[OSCP Practice Series 48] Proving Grounds — Depreciated

Ardian Danny
5 min read · Jan 30, 2024


Machine Type: Linux

Initial

A regular Linux machine.

I found some interesting commented-out code in the site's HTML source:

<!--commenting the code until we fix the whole application-->
<!--<div class="row">-->
<!--<div class="col-lg-4 col-sm-offset-2">-->
<!--<div class="panel panel-primary">-->
<!--<div class="panel-heading">Login</div>-->
<!--<div class="panel-body">-->
<!--<div class="col-md-6">-->
<!--<form method="post" action="http://127.0.0.1:8433/graphql?query={login(username:$uname, password:$pswd)}" enctype="multipart/form-data">-->
<!--<div class="form-group">-->
<!--<label for="uname">Username</label>-->
<!--<input type="text" placeholder="username" name="uname" class="form-control"><br>-->
<!--<label for="pswd">Password</label>-->
<!--<input type="text" placeholder="password" name="pswd" class="form-control"><br>-->
<!--<button class="btn btn-primary" type="submit">Submit</button>-->
<!--</div>-->
<!--</form>-->
<!--</div>-->
<!--</div>-->
<!--<div class="panel-footer">-->
<!--<center>-->
<!--<p style="font-size:2em;color: black"> </p>-->
<!--</center>-->
<!--</div>-->
<!--</div>-->
<!--</div>-->
<!--</div>-->

Seems like there is a GraphQL endpoint we need to interact with. First, let's check port 5132.

This is interesting: the banner mentions a CLI application. Let's connect to it with nc.

It asks for a username and an OTP.

Let's check port 8433:

Nice, the GraphQL endpoint is here. Let's enumerate it with introspection queries (passed as the query parameter to /graphql):

query={__schema{types{name,fields{name}}}}
query={__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}

Here we can see the arguments required by the getToken and getOTP functions.

Let’s try the listUsers function.

query={listUsers}
{"data":{"listUsers":"['peter', 'jason']"}}

We don't know any valid uid, so getToken is not useful yet. The call takes an integer argument, for example:

query={getToken(uid:1)}

Let's use the getOTP function instead: we already know the usernames from listUsers, and the CLI login on port 5132 wants an OTP.
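The enumeration steps above (introspection, listUsers, then calling a single field with arguments) can be scripted. The following is an added example written for this walkthrough; it is not code from the original post or from the machine. The introspection response embedded here is constructed to look like what the queries above return, and the field and argument names (listUsers, getOTP with a username argument, getToken with a uid argument) are assumptions modelled on the text, not a copy of the real schema.

```python
import ast
import json
import urllib.request
from urllib.parse import quote

# Same introspection query as used against port 8433 above.
INTROSPECTION_QUERY = (
    "{__schema{types{name,fields{name,args{name,type{name,kind,ofType{name,kind}}}}}}}"
)

# Constructed sample response (an assumption, shaped like a real introspection
# result). The argument types here are illustrative, not taken from the box.
SAMPLE_INTROSPECTION = json.dumps({
    "data": {"__schema": {"types": [
        {"name": "Query", "fields": [
            {"name": "listUsers", "args": []},
            {"name": "getOTP", "args": [
                {"name": "username",
                 "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
            {"name": "getToken", "args": [
                {"name": "uid",
                 "type": {"name": None, "kind": "NON_NULL",
                          "ofType": {"name": "Int", "kind": "SCALAR"}}}]},
        ]},
        {"name": "String", "fields": None},
        {"name": "__Schema", "fields": [{"name": "types", "args": []}]},
    ]}}
})


def type_name(t):
    """Unwrap NON_NULL / LIST wrappers into a readable type such as Int! or [String]."""
    if t is None:
        return "?"
    kind = t.get("kind")
    if kind == "NON_NULL":
        return type_name(t.get("ofType")) + "!"
    if kind == "LIST":
        return "[" + type_name(t.get("ofType")) + "]"
    return t.get("name") or "?"


def parse_introspection(raw):
    """Return {type: {field: [(arg, type), ...]}}, skipping the built-in __ types."""
    schema = json.loads(raw)["data"]["__schema"]
    out = {}
    for t in schema["types"]:
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        out[t["name"]] = {
            f["name"]: [(a["name"], type_name(a.get("type"))) for a in f.get("args") or []]
            for f in t["fields"]
        }
    return out


def parse_user_list(raw):
    """listUsers on this box returned a Python-style list inside a JSON string,
    so accept both a real JSON array and a stringified list."""
    value = json.loads(raw)["data"]["listUsers"]
    if isinstance(value, str):
        value = ast.literal_eval(value)
    return [str(v) for v in value]


def build_query(field, **args):
    """Render a selection like {getOTP(username:"peter")} with proper literals."""
    def lit(v):
        if isinstance(v, bool):
            return "true" if v else "false"
        if isinstance(v, (int, float)):
            return str(v)
        return json.dumps(str(v))  # double-quoted, escaped GraphQL string
    arglist = ",".join(f"{k}:{lit(v)}" for k, v in args.items())
    return "{" + field + (f"({arglist})" if arglist else "") + "}"


def build_url(host, port, query):
    """GET-style URL, matching the commented-out form's action (query in the URL)."""
    return f"http://{host}:{port}/graphql?query={quote(query)}"


def send_query(host, port, query, timeout=5):
    """Send one query and return the raw response body (not called in the demo)."""
    with urllib.request.urlopen(build_url(host, port, query), timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for typ, fields in parse_introspection(SAMPLE_INTROSPECTION).items():
        for name, args in fields.items():
            print(f"{typ}.{name}({', '.join(f'{a}: {t}' for a, t in args)})")
    print(build_url("127.0.0.1", 8433, build_query("getOTP", username="peter")))
```

Against the live target you would first run `send_query(host, 8433, INTROSPECTION_QUERY)` and feed the result to `parse_introspection`, then `parse_user_list(send_query(host, 8433, build_query("listUsers")))`, and finally build the getOTP call for each user found. Building queries with `build_query` rather than string concatenation keeps quoting correct when a username contains quotes or backslashes.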

Now that we have the OTP, let's log in through nc on port 5132.

Foothold

Seems like we got in, but can't do anything. Let's try jason.

Wrong credentials. Hmm, let's log back in as peter.

When I typed ‘help’, a help menu appeared.

I read a message and learned two things:

  • Peter has a weak password (peter@safe).
  • There’s an outdated MySQL system running.

Let's use that password to try SSH as peter.

We are in.

local.txt: f7de6437abc8d3eb1ff2d4156f0de199

We can't sudo with it.

Getting Root

The application's source code is in the /opt directory.

There are messages and msg.json files, which would be very interesting to read, but we don't have permission to access them.

While reading the messages.py file, I noticed an interesting comment.

There must be a flaw in this code that we can exploit, and it is visible immediately: the script takes a path, checks only that it exists, and then copies its content into a directory we can read.

If I point it at /opt/depreciated/messaging/msg.json directly, the following happens:

  1. It checks whether /opt/depreciated/messaging/msg.json exists (true), reads the whole file and stores the content in the 'data' variable.
  2. It takes the basename of the path, 'msg.json', and joins it to /opt/depreciated/, so the destination becomes /opt/depreciated/msg.json.
  3. Finally, it writes the content of 'data' to that destination.

Following this process, a copy named msg.json should now exist in /opt/depreciated, a directory we can read.
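To show why this pattern is dangerous, here is an added example (written for this write-up, not the machine's messages.py) that reconstructs the flawed export logic next to a hardened version. The helper names, the directory layout created under a temporary directory and the "secret" file content are all constructed assumptions; the point is the check that the original is missing: confining the source path to a directory the caller is allowed to read, resolving symlinks first, and not dropping the copy into a shared readable location with default permissions.

```python
import os
import tempfile


def vulnerable_export(path, base):
    """Hypothetical reconstruction of the flawed pattern: any existing path is
    read and its content written to base/<basename> with default permissions."""
    if not os.path.exists(path):
        raise FileNotFoundError(path)
    with open(path, "rb") as fh:
        data = fh.read()
    dest = os.path.join(base, os.path.basename(path))
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def hardened_export(path, base, allowed_dir):
    """Same operation, but the source must resolve inside allowed_dir and the
    copy is created with owner-only permissions and never clobbers a file."""
    real = os.path.realpath(path)          # follow symlinks before checking
    allowed = os.path.realpath(allowed_dir)
    if os.path.commonpath([real, allowed]) != allowed:
        raise PermissionError(f"{path} is outside {allowed_dir}")
    if not os.path.isfile(real):
        raise FileNotFoundError(path)
    with open(real, "rb") as fh:
        data = fh.read()
    dest = os.path.join(base, os.path.basename(real))
    # O_EXCL refuses to overwrite; 0o600 keeps other users from reading the copy.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o600)
    return dest


def demo():
    """Build a constructed layout mirroring the box (base/messaging/msg.json is
    the protected file, base/inbox is what a user may legitimately read) and
    exercise both versions. Returns a dict of outcomes."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "depreciated")
        secret_dir = os.path.join(base, "messaging")
        inbox = os.path.join(base, "inbox")
        os.makedirs(secret_dir)
        os.makedirs(inbox)

        secret = os.path.join(secret_dir, "msg.json")
        with open(secret, "w") as fh:
            fh.write('{"note": "constructed secret, stands in for the real msg.json"}')
        note = os.path.join(inbox, "note.txt")
        with open(note, "w") as fh:
            fh.write("hello")

        results = {}

        # Flawed version: the protected file is copied to base/msg.json.
        leaked = vulnerable_export(secret, base)
        with open(leaked) as a, open(secret) as b:
            results["vulnerable_leaks_secret"] = a.read() == b.read()

        # Hardened version refuses the same path because it lies outside inbox.
        try:
            hardened_export(secret, base, inbox)
            results["hardened_blocks_secret"] = False
        except PermissionError:
            results["hardened_blocks_secret"] = True

        # A symlink inside inbox pointing at the secret is also refused.
        link = os.path.join(inbox, "link.json")
        os.symlink(secret, link)
        try:
            hardened_export(link, base, inbox)
            results["hardened_blocks_symlink"] = False
        except PermissionError:
            results["hardened_blocks_symlink"] = True

        # Legitimate file in inbox still works.
        copied = hardened_export(note, base, inbox)
        with open(copied) as fh:
            results["hardened_copies_allowed"] = fh.read() == "hello"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The existence check in the flawed version is not an authorization check: a privileged helper that accepts any path will happily act as a file-copy oracle for whoever can invoke it. The hardened version decides where the source is allowed to come from before touching it, and it checks the resolved path so a symlink planted in the allowed directory cannot redirect the read.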

Nice. Now we can read the copied msg.json.

We got a password. It might be for joshua or for root. Let's try both.

9>XsS+&=Zn#AS9-@

Turns out, it is for root.

proof.txt: 4f33bbc0ef0e4fd2e7698639ae0841a4

Learned

  • A refresher on simple GraphQL enumeration and introspection.


Ardian Danny

Penetration Tester, Ethical Hacker, CTF Player, and a Cat Lover. My first account got disabled by Medium, but it won’t stop me from sharing the things I love.