Doctor - Vulnyx Writeup
Machine Info
Doctor was an Low rated Linux machine on Vulnyx, involved exploiting Path Traversal Vulnerability to read encrypted id_rsa key which then be cracked using john to get initial access on the box. For privilege Escalation, we will abuse write permission on /etc/passwd file to gain access to root.
User
Scanning through Nmap
First of all we will go with nmap to scan the whole network and check for services running on the network. To scan the whole network and find all the open ports i use -p- used to scan the whole 65535 ports with –min-rate 10000 to scan network faster from nmap and i found a list of open ports on the network and get only the open ports using different terminal tools like cut, tr etc.
1
2
$ nmap -p- --min-rate 10000 192.168.190.135 -oN ini.txt && cat ini.txt | cut -d ' ' -f1 | tr -d '/tcp' | tr '\n' ','
22,80
Now Let’s run the depth scan on these specific ports using
1
$ nmap -p22,80 -sC -sV -A -T4 192.168.190.135 -oN scan.txt
- -sC is to run all the default scripts
- -sV for service and version detection
- -A to check all default things
- -T4 for aggressive scan
- -oN to write the result into a specified file
1
2
3
4
5
6
7
8
9
10
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
| 256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_ 256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Docmed
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Information Gathering
Through Nmap, we found two open ports, 22 SSH version 7.9p1, on port 80 HTTP Apache 2.4.38 is running on web server. SSH version also reveals that there is a Debian based OS running on the machine.
Port 80 HTTP
On web server, there is some kind of Hospital website is running. They are providing healthcare services.
On doctors tab on navbar, developer is accessing Doctor.html file directly in include function. which is vulnerable to Path Traversal or Directory Traversal vulnerability. The attacker can change the path of file to access any other sensitive file without any permission. The below code is describing the working behind the application.
1
2
$file = $_GET['file'];
include($file);
Exploiting Path Traversal
Let’s try to read the /etc/passwd file which is a file in Linux like systems, that hold the username and their role on the system. Our exploit worked, we can read our user.txt flag directly from here or later after getting shell on the box.
Reading id_rsa
We can also try to read id_rsa file from the system. In SSH, id_rsa is a private key used to sign and authenticate connection on remote server. The path to id_rsa is /home/username/.ssh/id_rsa. From /etc/passwd file, we found our current user is admin. Let’s get it’s private key and save it in a file.
Cracking id_rsa key
The private key is encrypted with DES-EDE3-CBC, which is described on the 2nd line of key. Let’s try to crack it. We will use tool called ssh2john to convert this rsa key to the understandable hash for john, password cracking tool.
After cracking the hash using john with format ssh, we found the key as unicorn.
1
$ john --format=ssh hash.txt -w /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Initial Access
Now, we have both the key and the encrypted RSA key. We will first decrypt it and then parse to server to gain shell on the box. We will use tool called openssl to decrypt the key and save it to decrypted id_rsa key file and give it read and write permissions using chmod. OpenSSL is an open-source command line tool that is commonly used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information.
1
2
$ openssl rsa -in id_rsa.enc -out id_rsa
$ chmod 600 id_rsa
Now get a shell on the box using the decypted private key.
1
$ ssh -i id_rsa admin@192.168.190.135
Privilege Escalation
For enumeration on box, we will be using linpease.sh from Linux Privilege Escalation Awesome Scripts.. LinPEAS is an open-source script designed to automate the process of searching for potential privilege escalation vulnerabilities on Linux/Unix/macOS systems.
Linpeas reveals that we have write permissions on /etc/passwd file The /etc/passwd file stores user account information for each user on the system. Each line in the file represents a single user account. Each line in the /etc/passwd file consists of several fields separated by colons (:). The second filed in /etc/passwd file is for hashed password for each user, which is stored in /etc/shadow file. If someone has write permission on /etc/passwd file, he can insert his own password for any of the user on the system and can get access to his account. refrence
Let’s make this attack practical. First create a password with openssl and the paste it in the /etc/passwd file against the entry of root user.
1
2
$ openssl passwd iamroot
$1$lmiGWtxa$zCNKkATEazyjE0nMDOaQH/
Now use su to get shell as a root user on the box and you can see we got root user on the box.
Mitigation
For Path traversal vulnerability, use basename() and realpath() functions. The basename() function returns only the filename part of a given path/filename: basename("../../../etc/passwd") = passwd. The realpath() function returns the canonicalized absolute pathname but only if the file exists and if the running script has executable permissions on all directories in the hierarchy: realpath("../../../etc/passwd") = /etc/passwd.
1
2
$file = basename(realpath($_GET['file']));
include($file);
For root remove write permissions on /etc/passwd file for everyone except root user itself.