Machine Creator: lokori
Task: To find User.txt and Root.txt
Let’s start with an NMAP scan.
nmap -sS --min-rate 5000 --max-retries 1 -p- 10.10.10.91
The NMAP scan results show port 22 (ssh) and port 5000; however, NMAP can't determine what service is running on port 5000.
When NMAP can't identify the service on a port, the first thing I try is opening it in a browser.
We can see a page that is under construction.
The web page does not show any useful information, so let's use gobuster to find directories.
gobuster -u http://10.10.10.91:5000 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40
The Gobuster scan shows two directories; let's check them out.
Browsing to the upload directory, we find a page where we can upload XML files.
XML External Entity (XXE)
Let's test how the XML is handled by uploading a test file.
The XML file is loaded and ready to upload. Let's also run it through the Burp proxy. Note the XML elements expected are Author, Subject, and Content.
After running this upload through the Burp proxy, we can see the structure of the XML. Let's send this to Repeater.
Building a test XML in Repeater, we can verify that this XML set-up is working.
XXE & LFI
Now that we have the structure of the XML, we can hopefully perform some Local File Inclusion.
After adding the XXE injection data, we can perform Local File Inclusion and read the contents of passwd (the users file).
Back on the original web page, it referenced the "feeds.py" Python script. We can try to use the LFI to read the contents of that file.
When we examine the "feeds.py" script, we find a new endpoint "/newpost" that accepts the POST method. We can also see that it uses pickle and base64 encoding.
To exploit pickle in the XML, we need to build a netcat reverse shell and encode it in base64, which we can do with a Python script.
When we run the Python script, it returns a base64-encoded payload that we can use in our XXE.
We need to start a netcat listener.
nc -lvnp 1337
When we browse to the newpost page through the Burp proxy and send the request to Repeater, we can see the page exists, but it does not allow the GET method; back in the feeds Python script, it showed the POST method.
When we use the POST method, we get an error. However, this does show that the POST method is accepted.
When we add the base64 payload from the pickle Python script, we get a reverse shell in our netcat listener.
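As an added defender's example (not the box's feeds.py), here is how the two inputs abused above would be handled safely: the XML upload is parsed with any DOCTYPE or entity declaration rejected outright, and the /newpost body is decoded as base64 over JSON with a fixed key set instead of base64 over pickle. The element names Author/Subject/Content and the base64 envelope come from the write-up; all other names and the sample inputs are assumptions.

```python
import base64
import json
import xml.parsers.expat as expat

FIELDS = ("Author", "Subject", "Content")  # element names seen in Burp above

class UnsafeXML(ValueError):
    """Raised when an upload carries a DTD, which every XXE payload needs."""

def parse_post(xml_bytes):
    """Return {Author, Subject, Content} from an uploaded post, refusing any
    DOCTYPE or entity declaration before the parser can expand anything."""
    def reject(*_):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not allowed")
    post, buf, current = {}, [], None
    def start(name, _attrs):
        nonlocal current
        current = name if name in FIELDS else None
    def chars(data):
        if current:
            buf.append(data)
    def end(name):
        nonlocal current
        if name in FIELDS:
            post[name] = "".join(buf).strip()
        buf.clear()
        current = None
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject  # fires before any entity is defined
    p.EntityDeclHandler = reject        # belt and braces: no entities at all
    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.EndElementHandler = end
    p.Parse(xml_bytes, True)
    missing = [f for f in FIELDS if f not in post]
    if missing:
        raise ValueError(f"missing elements: {missing}")
    return post

def encode_newpost(post):
    """Client side of the hardened /newpost: base64 over JSON, not pickle."""
    return base64.b64encode(json.dumps(post).encode()).decode()

def decode_newpost(body_b64):
    """Server side: base64 -> JSON object with exactly the three fields.
    JSON carries no code, so a crafted body can only fail validation."""
    obj = json.loads(base64.b64decode(body_b64, validate=True))
    if not isinstance(obj, dict) or set(obj) != set(FIELDS):
        raise ValueError("post must be a JSON object with Author/Subject/Content")
    return {k: str(obj[k]) for k in FIELDS}
```

Rejecting the DTD as a whole, rather than only external entities, also closes internal-entity expansion attacks that a "no network" setting alone would leave open.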
Let's upgrade to a PTY shell.
python -c 'import pty; pty.spawn("/bin/sh")'
With our user shell, we can read the user.txt file in Roosa's home directory.
If we look back at the XML LFI output, we saw a directory listed in the file path. Let's explore that directory.
Looking in the deploy directory, there is an RSA key.
Trying the root user with the ssh key does not work. I've tried all the users on this machine, and the key does not work for any of them.
While looking in the other directories under work/blogfeed, there is a hidden .git directory.
When we look at the logs, we see that the real key was added and the one we copied out was a fake key.
When trying to find the original posting, I get an error; we need to fix this shell first.
I was able to find an ssh key for Roosa.
Using Roosa's private ssh key, I now have a real ssh session.
Using git diff in the ssh session, we can see the original key that was overwritten, shown in red as the removed lines.
After a little clean-up, we have a new, unknown key.
Using the new key, we now have a root ssh session.
With our root ssh session, we can read root.txt.