Premise
In this walkthrough, we went over a Linux lab machine and demonstrated how to adapt and run a Python exploit to suit the purpose of the lab. Then we escalated privileges by reading the bash history file on the Linux target.
Machine Name: Fuel
Difficulty: Medium
Skills Learned
- Python Exploits
- Linux Privilege Escalation
- Bash history in Linux
Initial Reconnaissance and Vulnerability Identification
I started by scanning the “Fuel” machine and found that ports 22 (SSH) and 80 (HTTP) were open. When I checked out the web server on port 80, I saw that it was running Fuel CMS version 1.4. The version number was right there on the landing page, which is a big help in penetration testing.
Exploit Discovery and Modification
Knowing the version, I searched online for “fuel cms 1.4 exploit” and found two types of exploits: Remote Code Execution (RCE) and SQL Injection. I decided to go with the RCE exploit for this walkthrough.
The Python exploit script I downloaded needed a few tweaks to work correctly:
- I had to change the target URL from a local proxy address to the machine's actual IP address.
- I updated `raw_input` to `input` to make it compatible with Python 3.
- I also had to add `.parse` to `urllib` (using `urllib.parse`) for Python 3 compatibility.
- Since I wasn't using a proxy, I removed the proxy-related code.
- I made sure to enclose all the `print` statements in parentheses for Python 3.
- Finally, I had to troubleshoot and correct some variable names and assignments within the script.
Gaining Initial Access
After making the exploit executable and running it against the target machine, I was able to execute commands and get a limited shell. My next goal was to get a reverse shell, so I set up a Netcat listener. After a few connection issues and machine restarts (which can happen with online labs), I successfully established a reverse shell.
Privilege Escalation
The initial shell I got was as the user "moira". To escalate my privileges, I decided to check the bash history file (`.bash_history`). I navigated to the user's home directory and found the file.
When I looked at the file, I found that the system administrator had made a critical mistake. They had used `sshpass` to log into an SSH server and typed the root password in clear text right on the command line!
I used the password I found to try and switch to the root user with `su root`. The shell was a bit unstable, so `su` didn't work reliably. Instead, I decided to SSH directly into the machine as root using the password I found. After a few more connection problems, I was finally able to connect as root and confirm that I had full access.
Lessons Learned
- Security Best Practices: Never type confidential information like passwords in clear text on the command line. It can be exposed through your bash history.
- Application Updates: Always keep your applications and servers updated to the latest versions to protect against known exploits.
- Exploit Modification: It’s a good idea to be familiar with scripting languages like Python, Bash, Java, and JavaScript so you can understand and modify exploits to fit your needs.
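The first lesson above is the one the privilege escalation turned on: a secret passed as a command-line argument lands in `.bash_history` in clear text. As an added defensive example (not part of the original walkthrough), here is a small audit script that scans a shell history for that pattern, matching the `sshpass -p` case from the lab plus a few other common ways credentials end up on the command line, and reports each finding with the secret redacted. The pattern list and the sample history are my own constructions.

```python
import re
from pathlib import Path

# Each entry: a label and a regex whose group 2 captures the secret value.
# The sshpass case is the mistake found in the walkthrough; the others are
# my assumption about other common credential-on-the-command-line habits.
SECRET_PATTERNS = [
    ("sshpass -p", re.compile(r"(\bsshpass\s+-p\s*)(\S+)")),
    ("mysql -p", re.compile(r"(\bmysql\b.*?\s-p)(\S+)")),
    ("curl -u user:pass", re.compile(r"(\bcurl\b.*?\s(?:-u|--user)\s+\S+?:)(\S+)")),
    ("exported secret", re.compile(r"(\bexport\s+\w*(?:PASS|SECRET|TOKEN)\w*=)(\S+)")),
]

def find_credential_leaks(lines):
    """Return (line_number, label, redacted_line) for each history line that
    passes a secret as a command-line argument. The secret is replaced with a
    marker so the finding can be logged without re-exposing it."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for label, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                redacted = line[:m.start(2)] + "<REDACTED>" + line[m.end(2):]
                findings.append((lineno, label, redacted.rstrip("\n")))
                break  # one finding per line is enough
    return findings

def scan_history_file(path):
    """Scan a shell history file such as ~/.bash_history; a missing file
    yields no findings rather than an exception."""
    p = Path(path)
    if not p.is_file():
        return []
    return find_credential_leaks(p.read_text(errors="replace").splitlines())

# Constructed sample history, modelled on the mistake in the walkthrough.
SAMPLE_HISTORY = [
    "ls -la",
    "sshpass -p Hunter2! ssh root@10.0.0.5",
    "cd /var/www",
    "mysql -u app -pS3cretDB app_db",
    "export API_TOKEN=abc123",
    "cat /etc/hostname",
]

if __name__ == "__main__":
    for lineno, label, redacted in find_credential_leaks(SAMPLE_HISTORY):
        print(f"line {lineno}: {label}: {redacted}")
```

Run it against each user's history file as part of a host audit; any hit is a credential that should be rotated, not just deleted from the file.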
Technical Commands
Here are some of the commands I used in the video:
- `ls`: To list the contents of a directory.
- `chmod +x [exploit_name]`: To make the exploit script executable.
- `python3 [exploit_name]`: To execute the Python exploit script.
- `id`: To display the user and group IDs of the current user.
- `pwd`: To print the current working directory.
- `nc -lvp 4545`: To set up a Netcat listener.
- `sudo nano [filename]`: To open a file for editing.
- `cd [directory]`: To change the current directory.
- `ls -la`: To list all files and directories, including hidden ones.
- `cat .bash_history`: To display the content of the bash history file.
- `su root`: To switch to the root user.
- `python -c 'import pty; pty.spawn("/bin/bash")'`: To spawn a more interactive TTY shell.
- `ssh root@[IP_Address]`: To initiate an SSH connection as the root user.
- `ping [IP_Address]`: To test network connectivity.