Expose
Use your red teaming knowledge to pwn a Linux machine. - by 1337rce
The following post by 0xb0b is licensed under CC BY 4.0
Scanning the target with Nmap reveals five open ports, each running a different service: FTP on port 21, SSH on 22, DNS on 53, a web server on 1337, and an MQTT broker on 1883.
While enumerating the services, we find nothing of interest on ports 53 and 1883. A directory scan with Gobuster against the web server on port 1337 turns up some interesting paths: two admin login portals, one of which is likely the real one, and a phpMyAdmin page.
Running a second directory scan on /admin_101 reveals more interesting directories than on /admin. Combined with the fact that the username field is prefilled, this suggests that /admin_101 is the correct login portal. A brute force attack with the given username hacker@root.thm did not lead to any results; instead, an SQL injection vulnerability might be present.
For a quick check, we capture the HTTP request while trying to log in and reuse it in SQLMap.
By running SQLMap with the captured request, we are able to dump the database.
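As an added example (not part of 0xb0b's write-up or the challenge's code), here are the two query styles behind a login form like this one, written in Python with an in-memory SQLite table standing in for the portal's database. The table, the stored row and the function names are constructed for the demonstration; the point is that SQLMap finds the first shape and has nothing to work with in the second.

```python
import sqlite3

# Example code added for illustration; not the portal's real code or data.
# The table and the stored password are constructed placeholders.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("hacker@root.thm", "placeholder-password"))
    conn.commit()
    return conn

def login_vulnerable(conn, email, password):
    """String-built query: the input becomes part of the SQL text.

    This is the shape of bug SQLMap probes for. Storing the password in
    clear text, as this table does, is why a dump yields usable credentials.
    """
    query = ("SELECT email FROM users WHERE email = '%s' AND password = '%s'"
             % (email, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, email, password):
    """Parameterised query: values travel separately from the SQL text,
    so quote characters in the input are data, never syntax."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None
```

The fix is the bound parameters in login_safe; the second improvement the dump points at is hashing stored passwords instead of keeping them in clear text, so that even a successful dump does not hand out a working login.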
We retrieve some interesting information. For the user hacker@root.thm we get a password in clear text; using it on the admin portal does not lead to anything of interest. Besides the credentials, the config table stores two URLs that we could not discover via Gobuster, along with a password or password hint for accessing each of them.
For /file1010111/index.php we get a simple MD5 hash, which might be crackable. For /upload-cv00101011/index.php we only get a hint that the password is the username of the machine, starting with the letter Z.
Using CrackStation we crack the hash easily and obtain a password.
Next, we visit /file1010111/index.php.
By providing the password, we get a hint to fuzz for parameters. Without checking anything further, we visit /upload-cv00101011/index.php.
The page /upload-cv00101011/index.php also hints that the password is the name of the machine user starting with the letter Z. We attempt to brute force the username with Burp Suite. While that runs, we check out /file1010111/index.php again.
Looking at the page source of /file1010111/index.php, we get another hint to try file or view as GET parameters. Given the URL, this looks like a page for viewing files on the system, so a local file inclusion vulnerability might be present.
For a simple check, we use ?file=index.php to test for local file inclusion. Upon calling http://10.10.118.26:1337/file1010111/index.php?file=index.php and providing the cracked password, we see that the page content is now rendered multiple times, because the script includes itself. An LFI is present.
Since we need the machine's username to access the other page, we try to read the /etc/passwd file through the LFI. By requesting http://10.10.118.26:1337/file1010111/index.php?file=../../../../etc/passwd we are able to enumerate the user zeamkish.
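As an added example, not the challenge's own index.php and not part of 0xb0b's write-up, this Python snippet shows the check such a file viewer needs before it includes anything named in the file parameter: resolve the requested path and confirm it still lies inside the directory the viewer is allowed to serve from, or better, only accept names from a fixed allowlist. The temporary web root, file names and the allowlist entries are constructed for the demonstration.

```python
import os
import tempfile

# Example code added to illustrate the fix; it is not the challenge's index.php.
# Paths, file names and contents below are constructed for the demonstration.

def safe_resolve(base_dir, requested):
    """Return the real path of `requested` if it stays inside base_dir, else None."""
    if "\x00" in requested:
        return None  # null bytes truncate paths in C-based runtimes
    base = os.path.realpath(base_dir)
    # join() discards base when `requested` is absolute; realpath() collapses '..'
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None  # traversal or an absolute path escaped the web root
    return target

def resolve_allowlisted(requested, allowed=("about.txt", "contact.txt")):
    """Stricter variant: only names from a fixed allowlist are ever included."""
    return requested if requested in allowed else None

def demo():
    """Build a throwaway web root and exercise both resolvers; returns the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        viewer = os.path.join(root, "file1010111")
        os.makedirs(viewer)
        index = os.path.join(viewer, "index.php")
        with open(index, "w") as fh:
            fh.write("<?php /* constructed placeholder */ ?>")
        return {
            "self": safe_resolve(viewer, "index.php") == os.path.realpath(index),
            "traversal": safe_resolve(viewer, "../../../../etc/passwd"),
            "absolute": safe_resolve(viewer, "/etc/passwd"),
            "nullbyte": safe_resolve(viewer, "index.php\x00.jpg"),
            "allowlist_ok": resolve_allowlisted("about.txt"),
            "allowlist_bad": resolve_allowlisted("../etc/passwd"),
        }
```

Of the two, the allowlist is the one to prefer for a page that only ever shows a handful of known files; the realpath check is the fallback when the set of files is open-ended.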
We head straight to /upload-cv00101011/ and provide the found user.
We are greeted with a file upload page.
Looking at the page source, we see a simple client-side upload filter in JavaScript that checks the file extension. Only JPG or PNG files are allowed.
For a simple test, we upload a picture of a cute cat and get the hint to look into the source code for the upload path. The first thought was to find the correct .php file via the LFI page, but we first checked the page source.
The files are stored in the /upload_thm_1001 folder, where we can see our cat picture.
Next, we make use of the pentestmonkey PHP reverse shell provided by revshells.com.
For a simple bypass, we name our shell evilcat.phpD.jpg. We capture the upload request in Burp Suite and change the letter D to a null byte. Alternatively, a breakpoint can be set in the JavaScript, a .php file uploaded, and the variable fileExtension changed in the console to contain 'jpg' instead of 'php'.
We change the byte in Burp and forward the request.
Next, we head to /upload-cv00101011/upload_thm_1001/, set up a listener, and see that our bypass was successful.
Upon calling our reverse shell PHP script, our shell connects. We are www-data.
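Both bypasses above work because the only check is the JavaScript in the browser, which a proxy simply skips. As an added example (not the challenge's upload handler and not part of 0xb0b's write-up), here is the server-side validation that closes the gap: reject null bytes in the name, judge the extension by the last suffix only, compare the file's magic bytes against that extension, and store the file under a random server-chosen name. The PNG and JPEG signatures are the real ones; the function names and sample inputs are constructed.

```python
import os
import secrets

# Example code added for illustration; not the challenge's upload handler.
# The magic bytes are the genuine PNG and JPEG signatures; all else is constructed.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

def validate_upload(filename, data):
    """Server-side checks the page's JavaScript filter cannot provide.

    Returns (accepted, reason_or_extension). Nothing here trusts the
    client's extension check, which an intercepting proxy removes entirely.
    """
    if "\x00" in filename:
        return False, "null byte in filename"
    name = os.path.basename(filename)                    # drop any directory part
    ext = os.path.splitext(name)[1].lstrip(".").lower()  # last extension only
    if ext not in SIGNATURES:
        return False, "extension not allowed"
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match extension"
    return True, ext

def stored_name(ext):
    """Random server-chosen name: the client's filename never reaches the disk."""
    return secrets.token_hex(16) + "." + ext
```

The remaining defence is configuration rather than code: keep the upload directory outside the web root, or configure the web server so that nothing in it is ever executed as a script, so that even a file that slips through is served as bytes and not run.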
For convenience, we upgrade our shell.
While enumerating the usual suspects like sudo -l or SUID binaries, we find nothing. We are not allowed to use find, which is odd; it might be a deliberate hint meant to stop us from finding SUID binaries. But taking a look at zeamkish's home directory, we see the flag, which we are not allowed to read, and the user's credentials stored in ssh_cred.txt.
We use the credentials to log in to the system via SSH as the user zeamkish. We land in zeamkish's home directory and can read the user's flag.
Checking again for interesting SUID binaries as the user zeamkish, we get a hit.
The editor nano has the SUID bit set. With that we can read and write files as root, beyond our own permissions. For a fast but harmful privilege escalation, we edit the /etc/shadow file and replace the password hash of the user root.
With openssl we generate the hash for our new password.
Next, we open /etc/shadow with /usr/bin/nano and insert our custom password hash.
After editing root's password, we can switch to root using su and providing our chosen password. Finally, we find the flag in root's home directory.
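The whole escalation rests on one misconfiguration: an editor with the SUID bit set. As an added example (not part of 0xb0b's write-up), this Python audit does what find -perm -4000 would, walks the filesystem, collects regular files carrying the setuid bit and reports any that are not on a baseline of expected SUID binaries. The baseline here is a constructed, deliberately short list for a Debian/Ubuntu-style host; a real deployment would take it from a known-good image and run the audit on a schedule.

```python
import os
import stat

# Example code added for illustration; not part of the original write-up.
# BASELINE is a constructed, incomplete allowlist of SUID binaries a stock
# Debian/Ubuntu host is expected to carry; build the real one from a clean image.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount",
}

def is_suid(mode):
    """True if the setuid bit is set in an st_mode value."""
    return bool(mode & stat.S_ISUID)

def audit(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode). Returns SUID files absent from the baseline."""
    return sorted(path for path, mode in entries
                  if is_suid(mode) and path not in baseline)

def scan(root="/"):
    """Walk `root` and yield (path, st_mode) for regular files.

    Covers what find -perm -4000 reports; run as root for full coverage.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode

if __name__ == "__main__":
    for path in audit(scan("/usr")):
        print("unexpected SUID binary:", path)
```

On the machine from this write-up the audit would flag /usr/bin/nano, which is exactly the finding that matters: any interactive editor, interpreter or shell with the setuid bit set is a full root compromise waiting for whoever gets a user shell, and the audit is worth alerting on rather than merely logging.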