Sokar seems to block pings, but if you scan the individual IPs it works.
Scanning the ports of sokar
Open http://192.168.219.138:591/ in the browser to see the sokar page
## Bash Shellshock Exploit
I realized the page is vulnerable to the Bash Shellshock exploit.
Running the command confirms it is vulnerable to Shellshock, and looking at the files in /var/spool/mail/bynarr
we are able to acquire a password for the user bynarr and an outbound ephemeral port, 51242.
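From the defender's side, the probe used above leaves a very recognisable trace in the web server log: a Bash function definition, `() {`, inside a header or query string that the CGI handler exports into the environment. The following is an added example (not from the original write-up or the sokar machine) that runs that check over a few constructed Apache combined-format log lines, including a URL-encoded variant in the request line; the log lines, IPs and paths are all made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines for the demo; they are
# not taken from the original page or the sokar machine.
SAMPLE_LOG = """\
192.168.76.102 - - [10/Jan/2015:10:00:00 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "() { :;}; echo hello"
192.168.76.50 - - [10/Jan/2015:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.76.102 - - [10/Jan/2015:10:00:09 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "() { ignored;}; echo hello" "curl/7.38.0"
192.168.76.77 - - [10/Jan/2015:10:00:12 +0000] "GET /cgi-bin/stats?ua=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 400 0 "-" "Mozilla/5.0"
"""

COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload has to begin with a Bash function definition, "() {",
# carried in something the CGI handler exports as an environment variable
# (User-Agent, Referer, Cookie, or the query string via QUERY_STRING).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock(log_text):
    """Return (ip, path, field) for every log line carrying a Shellshock probe."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip it rather than crash
        parts = m.group("req").split()
        path = parts[1] if len(parts) >= 2 else m.group("req")
        # Check the percent-decoded request target first, then the header fields.
        candidates = [("request", unquote(path)),
                      ("referer", m.group("referer")),
                      ("ua", m.group("ua"))]
        for field, value in candidates:
            if SHELLSHOCK_RE.search(value):
                hits.append((m.group("ip"), path.split("?")[0], field))
                break  # one finding per line is enough
    return hits


def attacker_ips(log_text):
    """Distinct source addresses that sent at least one probe."""
    return sorted({ip for ip, _, _ in find_shellshock(log_text)})


if __name__ == "__main__":
    for ip, path, field in find_shellshock(SAMPLE_LOG):
        print(f"{ip} probed {path} via {field}")
```

The pattern is deliberately loose (`()` followed by optional whitespace and `{`) because the payload works with or without the space; tighten it per your own false-positive rate, and remember that the real fix is patching bash, since the log only tells you who tried.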
Looking at the .bash_profile of user bynarr we can see that the PATH includes ‘.’, the current directory, which for bynarr is /home/bynarr. But wait a minute: the website on sokar shows it running
a few commands, and looking at them you can tell these commands are date, iostat, netstat and uptime.
Refresh the sokar page a few times and you can see that it only updates every minute, on the minute. There is only one cause of this: the crontab. What if one of the 4 commands executed there does not use a full path? Then a file of the same name in /home/bynarr/ would be run instead.
Let's try it, with date first.
Sadly it didn't work: if you check the sokar website after it updated, you can see the date command output is still there. OK, let's try iostat.
Bingo! The sokar page refreshed and bynarr's .bashrc was in plain view. (Why did I use .bashrc? No reason, it was the only file that was handy at the time.)
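The misconfiguration behind this step is auditable: a cron job that names a program without an absolute path, combined with a PATH containing `.` (or an empty entry, or any relative directory), lets whoever writes to the job's working directory pick what runs. The following is an added example, not code from the original write-up, that audits a crontab for exactly that pairing. The crontab text is constructed for the demo; the `profile_path` parameter is my own assumption, modelling the case seen here where the PATH with `.` comes from the user's shell profile rather than from the crontab itself.

```python
import re

# Constructed crontab for the demo (not the real crontab from the sokar box).
SAMPLE_CRONTAB = """\
# runs every minute and feeds the status page
PATH=/usr/local/bin:/usr/bin:/bin:.
* * * * * date > /tmp/date.txt
* * * * * iostat > /tmp/iostat.txt
* * * * * /bin/netstat -an > /tmp/netstat.txt
* * * * * uptime | tee /tmp/uptime.txt
"""

ENV_LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
CMD_SEPARATOR_RE = re.compile(r"\|\||&&|[|;]")


def parse_crontab(text):
    """Split a crontab into its environment assignments and (schedule, command) jobs."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        env_match = ENV_LINE_RE.match(line)
        if env_match:
            env[env_match.group(1)] = env_match.group(2).strip("\"'")
            continue
        if line.startswith("@"):            # @reboot, @hourly, ...
            sched, cmd = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue                    # malformed entry, nothing to audit
            sched, cmd = " ".join(fields[:5]), fields[5]
        jobs.append((sched, cmd))
    return env, jobs


def programs_in(command):
    """First word of each simple command in a pipeline, skipping leading VAR=value assignments."""
    progs = []
    for segment in CMD_SEPARATOR_RE.split(command):
        tokens = segment.strip().split()
        while tokens and ENV_LINE_RE.match(tokens[0]):
            tokens.pop(0)
        if tokens:
            progs.append(tokens[0])
    return progs


def risky_path_entries(path):
    """PATH entries that resolve relative to the job's working directory."""
    return ["<empty>" if e == "" else e
            for e in path.split(":") if e == "" or not e.startswith("/")]


def audit(crontab_text, profile_path=None, default_path="/usr/bin:/bin"):
    """profile_path (assumed parameter): the PATH a login shell would set for the user,
    used when the job is run through such a shell instead of cron's own environment."""
    env, jobs = parse_crontab(crontab_text)
    path = profile_path or env.get("PATH", default_path)
    relative = [(sched, prog) for sched, cmd in jobs
                for prog in programs_in(cmd) if not prog.startswith("/")]
    risky = risky_path_entries(path)
    return {
        "path": path,
        "risky_path_entries": risky,
        "relative_commands": relative,
        # Only dangerous when both hold: a bare program name AND a PATH entry
        # that an unprivileged user can populate.
        "hijackable": bool(relative) and bool(risky),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CRONTAB)
    for sched, prog in result["relative_commands"]:
        print(f"[{sched}] '{prog}' is resolved through PATH={result['path']}")
    print("hijackable:", result["hijackable"])
```

Either fix on its own closes the hole: use full paths (`/usr/bin/iostat`) in the job, or drop `.` from the PATH the job inherits. The audit treats a relative entry like `bin` the same as `.`, since both depend on the working directory.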
The page was seen as follows:
## Reverse Shell via Crontab
OK, next we need to get a reverse shell in place. Checking sokar, it seems to have perl.
On Kali linux:
Change the reverse shell script to your IP address and port 51242; in this case my Kali IP address is 192.168.76.102.
Get ready to start httpd on Kali, but first we need to change the port so user bynarr can fetch the script on port 51242, the only outbound port we found.
So we changed the port from 80 to 51242 and now start Apache2 on Kali.
Next we run the Shellshock exploit again, this time fetching the reverse shell when the crontab runs.
Check that it's there.
OK, awesome, it picked it up and it's in the /tmp folder on sokar.
Next we fix up the permissions on the reverse shell.
Stop the Apache2 server on Kali Linux.
Fix up the permissions on iostat and have it run the reverse shell command.
OK, on the next crontab run on sokar we will get a reverse shell.
Bingo! We are now user bynarr on sokar.
The command sudo -l shows bynarr only has sudo access to the /home/bynarr/lime file. Well okay, let's see what this file is.
Run lime as sudo.
OK, it seems to have dumped the RAM into /tmp/ram. Let's have a look. It appears to be binary with some readable text, so let's strip out the binary and see if we can read it.
While grepping for the users apophis and root, I came across these 2 strings that appear to be from /etc/shadow.
Next let's load up John the Ripper so we can crack these hashes.
OK, I left john to crack overnight; it was able to crack the apophis password but was unable to crack root.
Next we force the shell to be interactive.
And we change the user to apophis using overdrive, the password we got from John the Ripper.
Alright, we are now user apophis. Looking at the user's home folder we can see there is an executable here.
Running the build executable
Hmm… It seems to be looking for a host called sokar-dev. We tell sokar that sokar-dev is our Kali machine by starting a DNS server on Kali and pointing sokar's nameserver to our IP address, 192.168.76.102.
## Configure DNS on Kali
Install and configure the DNS server on Kali Linux.
Add the following lines to named.conf.default-zones:
Create 2 files with the following, one for the forward zone and one for the reverse zone, called sokar-dev and db.192:
On Kali Linux make the secret-project folder and git init to start the repository.
Running the build executable again, after you remove the existing folder, clones the folder /root/secret-project from Kali over to /mnt/secret-project on sokar. Interesting…
Let's check the version of git.
Some Googling shows that this version is vulnerable to CVE-2014-9390, also known as the git exploit from OS X and Windows, where case-insensitive filesystems treat .Git and .git as the same folder name.
So as a result this can help us get root.
The mount command even shows that the /mnt folder is vfat, aka FAT32/FAT16, which is likewise case-insensitive.
On Kali, let's go ahead and exploit this bug.
Since the post-checkout hook is executed after every clone, we can use that here.
Let's execute some root commands; only root would be able to read a file like /etc/shadow.
Change post-checkout to be executable and commit it.
On sokar we remove the folder and run build again.
Awesome! We can see /etc/shadow and can execute commands as root. Now let's see if we can elevate.
On Kali we modify the post-checkout file again, and this time we add apophis to /etc/sudoers as a root user.
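What made this work is that the git on sokar checked tree entries byte-for-byte, so a committed `.Git/hooks/post-checkout` passed its `.git` filter and then landed in the real `.git` directory on the case-insensitive vfat mount. The patched releases (1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) reject such entries, and the same check is useful on a server side pre-receive hook or when inspecting an untrusted remote. The following is an added example, not code from the original write-up or from git itself, that flags the path variants a case-insensitive, HFS+ or NTFS/FAT filesystem would fold into `.git` (the HFS+ ignorable code point set mirrors the one git strips; `GIT~1` is the 8.3 short name of `.git`), plus a helper that says whether a reported git version predates the fix. The sample tree paths are constructed for the demo.

```python
import re

# Code points HFS+ ignores when comparing names; git's own check strips the same
# set (U+200C..U+200F, U+202A..U+202E, U+206A..U+206F, U+FEFF).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F,
                 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
                 0xFEFF}

# Constructed tree listing (as `git ls-tree -r --name-only` would print it).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".Git/hooks/post-checkout",   # case-folds to .git on vfat/NTFS/HFS+
    "lib/GIT~1/config",           # 8.3 short name for .git on NTFS/FAT
    ".g\u200cit/HEAD",            # zero-width non-joiner ignored by HFS+
    "notes/.gitignore",           # legitimate, must not be flagged
    "vendor/gitlab/ci.yml",
]


def is_dotgit_component(name):
    """True if a filesystem that folds case, drops HFS+ ignorables or applies
    NTFS/FAT name rules would treat this path component as `.git`."""
    hfs_view = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    ntfs_view = name.rstrip(". ")          # NTFS/FAT drop trailing dots and spaces
    for candidate in (name, hfs_view, ntfs_view):
        lowered = candidate.lower()
        if lowered in (".git", "git~1"):
            return True
    return False


def scan_tree(paths):
    """Return every path that would check out into the repository's own .git directory."""
    return [p for p in paths if any(is_dotgit_component(c) for c in p.split("/"))]


# First release on each maintenance line that rejects these paths; 2.2.1 and
# later are all fixed. Earlier lines (1.7.x and before) never received the fix.
FIXED_RELEASES = {(1, 8): (1, 8, 5, 6), (1, 9): (1, 9, 5),
                  (2, 0): (2, 0, 5), (2, 1): (2, 1, 4)}


def version_is_fixed(version):
    """True if `git --version`-style string names a release with the CVE-2014-9390 fix."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        return False
    v = tuple(int(x) for x in m.group(1).split("."))
    if v >= (2, 2, 1):
        return True
    fixed = FIXED_RELEASES.get(v[:2])
    return fixed is not None and v >= fixed


if __name__ == "__main__":
    for path in scan_tree(SAMPLE_TREE):
        print("reject:", path)
    print("1.7.1 fixed?", version_is_fixed("git version 1.7.1"))
```

On a patched git the equivalent protection is enabled by `core.protectNTFS` and `core.protectHFS`; the scan above is the check to apply where you cannot upgrade the client, for instance in a pre-receive hook on the server everyone clones from.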