[OSCP Practice Series 48] Proving Grounds — Depreciated
Machine Type: Linux
Initial
A regular Linux machine.
I found some interesting commented code on the site.
<!--commenting the code until we fix the whole application-->
<!--<div class="row">-->
<!--<div class="col-lg-4 col-sm-offset-2">-->
<!--<div class="panel panel-primary">-->
<!--<div class="panel-heading">Login</div>-->
<!--<div class="panel-body">-->
<!--<div class="col-md-6">-->
<!--<form method="post" action="http://127.0.0.1:8433/graphql?query={login(username:$uname, password:$pswd)}" enctype="multipart/form-data">-->
<!--<div class="form-group">-->
<!--<label for="uname">Username</label>-->
<!--<input type="text" placeholder="username" name="uname" class="form-control"><br>-->
<!--<label for="pswd">Password</label>-->
<!--<input type="text" placeholder="password" name="pswd" class="form-control"><br>-->
<!--<button class="btn btn-primary" type="submit">Submit</button>-->
<!--</div>-->
<!--</form>-->
<!--</div>-->
<!--</div>-->
<!--<div class="panel-footer">-->
<!--<center>-->
<!--<p style="font-size:2em;color: black"> </p>-->
<!--</center>-->
<!--</div>-->
<!--</div>-->
<!--</div>-->
<!--</div>-->
Seems like there’s GraphQL we need to interact with. Let’s check port 5132.
This is interesting. Oh, they mentioned a CLI application. Let’s try to nc it.
We need OTP and username for it.
Let’s check port 8433:
Nice, let’s enumerate the GraphQL schema with introspection queries.
query={__schema{types{name,fields{name}}}}
query={__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}
Here we can see the parameters needed for the getToken function and the getOTP function.
Let’s try the listUsers function.
query={listUsers}
{"data":{"listUsers":"['peter', 'jason']"}}
We don’t know the uid, so we can’t use the getToken function.
query={getToken("uid":1)}
Let’s use the getOTP function instead, since we already know the username and we know we need an OTP to log in.
Now that we have the OTP, let’s log in via nc.
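The enumeration above is done with GET requests whose query parameter carries the GraphQL document, and the introspection reply nests argument types under ofType. The following is an added example, not code from the original writeup: it builds those requests, renders argument literals correctly (argument names are bare identifiers, so getToken(uid:1) rather than getToken("uid":1)), and parses a constructed introspection response offline. The argument names and types in the sample (uid for getToken, username for getOTP) and the root type name "Query" are assumptions modelled on the writeup, since its query did not fetch __schema.queryType.

```python
# Added example, not code from the original writeup: build the GET-style
# GraphQL requests used above and parse an introspection response offline.
import json
from urllib.parse import urlencode

# Constructed introspection response in the shape returned by the second
# query above (types -> fields -> args -> type/ofType). Argument names and
# types are assumptions based on the writeup: getToken takes a uid, getOTP
# a username. A real response carries many more built-in types.
SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {"types": [
    {"name": "Query", "fields": [
        {"name": "listUsers", "args": []},
        {"name": "getToken", "args": [{"name": "uid", "description": None,
            "type": {"name": None, "kind": "NON_NULL",
                     "ofType": {"name": "Int", "kind": "SCALAR"}}}]},
        {"name": "getOTP", "args": [{"name": "username", "description": None,
            "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
    ]},
    {"name": "String", "fields": None},
    {"name": "__Schema", "fields": [{"name": "types", "args": []}]},
]}}})

# The second introspection query from the writeup, as a reusable constant.
INTROSPECT_ARGS = ("{__schema{types{name,fields{name,args{name,description,"
                   "type{name,kind,ofType{name,kind}}}}}}}")


def graphql_get_url(base, query):
    """Encode a query as the ?query= GET parameter the commented form used."""
    return base + "?" + urlencode({"query": query})


def gql_literal(value):
    """Render a Python value as a GraphQL argument literal."""
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    return json.dumps(str(value))  # GraphQL strings use JSON-style quoting


def field_query(field, **args):
    """Build '{field(arg:value,...)}'. Argument names are bare identifiers:
    getToken(uid:1), not getToken("uid":1)."""
    if not args:
        return "{%s}" % field
    rendered = ",".join("%s:%s" % (k, gql_literal(v)) for k, v in args.items())
    return "{%s(%s)}" % (field, rendered)


def type_str(t):
    """Render an introspection type in GraphQL notation, unwrapping NON_NULL
    and LIST wrappers. A '?' means the query did not nest ofType deeply
    enough to reach the named type; request another ofType level."""
    if not t:
        return "?"
    if t.get("kind") == "NON_NULL":
        return type_str(t.get("ofType")) + "!"
    if t.get("kind") == "LIST":
        return "[" + type_str(t.get("ofType")) + "]"
    return t.get("name") or "?"


def query_fields(introspection_json, root_type="Query"):
    """Return {field: [(arg, type), ...]} for the root type. 'Query' is the
    GraphQL default root name and an assumption here."""
    types = json.loads(introspection_json)["data"]["__schema"]["types"]
    for typ in types:
        if typ["name"] == root_type:
            return {f["name"]: [(a["name"], type_str(a["type"]))
                                for a in (f.get("args") or [])]
                    for f in (typ.get("fields") or [])}
    return {}


if __name__ == "__main__":
    for name, args in query_fields(SAMPLE_INTROSPECTION).items():
        print(name, args)
    print(graphql_get_url("http://127.0.0.1:8433/graphql", INTROSPECT_ARGS))
    print(graphql_get_url("http://127.0.0.1:8433/graphql", field_query("listUsers")))
    print(field_query("getOTP", username="peter"))
```

Against a live target, the URLs printed by graphql_get_url are what goes into curl or a browser; if any argument type renders as "?", extend the introspection query with one more ofType{name,kind} level before trusting the output.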
Foothold
Seems like we got a shell, but can’t do anything. Let’s try Jason.
Wrong credentials. Hm. Let’s re-login as Peter.
When I typed ‘help’, a help menu appeared.
I read a message and gained some information:
- Peter has a weak password (peter@safe).
- There’s an outdated MySQL system running.
Let’s use the password to attempt to SSH as Peter.
We are in.
local.txt: f7de6437abc8d3eb1ff2d4156f0de199
We can’t sudo.
Getting Root
We can see the source code in the /opt directory.
There are messages and msg.json files, which would be very interesting to read, but we don’t have permission to access them.
While reading the messages.py file, I noticed an interesting comment.
There must be a flaw in the code that we can exploit. Immediately, I can see the flaw.
If I attempt to access /opt/depreciated/messaging/msg.json through it directly, the following happens:
- It checks whether /opt/depreciated/messaging/msg.json exists, which returns true.
- It reads the entire content of /opt/depreciated/messaging/msg.json and stores it in the ‘data’ variable.
- It takes the basename, which is ‘msg.json’, so the ‘basename’ variable ends up holding /opt/depreciated/msg.json.
- Finally, it writes the contents of the ‘data’ variable to the location held in the ‘basename’ variable.
Following this process, a file named msg.json should exist in the /opt/depreciated directory.
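The four steps above describe a read-then-write-to-basename routine that accepts any path and drops a copy into a fixed directory; because whatever runs it can read msg.json while peter cannot, the copy republishes a protected file. The writeup does not reproduce messages.py, so the following is an added reconstruction of that pattern, not the machine’s own code, placed beside a hardened version. It builds a throwaway tree under a temporary directory (the names messaging and msg.json mirror the writeup; the file contents are constructed), so it runs anywhere without touching /opt.

```python
# Added example, not the machine's messages.py (which the writeup does not
# reproduce): the read-then-write-to-basename pattern described above, next
# to a hardened version. Uses a temporary directory so it runs anywhere.
import os
import stat
import tempfile


def vulnerable_copy(src, dest_dir):
    """Reconstruction of the described flaw: if src exists, read all of it
    and write it to dest_dir/<basename(src)>. Nothing restricts where src
    may live, and the copy is created with the process umask, so when a
    privileged job runs this on a user-supplied path it republishes any
    file it can read into dest_dir."""
    if not os.path.exists(src):
        return None
    with open(src, "rb") as f:
        data = f.read()
    target = os.path.join(dest_dir, os.path.basename(src))
    with open(target, "wb") as f:
        f.write(data)
    return target


def hardened_copy(src, dest_dir, allowed_dir):
    """Same operation with checks the original lacks: the resolved source
    must sit under allowed_dir (symlinks followed), the copy is created
    owner-only (0600) so it never gains readers the source lacked, and an
    existing destination is never overwritten (O_EXCL)."""
    real_src = os.path.realpath(src)
    real_allowed = os.path.realpath(allowed_dir)
    if os.path.commonpath([real_src, real_allowed]) != real_allowed:
        raise PermissionError("%s resolves outside %s" % (src, allowed_dir))
    if not os.path.isfile(real_src):
        return None
    with open(real_src, "rb") as f:
        data = f.read()
    target = os.path.join(dest_dir, os.path.basename(real_src))
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def demo():
    """Lay out a throwaway tree shaped like the writeup and exercise both
    versions. Returns a dict of observations."""
    base = tempfile.mkdtemp()                    # stands in for /opt/depreciated
    msg_dir = os.path.join(base, "messaging")
    os.mkdir(msg_dir)
    secret = os.path.join(msg_dir, "msg.json")   # the file peter cannot read
    with open(secret, "w") as f:
        f.write('{"password": "constructed-value"}')  # constructed sample
    os.chmod(secret, 0o600)

    # Flaw: the copy lands at base/msg.json with default (umask) permissions.
    leaked = vulnerable_copy(secret, base)
    with open(leaked) as f:
        leaked_text = f.read()

    # Hardened: same file copies, but owner-only, into a separate directory.
    safe_dir = os.path.join(base, "safe_out")
    os.mkdir(safe_dir)
    safe = hardened_copy(secret, safe_dir, msg_dir)
    safe_mode = stat.S_IMODE(os.stat(safe).st_mode)

    # A path outside the allowed tree is copied by the flawed version and
    # refused by the hardened one.
    outside = os.path.join(base, "outside.txt")  # stand-in for any other file
    with open(outside, "w") as f:
        f.write("constructed")
    try:
        hardened_copy(outside, safe_dir, msg_dir)
        blocked = False
    except PermissionError:
        blocked = True

    return {
        "leaked_path": leaked,
        "leaked_text": leaked_text,
        "safe_private": os.name != "posix" or (safe_mode & 0o077) == 0,
        "outside_blocked": blocked,
        "vulnerable_copies_outside": vulnerable_copy(outside, base) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The source-path check alone would not have saved this machine, since msg.json legitimately lives in the messaging directory; the part that matters is that a privileged copy must not hand out a more permissive copy of what it reads, which is why the hardened version creates the destination with 0600 and refuses to clobber existing files.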
Nice. Now we can read the msg.json file.
We got a password. Maybe for joshua or for root. Let’s try.
9>XsS+&=Zn#AS9-@
Turns out, it is for root.
proof.txt: 4f33bbc0ef0e4fd2e7698639ae0841a4
Learned
- Refreshing simple GraphQL enumeration.