Dodge
Difficulty: Medium
OS: Linux
Description: Test your pivoting and network evasion skills.
Summary: Discovering vhosts, updating firewall rules to enable a port, gaining SSH access with a private key obtained through the enabled port, and then privilege escalation.
Let’s get started
STARTING WITH NMAP SCAN
We have 3 ports open, as you can see: ssh, http and https.
Accessing port 80 is forbidden, so let's proceed to port 443 (https).
Recall from the nmap scan that we have some vhosts exposed.
Add them to your /etc/hosts file
10.10.234.171 dodge.thm www.dodge.thm blog.dodge.thm dev.dodge.thm touch-me-not.dodge.thm ball.dodge.thm netops-dev.dodge.thm
The vhosts aren't accessible, i.e. we are forbidden to access them, except for netops-dev.dodge.thm.
Visiting this virtual host we get a blank page, which is sus.
Viewing the source (CTRL+U) we can see a JS file. Checking the JS file shows that it sends an AJAX request (an asynchronous HTTP request) to a file called firewall10110.php on the server, asking for data via a GET request.
Let's check what's really happening in that directory.
So it's basically a page for updating firewall rules.
And yeah, as we can see there are other ports which did not show as open in our Nmap scan because the firewall blocks them.
Let’s enable the port
sudo ufw allow 21
As you can see, it's now allowing connections which were being denied earlier.
So, let's re-run the nmap scan after updating the rule.
Now we have a new open port which wasn't open before: port 21, FTP, which allows anonymous login.
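From the defender's side, the interesting event here is that a web panel silently changed the host firewall. One check a practitioner would want is a baseline comparison of `ufw status` output so that a newly ALLOWed port (like 21 above) is reported. The script below is an added example, not code from the room or the TryHackMe author; the two status listings are constructed for it and the baseline set is an assumption.

```python
import re

# Constructed sample of `ufw status` output before and after the web panel
# ran `ufw allow 21`. These lines are written for this example; they are not
# captured from the room.
UFW_BEFORE = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
"""
UFW_AFTER = UFW_BEFORE + "21                         ALLOW       Anywhere\n"

# Ports the host is expected to expose (assumed baseline); any other
# ALLOW rule is reported as a finding.
BASELINE = {"22/tcp", "80/tcp", "443/tcp"}

# One rule line: target, action, optional direction, source.
RULE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY|REJECT|LIMIT)(?:\s+(IN|OUT))?\s+(.+?)$")


def parse_ufw_status(text):
    """Parse `ufw status` output into rule dicts, skipping the header lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"to": m.group(1), "action": m.group(2),
                          "direction": m.group(3) or "IN", "from": m.group(4)})
    return rules


def unexpected_allows(text, baseline=BASELINE):
    """Return the ALLOW targets in `text` that are not in the approved baseline."""
    allowed = {r["to"] for r in parse_ufw_status(text) if r["action"] == "ALLOW"}
    return sorted(allowed - baseline)


if __name__ == "__main__":
    for label, status in (("before", UFW_BEFORE), ("after", UFW_AFTER)):
        print(label, "unexpected ALLOW rules:", unexpected_allows(status))
```

Run periodically (or from a cron job that feeds it the live `ufw status` output), this turns the panel's rule change into an alert instead of something only the attacker's port scan notices.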
Listing all the contents on the server revealed an ssh directory which contains private keys.
As you can see we only have permission to get the authorized_keys and id_rsa_backup files.
So I downloaded the files to my local machine. Let's read the authorized_keys file to find out which user owns the private key.
The user challenger owns the private key. So, let's ssh into the machine with the private key (you don't need a password to ssh):
chmod 600 id_rsa_backup && ssh -i id_rsa_backup challenger@ip
Then read the user.txt flag.
PRIVILEGE ESCALATION
There's an encoded string in the /var/www/notes/api/posts.php file.
Looking at it, you can tell it's base64.
So, decoding it revealed the user cobra's password:
challenger@thm-lamp:/var/www/notes/api$ echo "W3sidGl0bGUiOiJUby1kbyBsaXN0IiwiY29udGVudCI6IkRlZmluZSBhcHAgcmVxdWlyZW1lbnRzOjxicj4gMS4gRGVzaWduIHVzZXIgaW50ZXJmYWNlLiA8YnI+IDIuIFNldCB1cCBkZXZlbG9wbWVudCBlbnZpcm9ubWVudC4gPGJyPiAzLiBJbXBsZW1lbnQgYmFzaWMgZnVuY3Rpb25hbGl0eS4ifSx7InRpdGxlIjoiTXkgU1NIIGxvZ2luIiwiY29udGVudCI6ImNvYnJhIFwvIG16NCVvN0JHdW0jVFR1In1d" | base64 -d
[{"title":"To-do list","content":"Define app requirements:<br> 1. Design user interface. <br> 2. Set up development environment. <br> 3. Implement basic functionality."},{"title":"My SSH login","content":"cobra \/ mz4%o7BGum#TTu"}]
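The credential above was only "hidden" by base64, which any reviewer of the web root can undo. The scanner below is an added example (not the room's code or the author's) of the check a defender would run over a web root: find long base64-looking runs, decode them, and flag decoded text that mentions logins or passwords. The sample files and the placeholder password are constructed here; the file paths mirror the room's posts.php location.

```python
import base64
import binascii
import json
import re

# Constructed sample web root: a PHP file that stores notes as one
# base64-encoded JSON string, mirroring the posts.php pattern from the room.
# The blob is built here from constructed plaintext (the password is a
# placeholder, not the room's), so the sample is self-contained.
_NOTES = [
    {"title": "To-do list", "content": "Define app requirements"},
    {"title": "My SSH login", "content": "cobra / PLACEHOLDER-password"},
]
_ENCODED = base64.b64encode(json.dumps(_NOTES).encode()).decode()
SAMPLE_FILES = {
    "/var/www/notes/api/posts.php":
        "<?php\n$posts = '" + _ENCODED + "';\necho base64_decode($posts);\n",
    "/var/www/notes/index.php": "<?php\n$v = 'QUJDRA==';\n",  # too short to bother with
}

# A run of base64 alphabet characters long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Words that suggest a decoded blob holds credentials.
SECRET_HINTS = re.compile(r"passw(or)?d|login|ssh|secret|token|api[_ -]?key", re.IGNORECASE)


def decode_candidates(text):
    """Yield (token, decoded_text) for each base64-looking run that decodes to printable text."""
    for m in B64_RE.finditer(text):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (bad length or padding)
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary payload, not text
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            yield token, decoded


def scan_files(files):
    """Return one finding per decodable blob, flagging those that look like credentials."""
    findings = []
    for path, content in files.items():
        for token, decoded in decode_candidates(content):
            findings.append({
                "path": path,
                "decoded": decoded,
                "credential_like": bool(SECRET_HINTS.search(decoded)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        flag = "CREDENTIAL?" if f["credential_like"] else "text"
        print(f"{f['path']}: [{flag}] {f['decoded'][:80]}")
```

The 40-character threshold keeps short tokens like `QUJDRA==` out of the output; lower it if the app stores single words. Anything flagged `CREDENTIAL?` should be moved out of the web root into a secrets store and the exposed password rotated.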
Now we can switch to user cobra since we have the password:
cobra: mz4%o7BGum#TTu
su cobra
and paste the password. A simple sudo -l showed that the user cobra can run /usr/bin/apt as root.
A quick search on GTFOBins showed we can gain root by running: sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh
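The root cause is the sudoers entry, not apt itself: apt honours `-o` options such as the Pre-Invoke hook, so granting it as root is equivalent to granting a shell. The audit script below is an added example (not the room's code or the author's) that parses `sudo -l` output and flags entries for binaries known to run other commands. The `sudo -l` listing is constructed: the room only tells us cobra may run /usr/bin/apt as root, and the second entry is made up for contrast. The set of flagged binaries is an illustrative subset, not a complete list.

```python
import os
import re

# Constructed `sudo -l` output for the user cobra, written for this example.
# The room only says cobra may run /usr/bin/apt as root; the exact format and
# the second (harmless) entry are assumptions.
SUDO_L_OUTPUT = """Matching Defaults entries for cobra on thm-lamp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User cobra may run the following commands on thm-lamp:
    (root) /usr/bin/apt
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""

# Binaries that accept hooks, editors or subcommands able to execute arbitrary
# commands (apt's Pre-Invoke hook is the one used in the room). Illustrative subset.
SHELL_CAPABLE = {"apt", "apt-get", "vim", "vi", "less", "more", "find",
                 "python3", "perl", "bash", "sh"}

# One sudoers entry as printed by `sudo -l`: (runas) [TAG: ...] command.
ENTRY_RE = re.compile(r"^\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Parse the command entries of `sudo -l` output into dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # defaults/header lines
        runas, tags, command = m.group(1), m.group(2), m.group(3).strip()
        entries.append({
            "runas": runas.strip(),
            "nopasswd": "NOPASSWD:" in tags,
            "command": command,
            "binary": os.path.basename(command.split()[0]),
        })
    return entries


def risky_entries(text, shell_capable=SHELL_CAPABLE):
    """Return entries whose binary is known to offer a way to run other commands."""
    return [e for e in parse_sudo_l(text) if e["binary"] in shell_capable]


if __name__ == "__main__":
    for e in risky_entries(SUDO_L_OUTPUT):
        pw = "NOPASSWD" if e["nopasswd"] else "password required"
        print(f"RISK: {e['command']} as {e['runas']} ({pw})")
```

The fix for a flagged entry is to remove it or to replace the bare binary with a fixed wrapper script that runs the one operation the user actually needs (for example a script that calls `apt update` with no user-controlled arguments).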
And now we have fully compromised the server.
#Firewall #UpdateRules #ftp #ssh #PrivilegeEscalation