Pwn Dev Box
Today we are going to root another box from TCM Security’s Ethical Hacking course aka Dev Machine. Let’s roll baby, shall we
so we are going to run a Nmap scan as usual to see what ports and services are running.
The command for the nmap scan is given above, you can do nmap — help to see other useful flags to use nmap with and comment your fav flags to use as well, moving on the results.
so basically, we have quite a few ports open, so right off the bat port 22 isn’t all that juicy since there’s rarely some vulnerability with ssh and unless we are aware of login creds. there isn’t much to do with that.
Moving on, we see 2 http ports i.e., 80 and 8080 are open and we will enumerate them and a bunch of rpcbind ports but they are most probably a rabbit hole and there’s one new port 2049 and nfs_acl was running so its interesting go to google and read about it and how to enum it and all, but a short note is that it’s similar to what samba is like a file share so these are our targets and i have added an article to read about nfs_acl service.
so when we visited to the both http sites we saw 2 pages let’s see.
at first i.e., port 80 we see a page which tells that Bolt is installed incorrectly and how it should be configured. so ideally we should check the source code if this page for some comments and bolt seems like a CMS we should enumerate it for some already known public exploits but we’ll do directory busting to see what all directories are there.
we found several directories let’s check each one of them for any info disclosures or any critical file which shouldn’t be there.
So after enumerating these directories and files, I have found inside app/config/config.yml
For now we have found a username and password, so we can try to ssh using these credentials but it didn’t work so for now let’s keep this in our back pocket and enumerate the other site.
and just for proof sake i have added a snap to try ssh login
Now, On the second site we have a php configuration details listed, now it might be useful to go through all this because there might be some sort of information disclosure or anything which might be useful but for this instance there isn’t anything quite interesting.
Now what we can do is again do directory brute forcing and all those things which we can do all those http enumeration steps but we found an interesting directory, Let’s hop on to it.
So when we went inside dev what we found is this:
Now here, we tried to use the credentials we had to login but it didn’t worked so at last we thought to go into interwebs and search for any known vulnerabilities inside boltwire CMS to our luck we found the JACKPOT!!!
so we found a local file inclusion, you can find the exploit in the given link and along with a link to understand what local file inclusion really is.
so we can input a path inside the parameter and access a local file inside a web server since the developers didn’t sanitized the parameters that well.
the payload used: index.php?p=action.search&action=../../../../../../../etc/passwd
The dots and backslashes shows in a linux sys go as far as possible in the file sys to the root directory and then go to etc and display the passwd file which lists the users file, we also tried shadow file which contains the password hashes but it didn’t worked.
Now let’s enumerate the nfs_acl so starting with let’s see the mounts ie. file shares available to us.
we see a srv/nfs folder so lets us mount this folder in our sys but first create a dir in /mnt/dev in our attack machine and then use the given command to mount the file share.
now switch to /mnt/dev and see what’s inside this file share which we mounted to our sys just now.
we have three files here so let’s cat out todo.txt and we know id_rsa is an ssh key file so we’ll try to login using ssh via this key and we’ll unzip save.zip, so without further ado lets get into it.
So we have a text from jp and that might be jean paul from the users which we found earlier using LFI, so what we can do is try to ssh using this id_rsa file and username jean paul and another password we found was I_love_java.
here we go, we have found a shell, let’s see what all we can do since we don’t have root privileges.
here using sudo -l we found we can run zip command as root using sudo so how can we leverage this to get a root shell, we can go to something called gtfobin and get commands to drop into a root level shell using zip command.
we can run these commands and let’s cross ou fingers
we got a root shell an successfully rooted this machine. Thanks alot for reading and if it helped you kindly comment and upvote this writeup and again all credit for these techniques goes to Heath Adams aka Cybermentor and his course i.e., TCM Security’s Ethical Hacking course, I am learning alot and it’s just a way for me to document my journey and share these with the wonderful audience like you.
