This is the 4th machine that I have done for my OSCP preparation. I learned some new tools for this one! So, let’s get into it!
First things first, the target machine is identified as 192.168.181.151 through an nmap scan with the -sn switch and the -oN switch to output the results to a file.
Using nmap to perform a version scan with the -sV switch, loading the default scripts with the -sC switch, and assuming all hosts are up with the -Pn switch reveals that a web server and SSH are running on the target machine. The results also show that a git repository is found with the hostname devguru.local.
Going to the web server on port 80 reveals a normal company website.
Performing directory brute-forcing with ffuf shows that a git repository is present and that .htaccess is accessible. A backend directory is also discovered by ffuf.
First of all, the /backend directory leads to an October CMS login page. Secondly, another page, /adminer.php, is discovered within .htaccess. adminer.php is Adminer, a web interface for managing a DBMS (database management system).
With all the gathered information, the hostname devguru.local is first added to /etc/hosts so that the git repository is accessible.
At this point I was stuck, but looking at other writeups revealed a new tool for me, GitTools. Within GitTools, gitdumper.sh is a bash script used to download as much as possible from the web server's .git directory when directory listing is disabled. Also within GitTools is another bash script called extractor.sh. This script will try to recover the contents of the commit.
Within the commit, one directory stands out: config. Within the config directory, database.php stands out, as a DBMS was discovered. Within database.php, the credentials for the DBMS were found.
Entering the credentials found on the login page of the DBMS grants access to it. The database octoberdb was found. Within the backend_users table, a record containing the credentials of the user frank was found, with a bcrypt-hashed password.
At first, I thought the password needed to be cracked so that I could log in to the CMS. However, I later found out that I already had access to the database, so I could just change the password to whatever I wanted. However, I needed to generate the bcrypt hash value for the new password.
Using the password password, the hash value for that password is generated. Then, within the DBMS, the password of the user frank is edited to the hash value generated above. Using the new password along with frank as the username gives me access to the CMS.
Knowing that a CMS is being used, I searched for exploits relating to October CMS and found an upload vulnerability. The proof of concept for exploiting this vulnerability is to upload files with extensions that are not listed in the blockedExtensions function and load the uploaded file through the URL above. After preparing a PHP reverse shell and uploading several PHP reverse shells with different bypass methods, it was discovered that this attack vector might not be viable.
Looking around the CMS platform, a place to edit PHP code was found. It can be recognised as PHP code because PHP arrays use the associative array syntax with square brackets. With that said, the function above is added to the index page of the website to execute system commands specified in the cmd parameter.
As a proof of concept that the exploit works, the ls command is used and a listing of the CMS working directory is printed out. Then, python3 --version is specified in the cmd parameter to check whether Python can be used as an entry point. Doing so reveals that Python 3 is present on the target machine.
With Python installed, a Python one-liner reverse shell from PentestMonkey can be used to gain a shell on the target machine. After setting up the listener and the listening port, the Python one-liner reverse shell is specified in the cmd parameter. From this, I was able to gain a shell on the target machine.
As normal privilege escalation goes, linpeas.sh is downloaded from the attacker's machine and made executable. After launching linpeas.sh, a backup file was found within /var/backups.
Printing out the file, another set of credentials to the DBMS was found. Logging into the DBMS, a database named gitea was found. Again, within the user table, the credentials of the user frank were found, and these values can be changed. Again, the bcrypt hash value for the new password password was generated. With the new hash value, the credentials were changed, with the password hash algorithm set to bcrypt and the rands and salt fields emptied. Logging in with the new password using the hostname on port 8585 gives me access to frank's Gitea account.
An entry vector here is to use Git Hooks. Git Hooks execute commands when a git operation is performed. For that reason, a new repository is created for this purpose.
According to (Atlassian, n.d.), the server-side hooks are defined as follows:
- pre-receive hooks execute every time a git push command is executed
- update hooks execute after pre-receive hooks
- post-receive hooks execute whenever a successful git push is executed
Using the post-receive hook, the above bash reverse shell is added and updated in the repository. For the reverse shell to work, the repository needed to be cloned. After configuring git and adding a file to the repository's folder, the updated folder is committed and pushed to the repository. In the background, a listener on port 9999 received a connection from the target machine.
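Because a server-side hook runs with the Git server's privileges on every push, a defender wants to know which bare repositories carry hooks that are not Git's default *.sample files. The audit below is an added example, not code from the write-up or from Gitea; it walks a constructed temporary tree of bare repositories (the "frank/..." names and the placeholder hook body are made up here) and reports every custom hook with its executable bit.

```python
import os
import stat
import tempfile

def find_custom_hooks(repos_root):
    """Walk a tree of bare repositories (the layout a Git server keeps on disk)
    and return (repo, hook, executable) for every hook file that is not one of
    the *.sample files Git installs by default. Files in hooks/*.d/ directories
    are included so wrapper-style layouts are covered too."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(repos_root):
        parent = os.path.dirname(dirpath)
        if os.path.basename(dirpath) == "hooks":
            hooks_dir = dirpath
        elif os.path.basename(parent) == "hooks":
            hooks_dir = parent
        else:
            continue
        repo = os.path.relpath(os.path.dirname(hooks_dir), repos_root)
        for name in filenames:
            if name.endswith(".sample"):
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            findings.append((repo, os.path.relpath(path, hooks_dir), executable))
    return sorted(findings)

def build_sample_repos():
    """Constructed fixture: two bare repos under a temp dir; only one of them
    carries a live post-receive hook (its body is a placeholder comment)."""
    root = tempfile.mkdtemp(prefix="hookaudit-")
    for repo in ("frank/site.git", "frank/empty.git"):
        hooks = os.path.join(root, repo, "hooks")
        os.makedirs(hooks)
        with open(os.path.join(hooks, "pre-receive.sample"), "w") as f:
            f.write("#!/bin/sh\n")
    hook = os.path.join(root, "frank", "site.git", "hooks", "post-receive")
    with open(hook, "w") as f:
        f.write("#!/bin/bash\n# constructed placeholder hook body\n")
    os.chmod(hook, 0o755)
    return root

if __name__ == "__main__":
    for repo, hook, executable in find_custom_hooks(build_sample_repos()):
        state = "executable" if executable else "not executable"
        print(f"{repo}: custom hook {hook} ({state})")
```

Run against a real server, point find_custom_hooks at the repositories root and baseline the wrapper hooks the hosting software itself installs; anything outside that baseline deserves a look.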
Within the home directory of the user frank, the user flag was found.
Using sudo -l to list the binaries the user can run with sudo reveals that sqlite3 is allowed to be run with sudo by the user frank.
Using GTFOBins, the above command shows how I can gain root through sqlite3. However, it does not work.
Using sudo -V shows the sudo version of the target machine. This is needed because, looking at sudo -l, root is not allowed to run sqlite3.
However, searching up the sudo version and exploits for it reveals that this rule can be bypassed with the command above (Paramasivam, 2019). Using the command addressed, replacing /bin/bash with sqlite3 gives me root privileges.
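The rule that let this happen is a Runas list written as an exclusion ("any user except root") on a sudo version (1.8.27, the one the referenced advisory names) where that exclusion does not hold. The checker below is an added example, not code from the write-up: it scans a constructed sudoers sample for '!' exclusions in the Runas field and rates each one against the sudo version you pass in; the user and command names in the sample are made up.

```python
import re

# Constructed sample of sudoers-style rules. The frank line mirrors the rule
# the write-up describes: sqlite3 may run as any user except root.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
frank   ALL=(ALL, !root) NOPASSWD: /usr/bin/sqlite3
deploy  ALL=(www-data) /usr/bin/systemctl restart nginx
"""

# user  host=(runas) [tags:] commands  -- enough for the common single-line form
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def runas_negation_rules(sudoers_text):
    """Return (user, runas, cmds) for every rule whose Runas list uses a '!'
    exclusion, i.e. rules that grant 'any user except ...' rather than naming
    the permitted target users explicitly."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        runas = match.group("runas")
        if any(part.strip().startswith("!") for part in runas.split(",")):
            hits.append((match.group("user"), runas, match.group("cmds").strip()))
    return hits

def audit(sudoers_text, sudo_version, last_affected="1.8.27"):
    """Rate each exclusion rule. On sudo versions up to last_affected (1.8.27 is
    the version the write-up's reference names) the exclusion does not hold and
    the finding is 'high'; on later versions it is still worth a 'review',
    because an explicit Runas list (as in the deploy rule) is the robust form."""
    vulnerable = parse_version(sudo_version) <= parse_version(last_affected)
    severity = "high" if vulnerable else "review"
    return [(severity, user, runas, cmds)
            for user, runas, cmds in runas_negation_rules(sudoers_text)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS, "1.8.27"):
        print(finding)
```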
Going to the home directory of the root user, the root flag was found.
In conclusion, this challenge taught me a new tool to use and gave me a refresher to check for more entry points when wanting to gain a shell. Also, there are some parts which I disregarded because I wouldn’t usually find any useful information inside those files such as the backup file found. So, in summary, this challenge taught me to CHECK EVERYTHING.
References
Atlassian. (n.d.). Git Hooks: Atlassian Git Tutorial. Atlassian. Retrieved March 29, 2023, from https://www.atlassian.com/git/tutorials/git-hooks
Paramasivam, M. (2019, October 15). Sudo 1.8.27 — security bypass. Exploit Database. Retrieved March 29, 2023, from https://www.exploit-db.com/exploits/47502