Fri. Jul 3rd, 2020

Pentesting Fun Stuff

following the cyber security path…

Natraj

Introduction

This is a challenge hosted on VulnHub and it’s from Hacking Articles.
The description states that Nataraj is a dancing avatar of the Hindu god Shiva.
His dance is called Tandava and it is only performed when he is most angry.
Whoever interrupts his dance is killed by Shiva while he dances.

It’s a Boot2Root challenge, based on Nataraja.
The goal is to root the machine and find the root flag.

Let’s get started…

Enumeration

As always we start off with a port-scan to get a good view on what ports are open and what services are running behind them.

An SSH-server (port 22) and a web-server (port 80) are running on a Linux machine.
Because SSH needs credentials, I start with the web-server.
Time for Nikto to step in.

Inside the folder /console/ there is an empty PHP file.
A UDP port-scan also turns up nothing.
The only thing that has come up (without having to sift through all the images in the hope there is some form of steganography) is the empty PHP file.
When I play a little with parameters, I get a hit.

A local file inclusion (LFI).
Let’s check for some interesting files.
First we create a list with all the files that maybe give some useful information.

Then a for loop to iterate over them.

Looks like I can view the auth.log file.
Maybe something called ‘log poisoning’ is possible.
Log poisoning is a common technique we can use to gain a reverse shell from an LFI vulnerability.
To make this work we need to inject malicious input into a server log (in this case auth.log).
If all goes well, PHP evaluates the injected input when the poisoned log file is included.
In other words: if we control the contents of a file the vulnerable web application can reach, we can insert PHP code into it and load the file through the LFI vulnerability to execute our code.

First let’s poison the log.

To make life a bit easier, I run the LFI request not with cURL but in the browser, after starting Burp Suite in intercept mode.
After Burp Suite intercepts the request, I send it to the Repeater.

To make use of the log poisoning, I add a small piece to the request and run it inside the Repeater.
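From the defender’s side, both steps above leave footprints: the LFI request shows up in the web-server access log, and the poisoning attempt shows up in auth.log because sshd stores the attempted username verbatim. The script below is an added example (not from the original post) that flags both over constructed sample lines; the script name /console/file.php and the parameter name file are assumptions, the post does not name them.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines, not taken from the original post.
AUTH_LOG = """\
Jul  3 10:01:12 natraj sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Jul  3 10:01:40 natraj sshd[1207]: Invalid user <?php echo 'poisoned'; ?> from 10.0.0.5 port 51240
Jul  3 10:02:05 natraj sshd[1210]: Accepted publickey for natraj from 10.0.0.9 port 40122 ssh2
"""

ACCESS_LOG = """\
10.0.0.5 - - [03/Jul/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [03/Jul/2020:10:02:03 +0000] "GET /console/file.php?file=../../../../var/log/auth.log HTTP/1.1" 200 4096
10.0.0.5 - - [03/Jul/2020:10:02:09 +0000] "GET /console/file.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [03/Jul/2020:10:03:00 +0000] "GET /console/file.php?file=about HTTP/1.1" 200 300
"""

# A PHP open tag has no business inside an authentication log.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Traversal, absolute log/credential paths and PHP stream wrappers in a query value.
LFI_HINT = re.compile(r"(?:\.\./|/var/log/|/etc/passwd|\bphp://|\bexpect://|\bdata:)", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def poisoned_auth_lines(text):
    """auth.log lines carrying a PHP open tag: the server has stored attacker input."""
    return [line for line in text.splitlines() if PHP_TAG.search(line)]


def lfi_requests(text):
    """Access-log lines whose URL-decoded query string looks like file inclusion."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m or "?" not in m.group(1):
            continue
        query = unquote(m.group(1).split("?", 1)[1])  # catch %2e%2e%2f-style encoding too
        if LFI_HINT.search(query):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in poisoned_auth_lines(AUTH_LOG) + lfi_requests(ACCESS_LOG):
        print("ALERT:", line)
```

Correlating the two (a poisoned auth.log line followed shortly by a request for /var/log/auth.log from the same source) is the signal that the inclusion is being weaponised rather than merely probed.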

Now that I know I can execute a command, it’s time to get a reverse shell.

Not working with Python, so let’s try Bash.

Not working with Bash either, so let’s try Netcat (the version without the -e option).

And this one works.

Maybe the first try would have succeeded if I had used python3.
But access is access, so who cares.

Time to do some recon on the system.

– no interesting files with the SUID bit set
– no files with interesting capabilities
– no mails
– no interesting user-owned files
– yes, an interesting world-writable config file

I need to change the file, but there is no vim or nano and vi barely works.
So the best option is to transfer it to my local machine.

The small change I make is here:

I added the user mahakal to the file.

Why? Apache is normally configured to only have access to its DocumentRoot directory and not to run any system commands.
As such, the Apache process normally runs as an unprivileged user with no shell access on most platforms (www-data).
This is done for security reasons: even an exploit against a poorly written PHP or Perl script will then not escalate and cause much harm to the system.

Now to get the file back.
For this I use the python3 http server module.

Now to reboot the machine. Because of the restricted privileges I can’t use any option to gracefully restart this server.
Luckily it’s a VM I control, but this would be a real problem if the machine were out of my reach.

When I reboot the VM, start up the same listener as before and run the same exploit as before (the one in Burp Suite), I get a reverse shell again.
But this time as user mahakal.

Let’s check if this user has any superpowers:

The user can run nmap with root-level permissions.

This is never a good idea, because according to GTFOBins there is a way to escalate privileges this way.
Nmap has the ability to run scripts during its scanning process.
Those scripts can come from anywhere.
In this case we’re going to create our own script that spawns a system shell, and let nmap execute it.
Normally this isn’t a big deal if nmap runs with the permissions of an unprivileged user.
In this case it runs as root, so you can see where this is going.

And there we have a root shell.
Now for the final piece.

And that’s it.

Conclusion

This was a fun challenge to do.
There were some points I didn’t like, such as the need to physically reboot the VM to make the exploit work.
As I already mentioned, this can become a problem if the VM is not within your physical reach.
I did like the log poisoning and the way to get RCE.

Overall it was a good challenge and offers new things for pentesters to learn.
Keep up the good work!!!
