Hi guys, in this post I will show you a walkthrough of the VulnHub machine called Sputnik. The difference between my post and the others is that I will show you how I approach this challenge and the thought process behind it. I personally recommend this machine to beginners who are in the middle of OSCP training, since it will give you a sense of how to spot a rabbit hole that could waste a lot of time in your exam.
Setting up the machine:
I will use VirtualBox as my preferred virtualization software, but it's up to you; if you have VMware on your computer you can use that as well.
You can download the image from the official website: https://www.vulnhub.com/entry/sputnik-1,301/
The setup is pretty straightforward: all you have to do is import the .ova file and you are good to go.
Reconnaissance:
Like every hacker before commencing an attack, we will start by identifying and gathering enough information about the machine.
The only tool I used here is Nmap.
First, we need to identify the machine's IP address. We can use the "-sn" flag in Nmap to do a ping sweep and find out which machines in our network are online.
Notice that my machine has the IP address 192.168.1.8 and the Sputnik machine has the IP address 192.168.1.7.
Let's continue by identifying how many services the machine hosts and what they are; again I will use Nmap for the task.
Because we are not worried about getting caught, we can let loose and do an aggressive scan of all of the machine's ports.
"-A" enables aggressive scanning, which includes OS detection, version detection, script scanning, and traceroute; "-T5" sets the scan speed to the highest, since we don't want to waste our time; and "-p-" instructs Nmap to scan all ports from 1 to 65535.
The result shows that the machine has 4 open ports (8089, 8191, 55555 and 61337); however, a newcomer might feel a bit overwhelmed by the details.
Port 8089:
Let's start with the first open port (8089). Notice that Nmap points out that it detects an SSL certificate, which means that this port enforces HTTPS. Thus, we need to put the "https://" prefix in front when visiting the port. If you try to visit the service using your browser you will encounter this warning, but you don't need to worry: all you have to do is choose "Advanced" > "Accept the Risk and Continue".
After you are done with the certificate warning as in the figure above, you will see a website like the figure below. I have included the response that each page returns when you visit it.
Unfortunately none of these pages have anything interesting: the RPC page always returns "invalid request", the services/NS page is protected with HTTP basic authentication (I tried common Splunk credentials such as admin:admin and admin:changeme, but they didn't work), and the static page always led me to a 404.
I did one last check for hidden pages on port 8089 using dirsearch, but it didn't show me anything useful. Thus, we can conclude that this is a rabbit hole; you don't have to spend any more time on this port.
Port 8191:
As with the previous port, port 8191 doesn't give us much of a lead to obtain access to the machine. Splunk uses MongoDB for certain internal functionality like the KV store, but to access the DB you need credentials; since we don't have them, we can pretty safely conclude that we have hit a rabbit hole again.
Port 55555:
Now this is where things get really interesting. Notice in the Nmap result that the port hosts a Flappy Bird game, but it also contains an exposed .git repository. Exposing .git to outsiders is pretty dangerous, since anyone with access to the website can obtain the original source code of the website.
There are a lot of files contained in .git, but here are some interesting ones that you should pay attention to:
- https://example.com/.git/config => configuration of the git repo
- https://example.com/.git/HEAD => HEAD in Git is the pointer to the current branch reference
- https://example.com/.git/logs/HEAD => the reflog of HEAD, recording each change to the current branch
- https://example.com/.git/index => the index is a binary file (generally kept in .git/index) containing a sorted list of path names, each with permissions and the SHA1 of a blob object
Of the four files mentioned, "logs/HEAD" contains the content that is interesting to us.
It shows us another GitHub account; let's download it.
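To make concrete what an exposed logs/HEAD gives away (the step above, where the reflog pointed at a GitHub account), here is an added Python example that is not part of the original post: it parses reflog lines from a constructed sample and summarizes the commit ids, author identities and remote URLs they leak. The SHAs, names, e-mail and URL in the sample are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample of a leaked .git/logs/HEAD reflog. The SHAs, names,
# e-mail and remote URL are made up; nothing here comes from the Sputnik box.
SAMPLE_LOGS_HEAD = (
    "0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 "
    "Example Dev <dev@example.com> 1540000000 +0000\tclone: from https://github.com/example-org/flappy-bird-clone\n"
    "1111111111111111111111111111111111111111 2222222222222222222222222222222222222222 "
    "Example Dev <dev@example.com> 1540003600 +0000\tcommit: add scoreboard\n"
    "this line is not a valid reflog entry\n"
)

# One reflog line: <old sha> <new sha> <name> <email> <unix ts> <tz>\t<message>
REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://\S+|git@[^\s:]+:\S+")


@dataclass
class ReflogEntry:
    old: str
    new: str
    name: str
    email: str
    timestamp: int
    message: str


def parse_reflog(text):
    """Parse reflog text into entries, skipping malformed lines instead of crashing."""
    entries = []
    for line in text.splitlines():
        m = REFLOG_RE.match(line)
        if m:
            entries.append(ReflogEntry(m["old"], m["new"], m["name"], m["email"],
                                       int(m["ts"]), m["msg"]))
    return entries


def leak_summary(text):
    """What an exposed logs/HEAD reveals: commit ids, author identities, remote URLs."""
    entries = parse_reflog(text)
    remotes = sorted({u for e in entries for u in URL_RE.findall(e.message)})
    return {
        "commits": sorted({e.new for e in entries}),
        "identities": sorted({(e.name, e.email) for e in entries}),
        "remotes": remotes,
    }
```

Running leak_summary over a real reflog pulled from your own web root is a quick way to see exactly which identities and upstream repositories a misconfigured deployment would hand to anyone who asks for /.git/logs/HEAD.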
The GitHub repo contains the exact same source code as the website on port 55555. To get the most out of the GitHub repo, let's check the log to see whether there is something useful for us.
You can try to analyze each commit using the "ls-tree" option of the git utility, but the one that is actually useful is the commit with the hash 07fda135aae22fa7869b3de9e450ff7cacfbc717.
Cool! We just found ourselves a credential to try. I tried the credential on the last two ports we encountered; port 8089 accepts the credential, but it got me nowhere in obtaining a shell on the machine.
Port 61337:
This port also hosts a Splunk service, just like port 8089.
Using the same credential we get into the admin page. With a little bit of research (https://www.exploit-db.com/exploits/46238), we know that in order to obtain access to the machine we can upload a backdoor to Splunk Enterprise.
We are going to use the script from https://www.exploit-db.com/exploits/46238. Operating the program is pretty easy, but before you can use it you have to download geckodriver to your machine and put its location into the script, as in the figure below.
I extracted the binary from the .tgz file and put it in the same directory as the script.
Now let's run the script as in the figure below; before you do that, you need to open a listening port using netcat on your machine:
Wait a little bit and you should have a shell by now.
Privilege Escalation:
Privilege escalation is even easier on this machine. First, type "sudo -l", which will show you the current privileges of our user.
Notice that our user is able to run the "ed" command as root via sudo. Type "sudo ed" followed by "!/bin/sh", which will drop you into a root shell.
That's all, and you can get the flag.
I hope you enjoyed this post, and see you next time.