Vulnhub - INO: 1
Introduction
Level: Easy
flags: user, root
Description: This machine requires low skill to get the user flag, and a little more skill to escalate to root!
Author: foxlox
This is INO: 1 from Vulnhub.
Ports
SSH, SMTP (25) and HTTP.
HTTP
Well, this webserver hated me. Because it’s running fail2ban. Basically it was one run with gobuster or whatever, and then good luck getting it to respond again. Anyway, that was part of the fun I guess :)
The simplest way to a shell here is via /lot/, which is easily found and easily exploited. The exploit doesn’t say what you can do with it, but I uploaded the pentestmonkey PHP reverse shell with the Division List option in the GUI. It was quite happy to take and execute a PHP file, no issues. Yikes.
A quick aside
Google has been flagging the pentestmonkey site as scary and dangerous for a while now, but Chrome flat out refused to download the shell I wanted - there is literally no (obvious) option to tell it that, yes I really do want to download this file. Nope; Google says it’s spooky and you can’t have it.
This wouldn’t have been an issue, except I was working through my Windows host machine rather than Kali, since I’d upset fail2ban on Kali. So I downloaded the file with wget in WSL. Windows Defender promptly nuked it anyway, but at least I had the option to restore it from Defender jail and the nuking didn’t come as a surprise. But Chrome too? Geez.
Back on track
Actually, once I’m on the box there is a second web-based option to get a reverse shell. The box is running inoERP in addition to the Lot Reservation Management System. And inoERP is also exploitable with a Python script on searchsploit:
The only hard part with that would be knowing that the directory exists - ino_enterprise_resource_planning is a heck of a subdirectory name to guess. I haven’t checked if it’s in any of my wordlists but I can’t see why it would be.
On the box
We can find some MySQL creds (lot:lot) and extract a bunch of hashes, many of which we can crack to simple things like admin, admin123 etc. But none of this is useful. I run LinPeas; nothing very useful. We have one obvious target user - ppp. I had to enumerate the box for quite a while before I eventually found the user password; here’s my thinking.
I could see that the box was being worked on during late October - particularly October 27 in the afternoon. I knew I wanted the user ppp. I ran this command:
www-data@ino:/$ find . -ls 2>/dev/null | grep 'Oct 27 18' | cat 2>/dev/null | grep ppp
Which turned up this, amongst some other things:
132449 8 -rw-r--r-- 1 root root 4141 Oct 27 18:47 ./var/lib/dpkg/info/ppp.list
I looked in that file, and found there was an /etc/ppp directory, which I hadn’t previously noticed. In there, I found the pot of gold:
So yes, now we have the password for ppp.
Privesc
ppp can run useradd as root. I had to check the manpages, but when we add a user we can add them to a group, and specify their password (as returned by crypt) if we want. So the method I used was to add a user called rootpls with the password mrcake to the sudo group. Then since he was in the sudo group, I could do sudo su to become root. Let’s see this in action:
Not going to lie, I did a little happy dance once I’d rooted this one :)
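A defender's check for the misconfiguration behind this privesc, as an added example that is not part of the original write-up: it parses sudoers rules for commands that can create or modify local accounts (useradd and friends) and flags sudo-group members outside an allow-list. The sudoers text and /etc/group snapshot are constructed; the exact rule wording for ppp and the "admin" user are assumptions, since the write-up only says ppp can run useradd as root.

```python
import re

# Constructed sample input (assumed wording): a sudoers rule that lets ppp run useradd as root,
# and an /etc/group snapshot after an attacker-created account has joined the sudo group.
SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ppp     ALL=(root) NOPASSWD: /usr/sbin/useradd
"""
ETC_GROUP = """\
root:x:0:
sudo:x:27:admin,rootpls
www-data:x:33:
"""

# Commands that, when runnable as root, amount to full control over local accounts.
ACCOUNT_CMDS = {"useradd", "usermod", "userdel", "passwd", "chpasswd", "gpasswd", "adduser", "visudo"}

# user/group  host=(runas) [tags:] command[, command...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def risky_sudo_rules(sudoers_text):
    """Return (who, command, nopasswd) for rules granting account-management commands or ALL."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who, cmds = m.group("who"), m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        for cmd in cmds.replace("NOPASSWD:", "").replace("PASSWD:", "").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            base = cmd.split()[0].rsplit("/", 1)[-1]
            # ALL for a single non-root user is as bad as useradd; ALL for root or an admin group is expected.
            if (cmd == "ALL" and not who.startswith(("%", "root"))) or base in ACCOUNT_CMDS:
                findings.append((who, cmd, nopasswd))
    return findings

def unexpected_sudo_members(group_text, allowed):
    """Return members of the sudo group that are not on the allow-list."""
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] == "sudo":
            return sorted(set(filter(None, parts[3].split(","))) - set(allowed))
    return []
```

Running `risky_sudo_rules(SUDOERS)` reports the ppp rule, and `unexpected_sudo_members(ETC_GROUP, ["admin"])` reports rootpls.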