Friday, 17 March 2017

Pluck w00t!

Time to Pluck!

Though a bit late, I decided to give this machine a try!

As with almost every machine, I began with arp-scan/netdiscover:

Once this is done, next I try to do a port scan on the host.

I began with the TCP scan while the slower UDP scans ran in the background.
Since port 80 was open, I ran nikto in another window.

After this was done, I moved on to check the banners on each service.

SSH didn't give any banner, and neither did MySQL or the LLMNR protocol, so I tried to enumerate the web service.

Just before I went to check the web service, I looked at the nikto results and they were interesting!

Now, this was very interesting, an LFI!!

Meanwhile I had also tried fuzzing the admin page on the web service, and it revealed SQL injection:

Now I had two vectors, so I thought let's begin with the LFI.

Requesting /etc/passwd through the LFI dumped all of its contents!!

But trying the LFI on other files like the Apache logs was not possible (permission issue??)
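As an added illustration from the defender's side (my own example, not code from the original walkthrough), here is a small Python checker that reads Apache access-log lines and flags the kind of traversal/LFI probe that nikto found above. The log lines are constructed sample data; it double-URL-decodes each request target so that encoded forms of ../ and /etc/passwd are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not taken from the original post).
SAMPLE_LOG = """\
192.168.137.10 - - [17/Mar/2017:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1043
192.168.137.10 - - [17/Mar/2017:10:01:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2214
192.168.137.10 - - [17/Mar/2017:10:01:09 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2214
192.168.137.10 - - [17/Mar/2017:10:01:15 +0000] "GET /index.php?page=/var/log/apache2/access.log HTTP/1.1" 403 289
192.168.137.10 - - [17/Mar/2017:10:02:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
"""

# Pulls method and request target out of the quoted request field of a combined/common log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Absolute paths whose appearance in a query string is almost always an inclusion attempt.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/")


def is_lfi_attempt(target: str) -> bool:
    """Return True if the decoded request target looks like a path-traversal / LFI probe."""
    decoded = unquote(unquote(target))  # double-decode to catch %252e-style evasion
    lowered = decoded.lower()
    if "../" in lowered or "..\\" in lowered:
        return True
    query = lowered.partition("?")[2]  # only the query string, so normal static paths don't match
    return any(p in query for p in SENSITIVE_PATHS)


def find_lfi_attempts(log_text: str) -> list:
    """Scan access-log text; return (client_ip, decoded_target) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if is_lfi_attempt(target):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, unquote(unquote(target))))
    return hits


if __name__ == "__main__":
    for ip, target in find_lfi_attempts(SAMPLE_LOG):
        print(f"LFI attempt from {ip}: {target}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's contents; the third sample line shows why decoding matters, since the raw line contains neither "../" nor "/etc/passwd".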

This was when something caught my eye... There was an entry in /etc/passwd called backup-user!

Moreover, there was a script associated with it!

Reading the same script revealed another gateway.

TFTP was going to come into the picture, but was it open? Dang! The nmap UDP scan showed me that port 69 for TFTP was open!

Next I just get the backup file!

Now, checking the backup.tar file, I see the /home directory. Looking further, there are SSH keys in paul's directory. I change the permissions on the keys and try all 4 private keys one by one.

Key number 4 works for me and I log in, but the login is not a shell but a command-line menu :D

Next, I look at the various options, but "Edit file" caught my eye! The editor was vi in this case, so I can do a shell escape sequence.

:set shell=/bin/bash
:shell

And I get an interactive session!

Next, priv escalation!

I see it's a very new kernel.
Searching exploits for this kernel gave me one DoS exploit, but that won't work. I have to r00t!

Checking file permissions, I see the setuid bit on exim! That could be one vector (maybe???)

However, I thought why not try kernel exploits, and dirtycow was a pure random guess!

And it worked!

w00t w00t!

And flag is captured!

Overall an awesome machine and very satisfying! Reminds me of my OSCP frustration days!

Thanks vulnhub 4 hosting and @ryanoberto for making this VM!

-n!ghtcr4wl3r

I picked up Sedna and these were the steps:

Like any machine, starting with arp-scan to first know the machine IP:

arp-scan -l

The machine got detected at 192.168.137.152

The next step was to run an nmap scan:

From here, I decided that I would be concentrating on port 80.

First checking the webpage:

I decided I shall have a peek at the robots.txt as well:

Going to /Hackers gave a 404 Not Found! Damn! :D

Meanwhile in background, I was running gobuster.

Doing web enumeration and checking the web page sources didn't reveal much!
I decided to check my gobuster results:

Manually enumerating the folders dirbuster pointed at, it quickly became clear that BuilderEngine was running.

Next, a searchsploit revealed exploit for arbitrary upload in BuilderEngine.

Seems BuilderEngine is vulnerable to arbitrary file uploads on the directory:
http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/

I uploaded a simple PHP reverse shell and received the reverse shell on my listener on port 443.

And I got the limited shell:

And the first flag :D

/var/html
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289

Privilege Escalation:

Among the world-writable files, one thing became very clear:

    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/systemd/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/hugetlb/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/perf_event/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/blkio/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/freezer/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/devices/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/memory/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpuacct/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpu/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpuset/cgroup.event_control
    -rw-rw-rw- 1 root root 0 Mar 16 11:09 /sys/kernel/security/apparmor/.access

The AppArmor .access file was writable.
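As an added example that is not part of either walkthrough, the following Python script does the file-permission audit behind both findings on this page: setuid binaries like exim on Pluck and world-writable files like the AppArmor .access entry here. It walks a directory tree, classifies regular files by the risky bit they carry, and skips /proc and /dev by default (but not /sys, because that is where the interesting entry above lived). The demo tree it builds is constructed sample data and the file names in it are placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Pseudo-filesystems whose entries are kernel interfaces rather than admin mistakes.
# /sys is deliberately not skipped: the apparmor/.access finding on this page lives there.
DEFAULT_SKIP = ("/proc", "/dev")


def classify(path: Path) -> Optional[str]:
    """Return 'setuid', 'setgid', 'world-writable' or None for one regular file."""
    try:
        st = path.lstat()  # lstat so a symlink is judged by itself, not its target
    except OSError:
        return None
    mode = st.st_mode
    if not stat.S_ISREG(mode):
        return None
    if mode & stat.S_ISUID:
        return "setuid"
    if mode & stat.S_ISGID:
        return "setgid"
    if mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit(root: str, skip_prefixes=DEFAULT_SKIP) -> Dict[str, List[str]]:
    """Walk root and group regular files by the risky attribute they carry."""
    findings: Dict[str, List[str]] = {"setuid": [], "setgid": [], "world-writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip_prefixes):
            dirnames[:] = []  # prune the walk below pseudo-filesystems
            continue
        for name in filenames:
            kind = classify(Path(dirpath) / name)
            if kind:
                findings[kind].append(os.path.join(dirpath, name))
    return findings


def build_demo_tree(base: str) -> None:
    """Create constructed sample files that mimic the two findings (placeholder names)."""
    files = {
        "suid-helper": 0o4755,      # setuid binary, like exim on Pluck
        "apparmor.access": 0o666,   # world-writable, like /sys/kernel/security/apparmor/.access on Sedna
        "normal.txt": 0o644,        # harmless control file
    }
    for name, mode in files.items():
        p = Path(base) / name
        p.write_text("x")
        os.chmod(p, mode)


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, audit it and return findings as sorted base names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        findings = audit(tmp)
        return {k: sorted(Path(p).name for p in v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

To audit a real box, call audit("/") instead of the demo; expect a handful of legitimate setuid binaries (su, sudo, passwd and the like) in the output, so the question to ask for each hit is whether it has a known local-root exploit and whether it needs the bit at all.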

Taking that as a clue, I first tried the overlayfs local exploit, as it involves the apparmor directory.

https://www.exploit-db.com/exploits/37292/

The exploit matched exactly with the kernel version and the release.

Running the exploit, it printed the output of all its fprintf statements but it failed.
Checking the C code, it seems there is no "su" file in /bin by default!

At this stage, I enumerated further on the misconfiguration side but could not find much...

So, back again I went to check more exploits for the kernel and the OS release.

The OS being 14.04 has another matching exploit:

https://www.exploit-db.com/exploits/36746/

For 14.04, the apport exploit worked just fine and a root shell was achieved.

And the next flag!

/root
cat flag.txt
a10828bee17db751de4b936614558305

There are two more flags, but I am lazy so I am going to skip those in this walkthrough...
(Maybe I will do that later...) :D