default page. In addition, RPCBind 111 is active and exposes NFS-related services on port 2049 along with mountd, nlockmgr, and status services across high TCP ports. This indicates the host is a Linux system with FTP, SSH, and HTTP as primary entry points, and a misconfigured NFS service that may allow sensitive file access as a key attack surface.

rustscan -a 10.0.20.147 -- -sV -sC

FTP

We connect to the ftp server and download the pwlist.txt file. This contains several weak passwords.

ftp 10.0.20.147

WEB

We investigate the web server on port 80. The index page just reveals the Apache2 Default Page.

Next, we run a directory scan using Feroxbuster including the extensions .html and .php. We see that there might be a Wordpress page running.

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u 'http://10.0.20.147' -x html,php

The index.php found by Feroxbuster and the several other pages give us a blank page.

We try to run wpscan, but it does not detect a wordpress page running. We try it with --force but are only able to detect the running theme.

wpscan --url http://10.0.20.147/ --force --enumerate u,ap,at,tt,cb,dbe --api-token REDACTED

NFS

Next, we head to the NFS service running on port 2049. With showmount we list the shares availbale to us. And there is one: /srv/nfs/user1.

showmount -e ascension.hsm

Shell as user1

We mount the share and are able to retrieve an SSH private key.

mount -t nfs -o nolock ascension.hsm:/srv/nfs/user1 ascension_mnt

The README.txt file gives us the hint that his might be connected to the user1 user, since it points out the location of the first flag related to user1.

We inspect the public key and see it's the one of user1.

We can check if a password is required with the following command.

ssh-keygen -y -f id_rsa

Since it requires a password, we need to crack it. We generate a hash from the file using ssh2john.py.

We copy the id_rsa file to our directory, apply the correct permissions, and unmount the share.

cp ascension_mnt/id_rsa . 
chmod 600 id_rsa 
umount ascension_mnt

We generate the hash,...

ssh2john.py id_rsa > id_rsa.hash

... and using John to crack it. We got a password.

john --format=ssh --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

We can now unlock the private key, and see the public key related to user1.

ssh-keygen -y -f id_rsa

Next, we connect to the machine as user1 with the private key. We find the first flag at /opt/user1/flag1.

ssh -i id_rsa user1@ascension.hsm
cat /opt/user1/flag1

Shell as user2

As an overview we have user1, user2, user3, user4, ftpuser and root.

tail /etc/passwd

We check for internal listening ports and see that mysql 3306 is running.

ss -tulnp

We check for services running in the background using pspy64.

There is a backup script at /tmp/backups.sh running by user2.

The /tmp folder does not contain any script. So we can create our own.

We place a simple busybox reverse shell into /tmp/backup.sh.

We use penelope, a reverse shell handler which tries to auto upgrade the catched reverse shell, fixes TTY size and allows us to manage our sessions. After a short duration we receive a conneciton to our listener. We are user2 and find the second flag at /opt/user2/flag2. We remove the script in /tmp/backup.sh to not receive any further connections to our penelope handler.

penelope -p 4445
cat /opt/user2/flag2

Shell as user3

We run linpeas again on the target.

We find some database credentials for the wordpress database. This can already be found as user1. An escalation from user1 to user2 is not necessary which we wil find out later. We already know mysql is running.

We connect to the datrabase,

mysql -u wpuser -D wordpress -h localhost -p

and find the fourth flag in the database and the credentials for user3.

Next, we just use su to change user to user3 and locate the fifth flag at /opt/user3/flag5.

su user3
cat /opt/user3/flag5

Shell as root

In the home directory of user3 we find a Python3 binary, which is kinda odd. Out of curiousity we could inspect the capabilities or we just run linpeas again and see the following capability set. That capability can be abused to escalte our privileges to root, since it is owned by root.

/cap/ser3/python3 cap_setuid=ep

As a result, the admin has granted the user demo the privilege to run the python3 program as root by using cap_setuid+ep. This means the system assigns all privilege to the user for that program. But if you try to find 4000 permission files or programs, then it might not show for /home/dome/python3.

We run the following and get a shell as root. We can retrieve the final flag and the flag of ftpuser and user2.

/home/user3/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
cat /opt/root/flag6

Recalling the pwlist.txt extracted from the ftp server we could apply a brute-force before to try to get access as the ftpuser.

Last updated

Was this helpful?