Mustacchio

Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):
nmap -Pn 10.10.193.190

Just in case, let's also run a scan on all ports.

Detailed Nmap Scan:
Command breakdown:
-sV: service version detection
-sC: default nmap scripts
-p 22,80,8765: the ports to scan
-oN nmap: save the output into a file called nmap
nmap -sV -sC -p 22,80,8765 -oN nmap 10.10.193.190

Enumeration
Port 80: HTTP
Let's visit the site on port 80.

It's a well-made website. Let's run a gobuster scan:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.193.190/

There is an interesting directory called custom, let's check it out.

We have two folders. After checking them out, the js folder has something interesting.

Let's download this users.bak file. It looks like it contains credentials, so let's see what type of file it is.

It's a SQLite file, let's open it with sqlitebrowser:
sqlitebrowser users.bak
Looking through the application, we can see the hashed password for the user admin.

Let's crack this. First save it in a file called hash, and then use john the ripper to crack the password.

We have the password, but we do not have a place to log in, so let's check the other HTTP service running on the machine.
Port 8765: HTTP

We have a login page, let's log in with the credentials we just found.

It is asking us to submit a comment, so let's do that.

We do not see clearly what is happening, so let's capture the request in Burp and check what is happening on the backend of this website.

Let's send this to Repeater so that we can test different requests, then submit the request.

OK, we have several interesting things to look at:
A username: Barry
A URL: /auth/dontforget.bak
The POST parameter is called xml
The function checktarea
First let's look at the /auth/dontforget.bak file.

OK, it contains XML. Let's check if the xml parameter is vulnerable to XXE.
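For the defending side, an added example (not part of the original write-up or the box) of how a comment endpoint like this one can stop XXE before parsing: it rejects any value of the xml field that carries a DOCTYPE, since that is the only place an external entity can be declared, and only then hands the document to the parser. The comment field names and the sample submissions are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample submissions (not taken from the box).
BENIGN = b"<comment><name>Barry</name><com>Nice site!</com></comment>"
# Classic XXE shape: an external entity declared in the DOCTYPE. The
# path is a placeholder, the point is the <!DOCTYPE ... SYSTEM ...> itself.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE comment [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>'
       b"<comment><name>Barry</name><com>&xxe;</com></comment>")
# An internal-only DTD is rejected too: the safe policy is "no DTD at all".
INTERNAL_DTD = (b'<!DOCTYPE comment [<!ENTITY e "x">]>'
                b"<comment><name>&e;</name><com>hi</com></comment>")


def has_dtd(doc: bytes) -> bool:
    """Return True if the document declares any DOCTYPE (internal or external).

    Expat fires StartDoctypeDeclHandler as soon as it reads the DOCTYPE,
    before any entity in the body is touched, so a later parse error
    (undefined entity, malformed XML) cannot hide the declaration.
    """
    parser = expat.ParserCreate()
    seen = {"dtd": False}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        seen["dtd"] = True

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(doc, True)
    except expat.ExpatError:
        pass  # malformed input is handled by the real parse below
    return seen["dtd"]


def parse_comment(doc: bytes) -> dict:
    """Parse a comment submission, refusing anything that carries a DTD."""
    if has_dtd(doc):
        raise ValueError("DOCTYPE/DTD is not allowed in comment submissions")
    root = ET.fromstring(doc)
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(parse_comment(BENIGN))
    for bad in (XXE, INTERNAL_DTD):
        try:
            parse_comment(bad)
        except ValueError as err:
            print("rejected:", err)
```

Logging the rejection with the source IP gives the same check a detection use: a DOCTYPE inside a comment form is never legitimate traffic for this application.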

Exploitation
We can see that it is vulnerable. Now let's try to read the id_rsa file.

Once we submit this, we get a response.

It's a private key, let's copy it. It is easier to copy from the page's source code.


Once it is saved in a file called id_rsa, let's crack its passphrase using john the ripper.

Now we have the passphrase for the user barry, so let's log in through SSH. But first we need to set the right permissions on the id_rsa file.

We can read the user.txt file.

Privilege Escalation
Let's look for SUID binaries:
find / -perm -u=s -type f 2>/dev/null

The /home/joe/live_log file looks interesting, as it is not a common SUID file.
Let's look at what the file is doing.

They are logs. Let's use the strings command to see more information about the file.

The highlighted lines look interesting.
Looking at them for a while, we can see that the tail command is used to show the content of the /var/log/nginx/access.log file. Because tail is called by name rather than by its full path, we can exploit this by creating our own tail binary and executing it so that we get root on the machine. We do this by changing the PATH variable to point at the directory we choose.
Let's first make a file called tail in the /home/barry directory and add these lines of code.

Now let's give the file all permissions.

Now let's set the PATH variable to /home/barry, as the tail file is there.

Now, in theory, if we run the live_log file we should get root, so let's do that.

We are root. We can also read the root flag.
