[THM] : Hacker Vs Hacker Walkthrough

4 min read · Jan 31, 2023

Initial Recon

# Nmap 7.92 scan initiated Tue Jan 31 19:54:16 2023 as: nmap -sV -sC -v -T4 -oN nmap.txt 10.10.235.249
Nmap scan report for 10.10.235.249
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9f:a6:01:53:92:3a:1d:ba:d7:18:18:5c:0d:8e:92:2c (RSA)
| 256 4b:60:dc:fb:92:a8:6f:fc:74:53:64:c1:8c:bd:de:7c (ECDSA)
|_ 256 83:d4:9c:d0:90:36:ce:83:f7:c7:53:30:28:df:c3:d5 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: RecruitSec: Industry Leading Infosec Recruitment
|_http-favicon: Unknown favicon MD5: DD1493059959BA895A46C026C39C36EF
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 31 19:54:54 2023 -- 1 IP address (1 host up) scanned in 38.02 seconds
In this challenge we walk through a box that has already been hacked. The application running on port 80 contains a CV upload field, but when I tried uploading any file I got the following error.

It seems the attacker had already uploaded a shell through this endpoint. Content discovery turned up the following directories and files.

.htaccess               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 350ms]
.htpasswd.php [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 3615ms]
.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 4622ms]
.htaccess.php [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 4623ms]
css [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 252ms]
cvs [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 250ms]
dist [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 251ms]
images [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 195ms]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 179ms]
upload.php [Status: 200, Size: 552, Words: 67, Lines: 19, Duration: 178ms]
:: Progress: [40938/40938] :: Job [1/1] :: 222 req/sec :: Duration: [0:03:45] :: Errors: 0 ::

I ran content discovery again on the cvs/ directory with the .pdf.php extension and found shell.pdf.php. The attacker had used a common filter bypass.

I downloaded a reverse shell onto the remote box using wget and obtained a reverse shell as www-data.

After looking through the files on the remote server, I found a .bash_history file in lachlan's home directory that contained the SSH credential.

I tried logging in to the lachlan account over SSH, but something kept disconnecting the session.

The attacker had edited /etc/cron.d/persistence. There is a cron job that kills every /dev/pts session. Every binary is called by its absolute path except the pkill command.

$ cat /etc/cron.d/persistence
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done

So I bypassed the cron job by executing /bin/bash directly as the SSH command: no pty is allocated that way, so there is no /dev/pts session for the job to kill.

ssh lachlan@10.10.134.249 /bin/bash

As we can see, the PATH variable in /etc/cron.d/persistence starts with /home/lachlan/bin, so we can create a fake pkill script in that directory and have the cron job execute any command we like as root.
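The misconfiguration above (a PATH that puts a user-writable directory first, plus a command called without its absolute path) is easy to scan for. The following is an added example, not code from this walkthrough or from TryHackMe: a small Python audit that parses a cron.d file, tracks its PATH assignments, and reports every relative command name in a job whose PATH contains directories outside a trusted set. TRUSTED_DIRS and the sample file are my assumptions; on a live host you would also check ownership and write permissions of each PATH directory.

```python
import re

# Directories a system cron job may legitimately resolve commands from (assumption).
TRUSTED_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}
SHELL_KEYWORDS = {"do", "done", "if", "then", "else", "elif", "fi", "while", "until"}
# After any of these separators the next word is in command position.
SPLIT_RE = re.compile(r"&&|\|\||;|\||`|\$\(|\)")

def command_names(cmdline):
    """Return the command words a crontab command string invokes (best effort)."""
    names = []
    # Drop 'for VAR in' so the loop variable is not mistaken for a command.
    for segment in SPLIT_RE.split(re.sub(r"\bfor\s+\w+\s+in\b", "", cmdline)):
        for word in segment.split():
            if word in SHELL_KEYWORDS or re.fullmatch(r"[A-Za-z_]\w*=.*", word):
                continue            # skip shell keywords and VAR=value prefixes
            names.append(word)
            break                   # only the first real word is the command
    return names

def audit_cron_file(text):
    """Return (line, command, untrusted_dirs) for relative commands in jobs with an untrusted PATH."""
    findings = []
    path_dirs = ["/usr/bin", "/bin"]            # what cron uses when no PATH is set
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        env = re.fullmatch(r"([A-Za-z_]\w*)=(.*)", line)
        if env:
            if env.group(1) == "PATH":
                path_dirs = env.group(2).strip('"').split(":")
            continue
        # cron.d format: five time fields (or one @keyword), a user, then the command
        nfields = 3 if line.startswith("@") else 7
        fields = line.split(None, nfields - 1)
        if len(fields) != nfields:
            continue
        untrusted = [d for d in path_dirs if d not in TRUSTED_DIRS]
        for name in command_names(fields[-1]):
            if "/" not in name and untrusted:
                findings.append((lineno, name, untrusted))
    return findings

# Constructed sample: the persistence file from this walkthrough, cut to one job.
SAMPLE_CRON = """PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
"""
```

Running `audit_cron_file(SAMPLE_CRON)` reports line 3, `pkill`, resolved through the untrusted `/home/lachlan/bin`; the same file with `PATH=/usr/bin:/bin` produces no findings.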

Then I checked the /root directory, which was accessible by everyone, and it gave up the root flag for the challenge.
