Sat. Oct 24th, 2020

Pentesting Fun Stuff

Katana

Introduction

Again a challenge from VulnHub.com, created by the same person as the previous two I did.
This challenge is rated “intermediate”, and the goal is to get access and retrieve the flag in /root.
As with the previous challenges, there is again a note about a rabbit hole.

Let’s get started with a port-scan.

From the scan it looks like there are several ports open.
There is an FTP server (port 21), an SSH server (port 22), several HTTP servers (ports 80, 7080, 8088 and 8715) and an SMB server (ports 139 and 445).

HTTP, HTTPS and a log-in section.
I’ll start with the low hanging fruit.

An additional nmap scan for the SMB section:

A DoS... not really useful here.

From a nikto scan on port 8715 I got info about credentials for the log-in section.

I can use these with a directory brute-force on the web-server behind port 8715.

Bummer. One thing worth remembering is to work from a checklist when pen-testing a system.
With numerous results like this, you can get excited about a find and forget to enumerate properly.
So I go back to the beginning and start with a full enumeration of the first server (port 80).

A content management system. There is an admin section.
A quick sqlmap scan shows there are probably no SQL injections possible.
After a while I move on to the next service.

Nothing worth checking.
On to the next.

Now this looks interesting. An upload section.
Let’s upload a test file.

Next we upload it.
And then there is a section that shows some additional information.

Nothing at http://10.0.0.16:8088/katana_test.txt, but the request gets redirected.
So now what? One of the other servers?

Found it. Now to upload a payload to get a reverse shell.
For this one, I use the PHP script from pentestmonkey.

It gets redirected. Now to browse to the file and execute it.

Time for some remote system recon.

For some basic information I transfer LinEnum.sh to the remote system.
In the wide forest of information there is something interesting to be found:

It looks like the Python 2.7 binary has the CAP_SETUID capability set (cap_setuid+ep).
But what does this mean? When we look at the permission bits set on this program, there is no SUID bit, so Python 2.7 doesn’t look like it can change its UID, right?

What are capabilities?
Linux’s thread/process privilege checking is based on capabilities.
They are per-thread flags that indicate which additional privileges the thread is allowed to use.
By default, root has all of them.

Here you can check out the entire list of capabilities for Linux.

If you want more information about Linux capabilities, you can go here.

According to GTFObins, Python can manipulate its process UID and can be used on Linux as a backdoor to maintain elevated privileges with the CAP_SETUID capability set.
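As an added defender-side example (not code from the original post), here is a small Python audit that parses `getcap -r /` output in both the older `path = caps+flags` and the newer `path caps=flags` format and flags binaries carrying identity-changing capabilities such as the cap_setuid found on python2.7. The sample getcap lines and the list of risky capabilities are my own constructed choices, not values from the box.

```python
import re
import subprocess

# Capabilities that let a binary change identity or bypass access checks; an
# interpreter carrying one (python2.7 with cap_setuid here) equals a SUID-root binary.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_setfcap"}

# getcap has printed two formats over the years:
#   older libcap:  /usr/bin/python2.7 = cap_setuid+ep
#   newer libcap:  /usr/bin/python2.7 cap_setuid=ep
_OLD_FORMAT = re.compile(r"^(?P<path>\S+) = (?P<caps>.+)$")
_NEW_FORMAT = re.compile(r"^(?P<path>\S+) (?P<caps>\S+=\S*)$")

# Constructed sample output (not captured from the Katana box) in both formats.
SAMPLE_GETCAP = """\
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/sbin/arping cap_net_raw=ep
"""

def parse_getcap_line(line):
    """Return (path, set of capability names), or None for a non-result line."""
    line = line.strip()
    m = _OLD_FORMAT.match(line) or _NEW_FORMAT.match(line)
    if not m:
        return None
    names = set()
    for clause in m.group("caps").split():
        # "cap_a,cap_b+eip" (old) or "cap_a,cap_b=eip" (new): names precede the operator
        body = re.split(r"[+=-]", clause, maxsplit=1)[0]
        names.update(c for c in body.split(",") if c.startswith("cap_"))
    return m.group("path"), names

def find_risky(lines):
    """Return [(path, sorted risky caps)] for each getcap line with a risky capability."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed:
            hits = sorted(parsed[1] & RISKY_CAPS)
            if hits:
                findings.append((parsed[0], hits))
    return findings

def audit_system():
    """Run `getcap -r /` (needs the libcap tools) and return its risky findings."""
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return find_risky(proc.stdout.splitlines())
```

Running `find_risky(SAMPLE_GETCAP.splitlines())` reports only python2.7, which is exactly the finding LinEnum surfaced on this box; `audit_system()` does the same against a live host.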

That worked! Now for the final step.

And there you have it.

Conclusion

An excellent challenge for honing your pen-testing skills.
The level of this machine was intermediate, and I really think that is accurate.
While getting in wasn’t that hard, Linux capabilities are something most people will overlook.
They are something programmers use, while non-programmers will miss them.

This was fun... on to the next.
