Amaterasu

Source: Proving Grounds OS: Linux Community Rating: Hard

Enumeration & Reconnaissance

  • I started my assessment with autorecon as usual, which revealed several open ports on the target:

    • SSH (21)

    • SSH (25022)

    • HTTP (33414)

    • HTTP (40080)

Service Analysis

  • I had my fuzzers running in the background. The service on port 40080 initially revealed a few paths, but nothing was of real value; it seemed like a rabbit hole. In contrast, port 33414 presented a lot more promise, as multiple API endpoints were discovered.

[Figure: Service 40080]
[Figure: Service 33414]
[Figure: Service 40080 (Nothing of Value)]

Gaining Initial Access

  • On port 33414, I discovered multiple API endpoints. One endpoint in particular, file-list?dir=, had a path traversal vulnerability that allowed me to enumerate directories on the target.

[Figure: 33414 APIs]
[Figure: file-list?dir API]

  • Another endpoint, /file-upload, allowed me to upload files, which I used to insert my SSH key into the authorized_keys file. To do this, I generated my key using ssh-keygen and renamed the file to id_rsa.txt to bypass the file extension validation.

[Figure: ssh-keygen]

  • I then used the following curl command to upload the key:

    curl -X POST -F "file=@./id_rsa.txt" -F "filename=/home/alfredo/.ssh/authorized_keys" http://192.168.172.249:33414/file-upload

[Figure: Sending the Payload]

  • This provided me with SSH access as the user alfredo.
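The two weaknesses above (a directory parameter resolved without a root check, and an upload endpoint that validated the extension of the uploaded file's name while writing to a client-supplied destination path) are shown side by side with a hardened handler in the following added example. This is illustrative code written for this writeup, not the target's own REST API; UPLOAD_DIR, ALLOWED_EXT and the function names are assumed.

```python
import os
import posixpath

UPLOAD_DIR = "/var/www/uploads"          # assumed upload root (constructed)
ALLOWED_EXT = {".txt", ".png", ".jpg"}   # assumed extension allow-list (constructed)


def vulnerable_destination(upload_name: str, filename: str) -> str:
    """Mirrors the flaw exploited above: the extension check runs on the
    uploaded file's own name, but the write path is taken verbatim from the
    client-supplied 'filename' parameter, so id_rsa.txt can land anywhere."""
    if os.path.splitext(upload_name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return filename  # e.g. '/home/alfredo/.ssh/authorized_keys' passes straight through


def safe_destination(filename: str) -> str:
    """Hardened version: discard any directory part of the requested name,
    reject dotfiles, check the extension on the name that will actually be
    written, and confirm the resolved path is still inside UPLOAD_DIR."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError("invalid file name")
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    root = os.path.realpath(UPLOAD_DIR)
    dest = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, dest]) != root:  # defence in depth (symlinks)
        raise ValueError("path escapes upload directory")
    return dest


def safe_listing_dir(dir_param: str, root: str = UPLOAD_DIR) -> str:
    """For a file-list?dir= style endpoint: resolve the requested directory
    under root and refuse anything that escapes it (../ sequences, absolute
    paths, symlinks pointing outside)."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, dir_param.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("directory escapes listing root")
    return target


def accepts(filename: str) -> bool:
    """True if the hardened upload handler would accept this filename."""
    try:
        safe_destination(filename)
        return True
    except ValueError:
        return False
```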

Privilege Escalation

  • With the uploaded SSH key in place, I was able to log in to the system via SSH. However, my next step, running linpeas, never worked. I couldn’t figure out why until I later checked other writeups, which mentioned that the target’s firewall was blocking connections to ports that weren’t explicitly open. Without linpeas, I started manual enumeration. (You can make it work if you use one of the ports that are open on the target.)

  • I checked the cron jobs and discovered a script scheduled to run every minute. The script began by setting the PATH to include /home/alfredo/restapi and then changed its working directory to that folder before executing a command, in this case, invoking tar.

  • Since I had write access to /home/alfredo/restapi, I seized the opportunity. I created a malicious script and placed it in the directory with the name tar. When the cron job ran, it executed my script, which granted me a root shell.

[Figure: Privilege Escalation]

Lessons Learned

  • Path Traversal & File Upload: In this case, a path traversal bug and a lax file upload validation opened the door to SSH access.

  • Firewall Interference: The firewall’s configuration prevented some of my usual tools from running properly.

  • Cron Job Exploitation: The insecure cron job was the path to root.
