Firstly, I initiated a Rustscan on the host, detecting three open ports: 22, 8000, and 6048.
We've identified an SSH service running OpenSSH 8.2p1, an HTTP service on port 8000 running Werkzeug/3.0.2 Python/3.8.10, and an unidentified service on port 6048 with an unknown version.
let's have a look at the http service
Picture of http port 8000 service As you can see, I can't access the web app because it's redirecting me to airplane.thm. To gain access to the website, we need to add the domain to the /etc/hosts file.
sudo echo "machine_ip airplane.thm" >> /etc/hosts
After executing this command, let's observe how the website appears now.
Picture of http port 8000 service Excellent! We have the website running. Next, we see a parameter called 'page'.
That could be indicative of a potential LFI attack on the 'page' parameter. Let's test it using Jhaddix's LFI wordlist.
ffuf command to exploit LFI Notice that we have plenty of payloads. Let's test if they're working!
Great! The exploit worked, and we can see that there are two users.
Shell as Hudson
Let's examine the processes running on the website using Burp Suite Repeater.
Burp Suite LFI ATTACK viewing /proc/self/environ as you can see we get the environment of the website process and it's running by hudson user
also we can view how the process has ran and view the command-line arguments
viewing the command-line arguments of the website process as you can see we manged to get 2 information to start an attack
the owner of the website is: hudson
and the name of the file is app.py
let's try to get the source code by returning one back step only:
getting source code of the website Hooray!! we got the website source code:
great now that we gatherd all this info let's try to get info of the port 6048 by Fuzzing all machine's Processes via Burp Suite interuder
setting the vaule of the Fuzzing place Next Set the number for Processes from 0 to 1000
Picture of Payload Setting Burp Suite After searching through all processes, I found this particular process with the following command-line arguments:
Burp Suite picture of gdb process Great! We've identified the unknown port as a gdb server. We can exploit it by creating an ELF backdoor with msfvenom, uploading it, and executing it easily.
First, let's create the backdoor.
For a quicker method to obtain the OpenVPN IP, you can utilize this command:
ifconfig tun0 | grep -i "inet" -w | awk '{print $2}'
Next, after creating the backdoor, we need to set executable permissions on the file to ensure it runs correctly.
Afterward, we'll execute GDB to establish the remote connection.
Next, we'll need to configure the remote debugger target so that the backdoor can be executed remotely.
Afterwards, upload the ELF file.
Finally, set the remote executable file.
before runing the debugger Ensure to set up a netcat listener on the backdoor's port
Finally, simply run the debugger.
Woo-hoo! We've got a reverse shell! Let's goooo!
reverse shell via gdb remote service Now that we have a reverse shell, let's level up the shell using the SSH service. Copy the ~/.ssh/id_rsa.pub from your computer, then run this command to paste the .ssh/id_rsa.pub into ~/.ssh/authorized_keys of huson.
Cool! Now we're connected via SSH, so much better than before!
ssh connecting successfully Shell as carlos
First things first, let's run linpeas.sh to check for any potential privilege escalation vulnerabilities.
Awesome! We discovered that the 'find' command has suid permissions.
let's exploit it using this command:
Great! We've got a shell as carlos.
Let's replicate what we did earlier to enhance our current shell.
When running the 'id' command, it indicates that I'm in the sudo group.
Let's attempt running the command 'sudo -l' to see if I'm permitted to execute commands as other users.
Fantastic! As you can see, we have the ability to run Ruby scripts as root. Now, we can exploit this vulnerability easily in just one line.
but how ???
By exploiting the wildcard to alter the path of the Ruby script, we can execute malicious commands.
now we can get the last flag easliy
