badwidth
####By b13ss3d####
Last updated
There's also a video version available if you prefer.
Port Scanning
We begin our reconnaissance with a port scan using Rustscan to identify active services:
After identifying the open port, we use Nmap to gather detailed information about the service:
Nmap command options explained:
-p <ports>: scan only the specified port(s).
-sCV: combines the options -sC and -sV.
-sC: equivalent to --script=default.
-sV: probe open ports to determine service/version info.
-n: never do DNS resolution.
-v: increase verbosity level.
-oN <file>: output scan in normal format.
The scan reveals a web server running on port 1337. Let's investigate the website's content using a web browser:
When accessing the web server on port 1337, we encounter a message indicating the need to send an ifname parameter via a POST request.
Gaining Initial Access
To send the POST request, we'll use curl as follows:
I didn't specify a method because curl uses POST by default when using the -d flag.
The response simply says "Used interface" and echoes the content we sent using the ifname parameter, regardless of what we sent.
Command Injection
After trying various techniques, I realized we can inject commands, but we cannot see their output. We can use one of two techniques to confirm that the injected command is being executed:
Ping usage:
We can use tcpdump to "listen" for ICMP packets on the tun0 interface, as shown in the following image:
Then we make a ping from the target to our IP.
We then receive the ping coming from the target.
HTTP server:
We can set up a basic HTTP server using Python with the command python3 -m http.server 80, then use curl on the target to make a request to our server, like this:
And we have received the request:
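The injection works because the ifname value is handed to a shell unmodified. The following Python code is an added example, not code from the challenge or this writeup; it shows the unsafe string-building pattern next to a hardened handler that applies a strict allowlist (assumed here: Linux interface names of at most 15 characters built from letters, digits, dot, underscore and hyphen) and passes the value as a single argv element so no shell ever parses it. The `ip link show` command and the function names are assumptions for the example.

```python
import re
import subprocess
from typing import Dict, List

# Assumed allowlist for this example: Linux caps interface names at 15 bytes
# (IFNAMSIZ - 1); the character set here is deliberately conservative.
IFNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,14}")


def build_shell_command_vulnerable(ifname: str) -> str:
    """Mirror the unsafe pattern: interpolate user input into a shell string.

    This only BUILDS the string so the example can show what a shell would
    see; nothing is executed here. Any metacharacter in `ifname` (';', '|',
    '$(', backticks, newline) becomes part of the command line.
    """
    return f"ip link show {ifname}"


def is_valid_ifname(ifname: str) -> bool:
    """Strict allowlist check; fullmatch rejects trailing newlines and empties."""
    return IFNAME_RE.fullmatch(ifname) is not None


def build_argv_hardened(ifname: str) -> List[str]:
    """Validate first, then build an argv list that never touches a shell."""
    if not is_valid_ifname(ifname):
        raise ValueError(f"rejected interface name: {ifname!r}")
    return ["ip", "link", "show", ifname]


def query_interface(ifname: str) -> str:
    """Hardened handler: allowlist + argv list (shell=False is the default)."""
    argv = build_argv_hardened(ifname)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


def classify_payloads(payloads: List[str]) -> Dict[str, bool]:
    """Return {payload: accepted} for a batch of candidate inputs."""
    return {p: is_valid_ifname(p) for p in payloads}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate names and a few malformed ones.
    sample = ["eth0", "tun0", "eth0; id", "$(id)", "eth0\n", "a" * 16]
    for payload, ok in classify_payloads(sample).items():
        print(f"{payload!r:>20} -> {'accepted' if ok else 'rejected'}")
        if not ok:
            print(f"{'':>20}    shell would have seen: "
                  f"{build_shell_command_vulnerable(payload)!r}")
```

The allowlist is the primary control; passing an argv list instead of `shell=True` is the second layer, so even a value that slips past validation cannot be re-parsed by a shell. Logging the rejected values (without executing anything) gives a cheap detection signal for this class of probing.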
Gaining Initial Access
Now that we know we can execute commands, let's get a reverse shell. First, set up a netcat listener on your machine with the command nc -nlvp 443. Then send the shell using the command injection:
We have received the connection from the target.
Here, we need to upgrade this to a fully interactive shell, so follow these steps:
1. Execute: script /dev/null -qc bash
2. Press CTRL + Z
3. Run: stty raw -echo;fg
4. Execute: reset xterm and press Enter
5. Finally execute: export TERM=xterm
With this we have a fully interactive shell as ETSCTF:
Privilege escalation
If we execute sudo -l, the output indicates that we can execute /usr/local/bin/n158 as any user without a password.
There's a PoC (Proof of Concept) that demonstrates how to inject commands:
Let's use this to set the SETUID and SETGID permissions on bash, which will allow us to execute it in privileged mode:
The bash binary now has these permissions:
By simply executing bash -p, we have now become root:
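A setuid/setgid bash is exactly the kind of change a host audit should catch. The following Python code is an added example, not part of the writeup or the challenge: it parses the output shape of `find / \( -perm -4000 -o -perm -2000 \) -type f -printf '%m %p\n'` (a constructed sample is embedded), compares each entry against an assumed known-good baseline, and separately flags shells and interpreters that carry the special bits at all. The baseline set and the shell list are assumptions for the example.

```python
import stat
from typing import Dict, List, Tuple

# Assumed known-good baseline of setuid binaries for a hypothetical host.
# In practice this is captured from a trusted image, not hand-written.
EXPECTED_SETUID = {
    "/usr/bin/sudo",
    "/usr/bin/passwd",
    "/usr/bin/su",
    "/usr/bin/mount",
    "/usr/bin/umount",
}

# Shells and interpreters that should never carry setuid/setgid bits.
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "python3", "perl"}

# Constructed sample in the shape of `find ... -printf '%m %p\n'` output.
SAMPLE_FIND_OUTPUT = """\
4755 /usr/bin/sudo
4755 /usr/bin/passwd
4755 /usr/bin/su
6755 /bin/bash
4755 /usr/bin/mount
4755 /usr/local/bin/n158
"""


def parse_find_output(text: str) -> List[Tuple[int, str]]:
    """Parse 'octal-mode path' lines into (mode, path) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        mode_str, path = line.split(maxsplit=1)
        entries.append((int(mode_str, 8), path))
    return entries


def audit_setuid(entries: List[Tuple[int, str]],
                 expected=EXPECTED_SETUID) -> Dict[str, List[str]]:
    """Flag special-bit files not in the baseline and any setuid/setgid shell."""
    findings: Dict[str, List[str]] = {"unexpected": [], "setuid_shell": []}
    for mode, path in entries:
        if not (mode & stat.S_ISUID or mode & stat.S_ISGID):
            continue
        name = path.rsplit("/", 1)[-1]
        if name in SHELL_NAMES:
            findings["setuid_shell"].append(path)
        if path not in expected:
            findings["unexpected"].append(path)
    return findings


if __name__ == "__main__":
    result = audit_setuid(parse_find_output(SAMPLE_FIND_OUTPUT))
    for category, paths in result.items():
        for p in paths:
            print(f"[{category}] {p}")
```

Run periodically and diffed against the previous run, this turns a `chmod u+s` on a shell into an alert; pairing it with file-integrity monitoring on the baseline binaries closes the gap where an attacker replaces an expected setuid binary instead of adding one.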
Flag Locations
The flags can be found in the following locations:
/root
/etc/passwd
/etc/shadow
Searching for vulnerabilities related to this, we found .