Well, just after I wrote yesterday that there hadn't been anything good on THM for a bit, they came and released Empline. And it is good. Medium rated.
Ports
My first scan brought up HTTP and SSH only. A later scan - after the box had been running for longer - added mysql to the mix.
Web
Visiting the IP only gets a basic landing page, but one link catches the eye: it points to job.empline.thm/careers. So we add empline.thm and job.empline.thm to /etc/hosts and check it out. At job.empline.thm we find OpenCATS version 0.9.4 Countach. If we take a look at this excellent blog post we can learn all about the vulnerability and how to exploit it.
The system is a job applicant tracking system which allows you to upload a resume as a docx, and there is an XXE injection in the ‘document.xml’ part of the docx: the server unzips the upload and parses that XML with a parser that honours DTD entity declarations. The blog post must have been the inspiration for the box, because it follows the laid-out attack almost exactly.
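Since the weakness is that the upload path feeds word/document.xml to an entity-expanding parser, the mitigation on the application side is to refuse any docx whose XML parts declare a DOCTYPE or entity before anything parses them. The check below is an added example, not code from the box or from OpenCATS; the two sample documents are constructed in memory and the entity path is a placeholder.

```python
# Added defensive check (not OpenCATS code): reject .docx uploads whose XML
# parts declare a DOCTYPE or entities. The sample documents below are constructed.
import io
import zipfile
from xml.parsers import expat

XML_SUFFIXES = (".xml", ".rels")  # inspect every XML part in the package

class DangerousXml(Exception): pass

def _inspect_xml(name, data):
    # expat reports DTD and entity declarations through these handlers before
    # it would ever expand them, so raising here stops parsing immediately.
    parser = expat.ParserCreate()
    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DangerousXml(f"{name}: DOCTYPE {doctype_name!r} declared")
    def on_entity(entity_name, is_param, value, base, system_id, public_id, notation):
        raise DangerousXml(f"{name}: entity {entity_name!r} (system_id={system_id!r})")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise DangerousXml(f"{name}: malformed XML ({exc})") from exc

def docx_is_safe(docx_bytes):
    """Return (True, '') for a clean archive, otherwise (False, reason)."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(XML_SUFFIXES):
                    _inspect_xml(info.filename, zf.read(info))
    except zipfile.BadZipFile:
        return False, "not a zip archive"
    except DangerousXml as exc:
        return False, str(exc)
    return True, ""

def build_docx(document_xml):  # minimal package: only word/document.xml
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CLEAN_DOCX = build_docx(f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
# Constructed XXE-style sample: an external entity aimed at a placeholder path.
XXE_DOCX = build_docx('<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
                      f'<w:document xmlns:w="{W_NS}"><w:body>&ext;</w:body></w:document>')
```

Real Word output never carries a DOCTYPE, so rejecting on any declaration costs nothing for legitimate uploads; pair it with a parser configured to not resolve entities for defence in depth.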
PoC is of course via reading /etc/passwd, but then we read config.php with base64 encoding to get our database credentials. The payload looked like this:
and you update the docx like so:
I used a Python script to create the file per the blog post, and then 7z to extract it so I could access document.xml. No Windows or Office required!
For completeness, here's the Python script:
Right; we get some credentials back in the webapp after uploading our payload here: http://job.empline.thm/careers/index.php?m=careers&p=onApplyToJobOrder
Then it's base64 decode and... now what? This is when I reran my port scan and found mysql open.
Mysql
This was pretty straightforward: connect to mysql with our creds and grab the users from the table:
From this we get a hash for george which we can crack with john:
And now we can SSH in:
Privesc
I start with some manual enumeration but don't find any easy wins, so I hit up linpeas. It reveals:
/usr/local/bin/ruby = cap_chown+ep
in bright red and yellow text, so we're onto a winner here: a binary with cap_chown can change the owner of any file. I'm not exactly proficient in Ruby, so I consult the docs and put together this script:
And use it to take ownership of the shadow file:
And there we go. I use nano to change the root password hash to the same as the one for george, and: