Mustacchio
Reconnaissance
Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)
Just in case lets run a scan on all ports
Detailed Nmap Scan :
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,80,8765
(-oN nmap): Saving it into a file called nmap
Enumeration
Port 80: HTTP
Lets visit the site on port 80
Its a well made website, Lets run a gobuster
scan.
There is a interesting directory called custom
, lets check it out.
We have two folders, after checking them out, the js
folder has something interesting
Lets Download this users.bak
file, it has I think credentials, so lets see what type of file it is.
Its a SQLite file, lets open this file with sqlitebrowser
Looking through the application, we can see the hashed password for the user admin
Lets crack this. First save it in a file called hash
, and then lets use john the ripper
to crack the password.
We have the password, but we do not have a place to login, lets check the other http page running on the machine
Port 8765: HTTP
We have a login page, lets login with the credentials we just found
It is asking us to submit a comment, lets do this.
We do not see what is happening clearly, so lets capture the request on burp
and check what is happening on the backend of this website.
Lets send this to repeater
so that we can test different requests. Lets submit the request.
Ok we have several interesting thing to look at.
We have a username
Barry
The URL
/auth/dontforget.bak
The POST parameter is called
xml
The function
checktarea
First lets look at the /auth/dontforget.bak
file
Ok, it contains xml. Lets check if it is vulnerable to XXE
Exploitation
We can see that it is vulnerable , now lets try to read the id_rsa
file
Once we submit this we get a response
Its a private key, lets copy it, we can copy it easier by going to the source code
Once saved in a file called id_rsa
, lets crack the password using john the ripper
.
Now we have the password for the user barry, lets login through ssh. But first we need to set the right permission for the id_rsa
file.
We can read the user.txt
file
Privilege Escalation
Lets look for SUID bits
.
The /home/joe/live_log
file looks interesting as it is not a common SUID
file.
Lets look at what the file is doing
They are logs, lets use the strings
command to see more information on the file.
The highlighted lines look interesting.
Looking at it for a while, we can see that the tail command is used to show the content of the /var/log/nginx/access.log
file, we can exploit this by creating our own tail binary, and execute it so that we can get root on the machine. We can do this by changing the PATH
variable to the directory we mention.
Lets first make a file called tail
in the /home/barry
directory and add these lines of code.
Now lets give the file all permissions
Now lets set the PATH
variable to /home/barry
as the tail file is here.
Now in theory if we run the live_log
file, we should get root, so lets do that.
We are root. We can also read the root flag.
Last updated