sec👨‍💻fortress:~#

Defensive By Offensive!.

View on GitHub

Filmsy | PG Practice


No more flimsy excuses

Author: Ven3xy

Released on: Aug 30, 2022

Walkthrough: Yes


Running our nmap scan we have 3 open ports

# Nmap 7.94SVN scan initiated Sun Feb 25 05:01:41 2024 as: nmap -p- -T4 -v --min-rate=1000 -sCV -oN nmap.txt 192.168.194.220
Increasing send delay for 192.168.194.220 from 0 to 5 due to 234 out of 584 dropped probes since last increase.
Warning: 192.168.194.220 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.194.220
Host is up (0.16s latency).
Not shown: 42087 closed tcp ports (conn-refused), 23445 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp   open  http    OpenResty web app server 1.21.4.1
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Welcome to OpenResty!
|_http-server-header: openresty/1.21.4.1
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 25 05:06:06 2024 -- 1 IP address (1 host up) scanned in 265.30 seconds

Navigating to port 80/HTTP we have a web application running on openresty version 1.21.4.1

Viewing page source we don’t have any important/juicy information :(

We can’t also connect via mysql as it does not allow us, whereas running my nmap scan once more i discovered 2 new open ports 🙃 (Always run your nmap scan twice while playing PG)

# Nmap 7.94SVN scan initiated Sun Feb 25 05:45:03 2024 as: nmap -p- -T4 -v --min-rate=1000 -sCV -oN nmap.txt 192.168.194.220
Warning: 192.168.194.220 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.194.220
Host is up (0.15s latency).
Not shown: 58065 closed tcp ports (conn-refused), 7465 filtered tcp ports (no-response)
PORT      STATE SERVICE             VERSION
22/tcp    open  ssh                 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp    open  http                OpenResty web app server 1.21.4.1
|_http-server-header: openresty/1.21.4.1
| http-methods: 
|_  Supported Methods: HEAD
|_http-title: Welcome to OpenResty!
3306/tcp  open  mysql               MySQL (unauthorized)
9443/tcp  open  ssl/tungsten-https?
43500/tcp open  http                OpenResty web app server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_http-server-header: APISIX/2.8
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 25 05:48:18 2024 -- 1 IP address (1 host up) scanned in 194.58 seconds

Checking port 9443 we have this page which occurs when a browser sends a request to a web server that the server cannot understand or process correctly

Checking port 43500 we have this page, saying Route no found

However enumerating the http-server-header: APISIX/2.8 i found there is an exploit for this on exploit-db that leads to a Remote Code Execution vulnerability

Checking crontab we can see that the user root runs apt-get update every minute

We can create our own apt pre-invoke script in the /etc/apt/apt.conf.d/ where the scripts are generally kept, first let’s confirm if we have write access to this directory

Yes we do have write access, using this article as a guide i created a file named 00whatever and put the below payload to grant the /root directory all permissions for all users

APT::Update::Pre-Invoke {"chmod -R 777 /root"};

Running the below command we can see that we truly do have access

we can then regain the proof.txt flag as a normal user

GG