Today we’re going to solve another CTF machine, “Inception”. It is now a retired box and is accessible if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: HTTP, HTTP Proxy Squid
  • IP Address: 10.10.10.67
  • Difficulty: Hard

Weakness

  • Bypassing restrictive network filtering
  • dompdf exploitation
  • Reuse of password

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify the target and see what we have behind the IP address.

Since we have two open ports, one being the Squid HTTP proxy and the other Apache, let’s enumerate both.

Enumerate Squid HTTP Proxy

I don’t really know what the purpose of the Squid HTTP proxy is on this box, so let’s find out with some Google research.

We found an msf module, “use auxiliary/scanner/http/squid_pivot_scanning”; after reading its description we found that it can be used to port scan the internal network through the proxy.

Let’s get started!

Great! We see SSH is indeed open, but we don’t know the password for it yet, so we’ll leave it for now and continue enumerating.
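The pivot scan works because the proxy is willing to forward requests to the box’s own loopback addresses and to arbitrary ports; Squid’s http_access rules decide that. As an added example (not from the original page) here is a small Python model of Squid’s first-match http_access evaluation, run against a constructed permissive configuration and a constructed hardened one built from the Safe_ports, SSL_ports and to_localhost ACLs that the stock squid.conf ships with. The addresses, ACL names and rules are assumptions; real Squid evaluates many more ACL types and resolves dst by DNS, which this model does not.

```python
import ipaddress

# Constructed permissive squid.conf (assumption, not the box's real configuration).
WEAK_CONF = """\
acl localnet src 10.10.10.0/24
acl CONNECT method CONNECT
http_access allow all
"""

# Constructed hardened squid.conf using the ACLs the stock squid.conf ships with.
HARDENED_CONF = """\
acl localnet src 10.10.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535
acl CONNECT method CONNECT
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access deny all
"""


def parse_squid_conf(text):
    """Collect acl definitions and http_access rules (order preserved)."""
    acls = {"all": ("all", [])}          # 'all' is built in to Squid
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            kind, values = acls.setdefault(parts[1], (parts[2], []))
            values.extend(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules


def acl_matches(acl, req):
    """Evaluate one ACL against a request dict {src, dst, port, method}."""
    kind, values = acl
    if kind == "all":
        return True
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    raise ValueError("unsupported acl type: " + kind)


def http_access(conf_text, req):
    """Squid-style first-match evaluation: a rule fires when all its terms match."""
    acls, rules = parse_squid_conf(conf_text)
    for allow, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            if acl_matches(acls[term.lstrip("!")], req) == negate:
                break               # this term failed; try the next rule
        else:
            return allow
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return not rules[-1][0] if rules else False


def compare(req):
    """Return (weak_decision, hardened_decision) for one request."""
    return http_access(WEAK_CONF, req), http_access(HARDENED_CONF, req)


if __name__ == "__main__":
    ssh_via_proxy = {"src": "10.10.10.50", "dst": "127.0.0.1", "port": 22, "method": "CONNECT"}
    print("CONNECT to localhost:22 (weak, hardened):", compare(ssh_via_proxy))
```

The decisive lines are `deny !Safe_ports` and `deny to_localhost`: the first refuses non-standard ports such as 22 outright, the second refuses anything aimed at the proxy host itself. The stock squid.conf ships `http_access deny to_localhost` commented out, with a comment recommending it be enabled to protect services on the proxy host that assume only local users can reach them.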

We also have Apache running, so after browsing to it we got the following.

We start gathering information manually first, checking some initial things such as the page source code, robots.txt and directory enumeration.

We found a comment left by a developer: <!-- Todo: test dompdf on php 7.x -->

We have two keywords, test and dompdf. Assuming these could be directories, we tested both and found that dompdf is an actual directory.

After navigating through some directories we found nothing. After that, I did some Google research about dompdf and found out that it’s an “HTML to PDF converter”. I then ran searchsploit and found 3 exploits, one of them for version 0.6.0.

And inside the /dompdf directory there is a VERSION file, which says 0.6.0.

And so we have our exploit, “dompdf 0.6.0 – ‘dompdf.php’ ‘read’ Parameter Arbitrary File Read”. Now let’s test it.

This is an example URL:

If we take a look, the URL uses the convert.base64-encode filter, so we can expect the output to be base64 encoded. Let’s test it with the /etc/passwd file.

If you browse to this URL it will download a PDF, but to be quick we can use curl instead.

Since the output is base64 encoded, we can easily decode it with the command below.

And we have this uncommon user, cobb:x:1000:1000::/home/cobb:/bin/bash, so this will be our primary target.

We can’t do much more with this exploit, but we can look around for some interesting files such as the default virtual host file.

Doing this manually takes time, so let’s create a Python script first.

We can simply run this script with the file to read as a parameter.
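On the defensive side, every one of these reads leaves a distinctive trace in the web server’s access log: a request to dompdf.php whose query string carries a php:// stream wrapper, a traversal sequence, or an absolute system path. The following Python script, added here as an example and not part of the original walkthrough, parses a few constructed Apache combined-format log lines (the addresses, timestamps and the input_file parameter name are assumptions) and reports such attempts per source address, percent-decoding values first so encoded variants are not missed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines (addresses, timestamps and the input_file
# parameter name are assumptions, not data from the original page).
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2018:12:01:07 +0000] "GET /dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 3412 "-" "curl/7.58.0"
10.10.14.5 - - [10/Mar/2018:12:01:20 +0000] "GET /dompdf/dompdf.php?input_file=php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D%2Fetc%2Fapache2%2Fsites-enabled%2F000-default.conf HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
10.10.14.9 - - [10/Mar/2018:12:02:01 +0000] "GET /dompdf/dompdf.php?input_file=../../../../etc/passwd HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Mar/2018:12:02:30 +0000] "GET /dompdf/dompdf.php?input_file=/var/www/html/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2018:12:03:44 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2018:12:04:10 +0000] "GET /dompdf/www/examples.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

STREAM_WRAPPER = re.compile(r'^(?:php|file|data|expect|zip|phar|glob)://', re.I)
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
SENSITIVE_PREFIXES = ("/etc/", "/var/", "/proc/", "/home/", "/root/")


def classify_value(value):
    """Return why a query value looks like a local file read, or None if it does not."""
    v = unquote(value)                     # catch double-encoded variants too
    if STREAM_WRAPPER.search(v):
        return "php stream wrapper"
    if TRAVERSAL.search(v):
        return "path traversal"
    if v.startswith(SENSITIVE_PREFIXES):
        return "absolute system path"
    return None


def find_file_read_attempts(log_text, script_name="dompdf.php"):
    """Return one record per suspicious query parameter on requests to script_name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/" + script_name):
            continue
        # parse_qsl splits on the first '=' and percent-decodes each value once
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                hits.append({"ip": m.group("ip"), "param": key,
                             "resource": unquote(value), "reason": reason,
                             "status": int(m.group("status"))})
    return hits


def attempts_by_ip(log_text):
    """Count file-read attempts that the server answered with HTTP 200, per source."""
    counts = {}
    for hit in find_file_read_attempts(log_text):
        if hit["status"] == 200:
            counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_file_read_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["reason"], hit["resource"])
    print(attempts_by_ip(SAMPLE_LOG))
```

A 200 status on these lines means the read succeeded, which is what makes the per-address count useful for triage; a scripted loop like the one described above shows up as a burst of such hits from a single source within a short window.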

After checking some default files, we find that the Apache default host file references a hidden directory, which a directory enumeration tool probably wouldn’t have been able to find.

AuthUserFile /var/www/html/webdav_test_inception/webdav.passwd

If you browse to it, it asks for credentials, which we don’t have yet! But we have read access through the LFI exploit 🙂

Now we have found our creds, but the password is hashed with MD5.

Let’s crack this MD5 hash.

And now we have our username, webdav_tester, and the password, babygurl69.

Using the previously obtained credentials, it is possible to log into the WebDAV instance at /webdav_test_inception; however, it returns 403 Forbidden. Using the same credentials, it is possible to upload a PHP script to the WebDAV directory to obtain remote code execution. This can be achieved in multiple ways, but using cURL is likely the easiest.

Since we can’t get a reverse shell, we’re instead going to upload a web shell and operate it through the URL.

After navigating around some directories we found the wordpress_4.8.3 directory, but we don’t have permission to read it. Remember, though, that we can read the wp-config.php file through the LFI exploit.

So now we have found the MySQL password. We don’t really know its purpose right now, but we can assume it might be reused as the SSH password.

If you remember, we found an open SSH port through the internal scan, but we don’t yet know how to connect to it. Let’s figure it out together.

After some Google searching I found a simple method to tunnel through the proxy by adding the Squid proxy to /etc/proxychains.conf.

After adding that line to the bottom of proxychains.conf, let’s try connecting now!

Privilege Escalation

Now that we have user access, we’re going after the root.txt flag. We can gather information by running enumeration scripts, but before that we should do some manual research.

I did sudo -l and got this output.

Since we have permission to run sudo, we can easily su to root.

This is what we got instead of our flag.

“You’re waiting for a train. A train that will take you far away. Wake up to find root.txt.”

I thought maybe it was renamed to something else or hidden somewhere, but unfortunately no luck. Now it’s time to run an enumeration script! When I did wget, I noticed something strange.

Then I noticed we’re on a different machine here! Now we have to enumerate more.

If we check netstat -ant, we see something interesting.

We see another IP address, 192.168.0.1, connected to the Squid port on the box we are currently on.

Also, if you run this:

It says 192.168.0.1 is our gateway! Let’s find out more about it.

We can use nc to port scan.

Interestingly, we found these ports open.

Scan UDP ports using nc

We can successfully connect to FTP using the anonymous:anonymous login.

We are also able to download most files, but we are not able to put anything on the system through FTP. We don’t have much freedom here, so we’re limited to enumerating manually.

Inside the /etc directory we have some interesting files:

get passwd
get crontab
cd default
get tftpd-hpa

We can see from the crontab that the apt update command is run every 5 minutes.

Now, read this: https://www.cyberciti.biz/faq/debian-ubuntu-linux-hook-a-script-command-to-apt-get-upgrade-command/

Let’s create our SSH key first.

Now we have to upload our public key using tftp.

Success! Now we need to chmod the file’s permissions, otherwise it will be ignored by SSH. Let’s set up our apt hook file with the following:

We have to wait, since the cron job runs every 5 minutes.

Done! 🙂 We’re root now!
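From the defender’s side, the chain above needs two things: a TFTP daemon that accepts uploads into a directory apt trusts, and a cron-driven apt run that honours hook scripts from apt.conf.d. The following Python script, an added example that is not from the original page, audits both. It parses APT::Update and DPkg Pre/Post-Invoke hooks from a constructed apt.conf.d directory (file names, commands and the /srv/tftp path are assumptions), flags hook files that are group/world writable or not owned by root and hook commands that live outside the system directories, and checks whether a constructed /etc/default/tftpd-hpa passes --create, the in.tftpd option that lets clients create new files.

```python
import os
import re
import stat
import tempfile

# Hook keys that apt/dpkg run as shell commands (see apt.conf(5)).
HOOK_KEYS = re.compile(
    r'\b(APT::Update::(?:Pre|Post)-Invoke(?:-Success)?|DPkg::(?:Pre|Post)-Invoke)\b', re.I)

# Directories where a hook's executable is expected to live; anything else is reported.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/etc/", "/lib/")


def hook_commands(conf_text):
    """Return (hook_key, command) pairs found in apt.conf-style text.

    Handles both  Key {"cmd1"; "cmd2";};  and  Key:: "cmd";  spellings.
    """
    found = []
    for m in HOOK_KEYS.finditer(conf_text):
        rest = conf_text[m.end():]
        scalar = re.match(r'\s*::\s*"([^"]*)"', rest)
        if scalar:
            found.append((m.group(1), scalar.group(1)))
            continue
        block = re.match(r'\s*\{([^}]*)\}', rest, re.S)
        if block:
            for cmd in re.findall(r'"([^"]*)"', block.group(1)):
                found.append((m.group(1), cmd))
    return found


def audit_apt_hooks(conf_dir):
    """Walk an apt.conf.d directory and report every hook with its risk indicators."""
    findings = []
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        st = os.stat(path)
        file_issues = []
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            file_issues.append("hook file writable by group/other")
        if st.st_uid != 0:
            file_issues.append("hook file not owned by root")
        for hook, cmd in hook_commands(text):
            issues = list(file_issues)
            exe = cmd.split()[0] if cmd.split() else ""
            if not exe.startswith(TRUSTED_PREFIXES):
                issues.append("hook executable outside system directories")
            findings.append({"file": name, "hook": hook, "command": cmd, "issues": issues})
    return findings


def tftp_allows_upload(default_file_text):
    """True if an /etc/default/tftpd-hpa file passes --create (or -c) to in.tftpd."""
    for line in default_file_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("TFTP_OPTIONS="):
            opts = line.split("=", 1)[1].strip().strip("\"'").split()
            return any(o == "--create" or
                       (o.startswith("-") and not o.startswith("--") and "c" in o[1:])
                       for o in opts)
    return False


def build_sample_conf_dir():
    """Create a constructed apt.conf.d directory (sample data, not from a real host)."""
    d = tempfile.mkdtemp(prefix="apt.conf.d-")
    samples = {
        "20auto-upgrades": ('APT::Periodic::Update-Package-Lists "1";\n', 0o644),
        "50hooks": ('DPkg::Post-Invoke {"/usr/local/sbin/refresh-cache.sh";};\n', 0o644),
        # World-writable file whose hook points into the TFTP root: the pattern to catch.
        "99local": ('APT::Update::Pre-Invoke:: "/srv/tftp/pre-invoke.sh";\n', 0o666),
    }
    for name, (text, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    for f in audit_apt_hooks(build_sample_conf_dir()):
        print(f["file"], f["hook"], f["command"], "; ".join(f["issues"]) or "ok")
    print("tftp uploads enabled:", tftp_allows_upload('TFTP_OPTIONS="--secure --create"'))
```

Run on a real host, point audit_apt_hooks at /etc/apt/apt.conf.d and tftp_allows_upload at the contents of /etc/default/tftpd-hpa; any hook whose file or executable can be written by a non-root user turns the unattended apt cron job into a privilege escalation path, and a TFTP root that overlaps those locations is exactly the combination used above.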