Mustacchio

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.193.190

Just in case, let's also run a scan on all ports.

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22, 80 and 8765

  • (-oN nmap): Saving the output into a file called nmap

nmap -sV -sC -p 22,80,8765 -oN nmap 10.10.193.190

Enumeration

Port 80: HTTP

Let's visit the site on port 80.

It's a well-made website. Let's run a gobuster scan.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.193.190/

There is an interesting directory called custom; let's check it out.

We have two folders. After checking them out, the js folder has something interesting.

Let's download this users.bak file; I think it has credentials, so let's see what type of file it is.

It's a SQLite file, so let's open it with sqlitebrowser.

sqlitebrowser users.bak

Looking through the database, we can see the hashed password for the user admin.

Let's crack it. First save the hash in a file called hash, then use John the Ripper to crack the password.

We have the password, but nowhere to log in with it, so let's check the other HTTP service running on the machine.

Port 8765: HTTP

We have a login page; let's log in with the credentials we just found.

It asks us to submit a comment, so let's do that.

We cannot clearly see what is happening, so let's capture the request in Burp and check what is going on in the backend of this website.

Let's send it to Repeater so that we can test different requests, then submit the request.

OK, we have several interesting things to look at:

  • We have a username, Barry

  • The URL /auth/dontforget.bak

  • The POST parameter is called xml

  • The function checktarea

First let's look at the /auth/dontforget.bak file.

OK, it contains XML. Let's check whether the comment endpoint is vulnerable to XXE.

Exploitation

We can see that it is vulnerable. Now let's try to read the id_rsa file.

Once we submit this, we get a response.

It's a private key. Let's copy it; it is easier to copy from the page source.

Once it is saved in a file called id_rsa, let's crack its password (the key passphrase) using John the Ripper.

Now we have the password for the user barry, so let's log in through SSH. But first we need to set the right permissions on the id_rsa file.

We can read the user.txt file.
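The XXE step above works because the comment endpoint accepts a DTD in the submitted XML and resolves the external entity. As an added, defender-side example (not the room's own backend code), here is how a comment parser can refuse DOCTYPE declarations and external entities up front using only the Python standard library expat parser; the comment element names and sample inputs are constructed for the example, not taken from the room.

```python
"""Reject DTDs/external entities before parsing user-supplied comment XML.

Added example: a hardened counterpart to the vulnerable comment endpoint.
The <comment><name/><com/></comment> layout and the inputs are constructed.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when the submitted XML carries a DTD or an entity reference."""


def parse_comment(xml_bytes: bytes) -> dict:
    """Return {tag: text} for the direct children of the root element.

    Any <!DOCTYPE ...> aborts parsing, which removes internal and external
    entity definitions (the XXE vector) entirely. Parameter-entity processing
    is switched off and external references are refused as a second guard.
    """
    fields: dict = {}
    stack: list = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError("DTD/DOCTYPE declarations are not accepted")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity references are not accepted")

    def start(name, attrs):
        stack.append(name)
        if len(stack) == 2:          # a direct child of the root element
            fields[name] = ""

    def chars(data):
        if len(stack) == 2:          # expat may deliver text in several chunks
            fields[stack[-1]] += data

    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler = reject_doctype
    p.ExternalEntityRefHandler = reject_external
    p.StartElementHandler = start
    p.EndElementHandler = lambda name: stack.pop()
    p.CharacterDataHandler = chars
    try:
        p.Parse(xml_bytes, True)
    except expat.ExpatError as exc:   # malformed XML or an undefined entity
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return fields


def is_rejected(xml_bytes: bytes) -> bool:
    """True if the parser refuses the submission, False if it is accepted."""
    try:
        parse_comment(xml_bytes)
    except UnsafeXMLError:
        return True
    return False
```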

Privilege Escalation

Let's look for SUID binaries.

find / -perm -u=s -type f 2>/dev/null

The /home/joe/live_log file looks interesting, as it is not a common SUID file.

Let's look at what the file does.

It prints logs. Let's use the strings command to see more information about the file.

The highlighted lines look interesting.

Looking at it for a while, we can see that the tail command is used (without an absolute path) to show the content of the /var/log/nginx/access.log file. We can exploit this by creating our own tail binary and getting live_log to execute it, so that we get root on the machine. We do this by changing the PATH variable to the directory containing our tail.

Let's first make a file called tail in the /home/barry directory and add these lines of code.

Now let's give the file all permissions.

Now let's set the PATH variable to /home/barry, as the tail file is there.

Now, in theory, if we run the live_log file we should get root, so let's do that.

We are root, and we can also read the root flag.
