We covered a boot to root machine where we started with an Nmap scan to discover several open ports and services running such as FTP server, Apache web server and NFS file share. By mounting the NFS file share to our local machine we discovered plain text credentials which got us access to the FTP server.
Next we downloaded text files from FTP server, one included a note from the admin and the other included tenths of passwords. Because rate limiting is implemented on the server, we didn’t run brute force on the login form found on the web page rather we found that the PHPsession ID is computed using a combination of base64 and md5 hash that included the username and password of the logged on user.
We created a python script that iterates through the password list we found earlier, calculates the md5sum of the password, encodes it with base64 to find the session ID and tries it against the administration page.
This enabled us to find the correct password of the admin user along with the session ID. Next we achieved a reverse shell by chaining commands on the server status page and later on achieved privilege escalation by exploiting a misconfigured library path through sudo with the Apache process.
What is the root flag?
And then we go to word lists.
So we have this.
there is specified directory to which we gonna receive the mounts, which is mounted. So LS so we have mount. Mounted here and go to mount it.
Okay, that’s what we did. Oh, we used a shy very reserved and shoe 1300. Okay, password Isaac. We create a password for the user. So let the password be the same as the username. And now we have created the user. So sue are Jack and then LS c d mounted and we successfully navigated to the directory. Let’s start relay. So we have a notes Here for employees get for employees text and you can taste the username and password for the FTP server. So we’re gonna Go ahead and log in with this so exit. and then FTP SFTP user at Name or servers not known?
Let’s try this. FTP user the password doesn’t work. Let’s copy that again.
okay, we locked in at least a chalet and we have these files passwords list and from admin. Let’s download these files get from admin the text.
and get passwords
underscore list text
Okay. Now we have these Five Guys. I think they’re under wanted.
Okay. Yeah, these are the files that we have just downloaded. Let’s go ahead and take a look at the note. Okay from admin.
So all employees, this is admin speaking. I came up with a safe list of passwords that you all can use on the site these passwords do not appear on any word list I tested so far. So I encourage you to use them. Even me. I’m using one of those note to Rick. This is a user that we have discovered guys good job or limiting login attempts. It works like a charm this will prevent any future brute-forcing. So this node means we can’t use brute force to get access to the admin user.
The web server we have just uncovered and there is other note.
That there is either name username named Rick.
Alright, let’s take a look at the passwords.
Okay, so if we create a python script to go over all of these.
Perform the necessary decoding and hashing and maybe then we will be able to find the admin password or the admin cookie remember that the cookie here.
The original cookie was encoded in base64.
So we’re going to assume that if we create a python script that goes over all of these. Okay, perform the encoding and the hashing will be able to uncover the admin username. The admin has the cookie and the admin password after we of course perform and E5 hash on the password.
So Ellis name of session?
so in the script here, the first thing we Define is the oil they wanted we want to test is the URL that points to the administration page and the script mainly the first thing it does it will go over the password list. So the list we have just downloaded from the FTP server, right? So this list contains the passwords, but we don’t know which one is the correct one. So what to do we need to
I trade through every single one of these passwords. That’s the first thing here and that’s why we use the data variable to store these passwords and then we either it through every single one of them and we store it in the variable line. The first thing we do is to perform md5 checksum on the password.
Because that’s the formula remember and then we can calculate the mt5 checksum with the username. Admin.
Okay, after we have the password and username admin, we perform base64 and then we test we put the base 64 here as the session ID cookie in the headers. I will send it if we get access of a wicked a positive results. We will conclude that. This is the correct cookie in base64. I will be able to find out the corresponding passwords line and basics for us. Let’s go ahead and run this.
Okay, so what are all of this?
So these are the session IDs. Okay. Now the correct session ID was this one because it resulted in a positive result for a positive hit on the administration page. We were able to access it and this is the corresponding password from the list. This password was not computed was not found in a complex computation operation especially was just in the list, but we were able to find it because we perform the necessary.
Reputations on the md5 checksum and we tested on the administration page and it was a positive hit on this cookie. So we’re going to take this password and login.
So go back.
Okay, as you can see we were able to login go to Administration and we see we are able to access the administration panel and administration panel. We have a service service status Checker assumingly. It does it executes a system command, but we don’t know yet. What is this weird? We can just maybe do some estimation maybe on what on the kind of command? So for example systemctl could be the command used.
system city of observers not found active. It’s inactive.
So it is this is some kind that executes. So what we can do here we can perform command injection. So to retrieve retrieve I should back to the machine or to the attacker machine. So let’s go ahead and nclb be 44 45.
Okay, so this one sounds good.
Let’s go ahead and take this.
Alright first let’s see the IP address of this machine..
And here you’re going to face this temporarily and we’re going to copy the IP address.
10 10 12 42 43
Let’s make sure this is the correct IP. We don’t want to struggle with this later. 194 243. Okay. So now
We’re going to go ahead and take this.
So going back.
Yeah, I forgot. I’m an attacker machine. I thought I owned my virtual machine so bash. So here we went to type we want not only to execute this code will not work because it doesn’t correspond to the command the system expects. So here we’re not going to execute this alone because it’s not going to work. Obviously. We need to use the service or the command the system expects.
So here let’s use bash see.
and here double quotes
Of course the poor will 45 45.
sshd check on the service and
execute the next command execute.
Dear listener not running or going to execute those now 45 45 then going back here.
And this gave us the shell as dub dub data next thing you want to stabilize the shell so you’re gonna have to type TTY.
Okay, hello is fine. So we have a file here named config if we get config?
See their information about these are named. We just saw in the notes and administrator notes Rick and this is the parser so sue break.
And we grab the password and we’re able to escalate to the next user.
Okay. So today she’ll check on the Privileges of that user again paste the password as you can see guys Rick can run this command as as root without the need to provide the password and there is one thing to note here. We have environment reset enabled and we have environment keep is set to the load Library path. It means we can specify.
The locker defied to execute or to use when we run Apache. So usually the looks when you run an executable.
With sudo the next we’ll search for the corresponding Library path or Library file in the default Library path. Okay, if you are able to specify a custom Library path
Okay, Linux will be able or Linux will take the path we specify but for that to happen environment reset needs to be enabled and this is the case environment reset is enabled and we can specify the library path which means if we can specify the library path for this process. Okay, we can create a malicious Library file.
So here I have this in my notes. Let’s go back and use LD underscore. Yeah, LD preload and LD Library path
So basically we’re going to use this.
So let’s take this code.
And on my local machine or on the local machine here.
I’m going to create a file named.
Brave the sea
Beat the space this code save and next we’re going to compile this into a library file.
I think this is gonna be better if we combine this on the machine itself. So to be able to transfer this fart to the machine, we’re going to use net cut so and see.
That’s lvp. 4546.
Pretty good. See permission denied. Okay and see let me go back and find how to do that because sometimes
one mistake and the command won’t work. So we go to maybe Linux and check transfer.
Yep. So destination Port you can run this on the machine, but it is not working up. So 45 46 is upward that we are already using know and see LED 4547. We’ve let’s see.
Permission denied why?
And see the IP address is this.
Queen of the sea
Yeah, exactly. It’s not going to work with it listening running first.
But Rick cannot run and see for some reason.
if C permission denied
CD temp change directory
Maybe this will make things work.
Oh, okay. What now we send the file.
And we received the connection.
Okay, LS and prove the sea is here. Now. We’re going to compile it on the machine. So going back to Linux privileged escalation and in the underscore.
So that’s the command.
He was a brutal C.
Come on, no.
So g c Dash, oh, it’s going to be temp.
That’s shared if Pi C. Okay, and then let’s see.
After we compiled can I output file is a directory?
Going to be S 0 to 1 with the peso.
one and then the rest of the command follows
so we have this file here the next thing we want to use a party to run this file. So pseudo as you can see we specify the library path from which we’re going to choose the library file.
This goes here.
first to do
now the library file here guys.
It’s going to be defiled that we have created.
at the end
so it is private so that one.
Or I think we don’t need to specify this because it’s going to pick it up on its own.
Yeah, always specify the directory at the next thing we want to do is to run the command.
Okay, so that’s the command.
Okay, let’s remove this file.
I think we’re going to have to keep the name as the name is Library Crypt. Okay, it’s going to take this command one more time.
We will see.
We will see.
And then we’re going to run the same column or time try it again.
Wait on this one.
And as you can see the prompt changed from Rick to root and now we have successfully escalated privileges so CD to root.
And you conquered the machine. That’s it.
So guys that was it. I hope you do the video and definitely guys I will see you later.