This is the report for the seventh and final series of exercises for my penetration testing course, taught by Tero Karvinen
The seventh assignment consists of three parts, as follows:
a) Make a trojan with Unicorn according to the instructions. (Hint: look at Tatu's report)
b) Install a new practice target for yourself. You can get a target machine from Vulnhub. Break into the machine; check a walkthrough for a hint if you get stuck.
c) Google Project Zero. Can you find techniques that can be used in pentesting? (No need to repeat the challenging assembler tricks)
These exercises are done on my home computer, the hardware consists of the following:
ASUS X99M-WS Motherboard
16 GB DDR4 Kingston RAM
Samsung 840 EVO 250 GB SSD
The operating system used is the Kali Linux version 2018.3.
Since I had already tried using Unicorn, I was excluded from this assignment.
The unicorn test can be found in my previous assignment H6
The practice target I decided to use from Vulnhub was the first one that was on their list, Node:1. The description stated that it was a medium level boot2root kind of challenge.
The setup of the target machine was pretty straightforward: download the .ovs file and import it into VirtualBox. The only note is that the virtual machine's network settings were a bit off, so I changed the network adapter to “bridged” mode. After that the machine started up without a hitch.
I started by performing a basic nmap scan using db_nmap.
Since the only port open other than SSH (22/TCP) was 3000 with a Node.js service, I decided to investigate that. I tried using uniscan on the target, but it didn't give any additional useful information.
The only thing I could do was download a myplace.backup file. I also tried logging in using the other credentials from the users list, but the site gave a message that “at the moment only administrators can login”.
In an earlier course class, Tero showed us how to decode base64. I used that command:
base64 -d myplace.backup > myplace.zip   # the decoded output is the archive that is cracked below
Since I didn't have a password for the file (the ones from /api/users did not work), the only thing I could think of was password enumeration. Previously I had used hydra for this, but when I googled it, the first search result was for a program called fcrackzip. I had never heard of it, but it was intended for a case like this one. A quick glance at the instructions and the program was able to crack the password. It was actually ridiculously fast at performing the enumeration; it only took about one second to find the match. I used the rockyou.txt file, since it contains a large number of passwords. The file can be found in Kali Linux by default.
The backup had the same file structure as /var/www would normally have, as far as I have seen. I started browsing the files from the base directory upwards. The app.html didn't have anything interesting in it.
Since there were only two ports open on the machine, port 3000/tcp which I had already checked out and port 27017 from the app.js file which runs on localhost, SSH was the only one left to try. I decided to try the newly found credentials to log in via SSH. Luckily this guess was correct.
From this point, I had no clue how to proceed. I could not find anything by browsing the file system that seemed to be of any use. Mark didn't have sudo privileges. I spent about two hours thinking and searching for more clues, but all came up empty.
I decided to look at a walkthrough of the machine to find clues on how to proceed. The first one I looked at mentioned that the machine had a privilege escalation flaw; this was possibly an unintended weakness, but I decided to try it out. Now I knew that the target machine was running the Ubuntu 16.04 operating system, so I decided to google it. The first search result seemed like something that could work, since I already had access to the system.
Since scp didn't work (it would have been too easy, it seems), maybe mark could download files from the internet. A friend of mine who does pentesting once said that the Python HTTP server had helped him on many occasions, so this was something I could try out. Setting the temporary server up is quite easy: just start it in the folder you want to use as its base.
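As an added example (not code from the original report), the triage that the base64 decode and fcrackzip steps above amount to, in Python: decode the dump, confirm it is a ZIP, list which entries are password-protected, and check whether the archive's password appears in a wordlist. The archive contents and the wordlist are constructed stand-ins, not the real myplace.backup or rockyou.txt.

```python
import base64
import io
import zipfile


def _build_sample_backup() -> str:
    """Constructed stand-in for the base64 blob the site served as myplace.backup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("var/www/myplace/app.js", "// constructed placeholder\n")
        zf.writestr("var/www/myplace/app.html", "<html></html>\n")
    return base64.b64encode(buf.getvalue()).decode("ascii")


SAMPLE_BACKUP_B64 = _build_sample_backup()


def decode_backup(b64_text: str) -> bytes:
    """Equivalent of `base64 -d`; line breaks copied from a web page are ignored."""
    return base64.b64decode("".join(b64_text.split()), validate=True)


def describe_archive(blob: bytes) -> list:
    """Triage without extracting: is it a ZIP, and which entries are encrypted?"""
    if not blob.startswith(b"PK\x03\x04"):
        raise ValueError("decoded data is not a ZIP archive (no PK local header)")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        # bit 0 of the general-purpose flag marks a password-protected entry
        return [(zi.filename, bool(zi.flag_bits & 0x0001)) for zi in zf.infolist()]


def find_password(blob: bytes, wordlist: list):
    """Return the first wordlist entry that opens an encrypted member, or None
    (also None when no member is encrypted, so there is nothing to test)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        target = next((zi for zi in zf.infolist() if zi.flag_bits & 0x0001), None)
        if target is None:
            return None
        for candidate in wordlist:
            try:
                with zf.open(target, pwd=candidate.encode("utf-8")) as fh:
                    fh.read()  # full read so the CRC is verified, not just the check byte
                return candidate
            except (RuntimeError, zipfile.BadZipFile):  # bad password / CRC mismatch
                continue
    return None


if __name__ == "__main__":
    data = decode_backup(SAMPLE_BACKUP_B64)
    for name, encrypted in describe_archive(data):
        print(f"{name}: {'encrypted' if encrypted else 'plain'}")
    print("password found:", find_password(data, ["password", "123456"]))
```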
It worked like a charm and I was able to get root access.
I looked through walkthroughs, and this was the easy way of doing it. To be honest, I'm not sure I could have solved this without the privilege escalation exploit. The “right” way of solving this machine is, for the moment, a bit out of my reach given my knowledge of pentesting.
I hadn't read Project Zero before; our teacher mentioned it in class before this assignment. To be honest, I didn't expect the material to be so deeply technical. This is generally not a bad thing, but I had a little trouble finding an article that wasn't too challenging to read and interpret; it also had to be something I had a genuine interest in.
The one that I found interesting was an article about exploiting Windows 10 in a local network using WPAD/PAC and JScript.
The second thing is that this technique is quite old and, as the article demonstrates, it still works. The threat is not unknown and measures have been taken to prevent this, but still.