Vulnhub virtual machine; OSCP prep box and a change of pace. To gain access to box requires an exploitation of node.js and a special component through some encoding leads to RCE. For the priv-esc you work through a service running as another user and pivot to root.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Vulnhub Link: https://www.vulnhub.com/entry/temple-of-doom-1,243/ Files: temple-of-DOOM-v1.ova (Size: 2.8 GB)
Phase 1 | Reconnaissance Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching the target) or passively (meaning that your recon is being performed through an intermediary).
Discover VM on network
1 |
|
Target: 192.165.56.116
VM login page confirms
Phase 2 | Scanning The phase of scanning requires the application of technical tools to gather further intelligence on your target, but in this case, the intel being sought is more commonly about the systems that they have in place. A good example would be the use of a vulnerability scanner on a target network.
Nmap Scan:
1 |
|
we see the front door - SSH interesting non standard port - 666 - running Node.js
Navigate via browser to site.
source:
not looking like a promising way to gain a foot hold. Further enumeration via dirbuster
Nmap UDP Scan:
1 |
|
nIkto Scan:
1 |
|
Phase 3 | Gaining Access Phase 3 gaining access requires taking control of one or more network devices in order to either extract data from the target, or to use that device to then launch attacks on other targets.
Capturing request with Burp Interceptor
profile seems to be encoded in base64
Decoded
1 |
|
well looks like 3 pieces of infomation are being sent in this cookie, username, csrftoken and an Expires. After playing around with sending the api just the username and csrftoken and still receiving errors just submitted the username with }
in base64 and was greeted by a welcome.
through the testing we saw that the backend is a node-serialize
My knowledge base of this application is limited… very limited so we ask the oracle aka google.
google: node-serialize vulnerabilities
found several explanations but a majority of it reminded me how much I don’t know. I eventually found this wordpress blog that explained things on a manner I was able to wrap my mind around. Link: https://hd7exploit.wordpress.com/2017/05/29/exploiting-node-js-deserialization-bug-for-remote-code-execution-cve-2017-5941/
code example that causes a ls -al
1 |
|
encode with base64 and send as cookie.
result:
sending a reverse shell via nc
1 |
|
encoded to base64 and sent as cookie.
we have a shell
upgrade shell
1 |
|
well after uploading the priv-esc scripts and found a few exploits but we don’t have gcc
on the box to compile. Furthermore, I discovered after returning to the box several times a certain required process was not starting. Thus continuing the priv-esc to become impossible. After several restarts of the VM and much research on the matter I am able to see the processes used by user: fireman
viewing fireman processes
1 |
|
from this point we can see that fireman is calling a binary called ss-manager
. From this point we can search for exploits pertaining to that binary.
ss-manager
is vulnerable to “shadowsocks-libev 3.1.0 - Command Execution”
link: https://www.exploit-db.com/exploits/43006
which this vulnerability stems from “control of Shadowsocks servers for multiple users, it spawns new servers if needed.”
1 |
|
Testing to see if port 8839 is open on VM.
1 |
|
we can now attempt to nc
to this port and parse a reverse tcp connection back to our system.
setup local listener on port 1234
1 |
|
setting up reverse tcp connection on target
1 |
|
we have now escalated to fireman
upgrade shell
1 |
|
perform privilege check with sudo -l
focusing on tcpdump
I found an article that explains how to get root via tcpdump.
Link: https://www.securusglobal.com/community/2014/03/17/how-i-got-root-with-sudo/
basically with the command -z
we will be able to run commands via tcpdump.
so we need a script for this -z
command to run so we will just echo a nc
connection back to our local system on port 4567 and change the chmod.
1 |
|
next, move to the sudo tcpdump
1 |
|
resulting in an execution of our shell.sh
and a reverse connection.
we have achieved root!
Phase 4 | Maintaining Access Maintaining access requires taking the steps involved in being able to be persistently within the target environment in order to gather as much data as possible. The attacker must remain stealthy in this phase, so as to not get caught while using the host environment.
upgrading shell and searching for flag:
1 |
|
bring me the root!
-exec