Thu. Oct 22nd, 2020

Pentesting Fun Stuff

following the cyber security path…

SickOs: 1.2

This is another challenge on my OSCP list. You can find it here.

Enumeration

Starting with a port scan.

Webserver

On the landing page there is nothing but a picture, which after downloading hasn’t got anything special to it.

Nothing here…
The HTTP header says PHP, so let’s run a directory brute-forcer.

A test folder which appears to be empty. A quick check of the HTTP OPTIONS reveals that WebDAV is enabled.

Let’s try nmap to upload a PHP reverse shell script.

The upload worked, but after running the file from the browser there is no connection on my end. Something is blocking the outbound connection.
Taking a step back, I upload a simple PHP backdoor instead.

Ok…this works. Now to figure out why the reverse shell was not working.

After a few tries, it looks like outbound connections to port 443 are allowed. Now that I know which port allows a connection, I change my PHP reverse shell script to connect to port 443 and upload it again the same way as before. Starting a local listener and…

Getting a proper TTY.

PRIVILEGE ESCALATION

To look for some EoP vectors I transfer LinEnum.sh from my local machine to the remote machine using Netcat.

From this scan there is an interesting SUID file: /usr/bin/mtr. This site has some interesting information about MTR.

‘MTR is a network diagnostic tool that combines ‘ping’ and ‘traceroute’ into one program. A security vulnerability in the product allows execution of arbitrary code, and gaining of elevated privileges. It should be noted that MTR’s author does not recommend that the program be executed as setuid root.’

Unfortunately I can’t seem to get this exploit to work. So I turn my attention back to the LinEnum report.

The combination of kernel version and OS version is most likely a recipe for a known OverlayFS kernel exploit. But this is a very easy exploit and, because this machine is a few years old, I’m going to look for another way to escalate my privileges. If nothing else comes up, I can always fall back on this one.

When looking at the cronjobs listed there is a small deviation. All have the same creation date except for chkrootkit.

Because chkrootkit runs from cron as root, the file /tmp/update is executed as root, so whatever content is placed in that file runs with root privileges and effectively roots the box.

There are numerous things you can do, but as I only need to get into /root I create a file called update containing: chmod -R 777 /root.

After waiting some time…
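From the defender’s side, the conditions this post chains together are easy to audit: a root cron job that invokes chkrootkit, a /tmp/update file that a non-root user created or can modify, and setuid binaries such as mtr. The script below is an added example, not code from the original write-up; it assumes GNU coreutils (stat -c) on a Linux host, and takes its paths as parameters so it can be run against a constructed test tree.

```shell
#!/bin/sh
# Added example: audit for the chkrootkit cron / /tmp/update weakness and
# for setuid binaries. Not part of the original write-up. Requires GNU stat.

# Classify a candidate update file. Prints one of:
#   ABSENT        nothing present for a root cron job to pick up
#   RISK-OWNER    present but not owned by root (uid 0)
#   RISK-WRITABLE root-owned but writable by group or others
#   OK            present, root-owned, writable only by root
check_update_file() {
    f=$1
    [ -e "$f" ] || { echo ABSENT; return 0; }
    uid=$(stat -c %u "$f")      # owner uid
    mode=$(stat -c %a "$f")     # octal permission bits, e.g. 644 or 1777
    [ "$uid" = 0 ] || { echo RISK-OWNER; return 0; }
    # last two octal digits are group and other; 2,3,6,7 carry the write bit
    grp_oth=${mode#"${mode%??}"}
    case $grp_oth in
        *[2367]*) echo RISK-WRITABLE ;;
        *)        echo OK ;;
    esac
}

# Does any file under a cron directory mention chkrootkit? Prints yes/no.
cron_runs_chkrootkit() {
    if grep -rqs 'chkrootkit' "$1"; then echo yes; else echo no; fi
}

# Count setuid files under a directory (the post found /usr/bin/mtr there).
# Each hit deserves review; mtr's own author advises against setuid root.
count_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Combine the checks for a live host. Exit status 0 means no finding on the
# update-file/cron pair; setuid results are printed for manual review.
audit_host() {
    status=$(check_update_file "${1:-/tmp/update}")
    cron=$(cron_runs_chkrootkit "${2:-/etc}")
    echo "update file: $status; chkrootkit in cron: $cron"
    echo "setuid files under ${3:-/usr/bin}: $(count_setuid "${3:-/usr/bin}")"
    [ "$cron" = no ] || [ "$status" = ABSENT ] || [ "$status" = OK ]
}

# Run only when paths are given, e.g.: sh audit.sh /tmp/update /etc /usr/bin
[ $# -eq 0 ] || audit_host "$@"
```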

Conclusion

This was indeed a nice challenge to warm up for the OSCP exam. There are a few more challenges to undertake before I want to try out the OSCP exam.
Hopefully they will be as interesting as this one.
