[OSCP Practice Series 51] Proving Grounds — Catto

Ardian Danny
5 min read · Feb 5, 2024


Machine Type: Linux

Initial

Only port 8080 is open, so let’s do a full port scan.

Okay, now there are several ports open: 8080 HTTP, 18080 HTTP, 30330 HTTP, 36123 HTTP, 38439 Unknown, 42022 SSH, and 50400 HTTP.

Let’s check them one by one, starting with 8080.

Nothing interesting; let’s run Gobuster against it.

Hmm, a /download directory.

It immediately downloaded a file.

A zip file with the website’s source code inside. Nothing useful.

Let’s check port 18080.

An Apache test page. Let’s run Gobuster against it.

A /backup directory.

No interesting files there. Let’s check port 30330.

A Book Reviews app built with Gatsby. Hmm, let’s check port 36123 first.

Interesting. How about port 50400?

There’s a /service directory, but it is nothing. The /session endpoint is suspicious: it gives us a UUID.

70313908-2811-4aa3-999b-e8b43612013d

Okay, after checking all the apps, the most interesting one is definitely port 30330 because it is a working application. There are also several potential usernames available on it.

keralis
xisuma
zombiecleo
mumbojumbo
sabel
yvette
zahara
marcus
tabbatha
tabby

I didn’t find any other clues besides the app being built with Gatsby and TypeScript.

Foothold

Let’s actually look at what Gatsby is.

Okay, so it is using GraphQL.

Is there a way to interact with it? According to the official documentation (https://www.gatsbyjs.com/docs/tutorial/getting-started/part-4/), we can interact with it from /___graphql.

Nice! Now, this is something. While interacting with it, I found several interesting things.

I got a path disclosure revealing Marcus is one of the home users.

/home/marcus/gatsby-blog-starter/src/

I also queried “allSitePage” and discovered all paths in the application.

There are paths that aren’t linked anywhere on the site, such as /new-server-config-mc and /dev-404-page. However, /new-server-config-mc is the interesting one.

/dev-404-page
/new-server-config-mc
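As an added defender-side check (not part of the original writeup), the script below sends the same allSitePage query to a Gatsby site’s /___graphql endpoint, which is the development-only GraphiQL interface and should never answer on a production deployment, and reports the page paths and absolute source-file paths it would disclose; the `component` field is Gatsby’s SitePage schema field holding the absolute path of the page’s source file, and the sample reply is constructed, not captured from the box.

```python
import json
import urllib.request

# The same query the walkthrough ran by hand. `path` is each page's URL path and
# `component` the absolute path of the source file rendering it, which is where
# the /home/marcus/... disclosure comes from.
ALL_SITE_PAGE_QUERY = "{ allSitePage { nodes { path component } } }"
NOT_EXPOSED = {"exposed": False, "paths": (), "fs_paths": ()}


def parse_site_pages(response_body: str) -> dict:
    """Interpret a /___graphql reply: disclosed page paths plus absolute
    filesystem paths leaked through `component`."""
    try:
        doc = json.loads(response_body)
    except json.JSONDecodeError:
        return dict(NOT_EXPOSED)  # HTML 404 page, proxy error page, etc.
    data = doc.get("data") if isinstance(doc, dict) else None
    nodes = (data.get("allSitePage") or {}).get("nodes") if isinstance(data, dict) else None
    if not isinstance(nodes, list):
        return dict(NOT_EXPOSED)  # errors-only reply, or not Gatsby's dev schema
    nodes = [n for n in nodes if isinstance(n, dict)]
    paths = sorted({n["path"] for n in nodes if isinstance(n.get("path"), str)})
    fs_paths = sorted({n["component"] for n in nodes
                       if isinstance(n.get("component"), str) and n["component"].startswith("/")})
    return {"exposed": True, "paths": paths, "fs_paths": fs_paths}


def check_gatsby_graphql(base_url: str, timeout: float = 5.0) -> dict:
    """POST the query to <base_url>/___graphql, the dev-only GraphiQL endpoint a
    production Gatsby build should never serve, and report what it discloses."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/___graphql",
        data=json.dumps({"query": ALL_SITE_PAGE_QUERY}).encode(),
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_site_pages(resp.read().decode("utf-8", "replace"))
    except OSError:  # refused, HTTP error, timeout: the endpoint is not answering
        return dict(NOT_EXPOSED)


# Constructed sample reply shaped like the walkthrough's findings (not captured from the box).
SAMPLE_REPLY = json.dumps({"data": {"allSitePage": {"nodes": [
    {"path": "/", "component": "/home/marcus/gatsby-blog-starter/src/pages/index.tsx"},
    {"path": "/dev-404-page/", "component": "/home/marcus/gatsby-blog-starter/src/pages/404.tsx"},
    {"path": "/new-server-config-mc/", "component": "/home/marcus/gatsby-blog-starter/src/pages/new-server-config-mc.tsx"},
]}}})
```

Run check_gatsby_graphql against your own build (Gatsby’s dev server defaults to http://localhost:8000); on anything publicly reachable the result should have exposed set to False, since `gatsby build` output does not include the GraphiQL endpoint.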

We got an MC server password!

WallAskCharacter305

We know there’s a user called Marcus; let’s try to SSH using marcus:WallAskCharacter305.

We are in!

local.txt: 99a00546566657f4d6e0ece673dca0f8

Getting Root

I immediately checked netstat and discovered a server running on port 37999 internally. Let’s forward it using SSH.

ssh -L 37999:localhost:37999 marcus@192.168.184.139 -p 42022

Now, we can check what it is.

It’s the same app. It seems like there’s nothing to check on that. Let’s just perform regular enumeration.

Checking the home directory, there’s a weird .bash file, which is very uncommon and owned by root. We can read it.

It’s base64 data.

Weird. It doesn’t decode with plain base64. Maybe this is AES or something. Okay, at this point I’m stuck. It turns out there’s a binary in /usr/bin called base64key, which is also very weird.

That’s the usage, and the private key is Marcus’s password (WallAskCharacter305). Okay then.

/usr/bin/base64key F2jJDWaNin8pdk93RLzkdOTr60== WallAskCharacter305 1
proof.txt: 39be917daa33a1b7e4f87e1c60961c3c

Learned

  • Enumerating Gatsby.
  • TBH the privilege escalation part is very random.


Penetration Tester, Ethical Hacker, CTF Player, and a Cat Lover. My first account got disabled by Medium, but it won’t stop me from sharing the things I love.