Amaterasu

Last updated 2 months ago

Source: Proving Grounds OS: Linux Community Rating: Hard

Enumeration & Reconnaissance

I started my assessment with autorecon as usual, which revealed several open ports on the target:
- SSH (21)
- SSH (25022)
- HTTP (33414)
- HTTP (40080)

I had my fuzzers running in the background. The service on port 40080 initially revealed a few paths, but nothing was of real value, seemed like a rabbit hole. In contrast, port 33414 presented a lot more promise as multiple API endpoints were discovered.

On port 33414, I discovered multiple API endpoints. One endpoint in particular, file-list?dir=, had a path traversal vulnerability that allowed me to enumerate directories on the target.

Another endpoint, /file-upload. Allowed me to upload files which I used to insert my SSH key into the authorized keys file. To do this, I generated my key using ssh-keygen and renamed the file to id_rsa.txt to bypass the file extension validation.

I then used the following curl command to upload the key:

curl -X POST -F "file=@./id_rsa.txt" -F "filename=/home/alfredo/.ssh/authorized_keys" http://192.168.172.249:33414/file-upload

With the uploaded SSH key in place, I was able to log in to the system via SSH. However, my next step, running linpeas never worked. I couldn’t figure out why until I later checked other writeups which mentioned that the target’s firewall was blocking connections to ports that weren’t explicitly open. Without linpeas, I started manual enumeration. (You can make it work if you use one of the ports that are open on the target.)
I checked the cron jobs and discovered a script scheduled to run every minute. The script began by setting the PATH to include /home/alfredo/restapi and then changed its working directory to that folder before executing a command, in this case, invoking tar.
Since I had write access to /home/alfredo/restapi, I seized the opportunity. I created a malicious script and placed it in the directory with the name tar. When the cron job ran, it executed my script, which granted me a root shell.

Path Traversal & File Upload: In this case, a path traversal bug and a lax file upload validation opened the door to SSH access.
Firewall Interference: The firewall’s configuration prevented some of my usual tools from running properly.
Cron Job Exploitation: The insecure cron job was the path to root.

Last updated 2 months ago

Source: Proving Grounds OS: Linux Community Rating: Hard

I started my assessment with autorecon as usual, which revealed several open ports on the target:
- SSH (21)
- SSH (25022)
- HTTP (33414)
- HTTP (40080)

I had my fuzzers running in the background. The service on port 40080 initially revealed a few paths, but nothing was of real value, seemed like a rabbit hole. In contrast, port 33414 presented a lot more promise as multiple API endpoints were discovered.

On port 33414, I discovered multiple API endpoints. One endpoint in particular, file-list?dir=, had a path traversal vulnerability that allowed me to enumerate directories on the target.

Another endpoint, /file-upload. Allowed me to upload files which I used to insert my SSH key into the authorized keys file. To do this, I generated my key using ssh-keygen and renamed the file to id_rsa.txt to bypass the file extension validation.

I then used the following curl command to upload the key:

curl -X POST -F "file=@./id_rsa.txt" -F "filename=/home/alfredo/.ssh/authorized_keys" http://192.168.172.249:33414/file-upload

With the uploaded SSH key in place, I was able to log in to the system via SSH. However, my next step, running linpeas never worked. I couldn’t figure out why until I later checked other writeups which mentioned that the target’s firewall was blocking connections to ports that weren’t explicitly open. Without linpeas, I started manual enumeration. (You can make it work if you use one of the ports that are open on the target.)
I checked the cron jobs and discovered a script scheduled to run every minute. The script began by setting the PATH to include /home/alfredo/restapi and then changed its working directory to that folder before executing a command, in this case, invoking tar.
Since I had write access to /home/alfredo/restapi, I seized the opportunity. I created a malicious script and placed it in the directory with the name tar. When the cron job ran, it executed my script, which granted me a root shell.

Path Traversal & File Upload: In this case, a path traversal bug and a lax file upload validation opened the door to SSH access.
Firewall Interference: The firewall’s configuration prevented some of my usual tools from running properly.
Cron Job Exploitation: The insecure cron job was the path to root.