Starting Point Part 6: Included
I continue the SAGA to build our toolset and hone some processes.
I always begin by storing the IP address in a variable and I started with a masscan like before to get a quick down-and-dirty list of what's open:
Not much, but nmap didn’t give us too much more with:
Well we got Ubuntu running a web server with php. Good start I guess. It looks like I can specify which php file using the parameter? Let’s test that right off the bat: curl $IP/?file=index.php > index1.php; curl $IP/?file=index2.php; diff index2.php index.php. So it isn’t that easy, but I had to try! However, can I do directory traversal with this? That should be easy to check, but we don’t know how far to go up. A quick bash script can get the job done. First, how long is the file we expect? Then we can just loop through and find one that isn’t that length.
And looky there, we got a winner with more wordcounts! Looks like going up 4 is what did it.
So there is the users for the box and that last one sticks out to me…tftp? Did we miss that service? Well, i know that tftp operates on UDP not TCP so our nmap/masscan for TCP wouldn’t have found it anyway. Let’s go check to see if it is alive:
Yup, there it is. Let’s see if it works. It does! So what do we know so far…we know that we have php running on the webpage, we have a way to upload a file using tfp, and we know where it will store it based on the directory inside of the /etc/passwd file (unless some configuration was changed). Let’s just try it and see if it works. I’ll just grab a default php webshell out of the webshells repo on kali and try that. If you haven’t used sed before, its a quick win instead of modifying files with a program. Saved me a few times on those crappy shells that I can’t upgrade.
And nice, we got a reverse shell back and have upgraded to a tty shell as www-data. Well, we could enumerate manually or grab a drink and let automation do the searching for us. I’ll pick the latter and get linpeas going. You can either use tftp to upload that too, or host it and do a curl…either is easy. After watching it all scroll by, search back to the top and take note of anything interesting. Not too much here, just that a user “mike” has been active, is part of some good groups and looks to have a container started. There are some ports we didn’t get on nmap, such as port 8000 and 7890 that could be a vector if ran by someone else. Not much else misconfigured according to linpeas. Since the last boxes did credential reuse, let me try these before I go for some more complicated stuff using su mike. Yup, these team is horrible about password reuse!
So we already ran linpeas and there was a few things about mike that stuck out.
So root switched to mike to run the lxc command (which mike is in that group to start containers). Let’s validate what is running:
Okay, so how can we attack this? I don’t want to kill the one running, I may kill myself and lose my connection and I can’t start a new one. Let’s go check google. It returns this article that looks promising: https://steflan-security.com/linux-privilege-escalation-exploiting-the-lxc-lxd-groups/. So I follow the steps and see what happens:
After following the directions to detail, I get this “Permission denied” at the end of it. Rats. Reading until the end of the article, it indicates that there is an error we have to fix and when I try to recompile it fails due to a compression problem. Continue reading and it states that there is one already made on github! Dang, “reading saves lives” as a friend of my always says. https://github.com/initstring/lxd_root gives the container and bam! a quick “sudo bash” gives us a root shell.
So what did we learn from this box? UDP matters! Don’t forget about those guys, they got some value. If you haven’t messed with linux containers before, here as a very quick intro to it. Hope you expanded your techniques and I’ll see you on the next box!