This was a cool little box that the Deloitte Cyber Attack Team brought with them to the Wednesday presentation. Getting user was not particularly challenging, but the most annoying thing was to get root access. Let’s get right into it!
Starting up the Piper box, we’re greeted with this interface:
Not really any information, so let’s head over to our Kali box and run netdiscover to get the IP address of the Piper box.
Now that we have the IP address, let’s run an nmap scan and see what we can find.
nmap -sV -sC -O -p 1-5000 -o piper.log 172.16.99.136
Port 80 is open, so let’s check it out.
There doesn’t seem to be anything here, so let’s check out what’s on port 4949.
Bingo! An admin panel. I tried SQL injection for about 10 minutes before I gave up; SQLi seemed to be well protected against.
Having a look back at the nmap scan, we can see the service listed as ssl/http. If we run the heartbleed nmap script, we can see that the machine is vulnerable to Heartbleed.
We can use metasploit to check out whether the machine is vulnerable to heartbleed using the
Setting the dump option on and running the exploit, we get access credentials for the admin panel.
Putting the credentials in, we get access to the dashboard!
In the top corner we notice that the console has been removed, so let’s have a dig around the source code to see if it’s actually been removed or not.
So the console hasn’t been removed, and it seems to be able to run Linux commands against the back-end web server.
So let’s throw in some Python reverse shell code and set up our listener to get a shell!
And we’re able to catch our reverse shell and get a low-privilege shell, so let’s hunt around for the first flag!
And so we’ve found our user flag.
Going back to our nmap scan, we see that SSH is on the system as well, so let’s just try to reuse john’s credentials to SSH onto the system.
sudo -l on the system reveals that we can run pip2 without a password, so let’s search for how we can abuse it for priv esc.
A quick Google search has brought up this promising repo that we can hopefully install to get a reverse root shell.
Let’s change the IP and PORT to our netcat listener and wait for a reverse shell.
And we have our reverse root shell and our flag!
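The root step works because the sudo rule lets an unprivileged user run pip2 as root with no password, and installing a source package makes pip execute that package's setup code. The script below is an added example, not part of the original write-up: it audits `sudo -l` output for password-less rules that point at installers or interpreters. The sample output, the host name and the list of flagged programs are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Programs that run caller-supplied code by design. pip is included because
# installing a source package executes its setup.py as the invoking user.
CODE_RUNNERS = re.compile(r"^(pip|easy_install|python|perl|ruby|gem|npm)[\d.]*$")
RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd, cmd"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")          # e.g. "NOPASSWD: SETENV: "

# Constructed `sudo -l` output (user, host and rules are illustrative).
SAMPLE = """\
Matching Defaults entries for john on piper:
    env_reset, mail_badpass

User john may run the following commands on piper:
    (root) NOPASSWD: /usr/bin/pip2
    (root) PASSWD: /usr/bin/python3, NOPASSWD: /usr/bin/tail /var/log/syslog
"""

def audit_sudo_l(text):
    """Return (runas, command, reason) for each risky password-less rule."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue
        runas, nopasswd = rule.group(1).strip(), False
        for item in rule.group(2).split(","):
            item = item.strip()
            tags = TAGS.match(item)
            if tags:  # a tag stays in force until a later one overrides it
                names = re.findall(r"[A-Z_]+", tags.group(0))
                if "NOPASSWD" in names:
                    nopasswd = True
                elif "PASSWD" in names:
                    nopasswd = False
                item = item[tags.end():].strip()
            if not nopasswd or not item:
                continue
            binary = item.split()[0]
            if binary == "ALL":
                findings.append((runas, item, "any command without a password"))
            elif CODE_RUNNERS.match(PurePosixPath(binary).name):
                findings.append((runas, item, "runs caller-supplied code"))
    return findings

if __name__ == "__main__":
    for runas, command, reason in audit_sudo_l(SAMPLE):
        print(f"[!] as {runas}: {command} -> {reason}")
```

Any finding is a rule to remove or to replace with a narrowly scoped wrapper that takes no user-controlled package source.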