Offensive Security Proving Grounds Walk Through “Banzai”

Vivek Kumar
4 min read, Apr 17, 2022

Initial Foothold:

Beginning the initial nmap enumeration.

Running the default nmap scripts.

Enumerating the web service running on port 8080. All the pages return status code 403 Forbidden. I tried using all the extra header tags we can include in requests to try to bypass this restriction, but it doesn’t work.

Enumerating the web service running on port 8295.

Running gobuster to enumerate the directories. I don’t see anything interesting.

We see an FTP service running. I obtained valid credentials by brute-forcing the FTP service: username admin, password admin.

We see this is the home folder of the web service running on port 8295. We can try uploading a PHP reverse shell into this folder and triggering it to get a reverse shell.

Copying the php-reverse-shell into the current directory and modifying our IP address and port.

Using the FTP service to transfer the file inside the /img directory.

We get a reverse shell by opening the file from the directory on the web service.

Privilege Escalation:

We cannot reach out to our local machine from this target machine because of some configurations. If you cannot use wget to transfer the linpeas file onto the machine, use the same FTP service to upload the file. Make sure to modify the permissions via FTP, or www-data will not be able to run it. I don’t see any outstanding misconfiguration in the linpeas output. We see a MySQL service running as root, though.

I see this interesting config.php file in /var/www/ which contains DB credentials for root. Using those to further enumerate the DB. I don’t see any interesting databases or tables here. We can try finding a privilege escalation exploit for it.

The version is 5.7.30. I tried privesc exploits 40678 and 40679, which match this version, but they didn’t work. I tried searching for privesc exploits for MySQL and this was a super helpful article. I followed it to get root access.

Refer: https://steflan-security.com/linux-privilege-escalation-exploiting-user-defined-functions/

Transferring the shared object to the target machine using FTP.

I get an error: ERROR 1126 (HY000): Can’t open shared library ‘raptor_udf2.so’: file too short.

It took some time to realize that this was because of some kind of access restrictions. Nothing is inserted into the table by the insert command, hence there is nothing in the dumpfile. If this is the case for you, you can verify it with:

select * from foo;

This can be overcome by changing the file permissions of raptor_udf2.so when it’s compiled. Since our user doesn’t have many permissions on the box, I created two extra dummy files, raptor_udf2.o and raptor_udf2.so, along with the raptor_udf2.c file and set their permissions to 777 with FTP.

This way, when you insert it in MySQL, it works fine.

Anyway, I created the function and changed the permission of /etc/passwd.

Now we can add our own user in there and get root access. If someone has trouble adding a new root user into /etc/passwd, refer to this.

And we have root.
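From the defender's side, the two artifacts this chain leaves behind are a UDF registered in mysql.func that loads a shared object and an /etc/passwd that is world-writable or carries a second UID 0 account. The following audit script is an added example, not part of the original post; the passwd content, the mysql.func rows and the file mode it checks are constructed sample data, and the empty baseline of approved UDF libraries is an assumption.

```python
import stat

# Constructed sample /etc/passwd: a legitimate root entry plus an injected
# second UID-0 account of the kind this walkthrough ends with.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
"""

# Constructed rows in the shape of `SELECT name, dl FROM mysql.func;`
# (sample data; the library name mirrors the one used in the post).
SAMPLE_FUNC_ROWS = [("do_system", "raptor_udf2.so")]

# Assumption: a stock server has no approved UDF libraries at all.
KNOWN_UDF_LIBS: set[str] = set()


def rogue_uid0_accounts(passwd_text: str) -> list[str]:
    """Return usernames other than 'root' whose UID field is 0."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


def passwd_mode_is_safe(mode: int) -> bool:
    """/etc/passwd should be 0644, i.e. writable by root only."""
    return stat.S_IMODE(mode) == 0o644


def unknown_udfs(func_rows, known=KNOWN_UDF_LIBS) -> list[tuple[str, str]]:
    """Registered UDFs whose shared object is not in the approved baseline."""
    return [(name, dl) for name, dl in func_rows if dl not in known]


def audit(passwd_text: str, passwd_mode: int, func_rows) -> list[str]:
    """Collect human-readable findings; an empty list means nothing suspicious."""
    findings = [f"extra UID 0 account: {u}" for u in rogue_uid0_accounts(passwd_text)]
    if not passwd_mode_is_safe(passwd_mode):
        findings.append(f"/etc/passwd mode is {oct(stat.S_IMODE(passwd_mode))}, expected 0o644")
    findings += [f"unapproved MySQL UDF {n} loaded from {dl}" for n, dl in unknown_udfs(func_rows)]
    return findings


if __name__ == "__main__":
    # Mode 0o777 is the world-writable state described in the post.
    for finding in audit(SAMPLE_PASSWD, 0o777, SAMPLE_FUNC_ROWS):
        print(finding)
```

On a live host the same functions can be fed the real /etc/passwd text, `os.stat("/etc/passwd").st_mode` and the rows of `SELECT name, dl FROM mysql.func;`.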
