{"id":138,"date":"2024-05-27T18:20:22","date_gmt":"2024-05-27T18:20:22","guid":{"rendered":"https:\/\/bencron.com\/?p=138"},"modified":"2024-06-21T19:12:14","modified_gmt":"2024-06-21T19:12:14","slug":"astronaut-offsec-proving-grounds-practice","status":"publish","type":"post","link":"https:\/\/bencron.com\/?p=138","title":{"rendered":"Astronaut – OffSec Proving Grounds (Practice)"},"content":{"rendered":"\n

<\/p>\n\n\n\n

The Summary<\/h2>\n\n\n\n
Platform Site<\/strong><\/td>OffSec Proving Grounds (Practice)<\/td><\/tr>
Hostname<\/strong><\/td>astronaut<\/td><\/tr>
Domain<\/strong><\/td>astronaut.offsec<\/td><\/tr>
Operating System \/ Architecture<\/strong><\/td>Linux \/ x86-64<\/td><\/tr>
Rating<\/strong><\/td>Easy<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

This is a write up for the “Astronaut” vulnerable machine from the Offensive Security Proving Grounds (Practice) labs. I will show the testing process and successful exploitation of the machine, from initial scanning to obtaining the proof flag.<\/p>\n\n\n\n

Within the report, I will expand on certain aspects of the test to provide a more granular explanation of areas which are of interest (mainly to the author).<\/p>\n\n\n\n

At the end there will be a debriefing section for review of the test or creation of this report.<\/p>\n\n\n\n

The Attack<\/h2>\n\n\n\n

Scanning & Prelims<\/h3>\n\n\n\n

After I get the test environment set up, I proceed with an NMAP scan. Below is the command I like to enter with a breakdown of it, followed by the scan output.<\/p>\n\n\n\n

NMAP Command<\/p>\n\n\n\n

nmap -T4 -A -p- xx.xx.xx.xx -oA nmap-XXXXXXX --webxml<\/code><\/pre>\n\n\n\n
    \n
  • nmap<\/code> –> the application<\/li>\n\n\n\n
  • -T4<\/code> –> timing set to aggressive (4)<\/li>\n\n\n\n
  • -A -p-<\/code> –> enables all scans & scans all ports<\/li>\n\n\n\n
  • xx.xx.xx.xx<\/code> –> target IP address<\/li>\n\n\n\n
  • -oA<\/code> –> output All file types: normal, grepable, XML<\/li>\n\n\n\n
  • nmap-XXXXXX<\/code> –> names of output files (XXXX changes per testers choice)<\/li>\n\n\n\n
  • --webxml<\/code> –> can move & view the XML easily on another machine.<\/li>\n<\/ul>\n\n\n\n
    NMAP – Output<\/span><\/path><\/path><\/svg><\/span>
    Starting Nmap 7.93 ( https:\/\/nmap.org ) at 2024-05-02 12:02 EDT<\/span><\/span>\nNmap scan report for astronaut.offsec (192.168.217.12)<\/span><\/span>\nHost is up (0.032s latency).<\/span><\/span>\nNot shown: 65533 closed tcp ports (reset)<\/span><\/span>\nPORT   STATE SERVICE VERSION<\/span><\/span>\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)<\/span><\/span>\n| ssh-hostkey: <\/span><\/span>\n|   3072 984e5de1e697296fd9e0d482a8f64f3f (RSA)<\/span><\/span>\n|   256 5723571ffd7706be256661146dae5e98 (ECDSA)<\/span><\/span>\n|_  256 c79baad5a6333591341eefcf61a8301c (ED25519)<\/span><\/span>\n80\/tcp open  http    Apache httpd 2.4.41<\/span><\/span>\n|_http-title: Index of \/<\/span><\/span>\n| http-ls: Volume \/<\/span><\/span>\n| SIZE  TIME              FILENAME<\/span><\/span>\n| -     2021-03-17 17:46  grav-admin\/<\/span><\/span>\n|_<\/span><\/span>\n|_http-server-header: Apache\/2.4.41 (Ubuntu)<\/span><\/span>\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).<\/span><\/span>\nTCP\/IP fingerprint:<\/span><\/span>\nOS:SCAN(V=7.93%E=4%D=5\/2%OT=22%CT=1%CU=35305%PV=Y%DS=4%DC=T%G=Y%TM=6633B933<\/span><\/span>\nOS:%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=103%TI=Z%II=I%TS=A)OPS(O1=M5<\/span><\/span>\nOS:51ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11NW7%O<\/span><\/span>\nOS:6=M551ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%D<\/span><\/span>\nOS:F=Y%T=40%W=FAF0%O=M551NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0<\/span><\/span>\nOS:%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T<\/span><\/span>\nOS:6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=C46<\/span><\/span>\nOS:C%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
    While scanning, I set up notes for this machine. I also edit the \/etc\/hosts<\/code> file in Kali to associate a domain of my choosing to the IP address provided by the Platform Site. The entry is often edited during testing when new domains are found.<\/p>\n\n\n\n
    Service Enumeration<\/h3>\n\n\n\n
    SSH<\/span><\/path><\/path><\/svg><\/span>
    22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)<\/span><\/span>\n| ssh-hostkey: <\/span><\/span>\n|   3072 984e5de1e697296fd9e0d482a8f64f3f (RSA)<\/span><\/span>\n|   256 5723571ffd7706be256661146dae5e98 (ECDSA)<\/span><\/span>\n|_  256 c79baad5a6333591341eefcf61a8301c (ED25519)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    Experience tells me, “It’s never SSH”. It is best to try other services first. But if being thorough is desired, do a google search of: OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 vulnerabilities. In cases like this, most results are from people testing other vulnerable machines.<\/p>\n\n\n\n
    HTTP<\/span><\/path><\/path><\/svg><\/span>
    80\/tcp open  http    Apache httpd 2.4.41<\/span><\/span>\n|_http-title: Index of \/<\/span><\/span>\n| http-ls: Volume \/<\/span><\/span>\n| SIZE  TIME              FILENAME<\/span><\/span>\n| -     2021-03-17 17:46  grav-admin\/<\/span><\/span>\n|_<\/span><\/span>\n|_http-server-header: Apache\/2.4.41 (Ubuntu)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    HTTP, now we’re talking. Accessing the website brings the following<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Opening the directory brings up a default web page for Grav CMS. Some online searching shows Grav CMS is a Contant Managemnt System for creating website. It seems to be focused on simplicity and ease of use for the user. Their logo is an Astronaut, making it clear how this machine received its name. Many creators of these machines name them as a clue to what’s vulnerable.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Checking in with Wappalyzer corroborates the existence of GRAV CMS as well as other interesting information. The existence of PHP is worth noting for crafting potential payloads.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    A google search for “Grav CMS admin page” brings some results. There is a github repo which list the path location of the admin page.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Several attempts at running easy default credentials such as admin:admin<\/code> failed.<\/p>\n\n\n\n
    I decided to do a check of searchsploit<\/code> to see if there are any known vulnerabilities and exploits.<\/p>\n\n\n\n
    searchsploit GravCMS<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The “Arbitrary YAML Write\/Update (Unauthenticated)” exploit proved to be successful. Details in the next section.<\/p>\n\n\n\n
    The Foothold<\/h3>\n\n\n\n
    The successful exploit is a python script run from the Attacker\/Kali machine. According to the documentation in the script, the creator of the script goes by “legend” and the original author was Mehmet INCE. Thank you, for your contributions.<\/p>\n\n\n\n
    Below is a screenshot of the script. I will provide a brief “How-to” to execute the exploit for those just wanting to break the machine. Later, as a learning exercise, I will provide a more detailed look into what is happening.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The script has the target IP address as http:\/\/192.168.1.2. This will need to be changed to the IP of our Astronaut machine.<\/p>\n\n\n\n