Wednesday 23 December 2015

Walkthrough /dev/random: Pipe

Mission: Get the root flag on `Pipe`, which is a deliberately vulnerable virtual machine hosted at The virtual machine can be downloaded at,124/. I quickly loaded the virtual machine into VMware Player and I was good to go!

Detailed Steps for getting root:

I ran a quick nmap scan to identify the IP address of the Pipe VM. I use `host-only` networking for both my Pipe VM and my Kali box.

We identify the IP address of the new VM as . An nmap scan of the box shows that it is running services on ports 22 and 80.

We point our browser to but we are asked to provide credentials. Common attempts such as admin:admin etc. fail. We decide to use Burp Suite to see if we can play around with the request to the webserver.

Request intercepted by Burp
We change the request before forwarding it to the webserver
We configure our Iceweasel browser to use Burp's proxy settings so that Burp can intercept the requests and responses to and from the webserver. We see that the GET request prompts us for authentication. We decide to change the request method from GET to GETS. We are now able to see a page which looks like a Wikipedia entry.

index.php page hosted at the webserver

We use DirBuster against the webserver and it lists some interesting files and directories.

DirBuster output

The scriptz directory looks interesting as we can see a couple of files here. The file php.js contains the JavaScript equivalent of PHP's serialize function. We also see a log.php.BAK file which seems to be a logger file.

It seems that this file writes its output into the webroot directory. This is very interesting to us, especially if we can control the `data` field supplied to it.

Now we go back to our index page and see that there is a hyperlink at the bottom of the page which lets us get some artist information. We also view the page source.

We see that the page includes the php.js file to call the serialize API and passes some arguments to it at line 8. We now intercept the request for additional artist information in Burp.

We see that the param field is dynamic content. We send the content to the Decoder tab of Burp (right click and choose Send to Decoder). In the Decoder tab we use Smart Decode to decode the param.

It seems that in this case an `Info` object is being created. We know that a `Log` object will invoke the logger file and allow us to write to the webroot. We now attempt to tweak the request so that we can write some data to the webroot via the Log object.
We encode the request using the URL encoder and then forward it to the webserver. Here is our modified request:

Here we invoke the logger class and ask it to create a file called me.txt in the webroot with the contents `howdy rowdy`. We quickly check that our attempt has been successful. Now we can attempt to execute some PHP code from the browser. We modify the request to execute the phpinfo() function as follows:

We can see that the command was executed in the browser.
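The root cause of all this is that the artist-info handler feeds the client-supplied `param` straight into `unserialize()`, so the client chooses which class gets instantiated. The following is an added example (not the VM's own code) showing that pattern beside a hardened handler; the `Info` and `Log` classes, their property names and the `echo` in `Log::__destruct` are stand-ins we have assumed for what log.php.BAK and the decoded param suggest.

```php
<?php
// Added example, not the VM's own code. Info and Log are stand-ins; their
// properties and the echo in Log::__destruct are assumptions (the real
// logger writes a file into the webroot, which is what we want to prevent).
class Info {
    public $artist;
}

class Log {
    public $data;
    public function __destruct() {
        echo "Log::__destruct fired - the real logger would write a file here\n";
    }
}

// Vulnerable form: unserialize() instantiates whatever class name the client
// puts in the payload, so a payload naming Log gets Log's destructor run.
function load_info_unsafe(string $param) {
    return unserialize($param);
}

// Hardened form: only Info may be instantiated. Any other class name comes
// back as __PHP_Incomplete_Class, which has no magic methods, and the
// instanceof check then rejects it. Needs PHP 7.1+ (allowed_classes, ?Info).
function load_info_safe(string $param): ?Info {
    $obj = unserialize($param, ['allowed_classes' => [Info::class]]);
    return $obj instanceof Info ? $obj : null;
}

// Constructed inputs: a legitimate Info object and a bare Log object.
$legit   = serialize(new Info);
$hostile = 'O:3:"Log":0:{}';

load_info_unsafe($hostile);          // temporary Log object is freed, __destruct runs
$rejected = load_info_safe($hostile); // Log is not an allowed class, so this is rejected
$info     = load_info_safe($legit);   // Info is allowed and comes back intact
```

Better still is to never deserialize objects from the client at all: send an artist id and look the record up server-side.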

Since we can run arbitrary PHP code we can attempt a reverse shell back to our attacking box, using a simple PHP reverse shell. For this we create another file in the webroot via the same technique of intercepting the web request to the server.

We attempt a reverse shell to our netcat listener on our Kali box.

Privilege Escalation

Now that we have root access on the box we run the linuxprivchecker Python script. Upon running the script we find that there is a world-writable home directory for a user called rene.

We see that the contents of this file is a zipped backup which is created and deleted every few minutes. We check for any cron jobs running on the system via cat /etc/crontab, which is readable on this box. Interestingly, we see a couple of cron jobs which interest us.

Our attention is drawn to the use of wildcards in the tar command and the chown command. We know that these commands can be exploited to elevate privileges. For more details refer to the excellent post by Leon Juranic

Escalation technique via the tar command:

The idea is to trick the tar command into executing our script at the first checkpoint. Our shell file is a reverse shell. The tar command runs every 5 minutes on the box, so after a brief wait we get a new shell with the same privileges as the user who ran the tar command. Luckily in this case it's root!
