Tuesday, September 22, 2015

Hacking Lord Of the Root

Background
I created this machine to help others learn some basic CTF hacking strategies and tools. I aimed for it to be very similar in difficulty to the machines I was breaking on the OSCP. This is a walkthrough to guide those who get stuck through the challenge. It is a boot-to-root machine and requires no guest interaction.

Note: There is one way in to a low-privilege user and there are two different root privilege escalations.

The OVA can be found at: Vulnhub.

Exploitation
Upon booting the machine I ran a full TCP port scan of the host; only SSH is open.

Upon banner grabbing we see:

Knock Friend? 1,2,3? That looks like port knocking to me...

After knocking on ports 1, 2 and 3, another full nmap scan reveals that a web server has opened!

Webapp
After examining the web app with Nikto and Dirb there was nothing of interest, but manual testing and inspection turned up a few things.

Index.html
But there is a comment on the 404 page...
The comment appears to be base64, so we decode it:
This URL takes us to a PHP login page that is vulnerable to SQL injection!

So we dump the data with sqlmap:

The MySQL root password was also weak:

We checked for password reuse over SSH:
We have a low-privilege shell!

There are two privilege escalations and both are described below.

Escalation A: Buffer overflow

We found a SUID binary vulnerable to a buffer overflow in the /SECRET directory. There are three files, but when you look at their sizes, one is smaller than the other two. The smaller one is the buffer overflow target.
We copied the vulnerable binary into /tmp for exploit development so we didn't have to deal with the files switching around, and verified the crash.
Next, we download GDB PEDA. This gdb extension is the absolute best for exploit dev!

We verified the crash in PEDA using our exploit code. Notice we have overwritten EIP with 0x41414141, the ASCII characters "AAAA".

We also check the binary for protections, and there are none.
HOWEVER, ASLR is on.
Using GDB PEDA, we find the offset to EIP.

Next, we verify that we control the EIP register. Notice the crash is at 0x42424242, which is "BBBB".

We generate our shellcode using PEDA and add it to the exploit.

Now that we know we have ASLR to circumvent, we need to modify our exploit code.

Because ASLR randomizes the address space and there are no usable jmp esp instructions, we do not have a fixed location in memory to return to, so we need to brute-force it. I ran the program in gdb a handful of times to get a feel for where the stack was landing on execution, since it differs every run. I noticed the address always started with BF and the remaining 6 hex digits varied, so I chose CC for the next byte because it was in the middle of my random sample of stack locations. The last 4 hex digits I used were arbitrary. Next we build a GIANT NOP sled. I used 20480 bytes, but it could potentially be larger.

Lastly, I added code to find the smallest file in the directory (the vulnerable binary) on every iteration, in case the files switch mid-run, and put the whole thing in a while loop that runs indefinitely. If a run segfaults, the loop simply replays the request; when our return address lands in the shellcode, the loop stops on the shell, giving us shell access.
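The brute-force strategy above can be reasoned about quantitatively. The following is an added example, not the author's exploit script and not part of the original post: it models the retry loop, assuming ASLR places the sled start uniformly within an assumed 16 MiB window 0xBF000000-0xC0000000 and using constructed guess addresses, and computes how likely one run is to land in a 20480-byte NOP sled and how many runs to expect. That shows why the sled is made huge and why the guess is taken from the middle of the observed range rather than its edge.

```python
import random

# Model of the write-up's brute force: the NOP sled starts at a stack address S
# that ASLR draws uniformly from a window [win_lo, win_hi) (assumption: the
# BF?????? addresses seen in gdb), the exploit always returns to one fixed
# guess, and a run succeeds iff the guess lands inside [S, S + sled_len).

def hit_probability(sled_len, win_lo, win_hi, guess):
    """Exact P(S <= guess < S + sled_len) for S uniform over [win_lo, win_hi)."""
    lo = max(win_lo, guess - sled_len + 1)  # smallest sled start that still covers guess
    hi = min(win_hi - 1, guess)             # largest sled start that still covers guess
    if hi < lo:
        return 0.0
    return (hi - lo + 1) / (win_hi - win_lo)

def expected_attempts(sled_len, win_lo, win_hi, guess):
    """Mean number of loop iterations until the first hit (geometric distribution)."""
    p = hit_probability(sled_len, win_lo, win_hi, guess)
    return float("inf") if p == 0 else 1.0 / p

def simulate_attempts(sled_len, win_lo, win_hi, guess, rng=None, max_tries=10**6):
    """Replay the retry loop: draw a fresh sled start per run until the guess hits."""
    rng = rng if rng is not None else random.Random()
    for attempt in range(1, max_tries + 1):
        s = rng.randrange(win_lo, win_hi)
        if s <= guess < s + sled_len:
            return attempt
    return None

def mean_attempts(sled_len, win_lo, win_hi, guess, runs, seed):
    """Average of `runs` simulated campaigns; should approach expected_attempts()."""
    rng = random.Random(seed)
    return sum(simulate_attempts(sled_len, win_lo, win_hi, guess, rng) for _ in range(runs)) / runs

if __name__ == "__main__":
    WIN_LO, WIN_HI = 0xBF000000, 0xC0000000  # assumed 16 MiB window of observed stack addresses
    SLED = 20480                              # the write-up's NOP sled size in bytes
    # Constructed guesses: one in the middle of the window (the write-up's "CC"
    # choice) and one at its edge, to show why the middle guess is the better bet.
    for guess in (0xBFCC1234, 0xBF000063):
        p = hit_probability(SLED, WIN_LO, WIN_HI, guess)
        print(f"guess {guess:#x}: P(hit) = {p:.6f}, expected runs = {expected_attempts(SLED, WIN_LO, WIN_HI, guess):.1f}")
    print("mean runs over 200 simulated campaigns:", mean_attempts(SLED, WIN_LO, WIN_HI, 0xBFCC1234, 200, seed=2015))
```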

This was our final code:

Note: You will notice the back-off in the os.system call. This is expected because os.system is a blocking call. You could make it non-blocking to improve the script, but I used os.system for a quick and dirty solution.

Success!

Escalation B: MySQL

Since we have the MySQL root password and MySQL is running as root, we can use a UDF (user-defined function) to escalate.
Success! We are in!

I hope you enjoyed the Lord Of The Root!

15 comments:

  1. not sure if this was intentional or not but you can bypass the privesc:

    smeagol@LordOfTheRoot:~$ sudo -l
    User smeagol may run the following commands on LordOfTheRoot:
    (ALL : ALL) ALL

    smeagol@LordOfTheRoot:~$ sudo su

    root@LordOfTheRoot:/home/smeagol# cat /root/Flag.txt
    “There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
    – Gandalf

  2. Whoa! That was a HUGE oversight. Thanks for the input! I will have the modified image up and the updated image is found on the mediafire link. Hopefully the Vulnhub mirror will be updated soon.

  3. Hello, and thanks for the VM. What wordlist did you use for your dirb scan? I do not get the 404 page that you mention in your tutorial. Here is what I get when running dirb with all included wordlists and dirbuster's wordlists:
    192.168.xxx.xxx:1337/
    192.168.xxx.xxx:1337/index
    192.168.xxx.xxx:1337/images

  4. Sorry I was unclear in my post. The Webapp was intentionally designed to not show anything on dirb. I found the 404.html through manual testing.

    1. Thanks for the reply. I am new to pentesting, and currently doing the OSCP. What manual techniques would you recommend for finding directories?

    2. Really, Dirb is the best for predictable directories, but using a proxy and stepping through an application to view both requests and responses is the best practice to understand the flow of an application. My favorite proxy is Burp.

  5. Hello, I am a little confused at the SQL injection step; can you explain the script using sqlmap? Thanks. :)

  6. SQLmap is an automated SQL injection exploiter. I used it to dump the credentials. I suggest you look up a tutorial if you are not familiar with it. I did it by first capturing the request via a proxy, then I used these requests:
    sqlmap -r request.txt --dbs
    sqlmap -r request.txt -D $database --tables
    sqlmap -r request.txt -D $database -T $table --dump

    Hope that helps.

  7. Also you have the MySQL root password inside login.php and smeagol can read it! :)

  8. That was intentional! It is important to do post exploitation on Smeagol before you move to attacking root.

  9. Hello, can someone please give me some advice? I am stuck at this part.

    MySQL>create function do_system returns integer soname 'raptor_udf.so';
    ERROR 1126 (HY000): Can't open shared library 'raptor_udf.so' (errno: 0 /usr/lib/mysql/plugin/raptor_udf.so: invalid ELF header)

  10. I doubt the directory you are attempting to read from and write to is readable and writable. My tutorial shows where I read from and wrote to, and it will work successfully. Google is your friend.

  11. I got the same error as Unknown (ERROR 1126 (HY000): Can't open shared library 'raptor_udf.so' (errno: 0 /usr/lib/mysql/plugin/raptor_udf.so: invalid ELF header)). Eventually I found that the error will happen when the wrong directory is specified when loading the file into the database: insert into foo3 values(load_file('/home/smeagol/raptor_udf2c.so'));

    If that happens, then the exploit has to be recompiled with another name and the new table has to be recreated. So copy all the commands to run into a notepad first and review them before running them.

  12. Hi Kook. Great Writeup mate. Can you please let me know how you found out that one of the files in the SECRET directory is vulnerable to Buffer overflow? Thank you

    1. When I create the initial python code, I run it against all 3 files. Two of them will exit normally and one will seg fault. The seg fault is a good sign it is potentially vulnerable to a buffer overflow. The following is the code:
      import os
      exploit = "A"*500
      # note the space: the overflow string is passed as a command-line argument
      os.system("./file " + exploit)
