Vault: Command Injection Walkthrough
A company in Kenya called CyberSpace KE has been releasing a challenge each week, and last week they released a boot2root machine running a web application that was vulnerable to command injection. If you are new to this type of vulnerability, in layman's terms it is a vulnerability that allows an attacker to run system commands through a vulnerable web application. You exploit the vulnerability and get a shell on the box; looking around, you find some encoded credentials that let you escalate your privileges to a different user, and you find that this specific user can run python as the root user. Drop to a python shell and use the os library to spawn a root shell on the system. In my opinion it was a simple challenge. And since this is a box found in the real world, we'll do some port forwarding with ngrok to get a shell back to our box. I haven't really done this before on the blog, so it should be interesting. Without much further ado, let's jump in.
As always we are going to start off with an nmap scan of the box. I ran a full TCP port scan on the box and found two open ports.
I ran default script and service scans on those open ports, and one came back as an HTTP server.
As we all know, HTTP always has a bigger attack surface, and therefore that's where I started to enumerate.
Opening the website, we get a standard webpage with a text box that lets the user type a command.
I tried running simple OS commands to see if it would work.
And voila, we have code execution on the site. Next we need to get a reverse shell on the box, and since this is a real-world scenario we don't have any VPN keys, so we'll need to do some port forwarding with ngrok.
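The root cause the walkthrough exploits, as an added example that is not part of the original post and not the challenge's own code (the application's language and the ping-style command are assumptions): an injectable handler beside a hardened version that validates the input and never hands it to a shell.

```python
import re
import subprocess

# Hostname grammar: labels of letters, digits and hyphens, no leading hyphen,
# so option injection ("-c") and shell metacharacters (; | & ` $ ( ) < > newline)
# are rejected before the value reaches any command.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def naive_command(host: str) -> str:
    """The injectable pattern: user input concatenated into a shell string.

    Handed to the shell (e.g. os.system / subprocess with shell=True), anything
    after a ';' or '|' in `host` runs as a separate command. Shown for contrast only.
    """
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Allow-list validation: raise on anything that is not a plain hostname."""
    if not HOST_RE.match(host):
        raise ValueError("invalid hostname")
    return host


def safe_ping_argv(host: str) -> list:
    """Build an argument vector; with shell=False there is no shell to inject into."""
    return ["ping", "-c", "1", validate_host(host)]


def handle_ping_request(form: dict) -> dict:
    """Web-handler shape (hypothetical): reject bad input instead of running it."""
    try:
        argv = safe_ping_argv(form.get("host", ""))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "argv": argv}


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; argv list, shell=False, bounded runtime."""
    return subprocess.run(safe_ping_argv(host), capture_output=True,
                          text=True, timeout=10)
```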
So I downloaded ngrok to my box and set up the authorization token. If you are stuck, just sign up to ngrok; they have a tutorial on how to do it.
Next I started ngrok using the following command:
./ngrok tcp 9001
What ngrok does is, once it gets an inbound TCP connection on the public endpoint it assigns, forward that connection to my local port 9001.
Running the command, we are presented with the ngrok terminal interface.
Looking at the screenshot above, we are presented with a host. I need to convert the hostname to an IP address, and a tool called host will do the job perfectly.
ping also does the job perfectly.
Next I set up a netcat listener on port 9001, since all incoming connections from ngrok will be forwarded to this port.
Next we get a reverse shell using the web application.
Looking back at the netcat session, we have a shell on the box.
Looking at the www-data home directory, we have the first flag.
Next I downloaded linpeas to the vulnerable box from my box, using the same port-forwarding concept I showed earlier.
Linpeas does most of the privilege escalation checks for us, and that's why it's my go-to script whenever I'm checking for privilege escalation vectors on any Linux-based box. The script also incorporates other functionality such as a port scanner and a subnet host scanner.
Looking at the output of linpeas, we can see that there is a file in the root directory called hint.txt, which is very suspicious since it is a non-standard file.
Since I had read access to the file, I decided to view it. It contained base64-encoded credentials for the tomato user.
Let's decode the password.
Looking at the screenshot above, we get a password for the tomato user. Sweet, let's su to that user and see if the password works.
And voila, we have a shell as the tomato user. Going back to our recon, we had the SSH port open on the server, so instead of using this shell let's log in over SSH, since it gives a much more stable shell for running sudo.
Looking at the screenshot above, we have a valid login to the box. Our next step is to find a privilege escalation vector to get root on the box.
Running sudo -l with the user's password, we see that we can run python as the root user without knowing root's password.
This creates a security loophole, since there are a million ways to run system commands from a python shell.
In this tutorial I'll use the os library.
Let's drop to a python shell running in a root context.
Next let's import the os library.
Let's use the library to spawn a root shell on the server.
And we are root on the server. Easy, right!
Let's navigate to the root directory and get root's flag.
And the box is done. I hope you learnt a thing or two from the walkthrough; if so, leave a comment down below, and don't forget to clap for me and follow me so that you don't miss any upcoming articles.