Target Experience:
My observations while working this target:
· Enumeration: Life-like
· Vulnerabilities: Life-like
· Exploitation: Life-like
· Difficulty: Easy/Medium
· Community Notes: OSCP-like
Tools:
The recommended tools for this lab were:
· Nmap
· Dirb
· Nikto
· Browser
· Web Server
· NetCat
· Python Shell
· LinEnum.sh
Vulnerabilities:
The following vulnerabilities were found:
· Parameter Tampering
· SQL Injection
· Misconfiguration
· Local Privilege Escalation (2x)
Information Gathering:
Starting off with the usual Nmap scan, I performed a scan for service version detection, OS detection, script scanning, and traceroute.
With TCP Port 80 open, I used dirb and Nikto to can the target.
With dirb and Nikto scans completed, I decided to investigate the web site.
Continuing to investigate, the only interesting information found was at the /rooms-suites.php page.
Clicking on the Book Now! icon revealed a parameter that was present for each of the 6 rooms available.
Next, I decided to try some parameter tampering by replacing the room number with a ‘.
Foothold:
Seeing that I could tamper with the parameters, I decided to use sqlmap to determine if there was a database; where I could utilize SQL Injection.
After discovering the 7 databases, I went right after the mysql database to obtain credentials.
Next, I decided to dump the users table from the mysql database.
Interesting, there were no tables found. At this point, I decided to enumerate the hotel database and ran into a bit of a stumbling block. It appeared that I was banned due to be aggressive with sqlmap.
After the ban was lifted, I resumed enumerating the hotel database.
At this point, I decided to see if I could get a shell with the SQL Injection.
To improve the shell, I uploaded a PHP CMD script to the target web server. In addition, uploaded decided to create a bash script from https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh to help further enumerate the target. So, I started a Python HTTP Server on my attacker system and uploaded the files.
With the files uploaded, I started a NetCat listener on TCP Port 8080 of my attacker system. I then returned to the browser and connected to /cmd.php; where I entered a Python reverse shell command into the field box and the selected submit.
With the reverse shell established, I decided to upgrade the shell using a Python3 script.
Privilege Escalation (Pepper):
With the foothold firmly established, I decided to enumerate the target. So, I went to the user directory and reviewed the user.txt file.
Interesting. I then decided to do some light enumeration; where I found that the user pepper could launch the simpler.py script without a password as sudo.
I decided to review the script and noticed that there were provisions against escaping the script.
Next, I performed a search and found the following site to aid with trying to escape the script.
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
With the newly found information, I decided to launch the script to determine my options. The -p flag seemed to be the best option to escape the code since it was utilizing the underlying ping command.
Note: I struggle with escaping the script due to creating my own rabbit hole. Instead of launching the script from within the directory, I issued a Python3 command followed by the script (Python3 simpler.py -p). The system interpreted that I was launching Python3 with elevated privileges versus the simpler.py with elevated privileges.
After running through the rabbit hole for what seemed like days, I got a little nudge and corrected my ways. I started a NetCat listener on my attacker system to listen on TCP Port 8081. I then correctly executed the simple.py script and established a new elevated privileged shell.
With the reverse shell established, I decided to upgrade the shell using a Python3 script and then obtained the User Flag.
Privilege Escalation (Root):
Having obtained pepper’s privileges, I decided to further enumerate the target to determine how I could privilege escalate to root. So, I ran LinEnum.sh and reviewed the data.
Reviewing the data, I saw that pepper had execute privileges to /bin/systemctl. this was clearly a misconfiguration and should have been added to /etc/sudoers file instead.
Next, I turned to the Internet to research how I could exploit this misconfiguration. I found the a few details regarding SUID and systemctrl.
Knowing that pepper had execute privileges, I used the following to create and execute a service that would exploit the system to root.
I validated the new shell by executing whoami and id.
Lastly, I changed directories to root and reviewed the Root Flag.
References:
https://gtfobins.github.io/gtfobins/systemctl/
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.
