August 14, 2021•469 words
There are three open ports, including samba and a web server. Access to the server is limited by HTTP Basic Authentication, and brute forcing it right now is not a viable option. We first try to enumerate domains, shares and users through enum4linux. Fortunately enough, the box allows to log in using null sessions, so enum4linux is capable of giving us some juicy info, including two usernames.
We can try to brute force our access using these usernames either into samba or past HTTP Basic Authentication. I personally tried both but more threads can be spawned against HTTP and the brute force came to a successful login in reasonable time.
On the web server there is a search page that seems to browse the content of a directory on the box. Possibly, it is passing our input to a command on the box. There is some client side filter, easily avoid it using Burp to modify your requests. A working payload is structured as follows:
\"; <command>; echo \"
where my choice for <command> was:
<Python reverse shell base64 encoded> | base64 -d | bash
This way we obtain a shell on the box as the low privileged user www-data.
With some basic enumeration you should quickly notice that port 22 is open locally, meaning there is an SSH server that we couldn't access through our first scan of the box. Set up a port forward, my choice to do this was using socat and opening a new port on the target (not very stealthy, but quick and easy enough):
./socat tcp-l:33060,fork,reuseaddr tcp:127.0.0.1:22 &
Now you can try to brute force your way in using the two usernames (three, including root) that we know exist on the box. Hint: if you check the sshd_config you will notice only one user is allowed to access, so you can significantly reduce the number of attempts required to brute force access.
This brute force will, eventually, come to a successful login. You can now retrieve the first flag. Moving on, you should notice you now have sudo privileges: you can run a single binary as root, but at first sight it doesn't seem to be extremely useful. Move it to your attacking machine and analyze it with radare2, you should notice the "poweroff" function is called without specifying the full path. Go back and check sudo privileges: sudo is not using secure path! This means you can modify the existing PATH, create a "poweroff" binary that is just a copy of /bin/bash and execute the binary with sudo privileges. This will cause your custom function to get executed as root and you will get your well deserved root shell. Nice job!
As always, merry hacking!