Difficulty Rating:

Machine: Falafel
OS: Linux
Target IP: 10.10.10.73


Overview

The machine runs a web service on port 80. The login page of the website is vulnerable to PHP type juggling: a user can log in by exploiting the loose comparison, upload a malicious file and get a low-privileged shell on the machine. Two further local privilege escalations were possible, one via a password stored in a PHP file and another via a password visible in the framebuffer. Finally, root access was gained by reading the / partition directly, because the user was a member of the disk group.


  • Nmap
# Nmap 7.70 scan initiated Fri Jun 15 08:36:38 2018 as: nmap -A -oN falafel.nmap -v 10.10.10.73
Increasing send delay for 10.10.10.73 from 0 to 5 due to 51 out of 169 dropped probes since last increase.
Nmap scan report for 10.10.10.73
Host is up (0.26s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
|   256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_  256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B8A9422F95F0D71B26D25CE15206BB79
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 15 08:37:08 2018 -- 1 IP address (1 host up) scanned in 29.92 seconds
  • Gobuster

  • Let’s check /cyberlaw.txt

  • Looks like we can log in without knowing the password. One way that is possible is if the backend uses PHP with loose comparison operators (==) on the password hash. We could try a PHP type juggling exploit on the password field.

  • This link mentions magic hashes available for MD5 and SHA1:
  • This link gives magic hashes for various hashing algorithms:

  • We will use a magic hash for MD5 in the password field. For that, I used Burp Suite to intercept the request, edited it in Repeater, and then sent the request.
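The mechanism behind the magic-hash login, as an added PHP example that is not code from the Falafel box or from the writeup: two hex digests of the form 0e followed only by decimal digits are numeric strings in PHP, so == compares them as the number 0 and reports them equal. The two digests below are constructed for the demonstration and are not real hashes of anything; the functions and the password shown are hypothetical. The fix is to never compare digests with ==, and preferably to use the password_hash/password_verify API instead of a bare MD5.

```php
<?php
// Added example, not code from the Falafel machine or the writeup.
// Demonstrates the loose-comparison flaw behind "magic hash" logins and the safe alternatives.

// Constructed digests (not real hashes). "0e" followed only by digits is a numeric
// string in scientific notation, so PHP evaluates both of these to 0 under ==.
const DIGEST_A = '0e111111111111111111111111111111';
const DIGEST_B = '0e222222222222222222222222222222';

// Vulnerable: == on two numeric strings compares them numerically, so two
// different digests are reported as matching. This is what a magic hash abuses.
function looseMatch(string $expected, string $actual): bool {
    return $expected == $actual;
}

// Hardened: hash_equals() compares byte-for-byte in constant time and does no type
// conversion. A strict === comparison also avoids juggling, but leaks timing.
function strictMatch(string $expected, string $actual): bool {
    return hash_equals($expected, $actual);
}

// Preferred: do not store or compare raw MD5 digests of passwords at all.
// password_hash() salts and uses a slow algorithm; password_verify() compares safely.
function makePasswordHash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// Demonstration with the constructed values.
var_dump(looseMatch(DIGEST_A, DIGEST_B));   // the two digests are reported equal despite differing
var_dump(strictMatch(DIGEST_A, DIGEST_B));  // byte comparison correctly reports a mismatch
var_dump(DIGEST_A === DIGEST_B);            // strict comparison also reports a mismatch

// Hypothetical password, constructed for the demo.
$stored = makePasswordHash('example-passphrase-for-demo');
var_dump(verifyPassword('example-passphrase-for-demo', $stored));
var_dump(verifyPassword(DIGEST_A, $stored)); // a "0e..." string does not pass a proper verify
```

Run with php on the command line; the first var_dump is the bug, the rest show the corrected checks. If an application must keep legacy MD5 digests during a migration, hash_equals() on the hex strings is the minimal fix, with password_hash() applied on the user's next successful login.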

  • After logging in, we are allowed to upload a file via URL.

  • After trying multiple extensions, I found that it accepts only filenames ending in .png. This is an example of whitelisting the file name.
  • After playing with it for a while, I found that if I enter a long file name, it is truncated to a fixed length when the file is saved. We can use this vulnerability to store a file as .php.
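The truncation bug described above, as an added PHP example that is not the box's upload handler or any code from the writeup. The handler on the machine is not shown anywhere on this page; the two functions below are hypothetical and MAX_NAME is an assumed storage limit. The vulnerable order is to validate the full name and then truncate when saving; the hardened version normalises first, refuses over-long names instead of truncating them, and never lets the client choose the stored name.

```php
<?php
// Added example, not code from the Falafel machine or the writeup.
// Illustrates why validating a filename before truncating it is unsafe, and a fix.

const MAX_NAME    = 255;      // hypothetical length limit imposed by storage
const ALLOWED_EXT = ['png'];  // whitelist, as the page describes

// Vulnerable order: check the extension on the full name, then truncate on save.
// A name that ends in ".png" at full length can lose that suffix when cut,
// leaving whatever came before it (for example ".php") as the final extension.
function storedNameVulnerable(string $name): ?string {
    if (!preg_match('/\.png$/i', $name)) {
        return null;                    // rejected by the whitelist
    }
    return substr($name, 0, MAX_NAME); // truncation happens AFTER the check
}

// Hardened: strip directories, refuse names longer than the limit rather than
// silently truncating, validate the extension of the name that would actually
// be written, and replace the client-supplied base with a random one.
function storedNameHardened(string $name): ?string {
    $base = basename($name);
    if ($base === '' || strlen($base) > MAX_NAME) {
        return null;                    // refuse instead of truncating
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Server-chosen name: the client controls nothing but the (validated) extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed test input: passes the ".png" check at full length, but exceeds
// MAX_NAME by four bytes, so the vulnerable path cuts off exactly ".png".
$longName = str_repeat('a', MAX_NAME - 4) . '.php.png';

var_dump(storedNameVulnerable($longName));   // stored name no longer ends in ".png"
var_dump(storedNameHardened($longName));     // refused
var_dump(storedNameHardened('holiday.png')); // accepted under a random server-chosen name
```

The general rule the example shows is that every transformation the storage layer applies (length caps, character stripping, case folding) must happen before the whitelist check, or the check is made against a name that is never written.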

  • A small hint was also given by the box author in the profile section.

  • I intercepted the upload request in Burp Suite and changed the file name so that it would be saved with a .php extension.

  • The payload is php-reverse-shell.php.
  • Start an nc listener and get a reverse shell.

  • Contents of /etc/passwd.

  • There are two users, moshe and yossi.
  • Check connection.php in /var/www/html.

  • We got a password for user moshe. Let’s SSH in as moshe using the password falafelIsReallyTasty.

  • Get user.txt.

  • To get root, we first need the privileges of user yossi.
  • When we check the groups of user moshe, we see that the user is in the video group.

  • After a lot of enumeration, I found that there might be something interesting in the framebuffer. To know more about the Linux framebuffer, check out the Wikipedia page.
  • Let’s get the contents of /dev/fb0 using:
$ cat /dev/fb0 > /tmp/screen.raw
  • We need to convert this raw data into a PNG. Download the raw data to the local machine and use the script below to convert it to PNG.
#!/usr/bin/perl -w
# Convert a raw 16-bit RGB565 framebuffer dump (e.g. from /dev/fb0) to PNG.
# Usage: ./iraw2png.pl WIDTH HEIGHT < screen.raw > screen.png
# Requires pnmtopng from netpbm. Width and height default to 240x320.

$w = shift || 240;
$h = shift || 320;
$pixels = $w * $h;

# Pipe a binary PPM (P6) stream into pnmtopng, which writes the PNG to stdout.
open OUT, "|pnmtopng" or die "Can't pipe pnmtopng: $!\n";

# PPM header: magic number, then width and height, then the maximum sample value.
printf OUT "P6\n%d %d\n255\n", $w, $h;

# Each pixel is a 2-byte RGB565 value in native byte order (little-endian on x86):
# 5 bits red, 6 bits green, 5 bits blue. Expand each channel to 8 bits by
# shifting it into the high bits of a byte.
while ((read STDIN, $raw, 2) and $pixels--) {
   $short = unpack('S', $raw);
   print OUT pack("C3",
      ($short & 0xf800) >> 8,   # red:   bits 15..11
      ($short & 0x7e0) >> 3,    # green: bits 10..5
      ($short & 0x1f) << 3);    # blue:  bits 4..0
}

close OUT;
  • Save the file as iraw2png.pl.

  • But before converting it to PNG, we need to find the framebuffer’s dimensions and pass them to the script as width and height.

  • Execute the Perl script to get a PNG-formatted image.

  • Check the image.

  • We finally got the password for user yossi. SSH in as yossi with the password MoshePlzStopHackingMe!
  • Check the groups of user yossi.

  • The user belongs to the disk group. Let’s check which files are accessible to members of the disk group.

  • Let’s check the partitions.

  • The partition /dev/sda1 is mounted as / (the root partition), and the user has read and write access to the block device itself, bypassing the filesystem permissions.
  • We can exploit this by reading the partition with the debugfs utility.
  • debugfs is an interactive ext2/ext3/ext4 filesystem debugger. It can be used to examine a filesystem directly on the block device.
  • Since the user can read and write /dev/sda1, we can use debugfs to browse the /root directory on that filesystem.

  • Now that I have root’s SSH private key, I can SSH into the machine as the root user.

  • Get root.txt.
User and root owned!!

Share the fun!