Included (Tier 2)
Last updated
Was this helpful?
Last updated
Was this helpful?
Tier -> 2
Difficult -> Very Easy
OS -> Linux
Tags -> PHP / Custom Applications / Protocols / Apache / TFTP / LXD / Reconnaissance / Local File Inclusion / Clear Text Credentials / Arbitrary File Upload
With this, I answered the first questions
Answer: 22,6789,8080,8443
Then to learn more about the service running in the open port, I did an exhaustive scan
As I found an HTTP service running on port 80, I went to the browser to explore the content being deployed. I found a simple page for a business with anything relevant. What caught my attention was that the URL was retrieving the file of the page with a query, and maybe this could be vulnerable to a Local File Inclusion attack
So I tried to change the file name to a route of a file from the system, in this case, the well-known /etc/password file, and noticed it let me see the content of this file, being, in fact, vulnerable to Local File Inclusion as I thought. Also checking the information from the file, I saw that in the system existed a profile named tftp which is the default for the TFTP protocol, also giving me the route to the folder where its configuration files should be
So, to confirm the system was using this protocol, I did a scan on the UDP ports of the system as this protocol usually works over UDP, and our previous scan didn't detect the service. With this, I found that the protocol was being used under its default port, the UDP port 69
With this, we answered the first questions
Answer: tftp
Answer: Local File Inclusion
Answer: /var/lib/tftpboot/
Knowing this, I tried connecting to the protocol and submitting a reverse shell script for PHP as this protocol doesn't let me list shared files, just download them or upload them. As it didn't give us any error we closed the connection assuming the file was on the server
As I gained access as the user from the web server, I had to find a way to make lateral movement to another user on the system with less restricted actions. First, I went to explore the default folder for servers /var/www/html, and looking at the hidden files found the .htaccess and .htpasswd files, which are related to the server configuration and usually store sensitive information
With this, I answered the next question
Answer: .htpasswd
So checking the content of the .htpasswd file, I found the credentials for the mike user were being leaked, and after trying to change to this user using them, I successfully logged in. Then, I went to its /home folder where I found a user.txt file, and reading it, retrieved the user flag
With this, I answered the next question
Answer: lxd
With this, I answered the next question
Answer: Alpine
After this, I imported the image, and created a container using it, specifying high privileges and mounting the filesystem of the target inside it. Then, I started the container to interact with it
With this, I answered the next question
Answer: security.privileged=true
With all this created, I generated a shell from the container having now access as the root user to the complete filesystem. By last, I went to the mount point on the /mnt/root folder where I found a root.txt file, and reading its content retrieved the root flag
With this and the previously found user flag, I answered the last questions
Answer: /mnt/root/
Answer: a56ef91d70cfbf2cdb8f454c006935a1
And finally, I got the root flag and pwned the machine
Answer: c693d9c7499d9f572ee375d4c14c7bcf
I started doing an initial scan using
To learn more about the HTTP protocol you can go
To learn more about Local File Inclusion exploitation you can go
To learn more about the TFTP protocol you can go
Then, I set up a listener to be aware of the connection and called the script from the previously found folder where TFTP was storing its files. After hitting the direction, I noticed the page kept loading and I had successfully caught a shell from the target. Then, I sanitized the terminal to work more comfortably with it
To learn more about the abuse of exposed .htaccess or .hthtpasswd files, you can go
I needed to find a way to escalate privileges so I tried to check the sudo permissions for the user but didn't have any. After checking some information like local running services, and special permissions on files, the only relevant thing I found was that the user was part of the lxd group. So, with a little , I understood the use of lxd as a tool for creating containers of operating systems. So, I checked if this tool was installed on the system and it was
With this information, I searched for possible exploits of this tool and found an interesting with a guide to do it. So, following the guide, I got an image for the Alpine operating system and mounted a server to pass it from our machine to the target host. Then, I downloaded it and checked that it was on the target
To learn the complete process for the privilege escalation abusing lxd you can go
