Included is a machine that teaches some more enumeration techniques, even on a different transport layer protocol, and it also teaches that every penetration tester sometimes needs to use Google to see how to perform certain tasks.
Enumeration
Click on Spawn machine to find out the target IP address:
The scan shows only port 80 TCP open, which seems to be running Apache version 2.4.29. Let's navigate to port 80 using the browser:
The webpage is the landing page of a gear manufacturing company. It does not seem to contain anything of interest; however, if we take a look at the URL we can see that it has automatically changed to the following:
http://{Target IP}/?file=home.php
This is a common way for developers to dynamically load pages in a website and, if not programmed correctly, it can often leave the webpage vulnerable to Local File Inclusion (LFI), but more about that in a bit.
Local File Inclusion (LFI)
We can easily determine if this is the case by attempting to load a file that we know definitely exists on the system and is readable by all users. One such file is /etc/passwd; to load it, change the file parameter from home.php to /etc/passwd. For consistency, we will show this process with the cURL command-line utility instead of a browser.
This is successful and a list of users is returned. It is worth noting that inputting /etc/passwd might not always work if the inclusion already specifies a working directory.
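To make the flaw concrete, here is the include logic the page describes (the file parameter used directly as the path) next to a hardened version. This is an added example written for this walkthrough in Python rather than PHP, not the machine's own source code; the web root /var/www/html and the allowlist of page names are assumptions for the example.

```python
import posixpath
from typing import Optional

# Constructed values for this example: the real application's web root and
# its list of pages are not shown in the walkthrough.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = frozenset({"home.php", "about.php", "contact.php"})


def vulnerable_include_path(file_param: str) -> str:
    """The flawed pattern behind ?file=: the parameter becomes the include
    path unchanged, so /etc/passwd or ../../etc/passwd are read as-is."""
    return file_param


def is_within_web_root(file_param: str) -> bool:
    """Canonicalise the requested path and confirm it still sits under WEB_ROOT.

    posixpath.join() discards WEB_ROOT when file_param is absolute, and
    normpath() collapses any '..' segments, so the containment check judges
    the path the include would actually open."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, file_param))
    return posixpath.commonpath([WEB_ROOT, candidate]) == WEB_ROOT


def hardened_include_path(file_param: str) -> Optional[str]:
    """Return the path to include, or None when the request must be refused.

    Two independent checks: an exact allowlist match (so no path separators
    are ever accepted) and the containment check above, so a future mistake
    in the allowlist still cannot reach outside the web root."""
    if file_param not in ALLOWED_PAGES:
        return None
    if not is_within_web_root(file_param):
        return None
    return posixpath.join(WEB_ROOT, file_param)
```

The allowlist alone stops every payload in this walkthrough; the containment check is kept as a second layer because it also catches a value that is on the allowlist but later has path components appended to it.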
TFTP (Trivial File Transfer Protocol)
Back to the task at hand: while a Local File Inclusion is a great way to gather information and read system files, the goal of every penetration tester is to achieve Remote Code Execution (RCE) on a system. There are a plethora of ways that an LFI can turn into RCE, from log poisoning to plaintext passwords in configuration files and forgotten backups; however, in this case the passwd file gave us a big hint as to how to proceed.
The last user that is listed is called TFTP.
A quick Google search reveals that:
Trivial File Transfer Protocol (TFTP) is a simple protocol that provides a basic file transfer function with no user authentication. TFTP is intended for applications that do not need the sophisticated interactions that File Transfer Protocol (FTP) provides.
It is also revealed that TFTP uses the User Datagram Protocol (UDP) to communicate. UDP is defined as a lightweight data transport protocol that works on top of IP.
Enumerate UDP ports using Nmap
To this end let's use Nmap to scan for open UDP ports. It is worth noting that a UDP scan takes a considerably longer time to complete compared to a TCP scan and it also requires superuser privileges.
The scan reveals that port 69 UDP is open and an instance of the TFTP server is running on it.
Installing TFTP
In order to communicate with the TFTP server, we need to install a TFTP client on our Linux machine.
Once the tool is installed its manual page can assist with its usage.
Foothold
Acquiring Server Foothold via TFTP and File Traversal Vulnerability
TFTP works by default without the need for authentication. That means that anyone can connect to the TFTP server and upload or download files from the remote system.
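Whether an open TFTP server also accepts new files depends on how the daemon is configured. The following is an added example, not part of the original walkthrough and not the target's real configuration: it audits a constructed /etc/default/tftpd-hpa file for the settings that turn an unauthenticated TFTP service into an upload point. The tftpd-hpa semantics relied on are that new files can only be created by clients when the daemon runs with --create (-c), and that --secure (-s) chroots it into TFTP_DIRECTORY; the file contents and values are constructed for the example.

```python
import shlex
from typing import Dict, List

# Constructed /etc/default/tftpd-hpa contents for this example; the directory
# matches the tftp user's home folder seen in the walkthrough.
WEAK_CONFIG = '''
# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure --create"
'''

# The same file with creation of new files disabled (read-only for clients).
HARDENED_CONFIG = '''
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure"
'''


def parse_defaults(text: str) -> Dict[str, str]:
    """Parse KEY="value" lines of a Debian-style defaults file into a dict.
    Comments and blank lines are skipped; shlex removes the surrounding quotes."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = " ".join(shlex.split(value))
    return settings


def audit_tftpd_hpa(text: str) -> List[str]:
    """Return human-readable findings for an /etc/default/tftpd-hpa file.

    Without --create (-c) tftpd-hpa only lets clients overwrite files that
    already exist and are writable; --secure (-s) confines the daemon to
    TFTP_DIRECTORY. Both are checked on the split TFTP_OPTIONS value."""
    settings = parse_defaults(text)
    options = shlex.split(settings.get("TFTP_OPTIONS", ""))
    findings: List[str] = []
    if "--create" in options or "-c" in options:
        findings.append("TFTP_OPTIONS allows creation of new files (--create): "
                        "any client can upload arbitrary files without authentication")
    if "--secure" not in options and "-s" not in options:
        findings.append("TFTP_OPTIONS lacks --secure: the daemon is not confined "
                        "to TFTP_DIRECTORY")
    return findings
```

Run audit_tftpd_hpa() over the real file to see which of the two conditions a host meets; a server that must accept uploads should at least point TFTP_DIRECTORY at a location the web server cannot include from.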
We can chain this with the LFI vulnerability that we have already identified, in order to upload malicious PHP code to the target system that will be responsible for returning a reverse shell to us. We will then access this PHP file through the LFI and the webserver will execute the PHP code.
We can either create our own PHP code or use one of the many available PHP reverse shells that can be found online through a Google search.
Clone the PHP reverse shell repository and copy the script to the mrdev home directory.
Then open it using a text editor such as Nano or Vim and edit the IP and port.
After acquiring the local IP, change it in the PHP shell and save it. Then we will upload the file to the remote TFTP server.
Now that the file has been uploaded, we need to start a local Netcat listener on the port that we specified in the reverse shell, in order to catch the connection once it initiates.
Finally, we must find a way to access the uploaded PHP file through the LFI, but we do not know where the file is uploaded on the target system. Thinking back to the passwd file that we read earlier, the TFTP user's home folder is specified as /var/lib/tftpboot. This information can also be found with a quick Google search.
With this information let's try to load /var/lib/tftpboot/shell.php:
Once this command is run our terminal will appear stuck, however, our Netcat listener has caught a connection.
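Every step of this chain leaves a line in the Apache access log: the probe for /etc/passwd, the traversal attempts and finally the include of a file under /var/lib/tftpboot. The following detection script is an added example for this walkthrough, not part of the original post; the access log lines, the client address, timestamps and user agent are constructed, and the list of parameter names treated as include parameters is an assumption.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format access log lines: the request shapes
# mirror the steps above, everything else (address, times, agent) is invented.
SAMPLE_LOG = '''
10.10.14.5 - - [05/Apr/2021:10:01:02 +0000] "GET /?file=home.php HTTP/1.1" 200 1234 "-" "curl/7.74.0"
10.10.14.5 - - [05/Apr/2021:10:01:10 +0000] "GET /?file=/etc/passwd HTTP/1.1" 200 2101 "-" "curl/7.74.0"
10.10.14.5 - - [05/Apr/2021:10:02:33 +0000] "GET /?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2101 "-" "curl/7.74.0"
10.10.14.5 - - [05/Apr/2021:10:05:41 +0000] "GET /?file=/var/lib/tftpboot/shell.php HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.10.14.5 - - [05/Apr/2021:10:06:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

# Query parameters the application uses to select a page; "file" is the one
# seen on this machine, "page" is an assumed common alternative.
INCLUDE_PARAMS = ("file", "page")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_include_value(value: str) -> str:
    """Return a reason string if the parameter value looks like an inclusion
    attack, otherwise an empty string. Percent-decoding happens first so that
    encoded traversal sequences (%2e%2e%2f) are judged on their decoded form."""
    decoded = unquote(value)
    if "\x00" in decoded:
        return "null byte in path"
    if decoded.startswith("/"):
        return "absolute path"
    if ".." in decoded.replace("\\", "/").split("/"):
        return "directory traversal"
    return ""


def find_lfi_attempts(log_text: str) -> List[Dict[str, str]]:
    """Scan access-log lines and report requests whose include parameter
    points at an absolute path or climbs out of the page directory."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl already decodes one layer; classify_include_value decodes
        # again so double-encoded payloads are still caught.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name not in INCLUDE_PARAMS:
                continue
            reason = classify_include_value(value)
            if reason:
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "param": name,
                    "value": unquote(value),
                    "reason": reason,
                    "status": m.group("status"),
                })
    return hits
```

A 200 status on the /etc/passwd request is the strongest signal here: the same request against a patched application would be refused, so alerting on flagged requests that also succeed cuts down noise from scanners probing a non-vulnerable site.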
The received shell is not fully interactive, however, we can make it a bit better by using Python3:
With access to the system as the www-data user, we do not have enough privileges to read the user flag, therefore we need to find a way to move laterally to user Mike, who was also found in the passwd file.
A good place to start our enumeration would be the webserver directory as it often contains configuration files that might include passwords. The web-related files are usually stored in the /var/www/html folder, so that's where we are going to start.
The folder contains two interesting hidden files, .htaccess and .htpasswd. The .htpasswd file is used to store usernames and passwords for the basic authentication of HTTP users. Let's read both files:
The second file contains credentials for user Mike. Oftentimes users re-use the same passwords for multiple services and accounts, and compromising one of them might mean that all of them are compromised.
If user Mike has used the same password for their system account, we might be able to use the su utility to acquire a shell with their privileges.
This is successful and the user flag is located in /home/mike:
Privilege escalation
The next step is escalating to the root user in order to gain the highest privileges on the system. Looking at the groups that user Mike is a member of, the lxd group is listed.
lxd/lxc Group - Privilege Escalation
LXD is a management API for dealing with LXC containers on Linux systems. It will perform tasks for any members of the local lxd group. It does not make an effort to match the permissions of the calling user to the function it is asked to perform.
Digging a little deeper into LXD and searching for the keywords "LXD Exploit" on Google reveals the following information.
A member of the local “lxd” group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package.
This is exactly what we need, and this HackTricks page describes the whole exploitation process step by step. The exploit works by making use of the Alpine image, a lightweight Linux distribution based on BusyBox. After this distribution is downloaded and built locally, an HTTP server is used to upload it to the remote system. The image is then imported into LXD and used to mount the host file system with root privileges.
Let's begin by installing the Go programming language as well as some other required packages.
Then we must clone the LXC Distribution Builder and build it.
After the build is complete let's download the Alpine YAML file and build it:
Once the build is done, lxd.tar.xz and rootfs.squashfs will be available in the same folder:
We cannot serve these files from the current machine, so we first have to send them to the XAMPP server on Windows and then start the Apache server there.
We will now have to transfer these files to the Windows system using a Python HTTP server. Run the following command locally in the same folder:
Download the lxd.tar.xz and rootfs.squashfs files. Once the download is complete, move them to C:\xampp\htdocs.
Now start the Apache server:
Switch back to the reverse shell on the target system and download the files.
Note: As shown previously the local IP can be acquired through the ifconfig command-line utility.
Once the transfer finishes, use the ls command to confirm the files transferred successfully:
The next step is to import the image using the LXC command-line tool:
To verify that the image has been successfully imported we can list the LXD images:
Alpine is correctly shown in the image list. We must now set the security.privileged flag to true, so that the container has all of the privileges that the root file system has. We will also mount the root file system on the container in the /mnt folder.
To access the root flag, we can navigate to the /mnt/root/root folder.
We successfully got the flag, congratulations!
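The two conditions this escalation rests on, membership of the lxd group and a container that is both privileged and has the host's root file system attached as a disk device, are both visible to a defender without touching the exploit. The following audit script is an added example for this walkthrough, not part of the original post or of LXD itself: it reads a constructed /etc/group excerpt (only Mike's lxd membership comes from the page; gids and the other groups are invented) and a constructed "lxc config show" output for a container set up the way the section above describes, and reports the risky settings. The minimal YAML parser only handles the two-level structure shown in that sample.

```python
from typing import Dict, List, Tuple

# Constructed /etc/group excerpt for this example.
SAMPLE_GROUP_FILE = '''\
root:x:0:
sudo:x:27:
www-data:x:33:
lxd:x:108:mike
docker:x:999:
'''

# Constructed "lxc config show <container>" output: privileged, with the
# host's / mounted at /mnt/root, as in the walkthrough.
SAMPLE_LXC_CONFIG = '''\
architecture: x86_64
config:
  image.os: alpine
  security.privileged: "true"
devices:
  hostroot:
    path: /mnt/root
    source: /
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
'''

# Groups whose membership is equivalent to root on the host.
HOST_ROOT_EQUIVALENT_GROUPS = ("lxd", "docker")


def group_members(group_text: str,
                  watch: Tuple[str, ...] = HOST_ROOT_EQUIVALENT_GROUPS) -> Dict[str, List[str]]:
    """Parse /etc/group lines (name:x:gid:member,member) and return the member
    lists of the watched groups; groups with no members map to []."""
    members: Dict[str, List[str]] = {g: [] for g in watch}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue
        name, _, _, member_field = parts
        if name in members:
            members[name] = [m for m in member_field.split(",") if m]
    return members


def parse_lxc_config(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Minimal parser for the two-level YAML printed by lxc config show.
    Returns (config mapping, devices mapping); indentation selects the level."""
    config: Dict[str, str] = {}
    devices: Dict[str, Dict[str, str]] = {}
    section = ""
    device = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        if indent == 0:
            section = key
        elif section == "config" and indent == 2:
            config[key] = value
        elif section == "devices" and indent == 2:
            device = key
            devices[device] = {}
        elif section == "devices" and indent == 4 and device:
            devices[device][key] = value
    return config, devices


def audit_container(text: str) -> List[str]:
    """Findings for one container: privileged mode, and disk devices whose
    source is the host's root file system."""
    config, devices = parse_lxc_config(text)
    findings: List[str] = []
    if config.get("security.privileged", "").lower() in ("true", "1"):
        findings.append("security.privileged=true: root in the container is root on the host")
    for name, dev in devices.items():
        if dev.get("type") == "disk" and dev.get("source") == "/":
            findings.append(f"device '{name}' mounts host / at {dev.get('path', '?')} inside the container")
    return findings
```

In practice the group check is the one to run routinely: once a user is in lxd, the privileged flag and the disk device can be added by that user at any time, so the fix is to keep the group empty and give container management to an account that is already trusted with root.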
TASK Solutions
TASK 1: What service is running on the target machine over UDP?
Ans. TFTP
TASK 2: What class of vulnerability is the webpage that is hosted on port 80 vulnerable to?
Ans. Local File Inclusion
TASK 3: What is the default system folder that TFTP uses to store files?
Ans. /var/lib/tftpboot/
TASK 4: Which interesting file is located in the web server folder and can be used for Lateral Movement?
Ans. .htpasswd
TASK 5: What is the group that user Mike is a part of and can be exploited for Privilege Escalation?
Ans. LXD
TASK 6: When using an image to exploit a system via containers, we look for a very small distribution. Our favorite for this task is named after mountains. What is that distribution name?
Ans. alpine
TASK 7: What flag do we set to the container so that it has root privileges on the host system?
Ans. security.privileged=true
TASK 8: If the root filesystem is mounted at /mnt in the container, where can the root flag be found on the container after the host system is mounted?
Ans. /mnt/root/