Sorcerer

Writeup for Sorcerer from OffSec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.197.100 all

Service Enumeration

HTTP (Port 80)

Dead end: gobuster turned up nothing interesting here.

HTTP (Port 8080)

gobuster dir -u http://192.168.197.100:8080/ -w /usr/share/dirb/wordlists/common.txt -t 40

Another dead end.

HTTP (Port 7742)

Notice there are interesting files at /default/ and /zipfiles/.

Exploit

We can download all the files and take a look at what's inside.

Using ls -laR, we can see that max has some interesting files.

Looking at the authorized_keys file, we can see that scp_wrapper.sh is set as the forced command for max's key, so it runs whenever someone authenticates with that key over SSH.

Let's take a look at this scp_wrapper.sh.

We can gather a few things from the script. When max connects over SSH, the wrapper only lets him run commands that start with scp.

Since scp itself runs over SSH, we can use max's id_rsa to connect and overwrite scp_wrapper.sh with something that gives us an interactive shell.

We can then edit the scp_wrapper.sh file to include the command 'bash'.

We can now connect by SCP and transfer the edited wrapper file using the following command:

scp -i /home/kali/PG/sorcerer/max-home/max/.ssh/id_rsa /home/kali/PG/sorcerer/max-home/max/scp_wrapper.sh max@192.168.197.100:/home/max/scp_wrapper.sh
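The wrapper could be replaced because the forced-command script lived in max's own home directory, where the holder of max's key can overwrite it over scp. As an added defender-side check that is not part of the original writeup, the audit below flags every command="..." forced command in an authorized_keys file whose script sits under the key owner's home or is group/other writable; the fixture, paths and key material are constructed assumptions, and it relies on GNU stat.

```shell
# audit_forced_commands <authorized_keys> <key_owner_home>
# Flags each command="..." forced command whose script the key owner could
# replace: it lives under their home directory, or it is group/other writable.
# Assumes GNU stat (Linux). Added example, not code from the writeup.
audit_forced_commands() {
    keys="$1"
    home="$2"
    # Extract the quoted forced command from every key line that carries one.
    sed -n 's/.*command="\([^"]*\)".*/\1/p' "$keys" | while IFS= read -r cmd; do
        script="${cmd%% *}"            # first word is the script/interpreter path
        case "$script" in
            "$home"/*) echo "INSECURE $script (inside key owner's home)"; continue ;;
        esac
        if [ ! -e "$script" ]; then
            echo "MISSING $script (forced command does not exist)"
            continue
        fi
        perm=$(stat -c '%A' "$script")  # symbolic mode, e.g. -rwxr-xr-x
        case "$perm" in
            ?????w*|????????w*) echo "INSECURE $script (group/other writable: $perm)" ;;
            *) echo "OK $script ($perm)" ;;
        esac
    done
}

# Constructed fixture mirroring the layout found on the box: max's key forces
# a wrapper stored in max's own home. Key material is a placeholder.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/max/.ssh" "$root/usr/local/bin"
    for f in home/max/scp_wrapper.sh usr/local/bin/scp_wrapper.sh usr/local/bin/loose_wrapper.sh; do
        printf '#!/bin/sh\n# stand-in wrapper\n' > "$root/$f"
        chmod 755 "$root/$f"
    done
    chmod 777 "$root/usr/local/bin/loose_wrapper.sh"   # deliberately sloppy permissions
    {
        printf 'command="%s/home/max/scp_wrapper.sh",no-pty ssh-rsa AAAAPLACEHOLDER max@sorcerer\n' "$root"
        printf 'command="%s/usr/local/bin/scp_wrapper.sh",no-pty ssh-rsa AAAAPLACEHOLDER max@sorcerer\n' "$root"
        printf 'command="%s/usr/local/bin/loose_wrapper.sh" ssh-rsa AAAAPLACEHOLDER max@sorcerer\n' "$root"
        printf 'ssh-rsa AAAAPLACEHOLDER nocommand@sorcerer\n'
    } > "$root/home/max/.ssh/authorized_keys"
    echo "$root"
}

FIXTURE=$(make_fixture)
audit_forced_commands "$FIXTURE/home/max/.ssh/authorized_keys" "$FIXTURE/home/max"
rm -rf "$FIXTURE"
```

Run it against a real ~/.ssh/authorized_keys and the account's home to get the same INSECURE/OK/MISSING lines; a safe forced command is root-owned, outside any user-writable directory and not group/other writable.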

We then find a user dennis, whose home directory contains local.txt.

Privesc

We can transfer LinEnum.sh to the machine by serving it with Python's SimpleHTTPServer.

LinEnum shows an interesting SUID file - start-stop-daemon.

A quick search on GTFOBins shows us the exact command to run to get root.

/usr/sbin/start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p